
PCNSE-2025-Final

Test Title:
PCNSE-2025-Final

Description:
PCNSE Final

Creation Date: 2025/07/28

Category: Computing

Number of Questions: 311

Contents:

An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, would most likely stop only the Traffic logs from being sent from the NGFW to Panorama?. A. B. C. D.

Refer to the exhibit. Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?. Ethernet1/7. Ethernet1/3. Ethernet1/5. Ethernet1/6.

The UDP-4501 protocol port is used between which two GP components?. GlobalProtect app and GlobalProtect gateway. GlobalProtect app and GlobalProtect portal. GlobalProtect portal and GlobalProtect gateway. GlobalProtect app and GlobalProtect satellite.

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?. 6 to 12 hours. 24 hours. 1 to 4 hours. 36 hours.

Which statement is correct given the following messages from the PanGPA.log on the GlobalProtect app? Failed to connect to server at port:4767. The PanGPS process failed to connect to the PanGPA process on port 4767. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767. The PanGPA process failed to connect to the PanGPS process on port 4767.

SSL forward proxy decryption is configured, but the firewall uses untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-known-intermediate and Well-known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled: 1. End-users must not get the warning for the https://www.important-website.com/ website. 2. End-users should get the warning for any other untrusted website. Which approach meets the two customer requirements?. Navigate to Device > Certificate management > Certificates > Default trusted certificate authorities, import Well-known-intermediate-CA and Well-known-Root-CA, select the trusted root CA check box, and commit the configuration. Navigate to Device > Certificate management > Certificate > Device Certificates, import Well-known-intermediate-CA and Well-known-Root-CA, select the trusted root CA check box, and commit the configuration. Clear the forward untrust certificate check box on the untrusted-CA certificate and commit the configuration. Install the Well-known-intermediate-CA and Well-known-Root-CA certificate on all end-users and local computer stores.

With the default TCP and UDP setting on the firewall, what will be the identified application in the following session?. Unknown-tcp. Incomplete. Insufficient-data. Unknown-udp.

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?. IP Wildcard Mask. IP Range. IP netmask. IP address.

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewall to Panorama. However, pre-existing logs from the firewall are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?. Use the import option to pull logs. Export the log database. Use the ACC to consolidate the logs. Use the scp.logdb export command.

Based on the graphic, which statement accurately describes the output shown in the server monitoring panel?. The User-ID agent is connected to a domain controller labeled lab-client. The host lab-client has been found by the User-ID agent. The host lab-client has been found by a domain controller. The User-ID agent is connected to the firewall labeled lab-client.

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?. IPSEC mode. Tunnel mode. No Direct-Access to local networks. Satellite mode.

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?. Specify the target device as the master device in the device group. Add the template as a reference template in the device group. Enable "Shared Unused Address and service objects with devices" in Panorama settings. Add a firewall to both the device group and the template.

Which protocol is supported by GlobalProtect clientless VPN?. SSH. FTP. RDP. HTTPS.

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses change?. The "Shared" device group. Template variables. Template stacks. A device group.

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?. show routing protocol bgp peer. show routing protocol bgp state. show routing protocol bgp rib-out. show routing protocol bgp summary.

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL filtering profile to prevent credential phishing on the firewall?. Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit. Choose the URL categories in the user credential submission column and set action to block Select the URL filtering setting and enable domain credential filter Commit. Choose the URL categories in the User credential submission column and set action to block Select the User credential Detection tab and select use IP User mapping Commit. Choose the URL categories in the user credential submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit.

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?. Use the Dynamic IP address type. Set up certificate authentication. Enable Passive mode. Configure the peer address as an FQDN.

Select and place. Management plane. Signature matching. Security processing. Network processing.

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?. Panorama. Log Collector. Management only. legacy.

What is the best description of the cluster synchronization timeout (min)?. The maximum time that the local firewall waits before going to active state when another cluster member is preventing the cluster from fully synchronizing. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The timeframe that a passive or active secondary firewall will wait before taking over as the active or active-primary firewall. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft AD servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32, and the Microsoft Exchange servers reside in 102.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section?. The IP-address and corresponding server type (Microsoft AD or Microsoft Exchange) for each of the six servers. Network 192.168.28.32/27 with server type Microsoft. One IP address of a Microsoft AD server and "Auto Discover" enabled to automatically obtain all five of the other servers. Network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange.

An administrator connects a new fiber cable and transceiver to interface eth1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rx-power, vendor name, and part number by using the CLI?. show chassis status slot 21. show system state filter-pretty sys.s1.*. show system state filter sw.dev.interface.config. show system state filter ethernet1/1.

Which Panorama feature protects logs against data loss if a Panorama server fails?. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA cluster. Panorama collector Group with log redundancy ensures that no logs are lost if a server fails inside the collector group. Panorama collector group automatically ensures that no logs are lost if a server fails inside the collector group. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA cluster.

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?. Use the scheduled config push to schedule commit to Panorama and also push to devices. Use the scheduled config export to schedule push to devices and separately schedule an API call to commit all Panorama changes. Use the scheduled config push to schedule push to devices and separately schedule an API call to commit all Panorama changes. Use the scheduled config export to schedule commit to Panorama and also push to devices.

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects. The firewall rejects the pushed configuration and the commit fails. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones, it will update the references to the objects accordingly and fully commit the pushed configuration.

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?. LDAP Server Profile configuration. GlobalProtect. PAN-OS integrated User-ID agent. Windows based User-ID agent.

Given the screenshot, how did the firewall handle the traffic?. Traffic was allowed by profile but denied by policy as a threat. Traffic was allowed by policy but denied by profile as a nonstandard port. Traffic was allowed by policy but denied by profile as a threat. Traffic was allowed by policy but denied by profile as encrypted.

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted. What is the result of traffic that matches the "Alert-Threats" profile match list?. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?. Configure the TAP interface for segment X on the firewall. Configure a new vsys for segment X on the firewall. Configure vwire interfaces for segment X on the firewall. Configure a Layer 3 interface for segment X on the firewall.

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?. The modification will not be visible in Panorama. Only Panorama can revert the override. Panorama will update the template with the overridden value. The firewall template will show that it is out of sync within Panorama.

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL forward trust certificate?. A Web server certificate signed by the organization's PKI. A subordinate Certificate Authority certificate signed by the organization's PKI. A self-signed certificate authority certificate generated by the firewall. A Machine Certificate for the firewall signed by the organization's PKI.

What is the best definition of the heartbeat interval?. The frequency at which the HA peers exchange ping. The frequency at which the HA peers check link or path availability. The interval in milliseconds between hello packets. The interval during which the firewall will remain active following a link monitor failure.

A network administrator is troubleshooting an issue with Phase 2 of an IPSEC VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?. IPSEC Crypto profile. IKE Gateway profile. IKE Crypto profile. IPSEC Tunnel setting.

Given the following snippet of a wildfire submission log, did the end user successfully download a file?. No, because the action for the wildfire-virus is "reset-both". Yes, because the final action is set to "allow". Yes, because both the web-browsing application and the flash file have the "alert" action. No, because the URL generated an alert.

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and intermediate CA certificates onto the firewall. The company's root and intermediate CA certificates are also distributed to trusted devices using group policy and GlobalProtect. Additional device certificates and/or subordinate certificates requiring an enterprise CA chain of trust are signed by the company's intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?. Generate a single self-signed CA certificate for Forward Trust and another for Forward Trust. Generate a single/subordinate CA certificate for both Forward Trust and forward untrust. Generate two subordinate CA certificates, one for forward trust and one for forward untrust. Generate a CA certificate for forward trust and a self-signed CA for forward untrust.

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the threat logs. What should the administrator do to allow the tool to scan through the firewall?. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile. Remove the Zone Protection profile from the zone setting. Change the TCP port scan action from block to alert in the Zone Protection profile. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down blocked user activity and locate the user(s) that could be compromised by a botnet?. Click the hyperlink for the ZeroAccess.Gen threat. Click the hyperlink for the botnet threat category. Click the source user with the highest threat count. Click the left arrow beside the ZeroAccess.Gen threat.

An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group. Multiple vsys and firewalls can be assigned to a device group and a multi-vsys firewall can have each vsys in a different device group. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group. Multiple vsys and firewalls can be assigned to a device group and a multi-vsys firewall must have all its vsys in a single device group.

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?. test vpn gateway. test vpn ike-sa. test vpn flow. test vpn tunnel.

Based on the screenshots above, and with no configuration inside the template stack itself, what access will the device permit on its Management port?. The firewall will allow HTTP, Telnet, HTTPS, SSH, and ping from IP addresses defined as $permited-subnet-1. The firewall will allow HTTP, Telnet, HTTPS, SSH, and ping from IP addresses defined as $permited-subnet-2. The firewall will allow HTTP, Telnet, HTTPS, SSH, and ping from IP addresses defined as $permited-subnet-1 and $permited-subnet-2. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and ping from IP addresses defined as $permited-subnet-1 and $permited-subnet-2.

As a best practice, logging at session start should be used in which case?. On all allow rules. Only when log at session end is enabled. Only on deny rules. While troubleshooting.

What must be configured to apply tags automatically to User-ID logs?. Log settings. Group mapping. Log Forwarding profile. User mapping.

Review the screenshots and consider the following information: 1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC 2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups. Which IP address will be pushed to the firewall inside Address Object Server-1?. Server-1 on FW-1 will have IP 2.2.2.2 Server-1 will not be pushed to FW-2. Server-1 on FW-1 will have IP 4.4.4.4 Server-1 on FW-2 will have IP 1.1.1.1. Server-1 on FW-1 will have IP 3.3.3.3 Server-1 will not be pushed to FW-2. Server-1 on FW-1 will have IP 1.1.1.1 Server-1 will not be pushed to FW-2.

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install. When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?. Management only mode. GlobalProtect agent version. Expired certificates. Outdated plugins.

An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?. Click Session browser and review the session details. Click Traffic view, ensure that the source or destination NAT columns are included, and review the information in the detailed log view. Click App Scope > Network monitor and filter the report for NAT rules. Click traffic view and review the information in the detailed log view.

An administrator wants to use LDAP, TACACS+ and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the authentication profile in the order Kerberos, LDAP, and TACACS+?. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user. If the authentication times out for the first authentication profile in the authentication sequence, no further authentication attempts will be made. The firewall evaluates the profiles in the alphabetical order the authentication profiles have been named until one profile successfully authenticates the user. The priority assigned to the Authentication profile defines the order of the sequence.

An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing as down. What could an administrator do to troubleshoot the issue?. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface settings. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for the heartbeat backup. Check peer IP address for heartbeat backup to Device > High availability > HA communications > Packet Forwarding settings. Go to Device > High availability > HA communications > General > and check the Heartbeat Backup under Election settings.

Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?. No, because the severity is high and the verdict is malicious. Because this is an example from a defeated phishing attack. Yes, because the action is set to "allow". Yes, because the action is set to "alert".

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls. What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?. Configure a floating IP between the firewall pairs. On one pair of firewalls, run the CLI command: set network interface vlan arp. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send e-mail alerts. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.

Which log type would provide information about traffic blocked by a Zone Protection profile?. Traffic. IP-Tag. Threat. Data Filtering.

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?. CVE column. The profile rule action. Exception tab. The profile rule threat name.

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below. What should the NAT rule destination zone be set to?. Outside. DMZ. Inside. None.

Which source is the most reliable for collecting User-ID user mapping?. Microsoft Exchange. GlobalProtect. Microsoft Active Directory. Syslog Listener.

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?. Objects > Log Forwarding. Device > Log Settings. Monitor > Logs > System. Panorama > Managed devices.

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow?. Explicit proxy. SSL forward proxy. Transparent proxy. DNS proxy.

Which type of zone will allow different virtual systems to communicate with each other?. External. Tunnel. Virtual Wire. Tap.

An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall. Which three types of interfaces support SSL Forward Proxy? (Choose three). Layer 2. Virtual Wire. High availability (HA). TAP. Layer 3.

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below. Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?. Additional Master Hold Up Time. Promotion Hold Time. Heartbeat Interval. Monitor Fail Hold Up Time.

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three). Destination Domain. URL Category. Source Domain. Client Application Process. Destination user/group. Video streaming application.

An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two). Inherit settings from the Shared group. Inherit IPSec crypto profiles. Inherit parent Security policy rules and objects. Inherit all Security policy rules and objects.

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?. Push the Template first, then push Device Group to the newly managed firewall. Push the Device Group first, then push Template to the newly managed firewall. Perform the Export or push Device Config Bundle to the newly managed firewall. Ensure Force Template Values is checked when pushing configuration.

An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated?. Threat. Traffic. Configuration. Data Filtering.

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two). It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request. No client configuration is required for explicit proxy, which simplifies the deployment complexity. Explicit proxy supports interception of traffic using non-standard HTTPS ports. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make. How does the firewall identify the New App-ID characteristic?. It matches to the New App-IDs downloaded in the last 90 days. It matches to the New App-IDs in the most recently installed content releases. It matches to the New App-IDs downloaded in the last 30 days. It matches to the New App-IDs installed since the last time the firewall was rebooted.

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to ssh requests coming from IP 172.16.15.1. In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: Static IP / 172.16.15.1 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Trust Destination IP: 172.16.15.10 Application: ssh. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: dynamic-ip-and-port / ethernet 1/4 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Server. NAT Rule: Source Zone: Trust Source IP: 192.168.15.0/24 Destination Zone: Trust Destination IP: 192.168.15.1 Destination Translation: Static IP / 172.16.15.10 Security Rule: Source Zone: Trust Source IP: 192.168.15.0/4 Destination Zone: Server Destination IP: 172.16.15.10 Application: ssh. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Trust Destination IP: 192.168.15.1 Destination Translation: Static IP / 172.16.15.10 Security Rule:.

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three). NTP Server Address. Service Route Configuration. Antivirus Profile. Authentication Profile. Dynamic Address Groups.

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?. A User-ID agent on the LDAP server. A Master Device. Authentication Portal. A service route to the LDAP server.

A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?. URL filtering profile. Vulnerability Protection profile. DoS Protection profile. Data Filtering profile.

An administrator is considering deploying WildFire globally. What should the administrator consider with regards to the WildFire analysis process?. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. The WildFire Global Cloud only provides bare metal analysis.

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?. Both the active and passive firewalls, which then synchronize with each other. Both the active and passive firewalls independently, with no synchronization afterward. The passive firewall, which then synchronizes to the active firewall. The active firewall, which then synchronizes to the passive firewall.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?. Configure log compression and optimization features on all remote firewalls. Any configuration on an M-500 would address the insufficient bandwidth concerns. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?. Export device state. Load configuration version. Save candidate config. Load named configuration snapshot.

An engineer is reviewing policies after a PAN-OS upgrade. What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot? (Choose two). Highlight Unused Rules will highlight all rules. Highlight Unused Rules will highlight zero rules. Rule Usage Hit counter will not be reset. Rule Usage Hit counter will reset.

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment. Which two pieces of information should the consultant provide the client regarding Web Proxy authentication? (Choose two). Kerberos or SAML authentication need to be configured. RADIUS is not supported for explicit or transparent Web Proxy. LDAP or TACACS+ authentication need to be configured. RADIUS is only supported for a transparent Web Proxy.

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?. PAN-OS versions. IKE Crypto Profile. Proxy-IDs. Security policy.

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?. The security rule with any other security rule selected. The running configuration with the candidate configuration of the firewall. Application configured in the rule with their dependencies. Applications configured in the rule with applications seen from traffic matching the same rule.

What can be used as an action when creating a Policy-Based Forwarding (PBF) policy?. Deny. Discard. Allow. Next VR.

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two). Encryption algorithm. TLS protocol version. Number of blocked sessions. Number of security zones in decryption policies.

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two). LDAP. HTTP. Log Forwarding. Log Ingestion.

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should be reviewed with their leadership before implementation?. Legal compliance regulations and acceptable usage policies. URL risk-based category distinctions. Cipher documentation supported by the endpoint operating system. Browser-supported cipher documentation.

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?. ECMP. OSPF. ASBR. OSPFV3.

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two). A server certificate. A certificate authority (CA) certificate. A subject alternative name. A private key.

A security engineer needs firewall management access on a trusted interface. Which three settings are required on a SSL/TLS service profile to provide secure Web UI authentication? (Choose three). Certificate. Maximum TLS version. Minimum TLS version. Encryption Algorithm. Authentication Algorithm.

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface management profile to secure management access? (Choose three). SSH. HTTPS. HTTP. Permitted IP Addresses. User-ID.

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two). Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to no Set "Asymmetric Path" to Bypass. Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject-Non-syn-TCP" to Global Set "Asymmetric Path" to Global. set deviceconfig setting session tcp-reject-non-syn no. > set session tcp-reject-non-syn no.

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.). OSPF. IGRP. OSPFv3 virtual link. RIP. BGP.

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2. Which three platforms support PAN-OS 10.2? (Choose three). PA-220. PA-5000 series. PA-800 series. PA-3400 series. PA-500.

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three). Schedules. Install. Verify. Check dependencies. Revert content.

An engineer needs to collect user-id mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two). Syslog. Client probing. XFF headers. Server monitoring.

View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.). Google-video has a higher priority and more bandwidth than WebEx. Facetime has a higher priority but lower bandwidth than Zoom. SMTP has a higher priority but lower bandwidth than Zoom. DNS has a higher priority and more bandwidth than SSH.

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three). SSH key. Short message service. Push. One-Time password. User Logon.

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two). Decryption policy to decrypt the traffic and see the tag. Deny policy for the tagged traffic. An Allow policy for the initial traffic. A Deny policy with the "tag" App-ID to block the tagged traffic.

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? (Choose two). Create a Tunnel inspection policy. Exclude video traffic. Block traffic that is not work-related. Enable decryption.

An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three). /opt. /license. /plugins. /content. /software.

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two). Address groups. SSL/TLS profiles. URL filtering profiles. DNS Proxy.

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned. Which two actions could an administrator take to troubleshoot this issue? (Choose two). Look for configuration problems in Network > virtual router > OSPF. In the WebUI, view Runtime Stats in the logical router. Run the CLI command show advanced-routing ospf neighbor. In the WebUI, view the Runtime Stats in the virtual router.

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two). ICMP Drop. TCP Drop. SYN Random Early drop. TCP Port Scan block.

A network security administrator has been tasked with deploying User-ID in their organization. What are three valid methods of collecting User-ID information in a network? (Choose three). XML API. Windows User-ID agent. Dynamic user groups. External dynamic list. Global Protect.

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?. Monitor > Utilization. Support > Resources. Resources Widget on the Dashboard. Application Command and Control Center.

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.). GlobalProtect Quarantine Activity. GlobalProtect Deployment Activity. Successful GlobalProtect Deployed Activity. Successful GlobalProtect Connection Activity.

Which link is responsible for synchronizing sessions between high availability (HA) peers?. HA1. HA2. HA3. HA4.

What are three prerequisites for credential phishing prevention to function? (Choose three.). Select the action for Site Access for each category. Set phishing category to block in the URL Filtering profile. Add the URL filtering profile to one or more Security policy rules. Enable Device-ID in the zone. In the URL filtering profile, use the drop-down list to enable user credential detection.

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be installed on client devices to ensure there are no client browser warnings when decrypting approved web traffic?. The same certificate as the Forward Trust certificate. An Enterprise Root CA certificate. A Public Root CA certificate. The same certificate as the Forward Untrust certificate.

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?. Perform a commit force from the CLI of the firewall. Perform a template commit push from Panorama using the "Force Template Values" option. Perform a device group commit push from Panorama using the "Include Device and Network Templates" option. Reload the running configuration and perform a Firewall local commit.

In a template, which two objects can be configured? (Choose two.). SD-WAN path quality profile. Monitor profile. IPsec tunnel. application group.

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?. Clone the security policy and add it to the other device groups. Add the policy to the target device group and apply a master device to the device group. Reference the targeted device’s templates in the target device gro. Add the policy in the shared device group as a pre-rule.

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?. Resource Protection. TCP Port Scan Protection. Flood Protection. Packet Based Attack Protection.

A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times?. Perform a device group push using the “merge with device candidate config” option. Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config. Update the apps and threat version using device deployment. Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings.

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?. Check whether the VPN peer on one end is set up correctly using policy-based VPN. In the IPsec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.

An engineer is configuring a firewall with three interfaces: - MGT connects to a switch with internet access. - Ethernet1/1 connects to an edge router. - Ethernet1/2 connects to a virtualization network. The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface. Set DNS and Palo Alto Networks Services to use the MGT source interface. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface. Set DDNS and Palo Alto Networks Services to use the MGT source interface.

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.). SSL/TLS Service. Decryption. Interface Management. HTTP Server.

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it explicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?. Add SSL application to the same rule. Add SSL and web-browsing applications to the same rule. SSL and web-browsing must both be explicitly allowed. Add web-browsing application to the same rule.

Where can a service route be configured for a specific destination IP?. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4. Use Device > Setup > Services > Services. Use Device > Setup > Services > Service Route Configuration > Customize > Destination.

Which three items must be configured to implement application override? (Choose three.). Application override policy rule. Application filter. Security policy rule. Custom app. Decryption policy rule.

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?. Increase the TCP timeout under H.323 application. Increase the TCP timeout under SIP application. Disable ALG under H.323 application. Disable ALG under SIP application.

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator accounts on the firewall? (Choose three.). Kerberos. LDAP. RADIUS. TACACS+. SAML.

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address. Change destination NAT zone to Trust_L3. Change Source NAT zone to Untrust_L3. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

A traffic log might list an application as "not-applicable" for which two reasons? (Choose two.). The firewall did not install the session. The TCP connection terminated without identifying any application data. There was not enough application data after the TCP connection was established. The firewall dropped a TCP SYN packet.

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two). Console Backup. HSCI. HA3. HA2 backup.

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.). Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode. Rename a vsys on a multi-vsys firewall. Change the firewall management IP address. Add administrator accounts. Configure a device block list.

Which three authentication types can be used to authenticate users? (Choose three.). Cloud authentication service. Local database authentication. Kerberos single sign-on. PingID. GlobalProtect client.

Which statements describe session. The session went through SSL decryption processing. The session did not go through SSL decryption processing. The session has ended with the end-reason unknown. The application has been identified as web-browsing.

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall’s logs?. Access the CLI on each firewall and enter the command set system setting additional-threat-log on. No action is needed. Zone Protection events appear in the threat logs by default. Select the check box "Log Zone Protection events" in the Content-ID settings of the firewall. Select the check box "Log packet-based attack events" in the Zone Protection profile.

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER DG device group?. Shared pre-rules DATACENTER_DG pre-rules Rules configured locally on the firewall Shared post-rules DATACENTER_DG post-rules Shared default rules. Shared pre-rules DATACENTER_DG pre-rules Rules configured locally on the firewall DATACENTER_DG post-rules Shared post-rules Shared default rules. Shared pre-rules DATACENTER_DG pre-rules Rules configured locally on the firewall DATACENTER_DG post-rules Shared post-rules DATACENTER_DG default rules. Shared pre-rules DATACENTER_DG pre-rules Rules configured locally on the firewall Shared post-rules DATACENTER_DG post-rules DATACENTER_DG default rules.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?. Active-secondary. Initial. Tentative. Passive.

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?. SSH Service profile. Decryption profile. SSL/TLS Service profile. Certificate profile.

A company wants to implement threat prevention to take action without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.). Layer 3. Virtual Wire. TAP. Layer 2.

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity. The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet. Which profile is the engineer configuring?. Packet Buffer Protection. DoS Protection. Vulnerability Protection. Zone Protection.

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.). QoS on the egress interface for the traffic flows. A QoS policy for each application ID. A QoS profile defining traffic classes. An Application Override policy for the SSL traffic. QoS on the ingress interface for the traffic flows.

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns. Configure a Captive Portal authentication policy that uses an authentication sequence. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged. Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?. Syslog listener. Captive portal. Agentless User-ID with redistribution. Standalone User-ID agent.

Why would a traffic log list an application as "not-applicable"?. The application is not a known Palo Alto Networks App-ID. The TCP connection terminated without identifying any application data. There was not enough application data after the TCP connection was established. The firewall denied the traffic before the application match could be performed.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?. Monitor Fail Hold Up Time. Promotion Hold Time. Hello Interval. Heartbeat Interval.

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption. Create a Security policy to allow access to those sites. Install the unsupported cipher into the firewall to allow the sites to be decrypted. Allow the firewall to block the sites to improve the security posture.

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?. Post-NAT source address. Post-NAT destination address. Pre-NAT destination address. Pre-NAT source address.

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.). Email scheduler. Log Forwarding profile. Dynamic updates. SSL decryption exclusion. Login banner.

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.). ECDHE. DHE. ECDSA. RSA.

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.). Configure the DNS server locally on the firewall. Override the DNS server on the template stack. Configure a service route for DNS on a different interface. Change the DNS server on the global template.

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can the engineer use to generate Enhanced Application Logs (EALs) for classifying Internet of Things (IoT) devices while receiving broadcast DHCP traffic?. Layer 3. Tap. Layer 2. Virtual wire.

Which statement applies to HA timer settings?. Use the Critical profile for faster failover timer settings. Use the Recommended profile for typical failover timer settings. Use the Aggressive profile for slower failover timer settings. Use the Moderate profile for typical failover timer settings.

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?. Phase 1 and Phase 2 SAs are synchronized over HA3 links. Phase 1 SAs are synchronized over HA1 links. Phase 1 and Phase 2 SAs are synchronized over HA2 links. Phase 2 SAs are synchronized over HA2 links.

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.). Low. Informational. High. Critical. Medium.

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?. Record Route in IP Option Drop options. TCP Fast Open in the Strip TCP options. Ethernet SGT Protection. Stream ID in the IP Option Drop options.

Which three statements accurately describe Decryption Mirror? (Choose three). Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries. Decryption Mirror requires a tap interface on the firewall. Only management consent is required to use the Decryption Mirror feature. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?. New sessions and is global. New sessions and is not global. Existing sessions and is global. Existing sessions and is not global.

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?. External zones are required because the same external zone can be used on different virtual systems. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance. To allow traffic between zones in different virtual systems without the traffic leaving the appliance. Multiple external zones are required in each virtual system to allow the communications between virtual systems.

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server. Novell Directory, Microsoft Exchange, and Microsoft Active Directory. Novell Directory, Microsoft Terminal Server, and Microsoft Active Directory.

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.). Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours. Create a Security policy rule with an application filter to always allow certain categories of new App-IDs. Select the action "download-only" when configuring an Applications and Threats update schedule. Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy.

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall, and check the log rates during the peak time. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received. Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time. Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time.

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access. What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL. Required: Download and install the latest PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?. show session all filter nat-rule-source. show session all filter nat source. show running nat-rule ippool rule "rule_name". show running nat-policy.

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)". By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)". By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)". By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)".

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed. How should email log forwarding be configured to achieve this goal?. With the relevant configuration log filter inside Device > Log Settings. With the relevant system log filter inside Device > Log Settings. With the relevant system log filter inside Objects > Log Forwarding. With the relevant configuration log filter inside Objects > Log Forwarding.

A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet. Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?. Pre-NAT source IP address Post-NAT source zone. Pre-NAT source IP address Pre-NAT source zone. Post-NAT source IP address Post-NAT source zone. Post-NAT source IP address Pre-NAT source zone.

The server team is concerned about the high volume of logs forwarded to their syslog server. It is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS Traffic logs can be excluded from syslog forwarding. How should Syslog log forwarding be configured?. With "( app neq dns-base )" Traffic log filter inside Objects > Log Forwarding. With "( app neq dns-base )" Traffic log filter inside Device > Log Settings. With "( port.dst neq 53 )" Traffic log filter inside Device > Log Settings. With "( port.dst neq 53 )" Traffic log filter inside Objects > Log Forwarding.

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall. What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two). Log Forwarding Profile is configured but not added to security rules in the data center firewall. User-ID is not enabled in the Zone where the users are coming from in the data center firewall. HIP Match log forwarding is not configured under Log Settings in the device tab. HIP profiles are configured but not added to security rules in the data center firewall.

Which log type is supported in the Log Forwarding profile?. Tunnel. Configuration. User-ID. GlobalProtect.

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following: threat type: spyware category: dns-c2 threat ID: 100001111 Which set of steps should the administrator take to configure an exception for this signature?. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit. Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tab Search related threat ID and click enable Commit. Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit.

A firewall administrator is configuring an IPSec tunnel between a company’s HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address. Which two actions are required for this scenario to work? (Choose two.). On the HQ firewall, enable DDNS under the interface used for the IPSec tunnel. On the HQ firewall, select peer IP address type FQDN. On the remote location firewall, select peer IP address type Dynamic. On the remote location firewall, enable DDNS under the interface used for the IPSec tunnel.

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?. Ethernet. Loopback. VLAN. Tunnel.

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.). Configure the decryption profile. Configure a SSL/TLS service profile. Configure SSL decryption rules. Define a Forward Trust Certificate.

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?. Cortex Data Lake. On Palo Alto Networks Update Servers. M600 Log Collectors. Panorama.

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?. show system setting ssl-decrypt certificate. debug dataplane show ssl-decrypt ssl-certs. show system setting ssl-decrypt certs. show system setting ssl-decrypt certificate-cache.

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks. The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate. What else should the administrator do to stop packet buffers from being overflowed?. Apply DOS profile to security rules that allow traffic from outside. Enable packet buffer protection for the affected zones. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside. Add a Zone Protection profile to the affected zones.

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.). collector groups. variables. template stacks. virtual systems.

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?. an Authentication policy with 'known-user' selected in the Source User field. a Security policy with 'known-user' selected in the Source User field. a Security policy with 'unknown' selected in the Source User field. an Authentication policy with 'unknown' selected in the Source User field.

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules. How can this be achieved?. by configuring Master Device in Panorama > Device Groups. by configuring User-ID source device in Panorama > Managed Devices. by configuring Data Redistribution Client in Panorama > Data Redistribution. by configuring User-ID group mapping in Panorama > User Identification.

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?. EDL in URL Filtering profile. Custom URL category in Security policy rule. Custom URL category in URL Filtering profile. PAN-DB URL category in URL Filtering profile.

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?. Use RSA instead of ECDSA for traffic that isn’t sensitive or high-priority. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption. Use the highest TLS protocol version to maximize security. Use ECDSA instead of RSA for traffic that isn’t sensitive or high-priority.

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?. Built-in Actions within Objects > Log Forwarding Profile. Data Patterns within Objects > Custom Objects. Logging and Reporting Settings within Device > Setup > Management. Custom Log Format within Device > Server Profiles > Syslog.

What happens when the log forwarding built-in action with tagging is used?. Destination IP addresses of selected unwanted traffic are blocked. Destination zones of selected unwanted traffic are blocked. Selected unwanted traffic source zones are blocked. Selected logs are forwarded to the Azure Security Center.

A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule. Which set of steps should the engineer take to accomplish this objective?. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. Place (NAT-Rule-2) above (NAT-Rule-1). Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23. Check the box for negate option to negate this IP subnet from NAT translation. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32. Check the box for negate option to negate this IP from the NAT translation. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. Place (NAT-Rule-1) above (NAT-Rule-2).

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.). Enable User-ID. Configure a URL profile to block the phishing category. Create a URL filtering profile. Create a decryption policy rule. Create an anti-virus profile.

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40. However, it confirms a successful ping test to 198.51.100.88. Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address," both external servers as "Destination Address" and Source Translation remaining as is with bidirectional option enabled. Sharing a single NAT IP is possible for outbound connectivity, not for inbound; therefore, a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6, DMZ server 2. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.

PBF can address which two scenarios? (Select Two). providing application connectivity when the primary circuit fails. enabling the firewall to bypass Layer 7 inspection. forwarding all traffic by using source port 78249 to a specific egress interface. routing FTP to a backup ISP link to save bandwidth on the primary ISP link.

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?. Configure a service route for HTTP to use the subinterface. Add the network segment’s IP range to the Permitted IP Addresses list. Enable HTTPS in an Interface Management profile on the subinterface. Specify the subinterface as a management interface in Setup > Device > Interfaces.

What are two requirements of IPSec in transport mode? (Choose two.). NAT Traversal. Auto generated key. IKEv1. DH-group 20 (ECP-384 bits).

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server. By default, which component of the Palo Alto Networks firewall architecture is responsible for log forwarding and should be checked for early signs of overutilization?. Packet buffers. Dataplane CPU. Management plane CPU. On-chip packet descriptors.

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three.). External zones with the virtual systems added. Layer 3 zones for the virtual systems that need to communicate. Route added with next hop next-vr by using the VR configured in the virtual system. Route added with next hop set to "none," and using the interface of the virtual systems that need to communicate. Virtual systems visible to one another.

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.). MS Office. APK. PowerShell scripts. ELF. VBScripts.

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?. Perform synchronization of routes, IPSec security associations, and User-ID information. Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow. Perform session cache synchronization for all HA cluster members with the same cluster ID. Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.). HIP Match. Traffic. Configuration. Threat.

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?. Increase the frequency of the applications and threats dynamic updates. Increase the frequency of the antivirus dynamic updates. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus. Enable the "Report Grayware Files" option in Device > Setup > WildFire.

What does the User-ID agent use to find login and logout events in syslog messages?. Log Forwarding profile. Syslog Parse profile. Syslog Server profile. Authentication log.

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.). Telemetry feature is using traffic logs and packet captures to collect data. Telemetry feature is automatically enabled during PAN-OS installation. Telemetry data is shared in real time with Palo Alto Networks. Telemetry data is uploaded into Strata Logging Service.

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity. Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.). Static tags. LDAP attributes. Dynamic tags. Source IP address.

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values: Source zone: Outside and source IP address 1.2.2.2 Destination zone: Outside and destination IP address 2.2.2.1 The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone. Which destination IP address and zone should the engineer use to configure the security policy?. Destination Zone DMZ, Destination IP address 10.10.10.1. Destination Zone Outside, Destination IP address 2.2.2.1. Destination Zone DMZ, Destination IP address 2.2.2.1. Destination Zone Outside, Destination IP address 10.10.10.14.

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices. What protections does this policy provide to the enterprise?. It allows for complete visibility into certificate data, ensuring secure connections to all websites. It encrypts all certificate information to maintain privacy and compliance with local regulations. It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers. It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.

Which log type is supported in the Log Forwarding Profile?. User-ID. GlobalProtect. Tunnel. Configuration.

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?. Firewall management. Ingress for the client traffic. Egress for the outgoing traffic to the internet. Loopback for the proxy.

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.). Firewalls which support route-based VPNs. Firewalls which support policy-based VPNs. The remote device is a Palo Alto Networks firewall. The remote device is a non-Palo Alto Networks firewall.

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter. What must the administrator consider as they prepare to configure the decryption policy?. Obtain or generate the self-signed certificate with private key in the firewall. Obtain or generate the server certificate and private key from the datacenter server. Obtain or generate the forward trust and forward untrust certificate from the datacenter server. Ensure HA3 interfaces are configured in a HA pair environment to sync decrypted sessions.

Which HA firewall state describes the firewall that is currently processing traffic?. Active. Active-primary. Initial. Active-secondary.

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs. How can the administrator ensure that User-IDs are populated in the traffic logs?. Enable User-ID on the expected trusted zones. Create a Group Mapping for the GlobalProtect Group. Add the users to the proper Dynamic User Group. Enable Captive Portal on the expected source interfaces.

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1. How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?. show counter global filter delta yes | match 10.1.1.1. show counter global filter packet-filter yes delta yes. show counter global filter severity drop. debug dataplane packet-diag set capture stage drop.

Which three sessions are created by a NGFW for web proxy? (Choose three.). A session for proxy to web server. A session for web server to client. A session for proxy to authentication server. A session for DNS proxy to DNS servers. A session for client to proxy.

Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.). VBS. Python. Perl. PS1.

What type of NAT is required to configure transparent proxy?. Source translation with Dynamic IP and Port. Destination translation with Static IP. Source translation with Static IP. Destination translation with Dynamic IP.

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing. Which installer package file should the administrator download from the support site?. Tainstall-11.0.0.msi. Uainstall-11.0.0.msi. UaCredinstall64-11.0.0.msi. GlobalProtect64-6.2.1.msi.

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?. It can run on multiple virtual systems without issue. It can run only on a single virtual system. It can run only on a virtual system with an alias named "web proxy". It can run on a single virtual system and multiple virtual systems.

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values. What are the default values for ping interval and ping count before a failover is triggered?. Ping interval of 200 ms and ping count of 10 failed pings. Ping interval of 5000 ms and ping count of three failed pings. Ping interval of 200 ms and ping count of three failed pings. Ping interval of 5000 ms and ping count of 10 failed pings.

What should an engineer consider when setting up the DNS proxy for web proxy?. DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible. A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server. A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy. Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

An administrator plans to install the Windows-Based User-ID Agent. What type of Active Directory (AD) service account should the administrator use?. System Account. Dedicated Service Account. Enterprise Administrator. Domain Administrator.

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users. Which option should the administrator use?. PAN-OS Integrated User-ID Agent. PAN-OS XML API. Windows-Based User-ID Agent. Terminal Server Agent for User Mapping.

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file. What does Advanced WildFire do when the link is clicked?. Performs malicious content analysis on the linked page and the corresponding PE file. Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file. Does not perform malicious content analysis on either the linked page or the corresponding PE file. Performs malicious content analysis on the linked page, but not the corresponding PE file.

A company is expanding its existing log storage and alerting solutions. All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two.). Email. TLS. SSL. HTTP.

A company wants to deploy IPv6 on its network, which requires that all company Palo Alto Networks firewalls process IPv6 traffic and to be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?. Network > Zone Settings. Do not enable on each interface. Device > Setup Settings. Do not enable on each interface. Device > Setup Settings. Enable on each interface. Network > Zone Settings. Enable on each interface.

Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.). HA cluster members must be the same firewall model and run the same PAN-OS version. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces. HA cluster members must share the same zone name. Panorama must be used to manage HA cluster members.

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed. Which set of actions should the engineer take to achieve this goal?. Create a new log forwarding profile Add a new match list for threat log type Define the filter Select the syslog forward method. Open the current log forwarding profile Open the existing match list for threat log type Define the filter Select the syslog forward method. Open the current log forwarding profile Add a new match list for threat log type Define the filter Select the syslog forward method. Create a new log forwarding profile Add a new match list for threat log type Define the filter Select the Panorama and syslog forward methods.

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logs to verify that unwanted traffic is not allowed?. Managed Devices Health. Test Policy Match. Policy Optimizer. Preview Changes.

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?. Select the appropriate DH Group under the IPSec Crypto profile. Enable PFS under the IKE gateway advanced options. Add an authentication algorithm in the IPSec Crypto profile. Enable PFS under the IPSec Tunnel advanced options.

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?. Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates". Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration. Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates". Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration.

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?. Create Security Profiles for Antivirus and Anti-Spyware. Create Security Profile Group that includes the Antivirus and Anti-Spyware profile. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that has the Profile Setting > Profile Type selected to Group. Enable GlobalProtect Portal Agent for HIP Notification. Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source user. Enable GlobalProtect Gateway Agent for HIP Notification. Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that matches source device-object. Enable GlobalProtect Portal Agent for HIP Notification. Create Security Profiles for Antivirus and Anti-Spyware. Create Security Profile Group that includes the Antivirus and Anti-Spyware profiles. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source device-object. Enable GlobalProtect Gateway Agent for HIP Notification.

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?. It downgrades the protocol to ensure compatibility. It automatically adds the server to the SSL Decryption Exclusion list. It blocks all communication with the server indefinitely. It generates a decryption error message but allows the traffic to continue decryption.

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing. Which action is the most operationally efficient for the security engineer to find and implement the exception?. Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions. Select 'Show all signatures' within the Vulnerability Protection Profile under Exceptions. Review traffic logs to add the exception from there. Open a support case.

A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 150 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules. What is the engineer’s next step?. Create a Group Mapping with 800 groups in the Group Include List. Create two Group Mappings, each with 400 groups in the Group Include List. Create a Group Include List with the 800 Active Directory groups. Create two Group Include Lists, each with 400 Active Directory groups.

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90. When firewall-01 is rebooted, is there any action taken by the firewalls?. Yes – Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional. No – Neither firewall takes any action because firewall-01 cannot be rebooted when configured with device priority of 9. No – Neither firewall takes any action because firewall-02 is already the active-primary member. Yes – Firewall-02 takes over as the active-primary firewall; firewall-02 remains the active-primary member after firewall-01 becomes functional.

What is the benefit of the artificial intelligence operations (AIOps) Plugin for Panorama?. The AIOps plugin in Panorama retroactively checks the policy changes during the commits. The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment. It automatically pushes the configuration to Panorama after strengthening the overall security posture. It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama.

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?. Configure a dynamic user group for the users to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group. Configure a dynamic address group for the addresses to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these addresses when logs are generated in the threat log. Under Device → User Identification → Trusted Source Address, add the condition "NOT malicious.". Configure the appropriate security profiles for Antivirus, Anti-Spyware, and Vulnerability Prevention, create signature policies for the relevant signatures and/or severities. Under the "Actions" tab in "Signature Policies," select "block-user". Configure a User-ID agent for the users to be blocked. In a rule containing that user group, set the action to "Deny," and apply Threat Prevention profiles. This will automatically block any malicious users detected in the threat log.

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?. Confirm the file types and direction are configured correctly in the WildFire analysis profile. Configure the appropriate actions in the antivirus security profile. Confirm the file size limits are configured correctly in the WildFire general settings. Configure the appropriate actions in the file blocking profile.

An enterprise network security team is deploying VM-Series firewalls in a multi-cloud environment. Some firewalls are deployed in VMware NSX-V, while others are in AWS, and all are centrally managed using Panorama with the appropriate plugins installed. The team wants to streamline policy management by organizing the firewalls into device groups in which the AWS-based firewalls act as a parent device group while the NSX-V firewalls are configured as a child device group to inherit Security policies. However, after configuring the device group hierarchy and attempting to push configurations, the team receives errors, and policy inheritance is not functioning as expected. What is the most likely cause of this issue?. Panorama does not support policy inheritance across device groups containing firewalls deployed in different hypervisors when using multiple plugins. Panorama must use the same plugin version numbers for both AWS and NSX-V environments before device group inheritance can function properly. Panorama requires the objects to be overridden in the child device group before firewalls in different hypervisors can inherit Security policies. Panorama by default does not allow different hypervisors in parent/child device groups, but this can be overridden with the command set device-group allow-multi-hypervisor enable.

What must be taken into consideration when preparing a log forwarding design for all of a customer's deployed Palo Alto Networks firewalls?. Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in "Logging and Reporting Settings". The logs will not contain the names of the identified applications unless the "Enable enhanced application logging" option is selected. Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules. App-ID engine will not identify any application traffic unless the "Enable enhanced application logging" option is selected.

A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two.). Verify the NGFWs have the Advanced DNS Security and Advanced URL Filtering licenses installed and validated. Create or update a Vulnerability Protection profile to the DNS Policies / DNS Zone Misconfiguration section, then add the domains to be protected. Verify the NGFWs have the Advanced DNS Security and Advanced Threat Prevention licenses installed and validated. Create or update an Anti-Spyware profile, go to the DNS Policies / DNS Zone Misconfiguration section, then add the domains to be protected.

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.). IPSEC with Hybrid ID exchange. IKEv2 with Hybrid Key exchange. IKEv2 with Post-Quantum Pre-shared Keys. IKEv1 only to deactivate the use of public key encryption.

Which two actions can the administrative role called "vsysadmin" perform? (Choose two.). Commit changes made to the candidate configuration of the assigned vsys. Create and edit Security policies and security profiles for only the assigned vsys. Configure resource limits for the NGFW system. Configure interfaces and subinterfaces that exist in the assigned vsys.

Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?. Change the "GlobalProtect Portal -> Agent -> App -> Split Tunnel -> No direct access to local network" setting to "off". Change the "GlobalProtect Gateway -> Agent -> Client Settings -> Split Tunnel -> No direct access to local network" setting to "off". Change the "GlobalProtect Gateway -> Agent -> Network Services -> Split Tunnel -> No direct access to local network" setting to "off". Change the "GlobalProtect Portal -> Satellite -> Gateways -> No direct access to local network" setting to "off".

A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?. Add specific applications that are seen when creating cloned rules. Create a custom application and define it by the correct TCP and UDP ports. Add the relevant container application when creating cloned rules. Create an application filter based on the existing application category and risk.

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?. The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW's management CPU. The PAN-OS integrated User-ID agent must be a member of the Active Directory domain. The standalone User-ID agent must run directly on the domain controller server. The standalone User-ID agent consumes fewer resources on the NGFW's management CPU.

An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?. Add service accounts running on that machine to the "Ignore User List" in the User-ID agent setup. Remove the identity redistribution rules synced from Cloud Identity Engine from the User-ID agent configuration. Remove the rate-limiting rule that is assigned to User A access from the User ID agent configuration. Add the subnets of both the user machine and the resource to the Include List in the User ID agent configuration.

Which translated port number should be used when configuring a NAT rule for transparent proxy?. 443. 80. 8080. 4443.

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two.). User-ID. Authentication. GlobalProtect. WildFire.

Which operation will impact the performance of the management plane?. Generating a SaaS Application report. WildFire submissions. DoS protection. Decrypting SSL sessions.

An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?. 1. 2. 3. 4.

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three). Install and reboot. Upload and install. Upload-only. Upload and install and reboot. Verify and install.

Which new PAN-OS 11.0 feature supports IPv6 traffic?. DHCP Server. OSPF. IKEv1. DHCPv6 Client with Prefix Delegation.

If a URL is in multiple custom URL categories with different actions, which action will take priority?. Alert. Allow. Block. Override.

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations. The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes. The engineer reviews the following CLI output for ethernet1/1. Which setting should be modified on ethernet1/1 to remedy this problem?. Enable the Ignore IPv4 Don't Fragment (DF) setting. Adjust the TCP maximum segment size (MSS) value. Change the subnet mask from /23 to /24. Lower the interface MTU value below 1500.

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?. A self-signed certificate generated on the firewall. A subordinate Certificate Authority certificate signed by the organization's PKI. A web server certificate signed by an external Certificate Authority. A web server certificate signed by the organization's PKI.

An administrator has been tasked with configuring decryption policies. Which decryption best practice should they consider?. Place firewalls where administrators can opt to bypass the firewall when needed. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications. Decrypt all traffic that traverses the firewall so that it can be scanned for threats.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?. A Decryption profile must be attached to the Decryption policy that the traffic matches. There must be a certificate with only the Forward Trust option selected. A Decryption profile must be attached to the Security policy that the traffic matches. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?. DoS protection. QoS. Tunnel inspection. NAT.

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?. Tunnel Monitor. Zone protection. Passive Mode. Replay Protection.

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram. Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?. Values in efw01ab.chi. Values in Chicago. Values in Datacenter. Values in Global Settings.

Which rule type controls end user SSL traffic to external websites?. SSL Outbound Proxyless Inspection. SSH Proxy. SSL Forward Proxy. SSL Inbound Inspection.

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings. A User-ID certificate profile must be configured on Panorama. The security rules must be targeted to a firewall in the device group and have Group Mapping configured. A master device with Group Mapping configured must be set in the device group where the Security rules are configured.

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?. Upgrade the firewalls, upgrade log collectors, upgrade Panorama. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors.

A firewall administrator has confirmed reports of a website not displaying as expected and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.). Move the policy with action decrypt to the top of the decryption policy rulebase. Temporarily disable SSL decryption for all websites to troubleshoot the issue. Create a policy-based "No Decrypt" rule in the decryption policy to exclude specific traffic from decryption. Disable SSL handshake logging. Investigate decryption logs of the specific traffic to determine reasons for failure.

An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies, the administrator must update all the IPSec VPNs with new pre-shared keys. Where are the pre-shared keys located on the firewall?. Network/Network Profiles/IKE Crypto. Network/IPSec Tunnels. Network/Network Profiles/IKE Gateways. Network/Network Profiles/IPSec Crypto.

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?. Add the certificate CN to the SSL decryption exclusion list to allow traffic without decryption. Contact the site administrator with the expired certificate to request updates or renewal. Check for expired certificates and take appropriate actions to block or allow access based on business needs. Enable certificate revocation checking to deny access to sites with revoked certificates.

An administrator plans to install the Windows User-ID agent on a domain member system. What is a best practice for choosing where to install the User-ID agent?. On the same RODC that is used for credential detection. On the DC holding the schema master FSMO role. In close proximity to the servers it will be monitoring. In close proximity to the firewalls it will be providing User-ID to.

Which protocol is natively supported by GlobalProtect Clientless VPN?. HTTPS. SSH. FTP. RDP.

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?. show routing route type management. debug dataplane internal vif route 250. debug dataplane internal vif route 255. show routing route type service-route.

A company wants to use GlobalProtect as its remote access VPN solution. Which GlobalProtect features require a Gateway license?. IPv6 for internal gateways. Single or multiple internal gateways. Split DNS and HIP checks. Multiple external gateways.

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.). Schedule. Custom Application. Source Interface. Source Device.

A firewall administrator manages sets of firewalls which must have two unique idle timeout values. Datacenter firewalls need to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?. Create two separate template stacks, one each for Datacenter and Branch Office, and verify that Datacenter_Template and BranchOffice_Template are at the bottom of their stack. Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template. Create two separate template stacks, one each for Datacenter and Branch Office, and verify that Datacenter_Template and BranchOffice_Template are at the top of their stack. Create one template stack and place the Datacenter_Template in higher priority than BranchOffice_Template.

A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?. South. West. East. Central.

A customer would like to support Apple Bonjour in their environment for ease of configuration. Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?. Layer 2 interface. Virtual Wire interface. Layer 3 interface. Loopback interface.

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor but wants to use AppID while identifying policies that are no longer needed. Which Panorama tool can help this organization?. Policy Optimizer. Application Groups. Config Audit. Test Policy Match.

What is the most likely reason for this decryption error log?. The certificate fingerprint could not be found. The client received a CA certificate that has expired or is not valid. The client expected a certificate from a different CA than the one provided. Entrust is not a trusted root certificate authority (CA).

Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?. The first route installed. Bidirectional Forwarding Detection. The route with the lowest administrative distance. The route with the highest administrative distance.

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management. Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?. A Certificate profile with a trusted root CA. An Interface Management profile with HTTP and HTTPS enabled. An Authentication profile with the allow list of users. An SSL/TLS Service profile with a certificate assigned.

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?. Policy Optimizer. Preview Changes. Managed Devices Health. Test Policy Match.

A firewall architect is attempting to install a new Palo Alto Networks NGFW. The company has previously had issues moving all administrative functions onto a data plane interface to meet the design limitations of the environment. The architect is able to access the device for HTTPS and SSH; however, the NGFW can neither validate licensing nor get updates. Which action taken by the architect will resolve this issue?. Enable OCSP for the data plane interface so the firewall will create a certificate with the data plane interface's IP. Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed. Create a service route that sets the source interface to the data plane interface in question. Create a loopback from the management interface to the data plane interface, then make a service route from the management interface to the data plane interface.

Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) steps have been completed in Panorama (Panorama upgraded, backups made, content updates and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?. Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer. Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability. Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer. Upgrade both HA peers at the same time using Panorama's "Group HA Peers" option to ensure version consistency.

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?. Tunnel monitor. ToS Header. Proxy IDs. GRE encapsulation.

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow Evernote?. Create an application Override using TCP ports 443 and 80. Add only the Evernote application to the Security policy rule. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL. Add the HTTP, SSL and Evernote applications to the same Security policy.

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three). User certificate. Voice. Fingerprint. SMS. One-time password.

An engineer is troubleshooting a traffic-routing issue. What is the correct packet-flow sequence?. PBF > Static route > Security policy enforcement. NAT > Security policy enforcement > OSPF. BGP > PBF > NAT. PBF > Zone Protection Profiles > Packet Buffer Protection.

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?. Set the passive link state to "shutdown.". Disable the HA2 link. Disable HA. Disable config sync.

Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that when visiting an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?. The forward trust certificate has not been installed in client systems. The self-signed CA certificate has the same CN as the forward trust and untrust certificates. The forward trust certificate has not been signed by the self-signed root CA certificate. The forward untrust certificate has not been signed by the self-signed root CA certificate.

An engineer troubleshoots a high availability (HA) link that is unreliable. Where can the engineer view what time the interface went down?. Device > High Availability > Active/Passive Settings. Dashboard > Widgets > High Availability. Monitor > Logs > System. Monitor > Logs > Traffic.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces eth1/1 and eth1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet/1 link goes down due to a failure?. Non-Functional. Passive. Active. Active-Secondary.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is currently processing traffic?. Active-primary. Passive. Active. Initial.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?. SSL decryption policy. SSL Decryption profile. Comfort pages. Authentication Portal.

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?. Stateful firewall connection. link.state. profiles. certificates.

Given the following configuration, which route is used for destination 10.10.0.4?. Route 4. Route 2. Route 3. Route 1.

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?. Create a Dynamic Read only superuser. Create a Dynamic Admin with the Panorama administrator role. Create a Custom Panorama Admin. Create a Device Group and Template Admin.

Which CLI command displays the physical media that are connected to ethernet1/8?. >show system state filter-pretty sys.s1.p8.stats. >show system state filter pretty sys.s1.p8.med. >show system state filter-pretty sys.s1.p8.phy. >show interface ethernet1/8.

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair. Based on the image below, what - if any - action was taken by the active firewall when the link failed?. No action was taken because Path Monitoring is disabled. The active firewall failed over to the passive HA member due to an AE1 Link Group failure. The active firewall failed over to the passive HA member because "any" is selected to the Link Monitoring "Failure Condition". No action was taken because interface ethernet1/1 did not fail.

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?. HA2. HA3. HA1. HA4.

An administrator is assigning a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three). Less-trusted internal IP subnets. High risk traffic categories. Known malicious IP space. Public-facing servers. Financial, health, and government traffic categories.

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working. Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two). Match IKE version on both firewalls. Configure Local identification on Site B firewall. Disable passive mode on Site A firewall. Enable NAT Traversal on Site B firewall.

An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules. Create the appropriate rules with a Block action and apply them at the top of the Default Rules. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of the high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes. Access to Palo Alto Networks website and raise a support request through the Customer Support Portal. Create a custom application with specific timeout, then create an Application Override rule and reference the custom application. Create a custom application with specific timeout and signatures based on patterns discovered in packet captures. Access to Palo Alto Networks website and complete the online form to request a new application to be added to App-ID.

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication. What is the most operationally efficient way to redistribute the most accurate IP address-to-username mappings?. Deploy an M-200 as a User-ID collector. Deploy the GlobalProtect vsys as a User-ID data hub. Deploy Windows User-ID agents on each domain controller. Deploy a PAN-OS integrated User-ID agent on each vsys.

An administrator needs to assign a specific DNS server to an existing template variable. Where would the administrator go to edit a template variable at the device level?. "Managed Devices > Device Association". Variable CSV export under "Panorama>Templates". PDF Export under "Panorama>Templates". Manage variables under "Panorama>Templates".

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?. Review the configuration logs on the Monitor tab. Click Preview Changes under Push Scope. Use Test Policy Match to review the policies in Panorama. Context switch to the affected firewall and use the configuration audit tool.

When using certificate authentication for firewall administration, which method is used for authorization?. Local. RADIUS. LDAP. Kerberos.

Which tool can gather information about the application patterns when defining a signature for a custom application?. Policy optimizer. Expedition. Wireshark. Data filtering logs.

A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?. Use Panorama IPS Signature Converter to create custom vulnerability signatures, and push them to the firewalls. Create custom vulnerability signatures manually on one firewall, export them, and then import them to the rest of the firewalls. Create custom vulnerability signatures manually in Panorama, and push them to the firewalls. Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls.

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors. Upgrade the firewalls, upgrade log collectors, upgrade Panorama. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls.

A firewall administrator has confirmed reports of a website not displaying as expected and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.). Move the policy with action decrypt to the top of the decryption policy rulebase. Disable SSL handshake logging. Create a policy-based "No Decrypt" rule in the decryption policy to exclude specific traffic from decryption. Temporarily disable SSL decryption for all websites to troubleshoot the issue. Investigate decryption logs of the specific traffic to determine reasons for failure.

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network. Which path should the engineer follow to deploy the PAN-OS images to the firewalls?. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls. Upload the image to Panorama > Software menu, and deploy it to the firewalls.

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3. Which command should they use?. test routing route ip 10.2.5.3. test routing fib-lookup ip 10.2.5.0/24 virtual-router default. test routing fib-lookup ip 10.2.5.3 virtual-router default. test routing route ip 10.2.5.3 virtual-router default.

A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls. Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter. Only Panorama must be patched to the target PAN-OS version before updating the firewalls. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.

Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.). Server certificate. Certificate Profile. SSL/TLS Service Profile. CA certificate.

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?. In the GUI under Monitor > Packet Capture > Manage Filters, under ingress interface, select an interface. Command line > debug dataplane packet-diag clear filter all. In the GUI under Monitor > Packet Capture > Manage Filters, under the Non-IP field, select "exclude". Command line > debug dataplane packet-diag clear filter-marked-session all.

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.). Configuration. Traffic. HIP Match. Threat.

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?. The number of permitted IP addresses on the management interface. The timeout value for admin sessions. The amount of decrypted traffic. The number of mapped User-ID groups.

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates. What must occur to have Antivirus signatures update?. An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus. An antivirus license must be obtained before dynamic updates can be downloaded or installed. Install the application and threats updates first, then refresh the dynamic updates. An antivirus license is needed first, then a security profile for antivirus needs to be created.

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?. test vpn ipsec-sa tunnel tunnel_name. show vpn ipsec-sa tunnel tunnel_name. test vpn ike-sa gateway gateway_name. debug ike stat.

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?. egress for the outgoing traffic to the internet. loopback for the proxy. ingress for the client traffic. firewall management.

An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user. What configuration change is necessary to implement this troubleshooting solution for the user?. Enable SSL tunnel within the GlobalProtect gateway remote user's settings. Increase the user's VPN bandwidth allocation in the GlobalProtect settings. Enable SSL tunnel over TCP in a new agent configuration for the specific user. Modify the user's client to prioritize UDP traffic for GlobalProtect.

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?. IPv6 Source or Destination address. Destination based Service Route. IPv4 Source Interface. Inherit Global Setting.

After implementing a new NGFW, a firewall engineer is alerted to a VoIP traffic issue. After troubleshooting, the engineer confirms that the firewall is altering the voice packets' payload. What can the engineer do to solve the VoIP traffic issue?. Increase the TCP timeout under SIP application. Increase the TCP timeout under H.323 application. Disable ALG under SIP application. Disable ALG under H.323 application.

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.). Create a decryption policy rule. Create a URL filtering profile. Configure a URL profile to block the phishing category. Create an anti-virus profile. Enable User-ID.
