yango1
Test title: yango1

Description: things to tes




1. A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama. Which configuration is necessary to retrieve groups from Panorama?
- Configure an LDAP Server profile and enable the User-ID service on the management interface.
- Configure a group mapping profile to retrieve the groups in the target template.
- Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
- Configure a master device within the device groups.

3. In a firewall, which three decryption methods are valid? (Choose three)
- SSL Inbound Inspection
- SSL Outbound Proxyless Inspection
- SSL Inbound Proxy
- Decryption Mirror
- SSH Proxy

4. While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
- show system setting ssl-decrypt certs
- show system setting ssl-decrypt certificate-cache
- show system setting ssl-decrypt certificate
- debug dataplane show ssl-decrypt ssl-stats

5. A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
- Create a Dynamic Admin with the Panorama Administrator role.
- Create a Custom Panorama Admin.
- Create a Device Group and Template Admin.
- Create a Dynamic Read only superuser.

6. How can packet buffer protection be configured?
- at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
- at the device level (globally) and, if enabled globally, at the zone level
- at the interface level to protect firewall resources
- at zone level to protect firewall resources and ingress zones but not at the device level

7. A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two)
- client certificate
- certificate profile
- certificate authority (CA) certificate
- server certificate

8. A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers, to include the future regional data centers. Which VPN preconfigured configuration would adapt to changes when deployed to the future site?
- IPsec tunnels using IKEv2
- PPTP tunnels
- GlobalProtect satellite
- GlobalProtect client

9. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
- review the configuration logs on the Monitor tab
- click Preview Changes under Push Scope
- use Test Policy Match to review the policies in Panorama
- context-switch to the affected firewall and use the configuration audit tool

10. An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)
- variables
- template stacks
- collector groups
- virtual systems

11. An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
- Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
- Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.
- Use an enterprise CA-signed certificate for the Forward Untrust certificate.
- Use the same Forward Trust certificate on all firewalls in the network.

12. Before you upgrade a Palo Alto Networks NGFW, what must you do?
- Make sure that the PAN-OS support contract is valid for at least another year.
- Export a device state of the firewall.
- Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.
- Make sure that the firewall is running a supported version of the app + threat update.

13. Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two)
- Zone Protection Profiles protect ingress zones.
- Zone Protection Profiles protect egress zones.
- DoS Protection Profiles are packet-based, not signature-based.
- DoS Protection Profiles are linked to Security policy rules.

14. Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?
- show session all ssl-decrypt yes count yes
- show session filter ssl-decryption yes total-count yes
- show session all filter ssl-decrypt yes count yes
- show session all filter ssl-decryption yes total-count yes

15. To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
- Add the policy in the shared device group as a pre-rule.
- Reference the targeted device's templates in the target device group.
- Add the policy to the target device group and apply a master device to the device group.
- Clone the security policy and add it to the other device groups.

16. Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
- No Direct Access to local networks
- Satellite mode
- Tunnel mode
- IPSec mode

17. What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)
- configure a device block list
- rename a vsys on a multi-vsys firewall
- enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
- add administrator accounts
- change the firewall management IP address

18. In a template you can configure which two objects? (Choose two.)
- SD WAN path quality profile
- application group
- IPsec tunnel
- Monitor profile

19. In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?
- 1 to 4 hours
- 6 to 12 hours
- 24 hours
- 36 hours

20. An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
- Monitor > Utilization
- Resources Widget on the Dashboard
- Support > Resources
- Application Command and Control Center

21. You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three)
- High
- Medium
- Critical
- Informational
- Low

22. A variable name must start with which symbol?
- $
- &
- !
- #

23. Which three statements accurately describe Decryption Mirror? (Choose three.)
- Decryption Mirror requires a tap interface on the firewall.
- Decryption, storage, inspection and use of SSL traffic are regulated in certain countries.
- Only management consent is required to use the Decryption Mirror feature.
- You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
- Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.

26. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
- The interface must be used for traffic to the required services.
- You must enable DoS and zone protection.
- You must set the interface to Layer 2, Layer 3, or virtual wire.
- You must use a static IP address.

27. An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information. However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD. How can policies based on group mapping be learned and enforced in Prisma Access?
- Configure Prisma Access to learn group mapping via SAML assertion.
- Assign a master device in Panorama through which Prisma Access learns groups.
- Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
- Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.

28. What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?
- Traffic is dropped because there is no matching SD-WAN policy to direct traffic.
- Traffic matches a catch-all policy that is created through the SD-WAN plugin.
- Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
- Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).

29. An engineer is creating a security policy based on Dynamic User Groups (DUG). What benefit does this provide?
- Automatically include users as members without having to manually create and commit policy or group changes.
- DUGs are used to only allow administrators access to the management interface on the Palo Alto Networks firewall.
- It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based policies.
- Schedule commits at regular intervals to update the DUG with new users matching the tags specified.

30. Which configuration task is best for reducing load on the management plane?
- Disable logging on the default deny rule.
- Enable session logging at start.
- Disable pre-defined reports.
- Set the URL filtering action to send alerts.

31. Which rule type controls end user SSL traffic to external websites?
- SSL Outbound Proxyless Inspection
- SSL Forward Proxy
- SSL Inbound Inspection
- SSH Proxy

33. When you configure an active/active high availability pair, which two links can you use? (Choose two)
- HA2 backup
- HA3
- Console Backup
- HSCI-C

36. When setting up a security profile, which three items can you use? (Choose three)
- WildFire analysis
- anti-ransomware
- antivirus
- URL filtering
- decryption profile

37. You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?
- Create an Application Group and add Office 365, Evernote, Google Docs and Libre Office.
- Create an Application Group and add business-systems to it.
- Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.
- Create an Application Filter and name it Office Programs, then filter on the business-systems category.

39. An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?
- To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
- Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
- Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
- The WildFire Global Cloud only provides bare metal analysis.

40. Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?
- Layer 2
- Tap
- Layer 3
- Decryption Mirror

43. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route. What are two reasons why the firewall might not use a static route? (Choose two.)
- no install on the route
- duplicate static route
- path monitoring on the static route
- disabling of the static route

44. A traffic log might list an application as "not-applicable" for which two reasons? (Choose two)
- The firewall did not install the session.
- The TCP connection terminated without identifying any application data.
- The firewall dropped a TCP SYN packet.
- There was not enough application data after the TCP connection was established.

45. A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?
- Threat log
- Data Filtering log
- WildFire Submissions log
- URL Filtering log

46. A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
- certificate authority (CA) certificate
- client certificate
- machine certificate
- server certificate

47. During SSL decryption, which three factors affect resource consumption? (Choose three)
- TLS protocol version
- transaction size
- key exchange algorithm
- applications that use non-standard ports
- certificate issuer

48. What are three types of Decryption Policy rules? (Choose three.)
- SSL Inbound Inspection
- SSH Proxy
- SSL Forward Proxy
- Decryption Broker
- Decryption Mirror

49. Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?
- performing a local firewall commit
- removing the firewall as a managed device in Panorama
- performing a factory reset of the firewall
- removing the Panorama serial number from the ZTP service

50. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
- the website matches a category that is not allowed for most users
- the website matches a high-risk category
- the web server requires mutual authentication
- the website matches a sensitive category