
Palo Alto 3

Test title:
Palo Alto 3

Description:
Palo Alto 3

Creation date: 2025/07/20

Category: Other

Number of questions: 63

Contents:

140- Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?. QoS. DoS Protection. NAT. Tunnel Inspection.

141- Based on the screenshots above, what is the correct order in which the various rules are deployed to the firewall inside the DATACENTER_DG device group?. Shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, DATACENTER_DG default rules. Shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, DATACENTER_DG default rules. Shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, shared default rules. Shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, shared default rules.

142- An engineer is monitoring an Active/Active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?. Active. Active-primary. Active-secondary. Initial.

143- A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?. SSL/TLS service profile. SSH service profile. Decryption profile. Certificate profile.

144- An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?. Replay protection. Tunnel monitor. Passive mode. Zone protection.

145- An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram. Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?. Values in Chicago. Values in efw01ab.chi. Values in Datacenter. Values in Global Settings.

146- An administrator configures a site-to-site IPsec tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?. Tunnel monitor. Proxy IDs. GRE encapsulation. ToS header.

147- An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity. The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet. Which profile is the engineer configuring?. Zone protection. Vulnerability protection. Packet buffer protection. DoS protection.

148- An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow Evernote?. Add the HTTP, SSL, and Evernote applications to the same security policy. Add the Evernote application to the security policy rule, then add a second security policy rule containing both HTTP and SSL. Add only the Evernote application to the security-policy rule. Create an application override using TCP ports 443 and 40.

149- Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three). SMS. Fingerprint. One-time password. User certificate. Voice.

150- An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three). QoS on the ingress interface for the traffic flows. QoS on the egress interface for the traffic flows. QoS profile defining traffic classes. QoS policy for each application ID. An application Override policy for the SSL traffic.

151- An engineer is troubleshooting a traffic-routing issue. What is the correct packet-flow sequence?. NAT > Security Policy Enforcement > OSPF. PBF > Static route > Security Policy Enforcement. BGP > PBF > NAT. PBF > Zone Protection > Packet Buffer Protection.

152- An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) to enforce MFA. What should the enterprise do to use PAN-OS MFA?. Use a credential Phishing agent to detect, prevent and mitigate credential phishing campaigns. Configure a captive portal authentication policy that uses an authentication sequence. Create an authentication profile and assign another authentication factor to be used by a Captive portal authentication policy. Configure a Captive portal authentication policy that uses an authentication profile that references a RADIUS profile.

153- A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged. Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?. Syslog listener. Agentless User-ID with redistribution. Captive portal. Standalone User-ID.

154- Why would a traffic log list an application as "not-applicable"?. There was not enough application data after the TCP connection was established. The application is not a known Palo Alto Networks App-ID. The firewall denied the traffic before the application match could be performed. The TCP connection terminated without identifying any application data.

155- When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting the ongoing traffic?. Disable config sync. Set the passive link to "shutdown". Disable HA. Disable the HA2 link.

156- An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?. The forward trust certificate has not been installed in client systems. The forward trust certificate has not been signed by the self-signed root CA certificate. The self-signed CA certificate has the same CN as the forward trust and untrust certificates. The forward untrust certificate has not been signed by self-signed root CA certificate.

157- An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event. Which timer determines the frequency between packets sent to verify that the HA functionality on the other firewall is operational?. Monitor Fail Hold Up time. Hello interval. Promotion hold time. Heartbeat interval.

158- During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?. Install the unsupported cipher into the firewall to allow the sites to be decrypted. Allow the firewall to block the sites to improve the security posture. Create a security policy to allow access to those sites. Add the sites to the SSL decryption exclusion list to exempt them from decryption.

159- If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?. Post-NAT destination address. Post-NAT source address. Pre-NAT source address. Pre-NAT destination address.

160- An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three). Log forwarding profile. Email scheduler. Login banner. Dynamic Updates. SSL decryption exclusion.

161- An engineer troubleshoots a high availability (HA) link that is unreliable. Where can the engineer view what time the interface went down?. Monitor > Logs > Traffic. Device > High Availability > Active/Passive settings. Dashboard > Widgets > High Availability. Monitor > Log > System.

162- Which two key exchange algorithms consume the most resources when decrypting SSL traffic?. ECDHE. ECDSA. DHE. RSA.

163- An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two). Change the DNS server on the global template. Configure a service route for DNS on a different interface. Configure the DNS server locally on the firewall. Override the DNS server on the template stack.

164- An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with Failure Condition set to "any". There is one link group configured containing member interfaces ethernet 1/1 and ethernet 1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet 1/1 link goes down due to failure?. Non-functional. Passive. Active. Active-secondary.

165- A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can the engineer use to generate Enhanced Application logs (EALs) for classifying Internet of Things (IoT) devices while receiving broadcast DHCP traffic?. Virtual Wire. Layer 2. Layer 3. Tap.

166- An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, would most likely stop only the Traffic logs from being sent from the NGFW to Panorama?. Security Policy Rule. Panorama Settings. Syslog Server Profile. Panorama Settings / Panorama Server.

167- Which statement applies to HA timer settings?. Use the critical profile for faster failover timer settings. Use the aggressive profile for slower failover timer settings. Use the recommended profile for typical failover timer. Use the moderate profile for typical failover timer settings.

168- Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?. Comfort pages. SSL decryption profile. SSL decryption policy. Authentication portal.

169- What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and a server to secure an SSL/TLS connection?. Stateful firewall connection. Certificates. Profiles. Link state.

170- A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10. What should the engineer do to complete the configuration?. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

171- Given the following configuration, which route is used for destination?. Route 4. Route 3. Route 2. Route 1.

172- What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?. Phase 1 SAs are synchronized over HA1 links. Phase 1 and Phase 2 SAs are synchronized over HA2 links. Phase 2 SAs are synchronized over HA2 links. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

173- A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?. Create a Custom Panorama Admin. Create a Dynamic Admin with the Panorama Administrator role. Create a Dynamic Read-only superuser. Create a Device Group and Template Admin.

174- You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.). High. Informational. Critical. Low. Medium.

175- A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?. Record route in IP option drop options. Ethernet SGT protection. Stream ID in the IP option drop options. TCP fast open in the strip tcp options.

176- Which three statements accurately describe Decryption Mirror? (Choose three). You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment. Only management consent is required to use the Decryption Mirror feature. Decryption Mirror requires a tap interface on the firewall. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel. Decryption, storage, inspection, and use of SSL traffic is regulated in certain countries.

177- Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?. New sessions and is global. Existing sessions and is not global. Existing sessions and is global. New sessions and is not global.

178- Which CLI command displays the physical media that are connected to ethernet1/8?. > show system state filter-pretty sys.s1.p8.med. > show system state filter-pretty sys.s1.p8.stats. > show system state filter-pretty sys.s1.p8.phy. > show interface ethernet1/8.

179- Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?. Multiple external zones are required in each virtual system to allow the communications between virtual systems. To allow traffic between zones in different virtual systems without the traffic leaving the appliance. External zones are required because the same external zone can be used on different virtual systems. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance.

180- Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory.

181- A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.). Select the action "download-only" when configuring an Applications and Threats update schedule. Create a Security policy rule with an application filter to always allow certain categories of new App-IDs. Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours. Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy.

182- All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?. Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time. Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

183- An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what - if any - action was taken by the active firewall when the link failed?. No action was taken because interface ethernet 1/1 did not fail. The active firewall failed over to the passive HA member due to an AEI Link Group failure. The active firewall failed over to the passive HA member because "any" is selected for the link monitoring "failure condition". No action was taken because path Monitoring is disabled.

184- When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?. HA4. HA3. HA2. HA1.

185- An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.). Public-facing servers. Financial, health, and government traffic categories. Less-trusted internal IP subnets. High-risk traffic categories. Known malicious IP space.

186- A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

187- A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working. Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.). Enable NAT Traversal on Site B firewall. Match IKE version on both firewalls. Disable passive mode on Site A firewall. Configure Local Identification on Site B firewall.

188- An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?. Create the appropriate rules with a Block action and apply them at the top of the Default Rules. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules.

189- A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?. show session all filter nat-rule-source. show running nat-policy. show session all filter nat source. show running nat-rule-ippool rule "rule_name".

190- A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes. Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?. Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures. Access the Palo Alto Networks website and raise a support request through the customer support portal. Create a custom application with specific timeouts, then create an application override rule and reference the custom application. Access the Palo Alto Networks website and complete the online form to request a new application to be added to App-ID.

191- Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?. By navigating to Monitor > Logs > Threat, applying filter “(subtype eq virus)”. By navigating to Monitor > Logs > WildFire Submissions, applying filter “(subtype eq wildfire-virus)”. By navigating to Monitor > Logs > Traffic, applying filter “(subtype eq virus)”. By navigating to Monitor > Logs > Threat, applying filter “(subtype eq wildfire-virus)”.

192- A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed. How should email log forwarding be configured to achieve this goal?. With the relevant system log filter inside Device > Log Settings. With the relevant configuration log filter inside Device > Log Settings. With the relevant configuration log filter inside Objects > Log Forwarding. With the relevant system log filter inside Objects > Log Forwarding.

193- A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet. Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?. Pre-NAT source IP address – Pre-NAT source zone. Post-NAT source IP address – Post-NAT source zone. Post-NAT source IP address – Pre-NAT source zone. Pre-NAT source IP address – Post-NAT source zone.

194- A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication. What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings?. Deploy an M-200 as a User-ID collector. Deploy the GlobalProtect vsys as a User-ID data hub. Deploy Windows User-ID agents on each domain controller. Deploy a PAN-OS integrated User-ID agent on each vsys.

195- The server team is concerned about the high volume of logs forwarded to their syslog server. It is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS traffic logs can be excluded from syslog forwarding. How should syslog log forwarding be configured?. With ‘(app neq dns-base)’ Traffic log filter inside Objects > Log Forwarding. With ‘(port.dst neq 53)’ Traffic log filter inside Device > Log Settings. With ‘(app neq dns-base)’ Traffic log filter inside Device > Log Settings. With ‘(port.dst neq 53)’ Traffic log filter inside Objects > Log Forwarding.

196- A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall. What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.). HIP Match log forwarding is not configured under Log Settings in the device tab. Log Forwarding Profile is configured but not added to security rules in the data center firewall. HIP profiles are configured but not added to security rules in the data center firewall. User-ID is not enabled in the Zone where the users are coming from in the data center firewall.

195- Which log type is supported in the log forwarding profile?. global protect. configuration. user-id. tunnel.

196- A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following: threat type: spyware; category: dns-c2; threat ID: 1000011111. Which set of steps should the administrator take to configure an exception for this signature?. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select the exceptions tab and then click show all signatures; Search related threat ID and click enable; Commit. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select DNS exceptions tab; Search related threat ID and click enable; Commit. Navigate to Objects > Security Profiles > Vulnerability Protection; Select related profile; Select the signature exceptions tab and then click show all signatures; Search related threat ID and click enable; Change the default action; Commit. Navigate to Objects > Security Profiles > Vulnerability Protection; Select related profile; Select the Exceptions tab and then click show all signatures; Search related threat ID and click enable; Change the default action; Commit.

197- An administrator needs to assign a specific DNS server to an existing template variable. Where would the administrator go to edit a template variable at the device level?. managed devices > device association. manage variables under panorama > templates. PDF export under panorama > templates. variable CSV export under panorama > templates.

198- A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address. Which two actions are required for this scenario to work? (Choose two.). On the HQ firewall select peer IP address type FQDN. On the HQ firewall enable DDNS under the interface used for the IPSec tunnel. On the remote location firewall select peer IP address type Dynamic. On the remote location firewall enable DDNS under the interface used for the IPSec tunnel.

199- Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?. Loopback. VLAN. Tunnel. Ethernet.

200- Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.). Define a Forward Trust Certificate. Configure the decryption profile. Configure SSL decryption rules. Configure an SSL/TLS service profile.
