PA2023-pt6
Test title: PA2023-pt6

Description: PA2023-pt6




Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

- LDAP
- Log Ingestion
- HTTP
- Log Forwarding

What is the PAN-OS NPTv6 feature based on RFC 6296 used for?

- Application port number translation
- IPv6-to-IPv6 network prefix translation
- Stateful translation to provide better security
- IPv6-to-IPv6 host portion translation

An administrator has been tasked with deploying SSL Forward Proxy. Which two types of certificates are used to decrypt the traffic? (Choose two.)

- Device certificate
- Subordinate CA from the administrator’s own PKI infrastructure
- Self-signed root CA
- External CA certificate

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?

- A self-signed certificate generated on the firewall
- A web server certificate signed by the organization’s PKI
- A web server certificate signed by an external Certificate Authority
- A subordinate Certificate Authority certificate signed by the organization’s PKI

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?

- Disable ALG under H.323 application
- Increase the TCP timeout under H.323 application
- Increase the TCP timeout under SIP application
- Disable ALG under SIP application

Which new PAN-OS 11.0 feature supports IPv6 traffic?

- OSPF
- IKEv1
- DHCP Server
- DHCPv6 Client with Prefix Delegation

If a URL is in multiple custom URL categories with different actions, which action will take priority?

- Block
- Allow
- Alert
- Override

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?

- Hello Interval
- Monitor Fail Hold Up Time
- Heartbeat Interval
- Promotion Hold Time

Which three items must be configured to implement application override? (Choose three.)

- Application filter
- Application override policy rule
- Custom app
- Decryption policy rule
- Security policy rule

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

- Deny
- Allow
- Discard
- Next VR

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.)

- OSPF
- IGRP
- OSPFv3 virtual link
- BGP
- RIP

A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times?

- Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings
- Perform a device group push using the “merge with device candidate config” option
- Update the apps and threat version using device-deployment
- Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config

An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?

- 1
- 2
- 3
- 4

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

- Reload the running configuration and perform a Firewall local commit
- Perform a commit force from the CLI of the firewall
- Perform a template commit push from Panorama using the “Force Template Values” option
- Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option

Where can a service route be configured for a specific destination IP?

- Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
- Use Device > Setup > Services > Services
- Use Device > Setup > Services > Service Route Configuration > Customize > IPv4
- Use Device > Setup > Services > Service Route Configuration > Customize > Destination

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?

- IKE Crypto Profile
- Security policy
- Proxy-IDs
- PAN-OS versions

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?

- Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS
- Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
- Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users
- Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping

An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated?

- Configuration
- Data Filtering
- Traffic
- Threat

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?

- Change destination NAT zone to Trust_L3
- Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address
- Change Source NAT zone to Untrust_L3
- Add source Translation to translate original source IP to the firewall eth1/2 interface translation

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.)

- Service Route Configuration
- Dynamic Address Groups
- NTP Server Address
- Antivirus Profile
- Authentication Profile

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?

- Add SSL application to the same rule
- SSL and web-browsing must both be explicitly allowed
- Add SSL and web-browsing applications to the same rule
- Add web-browsing application to the same rule

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?

- Destination-Based Service Route
- Inherit Global Setting
- IPv6 Source or Destination Address
- IPv4 Source Interface