Pruebas4
Test title: Pruebas4. Description: PruebasRU




Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)
- inherit address-objects from templates.
- define a common standard template configuration for firewalls.
- standardize server profiles and authentication configuration across all stacks.
- standardize log-forwarding profiles for security policies across all stacks.

Which statement regarding HA timer settings is true?
- Use the Moderate profile for typical failover timer settings.
- Use the Critical profile for faster failover timer settings.
- Use the Aggressive profile for slower failover timer settings.
- Use the Recommended profile for typical failover timer settings.

When you navigate to Network > GlobalProtect > Portals > Agent > (config) > App and look in the Connect Method section, which three options are available? (Choose three.)
- A. user-logon (always on).
- B. certificate-logon.
- C. pre-logon then on-demand.
- D. on-demand (manual user initiated connection).
- E. post-logon (always on).

What is the best description of the HA4 Keep-alive Threshold (ms)?
- A. the timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
- B. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
- C. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
- D. the time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
- A. Phase 2 SAs are synchronized over HA2 links.
- B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
- C. Phase 1 SAs are synchronized over HA1 links.
- D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?
- A. Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration.
- B. Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates".
- C. Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration.
- D. Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates".

A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?
- A. Layer 2.
- B. Virtual Wire.
- C. Tap.
- D. Layer 3.

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.)
- A. certificate authority (CA) certificate.
- B. server certificate.
- C. client certificate.
- D. certificate profile.

When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with Palo Alto Networks best practices. What should you recommend?
- A. Enable SSL decryption for known malicious source IP addresses.
- B. Enable SSL decryption for malicious source users.
- C. Enable SSL decryption for source users and known malicious URL categories.
- D. Enable SSL decryption for known malicious destination IP addresses.

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
- A. the web server requires mutual authentication.
- B.
the website matches a category that is not allowed for most users.
- C. the website matches a high-risk category.
- D. the website matches a sensitive category.

An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?
- A. PDF Export under Panorama > templates.
- B. Variable CSV export under Panorama > templates.
- C. Managed Devices > Device Association.
- D. Manage variables under Panorama > templates.

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?
- Traffic logs.
- Tunnel Inspections logs.
- Systems Logs.
- Configuration logs.

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
- A. Use the import option to pull logs.
- B. Use the scp logdb export command.
- C. Export the log database.
- D. Use the ACC to consolidate the logs.

A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practices to ensure consistent performance?
- A. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive.
- B. Use Decryption profiles to drop traffic that uses processor-intensive ciphers.
- C. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic.
- D.
Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic.

An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID?
- A. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange.
- B. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory.
- C. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory.
- D. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory.

What are three reasons for excluding a site from SSL decryption? (Choose three.)
- A. the website is not present in English.
- B. unsupported ciphers.
- C. certificate pinning.
- D. unsupported browser version.
- E. mutual authentication.

The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the Internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?
- A. action 'reset-server' and packet capture 'disable'.
- B. action 'default' and packet capture 'single-packet'.
- C. action 'reset-both' and packet capture 'extended-capture'.
- D. action 'reset-both' and packet capture 'single-packet'.

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?
- A. Add a firewall to both the device group and the template.
- B. Add the template as a reference template in the device group.
- C. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
- D.
Specify the target device as the master device in the device group.

Which GlobalProtect component must be configured to enable Clientless VPN?
- A. GlobalProtect satellite.
- B. GlobalProtect app.
- C. GlobalProtect portal.
- D. GlobalProtect gateway.

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
- A. You must set the interface to Layer 2, Layer 3, or virtual wire.
- B. The interface must be used for traffic to the required services.
- C. You must use a static IP address.
- D. You must enable DoS and zone protection.

Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks. How can the issue be corrected?
- A. Override the value on the NYCFW template.
- B. Override a template value using a template stack variable.
- C. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
- D. Override the value on the Global template.

You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?
- A. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office.
- B. Create an Application Group and add business-systems to it.
- C. Create an Application Filter and name it Office Programs, then filter it on the office-programs subcategory.
- D. Create an Application Filter and name it Office Programs, then filter it on the business-systems category.

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):
i.
Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?
- A. Enterprise-Trusted-CA which is a self-signed CA.
- B. Enterprise-Root-CA which is a self-signed CA.
- C. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA.
- D. Enterprise-Untrusted-CA which is a self-signed CA.

What best describes the HA Promotion Hold Time?
- A. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost.
- B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.
- C. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
- D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again.

What is the best description of the HA4 Keep-alive Threshold (ms)?
- A. the timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
- B. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
- C.
the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
- D. the time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/ website
2. End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?
- A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration.
- B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores.
- C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
- D. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.

In a Panorama template, which three types of objects are configurable? (Choose three.)
- A. certificate profiles.
- B. HIP objects.
- C. QoS profiles.
- D. security profiles.
- E. interface management profiles.

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?
- A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
- B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
- C. Configure a Captive Portal authentication policy that uses an authentication sequence.
- D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

PBF can address which two scenarios? (Choose two.)
- A. routing FTP to a backup ISP link to save bandwidth on the primary ISP link.
- B. providing application connectivity if the primary circuit fails.
- C. enabling the firewall to bypass Layer 7 inspection.
- D. forwarding all traffic by using source port 78249 to a specific egress interface.

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
- A. IP Netmask.
- B. IP Range.
- C. IP Address.
- D. IP Wildcard Mask.

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
- A. review the configuration logs on the Monitor tab.
- B. use Test Policy Match to review the policies in Panorama.
- C. context-switch to the affected firewall and use the configuration audit tool.
- D. click Preview Changes under Push Scope.

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
- A. Create a no-decrypt Decryption Policy rule.
- B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
- C. Configure a Dynamic Address Group for untrusted sites.
- D. Create a Security Policy rule with a vulnerability Security Profile attached.
- E. Enable the "Block sessions with untrusted issuers" setting.

What is the function of a service route?
- A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.
- B. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.
- C. The service route is the method required to use the firewall's management plane to provide services to applications.
- D. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?
- A. Move the "Local" template above the "Global" template in the template stack.
- B. Perform a commit and push with the "Force Template Values" option selected.
- C.
Override the values on the local firewall and apply the correct settings for each value.
- D. Move the "Global" template above the "Local" template in the template stack.

What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?
- SSL/TLS Service profile.
- SCEP.
- Certificate profile.
- OCSP Responder.

An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface. What are three supported functions on the VWire interface? (Choose three.)
- A. IPSec.
- B. OSPF.
- C. SSL Decryption.
- D. QoS.
- E. NAT.

Where is information about packet buffer protection logged?
- A. All entries are in the System log.
- B. All entries are in the Alarms log.
- C. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log.
- D. Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log.

Which statement is true regarding a Best Practice Assessment?
- A. The BPA tool can be run only on firewalls.
- B. It provides a percentage of adoption for each assessment area.
- C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities.
- D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
- A. IPSec tunnel standup.
- B. Quality of Service.
- C. Logging.
- D. Signature matching for content inspection.

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
- A. self-signed CA certificate.
- B. server certificate.
- C. wildcard server certificate.
- D. client certificate.
- E. enterprise CA certificate.

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?
- A. Guest devices may not trust the CA certificate used for the forward trust certificate.
- B. Guests may use operating systems that can't be decrypted.
- C. The organization has no legal authority to decrypt their traffic.
- D. Guest devices may not trust the CA certificate used for the forward untrust certificate.

A firewall has Security policies from three sources:
1. locally created policies
2. shared device group policies as pre-rules
3. the firewall's device group as post-rules
How will the rule order populate once pushed to the firewall?
- A. shared device group policies, local policies, firewall device group policies.
- B. firewall device group policies, local policies, shared device group policies.
- C. local policies, firewall device group policies, shared device group policies.
- D. shared device group policies, firewall device group policies, local policies.

Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)
- A. The environment requires real full-time redundancy from both firewalls at all times.
- B. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes.
- C. The environment requires Layer 2 interfaces in the deployment.
- D. The environment requires that all configuration must be fully synchronized between both members of the HA pair.
- E. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence.

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
- A. Certificate profile.
- B. SSL/TLS Service profile.
- C. SSH Service profile.
- D. Decryption profile.

A company is using wireless controllers to authenticate users. Which source should be used for User-ID mappings?
- A. server monitoring.
- B. XFF headers.
- C. Syslog.
- D. client probing.

While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column. What best explains these occurrences?
- A. A handshake did take place, but the application could not be identified.
- B. A handshake took place, but no data packets were sent prior to the timeout.
- C. A handshake did not take place, and the application could not be identified.
- D. A handshake took place; however, there were not enough packets to identify the application.

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour's routing table. Which two configurations should you check on the firewall? (Choose two.)
- A. Ensure that the OSPF neighbour state is "2-Way".
- B. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
- C. Within the redistribution profile ensure that Redist is selected.
- D. In the redistribution profile check that the source type is set to "ospf".

Which statement best describes the Automated Commit Recovery feature?
- A. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall if the check fails.
- B. It restores the running configuration on a firewall if the last configuration commit fails.
- C. It restores the running configuration on a firewall and Panorama if the last configuration commit fails.
- D. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.

A firewall administrator wants to avoid overflowing the company syslog server with traffic logs. What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?
- A. Disable logging on security rules allowing DNS.
- B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application not equal to DNS.
- C. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application equal to DNS.
- D. Create a security rule to deny DNS traffic with the syslog server in the destination.

An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
- A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
- B. Use an enterprise CA-signed certificate for the Forward Untrust certificate.
- C. Use the same Forward Trust certificate on all firewalls in the network.
- D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3. Which scenario will cause the Active firewall to fail over?
- A. IP address 8.8.8.8 is unreachable for 1 second.
- B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds.
- C. IP address 4.2.2.2 is unreachable for 2 seconds.
- D. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.

Unknown-udp. Known-udp.

A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?
- A.
Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
- B. Create a DoS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone.
- C. Enable packet buffer protection in the outside zone.
- D. Create a Security rule to deny all ICMP traffic from the outside zone.

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?
- A. Enable HTTPS in an Interface Management profile on the subinterface.
- B. Add the network segment's IP range to the Permitted IP Addresses list.
- C. Specify the subinterface as a management interface in Setup > Device > Interfaces.
- D. Configure a service route for HTTP to use the subinterface.

An engineer needs to see how many existing SSL decryption sessions are traversing a firewall. What command should be used?
- A. debug sessions | match proxy.
- B. debug dataplane pool statistics | match proxy.
- C. show dataplane pool statistics | match proxy.
- D. show sessions all.

Which steps should an engineer take to forward system logs to email?
- A. Create a new email profile under Device > server profiles; then navigate to Device > Log Settings > System and add the email profile under email.
- B. Enable log forwarding under the email profile in the Objects tab.
- C. Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and then add the email profile.
- D. Enable log forwarding under the email profile in the Device tab.

C. D.

An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended" state due to Non-functional loop. Which three actions will help the administrator resolve this issue? (Choose three.)
- A. Check the HA Link Monitoring interface cables.
- B. Check High Availability > Active/Passive Settings > Passive Link State.
- C. Check the High Availability > Link and Path Monitoring settings.
- D. Check the High Availability > HA Communications > Packet Forwarding settings.
- E. Use the CLI command show high-availability flap-statistics.

Which statement accurately describes service routes and virtual systems?
- A. Virtual systems can only use one interface for all global service and service routes of the firewall.
- B. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.
- C. Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall.
- D. The interface must be used for traffic to the required external services.

You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?
- A. Upgrade the Log Collectors one at a time.
- B. Add Panorama Administrators to each Managed Collector.
- C. Upgrade all the Log Collectors at the same time.
- D. Add a Global Authentication Profile to each Managed Collector.

Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?
- A. in Threat General Settings, select "Report Grayware Files".
- B. within the log settings option in the Device tab.
- C. in WildFire General Settings, select "Report Grayware Files".
- D. within the log forwarding profile attached to the Security policy rule.

You have upgraded your Panorama and Log Collectors to 10.2.x. Before upgrading your firewalls using Panorama, what do you need to do?
- A. Commit and Push the configurations to the firewalls.
- B. Refresh your licenses with Palo Alto Network Support - Panorama/Licenses/Retrieve License Keys from License Server.
- C. Refresh the Master Key in Panorama/Master Key and Diagnostic.
- D. Re-associate the firewalls in Panorama/Managed Devices/Summary.

What can be used to create dynamic address groups?
- Dynamic Address.
- Tags.
- FQDN Address.
- Region Objects.

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?
- A. Threat log.
- B. Data Filtering log.
- C. WildFire Submissions log.
- D. URL Filtering log.

Which CLI command is used to determine how much disk space is allocated to logs?
- A. debug log-receiver show.
- B. show system info.
- C. show system logdb-quota.
- D. show logging-status.

A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?
- A. The three-way TCP handshake was observed, but the application could not be identified.
- B. The three-way TCP handshake did not complete.
- C. The traffic is coming across UDP, and the application could not be identified.
- D. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied.

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?
- A. There is insufficient application data after the TCP connection was established.
- B.
The TCP connection was terminated without identifying any application data.
- C. The TCP connection did not fully establish.
- D. The client sent a TCP segment with the PUSH flag set.

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
- A. Legacy.
- B. Management Only.
- C. Log Collector.
- D. Panorama.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all." Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?
- A. Non-functional.
- B. Passive.
- C. Active-Secondary.
- D. Active.

The firewall identifies a popular application as an unknown-tcp. Which two options are available to identify the application? (Choose two.)
- A. Create a custom application.
- B. Create a custom object for the custom application server to identify the custom application.
- C. Submit an App-ID request to Palo Alto Networks.
- D. Create a Security policy to identify the custom application.

Select and place.
- Static.
- OSPF External.
- EBGP.
- RIP.

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized. Which User-ID agent is sufficient in your network?
- A. Windows-based agent deployed on each domain controller.
- B. PAN-OS integrated agent deployed on the firewall.
- C. Citrix terminal server agent deployed on the network.
- D. Windows-based agent deployed on the internal network a domain member.

A Panorama administrator configures a new zone and uses the zone in a new Security policy. After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?
- A.
merge with candidate config. B. include device and network templates. C. specify the template as a reference template. D. force template values. A. B. C. D. Drag and Drop. GlobalProtect Gateway. GlobalProtect Clientless. GlobalProtect App. GlobalProtect Portal. Which two events trigger the operation of automatic commit recovery? (Choose two.). A. when an aggregate Ethernet interface component fails. B. when Panorama pushes a configuration. C. when a firewall performs a local commit. D. when a firewall HA pair fails over. A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?. A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question. B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question. C. Enable and configure a Link Monitoring Profile for the external interface of the firewall. D. Configure path monitoring for the next hop gateway on the default route in the virtual router. The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?. A. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP selection on the LACP tab of the AE Interface. B. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the High Availability Options on the LACP tab of the AE Interface. C. 
It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP selection on the LACP tab of the AE Interface. D. It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable LACP selection on the LACP tab of the AE Interface. Which two options prevent the firewall from capturing traffic passing through it? (Choose two.). A. The firewall is in multi-vsys mode. B. The traffic is offloaded. C. The traffic does not match the packet capture filter. D. The firewall's DP CPU is higher than 50%. Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?. A. port mapping. B. server monitoring. C. client probing. D. XFF headers. How does Panorama prompt VMWare NSX to quarantine an infected VM?. A. HTTP Server Profile. B. Syslog Server Profile. C. Email Server Profile. D. SNMP Server Profile. A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?. A. Enterprise-Trusted-CA which is a self-signed CA. B. Enterprise-Root-CA which is a self-signed CA. C. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA. D. Enterprise-Untrusted-CA which is a self-signed CA. 
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow?. A. Layer 2 security chain. B. Layer 3 security chain. C. Transparent Bridge security chain. D. Transparent Proxy security chain. When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?. A. Traffic Distribution profile. B. Path Quality profile. C. Certificate profile. D. SD-WAN interface profile. Before you upgrade a Palo Alto Networks NGFW, what must you do?. A. Make sure that the PAN-OS support contract is valid for at least another year. B. Export a device state of the firewall. C. Make sure that the firewall is running a supported version of the app + threat update. D. Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.). A. App-ID. B. Custom URL Category. C. User-ID. D. Destination Zone. E. Source Interface. An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization?. A. WildFire and Threat Prevention combine to minimize the attack surface. B. After 24 hours, WildFire signatures are included in the antivirus update. C. Protection against unknown malware can be provided in near real-time. D. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall. What are two valid deployment options for Decryption Broker? (Choose two.). A. Transparent Bridge Security Chain. B. Transparent Mirror Security Chain. C. Layer 2 Security Chain. D. Layer 3 Security Chain. A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. 
Which two mandatory options are used to configure a VLAN interface? (Choose two.). A. Virtual router. B. Security zone. C. ARP entries. D. Netflow Profile. The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group. NYC-DC has NYC-FW as a member of the NYC-DC device-group. What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?. A. Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1. B. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1. C. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1. D. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?. A. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks. B. Add a WildFire subscription to activate DoS and zone protection features. C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems. D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection. A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software. Why did the bootstrap process fail for the VM-Series firewall in Azure?. A. 
All public cloud deployments require the /plugins folder to support proper firewall native integrations. B. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing. C. The /config or /software folders were missing mandatory files to successfully bootstrap. D. The /content folder is missing from the bootstrap package. An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum amount of bandwidth the administrator could configure at the compute location?. A. 90Mbps. B. 75Mbps. C. 50Mbps. D. 300Mbps. An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?. A. System Logs. B. Session Browser. C. You cannot find failover details on closed sessions. D. Traffic Logs. The UDP-4501 protocol-port is used between which two GlobalProtect components?. A. GlobalProtect app and GlobalProtect satellite. B. GlobalProtect app and GlobalProtect portal. C. GlobalProtect app and GlobalProtect gateway. D. GlobalProtect portal and GlobalProtect gateway. What is considered the best practice with regards to zone protection?. A. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs. B. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse. C. Set the Alarm Rate threshold for event-log messages to high severity or critical severity. D. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection. An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?. A. 
The Security rules must be targeted to a firewall in the device group and have Group Mapping configured. B. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings. C. A master device with Group Mapping configured must be set in the device group where the Security rules are. D. A User-ID Certificate profile must be configured on Panorama. A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?. A. a WildFire profile and a File Blocking profile. B. a Vulnerability Protection profile and a Decryption policy. C. a Vulnerability Protection profile and a QoS policy. D. a Decryption policy and a Data Filtering profile. An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?. A. Port Inspection. B. Certificate revocation. C. Content-ID. D. App-ID. Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.). A. upload-only. B. install and reboot. C. upload and install. D. upload and install and reboot. E. verify and install. An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?. A. Create an Application Override using TCP ports 443 and 80. B. Add the HTTP, SSL, and Evernote applications to the same Security policy. C. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL. D. Add only the Evernote application to the Security policy rule. 
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?. A. To enable Gateway authentication to the Portal. B. To enable Portal authentication to the Gateway. C. To enable user authentication to the Portal. D. To enable client machine authentication to the Portal. In the image, what caused the commit warning?. A. The CA certificate for FWDtrust has not been imported into the firewall. B. The FWDtrust certificate has not been flagged as Trusted Root CA. C. SSL Forward Proxy requires a public certificate to be imported into the firewall. D. The FWDtrust certificate does not have a certificate chain. What are two characteristic types that can be defined for a variable? (Choose two.). A. zone. B. FQDN. C. IP netmask. D. path group. Which benefit do policy rule UUIDs provide?. A. functionality for scheduling policy actions. B. the use of user IP mapping and groups in policies. C. cloning of policies between device-groups. D. an audit trail across a policy's lifespan. IKE Gateway profile. IPSec Crypto profile. IKE Crypto profile. IPSec tunnel settings. While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is also being dropped by the DoS profile. If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the drop to only the attacking sessions?. A. Enable resources protection under the DoS Protection profile. B. Change the SYN flood action from Random Early Drop to SYN cookies. C. Increase the activate rate for the SYN flood protection. D. Change the DoS Protection profile type from aggregate to classified. Add the tool address to the reconnaissance protection source address exclusion in the DoS Protection profile. Others. Client probing. Server Monitoring. Syslog. XFF Headers. 
Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group. NYC-DC has NYC-FW as a member of the NYC-DC device-group. What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?. A. Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1. B. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1. C. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1. D. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1. In Panorama, what do Device Groups cover?. Policies. Objects. Network. Device. In Panorama, what do Templates cover?. Policies. Objects. Network. Device. A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?. A. IKE Gateway profile. B. IPSec Crypto profile. C. IPSec Tunnel settings. D. IKE Crypto profile. What is the dependency for users to access services that require authentication?. A. An Authentication profile that includes those services. B. Disabling the authentication timeout. C. An authentication sequence that includes those services. D. A Security policy allowing users to access those services. Which feature checks Panorama connectivity status after a commit?. A. Automated commit recovery. B. Scheduled config export. C. Device monitoring data under Panorama settings. D. HTTP Server profiles. An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?. A. The trusted certificate. B. 
The server certificate. C. The untrusted certificate. D. The root CA. How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?. A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts. B. Panorama provides visibility into all the system and traffic logs received from firewalls; it does not offer any ability to see or monitor resource utilization on managed firewalls. C. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall. D. Panorama provides information about system resources of the managed devices in the Managed Devices -> Health menu. Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?. A. PAN-DB URL category in URL Filtering profile. B. Custom URL category in Security policy rule. C. Custom URL category in URL Filtering profile. D. EDL in URL Filtering profile. An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregated interface group?. A. They can have different hardware media such as the ability to mix fiber optic and copper. B. They can have a different interface type such as Layer 3 or Layer 2. C. They can have a different interface type from an aggregate interface group. D. They can have a different bandwidth. An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department. Which dynamic role does the administrator assign to the new-hire colleague?. A. Device administrator (read-only). B. 
System administrator (read-only). C. Firewall administrator (read-only). D. Superuser (read-only). A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?. A. Remove the Zone Protection profile from the zone setting. B. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile. C. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile. D. Change the TCP port scan action from Block to Alert in the Zone Protection profile. An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?. A. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group. B. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group. C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group. D. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group. An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.). A. Use the show predefined xpath <value> command and review the output. B. Review the App Dependency application list from the Commit Status view. C. 
Open the security policy rule and review the Depends On application list. D. Reference another application group containing similar applications. An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.). A. Syslog. B. XFF Headers. C. Client Probing. D. Server Monitoring. The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?. A. Management only mode. B. Expired certificates. C. Outdated plugins. D. GlobalProtect agent version. During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints. The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue. What must be configured to enable the Connect Before Logon feature?. A. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand. B. Registry keys on the Windows system. C. X-Auth Support in the GlobalProtect Gateway Tunnel Settings. D. The Certificate profile in the GlobalProtect Portal Authentication Settings. A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?. A. A self-signed Certificate Authority certificate generated by the firewall. B. A Machine Certificate for the firewall signed by the organization's PKI. C. A web server certificate signed by the organization's PKI. D. A subordinate Certificate Authority certificate signed by the organization's PKI. 
An engineer has been given approval to upgrade their environment to PAN-OS 10.2. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?. A. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls. B. Upgrade the firewalls, upgrade log collectors, upgrade Panorama. C. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors. D. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama. Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.). A. SSH key. B. User logon. C. Short message service. D. One-Time password. E. Push. A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?. A. Use API calls to retrieve the configuration directly from the managed devices. B. Export Named Configuration Snapshot on each firewall followed by Import Named Configuration Snapshot in Panorama. C. Import Device Configuration to Panorama followed by Export or Push Device Config Bundle. D. Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices. Which log type would provide information about traffic blocked by a Zone Protection profile?. A. Data Filtering. B. IP-Tag. C. Traffic. D. Threat. An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.). A. Path group. B. Zone. C. IP netmask. D. FQDN. An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? 
(Choose three.). A. /software. B. /opt. C. /license. D. /content. E. /plugins. Which statement about High Availability timer settings is true?. A. Use the Moderate timer for typical failover timer settings. B. Use the Critical timer for faster failover timer settings. C. Use the Recommended timer for faster failover timer settings. D. Use the Aggressive timer for faster failover timer settings. What are two best practices for incorporating new and modified App-IDs? (Choose two.). A. Configure a security policy rule to allow new App-IDs that might have network-wide impact. B. Study the release notes and install new App-IDs if they are determined to have low impact. C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs. D. Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs. |