PNC23-2023-octubre

Test Title:
PNC23-2023-octubre

Description:
PNC23-2023-octubre

Creation Date: 2023/10/26

Category: Other

Number of Questions: 172

Syllabus:

An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the firewall to Panorama?.

Refer to the exhibit. Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?. ethernet1/6. ethernet1/3. ethernet1/7. ethernet1/5.

The UDP-4501 protocol-port is used between which two GlobalProtect components?. GlobalProtect app and GlobalProtect satellite. GlobalProtect app and GlobalProtect portal. GlobalProtect app and GlobalProtect gateway. GlobalProtect portal and GlobalProtect gateway.

In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?. 1 to 4 hours. 6 to 12 hours. 24 hours. 36 hours.

Which statement is correct given the following message from the PanGPA.log on the GlobalProtect app? Failed to connect to server at port: 4767. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767. The PanGPS process failed to connect to the PanGPA process on port 4767. The PanGPA process failed to connect to the PanGPS process on port 4767.

A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.). Authentication Algorithm. Encryption Algorithm. Certificate. Maximum TLS version. Minimum TLS version.

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled: 1 End-users must not get the warning for the https://www.very-important-website.com/website. 2 End-users should get the warning for any other untrusted website. Which approach meets the two customer requirements? commit the configuration. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?. unknown-udp. not-applicable. insufficient-data. incomplete.

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?. IP Range. IP Netmask. IP Wildcard Mask. IP Address.

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?. Use the ACC to consolidate the logs. Use the import option to pull logs. Export the log database. Use the scp log db export command.

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?. The host lab-client has been found by a domain controller. The User-ID agent is connected to the firewall labeled lab-client. The User-ID agent is connected to a domain controller labeled lab-client. The host lab-client has been found by the User-ID agent.

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?. Satellite mode. Tunnel mode. No Direct Access to local networks. IPSec mode.

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?. Add a firewall to both the device group and the template. Add the template as a reference template in the device group. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings. Specify the target device as the master device in the device group.

Which protocol is supported by GlobalProtect Clientless VPN?. FTP. HTTPS. SSH. RDP.

Which statement regarding HA timer settings is true?. Use the Moderate profile for typical failover timer settings. Use the Critical profile for faster failover timer settings. Use the Aggressive profile for slower failover timer settings. Use the Recommended profile for typical failover timer settings.

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?. template variables. the 'Shared' device group. template stacks. a device group.

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?. show routing protocol bgp rib-out. show routing protocol bgp peer. show routing protocol bgp summary. show routing protocol bgp state.

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?. Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit. Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit. Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit. Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit.

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?. Use the Dynamic IP address type. Enable Passive Mode. Set up certificate authentication. Configure the peer address as an FQDN.

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.). Permitted IP Addresses. SSH. HTTPS. User-ID. HTTP.

Please match the terms to their corresponding definitions. management plan. signature matching. security processing. network processing.

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?. Legacy. Management Only. Log Collector. Panorama.

What is the best description of the Cluster Synchronization Timeout (min)?. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section?. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers. network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange. one IP address of a Microsoft Active Directory server and "Auto Discover" enabled to automatically obtain all five of the other servers. network 192.168.28.32/27 with server type Microsoft.

An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up. If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?. show system state filter sw.dev.interface.config. show chassis status slot s1. show system state filter-pretty sys.s1.*. show system state filter ethernet1/1.

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.). set deviceconfig setting session tcp-reject-non-syn no. Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global. Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass. set session tcp-reject-non-syn no.

Which Panorama feature protects logs against data loss if a Panorama server fails?. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration. The firewall rejects the pushed configuration, and the commit fails. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?. LDAP Server Profile configuration. GlobalProtect. Windows-based User-ID agent. PAN-OS integrated User-ID agent.

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.). OSPF. IGRP. OSPFv3 virtual link. BGP. RIP.

Given the screenshot, how did the firewall handle the traffic?. Traffic was allowed by policy but denied by profile as encrypted. Traffic was allowed by policy but denied by profile as a threat. Traffic was allowed by profile but denied by policy as a threat. Traffic was allowed by policy but denied by profile as a nonstandard port.

Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted. What is the result of traffic that matches the "Alert -Threats" Profile Match List?. The source address of SMTP traffic that matches a threat is automatically blocked as Bad Guys for 180 minutes. The source address of traffic that matches a threat is automatically blocked as Bad Guys for 180 minutes. The source address of traffic that matches a threat is automatically tagged as Bad Guys for 180 minutes. The source address of SMTP traffic that matches a threat is automatically tagged as Bad Guys for 180 minutes.

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?. Configure the TAP interface for segment X on the firewall. Configure a Layer 3 interface for segment X on the firewall. Configure virtual wire interfaces for segment X on the firewall. Configure a new vsys for segment X on the firewall.

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. Panorama will lose visibility into the overridden configuration. Only Panorama can revert the override. Panorama will update the template with the overridden value. The firewall template will show that it is out of sync within Panorama.

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?. A Machine Certificate for the firewall signed by the organization's PKI. A web server certificate signed by the organization's PKI. A subordinate Certificate Authority certificate signed by the organization's PKI. A self-signed Certificate Authority certificate generated by the firewall.

What is the best definition of the Heartbeat Interval?. the interval during which the firewall will remain active following a link monitor failure. the frequency at which the HA peers exchange ping. the interval in milliseconds between hello packets. the frequency at which the HA peers check link or path availability.

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2. Which three platforms support PAN-OS 10.2? (Choose three.). PA-220. PA-800 Series. PA-5000 Series. PA-500. PA-3400 Series.

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.). Check dependencies. Schedules. Verify. Revert content. Install.

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?. IKE Gateway profile. IPSec Crypto profile. IKE Crypto profile. IPSec Tunnel settings.

Given the following snippet of a WildFire submission log, did the end user successfully download a file?. Yes, because the final action is set to "allow.". Yes, because both the web-browsing application and the flash file have the "alert" action. No, because the action for the wildfire-virus is "reset-both.". No, because the URL generated an alert.

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile. Remove the Zone Protection profile from the zone setting. Change the TCP port scan action from Block to Alert in the Zone Protection profile.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?. Click the hyperlink for the ZeroAccess.Gen threat. Click the source user with the highest threat count. Click the left arrow beside the ZeroAccess.Gen threat. Click the hyperlink for the botnet Threat Category.

An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?. test vpn flow. test vpn tunnel. test vpn gateway. test vpn ike-sa.

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.). Client probing. XFF Headers. Syslog. Server Monitoring.

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as Permitted-subnet-2. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as Permitted-subnet-1 and $permitted-subnet-2. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

As a best practice, logging at session start should be used in which case?. While troubleshooting. Only on Deny rules. Only when log at session end is enabled. On all Allow rules.

What must be configured to apply tags automatically to User-ID logs?. User mapping. Log Forwarding profile. Log settings. Group mapping.

View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.). SMTP has a higher priority but lower bandwidth than Zoom. Facetime has a higher priority but lower bandwidth than Zoom. Google-video has a higher priority and more bandwidth than WebEx. DNS has a higher priority and more bandwidth than SSH.

Review the screenshots and consider the following information: • FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG • There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups Which IP address will be pushed to the firewalls inside Address Object Server-1?. Server-1 on FW-1 will have IP 2.2.2.2 Server-1 will not be pushed to FW-2. Server-1 on FW-1 will have IP 3.3.3.3 Server-1 will not be pushed to FW-2. Server-1 on FW-1 will have IP 1.1.1.1 Server-1 will not be pushed to FW-2. Server-1 on FW-1 will have IP 4.4.4.4 Server-1 on FW-2 will have IP 1.1.1.1.

Which three firewall multi-factor authentication factors are supported by PANOS? (Choose three.). Short message service. Push. User logon. One-Time Password. SSH key.

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PANOS 10.2, what is the potential cause of a failed install?. GlobalProtect agent version. Outdated plugins. Management only mode. Expired certificates.

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.). A Decryption policy to decrypt the traffic and see the tag. A Deny policy with the "tag" App-ID to block the tagged traffic. An Allow policy for the initial traffic. A Deny policy for the tagged traffic.

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? (Choose two.). Enable decryption. Exclude video traffic. Create a Tunnel Inspection policy. Block traffic that is not work-related.

An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?. From the Monitor tab, click Traffic view and review the information in the detailed log view. From the Monitor tab, click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view. From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules. From the Monitor tab, click Session Browser and review the session details.

An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?. Click Traffic view and review the information in the detailed log view. Click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view. Click App Scope > Network Monitor and filter the report for NAT rules. Click Session Browser and review the session details.

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.). /plugins. /license. /opt. /content. /software.

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.). URL Filtering profiles. SSL/TLS profiles. Address groups. DNS Proxy.

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured the administrator noticed that OSPF routes were not being learned. Which two actions could an administrator take to troubleshoot this issue? (Choose two.). Run the CLI command show advanced-routing ospf neighbor. In the WebUI, view the Runtime Stats in the virtual router. Look for configuration problems in Network > virtual router > OSPF. In the WebUI, view Runtime Stats in the logical router.

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.). TCP Drop. ICMP Drop. SYN Random Early Drop. TCP Port Scan Block.

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?. The priority assigned to the Authentication profile defines the order of the sequence. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewalls dashboard is showing as down. What could an administrator do to troubleshoot the issue?. Go to Device > High Availability > General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup. Go to Device > High Availability > HA Communications > General > and check the Heartbeat Backup under Election Settings. Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings.

Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?. No, because this is an example from a defeated phishing attack. Yes, because the action is set to "allow". No, because the severity is "high" and the verdict "malicious". Yes, because the action is set to "alert".

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls. What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN. On one pair of firewalls, run the CLI command: set network interface vlan arp. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet. Configure a floating IP between the firewall pairs.

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

Which log type would provide information about traffic blocked by a Zone Protection profile?. Data Filtering. IP-Tag. Threat. Traffic.

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?. The profile rule action. CVE column. The profile rule threat name. Exceptions tab.

A network security administrator has been tasked with deploying User-ID in their organization. What are three valid methods of collecting User-ID information in a network? (Choose three.). XML API. External dynamic list. Windows User-ID agent. GlobalProtect. Dynamic user groups.

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a web server hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below. What should the NAT rule destination zone be set to?. None. Inside. DMZ. Outside.

Which source is the most reliable for collecting User-ID user mapping?. Microsoft Active Directory. Microsoft Exchange. GlobalProtect. Syslog Listener.

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?. Monitor > Logs > System. Panorama > Managed Devices. Device > Log Settings. Objects > Log Forwarding.

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow?. SSL forward proxy. Explicit proxy. Transparent proxy. DNS proxy.

Which type of zone will allow different virtual systems to communicate with each other?. Tap. Tunnel. Virtual Wire. External.

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is egressing the firewall. Which three types of interfaces support SSL Forward Proxy? (Choose three.). High availability (HA). Layer 3. Layer 2. Tap. Virtual Wire.

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below. Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?. Heartbeat Interval. Promotion Hold Time. Additional Master Hold Up Time. Monitor Fail Hold Up Time.

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.). video streaming application. Client Application Process. Destination Domain. Source Domain. Destination user/group. URL Category.

What are two benefits of nested device groups in Panorama? (Choose two.). Reuse of the existing Security policy rules and objects. Requires configuring both function and location for every device. All device groups inherit settings from the Shared group. Overwrites local firewall configuration.

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?. Ensure Force Template Values is checked when pushing configuration. Push the Template first, then push Device Group to the newly managed firewall. Push the Device Group first, then push Template to the newly managed firewall. Perform the Export or push Device Config Bundle to the newly managed firewall.

An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated?. Configuration. Data Filtering. Traffic. Threat.

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.). No client configuration is required for explicit proxy, which simplifies the deployment complexity. Explicit proxy supports interception of traffic using non-standard HTTPS ports. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make. How does the firewall identify the new App-ID characteristic?. It matches to the New App-IDs downloaded in the last 90 days. It matches to the New App-IDs installed since the last time the firewall was rebooted. It matches to the New App-IDs downloaded in the last 30 days. It matches to the New App-IDs in the most recently installed content releases.

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.15.1. In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?. NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: Static IP / 172.16.15.1; Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 172.16.15.10 - Application: ssh. NAT Rule: Source Zone: Trust - Source IP: 192.168.15.0/24 - Destination Zone: Server - Destination IP: 192.168.15.1 - Source Translation: Static IP / 172.16.15.10; Security Rule: Source Zone: Trust - Source IP: 192.168.15.10 - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh. NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 192.168.15.1 - Destination Translation: Static IP / 172.16.15.10; Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh. NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: dynamic-ip-and-port / ethernet1/4; Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh.

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.). Service Route Configuration. Dynamic Address Groups. NTP Server Address. Antivirus Profile. Authentication Profile.

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?. A service route to the LDAP server. A User-ID agent on the LDAP server. A Master Device. Authentication Portal.

A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?. Vulnerability Protection profile. DoS Protection profile. Data Filtering profile. URL Filtering profile.

An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. The WildFire Global Cloud only provides bare metal analysis.

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?. The passive firewall, which then synchronizes to the active firewall. The active firewall, which then synchronizes to the passive firewall. Both the active and passive firewalls, which then synchronize with each other. Both the active and passive firewalls independently, with no synchronization afterward.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW. Configure log compression and optimization features on all remote firewalls. Any configuration on an M-500 would address the insufficient bandwidth concerns.

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?. Load configuration version. Save candidate config. Export device state. Load named configuration snapshot.

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.). Rule Usage Hit counter will reset. Highlight Unused Rules will highlight zero rules. Highlight Unused Rules will highlight all rules. Rule Usage Hit counter will not be reset.

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment. Which two pieces of information should the consultant provide the client regarding Web Proxy authentication? (Choose two.). Kerberos or SAML authentication need to be configured. RADIUS is not supported for explicit or transparent Web Proxy. RADIUS is only supported for a transparent Web Proxy. LDAP or TACACS+ authentication need to be configured.

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?. IKE Crypto Profile. Security policy. Proxy-IDs. PAN-OS versions.

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?. Applications configured in the rule with their dependencies. The security rule with any other security rule selected. Applications configured in the rule with applications seen from traffic matching the same rule. The running configuration with the candidate configuration of the firewall.

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?. Deny. Allow. Discard. Next VR.

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.). Number of blocked sessions. Encryption algorithm. TLS protocol version. Number of security zones in decryption policies.

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.). LDAP. Log Ingestion. HTTP. Log Forwarding.

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?. Browser-supported cipher documentation. Cipher documentation supported by the endpoint operating system. URL risk-based category distinctions. Legal compliance regulations and acceptable usage policies.

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?. ASBR. OSPFv3. ECMP. OSPF.

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.). A certificate authority (CA) certificate. A private key. A server certificate. A subject alternative name.

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?. Resources Widget on the Dashboard. Monitor > Utilization. Support > Resources. Application Command and Control Center.

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.). Successful GlobalProtect Deployed Activity. GlobalProtect Deployment Activity. Successful GlobalProtect Connection Activity. GlobalProtect Quarantine Activity.

Which link is responsible for synchronizing sessions between high availability (HA) peers?. HA2. HA3. HA4. HA1.

What are three prerequisites for credential phishing prevention to function? (Choose three.). Set phishing category to block in the URL Filtering profile. Add the URL filtering profile to one or more Security policy rules. In the URL filtering profile, use the drop-down list to enable user credential detection. Enable Device-ID in the zone. Select the action for Site Access for each category.

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be installed on client devices to ensure there are no client browser warnings when decrypting approved web traffic?. The same certificate as the Forward Untrust certificate. The same certificate as the Forward Trust certificate. An Enterprise Root CA certificate. A Public Root CA certificate.

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?. Reload the running configuration and perform a Firewall local commit. Perform a commit force from the CLI of the firewall. Perform a template commit push from Panorama using the "Force Template Values" option. Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

In a template, you can configure which two objects? (Choose two.). Monitor profile. Application group. SD-WAN path quality profile. IPsec tunnel.

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?. Clone the security policy and add it to the other device groups. Add the policy to the target device group and apply a master device to the device group. Reference the targeted device's templates in the target device group. Add the policy in the shared device group as a pre-rule.

Which DoS protection mechanism detects and prevents session exhaustion attacks?. Packet Based Attack Protection. Flood Protection. Resource Protection. TCP Port Scan Protection.

Which operation will impact the performance of the management plane?. DoS protection. WildFire submissions. Generating a SaaS Application report. Decrypting SSL sessions.

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times?. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings. Perform a device group push using the "merge with device candidate config" option. Update the apps and threat version using device-deployment. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure. Check whether the VPN peer on one end is set up correctly using policy-based VPN. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

An engineer is configuring a firewall with three interfaces: 1. MGT connects to a switch with internet access. 2. Ethernet1/1 connects to an edge router. 3. Ethernet1/2 connects to a virtualization network. The engineer needs to configure dynamic updates to use a data plane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?. Set DNS and Palo Alto Networks Services to use the MGT source interface. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface. Set DDNS and Palo Alto Networks Services to use the MGT source interface.

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.). Decryption. HTTP Server. SSL/TLS Service. Interface Management.

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?. Add SSL application to the same rule. SSL and web-browsing must both be explicitly allowed. Add SSL and web-browsing applications to the same rule. Add web-browsing application to the same rule.

An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?. 1. 2. 3. 4.

Where can a service route be configured for a specific destination IP?. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4. Use Device > Setup > Services > Services. Use Device > Setup > Services > Service Route Configuration > Customize > Destination. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4.

Which three items must be configured to implement application override? (Choose three.). Application filter. Application override policy rule. Custom app. Decryption policy rule. Security policy rule.

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.). upload-only. install and reboot. upload and install. upload and install and reboot. verify and install.

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packet payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?. Disable ALG under H323 application. Increase the TCP timeout under H323 application. Increase the TCP timeout under SIP application. Disable ALG under SIP application.

Which new PAN-OS 11.0 feature supports IPv6 traffic?. OSPF. IKEv1. DHCP Server. DHCPv6 Client with Prefix Delegation.

Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.). Kerberos. PAP. SAML. TACACS+. RADIUS. LDAP.

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?. Change Source NAT zone to Untrust_L3. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address. Add source Translation to translate original source IP to the firewall eth1/2 interface translation. Change destination NAT zone to Trust_L3.

A traffic log might list an application as "not-applicable" for which two reasons? (Choose two.). The firewall did not install the session. The TCP connection terminated without identifying any application data. There was not enough application data after the TCP connection was established. The firewall dropped a TCP SYN packet.

When you configure an active/active high availability pair, which two links can you use? (Choose two.). HA3. Console Backup. NSCLC. HA2 backup.

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.). configure a device block list. rename a vsys on a multi-vsys firewall. enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode. add administrator accounts. change the firewall management IP address.

Which three authentication types can be used to authenticate users? (Choose three.). Local database authentication. PingID. Kerberos single sign-on. GlobalProtect client. Cloud authentication service.

Which three statements correctly describe session 380280? (Choose two.). The session has ended with the end-reason "unknown.". The session did not go through SSL decryption processing. The application shifted to "web-browsing.". The session went through SSL decryption processing.

If a URL is in multiple custom URL categories with different actions, which action will take priority?. Override. Alert. Allow. Block.

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations. The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes. The engineer reviews the following CLI output for ethernet1/1. Which setting should be modified on ethernet1/1 to remedy this problem?. Adjust the TCP maximum segment size (MSS) value. Lower the interface MTU value below 1500. Enable the Ignore IPv4 Don't Fragment (DF) setting. Change the subnet mask from /23 to /24.

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?. A self-signed certificate generated on the firewall. A web server certificate signed by the organization's PKI. A web server certificate signed by an external Certificate Authority. A subordinate Certificate Authority certificate signed by the organization's PKI.

An administrator has been tasked with configuring decryption policies. Which decryption best practice should they consider?. Decrypt all traffic that traverses the firewall so that it can be scanned for threats. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications. Place firewalls where administrators can opt to bypass the firewall when needed.

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?. Access the CLI in each firewall and enter the command set system setting additional-threat-log on. No action is needed. Zone Protection events appear in the threat logs by default. Select the checkbox "Log Zone Protection events" in the Content-ID settings of the firewall. Select the check box "Log packet-based attack events" in the Zone Protection profile.

An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?. A Decryption profile must be attached to the Decryption policy that the traffic matches. There must be a certificate with both the Forward Trust option and Forward Untrust option selected. A Decryption profile must be attached to the Security policy that the traffic matches. There must be a certificate with only the Forward Trust option selected.

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?. Tunnel inspection. QoS. DoS protection. NAT.

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?. shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall DATACENTER_DG post-rules - shared post-rules shared default rules. shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules - DATACENTER_DG default rules. shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules - shared default rules. shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall DATACENTER_DG post-rules - shared post-rules DATACENTER_DG default rules.

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?. Destination-Based Service Route. Inherit Global Setting. IPv6 Source or Destination Address. IPv4 Source Interface.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?. Initial. Passive. Active-secondary. Tentative.

A company wants to add threat prevention to the network without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.). Virtual Wire. Layer 2. TAP. Layer 3.

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?. Certificate profile. SSL/TLS Service profile. SSH Service profile. Decryption profile.

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?. Replay Protection. Tunnel Monitor. Zone Protection. Passive Mode.

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram. Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?. Values in Datacenter. Values in efw01ab.chi. Values in Global Settings. Values in Chicago.

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?. Proxy IDs. Tunnel Monitor. GRE Encapsulation. ToS Header.

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?. Destination-Based Service Route. Inherit Global Setting. IPv6 Source or Destination Address. IPv4 Source Interface.

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity. The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet. Which profile is the engineer configuring?. Packet Buffer Protection. Zone Protection. DoS Protection. Vulnerability Protection.

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?. Create an Application Override using TCP ports 443 and 80. Add the HTTP, SSL, and Evernote applications to the same Security policy. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL. Add only the Evernote application to the Security policy rule.

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.). One-time password. User certificate. SMS. Voice. Fingerprint.

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of SSL traffic. Which three elements should the administrator configure to address this issue? (Choose three.). QoS on the egress interface for the traffic flows. QoS on the ingress interface for the traffic flows. A QoS profile defining traffic classes. A QoS policy for each application ID. An Application Override policy for the SSL traffic.

An engineer is troubleshooting a traffic-routing issue. What is the correct packet-flow sequence?. PBF > Static route > Security policy enforcement. BGP < PBF > NAT. PBF > Zone Protection Profiles > Packet Buffer Protection. NAT > Security policy enforcement > OSPF.

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy. Configure a Captive Portal authentication policy that uses an authentication sequence. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged. Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?. agentless User-ID with redistribution. Syslog listener. captive portal. standalone User-ID agent.

Why would a traffic log list an application as "not-applicable"?. There was not enough application data after the TCP connection was established. The TCP connection terminated without identifying any application data. The firewall denied the traffic before the application match could be performed. The application is not a known Palo Alto Networks App-ID.

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?. Disable HA. Disable the HA2 link. Set the passive link state to "shutdown.". Disable config sync.

Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?. The forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate has not been installed in client systems. The forward untrust certificate has not been signed by the self-signed root CA certificate. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event. Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?. Hello Interval. Monitor Fail Hold Up Time. Heartbeat Interval. Promotion Hold Time.

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?. Create a Security policy to allow access to those sites. Install the unsupported cipher into the firewall to allow the sites to be decrypted. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption. Allow the firewall to block the sites to improve the security posture.

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?. Post-NAT destination address. Pre-NAT destination address. Pre-NAT source address. Post-NAT source address.

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.). Log Forwarding profile. Email scheduler. Login banner. SSL decryption exclusion. Dynamic updates.

An engineer troubleshoots a high availability (HA) link that is unreliable. Where can the engineer view what time the interface went down?. Device > High Availability > Active/Passive Settings. Dashboard > Widgets > High Availability. Monitor > Logs > System. Monitor > Logs > Traffic.

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.). ECDSA. DHE. RSA. ECDHE.

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.). Configure a service route for DNS on a different interface. Configure the DNS server locally on the firewall. Change the DNS server on the global template. Override the DNS server on the template stack.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to `any`. There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to `all`. Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?. Active. Passive. Active-Secondary. Non-functional.

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can the engineer use to generate Enhanced Application logs (EALs) for classifying Internet of Things (IoT) devices while receiving broadcast DHCP traffic?. Layer 2. Virtual wire. Tap. Layer 3.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is currently processing traffic?. Initial. Passive. Active-primary. Active.

Which statement about High Availability timer settings is true?. Use the Moderate timer for typical failover timer settings. Use the Critical timer for faster failover timer settings. Use the Aggressive timer for faster failover timer settings. Use the Recommended timer for faster failover timer settings.

An organization wants to begin decrypting guest and BYOD traffic. Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?. Comfort pages. SSL Decryption profile. Authentication Portal. SSL decryption policy.

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?. link state. profiles. stateful firewall connection. certificates.
