
Questions 501-570

Test Title:
Questions 501-570

Description:
Questions 501 through 570

Creation Date: 2024/11/25

Category: Computing

Number of Questions: 69

Syllabus:

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below. What should the NAT rule destination zone be set to?. A. None. B. Inside. C. DMZ. D. Outside.

A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in Transparent Proxy mode. Which three elements must be in place before a transparent web proxy can function? (Choose three.). A. User-ID for the proxy zone. B. DNS Security license. C. Prisma Access explicit proxy license. D. Cortex Data Lake license. E. Authentication Policy Rule set to default-web-form.

Which type of zone will allow different virtual systems to communicate with each other?. A. Tap. B. Tunnel. C. Virtual Wire. D. External.

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow?. A. SSL forward proxy. B. Explicit proxy. C. Transparent proxy. D. DNS proxy.

An engineer discovers the management interface is not routable to the User-ID agent. What configuration is needed to allow the firewall to communicate to the User-ID agent?. A. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP. B. Create a NAT policy for the User-ID agent server. C. Create a custom service route for the UID Agent. D. Add a static route to the virtual router.

An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output. Which troubleshooting command should the engineer use to work around this issue?. A. set deviceconfig setting tcp asymmetric-path drop. B. set session tcp-reject-non-syn yes. C. set deviceconfig setting tcp asymmetric-path bypass. D. set deviceconfig setting session tcp-reject-non-syn no.

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?. A. Panorama. B. M600 Log Collectors. C. Cortex Data Lake. D. On Palo Alto Networks Update Servers.

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?. A. Satellite mode. B. Tunnel mode. C. No Direct Access to local networks. D. IPSec mode.

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?. A. Create a Dynamic Admin with the Panorama Administrator role. B. Create a Dynamic Read only superuser. C. Create a Device Group and Template Admin. D. Create a Custom Panorama Admin.

An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall. What should the administrator configure in order to connect the sites?. A. Generic Routing Encapsulation (GRE) Tunnels. B. GlobalProtect Satellite. C. SD-WAN. D. IKE Gateways.

A customer wants to set up a site-to-site VPN using tunnel interfaces. What format is the correct naming convention for tunnel interfaces?. A. tun.1025. B. tunnel.50. C. vpn.1024. D. gre1/2.

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path. What part of the network profile configuration should the engineer verify?. A. Destination IP. B. Threshold. C. Action. D. Interval.

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.). A. One-time password. B. User certificate. C. SMS. D. Voice. E. Fingerprint.

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.). A. LDAP. B. Log Ingestion. C. HTTP. D. Log Forwarding.

What is the PAN-OS NPTv6 feature based on RFC 6296 used for?. A. Application port number translation. B. IPv6-to-IPv6 network prefix translation. C. Stateful translation to provide better security. D. IPv6-to-IPv6 host portion translation.

An administrator has been tasked with deploying SSL Forward Proxy. Which two types of certificates are used to decrypt the traffic? (Choose two.). A. Device certificate. B. Subordinate CA from the administrator’s own PKI infrastructure. C. Self-signed root CA. D. External CA certificate.

An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.). A. Inherit all Security policy rules and objects. B. Inherit settings from the Shared group. C. Inherit IPSec crypto profiles. D. Inherit parent Security policy rules and objects.

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?. A. A self-signed certificate generated on the firewall. B. A web server certificate signed by the organization’s PKI. C. A web server certificate signed by an external Certificate Authority. D. A subordinate Certificate Authority certificate signed by the organization’s PKI.

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?. A. Disable ALG under H.323 application. B. Increase the TCP timeout under H.323 application. C. Increase the TCP timeout under SIP application. D. Disable ALG under SIP application.

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?. A. Ensure Force Template Values is checked when pushing configuration. B. Push the Template first, then push Device Group to the newly managed firewall. C. Push the Device Group first, then push Template to the newly managed firewall. D. Perform the Export or push Device Config Bundle to the newly managed firewall.

Which new PAN-OS 11.0 feature supports IPv6 traffic?. A. OSPF. B. IKEv1. C. DHCP Server. D. DHCPv6 Client with Prefix Delegation.

If a URL is in multiple custom URL categories with different actions, which action will take priority?. A. Block. B. Allow. C. Alert. D. Override.

An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event. Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?. A. Hello Interval. B. Monitor Fail Hold Up Time. C. Heartbeat Interval. D. Promotion Hold Time.

Which three items must be configured to implement application override? (Choose three.). A. Application filter. B. Application override policy rule. C. Custom app. D. Decryption policy rule. E. Security policy rule.

An engineer is configuring a firewall with three interfaces: • MGT connects to a switch with internet access. • Ethernet1/1 connects to an edge router. • Ethernet1/2 connects to a virtualization network. The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?. A. Set DNS and Palo Alto Networks Services to use the MGT source interface. B. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface. C. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface. D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.

An organization conducts research on the benefits of leveraging the web proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.). A. No client configuration is required for explicit proxy, which simplifies the deployment complexity. B. Explicit proxy supports interception of traffic using non-standard HTTPS ports. C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request. D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the local firewall? (Choose three.). A. TACACS+. B. Kerberos. C. SAML. D. RADIUS. E. LDAP.

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?. A. insufficient-data. B. incomplete. C. not-applicable. D. unknown-tcp.

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?. A. Clone the security policy and add it to the other device groups. B. Add the policy to the target device group and apply a master device to the device group. C. Reference the targeted device’s templates in the target device group. D. Add the policy in the shared device group as a pre-rule.

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?. A. The User-ID agent is connected to a domain controller labeled lab-client. B. The host lab-client has been found by the User-ID agent. C. The host lab-client has been found by a domain controller. D. The User-ID agent is connected to the firewall labeled lab-client.

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?. A. Deny. B. Allow. C. Discard. D. Next VR.

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.). A. OSPF. B. IGRP. C. OSPFv3 virtual link. D. BGP. E. RIP.

A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times?. A. Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings. B. Perform a device group push using the “merge with device candidate config” option. C. Update the apps and threat version using device-deployment. D. Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config.

An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?. A. 1. B. 2. C. 3. D. 4.

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?. A. Reload the running configuration and perform a Firewall local commit. B. Perform a commit force from the CLI of the firewall. C. Perform a template commit push from Panorama using the “Force Template Values” option. D. Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option.

Where can a service route be configured for a specific destination IP?. A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4. B. Use Device > Setup > Services > Services. C. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4. D. Use Device > Setup > Services > Service Route Configuration > Customize > Destination.

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?. A. IKE Crypto Profile. B. Security policy. C. Proxy-IDs. D. PAN-OS versions.

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?. A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS. B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution. C. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users. D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated?. A. Configuration. B. Data Filtering. C. Traffic. D. Threat.

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?. A. A service route to the LDAP server. B. A User-ID agent on the LDAP server. C. A Master Device. D. Authentication Portal.

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?. A. Change destination NAT zone to Trust_L3. B. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address. C. Change Source NAT zone to Untrust_L3. D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.). A. Service Route Configuration. B. Dynamic Address Groups. C. NTP Server Address. D. Antivirus Profile. E. Authentication Profile.

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?. A. Add SSL application to the same rule. B. SSL and web-browsing must both be explicitly allowed. C. Add SSL and web-browsing applications to the same rule. D. Add web-browsing application to the same rule.

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?. A. 1 to 4 hours. B. 6 to 12 hours. C. 24 hours. D. 36 hours.

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?. A. Destination-Based Service Route. B. Inherit Global Setting. C. IPv6 Source or Destination Address. D. IPv4 Source Interface.

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.). A. A QoS policy for each application. B. An Application Override policy for the SIP traffic. C. A QoS profile defining traffic classes. D. QoS on the ingress interface for the traffic flows. E. QoS on the egress interface for the traffic flows.

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.). A. Rename a vsys on a multi-vsys firewall. B. Change the firewall management IP address. C. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode. D. Add administrator accounts. E. Configure a device block list.

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?. A. shared pre-rules - DATACENTER_DG pre-rules - rules configured locally on the firewall - DATACENTER_DG post-rules - shared post-rules - shared default rules. B. shared pre-rules - DATACENTER_DG pre-rules - rules configured locally on the firewall - shared post-rules - DATACENTER_DG post-rules - DATACENTER_DG default rules. C. shared pre-rules - DATACENTER_DG pre-rules - rules configured locally on the firewall - shared post-rules - DATACENTER_DG post-rules - shared default rules. D. shared pre-rules - DATACENTER_DG pre-rules - rules configured locally on the firewall - DATACENTER_DG post-rules - shared post-rules - DATACENTER_DG default rules.

A company wants to implement threat prevention to take action without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.). A. Virtual Wire. B. Layer 2. C. Layer 3. D. TAP.

Which operation will impact the performance of the management plane?. A. Enabling DoS protection. B. Enabling packet buffer protection. C. Decrypting SSL sessions. D. Generating a SaaS Application report.

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?. A. Tunnel inspection. B. NAT. C. QoS. D. DoS protection.

Why would a traffic log list an application as "not-applicable"?. A. There was not enough application data after the TCP connection was established. B. The TCP connection terminated without identifying any application data. C. The firewall denied the traffic before the application match could be performed. D. The application is not a known Palo Alto Networks App-ID.

What must be configured to apply tags automatically based on User-ID logs?. A. Device ID. B. Log settings. C. Group mapping. D. Log Forwarding profile.

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10. What should the engineer do to complete the configuration?. A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward. B. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53. C. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse. D. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?. A. Initial. B. Passive. C. Active-secondary. D. Tentative.

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.). A. Critical. B. High. C. Medium. D. Informational. E. Low.

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?. A. Applications configured in the rule with their dependencies. B. The security rule with any other security rule selected. C. Applications configured in the rule with applications seen from traffic matching the same rule. D. The running configuration with the candidate configuration of the firewall.

Given the following snippet of a WildFire submission log, did the end user successfully download a file?. A. Yes, because the final action is set to "allow.". B. No, because the action for the wildfire-virus is "reset-both.". C. No, because the URL generated an alert. D. Yes, because both the web-browsing application and the flash file have the "alert" action.

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.). A. Number of security zones in decryption policies. B. Encryption algorithm. C. TLS protocol version. D. Number of blocked sessions.

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations. The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes. The engineer reviews the following CLI output for ethernet1/1. Which setting should be modified on ethernet1/1 to remedy this problem?. A. Change the subnet mask from /23 to /24. B. Lower the interface MTU value below 1500. C. Adjust the TCP maximum segment size (MSS) value. D. Enable the Ignore IPv4 Don't Fragment (DF) setting.

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram. Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?. A. Values in Global Settings. B. Values in Datacenter. C. Values in efw01ab.chi. D. Values in Chicago.

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?. A. Replay Protection. B. Zone Protection. C. Tunnel Monitor. D. Passive Mode.

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?. A. Proxy IDs. B. ToS Header. C. GRE Encapsulation. D. Tunnel Monitor.

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make. How does the firewall identify the New App-ID characteristic?. A. It matches to the New App-IDs downloaded in the last 90 days. B. It matches to the New App-IDs in the most recently installed content releases. C. It matches to the New App-IDs downloaded in the last 30 days. D. It matches to the New App-IDs installed since the last time the firewall was rebooted.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is currently processing traffic?. A. Passive. B. Initial. C. Active. D. Active-primary.

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.). A. Log Forwarding profile. B. SSL decryption exclusion. C. Email scheduler. D. Login banner. E. Dynamic updates.

An organization wants to begin decrypting guest and BYOD traffic. Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?. A. Authentication Portal. B. SSL Decryption profile. C. SSL decryption policy. D. comfort pages.

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.). A. ECDSA. B. ECDHE. C. RSA. D. DHE.

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.). A. Override the DNS server on the template stack. B. Configure the DNS server locally on the firewall. C. Change the DNS server on the global template. D. Configure a service route for DNS on a different interface.
