Month End Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama

They notice that commit times have drastically increased for the PA-220S after the migration

What can they do to reduce commit times?

A.

Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

B.

Update the apps and threat version using device-deployment

C.

Perform a device group push using the "merge with device candidate config" option

D.

Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Full Access
Question # 5

Which Panorama feature protects logs against data loss if a Panorama server fails?

A.

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

Full Access
Question # 6

Please match the terms to their corresponding definitions.

Full Access
Question # 7

What should an engineer consider when setting up the DNS proxy for web proxy?

A.

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

B.

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

C.

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

D.

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

Full Access
Question # 8

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Full Access
Question # 9

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Full Access
Question # 10

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Full Access
Question # 11

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Full Access
Question # 12

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Full Access
Question # 13

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

A.

Data Filtering

B.

Configuration

C.

Threat

D.

Traffic

Full Access
Question # 14

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

A.

Enable NAT Traversal on Site B firewall

B.

Configure Local Identification on Site firewall

C.

Disable passive mode on Site A firewall

D.

Match IKE version on both firewalls.

Full Access
Question # 15

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Full Access
Question # 16

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

A.

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Full Access
Question # 17

Exhibit.

Given the screenshot, how did the firewall handle the traffic?

A.

Traffic was allowed by profile but denied by policy as a threat.

B.

Traffic was allowed by policy but denied by profile as a threat.

C.

Traffic was allowed by policy but denied by profile as encrypted.

D.

Traffic was allowed by policy but denied by profile as a nonstandard port.

Full Access
Question # 18

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when the link failed?

A.

The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring

B.

No action was taken because Path Monitoring is disabled

C.

No action was taken because interface ethernet1/1 did not fail

D.

The active firewall failed over to the passive HA member due to an AE1 Link Group failure

Full Access
Question # 19

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)

A.

DNS Proxy

B.

SSL/TLS profiles

C.

address groups

D.

URL Filtering profiles

Full Access
Question # 20

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

A.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

B.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

C.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

D.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Full Access
Question # 21

Which source is the most reliable for collecting User-ID user mapping?

A.

Syslog Listener

B.

Microsoft Exchange

C.

Microsoft Active Directory

D.

GlobalProtect

Full Access
Question # 22

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects

Which type of role-based access is most appropriate for this project?

A.

Create a Dynamic Read only superuser.

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Device Group and Template Admin

D.

Create a Custom Panorama Admin

Full Access
Question # 23

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server By default, which component of the Palo Alto Networks firewall architect is responsible for log forwarding and should be checked for early signs of overutilization?

A.

Management plane CPU

B.

Dataplane CPU

C.

Packet buffers

D.

On-chip packet descriptors

Full Access
Question # 24

When you troubleshoot an SSL Decryption issue, which PAN-OS CL1 command do you use to check the details of the Forward Trust certificate. Forward Untrust certificate, and SSL Inbound Inspection certificate?

A.

show system setting ssl-decrypt certificate

B.

show system setting ssl-decrypt certs

C.

debug dataplane show ssl-decrypt ssl-certs

D.

show system setting ssl-decrypt certificate-cache

Full Access
Question # 25

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?

A.

Click Preview Changes under Push Scope

B.

Use Test Policy Match to review the policies in Panorama

C.

Review the configuration logs on the Monitor tab

D.

Context-switch to the affected firewall and use the configuration audit tool

Full Access
Question # 26

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known

What can the administrator configure to establish the VPN connection?

A.

Set up certificate authentication.

B.

Use the Dynamic IP address type.

C.

Enable Passive Mode

D.

Configure the peer address as an FQDN.

Full Access
Question # 27

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

A.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Full Access
Question # 28

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?

A.

Ensure HA3 interfaces are configured in a HA pair environment to sync decrypted sessions.

B.

Obtain or generate the server certificate and private key from the datacenter server.

C.

Obtain or generate the self-signed certificate with private key in the firewall

D.

Obtain or generate the forward trust and forward untrust certificate from the datacenter server.

Full Access
Question # 29

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Full Access
Question # 30

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?

A.

an Authentication policy with 'unknown' selected in the Source User field

B.

an Authentication policy with 'known-user' selected in the Source User field

C.

a Security policy with 'known-user' selected in the Source User field

D.

a Security policy with 'unknown' selected in the Source User field

Full Access
Question # 31

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

A.

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.

B.

Create an Application Override using TCP ports 443 and 80.

C.

Add the HTTP. SSL. and Evernote applications to the same Security policy.

D.

Add only the Evernote application to the Security policy rule.

Full Access
Question # 32

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?

A.

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.

By configuring User-ID group mapping in Panorama > User Identification

C.

By configuring User-ID source device in Panorama > Managed Devices

D.

By configuring Master Device in Panorama > Device Groups

Full Access
Question # 33

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server on DHCP agent configuration. Which interface mode can the broadcast DHCP traffic?

A.

Virtual ware

B.

Tap

C.

Layer 2

D.

Layer 3

Full Access
Question # 34

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)

A.

PA-220

B.

PA-800 Series

C.

PA-5000 Series

D.

PA-500

E.

PA-3400 Series

Full Access
Question # 35

An engineer is configuring a firewall with three interfaces:

• MGT connects to a switch with internet access.

• Ethernet1/1 connects to an edge router.

• Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

A.

Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

B.

Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

C.

Set DNS and Palo Alto Networks Services to use the MGT source interface.

D.

Set DDNS and Palo Alto Networks Services to use the MGT source interface.

Full Access
Question # 36

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?

A.

Apply DOS profile to security rules allow traffic from outside.

B.

Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.

C.

Enable packet buffer protection for the affected zones.

D.

Add a Zone Protection profile to the affected zones.

Full Access
Question # 37

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers Traffic to these sites will therefore be blocked if decrypted.

How should the engineer proceed?

A.

Install the unsupported cipher into the firewall to allow the sites to be decrypted

B.

Allow the firewall to block the sites to improve the security posture.

C.

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption.

D.

Create a Security policy to allow access to those sites.

Full Access
Question # 38

Why would a traffic log list an application as "not-applicable”?

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Full Access
Question # 39

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

A.

increase the frequency of the applications and threats dynamic updates.

B.

Increase the frequency of the antivirus dynamic updates

C.

Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.

D.

Enable the "Report Grayware Files" option in Device > Setup > WildFire.

Full Access
Question # 40

Where can a service route be configured for a specific destination IP?

A.

Use Netw ork > Virtual Routers, select the Virtual Router > Static Routes > IPv4

B.

Use Device > Setup > Services > Services

C.

Use Device > Setup > Services > Service Route Configuration > Customize > Destination

D.

Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

Full Access
Question # 41

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

A.

High availability (HA)

B.

Layer 3

C.

Layer 2

D.

Tap

E.

Virtual Wire

Full Access
Question # 42

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.

Which option should the administrator use?

A.

Terminal Server Agent for User Mapping

B.

Windows-Based User-ID Agent

C.

PAN-OS Integrated User-ID Agent

D.

PAN-OS XML API

Full Access
Question # 43

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

A.

VirtualWire

B.

Layer3

C.

TAP

D.

Layer2

Full Access
Question # 44

‘SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www important-website com certificate, End-users are receiving the "security certificate is no: trusted” warning, Without SSL decryption, the web browser shows chat the website certificate is trusted and signet by well-known certificate chain Well-Known-intermediate and Wako Hebe CA Security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https:///www.very-import-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

A.

Install the Well-Known-intermediate-CA and Well:Known Root-CA certificates on all end-user systems in the user and local computer stores:

B.

Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate= and commit the configuration

C.

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA 2nd Well-Known-Root-CA select the Trusted Root CA check box, aid commit the configuration.

D.

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-known-Intermediate-CA and Well-Know5-Root-CA, Select the Trusted Root CA check box, and commit the configuration.

Full Access
Question # 45

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile configured named Management?

A.

Values in Chicago

B.

Values in efw01lab.chi

C.

Values in Datacenter

D.

Values in Global Settings

Full Access
Question # 46

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

A.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: Static IP / 172.16.15.1

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 172.16.15.10 -

Application: ssh

B.

NAT Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP / 172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

C.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP /172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

D.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: dynamic-ip-and-port / ethernet1/4

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

Full Access
Question # 47

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

A.

The profile rule action

B.

CVE column

C.

Exceptions lab

D.

The profile rule threat name

Full Access
Question # 48

An administrator wants to configure the Palo Alto Networks Windows User-D agent to map IP addresses to u: ‘The company uses four Microsoft Active ‘servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory in 192.168.28.22/128, and the Microsoft Exchange reside in 192,168.28 48/28. What the 0 the User

A.

network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.40/28 Exchange

B.

network 192.188 28 32/27 with server type Microsoft

C.

one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers

D.

the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers

Full Access
Question # 49

A firewall engineer is configuring quality of service (OoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

Which combination of pre-NAT and / or post-NAT information should be used in the QoS rule?

A.

Post-NAT source IP address Pre-NAT source zone

B.

Post-NAT source IP address Post-NAT source zone

C.

Pre-NAT source IP address Post-NAT source zone

D.

Pre-NAT source IP address Pre-NAT source zone

Full Access
Question # 50

Which new PAN-OS 11.0 feature supports IPv6 traffic?

A.

DHCPv6 Client with Prefix Delegation

B.

OSPF

C.

DHCP Server

D.

IKEv1

Full Access
Question # 51

A network security engineer is going to enable Zone Protection on several security zones How can the engineer ensure that Zone Protection events appear in the firewall's logs?

A.

Select the check box "Log packet-based attack events" in the Zone Protection profile

B.

No action is needed Zone Protection events appear in the threat logs by default

C.

Select the check box "Log Zone Protection events" in the Content-ID settings of the firewall

D.

Access the CLI in each firewall and enter the command set system setting additional-threat-log on

Full Access
Question # 52

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?

A.

Create a Group Mapping with 800 groups in the Group Include List.

B.

Create two Group Include Lists, each with 400 Active Directory groups.

C.

Create a Group Include List with the 800 Active Directory groups.

D.

Create two Group Mappings, each with 400 groups in the Group Include List.

Full Access
Question # 53

An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?

A.

Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

B.

Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

C.

Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

D.

Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

Full Access
Question # 54

An engineer reviews high availability (HA) settings to understand a recent HA failover event Review the screenshot below.

Which tuner determines how long the passive firewall will wart before taking over as the active firewall after losing communications with the HA peer?

A.

Additional Master Hold Up Time

B.

Promotion Hold Time

C.

Monitor Fail Hold Up Time

D.

Heartbeat Interval

Full Access
Question # 55

Which two are required by IPSec in transport mode? (Choose two.)

A.

Auto generated key

B.

NAT Traversal

C.

IKEv1

D.

DH-group 20 (ECP-384 bits)

Full Access
Question # 56

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

A.

User logon

B.

Push

C.

One-Time Password

D.

SSH key

E.

Short message service

Full Access
Question # 57

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

A.

It matches to the New App-IDs downloaded in the last 90 days.

B.

It matches to the New App-IDs in the most recently installed content releases.

C.

It matches to the New App-IDs downloaded in the last 30 days.

D.

It matches to the New App-IDs installed since the last time the firewall was rebooted.

Full Access
Question # 58

Which three authentication types can be used to authenticate users? (Choose three.)

A.

Local database authentication

B.

PingID

C.

Kerberos single sign-on

D.

GlobalProtect client

E.

Cloud authentication service

Full Access
Question # 59

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?

A.

Create a Group Mapping for the GlobalProtect Group.

B.

Enable Captive Portal on the expected source interfaces.

C.

Add the users to the proper Dynamic User Group.

D.

Enable User-ID on the expected trusted zones.

Full Access
Question # 60

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?

A.

1- Open the current log forwarding profile.

2. Open the existing match list for threat log type.

3. Define the filter.

4. Select the syslog forward method.

B.

1. Create a new log forwarding profile.

2. Add a new match list for threat log type.

3. Define the filter.

4. Select the Panorama and syslog forward methods.

C.

1. Open the current log forwarding profile.

2. Add a new match list for threat log type.

3. Define the filter.

4. Select the syslog forward method.

D.

1. Create a new log forwarding profile.

2. Add a new match list for threat log type.

3. Define the filter.

4. Select the syslog forward method.

Full Access
Question # 61

Which two components are required to configure certificate-based authentication to the web Ul when an administrator needs firewall access on a trusted interface'? (Choose two.)

A.

Server certificate

B.

SSL/TLS Service Profile

C.

Certificate Profile

D.

CA certificate

Full Access
Question # 62

A security engineer needs to mitigate packet floods that occur on a RSF servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

A.

DoS Protection profile

B.

Data Filtering profile

C.

Vulnerability Protection profile

D.

URL Filtering profile

Full Access
Question # 63

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

A.

Click the hyperlink for the Zero Access.Gen threat.

B.

Click the left arrow beside the Zero Access.Gen threat.

C.

Click the source user with the highest threat count.

D.

Click the hyperlink for the hotport threat Category.

Full Access
Question # 64

Which statement regarding HA timer settings is true?

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Full Access
Question # 65

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

A.

Voice

B.

Fingerprint

C.

SMS

D.

User certificate

E.

One-time password

Full Access
Question # 66

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

A.

upload-onlys

B.

install and reboot

C.

upload and install

D.

upload and install and reboot

E.

verify and install

Full Access
Question # 67

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)

A.

HTTPS

B.

SSH

C.

Permitted IP Addresses

D.

HTTP

E.

User-IO

Full Access
Question # 68

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

A.

UaCredlnstall64-11.0.0.msi

B.

GlobalProtect64-6.2.1.msi

C.

Talnstall-11.0.0.msi

D.

Ualnstall-11.0.0msi

Full Access
Question # 69

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?

A.

Application Groups

B.

Policy Optimizer

C.

Test Policy Match

D.

Config Audit

Full Access
Question # 70

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

A.

Minimum TLS version

B.

Certificate

C.

Encryption Algorithm

D.

Maximum TLS version

E.

Authentication Algorithm

Full Access
Question # 71

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available resulting in the server sharing MAT IP 198 51 100 B8 with another OMZ serve that uses IP address 192 168 19? 60 Firewall security and NAT rules have been configured The application team has confirmed mat the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 196 51 100 88 from 203.0.113.40 However it confirm a successful prig test to 198 51 100 88 Referring to the MAT configuration and traffic logs provided how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

A.

Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address." both external servers as "Destination Address." and Source Translation remaining as is with bidirectional option enabled

B.

Sharing a single NAT IP is possible for outbound connectivity not for inbound, therefore, a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.

C.

Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.

D.

Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.

Full Access
Question # 72

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)

A.

ICMP Drop

B.

TCP Drop

C.

SYN Random Early Drop

D.

TCP Port Scan Block

Full Access
Question # 73

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?

A.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. * Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source HIP profile. Enable GlobalProtect Gateway Agent for HIP Notification.

B.

Create Security Profiles for Antivirus and Anti-Spyware.

Create Security Profile Group that includes the Antivirus and Anti-Spyware profiles. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Gateway Agent for HIP Notification.

C.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Portal Agent for HIP Notification.

D.

Create Security Profiles for Antivirus and Anti-Spyware.

Create Security Profile Group that includes the Antivirus and Anti-Spyware profile. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that has the Profile Setting. Profile Type selected to Group. Enable GlobalProtect Portal Agent for HIP Notification.

Full Access
Question # 74

An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

A.

/content

B.

/software

C.

/piugins

D.

/license

E.

/opt

Full Access
Question # 75

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

A.

TCP Fast Open in the Strip TCP options

B.

Ethernet SGT Protection

C.

Stream ID in the IP Option Drop options

D.

Record Route in IP Option Drop options

Full Access
Question # 76

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

A.

ethernet1/6

B.

ethernet1/3

C.

ethernet1/7

D.

ethernet1/5

Full Access
Question # 77

PBF can address which two scenarios? (Choose two.)

A.

Routing FTP to a backup ISP link to save bandwidth on the primary ISP link

B.

Providing application connectivity the primary circuit fails

C.

Enabling the firewall to bypass Layer 7 inspection

D.

Forwarding all traffic by using source port 78249 to a specific egress interface

Full Access
Question # 78

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

A.

Application filter

B.

Application override policy rule

C.

Security policy rule

D.

Custom app

Full Access
Question # 79

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

A.

To comply with data privacy regulations, WildFire signatures and ver-dicts are not shared globally.

B.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

C.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

D.

The WildFire Global Cloud only provides bare metal analysis.

Full Access
Question # 80

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?

A.

It applies to existing sessions and is global.

B.

It applies to new sessions and is not global.

C.

It applies to existing sessions and is not global.

D.

It applies to new sessions and is global.

Full Access
Question # 81

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

A.

A Deny policy for the tagged traffic

B.

An Allow policy for the initial traffic

C.

A Decryption policy to decrypt the traffic and see the tag

D.

A Deny policy with the "tag" App-ID to block the tagged traffic

Full Access
Question # 82

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)

A.

External zones with the virtual systems added.

B.

Layer 3 zones for the virtual systems that need to communicate.

C.

Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate.

D.

Add a route with next hop next-vr by using the VR configured in the virtual system.

E.

Ensure the virtual systems are visible to one another.

Full Access
Question # 83

Which GloDalProtecI gateway setting is required to enable split-tunneting by access route, destination domain and application?

A.

Tunnel mode

B.

Satellite mode

C.

IPSec mode

D.

No Direct Access to local networks

Full Access
Question # 84

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

A.

Log Forwarding Profile is configured but not added to security rules in the data center firewall.

B.

HIP profiles are configured but not added to security rules in the data center firewall.

C.

User ID is not enabled in the Zone where the users are coming from in the data center firewall.

D.

HIP Match log forwarding is not configured under Log Settings in the device tab.

Full Access
Question # 85

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

A.

A web server certificate signed by the organization's PKI

B.

A self-signed certificate generated on the firewall

C.

A subordinate Certificate Authority certificate signed by the organization's PKI

D.

A web server certificate signed by an external Certificate Authority

Full Access
Question # 86

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.

The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors.

What is the recommended order of operational steps when upgrading?

A.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

B.

Upgrade the firewalls, upgrade log collectors, upgrade Panorama

C.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

D.

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

Full Access
Question # 87

What is the best description of the Cluster Synchronization Timeout (min)?

A.

The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

D.

The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

Full Access
Question # 88

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

A.

The User-ID agent is connected to a domain controller labeled lab-client

B.

The host lab-client has been found by a domain controller

C.

The host lab-client has been found by the User-ID agent.

D.

The User-ID aaent is connected to the firewall labeled lab-client

Full Access