
Question # 4

A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the following options and licenses were selected and enabled:

The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users.

Which two settings must the customer configure? (Choose two)

A.

Configure a Log Forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group

B.

Configure Cortex Data Lake log forwarding and add the Splunk syslog server

C.

Configure a Log Forwarding profile, select the syslog checkbox and add the Splunk syslog server. Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group

D.

Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server

Question # 5

Which Panorama objects restrict administrative access to specific device-groups?

A.

templates

B.

admin roles

C.

access domains

D.

authentication profiles

Question # 6

Place the steps in the WildFire process workflow in their correct order.

Question # 7

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

A.

It applies to existing sessions and is not global

B.

It applies to new sessions and is global

C.

It applies to new sessions and is not global

D.

It applies to existing sessions and is global

Question # 8

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

A.

Add the policy in the shared device group as a pre-rule

B.

Reference the targeted device's templates in the target device group

C.

Add the policy to the target device group and apply a master device to the device group

D.

Clone the security policy and add it to the other device groups

Question # 9

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

A.

Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs

B.

Configure a security policy rule to allow new App-IDs that might have network-wide impact

C.

Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs

D.

Study the release notes and install new App-IDs if they are determined to have low impact

Question # 10

Match each SD-WAN configuration element to the description of that element.

Question # 11

How can packet buffer protection be configured?

A.

at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level

B.

at the device level (globally) and, if enabled globally, at the zone level

C.

at the interface level to protect firewall resources

D.

at zone level to protect firewall resources and ingress zones but not at the device level

Question # 12

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version.

What is considered best practice for this scenario?

A.

Perform the Panorama and firewall upgrades simultaneously

B.

Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version

C.

Upgrade Panorama to a version at or above the target firewall version

D.

Export the device state, perform the update, and then import the device state

Question # 13

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can help this organization?

A.

Config Audit

B.

Policy Optimizer

C.

Application Groups

D.

Test Policy Match

Question # 14

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

A.

not-applicable

B.

incomplete

C.

unknown-ip

D.

unknown-udp

Question # 15

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

A.

incomplete

B.

unknown-tcp

C.

insufficient-data

D.

unknown-udp

Question # 16

Which statement regarding HA timer settings is true?

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Question # 17

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription.

How does adding the WildFire subscription improve the security posture of the organization?

A.

Protection against unknown malware can be provided in near real-time

B.

WildFire and Threat Prevention combine to provide the utmost security posture for the firewall

C.

After 24 hours WildFire signatures are included in the antivirus update

D.

WildFire and Threat Prevention combine to minimize the attack surface

Question # 18

Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

A.

show session all ssl-decrypt yes count yes

B.

show session filter ssl-decryption yes total-count yes

C.

show session all filter ssl-decrypt yes count yes

D.

show session all filter ssl-decryption yes total-count yes

Question # 19

Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?

A.

Configuration

B.

GlobalProtect

C.

Authentication

D.

System

Question # 20

An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

A.

Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

B.

Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only

C.

Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)

D.

Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Question # 21

Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).

A.

Zone Protection Profiles protect ingress zones

B.

Zone Protection Profiles protect egress zones

C.

DoS Protection Profiles are packet-based, not signature-based

D.

DoS Protection Profiles are linked to Security policy rules

Question # 22

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

A.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured

B.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

D.

A User-ID Certificate profile must be configured on Panorama

Question # 23

In the screenshot above, which two pieces of information can be determined from the ACC configuration shown? (Choose two.)

A.

The Network Activity tab will display all applications, including FTP.

B.

Threats with a severity of "high" are always listed at the top of the Threat Name list

C.

Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type

D.

The ACC has been filtered to only show the FTP application

Question # 24

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

A.

Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"

B.

Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration

C.

Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration

D.

Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"

Question # 25

Which option describes the operation of the automatic commit recovery feature?

A.

It enables a firewall to revert to the previous configuration if rule shadowing is detected

B.

It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

C.

It enables a firewall to revert to the previous configuration if application dependency errors are found

D.

It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure

Question # 26

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

A.

Enable and configure the Packet Buffer protection thresholds. Enable Packet Buffer Protection per ingress zone.

B.

Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.

C.

Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.

D.

Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.

E.

Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

Question # 27

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.

Which Security Profile type will prevent this attack?

A.

Vulnerability Protection

B.

Anti-Spyware

C.

URL Filtering

D.

Antivirus

Question # 28

An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.

Which option would achieve this result?

A.

Create a custom App-ID and enable scanning on the advanced tab.

B.

Create an Application Override policy.

C.

Create a custom App-ID and use the “ordered conditions” check box.

D.

Create an Application Override policy and custom threat signature for the application.

Question # 29

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

A.

Security policy rule allowing SSL to the target server

B.

Firewall connectivity to a CRL

C.

Root certificate imported into the firewall with “Trust” enabled

D.

Importation of a certificate from an HSM

Question # 30

An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.

Which configuration step needs to be configured to enable QoS?

A.

Enable QoS Data Filtering Profile

B.

Enable QoS monitor

C.

Enable QoS interface

D.

Enable QoS in the interface Management Profile.

Question # 31

In a virtual router, which object contains all potential routes?

A.

MIB

B.

RIB

C.

SIP

D.

FIB

Question # 32

The certificate information displayed in the following image is for which type of certificate?

Exhibit:

A.

Forward Trust certificate

B.

Self-Signed Root CA certificate

C.

Web Server certificate

D.

Public CA signed certificate

Question # 33

An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS® software can be upgraded?

A.

Security policy rule

B.

CRL

C.

Service route

D.

Scheduler

Question # 34

Which CLI command can be used to export the tcpdump capture?

A.

scp export tcpdump from mgmt.pcap to

B.

scp extract mgmt-pcap from mgmt.pcap to

C.

scp export mgmt-pcap from mgmt.pcap to

D.

download mgmt.-pcap

Question # 35

What are the differences between using a service versus using an application for Security Policy match?

A.

Use of a "service" enables the firewall to take action after enough packets allow for App-ID identification

B.

Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used.

C.

There are no differences between "service" or "application". Use of an "application" simplifies configuration by allowing use of a friendly application name instead of port numbers.

D.

Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take immediate action if the port being used is a member of the application standard port list

Question # 36

Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

A.

HA1 IP Address

B.

Network Interface Type

C.

Master Key

D.

Zone Protection Profile

Question # 37

Which protection feature is available only in a Zone Protection Profile?

A.

SYN Flood Protection using SYN Flood Cookies

B.

ICMP Flood Protection

C.

Port Scan Protection

D.

UDP Flood Protections

Question # 38

A customer wants to set up a site-to-site VPN using tunnel interfaces.

Which two formats are correct for naming tunnel interfaces? (Choose two.)

A.

Vpn-tunnel.1024

B.

vpn-tunne.1

C.

tunnel 1025

D.

tunnel. 1

Question # 39

Which operation will impact the performance of the management plane?

A.

WildFire Submissions

B.

DoS Protection

C.

decrypting SSL Sessions

D.

Generating a SaaS Application Report.

Question # 40

SAML SLO is supported for which two firewall features? (Choose two.)

A.

GlobalProtect Portal

B.

CaptivePortal

C.

WebUI

D.

CLI

Question # 41

A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.)

A.

ae.8

B.

aggregate.1

C.

ae.1

D.

aggregate.8

Question # 42

An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?

A)

B)

C)

D)

E)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

E.

Option E

Question # 43

Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

A.

web-browsing and 443

B.

SSL and 80

C.

SSL and 443

D.

web-browsing and 80

Question # 44

A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”. Which action will this configuration cause on the matched traffic?

A.

The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to “Deny”.

B.

The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.

C.

The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.

D.

The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny.”

Question # 45

A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.

What can be done to simplify the NAT policy?

A.

Configure ECMP to handle matching NAT traffic

B.

Configure a NAT Policy rule with Dynamic IP and Port

C.

Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option

D.

Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option

Question # 46

An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

A.

In the details of the Traffic log entries

B.

Decryption log

C.

Data Filtering log

D.

In the details of the Threat log entries

Question # 47

The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.

Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

A.

QoS Statistics

B.

Applications Report

C.

Application Command Center (ACC)

D.

QoS Log

Question # 48

A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.

Which CLI command syntax will display the rule that matches the test?

A.

test security -policy- match source destination destination port protocol

B.

show security rule source destination destination port protocol

C.

test security rule source destination destination port protocol

D.

show security-policy-match source destination destination port protocol

test security-policy-match source

Question # 49

The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalProtect Portal?

A.

Server Certificate

B.

Client Certificate

C.

Authentication Profile

D.

Certificate Profile

Question # 50

A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.

What should be done first?

A.

Remove the cable from the management interface, reload the log Collector and then re-connect that cable

B.

Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments

C.

remove the device from the Collector Group

D.

Revert to a previous configuration

Question # 51

In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.

Which authentication method must be used?

A.

LDAP

B.

Kerberos

C.

Certification based authentication

D.

RADIUS with Vendor-Specific Attributes

Question # 52

Palo Alto Networks maintains a dynamic database of malicious domains.

Which two Security Platform components use this database to prevent threats? (Choose two)

A.

Brute-force signatures

B.

BrightCloud URL Filtering

C.

PAN-DB URL Filtering

D.

DNS-based command-and-control signatures

Question # 53

Click the Exhibit button below,

A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.

Which is the next hop IP address for the HTTPS traffic from Will's PC?

A.

172.20.30.1

B.

172.20.40.1

C.

172.20.20.1

D.

172.20.10.1

Question # 54

A network engineer has received a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex.

Which CLI command will help identify the issue?

A.

test routing fib virtual-router vr1

B.

show routing route type static destination 98.139.183.24

C.

test routing fib-lookup ip 98.139.183.24 virtual-router vr1

D.

show routing interface

Question # 55

How is the Forward Untrust Certificate used?

A.

It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted.

B.

It is used when web servers request a client certificate.

C.

It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.

D.

It is used for Captive Portal to identify unknown users.

Question # 56

A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab.

What could cause this condition?

A.

The firewall does not have an active WildFire subscription.

B.

The engineer's account does not have permission to view WildFire Submissions.

C.

A policy is blocking WildFire Submission traffic.

D.

Though WildFire is working, there are currently no WildFire Submissions log entries.

Question # 57

How are IPv6 DNS queries configured to use interface ethernet1/3?

A.

Network > Virtual Router > DNS Interface

B.

Objects > CustomerObjects > DNS

C.

Network > Interface Mgmt

D.

Device > Setup > Services > Service Route Configuration

Question # 58

How does Panorama handle incoming logs when it reaches the maximum storage capacity?

A.

Panorama discards incoming logs when storage capacity is full.

B.

Panorama stops accepting logs until licenses for additional storage space are applied

C.

Panorama stops accepting logs until a reboot to clean storage space.

D.

Panorama automatically deletes older logs to create space for new ones.

Question # 59

Which two logs on the firewall will contain authentication-related information useful for troubleshooting purposes? (Choose two)

A.

ms.log

B.

traffic.log

C.

system.log

D.

dp-monitor.log

E.

authd.log

Question # 60

A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem?

A.

DHCP has been set to Auto.

B.

Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.

C.

Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.

D.

DNS has not been properly configured on the firewall

Question # 61

A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites are to override these products?

A.

Pre Rules

B.

Post Rules

C.

Explicit Rules

D.

Implicit Rules

Question # 62

A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

A.

Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.

B.

Traffic will be forced to operate over UDP Port 16384.

C.

Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".

D.

Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Question # 63

Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

A.

Microsoft Active Directory

B.

Microsoft Terminal Services

C.

Aerohive Wireless Access Point

D.

Palo Alto Networks Captive Portal

Question # 64

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system?

A.

Panorama Log Settings

B.

Panorama Log Templates

C.

Panorama Device Group Log Forwarding

D.

Collector Log Forwarding for Collector Groups

Question # 65

Which three functions are found on the dataplane of a PA-5050? (Choose three)

A.

Protocol Decoder

B.

Dynamic routing

C.

Management

D.

Network Processing

E.

Signature Match

Question # 66

Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.)

A.

On the App Dependency tab in the Commit Status window

B.

On the Application tab in the Security Policy Rule creation window

C.

On the Objects > Applications browsers pages

D.

On the Policy Optimizer's Rule Usage page

Question # 67

A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

A.

The two devices must share a routable floating IP address

B.

The two devices may be different models within the PA-5000 series

C.

The HA1 IP address from each peer must be on a different subnet

D.

The management port may be used for a backup control connection

Question # 68

A logging infrastructure may need to handle more than 10,000 logs per second.

Which two options support a dedicated log collector function? (Choose two)

A.

Panorama virtual appliance on ESX(i) only

B.

M-500

C.

M-100 with Panorama installed

D.

M-100
