Chequeado ET
Test title: Chequeado ET

Description: Chequeado ET




Question #1 (Topic 1). What is the preferred method for gathering User-ID mappings from Citrix VDI servers?
- Agentless Server Monitoring
- GlobalProtect with an internal gateway
- The Windows User-ID agent
- The Terminal Services agent

Question #2 (Topic 1). A customer has a pair of Panorama HA appliances running local log collectors and wants to have log redundancy on logs forwarded from firewalls. Which two configuration options fulfill the customer’s requirement for log redundancy? (Choose two.)
- Panorama configured in HA provides log redundancy.
- A Collector Group must contain at least two Log Collectors.
- Log redundancy must be enabled per Collector Group.
- Panorama operational mode needs to be Dedicated Log Collector.

Question #3 (Topic 1). A customer has firewalls deployed at multiple data centers globally, which are managed by a single Panorama pair. Each data center has multiple PA-7080 firewalls running PAN-OS 9.0. What are two recommended logging infrastructures across the data centers if the customer needs to log? (Choose two.)
- Distributed log collector
- Single log collector in the main data center
- Cortex Data Lake
- Mixed mode Panorama

Question #4 (Topic 1). In an HA active/active configuration, what is the purpose of ARP load sharing?
- share all IP addresses and provide Layer 4 through Layer 7 services when failure is detected
- protect internal networks from an ARP flooding attack
- sync the ARP table between the two firewalls
- share an IP address and provide gateway services

Question #5 (Topic 1). In an HA active/active configuration, which task does the session setup firewall perform?
- threat scanning
- NAT
- Traffic log generation
- decryption

Question #6 (Topic 1). Which are two commands required to upgrade Expedition? (Choose two.)
- `sudo apt-get update`
- `sudo apt-get update expedition`
- `sudo apt-get upgrade all`
- `sudo apt-get install expedition-beta`

Question #7 (Topic 1). An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations. They have also purchased a Support license, a Threat license, a URL Filtering license, and a WildFire license for each firewall. What additional license do they need to purchase?
- an IoT Security license for each deployed firewall
- a Cortex Data Lake license
- an IoT Security license for the perimeter firewall
- an Enterprise Data Loss Prevention (DLP) license

Question #8 (Topic 1). Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of content update? (Choose two.)
- when planning to enable the App-IDs immediately
- when you want to immediately benefit from the latest threat prevention
- when an organization operates a mission-critical network and has zero tolerance for downtime
- when disabling facebook-base to disable all other Facebook App-IDs

Question #9 (Topic 1). DRAG DROP - Identify the Stakeholder with their Role when planning a Firewall, Panorama, and Cortex XDR Deployment.
- Network Engineer
- Security Engineer
- System Administrator
- Security Operations Analyst

DRAG DROP - In Panorama, the web interface displays the security rules in evaluation order. Organize the security rules in the order in which they will be evaluated?
- Shared pre-rules
- Device group pre-rules
- Local firewall rules
- Device group post-rules
- Shared post-rules

Question #11 (Topic 1). A customer’s Palo Alto Networks NGFW currently has only one security policy allowing all traffic. They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an “allow any” rule. What should the consultant say about Expedition?
- Live firewall traffic can be viewed on Expedition when connected to a firewall, and Expedition can automatically create and push policies to the firewall.
- The log files can be viewed on Expedition, and right-clicking a log entry gives the option to create security policy from the log entry.
- By using the Machine Learning feature, Expedition can parse the traffic log files related to the policy and extract security rules for matching traffic.
- Expedition cannot parse log files and therefore cannot be used for this purpose.

Question #12 (Topic 1). In Expedition, which objects are classified as “Ghost objects”?
- Address objects that are not part of an Address Group
- Address objects that are not applied in Security or NAT policies
- Unused address objects
- Addresses imported from Security and NAT policies without corresponding address objects

Question #13 (Topic 1) (REVIEW). Which routing configuration should you recommend to a customer who wishes to actively use multiple pathways to the same destination?
- RIPv2
- BGP
- EGMP
- OSPF

Question #14 (Topic 1). In HA active/active configuration, which are three options for load sharing? (Choose three.)
- Primary Device
- IP Hash
- Active Device
- Source IP
- IP Modulo

Question #15 (Topic 1). A URL is categorized as both health-and-medicine and abused-drugs. The health-and-medicine category is set to “allow” and the abused-drugs category is set to “block”. Which two actions will be taken when this URL is visited? (Choose two.)
- block
- log
- allow
- continue

Question #16 (Topic 1). A company has deployed an Active/Passive 5280 HA pair with BGP configured to the company’s ISP. The lead firewall engineer has set the HA Timer to “Recommended”. Upon failing over the HA pair, there is a two-minute outage and internet traffic is dropped. What should the engineer do to eliminate or minimize the outage in the future?
- Change the HA Timer to “Aggressive”.
- Enable Path Monitoring to the ISP.
- Ensure that “Graceful Restart” has been enabled on all peers.
- Change the HA Timer to “Advanced” with “Preemption Hold Time” of one minute.

Question #17 (Topic 1). Where and how is Expedition installed?
- On a Windows Server, by running an installation script that will automatically download all dependencies
- On an Ubuntu Server, by running an installation script that will automatically download all dependencies
- On a Windows Server, by manually installing the application and all dependencies
- On an Ubuntu server, by manually installing the application and all dependencies

Question #18 (Topic 1). The corporate architect has questions about the authentication algorithms supported by TLSv1.3. Which two authentication algorithms are supported by Palo Alto Networks in TLSv1.3? (Choose two.)
- SHA384
- SHA256
- SHA1
- MD5

Question #19 (Topic 1). Review the customer scenario:
- An organization has deployed an Active/Passive 7080 HA pair in their data center.
- The 7080 firewall has three 100G NPCs installed in slots 1, 2, and 12.
- In slots 1 and 2, the NPCs are being used to create two 200G Aggregate Ethernets with LACP to their switch infrastructure in a Layer 3 deployment with OSPF and BGP routing.
- The networking team has received alerts via SolarWinds recently that the NPC in slot 1 has a high DP load and high network utilization on one of its two interfaces.

What can you recommend to the team to balance the traffic more evenly and reduce high utilization of slot 1?
- Enable ECMP with Symmetric Return.
- Enable Jumbo Packets.
- Change the Session Distribution Policy.
- Add a 100G interface from Slot 12 to the Aggregate Ethernet to provide more bandwidth.

Question #20 (Topic 1). A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy based VPN peer. After the initial configuration is completed and the changes are committed, phase 2 fails to establish. Which two changes may be required to fix the issue? (Choose two.)
- Add proxy IDs to the IPsec tunnel configuration.
- Verify that the certificate used for authentication is installed.
- Enable the NAT Traversal advanced option.
- Verify that PFS is enabled on both ends.

Question #21 (Topic 1). DRAG DROP - Match the command with the appropriate scenario for its use.
- Management plane resources
- Data plane resources
- State of various processes
- Authentication log

Question #22 (Topic 1). Your customer is setting up an IPsec VPN tunnel with a third party. The third-party device only supports policy-based IPsec VPN tunnels. What must be set up on the IPsec tunnel on the Palo Alto Networks Next-Generation Firewall to support policy-based tunnels?
- policy-based forwarding
- static route
- Proxy-ID
- DNS proxy

Question #23 (Topic 1). Which category of Vulnerability Signatures is most likely to trigger false positive alerts?
- info-leak
- code-execution
- phishing
- brute-force

Question #24 (Topic 1). What information is required in order to plan the deployment of a perimeter firewall?
- the management IP of the DSL device provided by the ISP
- The operating system and browser version of the management client
- the link type and speed of the surrounding devices
- the name of the Internet provider and the cost of the link

Question #25 (Topic 1). A customer uses an application on the network that shows unknown-tcp application in the traffic logs. Which two actions can the administrator take to make the application display this information? (Choose two.)
- Create a custom application by using fingerprinting applications.
- Submit a request for a new App-ID on the Application & Threat Research Center.
- Create a customer application by using signatures.
- Submit a request for new App-ID with Unit-42.

Question #26 (Topic 1). What happens when a packet from an existing session is received by a firewall that is not the owner in an HA active/active configuration?
- The firewall requests the sender to resend the packet.
- The firewall forwards the packet to the peer firewall over the HA3 link.
- The firewall takes ownership of the session from the peer firewall.
- The firewall drops the packet to prevent any L3 loops.

Question #27 (Topic 1). You have just completed a firewall migration project in Expedition. Expedition is not directly connected to a firewall. You decide to export the configuration. What two file types will be available to you in the download options? (Choose two.)
- a tech support file for the target firewall
- the README file describing how to use the XML file
- a TXT file with SET commands
- an XML file to upload to the Palo Alto Networks device

Question #28 (Topic 1). Which three steps must an administrator perform to load only address objects from a PAN-OS saved configuration file into a VM-300 firewall that is in production? (Choose three.)
- import named configuration snapshot through the web interface
- use load config partial command
- use the device configuration import in Panorama
- load the config in the web interface and commit
- enter the configuration mode from the CLI

Question #29 (Topic 1). DRAG DROP - Match the task for server settings in group mapping with its order in the process.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5

Question #30 (Topic 1). DRAG DROP - Match the App-ID adoption task with its order in the process.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5

Question #31 (Topic 1). TAC has requested a PCAP on your Panorama to see why the DNS app is having intermittent issues resolving FQDN. What is the appropriate CLI command?
- `tcpdump snaplen 53 filter “port 53”`
- `tcp dump snaplen 0 filter “app dns”`
- `tcpdump snaplen 0 filter “port 53”`
- `tcp dump snaplen 53 filter “tcp 53”`

Question #32 (Topic 1). A firewall configuration is being migrated by Expedition from a third-party vendor to a Palo Alto Networks Next-Generation Firewall (NGFW). Expedition flags one service as invalid following the import of the original configuration file. An engineer investigates and finds the invalid service to be ping which is used by the security policies. Which action should the engineer take?
- Create an Application Override policy to override the ping service classification with ping application.
- Remove ping service from all the policies which reference it.
- Ignore the invalid flag in Expedition for the firewall to accept ping service.
- Use the search & replace in Expedition to replace the ping service classification with ping application.

Question #33 (Topic 1). SSL decryption has been implemented in a customer environment. The firewall protecting this environment is using PAN-OS 10.0. Users of an application are filing support cases claiming that a function of this application is no longer working. Where should the investigation for decryption issues begin?
- the Correlated Events log
- the “session end reason” column in the Traffic log
- the CLI, using the less mp-log ikemgr.log command
- the Decryption log

Question #34 (Topic 1). What information is necessary to properly plan the deployment of a Panorama hardware appliance for firewall management?
- Virtual router, zones, and interface configuration of the dataplane interface
- ESXi Server location and routing to the Panorama appliance
- Wiring, power, Console access, and management interface connectivity
- Panorama Mode, number of managed devices, CPU, and memory allocation in the hypervisor

Question #35 (Topic 1). Which additional license is required for the feature Host Information Profiles to function on Palo Alto Networks Next-Generation Firewalls?
- Threat
- WildFire
- GlobalProtect gateway
- IoT

Question #36 (Topic 1) (REVIEW). What is the default port used by the Terminal Services agent to communicate with a firewall?
- 5009
- 5007
- 636
- 443

Question #37 (Topic 1) (REVIEW). SSL Forward Proxy decryption is enabled on the firewall. When clients use Chrome to browse to HTTPS sites, the firewall returns the Forward Trust certificate, even when accessing websites with invalid certificates. The clients need to be presented with a browser warning error with the option to proceed to websites with invalid certificates. Which two options will satisfy this requirement? (Choose two.)
- Create a PKI signed Forward Untrust enabled certificate.
- Create a self-signed Forward Untrust enabled certificate.
- Create a Decryption Profile with the “Block sessions with expired certificates” option enabled.
- Remove the Forward Untrust option from the Forward Trust certificate.

Question #38 (Topic 1). Your customer wants to implement Active/Active High Availability for their PA-5260 pair. The following conditions are true in their environment:
- They are using multiple Layer 3 interfaces to process traffic.
- Their routing topology requires the use of Network Address Translation policies to ensure that traffic can reach its destinations correctly.
- They prefer to have the session workload distributed as evenly as possible to ensure both firewalls have lower resource utilization.
- They make use of dynamic routing protocols on their virtual routers for route-based redundancy.
- They chose to go with Active/Active for failover speed reasons.

Which three of the following HA configurations should your customer ensure they use to meet these requirements? (Choose three.)
- HA1A, HA1B, and HA2 interfaces
- HA1A, HA1B, HA2, and HA3 interfaces
- Session selection algorithm – Primary Device
- Active/Active HA Binding in the NAT policies
- Session selection algorithm – First Packet

Question #39 (Topic 1). Which CLI command should you use to verify whether all SFP, SFP+, or QSFP modules are installed in a firewall?
- `show system state filter sys.p*.phy`
- `show system state filter sys.s*.p*.phy`
- `show system info`
- `show interface <interface name> detail`

Question #40 (Topic 1). Which three attributes can be used to exclude traffic from an SSL Decryption policy? (Choose three.)
- User-ID
- URL Category
- HIP Profile
- Application
- Destination

Question #41 (Topic 1). Which two options describe the behavior of the “Direction” property in a WildFire Analysis Profile rule? (Choose two.)
- The both direction option matches all files that are seen by the firewall, regardless of whether the transfer is started by the connection initiator or responder.
- The download direction option matches files that the connection initiator received from the service it connected to.
- The upload direction option matches only files that were uploaded to the internet by a user on the Inside network.
- The both direction option matches all files, but only if the transfer is started by the connection initiator.

Question #42 (Topic 1). A company’s network operations engineer is documenting a solution and wants to know the default priority setting for an LACP connection. If no changes are made to the default configuration settings for the LACP, which priority setting should you share with the engineer?
- 32,768
- 100
- 1
- 65,535

Question #43 (Topic 1) (REVIEW). Examine the configured Security policy rule. Which day one/Iron Skillet Security Profile Group is used to secure the traffic that is permitted through this rule?
- Internal
- Inbound
- Default
- Outbound

Question #44 (Topic 1). In preparation for a cutover event, which two processes or procedures should be verified? (Choose two.)
- Auditing
- Change management requirements
- Roles and responsibilities
- Logging and reporting

Question #45 (Topic 1). A firewall that was previously connected to a User-ID agent server now shows disconnected. What is the likely cause?
- The server has stopped listening on port 2010.
- The Domain Controller service account has been locked out.
- The agent is not running.
- The firewall was upgraded to a PAN-OS version that is not compatible with the agent version.

Question #46 (Topic 1). Why is a threshold used when content updates are installed?
- To let the firewall load the content updates before it actually installs them
- To ensure that the content update is installed only during a change window
- To allow time to see if the content update gets redacted by Palo Alto Networks
- To allow the content update to be loaded on a Friday but installed over the weekend

Question #47 (Topic 1). A Panorama superuser administrator needs to add a newly hired employee as a Panorama administrator. This employee needs to have their permissions restricted to only modify a specific set of policies and objects within the organization’s Panorama. What should the superuser administrator do to ensure that the new employee’s permissions are restricted?
- Create the required Access Domain and add the appropriate device group.
- Create an authentication profile in the Panorama tab.
- Set the “allowed admins” value within the device group properties.
- Add access to shared objects by selecting the Shared-Only option.

Question #48 (Topic 1). DRAG DROP - A client initiates an SSL session with the server. The NGFW intercepts the client’s SSL request. For what happens next, match each SSL Forward Proxy task with its order in the process:
- Step 1
- Step 2
- Step 3
- Step 4

Question #49 (Topic 1) (REVIEW). Your customer believes that the Panorama appliance is being overwhelmed by the logs from deployed Palo Alto Networks Next-Generation Firewalls. What CLI command can you run to determine the number of logs per second sent by each firewall?
- `show logging status`
- `debug log-receiver statistics`
- `show log traffic`
- `debug log-sender statistics`

Question #50 (Topic 1). A customer recently purchased a license for URL filtering and is having trouble activating PAN-DB. Which two commands can be used to troubleshoot this issue? (Choose two.)
- `show system setting url-database`
- `show device setting pan-db`
- `request url-database license info`
- `request license info` (Most Voted)

Question #51 (Topic 1). A customer used an in-house script to migrate an ASA Configuration with 1,250 address and service objects to a Panorama device group for that location. They are pushing the device group and template configuration to a PA-820 for the first time, and it fails with the following error:

Error: Number of addresses, dynamic groups, external-ip-lists…. exceeded platform capacity (2500)

What are the efficient ways to solve this problem? (Choose three.)
- Import the address and service objects directly to the PA-820 appliance.
- Verify the “share unused address and service objects with devices” setting in the Panorama GUI.
- Clean up and merge the device group address and service objects using Expedition.
- Upgrade to a PA-850 appliance, which supports 3,500 address and service objects.
- Upgrade the license capacity to allow more objects on the PA-820 appliance.

Question #52 (Topic 1). When planning the physical connectivity of Data Center segmentation firewalls (PA-5250s), which two elements must be accounted for? (Choose two.)
- Redundant power connections
- Networking protocols in use by the surrounding infrastructure
- HSRP IP and MAC Address
- Interface types and number of interfaces available

Question #53 (Topic 1). After running sudo apt-get update, which command should you run to upgrade the Expedition software packages on the Expedition VM?
- `sudo apt-get upgrade expedition-beta`
- `sudo apt-get install expedition-beta`
- `sudo apt-get upgrade`
- `sudo apt-get autoupgrade`

Question #54 (Topic 1) (REVIEW). What are the three predefined external dynamic lists in PAN-OS that customers receive with their content and threat updates? (Choose three.)
- high-risk IP addresses
- bulletproof IP addresses
- known-malicious IP addresses
- embargoed-country IP addresses
- command-and-control IP addresses

Question #55 (Topic 1). With its improved reliability and automation, Expedition 2 will install by using which of the following?
- Red Hat Enterprise Linux (RHEL) 9
- Ubuntu 16.04 and higher
- Windows Server 2016
- Ubuntu 20.04

Question #56 (Topic 1). An administrator needs to create a new Antivirus Profile to address a virus that is spreading internally over SMB. To create a secure posture, the administrator should choose which set of actions for the SMB decoder in an Antivirus Profile?
- Action – Allow; Wildfire Action - Allow
- Action – Reset-Both; Wildfire Action – Reset-Both
- Action – Drop; Wildfire Action – Reset-Both
- Action – Reset-Both; Wildfire Action - Alert

Question #57 (Topic 1). DRAG DROP - Identify the Stakeholder with their Role when planning a Firewall, Panorama, and Cortex XDR Deployment.
- Security Engineer
- System Administrator
- Security Operations Analyst
- Network Engineer

Question #58 (Topic 1). DRAG DROP - You have been tasked with performing a Firewall Migration and an App-ID for a customer. Place the tasks below in the proper order to ensure a successful migration and App-ID adoption.
- Acquire the configuration file from the customer.
- Import the configuration into Expedition or the tool of your choice and perform a like-for-like migration.
- Import and load the like-for-like configuration in the Next-Generation Firewall or Panorama.
- Allow traffic to match the service/port-based rules for a time period agreeable to the customer.
- Use the Policy Optimizer feature to observe which App-IDs have been seen in the logs for each rule.
- Clone App-ID rules above the port rules.
- Allow time for traffic to match App-ID rules.
- Ensure that the port rules are not getting hits.
- Delete port rules when they are not getting hits.

Question #59 (Topic 1). A firewall uses the default settings on the Device > Setup and the Policy > Security tabs. An LDAP server is connected to the INSIDE zone of the firewall and is assigned the CIDR range 10.10.20.10/24. The management network and the INSIDE zone are not connected through routing. The Windows User-ID agent is installed and started on the LDAP server using TCP port 5007 for communication. The Windows firewall is correctly configured to allow communication. The following error appears in the system log:

User-ID Agent userid1(vsys1): Error: Failed to connect to 10.10.20.10(10.10.20.10):5007 details: none.

What is causing the connection problem?
- userid1 is configured as a LDAP proxy.
- A LDAP Server profile has not been configured yet.
- There is no security policy rule in place to allow the traffic.
- The User-ID agent is using the default service route settings.