PA4
Test title: PA4. Description: PA Professional

A customer is adopting Microsoft Office 365 but is concerned about the potential security exposure that such a move could mean. The security analyst suggests using Aperture and the Palo Alto Networks firewall together to provide data and network security. What are the two reasons this solution has been suggested? (Choose two.)
- The firewall secures data in transit between the network and the cloud.
- Aperture prevents users from using non-sanctioned SaaS applications.
- The firewall scans data that resides in the cloud for malware.
- Aperture scans data that resides in the cloud for sensitive information.

Which license is required to receive weekly dynamic updates to the correlation objects on the firewall and Panorama?
- WildFire on the firewall, and AutoFocus on Panorama.
- URL Filtering on the firewall, and MindMeld on Panorama.
- Threat Prevention on the firewall, and Support on Panorama.
- GlobalProtect on the firewall, and Threat Prevention on Panorama.

What are two advantages of the DNS Sinkholing feature? (Choose two.)
- It can be deployed independently of an Anti-Spyware profile.
- It monitors DNS requests passively for malware domains.
- It can work upstream from the internal DNS server.
- It forges DNS replies to known malicious domains.

Which Palo Alto Networks security platform component should an administrator use to extend policies to remote users who are not connecting to the internet from behind a firewall?
- Threat Intelligence Cloud.
- Traps.
- GlobalProtect.
- Aperture.

A specific URL keeps appearing in URL Filtering log entries. It was blocked successfully, but the administrator would like to investigate further. In which two ways would AutoFocus help this administrator? (Choose two.)
- Generate a list of IP addresses for use in Dynamic Address Groups on the firewall.
- Identify malicious files associated with this URL.
- Generate a correlation object that can be used to monitor associated activities.
- Identify malware campaigns associated with this URL.

How do Highly Suspicious artifacts in AutoFocus help identify when an unknown, potentially zero-day, targeted attack occurs, so that the security posture can be adjusted?
- Highly Suspicious artifacts are associated with High Risk payloads that are inflicting massive amounts of damage on end customers.
- All High Risk artifacts are automatically classified as Highly Suspicious.
- Highly Suspicious artifacts are High Risk artifacts that have been seen in very few samples.
- Highly Suspicious artifacts have been seen infecting a broad, significant range of companies.

What is the HA limitation specific to the PA-200 appliance?
- It can be deployed in either an active/passive or active/active HA pair.
- It can only synchronize configurations and does not support session synchronization.
- It has dedicated HA1 and HA2 ports, but no HA3.
- It is the only Palo Alto Networks firewall that does not have any HA capabilities.

How many recursion levels are supported for compressed files in PAN-OS 8.0?
- 2
- 5
- 4
- 3

A customer is seeing an increase in the number of malicious files coming in from undetectable sources in their network. These files include .doc and .pdf file types. The customer believes that someone has clicked an email that might have contained a malicious file type. The customer already uses a firewall with User-ID enabled. Which feature must also be enabled to prevent these attacks?
- WildFire.
- App-ID.
- Custom App-ID rules.
- Content Filtering.

Which two components must be configured within User-ID on a newly implemented firewall? (Choose two.)
- Group Mapping.
- 802.1X Authentication.
- Proxy Authentication.
- User Mapping.

When a customer creates a new SLR report, what is the first step in generating a proper SLR report once logged in to the Partner Portal?
- Click the Track my deals button to view your open Opportunities.
- Scroll down and click the New Security Lifecycle Review button.
- Click the Select files... button, find the relevant statsdump file on your local machine, and click Upload.
- Select the appropriate Opportunity.

Which three items contain information about Command and Control (C&C) hosts? (Choose three.)
- Threat logs.
- Data Filtering logs.
- Botnet reports.
- SaaS reports.
- WildFire analysis reports.

Which option is required to activate/retrieve a Device Management License on the M-100 appliance after the auth codes have been activated on the Palo Alto Networks Support site?
- Generate a Tech Support File and call PANTAC.
- Select Device > Licenses and click Activate feature using authorization code.
- Select Panorama > Licenses and click Activate feature using authorization code.
- Generate a State Dump File and upload it to the Palo Alto Networks support portal.

What are three considerations when deploying User-ID? (Choose three.)
- Enable WMI probing in high-security networks.
- User-ID can support a maximum of 15 hops.
- Specify included and excluded networks when configuring User-ID.
- Use a dedicated service account for User-ID services with the minimal permissions necessary.
- Only enable User-ID on trusted zones.

A price-sensitive customer wants to prevent attacks on a Windows 2008 virtual server. The server will max out at 100 Mbps but needs 45,000 sessions to connect to multiple hosts within a data center. Which VM instance should be used to secure the network for this customer?
- VM-200.
- VM-100.
- VM-300.
- VM-50.

Which variable is used to regulate the rate of file submission to WildFire?
- Based on the purchased license.
- Maximum number of files per minute.
- Available bandwidth.
- Maximum number of files per day.

Which four steps of the cyberattack lifecycle does the Palo Alto Networks platform present? (Choose four.)
- Breach the perimeter.
- Exfiltrate data.
- Weaponize vulnerabilities.
- Deliver the malware.
- Recon the target.
- Lateral movement.

Which certificate can be used to ensure that traffic coming from a specific server remains encrypted?
- Forward Untrust.
- SSL Exclude Certificate.
- Forward Trust.
- SSL Inbound Inspection.

A client chooses not to block uncategorized websites. Which two additions should be made to help provide some protection? (Choose two.)
- A security policy rule using only known URL categories with the action set to allow.
- A File Blocking profile on security policy rules that allow uncategorized websites, to help reduce the risk of drive-by downloads.
- A URL Filtering profile with the action set to continue for unknown URL categories on security policy rules that allow web access.
- A Data Filtering profile with a custom data pattern on security policy rules that deny uncategorized websites.

Which configuration creates the most comprehensive "best-practice" Anti-Spyware profile to prevent command-and-control traffic?
- Clone the Strict Anti-Spyware profile, enable DNS Sinkholing and Passive DNS Monitoring, and deploy this customized clone.
- Clone the Default Anti-Spyware profile, enable DNS Sinkholing and Passive DNS Monitoring, and deploy this customized clone.
- Edit and deploy the Default Anti-Spyware profile (DNS Sinkholing and Passive DNS Monitoring are already enabled).
- Edit and deploy the Strict Anti-Spyware profile (DNS Sinkholing and Passive DNS Monitoring are already enabled).

Given the following network diagram, an administrator is considering the use of Windows Log Forwarding and Global Catalog servers for a User-ID implementation. What are two potential bandwidth and processing bottlenecks to consider? (Choose two.)
- Member Servers.
- Firewall.
- Domain Controllers.
- Windows Server.

What is a best practice when configuring a security policy to completely block a specific application?
- On the Service/URL Category tab, set the service to any.
- On the Actions tab, configure a File Blocking security profile.
- On the Service/URL Category tab, set the service to application-default.
- On the Service/URL Category tab, manually specify a port/service.
What is the recommended way to ensure that firewalls have the most current set of signatures for up-to-date protection?
- Store updates on an intermediary server and point all the firewalls to it.
- Monitor update announcements and manually push updates to firewalls.
- Utilize dynamic updates with an aggressive update schedule.
- Run a Perl script to regularly check for updates and alert when one is released.

XYZ Corporation has a legacy environment with asymmetric routing. The customer understands that Palo Alto Networks firewalls can support asymmetric routing with redundancy. Which two features must be enabled to meet the customer's requirements? (Choose two.)
- Virtual systems.
- HA active/active.
- Policy-based forwarding.
- HA active/passive.

Which four actions can be configured in an Anti-Spyware profile to address command-and-control traffic from compromised hosts? (Choose four.)
- Allow.
- Drop.
- Quarantine.
- Redirect.
- Alert.
- Reset.

How often are regularly scheduled updates for the Antivirus, Applications, Threats, and WildFire subscription databases made available by Palo Alto Networks in PAN-OS 8.0?
- Antivirus (daily), Applications (weekly), Threats (daily), WildFire (5 minutes).
- Antivirus (weekly), Applications (daily), Threats (daily), WildFire (5 minutes).
- Antivirus (daily), Applications (weekly), Threats (weekly), WildFire (5 minutes).
- Antivirus (weekly), Applications (daily), Threats (weekly), WildFire (5 minutes).

Which three signature-based Threat Prevention features of the firewall are informed by intelligence from the Threat Intelligence Cloud? (Choose three.)
- Vulnerability Protection.
- Anti-Spyware.
- Antivirus.
- Botnet detection.
- App-ID protection.

Which design objective could be satisfied by vsys functionality?
- Separation of routing tables used by different departments in a company.
- Provide same-device high availability functionality for different departments in a company.
- Administrative separation of firewall policies used by different departments in a company.
- Allocate firewall hardware resources to different departments in a company.

Which functionality is available to firewall users with an active Threat Prevention subscription, but no WildFire license?
- PE file upload to WildFire.
- WildFire hybrid deployment.
- 5-minute WildFire updates to threat signatures.
- Access to the WildFire API.

How does SSL Forward Proxy decryption work?
- SSL Forward Proxy decryption policy decrypts and inspects SSL/TLS traffic from internal users to the web.
- The SSL Forward Proxy firewall creates a certificate intended for the client that is intercepted and altered by the firewall.
- If the server's certificate is signed by a CA that the firewall does not trust, the firewall will use the certificate only on Forward Trust.
- The firewall resides between the internal client and internal server to intercept traffic between the two.

Which three actions should be taken before deploying a firewall evaluation unit in the customer's environment? (Choose three.)
- Inform the customer that they will need to provide a SPAN port for the evaluation unit, assuming a TAP mode deployment.
- Request that the customer make port 3978 available to allow the evaluation unit to communicate with Panorama.
- Reset the evaluation unit to factory default to ensure that data from any previous customer evaluation is removed.
- Upgrade the evaluation unit to the most current recommended firmware, unless a demo of the upgrade process is planned.
- Set expectations around which information will be presented in the Security Lifecycle Review, because sensitive information may be made visible.

What are three sources of malware sample data for the Palo Alto Networks Threat Intelligence Cloud? (Choose three.)
- Third-party data feeds, like the partnership with Proofpoint and the Cyber Threat Alliance.
- Palo Alto Networks AutoFocus-generated correlation objects.
- Palo Alto Networks next-generation firewalls deployed with WildFire Analysis security profiles.
- WF-500 appliances configured as private clouds for privacy concerns.
- Palo Alto Networks non-firewall products, like Traps and Aperture.

What are three best practices for running an Ultimate Test Drive (UTD)? (Choose three.)
- It should be used to create pipeline and customer interest.
- It should be used to demonstrate the power of the platform.
- The lab documentation should be reviewed and tested.
- It should be led by Palo Alto Networks employees.
- The required equipment should be shipped to the lab site in advance.

An endpoint inside an organization is infected with known malware. The malware attempts to make a command-and-control connection to a C&C server via the destination IP address. Which mechanism prevents this connection from succeeding?
- DNS Sinkholing.
- DNS Proxy.
- Anti-Spyware signatures.
- WildFire analysis.

A prospective customer was the victim of a zero-day attack that compromised specific employees, who then became unwitting attack vectors. The customer does not want that to happen again. Which two Palo Alto Networks platform components will help this customer? (Choose two.)
- Traps.
- Correlation Objects.
- WildFire.
- AutoFocus.

Which two tabs in Panorama can be used to identify templates to define a common base configuration? (Choose two.)
- Monitor tab.
- Network tab.
- Device tab.
- Objects tab.
- Policies tab.

Which profile or policy should be applied to protect against port scans from the internet?
- An App-ID security policy rule to block traffic sourced from the untrust zone.
- Security profiles on security policy rules for traffic sourced from the untrust zone.
- Interface Management profile on the zone of the ingress interface.
- Zone Protection profile on the zone of the ingress interface.

Which three application options can be selected in a security policy rule? (Choose three.)
- Application Group.
- Individual Application.
- Application Risk.
- Application Filter.
- Application Category.

A network covers three geographical areas: Americas, Europe (EMEA), and Asia (APAC). The APAC segment of the network consists of nine HA pairs of PA-3060 firewalls, generating a combined log output of 25K logs per second. Only 14 days of traffic log retention is required.
- Two M-500s in HA management at the global level, with one M-100 with 4 TB of storage for APAC.
- Two M-500s in HA management at the global level, and one log collector-mode M-500 with 8 TB of storage for APAC.
- Two M-500s in HA management at the global level, and two log collector-mode M-500s in a log collector group with 16 TB of storage for APAC.
- Two dual-mode M-500s in HA for both global management and storage. Each M-500 has 8 TB of storage.

The botnet report displays a confidence score of 1 to 5 indicating the likelihood of a botnet infection. Which three sources are used by the firewall as the basis of this score? (Choose three.)
- Bad Certificate Reports.
- Traffic Type.
- Botnet Reports.
- Number of Events.
- Executable Downloads.
- Threat Landscape.

Which two features are found in a next-generation firewall but are absent in a legacy firewall product? (Choose two.)
- Identification of applications is possible on any port.
- Traffic is separated by zones.
- Traffic control is based on IP, port, and protocol.
- Policy match is based on application.
- Onboard SSL decryption capability is used.

What are five benefits of Palo Alto Networks NGFWs (Next-Generation Firewalls)? (Select the five correct answers.)
- Convenient configuration wizard.
- Comprehensive security platform designed to scale functionality over time.
- Predictable throughput.
- Easy-to-use GUI which is the same on all models.
- Seamless integration with the Threat Intelligence Cloud.
- Identical security subscriptions on all models.

Which two statements are correct for the out-of-box configuration of Palo Alto Networks NGFWs? (Choose two.)
- The devices are pre-configured with a virtual wire pair on the first two interfaces.
- The devices are licensed and ready for deployment.
- The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
- A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
- The interfaces are pingable.

When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log. What will be the destination IP address in that log entry?
- The IP address specified in the sinkhole configuration.
- The IP address of the command-and-control server.
- The IP address of sinkhole.paloaltonetworks.com.
- The IP address of one of the external DNS servers identified in the Anti-Spyware database.

Which two interface types can be used when configuring a GlobalProtect Portal? (Choose two.)
- Virtual Wire.
- Loopback.
- Layer 3.
- Tunnel.

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
- Device > Setup > Services > AutoFocus.
- Device > Setup > Management > AutoFocus.
- AutoFocus is enabled by default on the Palo Alto Networks NGFW.
- Device > Setup > WildFire > AutoFocus.
- Device > Setup > Management > Logging and Reporting Settings.

Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
- Verify AutoFocus status using the CLI.
- Check the WebUI Dashboard AutoFocus widget.
- Check for WildFire forwarding logs.
- Check the license.
- Verify AutoFocus is enabled under the Device Management tab.

True or False: PAN-DB is a service that aligns URLs with category types and is fed to the WildFire threat cloud.
- True.
- False.

Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose two.)
- Brute-force signatures.
- BrightCloud URL Filtering.
- PAN-DB URL Filtering.
- DNS-based command-and-control signatures.
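The Forward Trust / Forward Untrust behaviour behind the SSL Forward Proxy question above is easiest to see in code. The Go program below is an added example written for this page; it is not PAN-OS code or anything published by Palo Alto Networks. The CA names, the host www.example.com and the single-root upstream trust store are assumptions. It validates the real server certificate, then re-issues a copy toward the client signed by the Forward Trust CA when the upstream chain verified and by the Forward Untrust CA when it did not, so a client that only has the Forward Trust CA installed still sees a certificate error for exactly the servers the firewall could not verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a signing certificate together with its private key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // simple monotonic serial number for this example

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign fills in serial and validity, generates a P-256 key for tmpl and
// signs it with parent; a zero-value parent means self-signed.
func sign(tmpl *x509.Certificate, parent CA) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	issuerCert, issuerKey := tmpl, key
	if parent.Cert != nil {
		issuerCert, issuerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewCA builds a self-signed CA; the names callers pass are assumptions.
func NewCA(name string) CA {
	cert, key := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, CA{})
	return CA{cert, key}
}

// IssueLeaf signs a TLS server certificate for the given identity.
func IssueLeaf(issuer CA, subject pkix.Name, dnsNames []string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		Subject: subject, DNSNames: dnsNames, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, issuer)
	return cert
}

// ForwardProxy is the decryption point: Roots is what the firewall trusts
// upstream; Trust and Untrust are the two CAs it signs impersonation certs with.
type ForwardProxy struct {
	Trust, Untrust CA
	Roots          *x509.CertPool
}

// Reissue verifies the upstream certificate for host and copies its identity
// into a new certificate signed by the Forward Trust CA (chain verified) or
// the Forward Untrust CA (chain not verified). The bool is the upstream verdict.
func (p ForwardProxy) Reissue(server *x509.Certificate, host string) (*x509.Certificate, bool) {
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: p.Roots})
	signer := p.Trust
	if err != nil {
		signer = p.Untrust
	}
	return IssueLeaf(signer, server.Subject, server.DNSNames), err == nil
}

// ClientAccepts models a client whose only installed root is the Forward Trust CA.
func ClientAccepts(cert *x509.Certificate, trust CA, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trust.Cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	public, rogue := NewCA("Public Root CA"), NewCA("Rogue CA")
	roots := x509.NewCertPool()
	roots.AddCert(public.Cert)
	proxy := ForwardProxy{NewCA("Forward Trust CA"), NewCA("Forward Untrust CA"), roots}
	host := "www.example.com"
	for _, issuer := range []CA{public, rogue} {
		server := IssueLeaf(issuer, pkix.Name{CommonName: host}, []string{host})
		re, ok := proxy.Reissue(server, host)
		fmt.Printf("upstream signed by %q: verified=%v, reissued by %q, client accepts=%v\n",
			issuer.Cert.Subject.CommonName, ok, re.Issuer.CommonName, ClientAccepts(re, proxy.Trust, host))
	}
}
```

Running it prints one line per upstream: the certificate chained to the public root comes back under the Forward Trust CA and the client accepts it; the one from the rogue CA comes back under the Forward Untrust CA and the client rejects it. That second path is the reason a decryption deployment needs both certificates: without a Forward Untrust CA the firewall would have to either break the session or launder an untrusted server behind a CA the client trusts.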
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1X-enabled wireless network device that has no native integration with PAN-OS software?
- XML API.
- Port Mapping.
- Client Probing.
- Server Monitoring.

What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three.)
- Clean.
- Benign.
- Adware.
- Suspicious.
- Grayware.
- Malware.

What are three benefits of the Palo Alto Networks Migration Tool? (Choose three.)
- Conversion of existing firewall policies to Palo Alto Networks NGFW policies.
- Analysis of the existing firewall environment.
- Assistance with the transition from POC to production.
- Elimination of the need for consulting/professional services.
- The Migration Tool provides App-ID enhancements to improve technical support calls.

Palo Alto Networks publishes updated command-and-control signatures. How frequently should the related signature schedule be set?
- Once an hour.
- Once every minute.
- Once a week.
- Once a day.

A service provider has acquired a pair of PA-7080s for its data center to secure its customer base's traffic. The service provider's traffic is largely generated by smartphones and averages 6,000,000 concurrent sessions. Which Network Processing Card should be recommended in the Bill of Materials?
- PA-7000-40G-NPC.
- PA-7000-20GQ-NPC.
- PA-7000-20GQXM-NPC.
- PA-7000-20G-NPC.

A customer is worried about unknown attacks, but due to privacy and regulatory issues won't implement SSL decryption. How can the platform still address this customer's concern?
- It pivots the conversation to Traps on the endpoint, preventing unknown exploits and malware there instead.
- It bypasses the need to decrypt SSL traffic by analyzing the file while still encrypted.
- It shows how AutoFocus can provide visibility into targeted attacks at the industry-sector level.
- It overcomes reservations about SSL decryption by offloading to a higher-capacity firewall to help with the decryption throughput.

What are three tuning considerations when building a security policy to protect against modern-day attacks? (Choose three.)
- Create an Anti-Spyware profile to block all spyware.
- Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher.
- Create an SSL Decryption policy to decrypt 100% of the traffic.
- Create an Antivirus profile to block all content that matches an antivirus signature.
- Create a WildFire profile to schedule file uploads during low network usage windows.

Which two designs require virtual systems? (Choose two.)
- A shared gateway interface that does not need a full administrative boundary.
- A virtual router as a replacement for an internet-facing router.
- A single physical firewall shared by different organizations, each with unique traffic control needs.
- A VMware NSX deployment that needs micro-segmentation.

Which three network events are highlighted through correlation objects as potential security risks? (Choose three.)
- Identified vulnerability exploits.
- Suspicious traffic patterns.
- Known command-and-control activity.
- Launch of an identified malware executable file.
- Endpoints accessing files from a removable drive.

In which two cases should the hardware offering of Panorama be chosen over the virtual offering? (Choose two.)
- Dedicated Logger mode is required.
- Logs per second exceed 10,000.
- The appliance needs to be moved into a data center.
- Device count is under 100.

Which three methods used to map users to IP addresses are supported in Palo Alto Networks firewalls? (Choose three.)
- Client Probing.
- TACACS.
- eDirectory monitoring.
- SNMP server.
- Lotus Domino.
- RADIUS.
- Active Directory monitoring.

What are two benefits of using Panorama for a customer who is deploying virtual firewalls to secure data center traffic? (Choose two.)
- It can monitor the virtual firewalls' physical hosts and vMotion them as necessary.
- It can bootstrap the virtual firewall for dynamic deployment scenarios.
- It can manage the virtual firewalls' resource use, allowing for VM resource over-subscription.
- It can provide the Automated Correlation Engine functionality, which the virtual firewalls do not support.

Because of regulatory compliance, a customer cannot decrypt specific types of traffic. Which license should an SE recommend to the customer, who will be decrypting traffic on the Palo Alto Networks firewall?
- App-ID, to use applications as match criteria in the decryption policy rules.
- SSL Decryption, for inbound inspection and granular Forward Proxy SSL decryption.
- Support, to request custom categories as match criteria in decryption policy rules.
- URL Filtering, to use predefined URL categories as match criteria in the decryption policy rules.

An administrator needs a PDF summary report that contains information compiled from existing reports based on data for the top 5 in each category. How often will the administrator receive the report?
- Bi-weekly.
- Daily.
- Weekly.
- Monthly.

Which three policies or certificates must be configured for SSL Forward Proxy decryption? (Choose three.)
- Forward Trust certificate.
- Forward Untrust certificate.
- A decrypt port mirror policy.
- Internal server certificate.
- A decryption policy.

What are two core values of the Palo Alto Networks Security Platform? (Choose two.)
- Safe enablement of all applications.
- Deployment of multiple point-based solutions to provide full security coverage.
- Prevention of cyberattacks.
- Threat remediation.
- Defense against threats with a static security solution.

DNS sinkholing helps identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). Which of the following statements is true?
- DNS Sinkholing requires the Vulnerability Protection profile to be enabled.
- Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at fake domains created in a controlled "Fake Internet" called Zanadu, which is designed for testing and honeypots.
- Infected hosts can then be easily identified in the traffic logs, because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
- DNS Sinkholing requires a SinkHole license in order to activate.

A customer is targeted by a true zero-day, targeted attack. However, the customer is protected by the Palo Alto Networks security platform. The attack leverages a previously unknown vulnerability in IE but utilizes existing hacking techniques on the endpoint. It is transported over standard HTTP traffic and conforms to the HTML standards. It then attempts to download, from a website compromised specifically for this attack, a custom piece of malware to run on the endpoints. Which element of the platform will stop this attack?
- App-ID.
- PAN-DB.
- Traps.
- WildFire.

An SE is preparing an SLR report for a school and wants to emphasize URL Filtering capabilities, because the school is concerned that its students are accessing inappropriate websites. The URL categories chosen by default in the report are not highlighting these types of websites. How should the SE show the customer that the firewall can detect that these websites are being accessed?
- Remove unwanted categories listed under "High Risk" and use relevant information.
- Create a footnote within the SLR generation tool.
- Edit the Key Findings text to list the other types of categories that may be of interest.
- Produce the report and edit the PDF manually.

What are the two group options for database when creating a custom report? (Choose two.)
- Oracle.
- SQL.
- Detailed Logs.
- Summary Databases.

A customer is concerned about malicious activity occurring directly on their endpoints and not visible to their firewalls. Which three actions does Traps execute during a security event, beyond ensuring the prevention of this activity? (Choose three.)
- Informs WildFire and sends a signature up to the Cloud.
- Collects forensic information about the event.
- Communicates the status of the endpoint to the ESM.
- Notifies the user about the event.
- Remediates the event by deleting the malicious file.
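The DNS sinkhole questions on this page (the advantages of the feature, the destination address that lands in the traffic log, and the statement about forging responses so that hosts whose DNS queries the firewall cannot see are still exposed) all describe one mechanism. The Go program below is an added example written for this page, not PAN-OS code or anything from Palo Alto Networks, and it implements that mechanism end to end: it forges an A answer for queries to known-malicious names and then picks infected hosts out of traffic-log lines by their connection attempts to the sinkhole address. The malicious-domain list, the sinkhole address 10.10.10.10 and the log lines are constructed for the example; on a firewall the Anti-Spyware profile's DNS signatures and sinkhole IPv4 setting play those roles.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for the DNS C2 signatures an Anti-Spyware profile
// carries; names are stored lowercase with a trailing dot.
var malwareDomains = map[string]bool{
	"evil-c2.example.":      true,
	"update-check.example.": true,
}

// Assumed sinkhole address. An internal address is deliberate: the traffic
// log will then show internal hosts connecting to it, which is the tell.
var SinkholeIP = net.IPv4(10, 10, 10, 10).To4()

// parseQuestion returns the lowercase QNAME of a single-question DNS message
// and the offset just past QCLASS.
func parseQuestion(msg []byte) (string, int, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:6]) != 1 {
		return "", 0, errors.New("need a DNS message with exactly one question")
	}
	off, name := 12, ""
	for {
		if off >= len(msg) {
			return "", 0, errors.New("truncated QNAME")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || off+l > len(msg) { // no compression pointers in a query name
			return "", 0, errors.New("bad label")
		}
		name += strings.ToLower(string(msg[off:off+l])) + "."
		off += l
	}
	if off+4 > len(msg) {
		return "", 0, errors.New("truncated QTYPE/QCLASS")
	}
	return name, off + 4, nil
}

// SinkholeResponse forges an A answer pointing at SinkholeIP when the query is
// for a known-malicious name and returns nil otherwise, so ordinary queries
// are forwarded to the real resolver untouched.
func SinkholeResponse(query []byte) ([]byte, error) {
	name, qEnd, err := parseQuestion(query)
	if err != nil {
		return nil, err
	}
	if !malwareDomains[name] || binary.BigEndian.Uint16(query[qEnd-4:qEnd-2]) != 1 {
		return nil, nil // not malicious, or not an A query
	}
	resp := append(make([]byte, 0, qEnd+16), query[:qEnd]...) // same ID and question
	flags := 0x8080 | (binary.BigEndian.Uint16(query[2:4]) & 0x0100) // QR, RA, keep RD
	binary.BigEndian.PutUint16(resp[2:4], flags)
	binary.BigEndian.PutUint16(resp[6:8], 1) // ANCOUNT
	copy(resp[8:12], []byte{0, 0, 0, 0})     // NSCOUNT, ARCOUNT
	// Answer RR: pointer to the question name at offset 12, type A, class IN, TTL 60, RDLENGTH 4.
	resp = append(resp, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4)
	return append(resp, SinkholeIP...), nil
}

// BuildQuery assembles a minimal A query; used only to construct sample input.
func BuildQuery(id uint16, name string) []byte {
	q := make([]byte, 12)
	binary.BigEndian.PutUint16(q[0:2], id)
	q[2] = 0x01 // RD
	q[5] = 1    // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(q, byte(len(label)))
		q = append(q, label...)
	}
	return append(q, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// InfectedHosts scans constructed traffic-log lines ("src,dst,dport,action")
// and returns each source that tried to reach the sinkhole address. The
// connection attempt, not the DNS lookup, is what exposes the host.
func InfectedHosts(lines []string) []string {
	seen := map[string]bool{}
	var hosts []string
	for _, line := range lines {
		f := strings.Split(line, ",")
		if len(f) < 2 || !net.ParseIP(f[1]).Equal(SinkholeIP) || seen[f[0]] {
			continue
		}
		seen[f[0]] = true
		hosts = append(hosts, f[0])
	}
	return hosts
}

func main() {
	resp, _ := SinkholeResponse(BuildQuery(0x1234, "evil-c2.example"))
	fmt.Printf("forged response: %x\n", resp)
	fmt.Println("infected:", InfectedHosts([]string{
		"192.168.1.20,10.10.10.10,443,allow",
		"192.168.1.21,93.184.216.34,443,allow",
	}))
}
```

Two details carry the security point. The forged answer keeps the client's transaction ID and question so the resolver library accepts it, which is exactly why the firewall can do this from the path of the recursive resolver's outbound query even when the original client sat behind an internal DNS server. And the host list comes from the traffic log, where the destination is the sinkhole address rather than the real C2 address, so a policy that allows the sinkhole connection but logs it is enough to name every infected machine.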