PA2023-PT3
Test title: PA2023-PT3. Description: PaloAlto
In a device group, which two configuration objects are defined? (Choose two.)
- DNS Proxy
- address groups
- SSL/TLS profiles
- URL Filtering profiles

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?
- Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
- Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
- Configure a Captive Portal authentication policy that uses an authentication sequence.
- Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information. However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD. How can policies based on group mapping be learned and enforced in Prisma Access?
- Configure Prisma Access to learn group mapping via SAML assertion.
- Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
- Assign a master device in Panorama through which Prisma Access learns groups.
- Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.

What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?
- Traffic is dropped because there is no matching SD-WAN policy to direct traffic.
- Traffic matches a catch-all policy that is created through the SD-WAN plugin.
- Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
- Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.)
- certificate authority (CA) certificate
- server certificate
- client certificate
- certificate profile

An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available. This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
- WildFire logs
- System logs
- Threat logs
- Traffic logs

A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama. Which configuration is necessary to retrieve groups from Panorama?
- Configure an LDAP Server profile and enable the User-ID service on the management interface.
- Configure a group mapping profile to retrieve the groups in the target template.
- Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
- Configure a master device within the device groups.

How can packet buffer protection be configured?
- at zone level to protect firewall resources and ingress zones, but not at the device level
- at the interface level to protect firewall resources
- at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
- at the device level (globally) and, if enabled globally, at the zone level

An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?
- Configure a remote network on PAN-OS.
- Upgrade to a PAN-OS SD-WAN subscription.
- Configure policy-based forwarding.
- Deploy Prisma SD-WAN with Prisma Access.

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements. What is the correct setting?
- Change the HA timer profile to "user-defined" and manually set the timers.
- Change the HA timer profile to "fast".
- Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
- Change the HA timer profile to "quick" and customize in advanced profile.

What is the function of a service route?
- The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.
- The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.
- The service route is the method required to use the firewall's management plane to provide services to applications.
- Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.

Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?
- show session all filter ssl-decryption yes total-count yes
- show session all ssl-decrypt yes count yes
- show session all filter ssl-decrypt yes count yes
- show session filter ssl-decryption yes total-count yes

Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks. How can the issue be corrected?
- Override the value on the NYCFW template.
- Override a template value using a template stack variable.
- Override the value on the Global template.
- Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
- show system setting ssl-decrypt certs
- show system setting ssl-decrypt certificate
- debug dataplane show ssl-decrypt ssl-stats
- show system setting ssl-decrypt certificate-cache

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?
- removing the Panorama serial number from the ZTP service
- performing a factory reset of the firewall
- performing a local firewall commit
- removing the firewall as a managed device in Panorama

In URL filtering, which component matches URL patterns?
- live URL feeds on the management plane
- security processing on the data plane
- single-pass pattern matching on the data plane
- signature matching on the data plane

In a template, you can configure which two objects? (Choose two.)
- Monitor profile
- application group
- SD-WAN path quality profile
- IPsec tunnel

An organization's administrator has the funds available to purchase more firewalls to increase the organization's security posture. The partner SE recommends placing the firewalls as close as possible to the resources that they protect. Is the SE's advice correct, and why or why not?
- No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle, independent of placement.
- Yes. Firewalls are session-based, so they do not scale to millions of CPS.
- No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network.
- Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems.

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
- Preview Changes
- Policy Optimizer
- Managed Devices Health
- Test Policy Match

What is a key step in implementing WildFire best practices?
- Configure the firewall to retrieve content updates every minute.
- Ensure that a Threat Prevention subscription is active.
- In a mission-critical network, increase the WildFire size limits to the maximum value.
- In a security-first network, set the WildFire size limits to the minimum value.

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
- Phase 2 SAs are synchronized over HA2 links.
- Phase 1 and Phase 2 SAs are synchronized over HA2 links.
- Phase 1 SAs are synchronized over HA1 links.
- Phase 1 and Phase 2 SAs are synchronized over HA3 links.

A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
- Vulnerability Protection profile
- DoS Protection profile
- Data Filtering profile
- URL Filtering profile

What are three reasons why an installed session can be identified with the "application incomplete" tag? (Choose three.)
- There was no application data after the TCP connection was established.
- The client sent a TCP segment with the PUSH flag set.
- The TCP connection was terminated without identifying any application data.
- There is not enough application data after the TCP connection was established.
- The TCP connection did not fully establish.

Which three statements correctly describe Session 380280? (Choose three.)
- The application was initially identified as "ssl".
- The session has ended with the end-reason "unknown".
- The session did not go through SSL decryption processing.
- The application shifted to "web-browsing".
- The session went through SSL decryption processing.

An administrator's device-group commit push is failing due to a new URL category. How should the administrator correct this issue?
- update the Firewall Apps and Threat version to match the version of Panorama
- change the new category action to "alert" and push the configuration again
- ensure that the firewall can communicate with the URL cloud
- verify that the URL seed file has been downloaded and activated on the firewall

A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
- Authentication Algorithm
- Encryption Algorithm
- Certificate
- Maximum TLS version
- Minimum TLS version

Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?
- Layer 3
- Layer 2
- Tap
- Decryption Mirror

Drag and Drop Question: Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
- Installer or IT administrator registers ZTP firewalls by adding them to Panorama using firewall serial number and claim key.
- After connecting to the internet, the ZTP firewall requests a device certificate from the CSP in order to connect to the ZTP service.
- The ZTP firewalls connect to Panorama and the device group and template configurations are pushed from Panorama to the ZTP firewalls.
- The ZTP service pushes the Panorama IP or FQDN to the ZTP firewalls.
- Panorama registers the firewalls with the CSP. After the firewalls are successfully registered, the firewall is associated with the same ZTP tenant as the Panorama in the ZTP service.

Which benefit do policy rule UUIDs provide?
- functionality for scheduling policy actions
- the use of user IP mapping and groups in policies
- cloning of policies between device-groups
- an audit trail across a policy's lifespan

What are two valid deployment options for Decryption Broker? (Choose two.)
- Transparent Bridge Security Chain
- Layer 3 Security Chain
- Layer 2 Security Chain
- Transparent Mirror Security Chain

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
- review the configuration logs on the Monitor tab
- click Preview Changes under Push Scope
- use Test Policy Match to review the policies in Panorama
- context-switch to the affected firewall and use the configuration audit tool

Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two.)
- Zone Protection Profiles protect ingress zones.
- Zone Protection Profiles protect egress zones.
- DoS Protection Profiles are packet-based, not signature-based.
- DoS Protection Profiles are linked to Security policy rules.

Which two statements are true for the DNS Security service? (Choose two.)
- It eliminates the need for dynamic DNS updates.
- It functions like PAN-DB and requires activation through the app portal.
- It removes the 100K limit for DNS entries for the downloaded DNS updates.
- It is automatically enabled and configured.

An engineer is creating a security policy based on Dynamic User Groups (DUG). What benefit does this provide?
- Automatically include users as members without having to manually create and commit policy or group changes.
- DUGs are used to only allow administrators access to the management interface on the Palo Alto Networks firewall.
- It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based policies.
- Schedule commits at regular intervals to update the DUG with new users matching the tags specified.

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
- It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.
- It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
- It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
- It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?
- Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates".
- Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration.
- Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration.
- Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates".

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
- High
- Medium
- Critical
- Informational
- Low

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?
- Management only mode
- Expired certificates
- Outdated plugins
- GlobalProtect agent version

Refer to the exhibit. Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
- Click the hyperlink for the Zero Access.Gen threat.
- Click the left arrow beside the Zero Access.Gen threat.
- Click the source user with the highest threat count.
- Click the hyperlink for the botnet Threat Category.

To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices. You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers. Given the scenario, choose the option for sending IP address-to-username mappings to the firewall.
- UID redistribution
- RADIUS
- syslog listener
- XFF headers

An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?
- Traffic Logs
- System Logs
- Session Browser
- You cannot find failover details on closed sessions.

What are two best practices for incorporating new and modified App-IDs? (Choose two.)
- Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs.
- Configure a security policy rule to allow new App-IDs that might have network-wide impact.
- Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs.
- Study the release notes and install new App-IDs if they are determined to have low impact.

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
- IP Netmask
- IP Wildcard Mask
- IP Address
- IP Range

Which statement is true regarding a Best Practice Assessment?
- It shows how your current configuration compares to Palo Alto Networks recommendations.
- It runs only on firewalls.
- When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.
- It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama. Which action would enable the firewalls to send their pre-existing logs to Panorama?
- Use the import option to pull logs.
- Export the log database.
- Use the scp logdb export command.
- Use the ACC to consolidate the logs.

The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?
- action 'reset-both' and packet capture 'extended-capture'
- action 'default' and packet capture 'single-packet'
- action 'reset-both' and packet capture 'single-packet'
- action 'reset-server' and packet capture 'disable'

When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay?
- OSPFv3
- BGP
- OSPF
- RIP

A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software. Why did the bootstrap process fail for the VM-Series firewall in Azure?
- All public cloud deployments require the /plugins folder to support proper firewall native integrations.
- The /content folder is missing from the bootstrap package.
- The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing.
- The /config or /software folders were missing mandatory files to successfully bootstrap.

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
- Create a Dynamic Admin with the Panorama Administrator role.
- Create a Custom Panorama Admin.
- Create a Device Group and Template Admin.
- Create a Dynamic Read only superuser.

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
- The User-ID agent is connected to a domain controller labeled lab-client.
- The host lab-client has been found by the User-ID agent.
- The host lab-client has been found by a domain controller.
- The User-ID agent is connected to the firewall labeled lab-client.

An engineer was tasked to simplify configuration of multiple firewalls with a specific set of configurations shared across all devices. Which two advantages would be gained by using multiple templates in a stack? (Choose two.)
- inherit address-objects from templates
- define a common standard template configuration for firewalls
- standardize server profiles and authentication configuration across all stacks
- standardize log-forwarding profiles for security policies across all stacks

Refer to the diagram. An administrator needs to create an address object that will be useable by the NYC, MA, CA and WA device groups. Where will the object need to be created within the device-group hierarchy?
- Americas
- US
- East
- West

You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?
- Create an Application Group and add Office 365, Evernote, Google Docs and Libre Office.
- Create an Application Group and add business-systems to it.
- Create an Application Filter and name it Office Programs, then filter it on the office-programs subcategory.
- Create an Application Filter and name it Office Programs, then filter on the business-systems category.

A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices. To install the certificate and key for an endpoint, which three components are required? (Choose three.)
- server certificate
- local computer store
- private key
- self-signed certificate
- machine certificate

Drag and Drop Question: Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack.
- application-based attack
- protocol-based attack
- volumetric attack

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
- Add the policy in the shared device group as a pre-rule.
- Reference the targeted device's templates in the target device group.
- Add the policy to the target device group and apply a master device to the device group.
- Clone the security policy and add it to the other device groups.

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
- No Direct Access to local networks
- Satellite mode
- Tunnel mode
- IPSec modes

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)
- DoS Protection policy
- QoS Profile
- Zone Protection Profile
- DoS Protection Profile

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?
- Specify the target device as the master device in the device group.
- Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
- Add the template as a reference template in the device group.
- Add a firewall to both the device group and the template.

A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
- Create and add a monitor profile with an action of fail over in the PBF rule in question.
- Create and add a monitor profile with an action of wait recover in the PBF rule in question.
- Configure path monitoring for the next hop gateway on the default route in the virtual router.
- Enable and configure a link monitoring profile for the external interface of the firewall.

An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID?
- Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
- Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
- Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
- Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
Your company has to Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized. Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?. PAN-OS integrated agent. Captive Portal. Citrix terminal server agent with adequate data-plane resources. Windows-based User-ID agent on a standalone server. A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled: - Prisma Access for Remote Networks 300Mbps - Prisma Access for Mobile Users 1500 Users - Cortex Data Lake 2TB - Trusted Zones trust - Untrusted Zones untrust - Parent Device Group shared How can you configure Prisma Access to provide the same level of access as the current VPN solution?. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet. What best describes the HA Promotion Hold Time?. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously. 
the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again. During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?. Allow the firewall to block the sites to improve the security posture. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption. Install the unsupported cipher into the firewall to allow the sites to be decrypted. Create a Security policy to allow access to those sites. When using certificate authentication for firewall administration, which method is used for authorization?. Radius. LDAP. Kerberos. Local. When you navigate to Network > GlobalProtect > Portals > Agent > (config) > App and look in the Connect Method section, which three options are available? (Choose three.). user-logon (always on). pre-logon then on-demand. on-demand (manual user initiated connection. post-logon (always on). certificate-logon. An administrator analyzes the following portion of a VPN system log and notices the following issue: `Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0.` What is the cause of the issue?. IPSec crypto profile mismatch. IPSec protocol mismatch. mismatched Proxy-IDs. bad local and peer identification IP addresses in the IKE gateway. What is considered the best practice with regards to zone protection?. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse. 
Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection. Set the Alarm Rate threshold for event-log messages to high severity or critical severity. An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface. What are three supported functions on the VWire interface? (Choose three ). NAT. QoS. IPSec. OSPF. SSL Decryption. An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?. The Security rules must be targeted to a firewall in the device group and have Group Mapping configured. A master device with Group Mapping configured must be set in the device group where the Security rules are configured. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings. A User-ID Certificate profile must be configured on Panorama. Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three ). The environment requires real full-time redundancy from both firewalls at all times. The environment requires Layer 2 interfaces in the deployment. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence. The environment requires that all configuration must be fully synchronized between both members of the HA pair. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes. Cortex XDR notifies an administrator about grayware on the endpoints. 
There are no entnes about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?. within the log settings option in the Device tab. within the log forwarding profile attached to the Security policy rule. in WildFire General Settings, select "Report Grayware Files". in Threat General Settings, select "Report Grayware Files". What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?. a Security policy with 'known-user" selected in the Source User field. an Authentication policy with 'unknown' selected in the Source User field. a Security policy with 'unknown' selected in the Source User field. an Authentication policy with 'known-user' selected in the Source User field. Which statement is correct given the following message from the PanGPA log on the GlobalProtect app? Failed to connect to server at port:4767. The PanGPS process failed to connect to the PanGPA process on port 4767. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767. The PanGPA process failed to connect to the PanGPS process on port 4767. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767. Which GlobalProtect component must be configured to enable Chentless VPN?. GlobalProtect satellite. GlobalProtect app. GlobalProtect portal. GlobalProtect gateway. A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment. ]They want to ensure that they know as much as they can about QoS before deploying. Which statement about the QoS feature is correct?. QoS is only supported on firewalls that have a single virtual system configured. QoS can be used in conjunction with SSL decryption. QoS is only supported on hardware firewalls. 
- QoS can be used on firewalls with multiple virtual systems configured.

Which statement regarding HA timer settings is true?

- Use the Recommended profile for typical failover timer settings.
- Use the Moderate profile for typical failover timer settings.
- Use the Aggressive profile for slower failover timer settings.
- Use the Critical profile for faster failover timer settings.

What is the best description of the HA4 Keep-Alive Threshold (ms)?

- the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
- the time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
- the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
- the timeframe that the local firewall waits before going to the Active state when another cluster member is preventing the cluster from fully synchronizing

Where is information about packet buffer protection logged?

- Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log.
- All entries are in the System log.
- Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log.
- All entries are in the Alarms log.

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)

- certificate profile
- server certificate
- SSH Service Profile
- SSL/TLS Service Profile

A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

- Layer 3
- Virtual Wire
- Tap
- Layer 2
A user at an internal system queries the DNS server for their web server, which has the private IP 10.250.241.131 in the DMZ. The DNS server returns the web server's public address, 200.1.1.10. In order to reach the web server, which Security rule and U-Turn NAT rule must be configured on the firewall?

- NAT rule: Source Zone Untrust_L3, Source IP any, Destination Zone DMZ, Destination IP 200.1.1.10, Destination Translation address 10.250.241.131. Security rule: Source IP any, Destination Zone DMZ, Destination IP 10.250.241.131.
- NAT rule: Source Zone Trust_L3, Source IP any, Destination Zone DMZ, Destination IP 200.1.1.10, Destination Translation address 10.250.241.131. Security rule: Source Zone Untrust-L3, Source IP any, Destination Zone DMZ, Destination IP 10.250.241.131.
- NAT rule: Source Zone Untrust_L3, Source IP any, Destination Zone Untrust_L3, Destination IP 200.1.1.10, Destination Translation address 10.250.241.131. Security rule: Source Zone Untrust-L3, Source IP any, Destination Zone DMZ, Destination IP 10.250.241.131.
- NAT rule: Source Zone Trust_L3, Source IP any, Destination Zone Untrust_L3, Destination IP 200.1.1.10, Destination Translation address 10.250.241.131. Security rule: Source Zone Trust-L3, Source IP any, Destination Zone DMZ, Destination IP 200.1.1.10.

An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum amount of bandwidth the administrator could configure at the compute location?

- 90 Mbps
- 300 Mbps
- 75 Mbps
- 50 Mbps

A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practices to ensure consistent performance?

- Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic.
- Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic.
- Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive.
- Use Decryption profiles to drop traffic that uses processor-intensive ciphers.

What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?

- SSL/TLS Service profile
- Certificate profile
- SCEP
- OCSP Responder

In the screenshot above, which two pieces of information can be determined from the ACC configuration shown? (Choose two.)

- The Network Activity tab will display all applications, including FTP.
- Threats with a severity of "high" are always listed at the top of the Threat Name list.
- Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type.
- The ACC has been filtered to only show the FTP application.

An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?

- Variable CSV export under Panorama > Templates
- PDF Export under Panorama > Templates
- Manage variables under Panorama > Templates
- Managed Devices > Device Association

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

- Certificate profile
- Path Quality profile
- SD-WAN Interface profile
- Traffic Distribution profile

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and a Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?

- Decryption will function and there will be no effect to end users.
- Decryption will not function because self-signed root certificates are not supported.
- Decryption will not function until the certificate is installed on client systems.
- Decryption will function, but users will see certificate warnings for each SSL site they visit.

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

- It applies to existing sessions and is not global.
- It applies to new sessions and is global.
- It applies to new sessions and is not global.
- It applies to existing sessions and is global.

A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server www.xyz.com. The DNS server returns an address of 172.16.15.1. In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?

- NAT rule: Untrust-L3 (any) - Untrust-L3 (172.16.15.1), Destination Translation 192.168.15.47. Security rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Application: web-browsing.
- NAT rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Destination Translation 192.168.15.47. Security rule: Untrust-L3 (any) - Trust-L3 (192.168.15.47), Application: web-browsing.
- NAT rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Destination Translation 192.168.15.47. Security rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Application: web-browsing.
- NAT rule: Untrust-L3 (any) - Untrust-L3 (any), Destination Translation 192.168.15.1. Security rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Application: web-browsing.

An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?

- Create the appropriate rules with a Block action and apply them at the top of the Default Rules.
- Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.
- Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.
- Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules.

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP peering between the two devices?

- show routing protocol bgp state
- show routing protocol bgp peer
- show routing protocol bgp summary
- show routing protocol bgp rib-out

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

- Configuration logs
- System logs
- Traffic logs
- Tunnel Inspection logs

An administrator is using Panorama to manage multiple firewalls and has enabled log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

- Export the log database.
- Use the import option to pull logs.
- Use the ACC to consolidate the logs.
- Use the scp logdb export command.

A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?

- routes listed in the routing table with flags Oi
- routes listed in the routing table with flags A/B
- under the BGP Summary tab
- routes listed in the forwarding table with BGP in the Protocol column

An administrator connects four new remote offices to the corporate data center.
The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall. What should the administrator configure in order to connect the sites?

- Generic Routing Encapsulation (GRE) tunnels
- GlobalProtect Satellite
- SD-WAN
- IKE Gateways

A customer wants to set up a site-to-site VPN using tunnel interfaces. What format is the correct naming convention for tunnel interfaces?

- tun.1025
- tunnel.50
- vpn.1024
- gre1/2

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path. What part of the network profile configuration should the engineer verify?

- Destination IP
- Threshold
- Action
- Interval
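The two destination-NAT questions above (the U-turn case for the web server at 10.250.241.131 and the inbound case for www.xyz.com) both turn on the same PAN-OS lookup order: the NAT rulebase is matched on the pre-NAT zones, where the destination zone comes from a route lookup on the original destination address, while the Security rulebase is matched on the post-NAT zones but still on the pre-NAT destination address. The following is an added Python model of that order, written for this page; it is not PAN-OS code. The routing tables, the rule names, and the placement of the servers in the DMZ and Trust-L3 zones are constructed assumptions taken from the wording of the two questions.

```python
import ipaddress
from dataclasses import dataclass


def zone_for(routes, ip):
    """Longest-prefix route lookup; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, zone)
    if best is None:
        raise ValueError(f"no route for {ip}")
    return best[1]


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str        # zone of the route to the ORIGINAL destination
    dst_ip: str          # original (pre-NAT) destination address
    translated_dst: str  # destination address after translation


@dataclass
class SecRule:
    name: str
    src_zone: str
    dst_zone: str        # POST-NAT destination zone
    dst_ip: str          # PRE-NAT destination address, or "any"
    action: str


def evaluate(routes, nat_rules, sec_rules, src_zone, dst_ip):
    """Model of the PAN-OS lookup order for the first packet of a new session."""
    # 1. Route lookup on the original destination gives the pre-NAT zone.
    pre_nat_zone = zone_for(routes, dst_ip)
    # 2. NAT policy is matched on pre-NAT zones and pre-NAT addresses.
    nat_hit, post_nat_ip = None, dst_ip
    for r in nat_rules:
        if r.src_zone == src_zone and r.dst_zone == pre_nat_zone and r.dst_ip in ("any", dst_ip):
            nat_hit, post_nat_ip = r.name, r.translated_dst
            break
    # 3. A second route lookup on the translated destination gives the post-NAT zone.
    post_nat_zone = zone_for(routes, post_nat_ip)
    # 4. Security policy is matched on post-NAT zones but still on the pre-NAT
    #    destination address; the first matching rule wins.
    for r in sec_rules:
        if (r.src_zone in ("any", src_zone) and r.dst_zone == post_nat_zone
                and r.dst_ip in ("any", dst_ip)):
            return {"nat_rule": nat_hit, "security_rule": r.name, "action": r.action,
                    "post_nat_zone": post_nat_zone, "translated_to": post_nat_ip}
    return {"nat_rule": nat_hit, "security_rule": None, "action": "deny",
            "post_nat_zone": post_nat_zone, "translated_to": post_nat_ip}


# U-turn case: an internal host resolves the web server to its public address.
# Constructed routing table (assumption): the public /24 is reached via the
# Untrust_L3 interface, the server sits in a DMZ subnet.
UTURN_ROUTES = [("200.1.1.0/24", "Untrust_L3"), ("10.250.241.0/24", "DMZ"),
                ("10.0.0.0/8", "Trust_L3"), ("0.0.0.0/0", "Untrust_L3")]
UTURN_NAT = [NatRule("uturn-web", "Trust_L3", "Untrust_L3", "200.1.1.10", "10.250.241.131")]
UTURN_SEC = [
    # Written against the translated address: never matches, because Security
    # policy sees the pre-NAT destination 200.1.1.10.
    SecRule("wrong-post-nat-ip", "Trust_L3", "DMZ", "10.250.241.131", "allow"),
    SecRule("trust-to-dmz-web", "Trust_L3", "DMZ", "200.1.1.10", "allow"),
]

# Inbound case: 65.124.57.5 on the Internet reaches www.xyz.com at 172.16.15.1.
INBOUND_ROUTES = [("172.16.15.0/24", "Untrust-L3"), ("192.168.15.0/24", "Trust-L3"),
                  ("0.0.0.0/0", "Untrust-L3")]
INBOUND_NAT = [NatRule("inbound-web", "Untrust-L3", "Untrust-L3", "172.16.15.1", "192.168.15.47")]
INBOUND_SEC = [SecRule("untrust-to-web", "Untrust-L3", "Trust-L3", "172.16.15.1", "allow")]


def uturn_result():
    return evaluate(UTURN_ROUTES, UTURN_NAT, UTURN_SEC, "Trust_L3", "200.1.1.10")


def inbound_result():
    return evaluate(INBOUND_ROUTES, INBOUND_NAT, INBOUND_SEC, "Untrust-L3", "172.16.15.1")


if __name__ == "__main__":
    print("u-turn :", uturn_result())
    print("inbound:", inbound_result())
```

Running it shows the U-turn session translated to 10.250.241.131 and permitted by the rule that names the pre-NAT address 200.1.1.10 with destination zone DMZ, and the inbound session permitted by the Untrust-L3 to Trust-L3 rule that names 172.16.15.1. Swap the NAT rule's destination zone for DMZ, or the Security rule's destination for the translated address, and the lookup fails, which is the mistake the distractor options in both questions encode.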
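For the tunnel monitoring question above: a tunnel monitor profile has a destination IP to probe, an interval in seconds between probes, a threshold of consecutive missed heartbeats, and an action. With Wait Recover the firewall marks the tunnel down but keeps the tunnel route and waits for the tunnel to come back; with Fail Over it withdraws the tunnel route so a backup path can take over. The following added Python model, written for this page and not PAN-OS code, shows why a VPN can sit failed for a day without failing over even though interval and threshold look sane. The prefix, interface names, metrics, and the default values of 3 seconds and 5 heartbeats are assumptions.

```python
def active_path(routes, prefix):
    """Interface with the lowest metric among the routes installed for prefix."""
    candidates = routes.get(prefix, {})
    return min(candidates, key=candidates.get) if candidates else None


class TunnelMonitor:
    """Model of one tunnel monitor profile bound to a tunnel interface."""

    def __init__(self, tunnel_if, prefix, metric, interval=3, threshold=5, action="wait-recover"):
        if action not in ("wait-recover", "fail-over"):
            raise ValueError(f"unknown action {action!r}")
        self.tunnel_if = tunnel_if    # e.g. "tunnel.1" (assumed name)
        self.prefix = prefix          # route that points into the tunnel
        self.metric = metric
        self.interval = interval      # seconds between heartbeats (assumed default 3)
        self.threshold = threshold    # consecutive misses before "down" (assumed default 5)
        self.action = action
        self.missed = 0
        self.up = True

    def seconds_to_declare_down(self):
        """Worst-case detection time: threshold consecutive probes, one per interval."""
        return self.interval * self.threshold

    def probe(self, routes, reply_received):
        """Account for one heartbeat result and adjust the routing table accordingly."""
        if reply_received:
            self.missed = 0
            if not self.up:
                # Recovery: bring the tunnel back and reinstall its route.
                self.up = True
                routes.setdefault(self.prefix, {})[self.tunnel_if] = self.metric
            return self.up
        self.missed += 1
        if self.up and self.missed >= self.threshold:
            self.up = False
            if self.action == "fail-over":
                # Fail Over: withdraw the tunnel route so the backup route wins.
                routes.get(self.prefix, {}).pop(self.tunnel_if, None)
            # Wait Recover: the route stays and traffic keeps entering the dead tunnel.
        return self.up


def simulate(action, lost_probes, recover=False):
    """Run a monitor through lost_probes missed heartbeats, then an optional reply."""
    # Constructed routing table: primary VPN via tunnel.1, backup via tunnel.2.
    routes = {"10.20.0.0/16": {"tunnel.1": 10, "tunnel.2": 20}}
    mon = TunnelMonitor("tunnel.1", "10.20.0.0/16", 10, interval=3, threshold=5, action=action)
    for _ in range(lost_probes):
        mon.probe(routes, reply_received=False)
    if recover:
        mon.probe(routes, reply_received=True)
    return {"tunnel_up": mon.up, "path": active_path(routes, "10.20.0.0/16"),
            "seconds": lost_probes * mon.interval}


if __name__ == "__main__":
    for action in ("wait-recover", "fail-over"):
        print(action, simulate(action, lost_probes=5))
```

With the assumed defaults both actions declare the tunnel down after 15 seconds, but only Fail Over moves the prefix onto tunnel.2; under Wait Recover the model reports the tunnel down while the routing table still points into it, which is the symptom described in the question and the reason the Action field is the first thing to check.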