Summer Goodies - 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: av5rz84q

Exact2Pass Menu

Question # 4

Which statement is true regarding a Best Practice Assessment?

A.

The BPA tool can be run only on firewalls

B.

It provides a percentage of adoption for each assessment data

C.

The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities

D.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

Full Access
Question # 5

Which administrator type utilizes predefined roles for a local administrator account?

A.

Superuser

B.

Role-based

C.

Dynamic

D.

Device administrator

Full Access
Question # 6

Match the cyber-attack lifecycle stage to its correct description.

Full Access
Question # 7

How is the hit count reset on a rule?

A.

select a security policy rule, right click Hit Count > Reset

B.

with a dataplane reboot

C.

Device > Setup > Logging and Reporting Settings > Reset Hit Count

D.

in the CLI, type command reset hitcount

Full Access
Question # 8

Which type security policy rule would match traffic flowing between the inside zone and outside zone within the inside zone and within the outside zone?

A.

global

B.

universal

C.

intrazone

D.

interzone

Full Access
Question # 9

Place the steps in the correct packet-processing order of operations.

Full Access
Question # 10

Match the Palo Alto Networks Security Operating Platform architecture to its description.

Full Access
Question # 11

Match each feature to the DoS Protection Policy or the DoS Protection Profile.

Full Access
Question # 12

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

A.

Untrust (any) to DMZ (10.1.1.100), web browsing -Allow

B.

Untrust (any) to Untrust (1.1.1.100), web browsing - Allow

C.

Untrust (any) to Untrust (10.1.1.100), web browsing -Allow

D.

Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

Full Access
Question # 13

Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

A.

It functions like PAN-DB and requires activation through the app portal.

B.

It removes the 100K limit for DNS entries for the downloaded DNS updates.

C.

IT eliminates the need for dynamic DNS updates.

D.

IT is automatically enabled and configured.

Full Access
Question # 14

Based on the security policy rules shown, ssh will be allowed on which port?

A.

80

B.

53

C.

22

D.

23

Full Access
Question # 15

Which path is used to save and load a configuration with a Palo Alto Networks firewall?

A.

Device>Setup>Services

B.

Device>Setup>Management

C.

Device>Setup>Operations

D.

Device>Setup>Interfaces

Full Access
Question # 16

Which administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.

Which security profile components will detect and prevent this threat after the firewall`s signature database has been updated?

A.

antivirus profile applied to outbound security policies

B.

data filtering profile applied to inbound security policies

C.

data filtering profile applied to outbound security policies

D.

vulnerability profile applied to inbound security policies

Full Access
Question # 17

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

A.

SAML

B.

TACACS+

C.

LDAP

D.

Kerberos

Full Access
Question # 18

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1 What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

A.

Add zones attached to interfaces to the virtual router

B.

Add interfaces to the virtual router

C.

Enable the redistribution profile to redistribute connected routes

D.

Add a static routes to route between the two interfaces

Full Access
Question # 19

You receive notification about new malware that is being used to attack hosts The malware exploits a software bug in a common application

Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

A.

Data Filtering Profile applied to outbound Security policy rules

B.

Antivirus Profile applied to outbound Security policy rules

C.

Data Filtering Profile applied to inbound Security policy rules

D.

Vulnerability Profile applied to inbound Security policy rules

Full Access
Question # 20

What is an advantage for using application tags?

A.

They are helpful during the creation of new zones

B.

They help with the design of IP address allocations in DHCP.

C.

They help content updates automate policy updates

D.

They help with the creation of interfaces

Full Access
Question # 21

A Security Profile can block or allow traffic at which point?

A.

after it is matched to a Security policy rule that allows traffic

B.

on either the data plane or the management plane

C.

after it is matched to a Security policy rule that allows or blocks traffic

D.

before it is matched to a Security policy rule

Full Access
Question # 22

An administrator wants to prevent users from submitting corporate credentials in a phishing attack.

Which Security profile should be applied?

A.

antivirus

B.

anti-spyware

C.

URL filtering

D.

vulnerability protection

Full Access
Question # 23

In a security policy what is the quickest way to rest all policy rule hit counters to zero?

A.

Use the CLI enter the command reset rules all

B.

Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.

C.

use the Reset Rule Hit Counter > All Rules option.

D.

Reboot the firewall.

Full Access
Question # 24

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

A.

block

B.

sinkhole

C.

alert

D.

allow

Full Access
Question # 25

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

A.

Review Policies

B.

Review Apps

C.

Pre-analyze

D.

Review App Matches

Full Access
Question # 26

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.

What is the correct process to enable this logging1?

A.

Select the interzone-default rule and edit the rule on the Actions tab select Log at Session Start and click OK

B.

Select the interzone-default rule and edit the rule on the Actions tab select Log at Session End and click OK

C.

This rule has traffic logging enabled by default no further action is required

D.

Select the interzone-default rule and click Override on the Actions tab select Log at Session End and click OK

Full Access
Question # 27

Which data-plane processor layer of the graphic shown provides uniform matching for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

A.

Signature Matching

B.

Network Processing

C.

Security Processing

D.

Security Matching

Full Access
Question # 28

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?

A.

Palo Alto Networks Bulletproof IP Addresses

B.

Palo Alto Networks C&C IP Addresses

C.

Palo Alto Networks Known Malicious IP Addresses

D.

Palo Alto Networks High-Risk IP Addresses

Full Access
Question # 29

Which path in PAN-OS 10.0 displays the list of port-based security policy rules?

A.

Policies> Security> Rule Usage> No App Specified

B.

Policies> Security> Rule Usage> Port only specified

C.

Policies> Security> Rule Usage> Port-based Rules

D.

Policies> Security> Rule Usage> Unused Apps

Full Access
Question # 30

Which objects would be useful for combining several services that are often defined together?

A.

shared service objects

B.

service groups

C.

application groups

D.

application filters

Full Access
Question # 31

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

A.

Translation Type

B.

Interface

C.

Address Type

D.

IP Address

Full Access
Question # 32

Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s source and destination IP address?

A.

DoS protection

B.

URL filtering

C.

packet buffering

D.

anti-spyware

Full Access