PCNSE3

Title of test: PCNSE3
Description: Exam Questions



1. What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?
A. It automatically pushes the configuration to Panorama after strengthening the overall security posture.
B. It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama.
C. The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment.
D. The AIOps plugin in Panorama retroactively checks the policy changes during the commits.

2. An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?
A. Add service accounts running on that machine to the 'Ignore User List' in the User-ID agent setup.
B. Remove the identity redistribution rules synced from Cloud Identity Engine from the User-ID agent configuration.
C. Remove the rate-limiting rule that is assigned to User A access from the User-ID agent configuration.
D. Add the subnets of both the user machine and the resource to the 'Include List' in the User-ID agent configuration.

3. An enterprise network security team is deploying VM-Series firewalls in a multi-cloud environment. Some firewalls are deployed in VMware NSX-V, while others are in AWS, and all are centrally managed using Panorama with the appropriate plugins installed. The team wants to streamline policy management by organizing the firewalls into device groups in which the AWS-based firewalls act as a parent device group, while the NSX-V firewalls are configured as a child device group to inherit Security policies. However, after configuring the device group hierarchy and attempting to push configurations, the team receives errors, and policy inheritance is not functioning as expected. What is the most likely cause of this issue?
A. Panorama must use the same plugin version numbers for both AWS and NSX-V environments before device group inheritance can function properly.
B. Panorama requires the objects to be overridden in the child device group before firewalls in different hypervisors can inherit Security policies.
C. Panorama by default does not allow different hypervisors in parent/child device groups, but this can be overridden with the command 'set device-group allow-multi-hypervisor enable'.
D. Panorama does not support policy inheritance across device groups containing firewalls deployed in different hypervisors when using multiple plugins.

4. Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?
A. Enable certificate revocation checking to deny access to sites with revoked certificates.
B. Add the certificate CN to the SSL Decryption Exclusion List to allow traffic without decryption.
C. Check for expired certificates and take appropriate actions to block or allow access based on business needs.
D. Contact the site administrator with the expired certificate to request updates or renewal.

5. Which translated port number should be used when configuring a NAT rule for a transparent proxy?
A. 80
B. 443
C. 8080
D. 4443

6. During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
A. Confirm the file types and direction are configured correctly in the WildFire analysis profile.
B. Configure the appropriate actions in the Antivirus security profile.
C. Configure the appropriate actions in the File Blocking profile.
D. Confirm the file size limits are configured correctly in the WildFire general settings.

7. Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two.)
A. GlobalProtect
B. Authentication
C. User-ID
D. WildFire

8. Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?
A. Upgrade both HA peers at the same time using Panorama's 'Group HA Peers' option to ensure version consistency.
B. Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer.
C. Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability.
D. Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer.

9. What must be taken into consideration when preparing a log forwarding design for all of a customer's deployed Palo Alto Networks firewalls?
A. The logs will not contain the names of the identified applications unless the 'Enable enhanced application logging' option is selected.
B. Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules.
C. The App-ID engine will not identify any application traffic unless the 'Enable enhanced application logging' option is selected.
D. Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in 'Logging and Reporting Settings'.

10. The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?
A. Review high-severity system logs to identify why the threat is missing in "Vulnerability Profile Exceptions".
B. Select "Show all signatures" within the vulnerability protection profile under "Exceptions".
C. Review traffic logs to add the exception from there.
D. Open a support case.

11. A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs. How can the administrator ensure that User-IDs are populated in the traffic logs?
A. Create a Group Mapping for the GlobalProtect Group.
B. Enable Captive Portal on the expected source interfaces.
C. Add the users to the proper Dynamic User Group.
D. Enable User-ID on the expected trusted zones.

12. A company wants to use GlobalProtect as its remote access VPN solution. Which GlobalProtect features require a Gateway license?
A. Multiple external gateways.
B. Single or multiple internal gateways.
C. Split DNS and HIP checks.
D. IPv6 for internal gateways.

13. An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies, the administrator must update all the IPSec VPNs with new pre-shared keys. Where are the pre-shared keys located on the firewall?
A. Network/IPSec Tunnels
B. Network/Network Profiles/IKE Gateways
C. Network/Network Profiles/IPSec Crypto
D. Network/Network Profiles/IKE Crypto

14. Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?
A. Change the "GlobalProtect Gateway -> Agent -> Network Services -> Split Tunnel -> No direct access to local network" setting to "off".
B. Change the "GlobalProtect Portal -> Satellite -> Gateways -> No direct access to local network" setting to "off".
C. Change the "GlobalProtect Gateway -> Agent -> Client Settings -> Split Tunnel -> No direct access to local network" setting to "off".
D. Change the "GlobalProtect Portal -> Agent -> App -> Split Tunnel -> No direct access to local network" setting to "off".

15. A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40. However, it confirms a successful ping test to 198.51.100.88. Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?
A. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address," both external servers as "Destination Address," and Source Translation remaining as is with the bidirectional option enabled.
B. Sharing a single NAT IP is possible for outbound connectivity but not for inbound; therefore, a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.
C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.
D. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.

16. What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
A. It blocks all communication with the server indefinitely.
B. It downgrades the protocol to ensure compatibility.
C. It automatically adds the server to the SSL Decryption Exclusion list.
D. It generates a decryption error message but allows the traffic to continue decryption.

17. An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed. Which set of actions should the engineer take to achieve this goal?
A. 1. Open the current log forwarding profile. 2. Open the existing match list for threat log type. 3. Define the filter. 4. Select the syslog forward method.
B. 1. Create a new log forwarding profile. 2. Add a new match list for threat log type. 3. Define the filter. 4. Select the Panorama and syslog forward methods.
C. 1. Open the current log forwarding profile. 2. Add a new match list for threat log type. 3. Define the filter. 4. Select the syslog forward method.
D. 1. Create a new log forwarding profile. 2. Add a new match list for threat log type. 3. Define the filter. 4. Select the syslog forward method.

18. Which tool can gather information about the application patterns when defining a signature for a custom application?
A. Policy Optimizer
B. Data Filtering Log
C. Wireshark
D. Expedition

19. A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?
A. Create a custom application and define it by the correct TCP and UDP ports.
B. Create an application filter based on the existing application category and risk.
C. Add specific applications that are seen when creating cloned rules.
D. Add the relevant container application when creating cloned rules.

20. Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
A. The PAN-OS integrated User-ID agent must be a member of the Active Directory domain.
B. The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW's management CPU.
C. The standalone User-ID agent consumes fewer resources on the NGFW's management CPU.
D. The standalone User-ID agent must run directly on the domain controller server.

21. Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?
A. debug dataplane internal vif route 250
B. show routing route type service-route
C. show routing route type management
D. debug dataplane internal vif route 255

22. A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
A. Increase the frequency of the applications and threats dynamic updates.
B. Increase the frequency of the antivirus dynamic updates.
C. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.
D. Enable the "Report Grayware Files" option in Device > Setup > WildFire.

23. How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?
A. Enable PFS under the IKE Gateway advanced options.
B. Enable PFS under the IPsec Tunnel advanced options.
C. Select the appropriate DH Group under the IPsec Crypto profile.
D. Add an authentication algorithm in the IPsec Crypto profile.

24. A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
A. Command line: > debug dataplane packet-diag clear filter-marked-session all
B. In the GUI under Monitor > Packet Capture > Manage Filters, under Ingress Interface, select an interface.
C. Command line: > debug dataplane packet-diag clear filter all
D. In the GUI under Monitor > Packet Capture > Manage Filters, under the Non-IP field, select "exclude".

25. A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can broadcast DHCP traffic?
A. Virtual wire
B. Tap
C. Layer 2
D. Layer 3

26. Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?
A. Tunnel
B. Ethernet
C. VLAN
D. Loopback

27. How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
A. Configure a dynamic address group for the addresses to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these addresses when logs are generated in the threat log.
B. Under Device > User Identification > Trusted Source Address, add the condition "NOT malicious."
C. Configure a dynamic user group for the users to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group.
D. Configure the appropriate security profiles for Antivirus, Anti-Spyware, and Vulnerability Prevention, and create signature policies for the relevant signatures and/or severities. Under the "Actions" tab in "Signature Policies," select "block-user."

28. A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows.
A. Deploy the GlobalProtect as a lee data hub.
B. Deploy Windows User-ID agents on each domain controller.
C. Deploy a PAN-OS integrated User-ID agent on each vsys.
D. Deploy an M-200 as a User-ID collector.

29. After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
A. debug ike stat
B. test vpn ipsec-sa tunnel
C. show vpn ipsec-sa tunnel
D. test vpn ike-sa gateway

30. An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter. What must the administrator consider as they prepare to configure the decryption policy?
A. Ensure HA3 interfaces are configured in an HA pair environment to sync decrypted sessions.
B. Obtain or generate the server certificate and private key from the datacenter server.
C. Obtain or generate the self-signed certificate with private key in the firewall.
D. Obtain or generate the forward trust and forward untrust certificate from the datacenter server.

31. When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)
A. Custom application
B. Source interface
C. Schedule
D. Source device

32. What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
A. Create a URL filtering profile.
B. Create an anti-virus profile.
C. Enable User-ID.
D. Configure a URL profile to block the phishing category.
E. Create a decryption policy rule.

33. What are three prerequisites for credential phishing prevention to function? (Choose three.)
A. In the URL filtering profile, use the drop-down list to enable user credential detection.
B. Enable Device-ID in the zone.
C. Select the action for Site Access for each category.
D. Add the URL filtering profile to one or more Security policy rules.
E. Set the phishing category to block in the URL Filtering profile.

34. A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)
A. IKEv1 only to deactivate the use of public key encryption.
B. IKEv2 with Hybrid Key exchange.
C. IKEv2 with Post-Quantum Pre-shared Keys.
D. IPsec with Hybrid ID exchange.

35. A company is expanding its existing log storage and alerting solutions. All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two.)
A. HTTP
B. SSL
C. Email
D. TLS

36. A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
A. In the GUI under Monitor > Packet Capture > Manage Filters, under Ingress Interface, select an interface.
B. Command line: > debug dataplane packet-diag clear filter all
C. In the GUI under Monitor > Packet Capture > Manage Filters, under the Non-IP field, select "exclude."
D. Command line: > debug dataplane packet-diag clear filter-marked-session all

37. An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone. Which destination IP address and zone should the engineer use to configure the security policy?
A. Destination Zone Outside, Destination IP address 2.2.2.1.
B. Destination Zone DMZ, Destination IP address 10.10.10.1.
C. Destination Zone DMZ, Destination IP address 2.2.2.1.
D. Destination Zone Outside, Destination IP address 10.10.10.1.

38. An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90. When firewall-01 is rebooted, is there any action taken by the firewalls?
A. No - Neither firewall takes any action because firewall-01 cannot be rebooted when configured with device priority of 90.
B. No - Neither firewall takes any action because firewall-02 is already the active-primary member.
C. Yes - Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional.
D. Yes - Firewall-02 takes over as the active-primary firewall; firewall-02 remains the active-primary member after firewall-01 becomes functional.

39. Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
A. Resource Protection
B. TCP Port Scan Protection
C. Packet Based Attack Protection
D. Packet Buffer Protection

40. A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)
A. Telemetry feature is automatically enabled during PAN-OS installation.
B. Telemetry data is uploaded into Strata Logging Service.
C. Telemetry feature is using Traffic logs and packet captures to collect data.
D. Telemetry data is shared in real time with Palo Alto Networks.

41. A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system. In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)
A. Add a route with next hop next-vr by using the VR configured in the virtual system.
B. Layer 3 zones for the virtual systems that need to communicate.
C. Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate.
D. Ensure the virtual systems are visible to one another.
E. External zones with the virtual systems added.

42. A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file. What does Advanced WildFire do when the link is clicked?
A. Performs malicious content analysis on the linked page, but not the corresponding PE file.
B. Performs malicious content analysis on the linked page and the corresponding PE file.
C. Does not perform malicious content analysis on the linked page but performs it on the corresponding PE file.
D. Does not perform malicious content analysis on either the linked page or the corresponding PE file.

43. Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)
A. Traffic
B. Threat
C. HIP Match
D. Configuration

44. An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values. What are the default values for ping interval and ping count before a failover is triggered?
A. Ping interval of 200 ms and ping count of three failed pings.
B. Ping interval of 5000 ms and ping count of 10 failed pings.
C. Ping interval of 200 ms and ping count of 10 failed pings.
D. Ping interval of 5000 ms and ping count of three failed pings.

45. A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs. How can the administrator ensure that User-IDs are populated in the traffic logs?
A. Enable Captive Portal on the expected source interfaces.
B. Enable User-ID on the expected trusted zones.
C. Create a Group Mapping for the GlobalProtect Group.
D. Add the users to the proper Dynamic User Group.

46. A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices. What protections does this policy provide to the enterprise?
A. It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.
B. It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.
C. It encrypts all certificate information to maintain privacy and compliance with local regulations.
D. It allows for complete visibility into certificate data, ensuring secure connections to all websites.

47. An administrator plans to install the Windows User-ID agent on a domain member system. What is a best practice for choosing where to install the User-ID agent?
A. On the DC holding the Schema Master FSMO role.
B. In close proximity to the servers it will be monitoring.
C. In close proximity to the firewall it will be providing User-ID to.
D. On the same RODC that is used for credential detection.

48. A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)
A. Telemetry feature is automatically enabled during PAN-OS installation.
B. Telemetry feature is using Traffic logs and packet captures to collect data.
C. Telemetry data is uploaded into Strata Logging Service.
D. Telemetry data is shared in real time with Palo Alto Networks.

49. While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1. How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?
A. > show counter global filter severity drop
B. > show counter global filter packet-filter yes delta yes
C. > show counter global filter delta yes | match 10.1.1.1
D. > debug dataplane packet-diag set capture stage drop

50. What type of NAT is required to configure transparent proxy?
A. Destination translation with Static IP.
B. Source translation with Static IP.
C. Destination translation with Dynamic IP.
D. Source translation with Dynamic IP and Port.

51. An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter. What must the administrator consider as they prepare to configure the decryption policy?
A. Ensure HA3 interfaces are configured in an HA pair environment to sync decrypted sessions.
B. Obtain or generate the forward trust and forward untrust certificate from the datacenter server.
C. Obtain or generate the self-signed certificate with private key in the firewall.
D. Obtain or generate the server certificate and private key from the datacenter server.

52. An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity. Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)
A. Source IP address
B. Static tags
C. Dynamic tags
D. LDAP attributes

53. An administrator plans to install the Windows-based User-ID agent. What type of Active Directory (AD) service account should the administrator use?
A. System Account
B. Dedicated Service Account
C. Domain Administrator
D. Enterprise Administrator

54. A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns? (Choose two.)
A. Wireshark
B. Traffic logs
C. Data filtering logs
D. Policy Optimizer

55. What should an engineer consider when setting up the DNS proxy for web proxy?
A. A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.
B. A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.
C. Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.
D. DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

56. Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
A. It can run on multiple virtual systems without issue.
B. It can run only on a single virtual system.
C. It can run only on a virtual system with an alias named "web proxy."
D. It can run on a single virtual system and multiple virtual systems.

57. What does the User-ID agent use to find login and logout events in syslog messages?
A. Syslog Parse profile
B. Authentication log
C. Syslog Server profile
D. Log Forwarding profile

58. An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user. What configuration change is necessary to implement this troubleshooting solution for the user?
A. Modify the user's client to prioritize UDP traffic for GlobalProtect.
B. Enable SSL tunnel over TCP in a new agent configuration for the specific user.
C. Increase the user's VPN bandwidth allocation in the GlobalProtect settings.
D. Enable SSL tunnel within the GlobalProtect gateway remote user's settings.

59. In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
A. Firewalls which support policy-based VPNs.
B. The remote device is a Palo Alto Networks firewall.
C. Firewalls which support route-based VPNs.
D. The remote device is a non-Palo Alto Networks firewall.

60. A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates. What must occur to have Antivirus signatures update?
A. An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.
B. Install the Application and Threats updates first, then refresh the Dynamic Updates.
C. An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.
D. An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

61. Which three sessions are created by an NGFW for web proxy? (Choose three.)
A. A session for proxy to authentication server.
B. A session for web server to client.
C. A session for DNS proxy to DNS servers.
D. A session for proxy to web server.
E. A session for client to proxy.

62. Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)
A. PS1
B. Perl
C. Python
D. VBS

63. An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users. Which option should the administrator use?
A. Terminal Server Agent for User Mapping
B. PAN-OS Integrated User-ID Agent
C. Windows-Based User-ID Agent
D. PAN-OS XML API

64. An administrator plans to install the Windows-based User-ID agent to prevent credential phishing. Which installer package file should the administrator download from the support site?
A. UaCredInstall64-11.0.0.msi
B. GlobalProtect64-6.2.1.msi
C. UaInstall-11.0.0.msi
D. TaInstall-11.0.0.msi

65. When configuring explicit proxy on a firewall, which interface should be selected under the Listening Interface option?
A. Egress for the outgoing traffic to the internet.
B. Firewall management.
C. Ingress for the client traffic.
D. Loopback for the proxy.

66. An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client." How should the administrator remediate this issue?
A. Check for expired certificates and take appropriate actions to block or allow access based on business needs.
B. Contact the site administrator with the expired certificate to request updates or renewal.
C. Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.
D. Enable certificate revocation checking to deny access to sites with revoked certificates.

67. An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.4
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone. Which destination IP address and zone should the engineer use to configure the security policy?
A. Destination Zone DMZ, Destination IP address 10.10.10.1.
B. Destination Zone DMZ, Destination IP address 2.2.2.1.
C. Destination Zone Outside, Destination IP address 2.2.2.1.
D. Destination Zone Outside, Destination IP address 10.10.10.1.

68. The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server. By default, which component of the Palo Alto Networks firewall architecture is responsible for log forwarding and should be checked for early signs of overutilization?
A. Management plane CPU
B. Dataplane CPU
C. Packet buffers
D. On-chip packet descriptors

69. A company wants to deploy IPv6 on its network, which requires that all company Palo Alto Networks firewalls process IPv6 traffic and be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?
A. Device > Setup Settings: Do not enable on each interface.
B. Network > Zone Settings: Do not enable on each interface.
C. Network > Zone Settings: Enable on each interface.
D. Device > Setup Settings: Enable on each interface.

70. A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP-assigned IP address. Which two actions are required for this scenario to work? (Choose two.)
A. On the HQ firewall, select peer IP address type FQDN.
B. On the remote location firewall, select peer IP address type Dynamic.
C. On the HQ firewall, enable DDNS under the interface used for the IPSec tunnel.
D. On the remote location firewall, enable DDNS under the interface used for the IPSec tunnel.

71. A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall. What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
A. Log Forwarding Profile is configured but not added to security rules in the data center firewall.
B. HIP profiles are configured but not added to security rules in the data center firewall.
C. User-ID is not enabled in the Zone where the users are coming from in the data center firewall.
D. HIP Match log forwarding is not configured under Log Settings in the Device tab.




