tggt

Title of test:
tggt

Description:
tes 4 pr4ctic3 1ns1d3

Creation Date: 2026/07/05

Category: Others

Number of questions: 76

Content:

DNS rewrite can only be configured on a NAT rule with which type of destination address translation?. Dynamic IP and Port (DIPP). Dynamic IP (with session distribution). Static IP. Dynamic IP.

An analyst needs to prevent users from downloading executable files from "High-Risk" URL categories while allowing them from "Business-and-Economy." Which profile should be configured to achieve this specific file-type restriction?. URL Filtering Profile. Data Filtering Profile. File Blocking Profile. Vulnerability Protection Profile.

In a Zero Trust environment, why is it recommended to use "User-ID" instead of just IP addresses in Security policy rules?. To allow the firewall to perform hardware-level decryption. IP addresses are dynamic and do not provide persistent identity in modern networks. User-ID is required to enable the "application-default" service setting. Using User-ID reduces the CPU load on the Management Plane.

An analyst needs to configure a NAT policy to allow internal users to access the internet. The company only has one public IP address available on the firewall's outside interface. Which NAT type should be used?. Static IP. Dynamic IP. Dynamic IP and Port (DIPP). Bi-directional NAT.

An analyst notices latency on the firewall and wants to improve performance. Which steps can be taken to reduce management plane CPU while working to determine the underlying problem?. Disable log at session start and only log at session end. Enable log forwarding from the firewall to an external destination. Enable logging for intrazone-default and interzone-default security rules. Disable log at session end and only log at session start.

What is an important consideration when defining custom data patterns for data loss prevention (DLP) on Palo Alto Networks platforms? (Choose one answer). They do not require regular updates once deployed. They are less effective than predefined patterns and should be avoided. They should be specific and tested to minimize false positives and false negatives. They should be as broad as possible to cover all potential data types.

An organization needs to implement a security rule that allows users to access "Facebook" but prevents them from using "Facebook-Chat." What is the best way to achieve this?. Create a URL Filtering profile to block the chat URL. Create a security rule allowing the "Facebook-base" App-ID and another rule blocking the "Facebook-chat" App-ID. Use an Application Override rule for Facebook traffic. Block the specific IP addresses used by Facebook Chat.

A company requires that all file transfers to SaaS storage over HTTP only (tcp/80 and tcp/8080) be inspected for data exfiltration. Traffic to encrypted HTTPS SaaS storage cannot be inspected because of the company's decryption restrictions. When using a security profile group, which Security policy configuration meets this requirement?. One with data filtering to inspect all HTTP traffic on the web-browsing application using application-default for the service. One with URL filtering and file blocking to block all file uploads to the URL category online-storage-and-backup, then set the service to tcp/80 and tcp/8080. One with data filtering and the service set to tcp/80 and tcp/8080, then verify block threshold is set to "1" to stop exfiltration. One with data filtering and an application filter that matches "file-sharing" applications, then set the service to tcp/80 and tcp/8080.

A company wants to implement a security policy that only allows "web-browsing" if it is initiated by an authorized user. If the user is not identified, they should be prompted to authenticate via a web portal. Which policy type must be configured to trigger this portal?. Security Policy. Authentication Policy. Decryption Policy. NAT Policy.

An analyst wants to create a custom application for an internal tool that uses a specific proprietary protocol. Which information is required to ensure the firewall correctly identifies this application using App-ID?. Source and Destination IP addresses. Signature patterns found in the packet payload. The URL category of the server. The MAC address of the server.

A company wants to ensure that any file uploaded to a specific cloud storage provider is immediately analyzed for malware, even if the file has never been seen before. Which action should be set in the WildFire Analysis Profile?. Alert. Block. Continue. Forward.

A financial company is deploying NGFWs with the Advanced SD-WAN subscription to improve uptime and bandwidth across thousands of ATMs. The company requires that traffic flows to the internal application needed by the ATMs always use the path with the lowest latency and packet loss. Which unique SD-WAN rule parameters meet this criteria?. Application/Service: "Internal Application for ATMs" #Path Selection: "Best Available Path" in Traffic Distribution Profile. Application/Service: "Internal Application for ATMs" & "Management" in Path Quality Profile # Path Selection "Any.". Application/Service: "Internal Application for ATMs" #Path Selection "Weighted Distribution" in Traffic Distribution Profile. Application/Service: "Internal Application for ATMs" & "ATM Path(Custom)" in Path Quality Profile #Path Selection "Any.".

To comply with new regulations, a company requires all traffic logs related to the "HR-App" application across all Security policies be sent to a compliance syslog server. A Log Forwarding profile already exists to send logs to a default syslog server. What is the most efficient process for configuring an NGFW to comply with the new regulations without disrupting existing traffic logs being sent to the default syslog server?. Edit the existing Log Forwarding profile by adding a new match list consisting of Log Forwarding filter for the application named "HR-App" to direct logs to the compliance syslog server. Create a new Log Forwarding profile, update the profile with the details of the compliance syslog server and attach the profile to the relevant Security policy rule. Edit the existing Log Forwarding profile, add a new entry, use the filter builder to match on application "HR-App," and add the details for the compliance syslog server. Create a Log Forwarding profile and enable the predefined filter for "Application." In the associated dropdown, select or create a new application object with the name "HR-App," and add the details for the compliance syslog server.

An organization uses several different web-conferencing tools (Zoom, Microsoft Teams, WebEx). The analyst wants to create a single security rule to allow all these tools without listing each App-ID individually. What should the analyst create?. Application Filter. Application Group. Service Group. Custom App-ID.

An analyst is investigating why an App-ID for a custom application is showing as "unknown-tcp" in the Traffic logs. The application is running on port 8080. What is the most likely cause of this identification failure?. The firewall does not have a signature for the proprietary application. The Security policy is set to "application-default.". The traffic is being decrypted by an SSL Forward Proxy. The URL category is "private-ip-addresses.".

An analyst is creating a "Data Pattern" for DLP that needs to match a specific 10-digit customer account number that always starts with the letters "ACC". Which pattern type should be used?. File Properties. Regular Expression (Regex). Predefined Pattern. Custom Dictionary.

Which aspect of a network's current health does the Strata Cloud Manager (SCM) Device Health dashboard provide?. Health trends based on which CVEs are not remediated. Health score based on current physical hardware issues detected. Health score based on security profile feature adoption. Health trends for firewalls filtered by how long the issue has been experienced.

An analyst is troubleshooting a policy that is not matching traffic as expected. After reviewing the logs, the analyst sees that the traffic is matching a rule with a lower priority. Which feature allows the analyst to compare two rules side-by-side to identify the conflict?. Policy Optimizer. Rule Comparison. ACC (Application Command Center). Config Audit.

An analyst determines that several sanctioned, predefined applications are being intermittently blocked, even though there is an existing policy permitting them. An investigation reveals that the applications are using non-standard ports, which is causing them to be blocked. The applications are critical for business operations, and the analyst has approval to allow them. Which configuration adjustment should be implemented to ensure secure access to the applications?. Apply Disable Server Response Inspection (DSRI) to the existing Security policy to allow the non-standard ports. Disable App-ID and port filtering and rely solely on IP addresses of the applications to allow the non-standard ports. Clone the existing Security policy rule and include the non-standard ports under services. Clone the existing Security policy rule and include unknown-tcp and unknown-udp applications with service set to "any".

Which object type allows an analyst to group multiple IP addresses based on their geographical location (country) to simplify "Geo-blocking" policies?. Static Address Object. FQDN Address Object. Regions. Dynamic Address Group (DAG).

In Strata Cloud Manager (SCM), which logical container is used to group firewalls that share the same configuration requirements, such as those at a specific regional office?. Template Stacks. Snippets. Folders. Device Groups.

A company wants to ensure that its internal web server is only accessible from the internet on port 443, but the server is actually listening on port 8443. Which NAT configuration should be used?. Source NAT with Static IP translation. Destination NAT with Port Translation. Bi-directional NAT with Dynamic IP and Port. Hide NAT with Overload.

Which type of Security profile is required to prevent a "Brute Force" attack on a management portal or server by monitoring the rate of connection attempts?. Antivirus Profile. Anti-Spyware Profile. Vulnerability Protection Profile. URL Filtering Profile.

Which feature allows the firewall to automatically identify and categorize IoT (Internet of Things) devices based on their unique network behavior?. Device-ID. App-ID. User-ID. IoT Security Subscription.

A firewall administrator is creating an application override rule to bypass Layer 7 inspection for a pre-defined application. What is the expected behavior for Content-ID checks for this application?. WildFire will only use inline-ML checks instead of sending items to WildFire Cloud. Threat inspection will occur if the pre-defined application supports threat inspection. DNS Security will have degraded performance for advanced features. No additional security checks will occur due to there being only Layer 4 handling.

What is the function of a "Service" object in a Palo Alto Networks firewall configuration?. To define the Layer 7 App-ID signatures. To define the Layer 4 protocol (TCP/UDP) and port numbers. To specify the URL categories to be blocked. To set the QoS priority for specific traffic.

An analyst wants to allow users to visit "Social Networking" sites but prevent them from posting comments or uploading files. Which combination of Security Profile and Action is required?. URL Filtering Profile set to "Alert" for the category. URL Filtering Profile using a "URL Filtering Override.". URL Filtering Profile set to "Continue" for the category. URL Filtering Profile set to "Override" for HTTP Header Insertion.

An analyst needs to create a rule that allows a specific group of users to access a cloud application. The application's IP addresses change frequently, but the application is associated with a specific FQDN. What is the most efficient object type to use in this scenario?. Static Address Object. FQDN Address Object. Range Address Object. IP Multicast Object.

There are intermittent connectivity issues between two internal zones on a PA-Series firewall. Although the Security policies appear correctly configured, traffic between the zones is experiencing unexpected drops. Which troubleshooting step will isolate the root cause of this behavior?. Use the CLI command tcpdump filter and set the source and destination zones in the filter to capture and analyze traffic flows between zones, checking for packet loss on the data plane. Use the CLI command show system info to monitor CPU and memory usage, ensuring that resource constraints are not causing interfaces to drop packets between zones. Use the PAN-OS GUI Troubleshooting tool to review interface status, verify zone assignments, and confirm that all links are operational. Use the CLI command show system state filter sys.s1.* | match Error to find interface errors across all the interfaces.

In Panorama, which feature allows an analyst to group multiple Template Stacks together to push a common set of network configurations to a large number of firewalls simultaneously?. Device Groups. Variables. Template Groups. Managed Collectors.

Which tool should an analyst use to view a real-time, graphical representation of the top applications, users, and threats across the network to identify immediate anomalies?. Log Viewer. ACC (Application Command Center). Config Audit. Policy Optimizer.

An analyst notices latency on the firewall and wants to improve performance. Which steps can be taken to reduce management plane CPU while working to determine the underlying problem?. Enable log forwarding from the firewall to an external destination. Disable log at session end and only log at session start. Enable logging for intrazone-default and interzone-default security rules. Disable log at session start and only log at session end.

An analyst is configuring a security policy to allow an application that uses a dynamic range of ports. Instead of opening a wide range of ports, which Palo Alto Networks feature should be leveraged to identify the application based on its unique payload?. Service Objects. App-ID. Custom URL Categories. Dynamic Address Groups.

An administrator is using Strata Cloud Manager (SCM) and notices that several firewalls are reporting a low health score due to "Untrusted Certificates" being used for management. Which specific SCM dashboard provides the fastest way to identify which certificates are nearing expiration across the entire estate?. Command Center. Activity Insights. Policy Optimizer. Device Health Dashboard.

Based on the image below, what is a risk associated with this configuration? (Decryption Profile configured with Min Version TLSv1.3). Min Version setting of TLSv1.3 can cause compatibility issues with legacy applications or clients. Authentication algorithm selections can significantly increase resource consumption and cause performance degradation. Encryption algorithms 3DES and RC4 being disabled decreases security posture. Max Version setting of "Max" enables the use of Perfect Forward Secrecy (PFS) and cannot be decrypted.

Which security profile is specifically designed to protect against "Domain Generation Algorithms" (DGA) and DNS tunneling?. Anti-Spyware Profile. URL Filtering Profile. DNS Security Profile. Vulnerability Protection Profile.

An analyst needs to create a security rule to allow access to a specific web application that identifies itself as "web-browsing" but uses a custom, non-standard port of TCP 9000. Which configuration ensures the App-ID engine can still inspect this traffic?. Change the Service to "application-default.". Create a custom Service object for TCP 9000 and use it in the rule. Use an Application Override rule for port 9000. Change the application to "any" and the service to TCP 9000.

What are two valid pattern types in a Data Filtering profile? (Choose two.). Custom Dictionary. Proximity Pattern. File Properties. Regular Expression.

A Palo Alto Networks NGFW for a high-security environment is being configured and requires a security profile group that includes vulnerability protection. When configuring the action based on the severity of the threat types, what does Palo Alto Networks recommend? (Choose one answer). Use action "reset-both" for critical, high, and medium vulnerabilities. Use action "alert" for critical, high, and medium vulnerabilities. Use action "allow" for critical, high, and medium vulnerabilities. Use action "default" for critical, high, and medium vulnerabilities.

Which action ensures that a Panorama push will not fail due to pending local firewall changes?. Commit configurations locally on the device and then repeat the same configuration from Panorama. Disable "Merge with Device Candidate Config.". Enable "Force Template Values.". Enable both options "Include Device and Network Templates" and "Include Firewall Clusters.".

When using Strata Cloud Manager (SCM), which tool allows an analyst to automatically migrate local firewall configurations to a centralized management folder?. Strata Cloud Manager Transition. Policy Optimizer. Config Audit. Template Variable.

A security administrator needs to block access to a specific list of 500 malicious domains. These domains are updated daily by a third-party intelligence feed. What is the most efficient way to manage these domains as an object?. Create a Custom URL Category and manually paste the domains daily. Create an External Dynamic List (EDL) of type "Domain.". Create a Domain-based FQDN Address Group. Add the domains to the "Block List" of a URL Filtering profile.

An analyst is configuring an Anti-Spyware profile to identify infected internal hosts that are attempting to contact known malicious Command and Control (C2) servers. Which feature should be enabled to redirect these malicious DNS queries to a controlled internal IP address for forensic analysis?. DNS Security. DNS Sinkhole. DNS Proxy. Domain Generation Algorithm (DGA) Protection.

A firewall is showing high "Packet Buffer" utilization, causing network latency. Which type of traffic is most likely to cause this issue if it is not correctly managed?. Small UDP DNS queries. Large, high-throughput file transfers (Elephant Flows). Management plane API calls. ICMP keep-alive packets.

A user reports that a specific business application is dropping its connection every few minutes. The analyst wants to see if the firewall's session table is reaching its limit for that specific user. Which tool should the analyst use?. ACC (Application Command Center). Session Browser. Rule Usage Filter. Policy Optimizer.

An analyst is configuring a "WildFire Analysis Profile." Which file types can be sent to the WildFire cloud for sandbox analysis?. Only .exe and .msi files. Only Microsoft Office documents. All file types supported by the Content-ID engine, including PDFs and APKs. Only encrypted files that cannot be decrypted locally.

A security administrator is creating an Internet of Things (IoT) Security policy and needs to select behaviors for the traffic. (Image characteristics: Evasive, Excessive Bandwidth Use, Used by Malware, Capable of File Transfer, Known Vulnerabilities, Tunnels Other Apps, Prone to Misuse, Pervasive) Which characteristic has the greatest impact on the risk level of applications?. Used by Malware. Pervasive. Tunnels Other Apps. Known Vulnerabilities.

What is the most granular method for ensuring that traffic to a firewall's public IP address on the public interface is translated to the private IP address of the web server?. Create one NAT policy, ensure the policy has original packet destination IP as the public IP address and translated packet destination IP as the private IP address, and mark Bi-directional as "Yes.". Create one NAT policy, set the source address to the public IP address and destination address to the private IP address, and ensure Bi-directional is checked. Create two static NAT policies, ensure one policy has original packet destination IP as the public IP address and translated packet destination IP as the private IP address, ensure the other policy has original packet source IP as the private IP address and the translated packet source IP as the public IP address. Create one NAT policy, ensure the policy has original packet source IP as the private IP address and the translated packet source IP as the public IP address, and mark Bi-directional as "Yes.".

How often should external dynamic lists be updated to ensure effective Security policy enforcement?. Once a week. As new threats are identified. Once a month. As frequently as the external source updates.

What is the purpose of the "Config Audit" feature in Panorama?. To compare the current running configuration with a previously saved version. To check if a firewall is running the latest software version. To automatically resolve IP address conflicts. To monitor the real-time CPU usage of the firewalls.

Which Strata Cloud Manager (SCM) feature provides a consolidated view of all high-priority security incidents across a global network, including those from firewalls and Prisma Access?. Activity Insights. Command Center. Policy Optimizer. Device Health Dashboard.

Beyond being a SaaS-based delivery platform, what is an advantage of Strata Cloud Manager (SCM) over Panorama? (Choose one answer). Live, inline best practice checks. Real-time alerting. Customizable dashboards. NGFW and Prisma Access management.

An analyst notices that a security rule intended to block a specific application is being bypassed. Upon investigation, the analyst finds that the traffic is matching a rule higher in the list. Which tool provides a visual "Shadowing" check to identify rules that will never be hit?. Config Audit. Policy Optimizer. Rule Usage Filter. ACC (Application Command Center).

What is the benefit of the Command Center's centralized dashboard in Strata Cloud Manager (SCM)?. Monitoring encryption for network performance optimization. Using AI to predict and prevent potential security incidents. Automatically patching security vulnerabilities. Monitoring and managing threats and operational health.

A user reports that they are being blocked from a website with a "Certificate Error." Which log will help the analyst determine if the firewall is blocking the session because the web server is using an expired certificate?. Traffic Log. Threat Log. Decryption Log. System Log.

Which log type should be checked first using Log Viewer when a user reports being unable to access a specific website?. Firewall/URL. Firewall/Traffic. Firewall/Threat. Firewall/DNS Security.

What is a primary benefit of using "Templates" within Panorama or Strata Cloud Manager?. To group firewalls based on their physical location. To manage Layer 2 and Layer 3 network configurations across multiple devices. To synchronize Security policy rules between firewalls. To automate the backup of firewall configurations.

An organization wants to decrypt outbound traffic to ensure no malware is hidden in HTTPS sessions. Which type of decryption policy must be configured on the firewall to act as a "Man-in-the-Middle"?. SSL Inbound Inspection. SSH Proxy. SSL Forward Proxy. Decryption Broker.

A financial institution must comply with a regulation that prohibits the decryption of any traffic destined for "Banking" or "Healthcare" websites. How should the analyst implement this requirement while still decrypting other web traffic?. Set the default Decryption Profile to "No-Decrypt.". Create a Decryption Policy with the action "No Decrypt" and select the relevant URL categories. Add the banking URLs to the "External Dynamic List.". Use a NAT policy to bypass the SSL engine for those categories.

A user reports that they can reach a website, but the page elements are not loading correctly. The analyst suspects that a security profile is silently dropping some of the web content. Which log, when filtered by the user's IP, will show the specific Content-ID match that is causing the partial page failure?. URL Filtering Log. Threat Log. Data Filtering Log. Traffic Log.

When performing a "Push to Devices" from Panorama, an analyst wants to ensure that the push only affects a specific firewall in a shared Device Group. Which option in the push window allows this granular selection?. Include Device and Network Templates. Force Template Values. Edit Selections. Merge with Device Candidate Config.

Which type of object should be used to ensure that a Security policy rule automatically updates when a new virtual machine is spun up in a public cloud environment and assigned a specific tag?. External Dynamic List (EDL). Dynamic Address Group (DAG). Static Address Group. Application Filter.

A company wants to ensure that all internal users are prevented from uploading sensitive documents to a specific personal cloud storage site. Which Security profile is specifically designed to inspect the content of file transfers for specific data patterns?. File Blocking Profile. Vulnerability Protection Profile. Data Filtering Profile. WildFire Analysis Profile.

What is the purpose of the "Config Audit" feature in Panorama?. To check if a firewall is running the latest software version. To compare the current running configuration with a previously saved version. To automatically resolve IP address conflicts. To monitor the real-time CPU usage of the firewalls.

Which SCM feature allows an administrator to see a "Safety Score" for a proposed policy change before it is committed to the firewalls?. Policy Optimizer. Activity Insights. Best Practice Assessment (BPA). Strata Cloud Manager (SCM) Copilot.

When pushing a configuration from Panorama to multiple firewalls, an analyst wants to ensure that a specific local interface setting on one firewall is not overwritten by the template value. Which feature should be used?. Template Stack. Template Variable. Device Group Override. Policy Optimizer.

Which action ensures that sensitive information such as medical records, financial transactions, and legal communications are not decrypted and that they maintain strong security?. Create a log forwarding filter to exclude sensitive information. Disable decryption globally to avoid exposing sensitive data. Create an SSL Inbound Inspection policy to identify users sending sensitive information. Create a no-decrypt policy for traffic matching specific URL categories.

A security administrator is creating an address object for a partner organization whose public IP address is unknown but who always uses a specific domain name. Which address object type should be used?. IP Range. IP Netmask. FQDN. Multicast.

An analyst notices an unusual amount of bandwidth being consumed by "web-browsing" traffic. Which ACC tab provides a breakdown of which specific URLs and URL Categories are responsible for this bandwidth usage?. Network Activity. Threat Activity. Blocked Activity. SSL Activity.

A security administrator wants to determine which action a URL Filtering profile will take on the URL "www.chatgpt.com". The firewall has a custom URL object with "www.chatgpt.com" as a member called "Permitted-AI." The URL "www.chatgpt.com" is also categorized as "Artificial-Intelligence," "Computer-and-Internet-Info," and "Low-Risk." The URL Filtering profile has the following in descending order: Artificial-Intelligence set to continue; Computer-and-Internet-Info set to block; Low-Risk set to alert; Permitted-AI set to allow. Which action will the URL Filtering profile take when traffic matches the "www.chatgpt.com" URL on a rule with this profile attached? (Choose one answer). Allow. Continue. Block. Alert.

A security analyst is using the Strata Cloud Manager (SCM) Policy Optimizer to create specific and focused rules. The analyst accepts the new rules from Policy Optimizer and updates the rule base, but the traffic does not hit these new rules. Which action needs to be taken to resolve this issue?. Execute a push configuration. Remove the original Security policy rule. Enable the newly created Security policy rules. Perform a commit.

A firewall administrator implementing Palo Alto Networks best practices on the company firewall reviews NGFW alerts in Strata Cloud Manager (SCM) and determines that one alert does not apply to this environment. If the administrator has no intention to resolve the underlying issue, what is the appropriate next step?. Click "Copilot" in the top right, and ask the Copilot to make an exception for the NGFW alert. Assign the NGFW alert to the "Dismiss" user. Change the NGFW alert priority to "Not Set.". Open the NGFW alert and click "Suppress" under "Actions.".

What are two valid pattern types in a Data Filtering profile? (Choose two.). Proximity Pattern. Custom Dictionary. File Properties. Regular Expression.

Which object allows an analyst to group different applications together based on a specific business function, such as "Social-Media" or "Collaboration," to simplify policy management?. Application Group. Application Filter. Service Group. Custom URL Category.

Which log type is the most useful for identifying if a user is repeatedly attempting to visit an "Unauthorized" website category that is being blocked by a security profile?. Traffic Log. URL Filtering Log. System Log. Authentication Log.

A user reports that they can reach a website, but the page elements are not loading correctly. The analyst suspects that a security profile is silently dropping some of the web content. Which log, when filtered by the user's IP, will show the specific Content-ID match that is causing the partial page failure?. Data Filtering Log. Threat Log. URL Filtering Log. Traffic Log.
