Question # 4

When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)

A.

password profile

B.

access domain

C.

admin role

D.

server profile

Question # 5

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.

Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

A.

Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow.

B.

Manually remove powerball.com from the gambling URL category.

C.

Add *.powerball.com to the allow list

D.

Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Question # 6

Which statement best describes the use of Policy Optimizer?

A.

Policy Optimizer can display which Security policies have not been used in the last 90 days

B.

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications

C.

Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected

D.

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

Question # 7

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

A.

The web session was unsuccessfully decrypted.

B.

The traffic was denied by security profile.

C.

The traffic was denied by URL filtering.

D.

The web session was decrypted.

Question # 8

What is the main function of Policy Optimizer?

A.

reduce load on the management plane by highlighting combinable security rules

B.

migrate other firewall vendors’ security rules to Palo Alto Networks configuration

C.

eliminate “Log at Session Start” security rules

D.

convert port-based security rules to application-based security rules

Question # 9

An administrator should filter NGFW traffic logs by which attribute column to determine if the entry is for the start or end of the session?

A.

Receive Time

B.

Type

C.

Destination

D.

Source

Question # 10

Which solution is a viable option to capture user identification when Active Directory is not in use?

A.

Cloud Identity Engine

B.

group mapping

C.

Directory Sync Service

D.

Authentication Portal

Question # 11

What must first be created on the firewall for SAML authentication to be configured?

A.

Server Policy

B.

Server Profile

C.

Server Location

D.

Server Group

Question # 12

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the rule type from its default value.

What type of Security policy rule is created?

A.

Tagged

B.

Intrazone

C.

Universal

D.

Interzone

Question # 13

Arrange the correct order that the URL classifications are processed within the system.

Question # 14

Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate username and the associated password?

A.

Domain Credential

B.

IP User

C.

Group Mapping

D.

Valid Username Detected Log Severity

Question # 15

Which action results in the firewall blocking network traffic without notifying the sender?

A.

Drop

B.

Deny

C.

Reset Server

D.

Reset Client

Question # 16

An administrator has configured a Security policy where the matching condition includes a single application and the action is deny.

If the application's default deny action is reset-both, what action does the firewall take?

A.

It sends a TCP reset to the client-side and server-side devices

B.

It silently drops the traffic and sends an ICMP unreachable code

C.

It silently drops the traffic

D.

It sends a TCP reset to the server-side device

Question # 17

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)

A.

TACACS

B.

SAML2

C.

SAML10

D.

Kerberos

E.

TACACS+

Question # 18

Which statement is true regarding a Heatmap report?

A.

When guided by an authorized sales engineer, it helps determine the areas of greatest security risk.

B.

It provides a percentage of adoption for each assessment area.

C.

It runs only on firewall.

D.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Question # 19

Selecting the option to revert firewall changes will replace what settings?

A.

The running configuration with settings from the candidate configuration

B.

The candidate configuration with settings from the running configuration

C.

The device state with settings from another configuration

D.

Dynamic update scheduler settings

Question # 20

Which table for NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings is available only on Panorama?

A.

NAT Target Tab

B.

NAT Active/Active HA Binding Tab

C.

NAT Translated Packet Tab

D.

NAT Policies General Tab

Question # 21

Why should a company have a File Blocking profile that is attached to a Security policy?

A.

To block uploading and downloading of specific types of files

B.

To detonate files in a sandbox environment

C.

To analyze file types

D.

To block uploading and downloading of any type of files

Question # 22

A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition, the configuration was not saved prior to making the changes.

Which action will allow the administrator to undo the changes?

A.

Load configuration version, and choose the first item on the list.

B.

Load named configuration snapshot, and choose the first item on the list.

C.

Revert to last saved configuration.

D.

Revert to running configuration.

Question # 23

Which two App-ID applications will need to be allowed to use Facebook-chat? (Choose two.)

A.

facebook

B.

facebook-chat

C.

facebook-base

D.

facebook-email

Question # 24

What are three valid source or destination conditions available as Security policy qualifiers? (Choose three.)

A.

Service

B.

User

C.

Application

D.

Address

E.

Zone

Question # 25

Palo Alto Networks firewall architecture accelerates content map minimizing latency using which two components? (Choose two.)

A.

Network Processing Engine

B.

Single Stream-based Engine

C.

Policy Engine

D.

Parallel Processing Hardware

Question # 26

Based on the screenshot, what is the purpose of the group in User labelled "it"?

A.

Allows users to access IT applications on all ports

B.

Allows users in group "DMZ" to access IT applications

C.

Allows "any" users to access servers in the DMZ zone

D.

Allows users in group "it" to access IT applications

Question # 27

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

A.

Translation Type

B.

Interface

C.

Address Type

D.

IP Address

Question # 28

How are service routes used in PAN-OS?

A.

By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered in the network

B.

To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks external services

C.

For routing, because they are the shortest path selected by the BGP routing protocol

D.

To route management plane services through data interfaces rather than the management interface

Question # 29

Given the cyber-attack lifecycle diagram identify the stage in which the attacker can run malicious code against a vulnerability in a targeted machine.

A.

Exploitation

B.

Installation

C.

Reconnaissance

D.

Act on the Objective

Question # 30

Which license must an administrator acquire prior to downloading Antivirus updates for use with the firewall?

A.

URL filtering

B.

Antivirus

C.

WildFire

D.

Threat Prevention

Question # 31

How often does WildFire release dynamic updates?

A.

every 5 minutes

B.

every 15 minutes

C.

every 60 minutes

D.

every 30 minutes

Question # 32

Based on the network diagram provided, which two statements apply to traffic between the User and Server networks? (Choose two.)

A.

Traffic is permitted through the default intrazone "allow" rule.

B.

Traffic restrictions are possible by modifying intrazone rules.

C.

Traffic restrictions are not possible, because the networks are in the same zone.

D.

Traffic is permitted through the default interzone "allow" rule.

Question # 33

Which prevention technique will prevent attacks based on packet count?

A.

zone protection profile

B.

URL filtering profile

C.

antivirus profile

D.

vulnerability profile

Question # 34

Which Security profile can you apply to protect against malware such as worms and Trojans?

A.

data filtering

B.

antivirus

C.

vulnerability protection

D.

anti-spyware

Question # 35

Which URL profiling action does not generate a log entry when a user attempts to access that URL?

A.

Override

B.

Allow

C.

Block

D.

Continue

Question # 36

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication Sequence SYS01," and the authentication sequence SYS01 has a profile list with four authentication profiles:

• Auth Profile LDAP

• Auth Profile Radius

• Auth Profile Local

• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "SYS01 Admin" username and password.

What is the "SYS01 Admin" login capability after the outage?

A.

Auth KO because RADIUS server lost user and password for SYS01 Admin

B.

Auth KO because LDAP server is not reachable

C.

Auth OK because of the Auth Profile Local

D.

Auth OK because of the Auth Profile TACACS

Question # 37

How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?

A.

Select the unified log entry in the side menu.

B.

Modify the number of columns visible on the page

C.

Modify the number of logs visible on each page.

D.

Select the system logs entry in the side menu.

Question # 38

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

A.

Panorama > Device Deployment > Dynamic Updates > Schedules > Add

B.

Panorama > Device Deployment > Content Updates > Schedules > Add

C.

Panorama > Dynamic Updates > Device Deployment > Schedules > Add

D.

Panorama > Content Updates > Device Deployment > Schedules > Add

Question # 39

Which component is a building block in a Security policy rule?

A.

decryption profile

B.

destination interface

C.

timeout (min)

D.

application

Question # 40

In the PAN-OS Web Interface, which is a session distribution method offered under NAT Translated Packet Tab to choose how the firewall assigns sessions?

A.

Destination IP Hash

B.

Concurrent Sessions

C.

Max Sessions

D.

IP Modulo

Question # 41

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.

Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A.

syslog

B.

RADIUS

C.

UID redistribution

D.

XFF headers

Question # 42

Which objects would be useful for combining several services that are often defined together?

A.

shared service objects

B.

service groups

C.

application groups

D.

application filters

Question # 43

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.

Question # 44

An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are available for any known user in the organization.

What object is best suited for this configuration?

A.

Application Group

B.

Tag

C.

External Dynamic List

D.

Application Filter

Question # 45

Based on the screenshot, what is the purpose of the included groups?

A.

They are only groups visible based on the firewall's credentials.

B.

They are used to map usernames to group names.

C.

They contain only the users you allow to manage the firewall.

D.

They are groups that are imported from RADIUS authentication servers.

Question # 46

An administrator wants to prevent users from submitting corporate credentials in a phishing attack.

Which Security profile should be applied?

A.

antivirus

B.

anti-spyware

C.

URL filtering

D.

vulnerability protection

Question # 47

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

A.

Biometric scanning results from iOS devices

B.

Firewall logs

C.

Custom API scripts

D.

Security Information and Event Management Systems (SIEMS), such as Splun

E.

DNS Security service

Question # 48

The CFO found a USB drive in the parking lot and decided to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin exfiltrating data from the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

A.

Create an anti-spyware profile and enable DNS Sinkhole

B.

Create an antivirus profile and enable DNS Sinkhole

C.

Create a URL filtering profile and block the DNS Sinkhole category

D.

Create a security policy and enable DNS Sinkhole

Question # 49

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

A.

URL traffic

B.

vulnerability protection

C.

anti-spyware

D.

antivirus

Question # 50

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

A.

User identification

B.

Filtration protection

C.

Vulnerability protection

D.

Antivirus

E.

Application identification

F.

Anti-spyware

Question # 51

What are three factors that can be used in domain generation algorithms? (Choose three.)

A.

cryptographic keys

B.

time of day

C.

other unique values

D.

URL custom categories

E.

IP address

Question # 52

What is used to monitor Security policy applications and usage?

A.

Policy Optimizer

B.

App-ID

C.

Security profile

D.

Policy-based forwarding

Question # 53

Within a WildFire Analysis Profile, what match criteria can be defined to forward samples for analysis?

A.

Application Category

B.

Source

C.

File Size

D.

Direction

Question # 54

The CFO found a malware-infected USB drive in the parking lot, which, when inserted, infected their corporate laptop. The malware contacted a known command-and-control server, which exfiltrated corporate data.

Which Security profile feature could have been used to prevent the communications with the command-and-control server?

A.

Create a Data Filtering Profile and enable its DNS sinkhole feature.

B.

Create an Antivirus Profile and enable its DNS sinkhole feature.

C.

Create an Anti-Spyware Profile and enable its DNS sinkhole feature.

D.

Create a URL Filtering Profile and block the DNS sinkhole URL category.

Question # 55

What is the default action for the SYN Flood option within the DoS Protection profile?

A.

Alert

B.

Random Early Drop

C.

Reset-client

D.

Sinkhole

Question # 56

What are three valid ways to map an IP address to a username? (Choose three.)

A.

using the XML API

B.

DHCP Relay logs

C.

a user connecting into a GlobalProtect gateway using a GlobalProtect Agent

D.

usernames inserted inside HTTP Headers

E.

WildFire verdict reports

Question # 57

An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.

Which Security profile should be used?

A.

Antivirus

B.

URL filtering

C.

Anti-spyware

D.

Vulnerability protection

Question # 58

An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240 addresses and found that connections from addresses that needed new translations were being dropped.

Which type of NAT was configured?

A.

Static IP

B.

Dynamic IP

C.

Destination NAT

D.

Dynamic IP and Port

Question # 59

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

A.

Untrust (Any) to DMZ (1.1.1.100), ssh - Allow

B.

Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow

C.

Untrust (Any) to Untrust (10.1.1.1), ssh - Allow

D.

Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow

E.

Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Question # 60

Which App-ID application will you need to allow in your security policy to use facebook-chat?

A.

facebook-email

B.

facebook-base

C.

facebook

D.

facebook-chat

Question # 61

Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

A.

It functions like PAN-DB and requires activation through the app portal.

B.

It removes the 100K limit for DNS entries for the downloaded DNS updates.

C.

It eliminates the need for dynamic DNS updates.

D.

It is automatically enabled and configured.

Question # 62

Which rule type is appropriate for matching traffic both within and between the source and destination zones?

A.

interzone

B.

shadowed

C.

intrazone

D.

universal

Question # 63

What are two valid selections within an Anti-Spyware profile? (Choose two.)

A.

Default

B.

Deny

C.

Random early drop

D.

Drop

Question # 64

An administrator needs to allow users to use only certain email applications.

How should the administrator configure the firewall to restrict users to specific email applications?

A.

Create an application filter and filter it on the collaboration category, email subcategory.

B.

Create an application group and add the email applications to it.

C.

Create an application filter and filter it on the collaboration category.

D.

Create an application group and add the email category to it.

Question # 65

Review the Screenshot:

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the SERVER zone to the DMZ on SSH only.

Which rule group enables the required traffic?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 66

Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)

A.

Path monitoring does not determine if route is useable

B.

Route with highest metric is actively used

C.

Path monitoring determines if route is useable

D.

Route with lowest metric is actively used

Question # 67

Which link in the web interface enables a security administrator to view the security policy rules that match new application signatures?

A.

Review Apps

B.

Review App Matches

C.

Pre-analyze

D.

Review Policies

Question # 68

Which Palo Alto Networks Security Operating Platform service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and scanning files for sensitive information?

A.

Prisma SaaS

B.

AutoFocus

C.

Panorama

D.

GlobalProtect

Question # 69

Which feature enables an administrator to review the Security policy rule base for unused rules?

A.

Security policy tags

B.

Test Policy Match

C.

View Rulebase as Groups

D.

Policy Optimizer

Question # 70

When creating a custom URL category object, which is a valid type?

A.

domain match

B.

host names

C.

wildcard

D.

category match

Question # 71

Where in Panorama would Zone Protection profiles be configured?

A.

Shared

B.

Templates

C.

Device Groups

D.

Panorama tab

Question # 72

Which feature enables an administrator to review the Security policy rule base for unused rules?

A.

Test Policy Match

B.

Policy Optimizer

C.

View Rulebase as Groups

D.

Security policy tags

Question # 73

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?

A.

SAML

B.

Multi-Factor Authentication

C.

Role-based

D.

Dynamic

Question # 74

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

A.

application filter

B.

URL category

C.

HIP profile

D.

application group

Question # 75

View the diagram.

What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 76

What does an application filter help you to do?

A.

It dynamically provides application statistics based on network, threat, and blocked activity.

B.

It dynamically filters applications based on critical, high, medium, low, or informational severity.

C.

It dynamically groups applications based on application attributes such as category and subcategory.

D.

It dynamically shapes defined application traffic based on active sessions and bandwidth usage.

Question # 77

Which rule type is appropriate for matching traffic occurring within a specified zone?

A.

Interzone

B.

Universal

C.

Intrazone

D.

Shadowed

Question # 78

Which CLI command will help confirm if FQDN objects are resolved in the event there is a shadow rule?

A.

>show system fqdn

B.

>request fqdn show system

C.

>request show system fqdn

D.

>request system fqdn show

Question # 79

Which two features implement one-to-one translation of a source IP address while allowing the source port to change? (Choose two.)

A.

Static IP

B.

Dynamic IP / Port Fallback

C.

Dynamic IP

D.

Dynamic IP and Port (DIPP)

Question # 80

What can be achieved by disabling the Share Unused Address and Service Objects with Devices setting on Panorama?

A.

Increase the backup capacity for configuration backups per firewall

B.

Increase the per-firewall capacity for address and service objects

C.

Reduce the configuration and session synchronization time between HA pairs

D.

Reduce the number of objects pushed to a firewall

Question # 81

Which three configuration settings are required on a Palo Alto Networks firewall management interface?

A.

default gateway

B.

netmask

C.

IP address

D.

hostname

E.

auto-negotiation

Question # 82

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH, web-browsing and SSL applications.

Which policy achieves the desired results?

A)

B)

C)

D)

A.

Option

B.

Option

C.

Option

D.

Option

Question # 83

An administrator would like to silently drop traffic from the internet to an FTP server.

Which Security policy action should the administrator select?

A.

Reset-server

B.

Block

C.

Deny

D.

Drop

Question # 84

Given the detailed log information above, what was the result of the firewall traffic inspection?

A.

It was blocked by the Anti-Virus Security profile action.

B.

It was blocked by the Anti-Spyware Profile action.

C.

It was blocked by the Vulnerability Protection profile action.

D.

It was blocked by the Security policy action.

Question # 85

In a security policy, what is the quickest way to reset all policy rule hit counters to zero?

A.

Use the CLI to enter the command reset rules all

B.

Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.

C.

Use the Reset Rule Hit Counter > All Rules option.

D.

Reboot the firewall.

Question # 86

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

A.

Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH

B.

Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH

C.

In addition to option A, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-IP-address

D.

In addition to option C, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

Question # 87

Which administrative management services can be configured to access a management interface?

A.

HTTP, CLI, SNMP, HTTPS

B.

HTTPS, SSH, telnet, SNMP

C.

SSH, telnet, HTTP, HTTPS

D.

HTTPS, HTTP, CLI, API

Question # 88

Starting with PAN-OS version 9.1, which new type of object is supported for use within the user field of a security policy rule?

A.

local username

B.

dynamic user group

C.

remote username

D.

static user group

Question # 89

Which profile should be used to obtain a verdict regarding analyzed files?

A.

WildFire analysis

B.

Vulnerability profile

C.

Content-ID

D.

Advanced threat prevention

Question # 90

Based on the security policy rules shown, ssh will be allowed on which port?

A.

80

B.

53

C.

22

D.

23

Question # 91

Which System log severity level would be displayed as a result of a user password change?

A.

High

B.

Critical

C.

Medium

D.

Low

Question # 92

Which dynamic update type includes updated anti-spyware signatures?

A.

Applications and Threats

B.

GlobalProtect Data File

C.

Antivirus

D.

PAN-DB

Question # 93

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?

A.

check now

B.

review policies

C.

test policy match

D.

download

Question # 94

Which feature must be configured to enable a data plane interface to submit DNS queries originated from the firewall on behalf of the control plane?

A.

Service route

B.

Admin role profile

C.

DNS proxy

D.

Virtual router

Question # 95

An administrator would like to create a URL Filtering log entry when users browse to any gambling website. What combination of Security policy and Security profile actions is correct?

A.

Security policy = drop, Gambling category in URL profile = allow

B.

Security policy = deny, Gambling category in URL profile = block

C.

Security policy = allow, Gambling category in URL profile = alert

D.

Security policy = allow, Gambling category in URL profile = allow

Question # 96

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:

1. trust for internal networks

2. untrust to the internet

Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)

A.

Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic

B.

Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application

C.

Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application

D.

Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

Question # 97

To what must an interface be assigned before it can process traffic?

A.

Security Zone

B.

Security policy

C.

Security Protection

D.

Security profile

Question # 98

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

A.

HIP profile

B.

Application group

C.

URL category

D.

Application filter

Question # 99

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?

A.

Rule Usage Filter > No App Specified

B.

Rule Usage Filter > Hit Count > Unused in 30 days

C.

Rule Usage Filter > Unused Apps

D.

Rule Usage Filter > Hit Count > Unused in 90 days

Question # 100

Which two configuration settings shown are not the default? (Choose two.)

A.

Enable Security Log

B.

Server Log Monitor Frequency (sec)

C.

Enable Session

D.

Enable Probing

Question # 101

Where within the URL Filtering security profile must a user configure the action to prevent credential submissions?

A.

URL Filtering > Inline Categorization

B.

URL Filtering > Categories

C.

URL Filtering > URL Filtering Settings

D.

URL Filtering > HTTP Header Insertion

Question # 102

Which option lists the attributes that are selectable when setting up an Application filter?

A.

Category, Subcategory, Technology, and Characteristic

B.

Category, Subcategory, Technology, Risk, and Characteristic

C.

Name, Category, Technology, Risk, and Characteristic

D.

Category, Subcategory, Risk, Standard Ports, and Technology

Question # 103

How many zones can an interface be assigned with a Palo Alto Networks firewall?

A.

two

B.

three

C.

four

D.

one

Question # 104

Which type of firewall configuration contains in-progress configuration changes?

A.

backup

B.

running

C.

candidate

D.

committed

Question # 105

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

A.

Layer-ID

B.

User-ID

C.

QoS-ID

D.

App-ID

Question # 106

Place the following steps in the packet processing order of operations from first to last.

Question # 107

Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?

A.

Objects > Dynamic Updates > Review App-IDs

B.

Device > Dynamic Updates > Review Policies

C.

Device > Dynamic Updates > Review App-IDs

D.

Objects > Dynamic Updates > Review Policies

Question # 108

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A.

on either the data plane or the management plane.

B.

after it is matched by a security policy rule that allows traffic.

C.

before it is matched to a Security policy rule.

D.

after it is matched by a security policy rule that allows or blocks traffic.
