Question # 4

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

A.

Policy Optimizer

B.

Test Policy Match

C.

Preview Changes

D.

Managed Devices Health

Question # 5

An administrator wants to enable zone protection.

Before doing so, what must the administrator consider?

A.

Activate a zone protection subscription.

B.

To increase bandwidth no more than one firewall interface should be connected to a zone

C.

Security policy rules do not prevent lateral movement of traffic between zones

D.

The zone protection profile will apply to all interfaces within that zone

Question # 6

An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane.

Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

A.

> ftp export mgmt-pcap from mgmt.pcap to

B.

> scp export mgmt-pcap from mgmt.pcap to <username@host:path>

C.

> scp export pcap-mgmt from pcap.mgmt to (username@host:path)

D.

> scp export pcap from pcap to (username@host:path)

Question # 7

Refer to the exhibit.

Which certificate can be used as the Forward Trust certificate?

A.

Domain Sub-CA

B.

Domain-Root-Cert

C.

Certificate from Default Trusted Certificate Authorities

D.

Forward-Trust

Question # 8

What are two valid deployment options for Decryption Broker? (Choose two)

A.

Transparent Bridge Security Chain

B.

Layer 3 Security Chain

C.

Layer 2 Security Chain

D.

Transparent Mirror Security Chain

Question # 9

Which rule type controls end user SSL traffic to external websites?

A.

SSL Outbound Proxyless Inspection

B.

SSL Forward Proxy

C.

SSL Inbound Inspection

D.

SSH Proxy

Question # 10

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

A.

The User-ID agent is connected to a domain controller labeled lab-client.

B.

The host lab-client has been found by the User-ID agent.

C.

The host lab-client has been found by a domain controller.

D.

The User-ID agent is connected to the firewall labeled lab-client.

Question # 11

An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

A.

WildFire updates

B.

NAT

C.

NTP

D.

antivirus

E.

File blocking

Question # 12

In which two types of deployment is active/active HA configuration supported? (Choose two.)

A.

TAP mode

B.

Layer 2 mode

C.

Virtual Wire mode

D.

Layer 3 mode

Question # 13

A variable name must start with which symbol?

A.

$

B.

&

C.

!

D.

#

Question # 14

In a Panorama template which three types of objects are configurable? (Choose three)

A.

HIP objects

B.

QoS profiles

C.

interface management profiles

D.

certificate profiles

E.

security profiles

Question # 15

What is the purpose of the firewall decryption broker?

A.

Decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools

B.

Force decryption of previously unknown cipher suites

C.

Inspect traffic within IPsec tunnel

D.

Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools

Question # 16

There is a speed/duplex negotiation mismatch between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1Gbps?

A.

set deviceconfig interface speed-duplex 1Gbps-full-duplex

B.

set deviceconfig system speed-duplex 1Gbps-duplex

C.

set deviceconfig system speed-duplex 1Gbps-full-duplex

D.

set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Question # 17

What are two benefits of nested device groups in Panorama? (Choose two.)

A.

Reuse of the existing Security policy rules and objects

B.

Requires configuring both function and location for every device

C.

All device groups inherit settings from the Shared group

D.

Overwrites local firewall configuration

Question # 18

How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

A.

by adding the device's Host ID to a quarantine list and configuring GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device

B.

by using security policies, log forwarding profiles, and log settings.

C.

by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook

D.

There is no native auto-quarantine feature so a custom script would need to be leveraged.

Question # 19

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

A.

Red Hat Enterprise Virtualization (RHEV)

B.

Kernel Virtualization Module (KVM)

C.

Boot Strap Virtualization Module (BSVM)

D.

Microsoft Hyper-V

Question # 20

On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

A.

1. Select Device > Certificate Management > Certificates > Device > Certificates

2. Import the certificate.

3. Select Import Private Key

4. Click Generate to generate the new certificate

B.

1 Select Device > Certificates

2 Select Certificate Profile

3 Generate the certificate

4 Select Block Private Key Export.

C.

1 Select Device > Certificates

2 Select Certificate Profile.

3 Generate the certificate

4 Select Block Private Key Export

D.

1 Select Device > Certificate Management > Certificates > Device > Certificates

2 Generate the certificate

3 Select Block Private Key Export

4 Click Generate to generate the new certificate.

Question # 21

Which method will dynamically register tags on the Palo Alto Networks NGFW?

A.

Restful API or the VMware API on the firewall or on the User-ID agent or the read-only domain controller (RODC)

B.

Restful API or the VMware API on the firewall or on the User-ID agent

C.

XML-API or the VMware API on the firewall or on the User-ID agent or the CLI

D.

XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Question # 22

Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)

A.

Block sessions with expired certificates

B.

Block sessions with client authentication

C.

Block sessions with unsupported cipher suites

D.

Block sessions with untrusted issuers

E.

Block credential phishing

Question # 23

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

A.

The settings assigned to the template that is on top of the stack.

B.

The administrator will be prompted to choose the settings for that chosen firewall.

C.

All the settings configured in all templates.

D.

Depending on the firewall location, Panorama decides which settings to send.

Question # 24

A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.

Which solution in PAN-OS® software would help in this case?

A.

application override

B.

Virtual Wire mode

C.

content inspection

D.

redistribution of user mappings

Question # 25

Which logs enable a firewall administrator to determine whether a session was decrypted?

A.

Correlated Event

B.

Traffic

C.

Decryption

D.

Security Policy

Question # 26

At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?

A.

exploitation

B.

IP command and control

C.

delivery

D.

reconnaissance

Question # 27

If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?

A.

Mapping to the IP address of the logged-in user.

B.

First four letters of the username matching any valid corporate username.

C.

Using the same user’s corporate username and password.

D.

Matching any valid corporate username.

Question # 28

VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

A.

Zone Protection

B.

DoS Protection

C.

Web Application

D.

Replay

Question # 29

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.

How would the administrator establish the chain of trust?

A.

Use custom certificates

B.

Enable LDAP or RADIUS integration

C.

Set up multi-factor authentication

D.

Configure strong password authentication

Question # 30

Which log file can be used to identify SSL decryption failures?

A.

Configuration

B.

Threats

C.

ACC

D.

Traffic

Question # 31

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

A.

BGP (Border Gateway Protocol)

B.

PBP (Packet Buffer Protection)

C.

PGP (Packet Gateway Protocol)

D.

PBP (Protocol Based Protection)

Question # 32

Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)

A.

Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions

B.

Enable User-ID on the zone object for the destination zone

C.

Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions

D.

Enable User-ID on the zone object for the source zone

E.

Configure a RADIUS server profile to point to a domain controller

Question # 33

A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web browsing access to the server.

Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080?

A.

application: web-browsing; service: application-default

B.

application: web-browsing; service: service-https

C.

application: ssl; service: any

D.

application: web-browsing; service: (custom with destination TCP port 8080)

Question # 34

Which client software can be used to connect a remote Linux client into a Palo Alto Networks infrastructure without sacrificing the ability to scan traffic and protect against threats?

A.

X-Auth IPsec VPN

B.

GlobalProtect Apple IOS

C.

GlobalProtect SSL

D.

GlobalProtect Linux

Question # 35

The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalProtect Portal?

A.

Server Certificate

B.

Client Certificate

C.

Authentication Profile

D.

Certificate Profile

Question # 36

Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

A.

The devices are pre-configured with a virtual wire pair out of the first two interfaces.

B.

The devices are licensed and ready for deployment.

C.

The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.

D.

A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.

E.

The interfaces are pingable.

Question # 37

A logging infrastructure may need to handle more than 10,000 logs per second.

Which two options support a dedicated log collector function? (Choose two)

A.

Panorama virtual appliance on ESX(i) only

B.

M-500

C.

M-100 with Panorama installed

D.

M-100

Question # 38

Firewall administrators cannot authenticate to a firewall GUI.

Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

A.

ms log

B.

authd log

C.

System log

D.

Traffic log

E.

dp-monitor.log

Question # 39

YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:

* ethernet1/1, Zone: Untrust (Internet-facing)

* ethernet1/2, Zone: Trust (client-facing)

A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.

Which setting for class 6 will throttle YouTube traffic?

A.

Outbound profile with Guaranteed Ingress

B.

Outbound profile with Maximum Ingress

C.

Inbound profile with Guaranteed Egress

D.

Inbound profile with Maximum Egress

Question # 40

How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

A.

Enable support for non-standard syslog messages under device management

B.

Check the custom-format check box in the syslog server profile

C.

Select a non-standard syslog server profile

D.

Create a custom log format under the syslog server profile

Question # 41

Which field is optional when creating a new Security Policy rule?

A.

Name

B.

Description

C.

Source Zone

D.

Destination Zone

E.

Action

Question # 42

A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk.

What action will bring the VPN up and allow traffic to start passing between the sites?

A.

Change the Site-B IKE Gateway profile version to match Site-A.

B.

Change the Site-A IKE Gateway profile exchange mode to aggressive mode.

C.

Enable NAT Traversal on the Site-A IKE Gateway profile.

D.

Change the pre-shared key of Site-B to match the pre-shared key of Site-A

Question # 43

Which two mechanisms help prevent a split brain scenario in an Active/Passive High Availability (HA) pair? (Choose two)

A.

Configure the management interface as HA3 Backup

B.

Configure Ethernet 1/1 as HA1 Backup

C.

Configure Ethernet 1/1 as HA2 Backup

D.

Configure the management interface as HA2 Backup

E.

Configure the management interface as HA1 Backup

F.

Configure ethernet1/1 as HA3 Backup

Question # 44

Which two events trigger the operation of automatic commit recovery? (Choose two.)

A.

when an aggregate Ethernet interface component fails

B.

when Panorama pushes a configuration

C.

when a firewall HA pair fails over

D.

when a firewall performs a local commit

Question # 45

What can cause missing SSL packets when performing a packet capture on dataplane interfaces?

A.

The packets are hardware offloaded to the offload processor on the dataplane

B.

The missing packets are offloaded to the management plane CPU

C.

The packets are not captured because they are encrypted

D.

There is a hardware problem with offloading FPGA on the management plane

Question # 46

A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.

What can be done to simplify the NAT policy?

A.

Configure ECMP to handle matching NAT traffic

B.

Configure a NAT Policy rule with Dynamic IP and Port

C.

Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option

D.

Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option

Question # 47

How does Panorama handle incoming logs when it reaches the maximum storage capacity?

A.

Panorama discards incoming logs when storage capacity is full.

B.

Panorama stops accepting logs until licenses for additional storage space are applied

C.

Panorama stops accepting logs until a reboot to clean storage space.

D.

Panorama automatically deletes older logs to create space for new ones.

Question # 48

A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:

* Users outside the company are in the "Untrust-L3" zone.

* The web server physically resides in the "Trust-L3" zone.

* Web server public IP address: 23.54.6.10

* Web server private IP address: 192.168.1.10

Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

A.

Destination IP of 23.54.6.10

B.

Untrust-L3 for both Source and Destination Zone

C.

Destination IP of 192.168.1.10

D.

Untrust-L3 for Source Zone and Trust-L3 for Destination Zone

Question # 49

What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

A.

The firewalls must have the same set of licenses.

B.

The management interfaces must be on the same network.

C.

The peer HA1 IP address must be the same on both firewalls.

D.

HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.

Question # 50

Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

A.

Configuring the administrative Distance for RIP to be lower than that of OSPF Int.

B.

Configuring the metric for RIP to be higher than that of OSPF Int.

C.

Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.

D.

Configuring the metric for RIP to be lower than that of OSPF Ext.

Question # 51

Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

A.

From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes

B.

Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode.

C.

From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.

D.

Enter the command logger-mode enable then enter Y to confirm the change to Log Collector mode.

E.

Log in to the Panorama CLI of the dedicated Log Collector

Question # 52

A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.

Given the following zone information:

* DMZ zone: DMZ-L3

* Public zone: Untrust-L3

* Guest zone: Guest-L3

* Web server zone: Trust-L3

* Public IP address (Untrust-L3): 1.1.1.1

* Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?

A.

Untrust-L3

B.

DMZ-L3

C.

Guest-L3

D.

Trust-L3

Question # 53

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

A.

Create a Dynamic Admin with the Panorama Administrator role

B.

Create a Custom Panorama Admin

C.

Create a Device Group and Template Admin

D.

Create a Dynamic Read only superuser

Question # 54

Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack.

Question # 55

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

A.

It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS

D.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS

Question # 56

Which three statements accurately describe Decryption Mirror? (Choose three.)

A.

Decryption Mirror requires a tap interface on the firewall

B.

Decryption, storage, inspection and use of SSL traffic are regulated in certain countries

C.

Only management consent is required to use the Decryption Mirror feature

D.

You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment

E.

Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

Question # 57

In URL filtering, which component matches URL patterns?

A.

live URL feeds on the management plane

B.

security processing on the data plane

C.

signature matching on the data plane

D.

single-pass pattern matching on the data plane

Question # 58

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

A.

Disable HA

B.

Disable the HA2 link

C.

Disable config sync

D.

Set the passive link state to 'shutdown'.

Question # 59

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A.

PAN-OS integrated User-ID agent

B.

LDAP Server Profile configuration

C.

GlobalProtect

D.

Windows-based User-ID agent

Question # 60

Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

A.

Layer 2

B.

Tap

C.

Layer 3

D.

Decryption Mirror
