How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?
by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the botom of the Device Quarantine page and leveraging the appropriate XSOAR playbook by using security policies, log forwarding profiles, and log settings. by adding the device's Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GobalProtect gateway from a quarantined device. There is no native auto-quarantine feature so a custom script would need to be leveraged.
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two) Create a security policy rule with a vulnerability security profile attached Configure a dynamic address group for untrusted sites Create a no-decrypt decryption police Rule Enable the "block sessions with untrusted issuers" setting Configure an EDL to pull IP addresses of known sites resolved from a CRL.
Where is information about packet buffer protection logged? Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Thread log All entries are in the System log
All entries are in the Alarm log
All entries are in System log. Entries for dropped traffic, discarded sessions and blocked IP address are in the Thread log.
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)
Certificate profile SSH service profile SSL/TLS service profile Server certificate.
In a Panorama template, which three types of objects are configurable? (Choose three.) HIP objects Certificate profiles
QoS profiles
Security profiles
Interface management profiles.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use? client certificate certificate authority (CA) certificate
machine certificate
server certificate
.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.) Source Interface
Destination Zone
App-ID Custom URL Category
User-ID
.
The UDP-4501 protocol-port is used between which two GlobalProtect components?
GlobalProtect app and GlobalProtect gateway
GlobalProtect portal and GlobalProtect gateway
GlobalProtect app and GlobalProtect satellite
GlobalProtect app and GlobalProtect portal.
A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web Ul authentication? (Choose three.) Maximum TLS version
Certificate
Minimum TLS version
Authentication Algorithm
Encryption Algorithm.
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well known certificate chain: Well-known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1 End-users must not get the warning for the https://www very- important-website.com/website.
2. End-users should get the warning for any other untrusted website. Which approach meets the two customer requirements? Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box, and commit the configuration. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit Install the Well-Known-Intermediate-CA and Well-Known Root-CA certificates on allend-user systems in the user and local computer stores. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-known-RootCA select the Trusted Root CA check box and commit the configuration.
A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate based administrator authentication to the web UI? (Choose two.) client certificate Server certificate
certificate authority (CA) certificate
certificate profile.
A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices. To install the certificate and key for an endpoint, which three components are required? (Choose three.) machine certificate local computer store
self-signed certificate
private key
server certificate.
Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)
QOS Profile
DoS Protection Profile
Dos Protection policy
Zone Protection Profile.
What are two best practices for incorporating new and modified App- IDS? (Choose two.) Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs. Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs. Configure a security policy rule to allow new App-ID that might have network-wide impact
Study the release notes and install new App-IDs if they are determined to have low impact.
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes? review the configuration logs on the Monitor tab
context-switch to the affected firewall and use the configuration audit tool
click Preview Changes under Push Scope
use Test Policy Match to review the policies in Panorama.
What is the function of a service route?
The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source Interface and source IP address.
Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks service like the Customer Support Portal.
The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.
The service route is the method required to use the firewalls management plane to provide service to applications.
What are three important considerations during SD-WAN configuration planning? (Choose three.)
connection throughput
branch and hub locations
IP Addresses
dynamic routing
link requirements.
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?
an Authentication policy with 'known-user' selected in the Source User field
a Security policy with 'known-user' selected in the Source User field
a Security policy with 'unknown' selected in the Source User field
an Authentication policy with 'unknown' selected in the Source User field.
When using certificate authentication for firewall administration, which method is used for authorization?
Radius Local LDAP Kerberos.
An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decryption traffic from guest devices? The organization has no legal authority to decrypt their traffic. Guests may use operating systems that can't be decrypted. Guest devices may not trust the CA certificate used for the forward trust certificate. Guest devices may not trust the CA certificate Used for the forward untrust certificate.
Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?
template variables
a device group
the "Shared" device group
template stacks.
Which component enables you to configure firewall resource protection settings?
QoS Profile
DoS Protection Profile
DoS Protection policy
Zone Protection Profile.
A client wants to detect the use of weak and manufacturer-default passwords for loT devices.
Which option will help the customer?
Configure a Vulnerability Protection profile with alert mode.
Configure a Data Filtering profile with alert mode.
Configure an Antivirus profile with alert mode.
Configure an Anti-Spyware profile with alert mode.
.
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management. Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
An Interface Management profile with HTTP and HTTPS enabled should be configured.
An SSL/TLS Service profile should be configured with a certificate assigned.
A Certificate profile should be configured with a trusted root CA
An Authentication profile with the allow list of users should be configured.
.
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules. How can this be achieved?
by configuring User-ID group mapping in Panorama > User Identification
by configuring User-ID source device in Panorama > Managed Devices
by configuring Data Redistribution Client in Panorama > Data Redistribution
by configuring Master Device in Panorama > Device Groups
.
Which Security profile generates a packet threat type found in threat logs?
Wildfire Anti-Spyware
Zone Protection
Antivirus.
Which Panorama feature protects logs against data loss if a Panorama server fails?
Panorama HA with Log Redundancy ensures that t no logs are lost t if a server fails inside the HA Cluster
Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
Panorama Collector automatically ensures that no logs are lost if a server fails inside the collector group
Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?
Create a zone protection profile, enable reconnaissance protection, set action to block, and apply it to the outside zone
Create a Security rule to deny all ICMP traffic from the outside zone
Enable packet buffer protection in the outside zone.
Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone.
An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.) URL categories
App-ID
source and destination IP addresses
source user
GlobalProtect HIP.
Which steps should an engineer take to forward system logs to email? Enable log forwarding under the email profile in the Objects tab.
Create a new email profile under Device > server profiles, then navigate to Device > log settings > System and add the email profile under email
Enable log forwarding under the email profile in the Device tab.
Create a new email profile under Device > server profiles; then navigate to Objects > Log forwarding profile >set log type to system and them add email profile.
An engineer needs to see how many existing SSL decryption sessions are traversing a firewall. What command should be used?
show session all
show dataplane pool statistics | match proxy
debug sessions | match proxy debug dataplane pool statistics | match proxy.
An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended" state due to Non-functional loop. Which three actions will help the administrator resolve this issue? (Choose three.)
Check the HA Link Monitoring interface cables
Use the CLI command show high-availability flap-statistics Check High Availability > Active/Passive Settings > Passive Link State
Check the High Availability > Link and Path Monitoring settings.
Check the High Availability > HA Communications > Packet Forwarding
.
|
