Title of test:
esncp new 2024

Description:
esncp test

Creation Date:
25/02/2024

Category:
Others

Number of questions: 227
Content:
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the firewall to Panorama? Panorama Settings Panorama Servers Security policy Rule with log at session start and log at session end Syslog server profile Panorama Settings Receive time out.
Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113? ethernet1/6 ethernet1/3 ethernet1/7 ethernet1/5.
The UDP-4501 protocol-port is used between which two GlobalProtect components? GlobalProtect app and GlobalProtect satellite GlobalProtect app and GlobalProtect portal GlobalProtect app and GlobalProtect gateway GlobalProtect portal and GlobalProtect gateway.
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated? 1 to 4 hours 6 to 12 hours 24 hours 36 hours.
Which statement is correct given the following message from the PanGPA.log on the GlobalProtect app? Failed to connect to server at port:4767 The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767 The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767 The PanGPS process failed to connect to the PanGPA process on port 4767 The PanGPA process failed to connect to the PanGPS process on port 4767.
A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.) Authentication Algorithm Minimum TLS version Maximum TLS version Certificate Encryption Algorithm.
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled: 1. End-users must not get the warning for the https://www.very-important-website.com/ website 2. End-users should get the warning for any other untrusted website Which approach meets the two customer requirements? Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root CA, select the Trusted Root CA check box, and commit the configuration.
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session? unknown-udp not-applicable insufficient-data incomplete.
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram? IP Netmask IP Range IP Address IP Wildcard Mask.
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama? Use the import option to pull logs. Use the scp logdb export command. Export the log database. Use the ACC to consolidate the logs.
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel? The User-ID agent is connected to a domain controller labeled lab-client. The host lab-client has been found by the User-ID agent. The host lab-client has been found by a domain controller. The User-ID agent is connected to the firewall labeled lab-client.
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application? Satellite mode Tunnel mode No Direct Access to local networks IPSec mode.
Which protocol is supported by GlobalProtect Clientless VPN? FTP HTTPS SSH RDP.
Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change? template variables the 'Shared' device group template stacks a device group.
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices? show routing protocol bgp rib-out show routing protocol bgp peer show routing protocol bgp summary show routing protocol bgp state.
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall? Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit.
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection? Use the Dynamic IP address type. Enable Passive Mode. Set up certificate authentication. Configure the peer address as an FQDN.
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.) Permitted IP Addresses SSH HTTPS User-ID HTTP.
Please Match The Term to their corresponding definitions Signature Matching Management Plane Network Processing Security Processing.
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake? Legacy Management Only Log Collector Panorama.
What is the best description of the Cluster Synchronization Timeout (min)? The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section? the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers network 192.168.28.32/27 with server type Microsoft.
An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up. If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI? show system state filter sw.dev.interface.conf show chassis status slot s1 show system state filter-pretty sys.s1.* show system state filter ethernet1/1.
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.) #set deviceconfig setting session tcp-reject-non-syn no Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass > set session tcp-reject-non-syn no.
Which Panorama feature protects logs against data loss if a Panorama server fails? Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this? Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall? The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration. The firewall rejects the pushed configuration, and the commit fails. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known? LDAP Server Profile configuration GlobalProtect Windows-based User-ID agent PAN-OS integrated User-ID agent.
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.) OSPF IGRP OSPFv3 virtual link BGP RIP.
Given the screenshot, how did the firewall handle the traffic? Traffic was allowed by policy but denied by profile as encrypted. Traffic was allowed by policy but denied by profile as a threat. Traffic was allowed by profile but denied by policy as a threat. Traffic was allowed by policy but denied by profile as a nonstandard port.
Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted. What is the result of traffic that matches the “Alert -Threats” Profile Match List? The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take? Configure the TAP interface for segment X on the firewall Configure a Layer 3 interface for segment X on the firewall. Configure vwire interfaces for segment X on the firewall. Configure a new vsys for segment X on the firewall.
An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider? Only Panorama can revert the override. The modification will not be visible in Panorama. Panorama will update the template with the overridden value. The firewall template will show that it is out of sync within Panorama.
An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider? Only Panorama can revert the override. Panorama will lose visibility into the overridden configuration Panorama will update the template with the overridden value. The firewall template will show that it is out of sync within Panorama.
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate? A Machine Certificate for the firewall signed by the organization’s PKI A web server certificate signed by the organization’s PKI A subordinate Certificate Authority certificate signed by the organization’s PKI A self-signed Certificate Authority certificate generated by the firewall.
What is the best definition of the Heartbeat Interval? the interval during which the firewall will remain active following a link monitor failure the frequency at which the HA peers exchange ping the interval in milliseconds between hello packets the frequency at which the HA peers check link or path availability.
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2. Which three platforms support PAN-OS 10.2? (Choose three.) PA-220 PA-800 Series PA-5000 Series PA-500 PA-3400 Series.
Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.) Check dependencies Schedules Verify Revert content Install.
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made? IKE Gateway profile IPSec Crypto profile IKE Crypto profile IPSec Tunnel settings.
Given the following snippet of a WildFire submission log, did the end user successfully download a file? Yes, because the final action is set to "allow." No, because the action for the wildfire-virus is "reset-both." No, because the URL generated an alert. Yes, because both the web-browsing application and the flash file have the "alert" action.
During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption? Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.
A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall? Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile. Remove the Zone Protection profile from the zone setting. Change the TCP port scan action from Block to Alert in the Zone Protection profile.
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet? Click the hyperlink for the ZeroAccess.Gen threat. Click the source user with the highest threat count. Click the left arrow beside the ZeroAccess.Gen threat. Click the hyperlink for the botnet Threat Category.
An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure? Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use? test vpn flow test vpn tunnel test vpn gateway test vpn ike-sa.
An engineer needs to collect User-ID mappings from the company’s existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.) Client probing XFF Headers Syslog Server Monitoring.
As a best practice, logging at session start should be used in which case? While troubleshooting Only on Deny rules Only when log at session end is enabled On all Allow rules.
What must be configured to apply tags automatically to User-ID logs? User mapping Log Forwarding profile Log settings Group mapping.
View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.) SMTP has a higher priority but lower bandwidth than Zoom. Facetime has a higher priority but lower bandwidth than Zoom. google-video has a higher priority and more bandwidth than WebEx. DNS has a higher priority and more bandwidth than SSH.
Review the screenshots and consider the following information: • FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG • There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups Which IP address will be pushed to the firewalls inside Address Object Server-1? Server-1 on FW-1 will have IP 2.2.2.2 Server-1 will not be pushed to FW-2 Server-1 on FW-1 will have IP 3.3.3.3 Server-1 will not be pushed to FW-2 Server-1 on FW-1 will have IP 1.1.1.1 Server-1 will not be pushed to FW-2 Server-1 on FW-1 will have IP 4.4.4.4 Server-1 on FW-2 will have IP 1.1.1.1.
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.) Short message service Push User logon One-Time Password SSH key.
The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install? GlobalProtect agent version Outdated plugins Management only mode Expired certificates.
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.) A Decryption policy to decrypt the traffic and see the tag A Deny policy with the “tag” App-ID to block the tagged traffic An Allow policy for the initial traffic A Deny policy for the tagged traffic.
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? (Choose two.) Enable decryption Exclude video traffic Create a Tunnel Inspection policy Block traffic that is not work-related.
An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow? From the Monitor tab, click Traffic view and review the information in the detailed log view From the Monitor tab, click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view. From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules. From the Monitor tab, click Session Browser and review the session details.
An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow? Click Traffic view and review the information in the detailed log view Click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view. Click App Scope > Network Monitor and filter the report for NAT rules. Click Session Browser and review the session details.
An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.) /plugins /license /opt /content /software.
An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.) URL Filtering profiles SSL/TLS profiles Address groups DNS Proxy.
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured the administrator noticed that OSPF routes were not being learned. Which two actions could an administrator take to troubleshoot this issue? (Choose two.) Run the CLI command show advanced-routing ospf neighbor In the WebUI, view the Runtime Stats in the virtual router Look for configuration problems in Network > virtual router > OSPF In the WebUI, view Runtime Stats in the logical router.
In an HA failover scenario what happens with sessions decrypted by a SSL Forward Proxy Decryption policy? The existing session is transferred to the active firewall. The firewall drops the session. The session is sent to fastpath. The firewall allows the session but does not decrypt the session.
An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing as down. What could an administrator do to troubleshoot the issue? Go to Device > High Availability > General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup Go to Device > High Availability > HA Communications > General > and check the Heartbeat Backup under Election Settings Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings.
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.) TCP Drop ICMP Drop SYN Random Early Drop TCP Port Scan Block.
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+? The priority assigned to the Authentication profile defines the order of the sequence. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.
Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not? No, because this is an example from a defeated phishing attack. Yes, because the action is set to “allow” No, because the severity is “high” and the verdict “malicious” Yes, because the action is set to “alert”.
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls. What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict? Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN. On one pair of firewalls, run the CLI command: set network interface vlan arp. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet. Configure a floating IP between the firewall pairs.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall? Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.
Which log type would provide information about traffic blocked by a Zone Protection profile? Data Filtering IP-Tag Threat Traffic.
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information? The profile rule action CVE column The profile rule threat name Exceptions tab.
A network security administrator has been tasked with deploying User-ID in their organization. What are three valid methods of collecting User-ID information in a network? (Choose three.) Global Protect External dynamic list Windows User-ID agent XML API Dynamic user groups.
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below. What should the NAT rule destination zone be set to? None Inside DMZ Outside.
Which source is the most reliable for collecting User-ID user mapping? Microsoft Active Directory Microsoft Exchange GlobalProtect Syslog Listener.
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured? Monitor > Logs > System Objects > Log Forwarding Device > Log Settings Panorama > Managed Devices.
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall? Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow? SSL forward proxy Explicit proxy Transparent proxy DNS proxy.
Which three types of interfaces support SSL Forward Proxy? (Choose three.) High availability (HA) Layer 3 Layer 2 Tap Virtual Wire.
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below. Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer? Heartbeat Interval Promotion Hold Time Additional Master Hold Up Time Monitor Fail Hold Up Time.
Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.) video streaming application Client Application Process Destination Domain Source Domain Destination user/group URL Category.
An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.) Inherit all Security policy rules and objects Inherit settings from the Shared group Inherit IPSec crypto profiles Inherit parent Security policy rules and objects.
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations? Ensure Force Template Values is checked when pushing configuration. Push the Template first, then push Device Group to the newly managed firewall. Push the Device Group first, then push Template to the newly managed firewall. Perform the Export or push Device Config Bundle to the newly managed firewall.
An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated? Configuration Data Filtering Traffic Threat.
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.) No client configuration is required for explicit proxy, which simplifies the deployment complexity. Explicit proxy supports interception of traffic using non-standard HTTPS ports. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make. How does the firewall identify the New App-ID characteristic? It matches to the New App-IDs downloaded in the last 90 days. It matches to the New App-IDs in the most recently installed content releases. It matches to the New App-IDs downloaded in the last 30 days. It matches to the New App-IDs installed since the last time the firewall was rebooted.
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.15.1. In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall? NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: Static IP / 172.16.15.1 Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 172.16.15.10 - Application: ssh NAT Rule: Source Zone: Trust - Source IP: 192.168.15.0/24 - Destination Zone: Trust - Destination IP: 192.168.15.1 - Destination Translation: Static IP / 172.16.15.10 Security Rule: Source Zone: Trust - Source IP: 192.168.15.0/24 - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 192.168.15.1 - Destination Translation: Static IP /172.16.15.10 Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: dynamic-ip-and-port / ethernet1/4 Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh.
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.) Service Route Configuration Dynamic Address Groups NTP Server Address Antivirus Profile Authentication Profile.
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules? A service route to the LDAP server A User-ID agent on the LDAP server A Master Device Authentication Portal.
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods? Vulnerability Protection profile DoS Protection profile Data Filtering profile URL Filtering profile.
An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure? To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. The WildFire Global Cloud only provides bare metal analysis.
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama? The passive firewall, which then synchronizes to the active firewall The active firewall, which then synchronizes to the passive firewall Both the active and passive firewalls, which then synchronize with each other Both the active and passive firewalls independently, with no synchronization afterward.
Refer to the exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms? Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW. Configure log compression and optimization features on all remote firewalls. Any configuration on an M-500 would address the insufficient bandwidth concerns.
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama? Load configuration version Save candidate config Export device state Load named configuration snapshot.
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.) Rule Usage Hit counter will not be reset. Highlight Unused Rules will highlight all rules. Highlight Unused Rules will highlight zero rules. Rule Usage Hit counter will reset.
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment. Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.) Kerberos or SAML authentication need to be configured. RADIUS is only supported for a transparent Web Proxy. RADIUS is not supported for explicit or transparent Web Proxy. LDAP or TACACS+ authentication need to be configured.
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify? IKE Crypto Profile Security policy Proxy-IDs PAN-OS versions.
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare? Applications configured in the rule with their dependencies The security rule with any other security rule selected Applications configured in the rule with applications seen from traffic matching the same rule The running configuration with the candidate configuration of the firewall.
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy? Deny Allow Discard Next VR.
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.) Number of security zones in decryption policies Encryption algorithm TLS protocol version Number of blocked sessions.
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.) LDAP Log Ingestion HTTP Log Forwarding.
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation? Browser-supported cipher documentation Cipher documentation supported by the endpoint operating system URL risk-based category distinctions Legal compliance regulations and acceptable usage policies.
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link? ASBR OSPFv3 ECMP OSPF.
A network administrator wants to deploy SSL Inbound Inspection. What two attributes should the required certificate have? (Choose two.) a client certificate a private key a server certificate a subject alternative name.
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data? Resources Widget on the Dashboard Monitor > Utilization Support > Resource Application Command and Control Center.
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.) Successful GlobalProtect Deployed Activity GlobalProtect Deployment Activity Successful GlobalProtect Connection Activity GlobalProtect Quarantine Activity.
Which link is responsible for synchronizing sessions between high availability (HA) peers? HA1 HA2 HA3 HA4.
What are three prerequisites for credential phishing prevention to function? (Choose three.) Enable Device-ID in the zone Select the action for Site Access for each category In the URL filtering profile, use the drop down list to enable user credential detection Add the URL filtering profile to one or more Security policy rules Set phishing category to block in the URL Filtering profile.
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be installed on client devices to ensure there are no client browser warnings when decrypting approved web traffic? An enterprise Root CA certificate The same certificate as the Forward-Trust certificate The same certificate as Forward Untrust certificate A public Root CA certificate.
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement? Reload the running configuration and perform a Firewall local commit. Perform a commit force from the CLI of the firewall. Perform a template commit push from Panorama using the “Force Template Values” option. Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option.
In a template, which two objects can be configured? (Choose two.) Monitor profile IPsec tunnel SD-WAN path quality profile Application group.
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy? Clone the security policy and add it to the other device groups. Add the policy to the target device group and apply a master device to the device group. Reference the targeted device’s templates in the target device group. Add the policy in the shared device group as a pre-rule.
Which DoS protection mechanism detects and prevents session exhaustion attacks against specific destinations? Packet Based Attack Protection Flood Protection Resource Protection TCP Port Scan Protection.
Which operation will impact the performance of the management plane? DoS protection WildFire submissions generating a SaaS Application report decrypting SSL sessions.
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue? Add a firewall to both the device group and the template Add the template as a reference template in the device group Enable "Share Unused Address and Service Objects with Devices" in Panorama settings Specify the target device as the master device in the device group.
A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times? Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings. Perform a device group push using the “merge with device candidate config” option. Update the apps and threat version using device-deployment. Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config.
An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message? Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure. Check whether the VPN peer on one end is set up correctly using policy-based VPN. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.
An engineer is configuring a firewall with three interfaces: • MGT connects to a switch with internet access. • Ethernet1/1 connects to an edge router. • Ethernet1/2 connects to a virtualization network. The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic? Set DNS and Palo Alto Networks Services to use the MGT source interface. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface Set DDNS and Palo Alto Networks Services to use the MGT source interface.
A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.) Decryption HTTP Server SSL/TLS Service Interface Management.
A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies? Add SSL application to the same rule. SSL and web-browsing must both be explicitly allowed. Add SSL and web-browsing applications to the same rule. Add web-browsing application to the same rule.
An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned? 1 2 3 4.
Where can a service route be configured for a specific destination IP? Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4 Use Device > Setup > Services > Services Use Device > Setup > Services > Service Route Configuration > Customize > IPv4 Use Device > Setup > Services > Service Route Configuration > Customize > Destination.
Which three items must be configured to implement application override? (Choose three.) Application override policy rule Custom app Decryption policy rule Security policy rule Application filter.
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.) upload-only install and reboot upload and install upload and install and reboot verify and install.
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue? Disable ALG under H.323 application Increase the TCP timeout under H.323 application Increase the TCP timeout under SIP application Disable ALG under SIP application.
Which new PAN-OS 11.0 feature supports IPv6 traffic? OSPF IKEv1 DHCP Server DHCPv6 Client with Prefix Delegation.
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the local firewall? (Choose three.) Kerberos TACACS+ SAML RADIUS LDAP.
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users? Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected? Change destination NAT zone to Trust_L3. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address. Change Source NAT zone to Untrust_L3. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.
A traffic log might list an application as "not-applicable" for which two reasons? (Choose two.) The firewall did not install the session The firewall dropped a TCP SYN packet The TCP connection terminated without identifying any application data There was not enough application data after the TCP connection was established.
When you configure an active/active high availability pair, which two links can you use? (Choose two.) HA3 Console Backup HSCI-C HA2 backup.
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.) Change the firewall management IP address Add administrator accounts Configure a device block list Enable operational modes such as normal mode, multi-vsys mode, or FIPS CC mode Rename a vsys on a multi-vsys firewall.
Which three authentication types can be used to authenticate users? (Choose three.) Local database authentication PingID Kerberos single sign-on GlobalProtect client Cloud authentication service.
Which three statements correctly describe Session 380280? (Choose three.) The application was initially identified as "ssl." The session has ended with the end-reason "unknown." The session did not go through SSL decryption processing. The application shifted to "web-browsing." The session went through SSL decryption processing.
If a URL is in multiple custom URL categories with different actions, which action will take priority? Block Allow Alert Override.
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations. The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes. The engineer reviews the following CLI output for ethernet1/1. Which setting should be modified on ethernet1/1 to remedy this problem? Change the subnet mask from /23 to /24. Lower the interface MTU value below 1500. Adjust the TCP maximum segment size (MSS) value. Enable the Ignore IPv4 Don't Fragment (DF) setting.
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate? A self-signed certificate generated on the firewall A web server certificate signed by the organization’s PKI A web server certificate signed by an external Certificate Authority A subordinate Certificate Authority certificate signed by the organization’s PKI.
An administrator has been tasked with deploying SSL Forward Proxy. Which two types of certificates are used to decrypt the traffic? (Choose two.) Device certificate Subordinate CA from the administrator’s own PKI infrastructure Self-signed root CA External CA certificate.
An administrator has been tasked with configuring decryption policies. Which decryption best practice should they consider? Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. Decrypt all traffic that traverses the firewall so that it can be scanned for threats. Place firewalls where administrators can opt to bypass the firewall when needed. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.
A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs? Select the check box "Log Zone Protection events" in the Content-ID settings of the firewall. Select the check box "Log packet-based attack events" in the Zone Protection profile. Access the CLI in each firewall and enter the command set system setting additional-threat-log on No action is needed. Zone Protection events appear in the threat logs by default.
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them? Stream ID in the IP Option Drop options Record Route in IP Option Drop options Ethernet SGT Protection TCP Fast Open in the Strip TCP options.
An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted? A Decryption profile must be attached to the Decryption policy that the traffic matches. There must be a certificate with both the Forward Trust option and Forward Untrust option selected. A Decryption profile must be attached to the Security policy that the traffic matches. There must be a certificate with only the Forward Trust option selected.
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition? Tunnel inspection NAT QoS DOS protection.
Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group? shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall DATACENTER_DG post-rules - shared post-rules shared default rules shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules - DATACENTER_DG default rules shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules - shared default rules shared pre-rules DATACENTER_DG pre-rules - rules configured locally on the firewall DATACENTER_DG post-rules - shared post-rules DATACENTER_DG default rules .
An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path? Initial Passive Active-secondary Tentative.
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this? Certificate profile SSL/TLS Service profile SSH Service profile Decryption profile.
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel? Replay Protection Zone Protection Tunnel Monitor Passive Mode.
An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram. Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management? Values in Global Settings Values in Datacenter Values in efw01ab.chi Values in Chicago.
An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel? Proxy IDs ToS Header GRE Encapsulation Tunnel Monitor.
A company wants to implement threat prevention to take action without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.) Virtual Wire Layer 2 Layer 3 TAP.
An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration? Destination-Based Service Route Inherit Global Setting IPv6 Source or Destination Address IPv4 Source Interface.
An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity. The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet. Which profile is the engineer configuring? Packet Buffer Protection Zone Protection Vulnerability Protection DoS Protection.
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote? Create an Application Override using TCP ports 443 and 80. Add the HTTP, SSL, and Evernote applications to the same Security policy. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL. Add only the Evernote application to the Security policy rule.
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.) One-time password User certificate SMS Voice Fingerprint.
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.) QoS on the egress interface for the traffic flows QoS on the ingress interface for the traffic flows A QoS profile defining traffic classes A QoS policy for each application ID An Application Override policy for the SSL traffic.
An engineer is troubleshooting a traffic-routing issue. What is the correct packet-flow sequence? PBF > Static route > Security policy enforcement BGP < PBF > NAT PBF > Zone Protection Profiles > Packet Buffer Protection NAT > Security policy enforcement > OSPF.
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA? Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy. Configure a Captive Portal authentication policy that uses an authentication sequence. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged. Given the information, what is the best choice for deploying User-ID to ensure maximum coverage? agentless User-ID with redistribution Syslog listener captive portal standalone User-ID agent.
Why would a traffic log list an application as "not-applicable"? There was not enough application data after the TCP connection was established. The TCP connection terminated without identifying any application data. The firewall denied the traffic before the application match could be performed. The application is not a known Palo Alto Networks App-ID.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic? Disable HA. Disable the HA2 link. Set the passive link state to "shutdown." Disable config sync.
Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings? The forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate has not been installed in client systems. The forward untrust certificate has not been signed by the self-signed root CA certificate. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event. Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational? Hello Interval Monitor Fail Hold Up Time Heartbeat Interval Promotion Hold Time.
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed? Create a Security policy to allow access to those sites Install the unsupported cipher into the firewall to allow the sites to be decrypted Add the sites to the SSL Decryption Exclusion list to exempt them from decryption Allow the firewall to block the sites to improve the security posture.
If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule? Post-NAT destination address Pre-NAT destination address Pre-NAT source address Post-NAT source address.
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.) Log Forwarding profile SSL decryption exclusion Email scheduler Login banner Dynamic updates.
Where can the engineer view what time the interface went down? Monitor > Logs > Traffic Device > High Availability > Active/Passive Settings Monitor > Logs > System Dashboard > Widgets > High Availability.
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.) ECDHE ECDSA RSA DHE.
An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.) Override the DNS server on the template stack. Configure the DNS server locally on the firewall. Change the DNS server on the global template. Configure a service route for DNS on a different interface.
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to `any`. There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to `all`. Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure? Active Passive Active-Secondary Non-functional.
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can the engineer use to generate Enhanced Application logs (EALs) for classifying Internet of Things (IoT) devices while receiving broadcast DHCP traffic? Layer 3 Layer 2 Tap Virtual wire.
An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is currently processing traffic? Initial Passive Active-primary Active.
Which statement about High Availability timer settings is true? Use the Moderate timer for typical failover timer settings. Use the Critical timer for faster failover timer settings. Use the Aggressive timer for faster failover timer settings. Use the Recommended timer for faster failover timer settings.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted? Authentication Portal SSL Decryption profile SSL decryption policy comfort pages.
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure SSL/TLS connection? link state profiles stateful firewall connection certificates.
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10. What should the engineer do to complete the configuration? Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.
Given the following configuration, which route is used for destination 10.10.0.4?
set network virtual-router 2 routing-table ip static-route "Route 1" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 1" metric 30
set network virtual-router 2 routing-table ip static-route "Route 1" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 1" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 2" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 2" metric 20
set network virtual-router 2 routing-table ip static-route "Route 2" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 2" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 3" nexthop ip-address 10.10.20.1
set network virtual-router 2 routing-table ip static-route "Route 3" metric 5
set network virtual-router 2 routing-table ip static-route "Route 3" destination 0.0.0.0/0
set network virtual-router 2 routing-table ip static-route "Route 3" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 4" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 4" metric 10
set network virtual-router 2 routing-table ip static-route "Route 4" destination 10.10.1.0/25
set network virtual-router 2 routing-table ip static-route "Route 4" route-table unicast
Route 1 Route 3 Route 2 Route 4.
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)? Phase 2 SAs are synchronized over HA2 links. Phase 1 and Phase 2 SAs are synchronized over HA2 links. Phase 1 SAs are synchronized over HA1 links. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project? Create a Dynamic Admin with the Panorama Administrator role. Create a Dynamic Read only superuser. Create a Device Group and Template Admin. Create a Custom Panorama Admin.
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.) Critical High Medium Informational Low.
Which three statements accurately describe Decryption Mirror? (Choose three.) Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment. Decryption Mirror requires a tap interface on the firewall. Only management consent is required to use the Decryption Mirror feature. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to? It applies to existing sessions and is not global It applies to existing sessions and is global It applies to new sessions and is global It applies to new sessions and is not global.
Which CLI command displays the physical media that are connected to ethernet1/8? > show system state filter-pretty sys.s1.p8.stats > show system state filter-pretty sys.s1.p8.med > show interface ethernet1/8 > show system state filter-pretty sys.s1.p8.phy.
Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems? To allow traffic between zones in different virtual systems while the traffic is leaving the appliance Multiple external zones are required in each virtual system to allow the communications between virtual systems External zones are required because the same external zone can be used on different virtual systems To allow traffic between zones in different virtual systems without the traffic leaving the appliance.
An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID? Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory.
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services? Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server Novell eDirectory, Microsoft Terminal Server, and Microsoft Exchange Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory.
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts? in Threat General Settings, select "Report Grayware Files" within the log settings option in the Device tab in WildFire General Settings, select "Report Grayware Files" within the log forwarding profile attached to the Security policy rule.
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.) Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours. Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy. Create a Security policy rule with an application filter to always allow certain categories of new App-IDs. Select the action "download-only" when configuring an Applications and Threats update schedule.
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task? Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall, and check the log rates during the peak time Navigate to Panorama > Managed Collectors, and open the Statistic window for each Log collector during the peak time Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.
What can the Log Forwarding built-in action with tagging be used to accomplish? Forward selected logs to the Azure Security Center. Block the destination zones of selected unwanted traffic. Block the source zones of selected unwanted traffic. Block the destination IP addresses of selected unwanted traffic.
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what - if any - action was taken by the active firewall when the link failed? No action was taken because interface ethernet1/1 did not fail. The active firewall failed over to the passive HA member due to an AE1 Link Group failure. No action was taken because Path Monitoring is disabled. The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring "Failure Condition".
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port? HA1 HA2 HA3 HA4.
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.) Financial, health, and government traffic categories Less-trusted internal IP subnets Known malicious IP space High-risk traffic categories Public-facing servers.
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access. What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x? Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP-assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP assigned to the outside interface of the firewall. However, the use of dynamic peering is not working. Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.) Enable NAT Traversal on Site B firewall Configure Local Identification on Site B firewall Match IKE version on both firewalls Disable passive-mode on Site A Firewall.
An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority? Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules Create the appropriate rules with a Block action and apply them at the top of the Default Rules.
A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use? show session all filter nat-rule source show running nat-rule-ippool rule "rule_name" show session all filter nat source show running nat-policy.
A firewall engineer has identified a problem with an application developed by the company's internal team, where sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. Which solution will take the least time to implement and will ensure the APP-ID engine is used to identify the application? Create a custom application with specific timeouts then create an Application Override rule and reference the custom application Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures Browse to Palo Alto Networks website and complete the online form to request a new application to be added to APP-ID Browse to Palo Alto Networks website and raise a support request through Customer Support Portal.
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus? By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)" By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)" By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)" By navigating to Monitor > Logs > Wildfire Submissions, applying filter "(subtype eq wildfire-virus)".
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed. How should email log forwarding be configured to achieve this goal? With the relevant configuration log filter inside Objects > Log Forwarding With the relevant system log filter inside Objects > Log Forwarding With the relevant configuration log filter inside Device > Log Settings With the relevant system log filter inside Device > Log Settings.
A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet. Which combination of pre-NAT and / or post-NAT information should be used in the QoS rule? pre-NAT source IP Address pre-NAT source zone pre-NAT source IP Address post-NAT source zone post-NAT source IP Address pre-NAT source zone post-NAT source IP Address post-NAT source zone.
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication. What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings? Deploy a PAN-OS integrated User-ID agent on each vsys Deploy the GlobalProtect vsys as a User-ID data hub Deploy a M-200 as a User-ID collector Deploy Windows User-ID agents on each domain controller.
The server team is concerned about the high volume of logs forwarded to their syslog server. It is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS Traffic logs can be excluded from syslog forwarding. How should Syslog log forwarding be configured? With "(app neq dns-base)" Traffic log filter inside Objects > Log Forwarding With "(app neq dns-base)" Traffic log filter inside Device > Log Settings With "(port dns neq 53)" Traffic log filter inside Objects > Log Forwarding With "(port dns neq 53)" Traffic log filter inside Device > Log Settings.
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profile. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall. What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.) HIP profiles are configured but not added to security rules in the data center firewall Log Forwarding Profile is configured but not added to security rules in data center firewall HIP Match log forwarding is not configured under Log Settings in device tab. User ID is not enabled in the Zone where the users are coming from in the data center firewall.
Which log type is supported in Log Forwarding profile? Configuration GlobalProtect User-ID Tunnel.
A network administrator notices there is a false-positive situation after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays: threat type: spyware category: dns-c2 threat ID: 1000011111 Which set of steps should the administrator take to configure an exception for this signature? Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile Select the Exceptions tab and then click show all signatures Search related threat ID and click enable Commit Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit.
An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level? PDF Export under Panorama > templates Variable CSV export under Panorama > templates Managed Devices > Device Association Manage variables under Panorama > templates.
Which interface should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall? VLAN Loopback Ethernet Tunnel.
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.) Configure the decryption profile. Configure SSL decryption rules. Define a Forward Trust Certificate. Configure a SSL / TLS service profile.
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed? Panorama M600 Log Collectors Cortex Data Lake On Palo Alto Networks Update Servers.
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate? show system setting ssl-decrypt certs show system setting ssl-decrypt certificate debug dataplane show ssl-decrypt ssl-stats show system setting ssl-decrypt certificate-cache.
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes? review the configuration logs on the Monitor tab use Test Policy Match to review the policies in Panorama context-switch to the affected firewall and use the configuration audit tool click Preview Changes under Push Scope.
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks. The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate. What else should the administrator do to stop packet buffers from being overflowed? Apply DOS profile to security rules that allow traffic from outside. Enable packet buffer protection for the affected zones. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside. Add a Zone Protection profile to the affected zones.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.) virtual systems template stacks variables collector groups.
Which rule type controls end user SSL traffic to external websites? SSL Outbound Proxyless Inspection SSL Forward Proxy SSL Inbound Inspection SSH Proxy.
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain? a Security policy with 'known-user' selected in the Source User field a Security policy with 'unknown' selected in the Source User field an Authentication policy with 'known-user' selected in the Source User field an Authentication policy with 'unknown' selected in the Source User field.
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules. How can this be achieved? by configuring User-ID group mapping in Panorama > User Identification by configuring Master Device in Panorama > Device Groups by configuring User-ID source device in Panorama > Managed Devices by configuring Data Redistribution Client in Panorama > Data Redistribution.
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings. A master device with Group Mapping configured must be set in the device group where the Security rules are configured. A User-ID Certificate profile must be configured on Panorama.
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL? Custom URL category in URL Filtering profile PAN-DB URL category in URL Filtering profile EDL in URL Filtering profile Custom URL category in Security policy rule.
When using certificate authentication for firewall administration, which method is used for authorization? LDAP Radius Local Kerberos.
An engineer has been given approval to upgrade their environment to PAN-OS 10.2. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2? Upgrade the firewalls, upgrade log collectors, upgrade Panorama Upgrade the firewalls, upgrade Panorama, upgrade the log collectors Upgrade the log collectors, upgrade the firewalls, upgrade Panorama Upgrade Panorama, upgrade the log collectors, upgrade the firewalls.
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this? Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall? Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority. Use the highest TLS protocol version to maximize security Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority. Use SSL Forward Proxy instead of SSL inbound inspection for decryption.
A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns? (Choose two.) data filtering log Traffic logs Wireshark Policy Optimizer.
A firewall administrator has confirmed reports that a website is not displaying as expected and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.) Move the policy with action decrypt to the top of the decryption policy rulebase Disable SSL handshake logging Investigate decryption logs of the specific traffic to determine reasons for failure Create policy-based "No Decrypt" rule in the decryption policy to exclude specific traffic from decryption. Temporarily disable SSL Decryption for all websites to troubleshoot the issue.
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log? Built-in Action within Objects > Log Forwarding Profile Data Patterns within Objects > Custom Objects Logging and Reporting Settings within Device > Setup > Management Custom Log Format within Device > Server Profiles > Syslog.
What happens when the log forwarding built-in action with tagging is used? Destination zones of selected unwanted traffic are blocked. Selected unwanted traffic source zones are blocked Destination IP addresses of selected unwanted traffic are blocked Selected logs are forwarded to Azure Security Center.
A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement? Use Panorama IPS Signature Converter to create custom vulnerability signatures and push them to the firewalls Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls. Create custom vulnerability signatures manually in Panorama, and push them to the firewalls.
Firewall engineer needs to update a company Panorama-managed firewall to the latest version of PAN-OS. Strict security requirements are blocking Internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network. Which path should the engineer follow to deploy the PAN-OS images to the firewalls? Upload the image to Panorama > Dynamic Updates menu, and deploy Upload the image to Panorama > Software menu and deploy it to the firewalls Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.
Which two items must be configured when implementing application ooverride and allowing traffic through the firewall? (Choose two) Application filter Custom app Application override policy or rule Security policy rule.
A firewall engineer creates or source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the Internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the Internet, and therefore should not be translated with the NAT rule. Which set of steps should the engineer take to accomplish this objective? 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23 2. Check the box for negate option to negate this IP subnet from NAT translation 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with source IP address in original packet set to 10.0.0.10/32 and soirce translation set to none 3. Place (NAT-Rule-1) above (NAT-Rule-2) 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/23 2. Check the box for negate option to negate this IP subnet from NAT translation 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with source IP address in original packet set to 10.0.0.10/32 and source translation set to none 3. Place (NAT-Rule-2) above (NAT-Rule-1).
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.) A QoS policy for each application An Application Override policy for the SIP traffic A QoS profile defining traffic classes QoS on the ingress interface for the traffic flows QoS on the egress interface for the traffic flows.