Hardest Questions
Test title: Hardest Questions

Description: Hardest Questions




80- An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.)

- Inherit parent Security policy rules and objects.
- Inherit IPSec crypto profiles.
- Inherit settings from Shared group.
- Inherit all security policy rules and objects.

81- After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

- Push the Template first, then push Device Group to the newly managed firewall.
- Perform the Export or push Device Config Bundle to the newly managed firewall.
- Ensure Force Template values is checked when pushing configuration.
- Push the Device Group first, then push Template to the newly managed firewall.

86- An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.)

- NTP server Address.
- Service Route Configuration.
- Antivirus Profile.
- Authentication profile.
- Dynamic Address Groups.

127- Review the below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?

- Add source Translation to translate original source IP to the firewall eth1/2 interface translation.
- Change destination NAT zone to Trust_L3.
- Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.
- Change Source NAT zone to Untrust_L3.

79- Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

- URL category.
- Video streaming application.
- Destination Domain.
- Source Domain.
- Destination user/group.
- Client Application Process.

182- All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?

- Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time.
- Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time.
- Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.
- Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

156- An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?

- The forward trust certificate has not been installed in client systems.
- The forward trust certificate has not been signed by the self-signed root CA certificate.
- The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
- The forward untrust certificate has not been signed by self-signed root CA certificate.

196- A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall. What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

- HIP Match log forwarding is not configured under Log Settings in the device tab.
- Log Forwarding Profile is configured but not added to security rules in the data center firewall.
- HIP profiles are configured but not added to security rules in the data center firewall.
- User ID is not enabled in the Zone where the users are coming from in the data center firewall.

248- An administrator is tasked to provide secure access to applications running on a server in the company’s on-premises datacenter. What must the administrator consider as they prepare to configure the decryption policy?

- Obtain or generate the server certificate and private key from the datacenter server.
- Obtain or generate the self-signed certificate with private key in the firewall.
- Obtain or generate the forward trust and forward untrust certificate from the datacenter server.
- Ensure HA3 interfaces are configured in a HA pair environment to sync decrypted sessions.

228- An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?

- Add the network segment’s IP range to the Permitted IP Addresses list.
- Enable HTTPS in an Interface Management profile on the subinterface.
- Configure a service route for HTTP to use the subinterface.
- Specify the subinterface as a management interface in Setup > Device > Interfaces.

223- Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)

- Certificate Profile.
- Server certificate.
- CA certificate.
- SSL/TLS Service Profile.

291- A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two.)

- Create or update a Vulnerability Protection profile to the DNS Policies/DNS Zone Misconfiguration section, then add the domains to be protected.
- Create or update an Anti-Spyware profile, go to the DNS Policies/DNS Zone Misconfiguration section, then add the domains to be protected.
- Verify the NGFWs have the Advanced DNS Security and Advanced Threat Prevention licenses installed and validated.
- Verify the NGFWs have the Advanced DNS Security and Advanced URL Filtering licenses installed and validated.