Test title:
300-500

Description:
practice

Author:
AVATAR

Creation date:
29/06/2022

Category:
Others

Number of questions: 192
Contents:
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. IMAP HTTP FTP, SMB POP3,SMTP.
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. the default virtual router (If there is no default virtual router the engineer must create one during setup) the virtual router that routes the traffic that the Decryption Broker security chain inspects a virtual router that is configured with at least one dynamic routing protocol and has at least one entry in the RIB a virtual router that has no additional interfaces for passing data-plane traffic and no other configured routes than those used for the security chain.
A customer wants to spin their session load equally across two SD-WAN-enabled interfaces. Where would you configure this setting? SD-WAN Interface profile ECMP setting on virtual router Path Quality profile Traffic Distribution profile.
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority. Match the default Administrative Distances for each routing protocol. Static OSPF External EBGP RIP.
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum amount of bandwidth the administrator could configure at the compute location? 90Mbps 300Mbps 75Mbps 50Mbps.
What is the function of a service route? The service route is the method required to use the firewall's management plane to provide services to applications The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address Service routes provide access to external services such as DNS servers external authentication servers or Palo Alto Networks services like the Customer Support Portal.
A user at an internal system queries the DNS server for their web server with a private IP of 10.250.241.131 in the webserver. The DNS server returns an address of the web server's public address 200.1.1.10. In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall? NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security Rule: Source Zone: Trust-L3 Source IP Any Destination Zone: DMZ Destination IP: 200.1.1.10 NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security Rule: Source Zone: Trust-L3 Source IP Any Destination Zone: DMZ Destination IP: 200.1.1.10 NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security Rule: Source Zone: Untrust-L3 Source IP Any Destination Zone: DMZ Destination IP: 200.1.1.10 NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security Rule: Source Zone: Untrust-L3 Source IP Any Destination Zone: DMZ Destination IP: 200.1.1.10.
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive? Layer 3 Virtual Wire Tap Layer 2.
When planning to configure SSL Forward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with Palo Alto Networks best practices. What should you recommend? Enable SSL decryption for known malicious source IP addresses Enable SSL decryption for source users and known malicious URL categories Enable SSL decryption for malicious source users Enable SSL decryption for known malicious destination IP addresses.
Where is information about packet buffer protection logged? Alert entries are in the Alarms log Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log All entries are in the System log Alert entries are in the System log Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log All entries are in the Alarms log.
Which statement regarding HA timer settings is true? Use the Recommended profile for typical failover timer settings Use the Moderate profile for typical failover timer settings Use the Aggressive profile for slower failover timer settings. Use the Critical profile for faster failover timer settings.
A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment. They want to ensure that they know as much as they can about QoS before deploying. Which statement about the QoS feature is correct? QoS is only supported on firewalls that have a single virtual system configured QoS can be used in conjunction with SSL decryption QoS is only supported on hardware firewalls QoS can be used on firewalls with multiple virtual systems configured.
Which GlobalProtect component must be configured to enable Clientless VPN? GlobalProtect satellite GlobalProtect app GlobalProtect portal GlobalProtect gateway.
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app? Failed to connect to server at port:4767 The PanGPS process failed to connect to the PanGPA process on port 4767 The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767 The PanGPA process failed to connect to the PanGPS process on port 4767 The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767.
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain? a Security policy with 'known-user' selected in the Source User field an Authentication policy with 'unknown' selected in the Source User field a Security policy with 'unknown' selected in the Source User field an Authentication policy with 'known-user' selected in the Source User field.
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts? within the log settings option in the Device tab within the log forwarding profile attached to the Security policy rule in WildFire General Settings, select "Report Grayware Files" in Threat General Settings, select "Report Grayware Files".
Which protocol is supported by GlobalProtect Clientless VPN? HTTPS FTP RDP SSH.
Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.) The environment requires real, full-time redundancy from both firewalls at all times The environment requires Layer 2 interfaces in the deployment The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence The environment requires that all configuration must be fully synchronized between both members of the HA pair The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes.
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured A master device with Group Mapping configured must be set in the device group where the Security rules are configured User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings A User-ID Certificate profile must be configured on Panorama.
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface. What are three supported functions on the VWire interface? (Choose three.) NAT QoS IPSec OSPF SSL Decryption.
What is considered the best practice with regards to zone protection? Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs If the levels of zone and DoS protection consume too many firewall resources, disable zone protection Set the Alarm Rate threshold for event-log messages to high severity or critical severity.
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue? IPSec crypto profile mismatch IPSec protocol mismatch mismatched Proxy-IDs bad local and peer identification IP addresses in the IKE gateway.
When you navigate to Network > GlobalProtect > Portals > Method section, which three options are available? (Choose three.) user-logon (always on) pre-logon then on-demand on-demand (manual user initiated connection) post-logon (always on) certificate-logon.
When using certificate authentication for firewall administration, which method is used for authorization? Radius LDAP Kerberos Local.
What best describes the HA Promotion Hold Time? the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again.
A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled: - Prisma Access for Remote Networks 300Mbps - Prisma Access for Mobile Users 1500 Users - Cortex Data Lake 2TB - Trusted Zones trust - Untrusted Zones untrust - Parent Device Group shared How can you configure Prisma Access to provide the same level of access as the current VPN solution? Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet.
Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given this scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks? PAN-OS integrated agent Captive Portal Citrix terminal server agent with adequate data-plane resources Windows-based User-ID agent on a standalone server.
An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID? Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory.
An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority? Create the appropriate rules with a Block action and apply them at the top of the Default Rules Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules.
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue? Specify the target device as the master device in the device group Enable "Share Unused Address and Service Objects with Devices" in Panorama settings Add the template as a reference template in the device group Add a firewall to both the device group and the template.
Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.) DoS Protection policy QoS Profile Zone Protection Profile DoS Protection Profile.
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application? No Direct Access to local networks Satellite mode Tunnel mode IPSec mode.
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy? Add the policy in the shared device group as a pre-rule Reference the targeted device's templates in the target device group Add the policy to the target device group and apply a master device to the device group Clone the security policy and add it to the other device groups.
Drag and Drop Question Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack. Application-based attack protocol-based attack volumetric attack.
A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices. To install the certificate and key for an endpoint, which three components are required? (Choose three.) server certificate local computer store private key self-signed certificate machine certificate.
You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application? Create an Application Group and add Office 365, Evernote Google Docs and Libre Office Create an Application Group and add business-systems to it. Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory. Create an Application Filter and name it Office Programs then filter on the business-systems category.
Refer to the diagram. An administrator needs to create an address object that will be useable by the NYC, MA, CA and WA device groups. Where will the object need to be created within the device-group hierarchy? Americas US East West.
Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.) inherit address-objects from templates define a common standard template configuration for firewalls standardize server profiles and authentication configuration across all stacks standardize log-forwarding profiles for security policies across all stacks.
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel? The User-ID agent is connected to a domain controller labeled lab-client. The host lab-client has been found by the User-ID agent. The host lab-client has been found by a domain controller. The User-ID agent is connected to the firewall labeled lab-client.
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project? Create a Dynamic Admin with the Panorama Administrator role Create a Custom Panorama Admin Create a Device Group and Template Admin Create a Dynamic Read only superuser.
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software. Why did the bootstrap process fail for the VM-Series firewall in Azure? All public cloud deployments require the /plugins folder to support proper firewall native integrations The /content folder is missing from the bootstrap package The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing The /config or /software folders were missing mandatory files to successfully bootstrap.
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice? action 'reset-both' and packet capture 'extended-capture' action 'default' and packet capture 'single-packet' action 'reset-both' and packet capture 'single-packet' action 'reset-server' and packet capture 'disable'.
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama. Which action would enable the firewalls to send their pre-existing logs to Panorama? Use the import option to pull logs. Export the log database Use the scp logdb export command Use the ACC to consolidate the logs.
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram? IP Netmask IP Wildcard Mask IP Address IP Range.
What are two best practices for incorporating new and modified App-IDs? (Choose two.) Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs Configure a security policy rule to allow new App-IDs that might have network-wide impact Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs Study the release notes and install new App-IDs if they are determined to have low impact.
An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs? Traffic Logs System Logs Session Browser You cannot find failover details on closed sessions.
To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices. You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers. Given the scenario, choose the option for sending IP address-to-username mappings to the firewall UID redistribution RADIUS syslog listener XFF headers.
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file? Threat log Data Filtering log WildFire Submissions log URL Filtering log.
A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled - Prisma Access for Remote Networks: 300Mbps - Prisma Access for Mobile Users: 1500 Users - Cortex Data Lake: 2TB - Trusted Zones : trust - Untrusted Zones : untrust - Parent Device Group : shared What must be configured on Prisma Access to provide connectivity to the resources in the datacenter? Configure a mobile user gateway in the region closest to the datacenter to enable connectivity to the datacenter Configure a remote network to provide connectivity to the datacenter Configure Dynamic Routing to provide connectivity to the datacenter Configure a service connection to provide connectivity to the datacenter.
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.) High Medium Critical Informational Low.
A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall? Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates" Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates".
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway? It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway It stops the tunnel-establishment processing to the GlobalProtect gateway immediately It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
An engineer is creating a security policy based on Dynamic User Groups (DUG). What benefit does this provide? Automatically include users as members without having to manually create and commit policy or group changes DUGs are used to only allow administrators access to the management interface on the Palo Alto Networks firewall It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based policies Schedule commits at regular intervals to update the DUG with new users matching the tags specified.
Which two statements are true for the DNS Security service? (Choose two.) It eliminates the need for dynamic DNS updates It functions like PAN-DB and requires activation through the app portal It removes the 100K limit for DNS entries for the downloaded DNS updates It is automatically enabled and configured.
Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two). Zone Protection Profiles protect ingress zones Zone Protection Profiles protect egress zones DoS Protection Profiles are packet-based, not signature-based DoS Protection Profiles are linked to Security policy rules.
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes? review the configuration logs on the Monitor tab click Preview Changes under Push Scope use Test Policy Match to review the policies in Panorama context-switch to the affected firewall and use the configuration audit tool.
What are two valid deployment options for Decryption Broker? (Choose two) Transparent Bridge Security Chain Layer 3 Security Chain Layer 2 Security Chain Transparent Mirror Security Chain.
Which benefit do policy rule UUIDs provide? functionality for scheduling policy actions the use of user IP mapping and groups in policies cloning of policies between device-groups an audit trail across a policy's lifespan.
Drag and Drop Question Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order. Installer or IT administrator register ZTP firewalls by adding them to Panorama using firewall serial number and claim key. After connecting to the internet, the ZTP firewalls request a device certificate from the CSP in order to connect to the ZTP service. The ZTP firewalls connect to Panorama and the device group and template configurations are pushed from Panorama to the ZTP firewalls. The ZTP service pushes the Panorama IP or FQDN to the ZTP firewalls. Panorama registers the firewalls with the CSP. After the firewalls are successfully registered, the firewall is associated with the same ZTP tenant as the Panorama in the ZTP service.
Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection? Layer 3 Layer 2 Tap Decryption Mirror.
A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.) Authentication Algorithm Encryption Algorithm Certificate Maximum TLS version Minimum TLS version.
An administrator's device-group commit push is failing due to a new URL category. How should the administrator correct this issue? update the Firewall Apps and Threat version to match the version of Panorama change the new category action to "alert" and push the configuration again ensure that the firewall can communicate with the URL cloud verify that the URL seed file has been downloaded and activated on the firewall.
Which three statements correctly describe Session 380280? (Choose three.) The application was initially identified as "ssl." The session has ended with the end-reason "unknown." The session did not go through SSL decryption processing. The application shifted to "web-browsing." The session went through SSL decryption processing.
What are three reasons why an installed session can be identified with the "application incomplete" tag? (Choose three.) There was no application data after the TCP connection was established. The client sent a TCP segment with the PUSH flag set The TCP connection was terminated without identifying any application data. There is not enough application data after the TCP connection was established. The TCP connection did not fully establish.
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods? Vulnerability Protection profile DoS Protection profile Data Filtering profile URL Filtering profile.
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)? Phase 2 SAs are synchronized over HA2 links. Phase 1 and Phase 2 SAs are synchronized over HA2 links. Phase 1 SAs are synchronized over HA1 links. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
What is a key step in implementing WildFire best practices? Configure the firewall to retrieve content updates every minute. Ensure that a Threat Prevention subscription is active. In a mission-critical network, increase the WildFire size limits to the maximum value. In a security-first network, set the WildFire size limits to the minimum value.
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed? Preview Changes Policy Optimizer Managed Devices Health Test Policy Match.
In a template, you can configure which two objects? (Choose two.) Monitor profile application group SD-WAN path quality profile IPsec tunnel.
In URL filtering, which component matches URL patterns? live URL feeds on the management plane security processing on the data plane single-pass pattern matching on the data plane signature matching on the data plane.
Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process? removing the Panorama serial number from the ZTP service performing a factory reset of the firewall performing a local firewall commit removing the firewall as a managed device in Panorama.
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate? show system setting ssl-decrypt certs show system setting ssl-decrypt certificate debug dataplane show ssl-decrypt ssl-stats show system setting ssl-decrypt certificate-cache.
Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks. How can the issue be corrected? Override the value on the NYCFW template. Override a template value using a template stack variable Override the value on the Global template Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing? show session all filter ssl-decryption yes total-count yes show session all ssl-decrypt yes count yes show session all filter ssl-decrypt yes count yes show session filter ssl-decryption yes total-count yes.
What is the function of a service route? The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address. The service route is the method required to use the firewall's management plane to provide services to applications. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements. What is the correct setting? Change the HA timer profile to "user-defined" and manually set the timers. Change the HA timer profile to "fast". Change the HA timer profile to "aggressive" or customize the settings in advanced profile. Change the HA timer profile to "quick" and customize in advanced profile.
An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer? Configure a remote network on PAN-OS Upgrade to a PAN-OS SD-WAN subscription Configure policy-based forwarding Deploy Prisma SD-WAN with Prisma Access.
How can packet buffer protection be configured? at zone level to protect firewall resources and ingress zones, but not at the device level at the interface level to protect firewall resources at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level at the device level (globally) and, if enabled globally, at the zone level.
A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama. Which configuration is necessary to retrieve groups from Panorama? Configure an LDAP Server profile and enable the User-ID service on the management interface. Configure a group mapping profile to retrieve the groups in the target template. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents. Configure a master device within the device groups.
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available. This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing? WildFire logs System logs Threat logs Traffic logs.
A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.) certificate authority (CA) certificate server certificate client certificate certificate profile.
What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies? Traffic is dropped because there is no matching SD-WAN policy to direct traffic. Traffic matches a catch-all policy that is created through the SD-WAN plugin. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information. However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD. How can policies based on group mapping be learned and enforced in Prisma Access? Configure Prisma Access to learn group mapping via SAML assertion. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access. Assign a master device in Panorama through which Prisma Access learns groups. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA? Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy. Configure a Captive Portal authentication policy that uses an authentication sequence. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.
In a device group, which two configuration objects are defined? (Choose two.) DNS Proxy address groups SSL/TLS profiles URL Filtering profiles.
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file? Threat log Data Filtering log WildFire Submissions log URL Filtering log.
A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the following options and licenses were selected and enabled: - Prisma Access for Remote Networks: 300Mbps - Prisma Access for Mobile Users: 1500 Users - Cortex Data Lake: 2TB - Trusted Zones: trust - Untrusted Zones: untrust - Parent Device Group: shared The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users. Which two settings must the customer configure? (Choose two.) Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server. Configure Cortex Data Lake log forwarding and add the Splunk syslog server. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group.
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.) Permitted IP Addresses SSH HTTPS User-ID HTTP.
Which two features require another license on the NGFW? (Choose two.) SSL Inbound Inspection SSL Forward Proxy Decryption Mirror Decryption Broker.
What are three types of Decryption Policy rules? (Choose three.) SSL Inbound Inspection SSH Proxy SSL Forward Proxy Decryption Broker Decryption Mirror.
When setting up a security profile, which three items can you use? (Choose three.) Wildfire analysis anti-ransomware antivirus URL filtering decryption profile.
What are three reasons for excluding a site from SSL decryption? (Choose three.) the website is not present in English unsupported ciphers certificate pinning unsupported browser version mutual authentication.
An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure? To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. The WildFire Global Cloud only provides bare metal analysis.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama? Address Objects - Shared Address1 - Branch Address1 Policies - Shared Policy1 - Branch Policy1 Address Objects - Shared Address1 - Shared Address2 - Branch Address1 Policies - Shared Policy1 - Shared Policy2 - Branch Policy1 Address Objects - Shared Address1 - Shared Address2 - Branch Address1 - DC Address1 Policies - Shared Policy1 - Shared Policy2 - Branch Policy1 Address Objects - Shared Address1 - Shared Address2 - Branch Address1 Policies - Shared Policy1 - Branch Policy1.
An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message? Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure. Check whether the VPN peer on one end is set up correctly using policy-based VPN. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken? Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks. Add a WildFire subscription to activate DoS and zone protection features. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.
Drag and Drop Question Place the steps in the WildFire process workflow in their correct order. The firewall hashes the file and looks up a verdict in the WildFire database. However, the firewall does not find a match. WildFire uses static analysis based on machine learning to analyze the file, in order to classify malicious features Regardless of the verdict, WildFire uses a heuristic engine to examine the file and determines that the file exhibits suspicious behavior WildFire generates a new DNS, URL, categorization, and antivirus signatures for the new threat.
Drag and Drop Question Please match the terms to their corresponding definitions. management plane signature matching security processing network processing.
Drag and Drop Question Match each GlobalProtect component to the purpose of that component. GlobalProtect Gateway GlobalProtect Clientless GlobalProtect Portal GlobalProtect App.
Drag and Drop Question Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack. application-based attack protocol-based attack volumetric attack.
Drag and Drop Question Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment. Upload or drag and drop the technical support file. Map the zone type and area of the architecture to each zone. Follow the steps to download the BPA report bundle.
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data? Monitor > Utilization Resources Widget on the Dashboard Support > Resources Application Command and Control Center.
Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not? Yes, because the action is set to "allow" No because WildFire categorized a file with the verdict "malicious" Yes because the action is set to "alert" No because WildFire classified the severity as "high".
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known? PAN-OS integrated User-ID agent LDAP Server Profile configuration GlobalProtect Windows-based User-ID agent.
Before you upgrade a Palo Alto Networks NGFW what must you do? Make sure that the PAN-OS support contract is valid for at least another year Export a device state of the firewall Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions Make sure that the firewall is running a supported version of the app + threat update.
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route. What are two reasons why the firewall might not use a static route? (Choose two.) no install on the route duplicate static route path monitoring on the static route disabling of the static route.
During SSL decryption, which three factors affect resource consumption? (Choose three.) TLS protocol version transaction size key exchange algorithm applications that use non-standard ports certificate issuer.
An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration? > ftp export mgmt-pcap from mgmt.pcap to <FTP host> > scp export mgmt-pcap from mgmt.pcap to (username@host:path) > scp export poap-mgmt from poap.mgmt to (username@host:path) > scp export pcap from pcap to (username@host:path).
A variable name must start with which symbol? $ & ! #.
When setting up a security profile, which three items can you use? (Choose three.) WildFire analysis anti-ransomware antivirus URL filtering decryption profile.
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection? link state stateful firewall connection certificates profiles.
Given the following configuration, which route is used for destination 10.10.0.4? Route 4 Route 3 Route 1 Route 2.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three ) Destination Zone App-ID Custom URL Category User-ID Source Interface.
What are two characteristic types that can be defined for a variable? (Choose two) zone FQDN path group IP netmask.
As a best practice, which URL category should you target first for SSL decryption? Online Storage and Backup High Risk Health and Medicine Financial Services.
Which three statements accurately describe Decryption Mirror? (Choose three.) Decryption Mirror requires a tap interface on the firewall Decryption, storage, inspection and use of SSL traffic are regulated in certain countries Only management consent is required to use the Decryption Mirror feature You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization? Protection against unknown malware can be provided in near real-time WildFire and Threat Prevention combine to provide the utmost security posture for the firewall After 24 hours WildFire signatures are included in the antivirus update WildFire and Threat Prevention combine to minimize the attack surface.
Drag and Drop Question Match each SD-WAN configuration element to the description of that element. SD-WAN interface profile Path Quality profile Traffic Distribution profile SD-WAN policy rule.
A traffic log might list an application as "not-applicable" for which two reasons? (Choose two.) The firewall did not install the session The TCP connection terminated without identifying any application data The firewall dropped a TCP SYN packet There was not enough application data after the TCP connection was established.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.) variables template stacks collector groups virtual systems.
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN) www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following? Enterprise-Untrusted-CA, which is a self-signed CA Enterprise-Trusted-CA, which is a self-signed CA Enterprise-Intermediate-CA, which was, in turn, issued by Enterprise-Root-CA Enterprise-Root-CA, which is a self-signed CA.
In a security-first network what is the recommended threshold value for content updates to be dynamically updated? 1 to 4 hours 6 to 12 hours 24 hours 36 hours.
PBF can address which two scenarios? (Select Two) forwarding all traffic by using source port 78249 to a specific egress interface providing application connectivity the primary circuit fails enabling the firewall to bypass Layer 7 inspection routing FTP to a backup ISP link to save bandwidth on the primary ISP link.
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN preconfigured configuration would adapt to changes when deployed to the future site? IPsec tunnels using IKEv2 PPTP tunnels GlobalProtect satellite GlobalProtect client.
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three) configure a device block list rename a vsys on a multi-vsys firewall enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode add administrator accounts change the firewall management IP address.
Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users. Which method can capture IP-to-user mapping information for users on the Linux machines? You can configure Captive Portal with an authentication policy. IP-to-user mapping for Linux users can only be learned if the machine is joined to the domain. You can set up a group-based security policy to restrict internet access based on group membership You can deploy the User-ID agent on the Linux desktop machines.
The UDP-4501 protocol-port is used between which two GlobalProtect components? GlobalProtect app and GlobalProtect gateway GlobalProtect portal and GlobalProtect gateway GlobalProtect app and GlobalProtect satellite GlobalProtect app and GlobalProtect portal.
In a firewall, which three decryption methods are valid? (Choose three.) SSL Inbound Inspection SSL Outbound Proxyless Inspection SSL Inbound Proxy Decryption Mirror SSH Proxy.
Which CLI command displays the physical media that are connected to ethernet1/8? > show system state filter-pretty sys.s1.p8.stats > show interface ethernet1/8 > show system state filter-pretty sys.s1.p8.phy > show system state filter-pretty sys.s1.p8.med.
When you configure an active/active high availability pair which two links can you use? (Choose two) HA2 backup HA3 Console Backup HSCI-C.
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption? Obtain an enterprise CA-signed certificate for the Forward Trust certificate Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate Use an enterprise CA-signed certificate for the Forward Untrust certificate Use the same Forward Trust certificate on all firewalls in the network.
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate? Forward-Untrust-Certificate Forward-Trust-Certificate Firewall-CA Firewall-Trusted-Root-CA.
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour's routing table. Which two configurations should you check on the firewall? (Choose two.) Within the redistribution profile ensure that Redist is selected In the redistribution profile check that the source type is set to "ospf" In the OSPF configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section Ensure that the OSPF neighbor state is "2-Way".
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?.
When overriding a template configuration locally on a firewall, what should you consider? Only Panorama can revert the override Panorama will lose visibility into the overridden configuration Panorama will update the template with the overridden value The firewall template will show that it is out of sync within Panorama.
Use the image below. If the firewall has the displayed link monitoring configuration, what will cause a failover? ethernet1/3 and ethernet1/6 going down ethernet1/3 going down ethernet1/6 going down ethernet1/3 or ethernet1/6 going down.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.) wildcard server certificate enterprise CA certificate client certificate server certificate self-signed CA certificate.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use? certificate authority (CA) certificate client certificate machine certificate server certificate.
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.) The /config, /content and /software folders are mandatory while the /license and /plugin folders are optional The bootstrap package is stored on an AFS share or a discrete container file bucket The directory structure must include a /config, /content, /software and /license folders The init-cfg.txt and bootstrap.xml files are both optional configuration items for the /config folder The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces? (Choose two) A single transparent bridge security chain is supported per pair of interfaces L3 security chains support up to 32 security chains L3 security chains support up to 64 security chains A single transparent bridge security chain is supported per firewall.
An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause? Panorama has no connection to Palo Alto Networks update servers Panorama does not have valid licenses to push the dynamic updates No service route is configured on the firewalls to Palo Alto Networks update servers Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
Which Panorama objects restrict administrative access to specific device-groups? templates admin roles access domains authentication profiles.
Which configuration task is best for reducing load on the management plane? Disable logging on the default deny rule Enable session logging at start Disable pre-defined reports Set the URL filtering action to send alerts.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic? Disable HA Disable the HA2 link Disable config sync Set the passive link state to 'shutdown'.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)? Upgrade directly to the target major version Upgrade one major version at a time Upgrade the HA pair to a base image Upgrade two major versions at a time.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization? Config Audit Policy Optimizer Application Groups Test Policy Match.
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow? Layer 2 security chain Layer 3 security chain Transparent Bridge security chain Transparent Proxy security chain.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature? not-applicable incomplete unknown-ip unknown-udp.
In a Panorama template which three types of objects are configurable? (Choose three) HIP objects QoS profiles interface management profiles certificate profiles security profiles.
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email? exploitation IP command and control delivery reconnaissance.
Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to: respond to changes in user behaviour or potential threats using manual policy changes respond to changes in user behaviour or potential threats without manual policy changes respond to changes in user behaviour or potential threats without automatic policy changes respond to changes in user behaviour and confirmed threats with manual policy changes.
What file type upload is supported as part of the basic WildFire service? ELF BAT PE VBS.
What is the maximum number of samples that can be submitted to WildFire manually per day? 1,000 2,000 5,000 15,000.
On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys? 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3. Select Import Private key 4. Click Generate to generate the new certificate 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export.
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration? &Panorama @Panorama $Panorama #Panorama.
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file system NTFS and the initial configuration is stored in a file named init-cfg.txt. The contents of init-cfg.txt in the USB flash drive are as follows: The USB flash drive has been inserted in the firewall's USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused because: the bootstrap.xml file is a required file, but it is missing init-cfg.txt is an incorrect filename, the correct filename should be init-cfg.xml The USB must be formatted using the ext4 file system There must be commas between the parameter names and their values instead of the equal symbols The USB drive has been formatted with an unsupported file system.
An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select? default-no-captive-portal default-authentication-bypass default-browser-challenge default-web-form.
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows: The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted using command: > request restart system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because: The bootstrap.xml file is a required file, but it is missing Firewall must be in factory default state or have all private data deleted for bootstrapping The hostname is a required parameter, but it is missing in init-cfg.txt PAN-OS version must be 9.1.x at a minimum, but the firewall is running 10.0.x The USB must be formatted using the ext3 file system. FAT32 is not supported.
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure PBP (Protocol Based Protection) BGP (Border Gateway Protocol) PGP (Packet Gateway Protocol) PBP (Packet Buffer Protection).
How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect? by adding the device's Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook by using security policies, log forwarding profiles, and log settings there is no native auto-quarantine feature so a custom script would need to be leveraged.
What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image? ethernet1/7 ethernet1/5 ethernet1/6 ethernet1/3.
Which three items are important considerations during SD-WAN configuration planning? (Choose three.) branch and hub locations link requirements the name of the ISP IP Addresses.
Which option describes the operation of the automatic commit recovery feature? It enables a firewall to revert to the previous configuration if rule shadowing is detected. It enables a firewall to revert to the previous configuration if application dependency errors are found. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.
SD-WAN is designed to support which two network topology types? (Choose two.) point-to-point hub-and-spoke full-mesh ring.
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.) log forwarding auto-tagging XML API GlobalProtect agent User-ID Windows-based agent.
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.) Successful GlobalProtect Deployed Activity GlobalProtect Deployment Activity Successful GlobalProtect Connection Activity GlobalProtect Quarantine Activity.
Panorama provides which two SD-WAN functions? (Choose two.) network monitoring control plane data plane physical network links.
Which two events trigger the operation of automatic commit recovery? (Choose two.) when an aggregate Ethernet interface component fails when Panorama pushes a configuration when a firewall HA pair fails over when a firewall performs a local commit.
Which three items are important considerations during SD-WAN configuration planning? (Choose three.) link requirements the name of the ISP IP Addresses branch and hub locations.
Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.) On the App Dependency tab in the Commit Status window On the Application tab in the Security Policy Rule creation window On the Objects > Applications browsers pages On the Policy Optimizer's Rule Usage page.
Starting with PAN-OS version 9.1, Global logging information is now recorded in which firewall log? Authentication GlobalProtect Configuration System.
Which three split tunnel methods are supported by a GlobalProtect Gateway? video streaming application Client Application Process Destination Domain Source Domain Destination user/group URL Category.
Based on the image, what caused the commit warning? The CA certificate for FWDtrust has not been imported into the firewall. The FWDtrust certificate has not been flagged as Trusted Root CA. SSL Forward Proxy requires a public certificate to be imported into the firewall. The FWDtrust certificate does not have a certificate chain.
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong? A Certificate Profile that contains the client certificate needs to be selected. The source address supports only files hosted with an ftp://<address/file>. External Dynamic Lists do not support SSL connections. A Certificate Profile that contains the CA certificate needs to be selected.
In the following image from Panorama, why are some values shown in red? sg2 session count is the lowest compared to the other managed devices. us3 has a logging rate that deviates from the administrator-configured thresholds. uk3 has a logging rate that deviates from the seven-day calculated baseline. sg2 has misconfigured session thresholds.
Which is not a valid reason for receiving a decrypt-cert-validation error? Unsupported HSM Unknown certificate status Client authentication Untrusted issuer.
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.) Rule Usage Hit counter will not be reset. Highlight Unused Rules will highlight all rules. Highlight Unused Rules will highlight zero rules. Rule Usage Hit counter will reset.
Which statement accurately describes service routes and virtual systems? Virtual systems can only use one interface for all global service and service routes of the firewall The interface must be used for traffic to the required external services Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall.
An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted? There must be a certificate with both the Forward Trust option and Forward Untrust option selected A Decryption profile must be attached to the Decryption policy that the traffic matches A Decryption profile must be attached to the Security policy that the traffic matches There must be a certificate with only the Forward Trust option selected.
Which rule type controls end user SSL traffic to external websites? SSL Outbound Proxyless Inspection SSL Forward Proxy SSL Inbound Inspection SSH Proxy.
An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version. What is considered best practice for this scenario? Perform the Panorama and firewall upgrades simultaneously Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version Upgrade Panorama to a version at or above the target firewall version Export the device state, perform the update, and then import the device state.
When you configure a Layer 3 interface, what is one mandatory step? Configure Security profiles, which need to be attached to each Layer 3 interface Configure Interface Management profiles, which need to be attached to each Layer 3 interface Configure virtual routers to route the traffic for each Layer 3 interface Configure service routes to route the traffic for each Layer 3 interface.
An administrator wants to enable zone protection. Before doing so, what must the administrator consider? Activate a zone protection subscription. To increase bandwidth, no more than one firewall interface should be connected to a zone Security policy rules do not prevent lateral movement of traffic between zones The zone protection profile will apply to all interfaces within that zone.
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes? The interface must be used for traffic to the required services You must enable DoS and zone protection You must set the interface to Layer 2, Layer 3, or virtual wire You must use a static IP address.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.) the website matches a high-risk category the web server requires mutual authentication the website matches a sensitive category.
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data? Monitor > Utilization Resources Widget on the Dashboard Support > Resources Application Command and Control Center.
An organization's administrator has the funds available to purchase more firewalls to increase the organization's security posture. The partner SE recommends placing the firewalls as close as possible to the resources that they protect. Is the SE's advice correct, and why or why not? No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle, independent of placement. Yes. Firewalls are session-based, so they do not scale to millions of CPS. No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network. Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems.
Which statement is true regarding a Best Practice Assessment? It shows how your current configuration compares to Palo Alto Networks recommendations It runs only on firewalls When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay? OSPFv3 BGP OSPF RIP.
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed? Allow the firewall to block the sites to improve the security posture Add the sites to the SSL Decryption Exclusion list to exempt them from decryption Install the unsupported cipher into the firewall to allow the sites to be decrypted Create a Security policy to allow access to those sites.
What is the best description of the HA4 Keep-Alive Threshold (ms)? the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional. The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.) certificate profile server certificate SSH Service Profile SSL/TLS Service Profile.