An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task?
(Choose two.) Configuration Logs System Logs Task Manager Traffic Logs.
SAML SLO is supported for which two firewall features? (Choose two.) GlobalProtect Portal CaptivePortal WebUI CLI.
What is the purpose of the firewall decryption broker? Decrypt SSL traffic a then send it as cleartext to a security chain of inspection tools Force decryption of previously unknown cipher suites Inspection traffic within IPsec tunnel Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
Which three split tunnel methods are supported by a globalProtect gateway? (Choose three.) video streaming application Client Application Process Destination Domain Source Domain Destination user/group URL Category.
Based on the image, what caused the commit warning? The CA certificate for FWDtrust has not been imported into the firewall The FWDtrust certificate has not been flagged as Trusted Root CA. SSL Forward Proxy requires a public certificate to be imported into the firewall. The FWDtrust certificate does not have a certificate chain.
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against
resource exhaustion. When platform utilization is considered, which steps must the administrator
take to configure and apply packet buffer protection? Enable and configure the Packet Buffer protection thresholds.Enable Packet Buffer Protection per
ingress zone. Enable and then configure Packet Buffer thresholdsEnable Interface Buffer protection Create and Apply Zone Protection Profiles in all ingress zones.Enable Packet Buffer Protection per
ingress zone. Configure and apply Zone Protection Profiles for all egress zones.Enable Packet Buffer Protection
pre egress zone Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits.Enable Zone Buffer
Protection per zone.
Which feature can provide NGFWs with User-ID mapping information? Web Captcha Native 802.1q authentication GlobalProtect Native 802.1x authentication.
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.) Rule Usage Hit counter will not be reset Highlight Unused Rules will highlight all rules. Highlight Unused Rules will highlight zero rules. Rule Usage Hit counter will reset.
The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong? A Certificate Profile that contains the client certificate needs to be selected. The source address supports only files hosted with an ftp://<address/file>. External Dynamic Lists do not support SSL connections. A Certificate Profile that contains the CA certificate needs to be selected.
Which is not a valid reason for receiving a decrypt-cert-validation error? Unsupported HSM Unknown certificate status Client authentication Untrusted issuer.
In the following image from Panorama, why are some values shown in red? sg2 session count is the lowest compared to the other managed devices. us3 has a logging rate that deviates from the administrator-configured thresholds. uk3 has a logging rate that deviates from the seven-day calculated baseline. sg2 has misconfigured session thresholds.
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version? Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or
template stacks An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1
state When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template
stacks will be removed automatically. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.) CRL CRT OCSP Cert-Validtaion-Profile SSL/TLS Service Profile.
Which administrative authentication method supports authorization by an external service? Certificates LDAP RADIUS SSH key.
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario? The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP Each firewall will have a separate floating IP, and priority will determine which firewall has the
primary IP The firewalls do not use floating IPs in active/active HA The firewalls will share the same interface IP address, and device 1 will use the floating IP if device
0 fails.
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application? GlobalProtect version 4.0 with PAN-OS 8.1
GlobalProtect version 4.1 with PAN-OS 8.1 GlobalProtect version 4.1 with PAN-OS 8.0 GlobalProtect version 4.0 with PAN-OS 8.0.
How does Panorama prompt VMWare NSX to quarantine an infected VM? HTTP Server Profile Syslog Server Profile Email Server Profile SNMP Server Profile.
An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task?
(Choose two.) Exhibit A Exhibit B Exhibit C Exhibit D.
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.) Create a no-decrypt Decryption Policy rule. Configure an EDL to pull IP addresses of known sites resolved from a CRL Create a Dynamic Address Group for untrusted sites Create a Security Policy rule with vulnerability Security Profile attached. Enable the “Block sessions with untrusted issuers” setting.
.
Which CLI command is used to simulate traffic going through the firewall and determine which
Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
check find test sim.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?
Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW Configure log compression and optimization features on all remote firewalls Any configuration on an M-500 would address the insufficient bandwidth concerns.
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.) Virtual router Security zone ARP entries Netflow Profile.
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans? Anti-Spyware WildFire Vulnerability Protection Antivirus.
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site? Preconfigured GlobalProtect satellite Preconfigured GlobalProtect client Preconfigured IPsec tunnels Preconfigured PPTP Tunnels.
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall? 0 99 1 255.
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama? The Passive firewall, which then synchronizes to the active firewall The active firewall, which then synchronizes to the passive firewall Both the active and passive firewalls, which then synchronize with each other Both the active and passive firewalls independently, with no synchronization afterward.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct? Option A Option B Option C Option D.
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile? To enable Gateway authentication to the Portal To enable Portal authentication to the Gateway To enable user authentication to the Portal To enable client machine authentication to the Portal.
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed? The settings assigned to the template that is on top of the stack. The administrator will be promoted to choose the settings for that chosen firewall. All the settings configured in all templates Depending on the firewall location, Panorama decides with settings to send.
Which method will dynamically register tags on the Palo Alto Networks NGFW? Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC) Restful API or the VMware API on the firewall or on the User-ID agent XML-API or the VMware API on the firewall or on the User-ID agent or the CLI XML API or the VM Monitoring agent on the NGFW or on the User-ID agent.
How does an administrator schedule an Applications and Threats dynamic update while delaying
installation of the update for a certain amount of time? Configure the option for “Threshold” Disable automatic updates during weekdays Automatically “download only” and then install Applications and Threats later, after the administrator approves the update Automatically “download and install” but with the “disable new applications” option used.
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled? Device>Setup>Services>AutoFocus Device> Setup>Management >AutoFocus Device>Setup>WildFire>AutoFocus Device>Setup> Management> Logging and Reporting Settings AutoFocus is enabled by default on the Palo Alto Networks NGFW.
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage? Security policy rule allowing SSL to the target server Firewall connectivity to a CRL Root certificate imported into the firewall with “Trust” enabled Importation of a certificate from an HSM.
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.) Red Hat Enterprise Virtualization (RHEV) Kernel Virtualization Module (KVM) Boot Strap Virtualization Module (BSVM) Microsoft Hyper-V.
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log? web-browsing and 443 SSL and 80 SSL and 443 web-browsing and 80.
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data? Security policy Decryption policy Authentication policy Application Override policy.
A Security policy rule is configured with a Vulnerability Protection Profile and an action of ‘Deny”. Which action will this cause configuration on the matched traffic? The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to “Deny” The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede theper-severity defined actions defined in the associated Vulnerability Protection Profile. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny.”.
A user’s traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user’s traffic matches when it goes to http://www.company.com. How can the firewall be configured automatically disable the PBF rule if the next hop goes down? Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question: Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question: Enable and configure a Link Monitoring Profile for the external interface of the firewall. Configure path monitoring for the next hop gateway on the default route in the virtual router.
What are two benefits of nested device groups in Panorama? (Choose two.) Reuse of the existing Security policy rules and objects Requires coniguring both function and location for every device All device groups inherit settings form the Shared group
Overwrites local firewall configuration
.
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x enabled wireless network device that has no native integration with PAN-OS software? XML API Port Mapping Client Probing Server Monitoring.
Which Captive Portal mode must be configured to support MFA authentication? NTLM Redirect Single Sign-On Transparent.
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement? Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRPprotocols) Layer 3 interfaces, but configuring EIGRP on the attached virtual router.
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server. Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080 application: web-browsing; service: application-default application: web-browsing; service: service-https application: ssl; service: any application: web-browsing; service: (custom with destination TCP port 8080).
If the firewall has the link monitoring configuration, what will cause a failover? ethernet1/3 and ethernet1/6 going down ethernet1/3 going down ethernet1/3 or Ethernet1/6 going down ethernet1/6 going down.
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software? Okta DUO RADIUS PingID.
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps? set deviceconfig interface speed-duplex 1Gbps-full-duplex set deviceconfig system speed-duplex 1Gbps-duplex set deviceconfig system speed-duplex 1Gbps-full-duplex set deviceconfig Interface speed-duplex 1Gbps-half-duplex.
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this case? Application override Redistribution of user mappings Virtual Wire mode Content inspection.
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW? Use the debug dataplane packet-diag set capture stage firewall file command. Enable all four stages of traffic capture (TX, RX, DROP, Firewall) Use the debug dataplane packet-diag set capture stage management file command Use the tcpdump command.
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality? Port Inspection Certificate revocation Content-ID App-ID.
A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean? The three-way TCP handshake was observed, but the application could not be identified. The three-way TCP handshake did not complete. The traffic is coming across UDP, and the application could not be identified. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.) Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow Untrust (Any) to Untrust (10.1.1.1), ssh -Allow Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow Untrust (Any) to DMZ (10.1.1.1), ssh –Allow Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow.
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make? Option A Option B Option C Option D Option E.
Which three settings are defined within the Templates object of Panorama? (Choose three.) Setup Virtual Routers Interfaces Security Application Override.
A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.) Application Override policy Security policy to identify the custom application Custom application Custom Service object.
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab? Admin Role WebUI Authentication Authorization.
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.) WildFire updates NAT NTP antivirus File blocking.
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama Pre-existing logs from the firewalls are not appearing in PanoramA. Which action would enable the firewalls to send their pre-existing logs to Panorama? Use the import option to pull logs into Panorama A CLI command will forward the pre-existing logs to Panorama. Use the ACC to consolidate pre-existing logs. The log database will need to exported form the firewalls and manually imported into Panorama.
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes. How quickly will the firewall receive back a verdict? More than 15 minutes 5 minutes 10 to 15 minutes 5 to 10 minutes.
VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior? Zone Protection DoS Protection Web Application Replay.
Which Palo Alto Networks VM-Series firewall is valid? VM-25 VM-800 VM-50 VM-400.
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly? Option A Option B Option C Option D.
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW? Custom application System logs show an application error and neither signature is used. Downloaded application Custom and downloaded application signature files are merged and both are used.
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.) .dll .exe .src .apk .pdf .jar.
Refer to the exhibit. Which will be the egress interface if the traffic’s ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113? ethernet1/6 ethernet1/3 ethernet1/7 ethernet1/5.
Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.) Kerberos PAP SAML TACACS+ RADIUS LDAP.
Which event will happen if an administrator uses an Application Override Policy? Threat-ID processing time is decreased. The Palo Alto Networks NGFW stops App-ID processing at Layer 4. The application name assigned to the traffic by the security rule is written to the Traffic log. App-ID processing time is increased.
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general? Deny application facebook-chat before allowing application facebook Deny application facebook on top Allow application facebook on top Allow application facebook before denying application facebook-chat.
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers? Enable packet buffer protection on the Zone Protection Profile Apply an Anti-Spyware Profile with DNS sinkholing. Use the DNS App-ID with application-default. Apply a classified DoS Protection Profile.
If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft? Mapping to the IP address of the logged-in user First four letters of the username matching any valid corporate username Using the same user’s corporate username and password. Marching any valid corporate username.
An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources? Client Probing Terminal Services agent GlobalProtect Syslog Monitoring.
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the managemente interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS software can be upgraded? Security policy rule CRL Service route Scheduler.
Which feature prevents the submission of corporate login information into website forms? Data filtering User-ID File blocking Credential phishing prevention.
Which option is part of the content inspection process? Packet forwarding process SSL Proxy re-encrypt IPsec tunnel encryption Packet egress process.
In a virtual router, which object contains all potential routes? MIB RIB SIP FIB.
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL. Which action will stop the second and subsequent encrypted BitTorrent connections from being
allowed as SSL? Create a decryption rule matching the encrypted BitTorrent traffic with action “No-Decrypt,” and place the rule at the top of the Decryption policy Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy Disable the exclude cache option for the firewall Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.
Refer to the exhibit. Which certificates can be used as a Forwarded Trust certificate? Certificate from Default Trust Certificate Authorities Domain Sub-CA Forward_Trust Domain-Root-Cert.
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services? Configure a Decryption Profile and select SSL/TLS services. Set up SSL/TLS under Polices > Service/URL Category>Service. Set up Security policy rule to allow SSL communication. Configure an SSL/TLS Profile.
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW? ACC. System Logs App Scope Session Browser.
Which protection feature is available only in a Zone Protection Profile? SYN Flood Protection using SYN Flood Cookies ICMP Flood Protection Port Scan Protection UDP Flood Protections.
Which CLI command can be used to export the tcpdump capture? scp export tcpdump from mgmt.pcap to <username@host:path> scp extract mgmt-pcap from mgmt.pcap to <username@host:path> scp export mgmt-pcap from mgmt.pcap to <username@host:path> download mgmt.-pcap.
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates? A scheduler will need to be configured for application signatures. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers A Threat Prevention license will need to be installed A service route will need to be configured.
Which three options are supported in HA Lite? (Choose three.) Virtual link Active/passive deployment Synchronization of IPsec security associations Configuration synchronization Session synchronization.
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number? debug system details show session info show system info show system details.
During the packet flow process, which two processes are performed in application identification? (Choose two.) Pattern based application identification Application override policy match Application changed from content inspection Session application identified.
.
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days? Session Browser Application Command Center TCP Dump Packet Capture.
The certificate information displayed in the following image is for which type of certificate? Exhibit: Forward Trust certificate Self-Signed Root CA certificate Web Server certificate Public CA signed certificate.
Which three steps will reduce the CPU utilization on the management plane? (Choose three.) Disable SNMP on the management interface Application override of SSL application. Disable logging at session start in Security policies. Disable predefined reports. Reduce the traffic being decrypted by the firewall.
Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website? URL Filtering profile Zone Protection profile Anti-Spyware profile Vulnerability Protection profile.
How can a candidate or running configuration be copied to a host external from Panorama? Commit a running configuration. Save a configuration snapshot Save a candidate configuration Export a named configuration snapshot.
If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites? SSL Forward Proxy SSL Inbound Inspection TLS Bidirectional proxy SSL Outbound Inspection.
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result?
Create a custom App-ID and enable scanning on the advanced tab. Create an Application Override policy. Create a custom App-ID and use the “ordered conditions” check box Create an Application Override policy and custom threat signature for the application.
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.) View the System logs and look for the error messages about BGP Perform a traffic pcap on the NGFW to see any BGP problems View the Runtime Stats and look for problems with BGP configuration. View the ACC tab to isolate routing issues.
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.) View Runtime Stats in the virtual router View System logs. Add a redistribution profile to forward as BGP updates. Perform a traffic pcap at the routing stage.
Which three firewall states are valid? (Choose three.) Active Functional Pending Passive Suspended.
Which virtual router feature determines if a specific destination IP address is reachable? Heartbeat Monitoring Failover Path Monitoring Ping-Path.
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement? Decryption Mirror interface with the Threat Analysis license Virtual Wire interface with the Decryption Port Export license Tap interface with the Decryption Port Mirror license Decryption Mirror interface with the associated Decryption Port Mirror license.
When is the content inspection performed in the packet flow process? after the application has been identified before session lookup before session lookup after the SSL Proxy re-encrypts the packet.
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted? In the details of the Traffic log entries Decryption log Data Filtering log In the details of the Threat log entries.
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack? Vulnerability Protection Anti-Spyware URL Filtering Antivirus.
Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?” Descendant objects will take precedence over other descendant objects Descendant objects will take precedence over ancestor objects. Ancestor objects will have precedence over descendant objects. Ancestor objects will have precedence over other ancestor objects.
|
