IT Certification Guaranteed, The Easy Way! Exam : PCNSE Title : Palo Alto Networks Certified Network Security Engineer Vendor : Palo Alto Networks Version : V16.35 1 IT Certification Guaranteed, The Easy Way! NO.1 When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile? A. To enable Gateway authentication to the Portal B. To enable Portal authentication to the Gateway C. To enable user authentication to the Portal D. To enable client machine authentication to the Portal Answer: C Explanation: The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite. https://www.paloaltonetworks.com/documentation/71/pan-os/web-interfacehelp/globalprotect/network-globalprotect-portals NO.2 For which two functions is the management plane responsible? (Choose two.) A. Protocol decoding B. Reassembling packets C. Forwarding logs D. Answering HTTP requests Answer: CD NO.3 In order to route traffic between layer 3 interfaces on the PAN firewall you need: A. VLAN B. Vwire C. Security Profile D. Virtual Router Answer: D NO.4 Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS?software? A. XML API B. Port Mapping C. Client Probing D. Server Monitoring Answer: A Explanation: Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent 2 IT Certification Guaranteed, The Easy Way! NO.5 When using the predefined default antivirus profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. Answer options may be used more than once or not at all. (select four) A. IMAP - Alert B. IMAP - Reset-both C. HTTP - Alert D. HTTP - Reset-both E. FTP, SMB - Alert F. FTP, SMB - Reset-both G. POP3, SMTP - Alert H. POP3, SMTP - Reset-both Answer: ADFG Explanation: The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/antivirus-profiles NO.6 Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device? A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic. B. Wait until an official Application signature is provided from Palo Alto Networks. C. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic Answer: D NO.7 Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only? A. Disable Server Response Inspection B. Apply an Application Override C. Disable HIP Profile D. Add server IP Security Policy exception Answer: A Explanation: In the Other Settings section, select the option to Disable Server Response Inspection. This setting disables the antivirus and anti-spyware scanning on the server-side responses, and thus reduces the load on the firewall. https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic3 IT Certification Guaranteed, The Easy Way! security-policies NO.8 View the GlobalProtect configuration screen capture. What is the purpose of this configuration? A. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1. B. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1. C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client. D. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server. Answer: C NO.9 In which two types of deployment is active/active HA configuration supported? (Choose two.) A. Layer 3 mode B. TAP mode C. Virtual Wire mode D. Layer 2 mode Answer: AC NO.10 Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.) A. Create a no-decrypt Decryption Policy rule. B. Configure an EDL to pull IP addresses of known sites resolved from a CRL. C. Create a Dynamic Address Group for untrusted sites D. Create a Security Policy rule with vulnerability Security Profile attached. E. Enable the "Block sessions with untrusted issuers" setting. Answer: AD Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objectsdecryption-profile NO.11 Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal? A. Assign an IP address on each tunnel interface at each site B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0 C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces 4 IT Certification Guaranteed, The Easy Way! D. Create new VPN zones at each site to terminate each VPN connection Answer: C NO.12 Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon? A. Certificate revocation list B. Trusted root certificate C. Machine certificate D. Online Certificate Status Protocol Answer: C Explanation: The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre- installed machine certificate before the user has logged in. https://www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_60/globalprotect-quick-configs/remote-access-vpn-with-pre-logon NO.13 Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal? A. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0 B. Create new VPN zones at each site to terminate each VPN connection. C. Assign an IP address on each tunnel interface at each site. D. Assign OSPF Area 0.0.0.0 to all Ethernet and tunnel interfaces. Answer: D Explanation: OSPF Area Types include the Backbone Area, Area 0, is the core of an OSPF network. The backbone has the reserved area ID of 0.0.0.0. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link. https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/networking/configure-ospf NO.14 When configuring the firewall for packet capture, what are the valid stage types? A. receive, management, transmit, and non-syn B. receive, management, transmit, and drop C. receive, firewall, send, and non-syn D. receive, firewall, transmit, and drop Answer: D NO.15 Which feature can be configured on VM-Series firewalls? A. aggregate interfaces B. machine learning C. multiple virtual systems 5 IT Certification Guaranteed, The Easy Way! D. GlobalProtect Answer: D NO.16 Which of the following are valid Subscriptions for the Next Generation Platform? [Select All that apply] A. URL Filtering B. Support C. User ID D. Content ID E. SSL Decryption F. Threat Prevention G. App ID Answer: ABF NO.17 Server Message Block (SMB), a common file-sharing application, is slow when passing through a Palo Alto Networks firewall. The Network Security Administrator created an application override policy, assigning all SMB traffic to a custom application, to resolve the slowness issue. Why does this configuration resolve the issue? A. Security policy assignment is being done more efficiently. B. Zone Protection is no longer being applied. C. Layer 7 processing has been disabled for SMB traffic. D. Layer 4 processing has been disabled for the SMB traffic. Answer: C NO.18 A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post. Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network? A. Zone Protection Policy with UDP Flood Protection B. QoS Policy to throttle traffic below maximum limit C. Security Policy rule to deny trafic to the IP address and port that is under attack D. Classified DoS Protection Policy using destination IP only with a Protect action Answer: D Explanation: Step 1: Configure a DoS Protection profile for flood protection. 1. Select Objects > Security Profiles > DoS Protection and Add a profile Name. 2. Select Classified as the Type. 3. For Flood Protection, select the check boxes for all of the following types of flood protection: SYN Flood UDP Flood ICMP Flood ICMPv6 Flood 6 IT Certification Guaranteed, The Easy Way! Other IP Flood Step 2: Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic. This step include: (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect. https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/configure-dosprotection-against-flooding-of-new-sessions NO.19 Which event will happen if an administrator uses an Application Override Policy? A. Threat-ID processing time is decreased. B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4. C. The application name assigned to the traffic by the security rule is written to the Traffic log. D. App-ID processing time is increased. Answer: B NO.20 A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones? A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object. B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone. C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address. D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone. Answer: B Explanation: Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configureinterfaces/virtual-wire-interfaces/vlan-tagged-traffic.html NO.21 People are having intermittent quality issues during a live meeting via a web application. 7 IT Certification Guaranteed, The Easy Way! How can the performance of this application be improved? A. Use QoS Profile to define QoS Classes and a QoS Policy B. Use QoS Classes to define QoS Profile C. Use QoS Classes to define QoS Profile and QoS Policy D. Use QoS Profile to define QoS Classes Answer: A NO.22 If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft? A. Mapping to the IP address of the logged-in user. B. First four letters of the username matching any valid corporate username. C. Using the same user's corporate username and password. D. Marching any valid corporate username. Answer: A NO.23 An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement? A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols) D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router Answer: A NO.24 Which option is part of the content inspection process? A. Packet forwarding process B. SSL Proxy re-encrypt C. IPsec tunnel encryption D. Packet egress process Answer: A NO.25 An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario? A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP. B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP. C. The firewalls do not use floating IPs in active/active HA. D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails. Answer: A 8 IT Certification Guaranteed, The Easy Way! Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/floating-ipaddress-and-virtual-mac-address NO.26 What are the differences between using a service versus using an application for Security Policy match? A. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take immediate action if the port being used is a member of the application standard port list. B. There are no differences between "service" or "application". Use of an "application" simplifies configuration by allowing use of a friendly application name instead of port numbers C. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used D. Use of a "service" enables the firewall to take action after enough packets allow for App-ID identification Answer: C NO.27 The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.) A. View the System logs and look for the error messages about BGP. B. Perform a traffic pcap on the NGFW to see any BGP problems. C. View the Runtime Stats and look for problems with BGP configuration. D. View the ACC tab to isolate routing issues. Answer: AC NO.28 Which option describes the operation of the automatic commit recovery feature? A. It enables a firewall to revert to the previous configuration if rule shadowing is detected. B. It enables a firewall to revert to the previous configuration if application dependency errors are found. C. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure. D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure. Answer: D NO.29 Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two) A. The devices are pre-configured with a virtual wire pair out the first two interfaces. B. The devices are licensed and ready for deployment. C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections. D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone. 9 IT Certification Guaranteed, The Easy Way! E. The interfaces are pingable. Answer: AC Explanation: https://popravak.wordpress.com/2014/07/31/initial-setup-of-palo-alto-networks-next-generationfirewall/ NO.30 Firewall administrators cannot authenticate to a firewall GUI. Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.) A. ms log B. authd log C. System log D. Traffic log E. dp-monitor log Answer: CD NO.31 Which method does an administrator use to integrate all non-native MFA platforms in PANOS?software? A. Okta B. DUO C. RADIUS D. PingID Answer: C NO.32 Select all the platform components that Wildfire automatically updates after finding malicious activity in previously unknown files, URLs and APKs? A. Decrypt (Port-Mirroring) B. Mobile (Global Protect) C. Anti-Virus (Threat) D. Content/Web Filtering (Pan-DB) E. Anti-Malware signatures (WildFire) F. Management (Panorama) G. Anti Command & Control signatures (Threat) Answer: CDG NO.33 An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command: 10 IT Certification Guaranteed, The Easy Way! What could be the cause of this problem? A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA. B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA. C. The shared secrets do not match between the Palo Alto firewall and the ASA D. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA Answer: A Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/vpns/interpret-vpn-errormessages NO.34 Refer to the exhibit. Which certificates can be used as a Forwarded Trust certificate? A. Certificate from Default Trust Certificate Authorities B. Domain Sub-CA C. Forward_Trust D. Domain-Root-Cert Answer: B Explanation: Domain Sub-CA as it is a CA and has a key which is required for a Forward Trust Certificate. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0 11 IT Certification Guaranteed, The Easy Way! NO.35 Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B? A. Enable on Site-A only B. Enable on Site-B only with Passive Mode C. Enable on Site-A and Site-B D. Enable on Site-B only Answer: C Explanation: NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/vpns/site-to-site-vpnconcepts NO.36 Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.) A. maximum file size B. file types C. application D. direction Answer: BCD NO.37 Ethernet1/1 has been configured with the following subinterfaces: The following security policy rule is applied: The Interface Management Profile permits the following: 12 IT Certification Guaranteed, The Easy Way! A customer is trying to ping 10.10.10.1 from VLAN 799 IP 10.10.10.2/24. What will be the result of this ping? A. The ping will not be successful because there is no management profile attached to ethernet1/1.799. B. The ping will not successful because the management profile applied to ethernet1/1 allows ping. C. The ping will not be successful because the security policy does not apply to VLAN 799. D. The ping will not be successful because the virtual router is different from the other subinterfaces. E. The ping will not successful because the security policy permits this traffic. Answer: A NO.38 How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW? A. Use the debug dataplane packet-diag set capture stage firewall file command. B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall). C. Use the debug dataplane packet-diag set capture stage management file command. D. Use the topdump command. Answer: D Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-OnManagement-Interface/ta-p/55415 13 IT Certification Guaranteed, The Easy Way! NO.39 How can a candidate or running configuration be copied to a host external from Panorama? A. Commit a running configuration. B. Save a configuration snapshot. C. Save a candidate configuration. D. Export a named configuration snapshot. Answer: D NO.40 A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perimeter firewall will allow the identification of existing infected hosts in an environment? A. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole B. File Blocking profiles applied to outbound security policies with action set to alert C. Vulnerability Protection profiles applied to outbound security policies with action set to block D. Antivirus profiles applied to outbound security policies with action set to alert Answer: A Explanation: Starting with PAN-OS 6.0, DNS sinkhole is an action that can be enabled in Anti-Spyware profiles. A DNS sinkhole can be used to identify infected hosts on a protected network using DNS traffic in environments where the firewall can see the DNS query to a malicious URL. The DNS sinkhole enables the Palo Alto Networks device to forge a response to a DNS query for a known malicious domain/URL and causes the malicious domain name to resolve to a definable IP address (fake IP) that is given to the client. If the client attempts to access the fake IP address and there is a security rule in place that blocks traffic to this IP, the information is recorded in the logs. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/tap/58891 NO.41 Which method will dynamically register tags on the Palo Alto Networks NGFW? A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC) B. Restful API or the VMware API on the firewall or on the User-ID agent C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent Answer: D NO.42 An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement? A. Decryption Mirror interface with the Threat Analysis license B. Virtual Wire interface with the Decryption Port Export license C. Tap interface with the Decryption Port Mirror license 14 IT Certification Guaranteed, The Easy Way! D. Decryption Mirror interface with the associated Decryption Port Mirror license Answer: D NO.43 True or False: PAN-DB is a service that aligns URLs with category types and is fed to the WildFire threat cloud. A. True B. False Answer: A NO.44 What must be used in Security Policy Rule that contain addresses where NAT policy applies? A. Pre-NAT addresse and Pre-NAT zones B. Post-NAT addresse and Post-Nat zones C. Pre-NAT addresse and Post-Nat zones D. Post-Nat addresses and Pre-NAT zones Answer: C Explanation: NAT Policy Rule Functionality Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules NO.45 True or False: DSRI degrades the performance of a firewall? A. True B. False Answer: B NO.46 A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5- minute window for analysis. The firewall is configured to check for verdicts every 5 minutes. How quickly will the firewall receive back a verdict? A. More than 15 minutes B. 5 minutes C. 10 to 15 minutes D. 5 to 10 minutes Answer: D NO.47 Which Palo Alto Networks VM-Series firewall is valid? A. VM-25 B. VM-800 C. VM-50 D. VM-400 Answer: C 15 IT Certification Guaranteed, The Easy Way! NO.48 How quickly are Wildfire updates about previously unknown files now being delivered from the cloud to customers with a WildFire subscription (as of version 6.1)? A. 15 minutes B. 30 minutes C. 1 day D. 5 minutes E. 60 minutes Answer: D NO.49 Which DoS protection mechanism detects and prevents session exhaustion attacks? A. Packet Based Attack Protection B. Flood Protection C. Resource Protection D. TCP Port Scan Protection Answer: C NO.50 An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack? A. Vulnerability Protection B. Anti-Spyware C. URL Filtering D. Antivirus Answer: A NO.51 Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content IDs to traffic? A. Select download-and-install B. Select download-only C. Select download-and-install, with "Disable new apps in content update" selected D. Select disable application updates and select "Install only Threat updates" Answer: A NO.52 An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection? A. Enable and configure the Packet Buffer protection thresholds. Enable Packet Buffer Protection per ingress zone. B. Enable and then configure Packet Buffer thresholds Enable Interface Buffer protection. C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone. 16 IT Certification Guaranteed, The Easy Way! D. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection pre egress zone. E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone. Answer: A Explanation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/zone-protection-and-dosprotection/configure-zone-protection-to-increase-network-security/configure-packet-bufferprotection NO.53 Which operation will impact performance of the management plane? A. DoS protection B. WildFire submissions C. generating a SaaS Application report D. decrypting SSL sessions Answer: C Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK NO.54 An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage? A. Security policy rule allowing SSL to the target server B. Firewall connectivity to a CRL C. Root certificate imported into the firewall with "Trust" enabled D. Importation of a certificate from an HSM Answer: C NO.55 If malware is detected on the internet perimeter, what other places in the network might be affected? A. Cloud B. Endpoints C. Branch Offices D. All of the above E. Data Center Answer: D NO.56 Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system? A. Panorama Log Settings B. Panorama Log Templates C. Panorama Device Group Log Forwarding D. Collector Log Forwarding for Collector Groups Answer: A Explanation: 17 IT Certification Guaranteed, The Easy Way! https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/managelog-collection/enable-log-forwarding-from-panorama-to-external-destinations NO.57 Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.) A. Block sessions with expired certificates B. Block sessions with client authentication C. Block sessions with unsupported cipher suites D. Block sessions with untrusted issuers E. Block credential phishing Answer: AD Explanation: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-concepts/nodecryption-decryption-profile NO.58 A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall. Which interface configuration will accept specific VLAN IDs? Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two) A. A report can be created that identifies unclassified traffic on the network. B. Different security profiles can be applied to traffic matching rules 2 and 3. C. Rule 2 and 3 apply to traffic on different ports. D. Separate Log Forwarding profiles can be applied to rules 2 and 3. Answer: AD NO.59 Which three items are import considerations during SD-WAN configuration planning? (Choose three.) A. link requirements B. the name of the ISP C. IP Addresses D. branch and hub locations Answer: ACD NO.60 Only two Trust to Untrust allow rules have been created in the Security policy - Rule1 allows google-base - Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses 18 IT Certification Guaranteed, The Easy Way! SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found. Which action will allow youtube.com display in the browser correctly? A. Add SSL App-ID to Rule1 B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it C. Add the DNS App-ID to Rule2 D. Add the Web-browsing App-ID to Rule2 Answer: C NO.61 Which CLI command enables an administrator to check the CPU utilization of the dataplane? A. show running resource-monitor B. debug data-plane dp-cpu C. show system resources D. debug running resources Answer: A NO.62 How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers? A. Select a non-standard syslog server profile B. Check the custom-format check box in the syslog server profile. C. Enable support for non-standard syslog messages under device management. D. Create a custom log format under the syslog server profile. Answer: D Explanation: To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/configure-syslogmonitoring.html NO.63 Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic? A. check B. find C. test D. sim Answer: C NO.64 A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations. How should this be accomplished? 19 IT Certification Guaranteed, The Easy Way! A. Create a Template with the appropriate lKE Gateway settings. B. Create a Device Group with the appropriate lPSec tunnel settings. C. Create a Device Group with the appropriate IKE Gateway settings. D. Create a Template with the appropriate lPSec tunnel settings. Answer: D Explanation: Note: The administrator of the satellite must enter the credentials when the satellite connects to the portal. This is done on the satellite by navigating to Network > IPSec Tunnels and choosing "gateway info" and then clicking on "Enter Credentials". NO.65 Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW? A. ACC B. System Logs C. App Scope D. Session Browser Answer: D NO.66 Which three function are found on the dataplane of a PA-5050? (Choose three) A. Protocol Decoder B. Dynamic routing C. Management D. Network Processing E. Signature Match Answer: BDE Explanation: In these devices, dataplane zero, or dp0 for short, functions as the master dataplane and determines which dataplane will be used as the session owner that is responsible for processing and inspection. The data plane provides all data processing and security detection and enforcement, including: * (B) All networking connectivity, packet forwarding, switching, routing, and network address translation * Application identification, using the content of the applications, not just port or protocol * SSL forward proxy, including decryption and re-encryption * Policy lookups to determine what security policy to enforce and what actions to take, including scanning for threats, logging, and packet marking * Application decoding, threat scanning for all types of threats and threat prevention * Logging, with all logs sent to the control plane for processing and storage E: The following diagram depicts both the hardware and software architecture of the next- generation firewall 20 IT Certification Guaranteed, The Easy Way! Incorrect Answers: C: Management is done in the control plane. https://www.niap-ccevs.org/st/st_vid10392-st.pdf NO.67 How does Panorama handle incoming logs when it reaches the maximum storage capacity? A. Panorama discards incoming logs when storage capacity full. B. Panorama stops accepting logs until licenses for additional storage space are applied C. Panorama stops accepting logs until a reboot to clean storage space. D. Panorama automatically deletes older logs to create space for new ones. Answer: D Explanation: When Panorama reaches the maximum capacity, it automatically deletes older logs to create space for new ones. https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/set-uppanorama/determine-panorama-log-storage-requirements NO.68 After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem? A. A Server Profile has not been configured for logging to this Panorama device. B. Panorama is not licensed to receive logs from this particular firewall. C. The firewall is not licensed for logging to this Panorama device. D. None of the firewall's policies have been assigned a Log Forwarding profile Answer: D 21 IT Certification Guaranteed, The Easy Way! Explanation: In order to see entries in the Panorama Monitor > Traffic or Monitor > Log screens, a profile must be created on the Palo Alto Networks device (or pushed from Panorama) to forward log traffic to Panorama. Steps: 1. Go to Policies > Security and open the Options for a rule. 2. Under Log Setting, select New for Log Forwarding to create a new forwarding profile: Etc. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-a-Profile-to-ForwardLogs-to-Panorama/ta-p/54038 NO.69 On March 10, 2016, between 11:00 am and 11:30 am, users reported that web-browsing traffic to the IP address 1.1.1.1 failed. Which filter can be applied to the traffic logs to show how many users were affected during this time frame? A. ( time_generated leq `2016/03/10 11:30:00') and ( app is web-browsing ) B. ( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and ( addr.dst in 1.1.1.1) C. ( time_generated leq `2016/03/10 11:00:00') and ( time_generated geq `2016/03/10 11:30:00') and ( app eq web-browsing ) D. ( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and ( app neq web-browsing ) Answer: B 22 IT Certification Guaranteed, The Easy Way! NO.70 An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.) A. B. C. D. 23 IT Certification Guaranteed, The Easy Way! Answer: AD NO.71 A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two.) A. Static Route B. BGP C. OSPFv3 D. RIP Answer: AC Explanation: C: OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. A: How to Set Default Route for IPv6 Traffic Steps 1. Go to Network > Virtual Router 2. Add a Virtual Router and go to Static Routes > IPv6. 3. Add a Static Route: E. Set destination (example, IPV4 0.0.0.0/0) as ::0/ F. Select the Interface G. Set the Next Hop IP address https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/networkingfeatures/ospf-v3-support https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-Default-Route-for-IPv6Traffic/ta-p/52731 NO.72 Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services? A. Configure a Decryption Profile and select SSL/TLS services. B. Set up SSL/TLS under Polices > Service/URL Category>Service. C. Set up Security policy rule to allow SSL communication. 24 IT Certification Guaranteed, The Easy Way! D. Configure an SSL/TLS Profile. Answer: D NO.73 A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information: DMZ zone: DMZ-L3 Public zone: Untrust-L3 Guest zone: Guest-L3 Web server zone: Trust-L3 Public IP address (Untrust-L3): 1.1.1.1 Private IP address (Trust-L3): 192.168.1.50 What should be configured as the destination zone on the Original Packet tab of NAT Policy rule? A. Untrust-L3 B. DMZ-L3 C. Guest-L3 D. Trust-L3 Answer: A Explanation: Create the NAT policy. 1. Select Policies > NAT and click Add. 2. Enter a descriptive Name for the policy. 3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop down. 4. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop- down in the Source Address Translation section of the screen and then click Add. Select the address object you just created. 5. Click OK to save the NAT policy. https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configurenat- policies NO.74 The automated Correlation Engine uses correlation objects to analyze the logs for patterns. When a match occurs: A. The Correlation Engine blocks the connection B. The Correlation Engine generates a correlation event C. The Correlation Engine displays a warning message to the end user D. The Correlation Engine dumps the alarm log Answer: B NO.75 A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy? A. Configure ECMP to handle matching NAT traffic 25 IT Certification Guaranteed, The Easy Way! B. Configure a NAT Policy rule with Dynamic IP and Port C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi- directional option D. Create a new Destination NAT Policy rule that marches the existing traffic and enable the Bidirectional option Answer: C Explanation: https://live.paloaltonetworks.com/t5/Learning-Articles/What-does-the-Bi-directional-NAT-FeatureProvide/ta-p/60593 NO.76 Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company. What would be the administrator's next step? A. Right-Click on the bittorrent link and select Value from the context menu B. Create a global filter for bittorrent traffic and then view Traffic logs. C. Create local filter for bittorrent traffic and then view Traffic logs. D. Click on the bittorrent application link to view network activity Answer: D Explanation: The application filter is a dynamic item that is created by selecting filter options (Category, Subcategory, Technology) in the application browser. Any new applications coming to PAN-OS in a content update that match the same filters, the set will automatically be added to the Application Filter created. For example, when a 'peer-to-peer' is selected as a Technology Filter, that filter will automatically update if a new application gets added to that category in the latest content package. https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Block-Traffic-Based-on-ApplicationFilters-with-an/ta-p/59965 NO.77 A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ 26 IT Certification Guaranteed, The Easy Way! zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443. A. Rule #1: application: web-browsing; service: application-default; action: allowRule #2: application: ssl; service: application-default; action: allow B. Rule #1: application: web-browsing; service: service-https; action: allowRule #2: application: ssl; service: application-default; action: allow C. Rule # 1: application: ssl; service: application-default; action: allowRule #2: application: web-browsing; service: application-default; action: allow D. Rule #1: application: web-browsing; service: service-http; action: allowRule #2: application: ssl; service: application-default; action: allow Answer: B Explanation: If decrypted traffic matches the web-browsing application. Then the firewall will log it as webbrowsing over ssl (443) and will never match if it is set to "application-default". https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEyCAK NO.78 When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama? A. Load configuration version B. Save candidate config C. Export device state D. Load named configuration snapshot Answer: C NO.79 A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk. What action will bring the VPN up and allow traffic to start passing between the sites? A. Change the Site-B IKE Gateway profile version to match Site-A, B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode. C. Enable NAT Traversal on the Site-A IKE Gateway profile. D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A Answer: D NO.80 What are three valid method of user mapping? (Choose three) A. Syslog B. XML API C. 802.1X D. WildFire E. Server Monitoring Answer: ABE NO.81 Which client software can be used to connect remote Linux client into a Palo Alto Networks 27 IT Certification Guaranteed, The Easy Way! Infrastructure without sacrificing the ability to scan traffic and protect against threats? A. X-Auth IPsec VPN B. GlobalProtect Apple IOS C. GlobalProtect SSL D. GlobalProtect Linux Answer: D Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkiCAC NO.82 A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4. Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the enterprise?( Choose three) A. Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually uploading. B. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall. C. Push the PAN-OS 7.0.4 updates from the support site to install on each firewall. D. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining after updating one firewall. E. Download and install PAN-OS 7.0.4 directly on each firewall. F. Download and push PAN-OS 7.0.4 from Panorama to each firewall. Answer: AEF NO.83 A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface? (Choose two.) A. Virtual router B. Security zone C. ARP entries D. Netflow Profile Answer: AB NO.84 Which device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall? A. Universal B. Master C. Global D. Shared Answer: D Explanation: Select the Parent Device Group (default is Shared) that will be just above the device group you are creating in the device group hierarchy. https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/managefirewalls/add-a-device-group#_26700 28 IT Certification Guaranteed, The Easy Way! NO.85 An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment? A. Use config-drive on a USB stick. B. Use an S3 bucket with an ISO. C. Create and attach a virtual hard disk (VHD). D. Use a virtual CD-ROM with an ISO. Answer: D NO.86 A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)? A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server. B. Add a Vulnerability Protection Profile to block the attack. C. Add QoS Profiles to throttle incoming requests. D. Add a DoS Protection Profile with defined session count. Answer: D NO.87 Which option is an IPv6 routing protocol? A. RIPv3 B. OSPFv3 C. OSPv3 D. BGP NG Answer: B NO.88 A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured. What can be the cause of this problem? A. No Zone has been configured on Ethernet 1/4. B. Interface Ethernet 1/1 is in Virtual Wire Mode. C. DNS has not been properly configured on the firewall. D. DNS has not been properly configured on the host. Answer: A NO.89 A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti- Spyware and select default profile. What should be done next? A. Click the simple-critical rule and then click the Action drop-down list. B. Click the Exceptions tab and then click show all signatures. 29 IT Certification Guaranteed, The Easy Way! C. View the default actions displayed in the Action column. D. Click the Rules tab and then look for rules with "default" in the Action column. Answer: B Explanation: All Anti-spyware and Vulnerability Protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to Objects > Security Profiles > Anti- Spyware or Objects > Security Profiles >Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then click Show all signatures and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile. https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/set-upantivirus-anti-spyware-and-vulnerability-protection.html NO.90 Which GlobalProtect Client connect method requires the distribution and use of machine certificates? A. At-boot B. Pre-logon C. User-logon (Always on) D. On-demand Answer: B NO.91 PAS-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC). Which license must the firewall have to obtain new correlation objectives? A. Threat Prevention B. Application Center C. GlobalProtect D. URL Filtering Answer: A Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/automatedcorrelation-engine-concepts NO.92 Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log? A. Log B. Alert C. Allow D. Default Answer: B NO.93 Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain username-to-IP-address mapping? 30 IT Certification Guaranteed, The Easy Way! A. Aerohive Wireless Access Point B. Microsoft Terminal Services C. Palo Alto Networks Captive Portal D. Microsoft Active Directory Answer: B Explanation: Configure User Mapping for Terminal Server Users Individual terminal server users appear to have the same IP address and therefore an IP address to username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. Incorrect Answers: A: If you want to integrate Aerohive with Palo Alto the suggested route is to run a script on a Kiwi Syslog Server which parses the Aerohive log and then updates the Palo Alto with Username/IP address mapping. A working VB script for Kiwi is provided below. Etc. https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/user-id/configure-usermapping-for-terminal-server-users NO.94 What is exchanged through the HA2 link? A. hello heartbeats B. User-ID information C. session synchronization D. HA state information Answer: C NO.95 Which one of these is not a factor impacting sizing decisions? A. Decryption B. Sessions C. Redundancy D. Number of applications E. Performance F. Number of rules Answer: D NO.96 In High Availability, which information is transferred via the HA data link? A. session information B. heartbeats C. HA state information D. User-ID information Answer: A 31 IT Certification Guaranteed, The Easy Way! NO.97 Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall. A. B. C. D. 32 IT Certification Guaranteed, The Easy Way! Answer: B NO.98 Which three options are supported in HA Lite? (Choose three.) A. Virtual link B. Active/passive deployment C. Synchronization of IPsec security associations D. Configuration synchronization E. Session synchronization Answer: BCD NO.99 What are the three Security Policy Rule Type classifications supported in PAN-OS 7.0? (Choose three.) A. Default B. Global C. Interzone D. Intrazone E. Universal F. ExternalZone Answer: CDE Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-andInterzone-Rules/ta-p/57491 NO.100 Which of the following are critical features of a Next Generation Firewall that provide Breach prevention? Choose two. A. Alarm generation of known threats traversing the device B. Application Visibility and URL Categorization C. Endpoint and server scanning for known malware D. Processing all traffic across all ports & protocols, in both directions E. Centralized or distributed log collectors Answer: BD NO.101 A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q 33 IT Certification Guaranteed, The Easy Way! trunk interface Which interface type and configuration setting will support this design? A. Trunk interface type with specified tag B. Layer 3 interface type with specified tag C. Layer 2 interface type with a VLAN assigned D. Layer 3 subinterface type with specified tag Answer: D NO.102 Which option is an IPv6 routing protocol? A. OSPFv3 B. BGP NG C. OSPFv2 D. RIPv3 Answer: A Explanation: OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/networkingfeatures/ospf- v3-support NO.103 What are three valid options when creating a new security policy? (Choose three.) A. Reset All B. Reset client C. Block D. Deny All E. Alert F. Deny G. Allow Answer: BFG Explanation: NO.104 Which two options prevent the firewall from capturing traffic passing through it? (Choose two.) A. The firewall is in multi-vsys mode. 34 IT Certification Guaranteed, The Easy Way! B. The traffic is offloaded. C. The traffic does not match the packet capture filter. D. The firewall's DP CPU is higher than 50%. Answer: B,C NO.105 A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem? A. DHCP has been set to Auto. B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode. C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode. D. DNS has not been properly configured on the firewall Answer: B Explanation: In a Layer 2 deployment, the firewall provides switching between two or more interfaces. Each group of interfaces must be assigned to a VLAN object in order for the firewall to switch between them. In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing is required. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/getting-started/basicinterface-deployments NO.106 The certificate information displayed in the following image is for which type of certificate? A. Forward Trust certificate B. Self-Signed Root CA certificate C. Web Server certificate 35 IT Certification Guaranteed, The Easy Way! D. Public CA signed certificate Answer: B NO.107 Which CLI command displays the current management plane memory utilization? A. > show system info B. > show system resources C. > show running resource-monitor D. > debug management-server show Answer: B Explanation: When running show system resources from the PAN-OS CLI, the top process in the output shows 9999% CPU utilization. The following is an example output: > show system resources https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-ResourceCommandDisplays-CPU-Utilization-of-9999/ta-p/58149 NO.108 Which Panorama administrator types require the configuration of at least one access domain? (Choose two.) A. Role Based B. Custom Panorama Admin C. Device Group D. Dynamic E. Template Admin Answer: CE NO.109 A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator 36 IT Certification Guaranteed, The Easy Way! decides to use Panorama to deploy the configurations. How should this be accomplished? A. Create a Template with the appropriate IKE Gateway settings B. Create a Template with the appropriate IPSec tunnel settings C. Create a Device Group with the appropriate IKE Gateway settings D. Create a Device Group with the appropriate IPSec tunnel settings Answer: B NO.110 Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two) A. Configure the management interface as HA3 Backup B. Configure Ethernet 1/1 as HA1 Backup C. Configure Ethernet 1/1 as HA2 Backup D. Configure the management interface as HA2 Backup E. Configure the management interface as HA1 Backup F. Configure ethernet1/1 as HA3 Backup Answer: BE Explanation: E: For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network. B: 1. In Device > High Availability > General, edit the Control Link (HA1) section. 2. Select the interface that you have cabled for use as the HA1 link in the Port drop down menu. Set the IP address and netmask. Enter a Gateway IP address only if the HA1 interfaces are on separate subnets. Do not add a gateway if the devices are directly connected. https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/high-availability/configureactive-passive-ha NO.111 Which three types of software will receive a Grayware verdict from WildFire? (Choose Three) A. Browser Toolbar B. Trojans C. Ransomeware D. Potentially unwanted programs E. Adware. Answer: ADE Explanation: https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/wildfirefeatures/wildfire-grayware-verdict NO.112 Which tool provides an administrator the ability to see trends in traffic over periods of time, 37 IT Certification Guaranteed, The Easy Way! such as threats detected in the last 30 days? A. Session Browser B. Application Command Center C. TCP Dump D. Packet Capture Answer: B NO.113 Which is not a valid reason for receiving a decrypt-cert-validation error? A. Unsupported HSM B. Unknown certificate status C. Client authentication D. Untrusted issuer Answer: A Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/networkingfeatures/ssl-ssh-session-end-reasons NO.114 Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.) A. log forwarding auto-tagging B. XML API C. GlobalProtect agent D. User-ID Windows-based agent Answer: BD NO.115 Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general? A. Deny application facebook-chat before allowing application facebook B. Deny application facebook on top C. Allow application facebook on top D. Allow application facebook before denying application facebook-chat Answer: A NO.116 An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW? A. Custom application B. System logs show an application error and neither signature is used. C. Downloaded application D. Custom and downloaded application signature files are merged and both are used Answer: A 38 IT Certification Guaranteed, The Easy Way! NO.117 Which two options prevent the firewall from capturing traffic passing through it? (Choose two.) A. The firewall is in multi-vsys mode. B. The traffic is offloaded. C. The traffic does not match the packet capture filter. D. The firewall's DP CPU is higher than 50%. Answer: BC NO.118 An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall? A. 0 B. 99 C. 1 D. 255 Answer: D NO.119 An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS?software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama. Which action would enable the firewalls to send their pre-existing logs to Panorama? A. Use the import option to pull logs into Panorama. B. A CLI command will forward the pre-existing logs to Panorama. C. Use the ACC to consolidate pre-existing logs. D. The log database will need to exported form the firewalls and manually imported into Panorama. Answer: D NO.120 TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation Firewalls) just to gain previously unavailable levels of visibility into their traffic flows. A. TRUE B. FALSE Answer: A NO.121 For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.) A. ingress processing errors B. rule match with action "deny" C. rule match with action "allow" D. equal-cost multipath Answer: AB NO.122 In the following image from Panorama, why are some values shown in red? 39 IT Certification Guaranteed, The Easy Way! A. sg2 session count is the lowest compared to the other managed devices. B. us3 has a logging rate that deviates from the administrator-configured thresholds. C. uk3 has a logging rate that deviates from the seven-day calculated baseline. D. sg2 has misconfigured session thresholds. Answer: C Explanation: https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/panoramafeatures/device-monitoring-through-panorama NO.123 Support for which authentication method was added in PAN-OS 7.0? A. RADIUS B. LDAP C. Diameter D. TACACS+ Answer: D Explanation: Devices now support Terminal Access Controller Access-Control System Plus ( TACACS+) protocol for authenticating administrative users. TACACS+ provides greater security than RADIUS insofar as it encrypts usernames and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP). https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0release-information/authentication-features#91847 NO.124 What happens when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address? A. The internal host tried to resolve a DNS query by connecting to a rogue DNS server. B. A malicious domain tried to contact an internal DNS server. C. A rogue DNS server used the sinkhole address to direct traffic to a known malicious domain. D. The internal host attempted to use DNS to resolve a known malicious domain into an IP address. Answer: D NO.125 A distributed log collection deployment has dedicated Log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first? A. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments B. Revert to a previous configuration 40 IT Certification Guaranteed, The Easy Way! C. Remove the device from the Collector Group D. Remove the cable from the management interface. reload the Log Collector and then re-connect that cable Answer: C Explanation: In a distributed log collection deployment, where you have dedicated Log Collectors, if you need a device to send logs to Panorama instead of sending logs to the Collector Group, you must remove the device from the Collector group. https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/managelog-collection/remove-a-firewall-from-a-collector-group#_24966 NO.126 A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN configuration would adapt to changes when deployed to the future site? A. Preconfigured GlobalProtect satellite B. Preconfigured GlobalProtect client C. Preconfigured PIsec tunnels D. Preconfigured PPTP Tunnels Answer: A NO.127 If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed? A. The settings assigned to the template that is on top of the stack. B. The administrator will be promoted to choose the settings for that chosen firewall. C. All the settings configured in all templates. D. Depending on the firewall location, Panorama decides with settings to send. Answer: A Explanation: Panorama evaluates the templates listed in a stack configuration from top to bottom, with higher templates having priority. https://docs.paloaltonetworks.com/panorama/7-1/panorama-admin/panoramaoverview/templates-and-template-stacks NO.128 A network engineer has revived a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex. Which CLI command will help identify the issue? A. test routing fib virtual-router vr1 B. show routing route type static destination 98.139.183.24 C. test routing fib-lookup ip 98.139.183.24 virtual-router vr1 D. show routing interface Answer: C Explanation: This document explains how to perform a fib lookup for a particular destination within a particular 41 IT Certification Guaranteed, The Easy Way! virtual router on a Palo Alto Networks firewall. 1. Select the desired virtual router from the list of virtual routers configured with the command: > test routing fib-lookup virtual-router <value> 2. Specify a destination IP address: > test routing fib-lookup virtual-router default ip <ip address> https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Perform-FIB-Lookup-for-a- Particular -Destination/ta-p/52188 NO.129 What is the default behavior when a Certificate Profile is configured to use both CRL and OCSP? A. CRL will be preferred B. The option will the lower timeout value will be preferred. C. The firewall will use the first profile to respond. D. OCSP will be preferred. Answer: D Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/certificatemanagement/configure-a-certificate-profile NO.130 An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS software can be upgraded? A. Security policy rule B. CRL C. Service route D. Scheduler Answer: C Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC NO.131 Which hardware platform should I consider if the customer needs at least 1 Gbps of Threat Prevention throughput and the ability to handle at least 250K sessions? A. Any PA-5000 or PA-7000 series firewall B. Only the PA-3060 firewall and higher C. Any PA-3000, PA-5000, or PA-7000 series firewall D. Only the PA-3050 firewall and higher Answer: C NO.132 In a virtual router, which object contains all potential routes? A. MIB B. RIB C. SIP 42 IT Certification Guaranteed, The Easy Way! D. FIB Answer: B NO.133 Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accoumplish this goal? A. Assign an IP address on each tunnel interface at each site B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0 C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces D. Create new VPN zones at each site to terminate each VPN connection Answer: C NO.134 An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab? A. Admin Role B. WebUI C. Authentication D. Authorization Answer: A NO.135 Which PAN-OS?policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data? A. Security policy B. Decryption policy C. Authentication policy D. Application Override policy Answer: C NO.136 A customer wants to set up a site-to-site VPN using tunnel interfaces? Which two formats are correct for naming tunnel interfaces? (Choose two.) A. tunnel.1 B. vpn-tunnel.1 C. tunnel.1025 D. vpn-tunnel.1024 Answer: AC NO.137 The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which feature can be used to identify, in real time, the applications taking up the most bandwidth? A. QoS Statistics B. Applications Report 43 IT Certification Guaranteed, The Easy Way! C. Application Command Center (ACC) D. QoS Log Answer: A Explanation: Select Network > QoS to view the QoS Policies page and click the Statistics link to view QoS bandwidth, active sessions of a selected QoS node or class, and active applications for the selected QoS node or class. For example, see the statistics for ethernet 1/1 with QoS enabled: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configureqos NO.138 A company.com wants to enable Application Override. Given the following screenshot: Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two) 44 IT Certification Guaranteed, The Easy Way! A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines. B. Traffic will be forced to operate over UDP Port 16384. C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base". D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines. Answer: CD Explanation: An application override policy is changes how the Palo Alto Networks firewall classifies network traffic into applications. An application override with a custom application prevents the session from being processed by the App-ID engine, which is a Layer-7 inspection. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-OverridePolicy/ta-p/60044 NO.139 Which command can be used to validate a Captive Portal policy? A. eval captive-portal policy <criteria> B. request cp-policy-eval <criteria> C. test authentication-policy-match <criteria> D. debug cp-policy <criteria> Answer: C Explanation: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/use-the-cli/test-theconfiguration/test-policy-matches NO.140 A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and- control (C2) servers. Which Security Profile type will prevent these behaviors? A. Anti-Spyware B. WildFire C. Vulnerability Protection 45 IT Certification Guaranteed, The Easy Way! D. Antivirus Answer: A Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/anti-spyware-profiles NO.141 Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two) A. Vulnerability Object B. DoS Protection Profile C. Data Filtering Profile D. Zone Protection Profile Answer: BD Explanation: B: There are two DoS protection mechanisms that the Palo Alto Networks firewalls support. * Flood Protection - Detects and prevents attacks where the network is flooded with packets resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. * Resource Protection - Detects and prevent session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system's resources. You can enable both types of protection mechanisms in a single DoS protection profile. D: Provides additional protection between specific network zones in order to protect the zones against attack. The profile must be applied to the entire zone, so it is important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When defining packets per second (pps) thresholds limits for zone protection profiles, the threshold is based on the packets per second that do not match a previously established session. Incorrect Answers: A: Vulnerability protection stops attempts to exploit system flaws or gain unauthorized access to systems. For example, this feature will protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. C: Data Filtering helps to prevent sensitive information such as credit card or social security numbers from leaving a protected network. https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/aboutsecurity-profiles NO.142 When performing the "ping" test shown in this CLI output: 46 IT Certification Guaranteed, The Easy Way! What will be the source address in the ICMP packet? A. 10.46.64.94 B. 10.30.0.93 C. 192.168.93.1 D. 10.46.72.93 Answer: A NO.143 Which two virtualization platforms officially support the deployment of Palo Alto Networks VM- Series firewalls? (Choose two.) A. Red Hat Enterprise Virtualization (RHEV) B. Kernel Virtualization Module (KVM) C. Boot Strap Virtualization Module (BSVM) D. Microsoft Hyper-V 47 IT Certification Guaranteed, The Easy Way! Answer: BD NO.144 Which three fields can be included in a pcap filter? (Choose three) A. Egress interface B. Source IP C. Rule number D. Destination IP E. Ingress interface Answer: BDE NO.145 A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.) A. Application Override policy. B. Security policy to identify the custom application. C. Custom application. D. Custom Service object. Answer: AC NO.146 Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose two) A. Brute-force signatures B. BrightCloud Url Filtering C. PAN-DB URL Filtering D. DNS-based command-and-control signatures Answer: CD Explanation: C: PAN-DB categorizes URLs based on their content at the domain, file and page level, and receives updates from WildFire cloud-based malware analysis environment every 30 minutes to make sure that, when web content changes, so do categorizations. This continuous feedback loop enables you to keep pace with the rapidly changing nature of the web, automatically. D: DNS is a very necessary and ubiquitous application, as such, it is a very commonly abused protocol for command-and-control and data exfiltration. This tech brief summarizes the DNS classification, inspection and protection capabilities supported by our next-generation security platform, which includes: 1. Malformed DNS messages (symptomatic of vulnerability exploitation attack). 2. DNS responses with suspicious composition (abused query types, DNS-based denial of service attacks). 3. DNS queries for known malicious domains. Our ability to prevent threats from hiding within DNS The passive DNS network feature allows you to opt-in to share anonymized DNS query and response data with our global passive DNS network. The data is continuously mined to discover malicious domains that are then added to the PAN-OS DNS signature set that is delivered daily, enabling timely detection of compromised hosts within the network and the disruption of command-and-control channels that rely on name resolution. 48 IT Certification Guaranteed, The Easy Way! https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/url-filtering-pandb https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/e n_US/resources/techbriefs/dns-protection NO.147 Which two features does PAN-OS software use to identify applications? (Choose two.) A. transaction characteristics B. session number C. pot number D. application layer payload Answer: AC Explanation: Signatures are then applied to allowed traffic to identify the application based on unique application properties and related [transaction characteristics]. The signature also determines if the application is being used on its [default port or it is using a non-standard port.] If the traffic is allowed by policy, the traffic is then scanned for threats and further analyzed for identifying the application more granularly. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/app-id-overview.html NO.148 Which Captive Portal mode must be configured to support MFA authentication? A. NTLM B. Redirect C. Single Sign-On D. Transparent Answer: B NO.149 A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com. How can the firewall be configured automatically disable the PBF rule if the next hop goes down? A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question. B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question. C. Enable and configure a Link Monitoring Profile for the external interface of the firewall. D. Configure path monitoring for the next hop gateway on the default route in the virtual router. Answer: B Explanation: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/network/networknetwork-profiles-monitor# NO.150 Based on the following image, what is the correct path of root, intermediate, and end-user certificate? 49 IT Certification Guaranteed, The Easy Way! A. Palo Alto Networks > Symantec > VeriSign B. VeriSign > Symantec > Palo Alto Networks C. Symantec > VeriSign > Palo Alto Networks 50 IT Certification Guaranteed, The Easy Way! D. VeriSign > Palo Alto Networks > Symantec Answer: B NO.151 Which virtual router feature determines if a specific destination IP address is reachable? A. Heartbeat Monitoring B. Failover C. Path Monitoring D. Ping-Path Answer: C NO.152 Which three settings are defined within the Templates object of Panorama? (Choose three.) A. Setup B. Virtual Routers C. Interfaces D. Security E. Application Override Answer: ABC NO.153 Starting with PAN-OS version 9.1, Global logging information is now recoded in which firewall log? A. Authentication B. Globalprotect C. Configuration D. System Answer: D NO.154 Refer to exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms? A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external 51 IT Certification Guaranteed, The Easy Way! services. B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW. C. Configure log compression and optimization features on all remote firewalls. D. Any configuration on an M-500 would address the insufficient bandwidth concerns. Answer: C NO.155 What are two benefits of nested device groups in Panorama? (Choose two.) A. Reuse of the existing Security policy rules and objects B. Requires configuring both function and location for every device C. All device groups inherit settings form the Shared group D. Overwrites local firewall configuration Answer: AC Explanation: https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/panoramaoverview/centralized-firewall-configuration-and-update-management/device-groups/device-grouphierarchy# NO.156 An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans? A. Anti-Spyware B. Instruction Prevention C. File Blocking D. Antivirus Answer: D NO.157 What is the name of the debug save file for IPSec VPN tunnels? A. set vpn all up B. test vpn ike-sa C. request vpn IPsec-sa test D. Ikemgr.pcap Answer: D NO.158 An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result? A. Create a custom App-ID and enable scanning on the advanced tab. B. Create an Application Override policy. C. Create a custom App-ID and use the "ordered conditions" check box. D. Create an Application Override policy and custom threat signature for the application. 52 IT Certification Guaranteed, The Easy Way! Answer: A NO.159 What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version? A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks. B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state. C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically. D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1. Answer: A Explanation: https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-panos-81/upgradedowngrade-considerations NO.160 Which three rule types are available when defining polices in Panorama? (Choose three.) A. Clean Up Rules B. Stealth Rules C. Post Rules D. Pre Rules E. Default Rules Answer: CDE Explanation: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/managefirewalls/manage-the-rule-hierarchy NO.161 Which three steps will reduce the CPU utilization on the management plane? (Choose three.) A. Disable SNMP on the management interface. B. Application override of SSL application. C. Disable logging at session start in Security policies. D. Disable predefined reports. E. Reduce the traffic being decrypted by the firewall. Answer: ACD NO.162 Which three items are important considerations during SD-WAN configuration planning? (Choose three.) A. branch and hub locations B. link requirements C. the name of the ISP D. IP Addresses Answer: ABD 53 IT Certification Guaranteed, The Easy Way! NO.163 What are five benefits of Palo Alto Networks NGFWs (Next Generation Firewalls)? (Select the five correct answers.) A. Convenient configuration Wizard B. Comprehensive security platform designed to scale functionality over time C. Predictable throughput D. Easy-to-use GUI which is the same on all models E. Seemless integration with the Threat Intelligence Cloud F. Identical security subscriptions on all models Answer: BCDEF NO.164 Which two settings can be configured only locally on the firewall and not pushed from a Panorama template stack? (Choose two.) A. HA1 IP Address B. Master Key C. Zone Protection Profile D. Network Interface Type Answer: AB NO.165 The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalPortect Portal? A. Server Certificate B. Client Certificate C. Authentication Profile D. Certificate Profile Answer: A Explanation: Specify the network settings to enable agents to connect to the portal. If you have not yet created the network interface for the portal, see Create Interfaces and Zones for GlobalProtect for instructions. If you haven't yet created an SSL/TLS service profile for the portal, see Deploy Server Certificates to the GlobalProtect Components. https://www.paloaltonetworks.com/documentation/70/globalprotect/globalprotect-adminguide/set- up-the-globalprotect-infrastructure/set-up-access-to-the-globalprotect-portal#47470 NO.166 SAML SLO is supported for which two firewall features? (Choose two.) A. GlobalProtect Portal B. CaptivePortal C. WebUI D. CLI Answer: AB Explanation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configuresaml-authentication NO.167 A network design change requires an existing firewall to start accessing Palo Alto Updates 54 IT Certification Guaranteed, The Easy Way! from a data plane interface address instead of the management interface. Which configuration setting needs to be modified? A. Service route B. Default route C. Management profile D. Authentication profile Answer: A NO.168 VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior? A. Zone Protection B. DoS Protection C. Web Application D. Replay Answer: D Explanation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/set-up-site-to-sitevpn/set-up-an-ipsec-tunnel NO.169 True or False: One of the advantages of Single Pass Parallel Processing (SP3) is that traffic can be scanned as it crosses the firewall with minimum amount of buffering, which in turn can allow advanced features like virus/malware scanning without effecting firewall performance A. True B. False Answer: A NO.170 To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled? A. Device>Setup>Services>AutoFocus B. Device> Setup>Management >AutoFocus C. AutoFocus is enabled by default on the Palo Alto Networks NGFW D. Device>Setup>WildFire>AutoFocus E. Device>Setup> Management> Logging and Reporting Settings Answer: B NO.171 What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator? A. The URL filtering policy to Block is enforced B. It will be translated successfully C. It will be redirected to www.2600.com D. User will get "HTTP Error 503 -Service unavailable" message Answer: A 55 IT Certification Guaranteed, The Easy Way! NO.172 Which three log-forwarding destinations require a server profile to be configured? (Choose three) A. SNMP Trap B. Email C. RADIUS D. Kerberos E. Panorama F. Syslog Answer: ABF Explanation: Enable a Log Forwarding Profile (see step 4 below). 1. Select Objects > Log Forwarding Profile and Add a new security profile group. 2. Give the profile group a descriptive Name to help identify it when adding the profile to security policies or security zones. 3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems. 4. Add settings for the Traffic logs, Threat logs, and WildFire logs: Select the Panorama check box for the severity of the Traffic, Threat, or WildFire logs that you want to be forwarded to Panorama. Specify logs that you want to forward to additional destinations: SNMP Trap destinations, Email servers, or Syslog servers. 5. Click OK to save the log forwarding profile. https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/logforwarding-profiles.html NO.173 An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama? A. The Passive firewall, which then synchronizes to the active firewall B. The active firewall, which then synchronizes to the passive firewall C. Both the active and passive firewalls, which then synchronize with each other D. Both the active and passive firewalls independently, with no synchronization afterward Answer: C NO.174 Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.) A. Verify AutoFocus status using CLI. B. Check the WebUI Dashboard AutoFocus widget. C. Check for WildFire forwarding logs. D. Check the license E. Verify AutoFocus is enabled below Device Management tab. Answer: DE NO.175 Where can an administrator see both the management plane and data plane CPU utilization in the WebUI? 56 IT Certification Guaranteed, The Easy Way! A. System Utilization log B. System log C. Resources widget D. CPU Utilization widget Answer: C NO.176 When is the content inspection performed in the packet flow process? A. after the application has been identified B. before session lookup C. before the packet forwarding process D. after the SSL Proxy re-encrypts the packet Answer: A Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 NO.177 Which three firewall states are valid? (Choose three.) A. Active B. Functional C. Pending D. Passive E. Suspended Answer: ADE NO.178 Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 7.0? (Choose two.) A. VMware ESX B. AWS C. VMware NSX D. KVM Answer: AD Explanation: NO.179 A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps? A. set deviceconfig interface speed-duplex 1Gbps-full-duplex 57 IT Certification Guaranteed, The Easy Way! B. set deviceconfig system speed-duplex 1Gbps-duplex C. set deviceconfig system speed-duplex 1Gbps-full-duplex D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex Answer: C NO.180 Which hardware firewall platforms include both built-in front-to-back airflow and redundant power supplies? A. All PA-5000 and PA-7000 series firewall platforms B. All Palo Alto Networks hardware firewall platforms C. The PA-3060 firewall platform D. The PA-7000 series firewall platforms Answer: C NO.181 A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall Which part of files needs to be imported back into the replacement firewall that is using Panorama? A. Device state and license files B. Configuration and serial number files C. Configuration and statistics files D. Configuration and Large Scale VPN (LSVPN) setups file Answer: A NO.182 Which Palo Alto Networks VM-Series firewall is supported for VMware NSX? A. VM-100 B. VM-200 C. VM-1000-HV D. VM-300 Answer: C Explanation: Licenses for the VM-Series NSX Edition Firewall In order to automate the provisioning and licensing of the VM-Series NSX Edition firewall in the VMware integrated NSX solution, two license bundles are available: One bundle includes the VM-Series capacity license (VM-1000-HV only), Threat Prevention license and a premium support entitlement. Another bundle includes the VM-Series capacity license (VM-1000-HV only) with the complete suite of licenses that include Threat Prevention, GlobalProtect, WildFire, PAN-DB URL Filtering, and a premium support entitlement. https://www.paloaltonetworks.com/documentation/70/virtualization/virtualization/about-the-vmseries-firewall/license-types-vm-series-firewalls.html NO.183 A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean? A. The three-way TCP handshake was observed, but the application could not be identified. B. The three-way TCP handshake did not complete. 58 IT Certification Guaranteed, The Easy Way! C. The traffic is coming across USP, and the application could not be identified. D. Data was received but was instantly discarded because of a Deny policy was applied before App- ID could be applied. Answer: B Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC NO.184 Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.) A. TACACS+ B. Kerberos C. PAP D. LDAP E. SAML F. RADIUS Answer: ADF NO.185 People are having intermittent quality issues during a live meeting via web application. A. Use QoS profile to define QoS Classes B. Use QoS Classes to define QoS Profile C. Use QoS Profile to define QoS Classes and a QoS Policy D. Use QoS Classes to define QoS Profile and a QoS Policy Answer: C NO.186 The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong? 59 IT Certification Guaranteed, The Easy Way! A. A Certificate Profile that contains the client certificate needs to be selected. B. The source address supports only files hosted with an ftp://<address/file>. C. External Dynamic Lists do not support SSL connections. D. A Certificate Profile that contains the CA certificate needs to be selected. Answer: D Explanation: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-usingExternal-Dynamic-Lists/ta-p/190414 NO.187 How is the Forward Untrust Certificate used? A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/ B. It is used when web servers request a client certificate. C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall. D. It is used for Captive Portal to identify unknown users. Answer: C Explanation: Though a single certificate can be used for both Forward Trust and Forward Untrust, creating a separate certificate specifically for Untrust (which must be generated as a CA) allows for easy differentiation of a valid certificate/trust error as the Palo Alto Networks device proxies the secure session. Verify the CA to be blocked, keeping in mind that doing so blocks access to all sites issued by this CA. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Prevent-Access-to-EncryptedWebsites-Based-on-Certificate/ta-p/57585 60 IT Certification Guaranteed, The Easy Way! NO.188 An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust? A. Use custom certificates B. Enable LDAP or RADIUS integration C. Set up multi-factor authentication D. Configure strong password authentication Answer: A NO.189 An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS? A. Enable QoS interface B. Enable QoS in the Interface Management Profile C. Enable QoS Data Filtering Profile D. Enable QoS monitor Answer: A NO.190 What are three valid actions in a File Blocking Profile? (Choose three) A. Forward B. Block C. Alret D. Upload E. Reset-both F. Continue Answer: BCF Explanation: You can configure a file blocking profile with the following actions: Forward - When the specified file type is detected, the file is sent to WildFire for analysis. A log is also generated in the data filtering log. Block - When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log. Alert - When the specified file type is detected, a log is generated in the data filtering log. Continue - When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic. Continue-and-forward - When the specified file type is detected, a customizable continuation page is presented to the user. The user can click through the page to download the file. If the user clicks through the continue page to download the file, the file is sent to WildFire for analysis. 61 IT Certification Guaranteed, The Easy Way! A log is also generated in the data filtering log. https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/file-blockingprofiles.html NO.191 A spike in dangerous traffic is observed. Which of the following PanOS tabs would an administrator utilize to identify culpable users. A. ACC B. Monitor C. Objects D. Network E. Policies F. Device Answer: A NO.192 A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair. What allows the firewall administrator to determine the last date a failover event occurred? A. From the CLI issue use the show System log B. Apply the filter subtype eq ha to the System log C. Apply the filter subtype eq ha to the configuration log D. Check the status of the High Availability widget on the Dashboard of the GUI Answer: B NO.193 How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time? A. Configure the option for "Threshold". B. Disable automatic updates during weekdays. C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update. D. Automatically "download and install" but with the "disable new applications" option used. Answer: A NO.194 Which feature can provide NGFWs with User-ID mapping information? A. Web Captcha B. Native 802.1q authentication C. GlobalProtect D. Native 802.1x authentication Answer: C NO.195 A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS software would help in this case? A. Application override B. Redistribution of user mappings 62 IT Certification Guaranteed, The Easy Way! C. Virtual Wire mode D. Content inspection Answer: B NO.196 What is the URL for the full list of applications recognized by Palo Alto Networks? A. http://www.Applipedia.com B. http://www.MyApplipedia.com C. http://applipedia.paloaltonetworks.com D. http://applications.paloaltonetworks.com Answer: C NO.197 Which prerequisite must be satisfied before creating an SSH proxy Decryption policy? A. Both SSH keys and SSL certificates must be generated. B. No prerequisites are required. C. SSH keys must be manually generated. D. SSL certificates must be generated. Answer: B NO.198 An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make? A. 63 IT Certification Guaranteed, The Easy Way! B. 64 IT Certification Guaranteed, The Easy Way! C. D. 65 IT Certification Guaranteed, The Easy Way! E. Answer: B NO.199 If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites? A. SSL Forward Proxy B. SSL Inbound Inspection C. TLS Bidirectional proxy D. SSL Outbound Inspection Answer: A Explanation: https://live.paloaltonetworks.com/t5/Learning-Articles/Difference-Between-SSL-Forward-Proxy- and 66 IT Certification Guaranteed, The Easy Way! -Inbound-Inspection/ta-p/55553 NO.200 An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly? A. 67 IT Certification Guaranteed, The Easy Way! B. C. 68 IT Certification Guaranteed, The Easy Way! D. Answer: C NO.201 Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping? A. Microsoft Active Directory B. Microsoft Terminal Services C. Aerohive Wireless Access Point D. Palo Alto Networks Captive Portal Answer: B NO.202 Refer to the exhibit. 69 IT Certification Guaranteed, The Easy Way! Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113? A. ethernet1/6 B. ethernet1/3 C. ethernet1/7 D. ethernet1/5 Answer: D NO.203 The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080. Which NAT and security rules must be configured on the firewall? (Choose two) 70 IT Certification Guaranteed, The Easy Way! A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz- I3 zone using web-browsing application B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service. C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service. D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application. Answer: CD NO.204 A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers? A. Enable packet buffer protection on the Zone Protection Profile. B. Apply an Anti-Spyware Profile with DNS sinkholing. C. Use the DNS App-ID with application-default. D. Apply a classified DoS Protection Profile. Answer: D Explanation: "Packet Buffer Protection" is indeed an way to protect against resource exhaustion but it is not configured under "DOS Protection Profile". It is directly enabled under ZONES. NO.205 Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.) A. On the App Dependency tab in the Commit Status window B. On the Application tab in the Security Policy Rule creation window C. On the Objects > Applications browsers pages D. On the Policy Optimizer's Rule Usage page Answer: AB NO.206 Which URL Filtering Security Profile action logs the URL Filtering category to the URL 71 IT Certification Guaranteed, The Easy Way! Filtering log? A. Log B. Alert C. Allow D. Default Answer: B Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/url-filteringprofile-actions NO.207 Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.) A. Successful GlobalProtect Deployed Activity B. GlobalProtect Deployment Activity C. Successful GlobalProtect Connection Activity D. GlobalProtect Quarantine Activity Answer: BC NO.208 The firewall identifies a popular application as an unknown-tcp. Which two options are available to identify the application? (Choose two.) A. Create a custom application. B. Create a custom object for the custom application server to identify the custom application. C. Submit an Apple-ID request to Palo Alto Networks. D. Create a Security policy to identify the custom application. Answer: AC Explanation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-custom-orunknown-applications NO.209 Which protection feature is available only in a Zone Protection Profile? A. SYN Flood Protection using SYN Flood Cookies B. ICMP Flood Protection C. Port Scan Protection D. UDP Flood Protections Answer: C NO.210 If the firewall has the link monitoring configuration, what will cause a failover? 72 IT Certification Guaranteed, The Easy Way! A. ethernet1/3 and ethernet1/6 going down B. ethernet1/3 going down C. ethernet1/3 or Ethernet1/6 going down D. ethernet1/6 going down Answer: A NO.211 An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and webbrowsing. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL. Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL? A. Create a decryption rule matching the encrypted BitTorrent traffic with action "No- Decrypt," and place the rule at the top of the Decryption policy. B. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy. C. Disable the exclude cache option for the firewall. D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule. Answer: D NO.212 How does Panorama prompt VMWare NSX to quarantine an infected VM? A. HTTP Server Profile B. Syslog Server Profile C. Email Server Profile D. SNMP Server Profile Answer: A Explanation: https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vmseries-firewall-on-vmware-nsx/dynamically-quarantine-infected-guests 73 IT Certification Guaranteed, The Easy Way! NO.213 In an enterprise deployment, a network security engineer wants to assign rights to a group of administrators without creating local administrator accounts on the firewall. Which authentication method must be used? A. Kerberos B. RADlUS with Vendor-Specific Attributes C. Certificate-based authentication D. LDAP Answer: C Explanation: As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-based authentication for administrator accounts that are local to Panorama. Certificate- based authentication involves the exchange and verification of a digital signature instead of a password. https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/set-uppanorama/configure-a-panorama-administrator-with-certificate-based-authentication-for-the-webinterface NO.214 A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test? A. test security -policy- match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number B. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> C. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> D. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> test security-policy-match source Answer: A Explanation: If you know the source or destination IP address, the test command from the CLI will search the security policies and display the best match: Example: > test security-policy-match source <source IP> destination <destination IP> protocol <protocol number> The output will show which policy rule will be applied to this traffic match based on the source and destination IP addresses. https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-PolicyApplies-to-a-Traffic-Flow/ta-p/53693 NO.215 A company has started utilizing WildFire in its network. Which three file types are supported? (Choose three.) A. JARs B. PSTs 74 IT Certification Guaranteed, The Easy Way! C. PDFs D. JPGs E. EXEs Answer: ACE Explanation: https://www.paloaltonetworks.com/documentation/70/wildfire/wf_admin/wildfire-overview/ wildfire- concepts.html NO.216 What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three) A. Clean B. Bengin C. Adware D. Suspicious E. Grayware F. Malware Answer: BEF Explanation: The WildFire verdicts are: Benign, Grayware, Malware. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/log-severitylevels-and-wildfire-verdicts NO.217 Which administrative authentication method supports authorization by an external service? A. Certificates B. LDAP C. RADIUS D. SSH keys Answer: C Explanation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/firewalladministration/manage-firewall-administrators/administrative-authentication NO.218 The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match? A. 6-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone B. 5-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol C. 7-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone D. 9-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source 75 IT Certification Guaranteed, The Easy Way! Security Zone, Destination Security Zone, Application, and URL Category Answer: A NO.219 The Network Security Administrator discovers that the company's NAT-aware SIP phone system is not working properly through the Palo Alto Networks firewall, even though SIP traffic is being allowed by policy. Which configuration change can resolve this issue? A. Disable ALG within the security policy that permits SIP traffic B. Create an application override policy to assign all traffic to and from SIP phones to the sip application C. Create a security policy that allows any traffic to and from SIP phones. D. Disable ALG within the SIP application Answer: D Explanation: NO.220 Which log file can be used to identify SSL decryption failures? A. Traffic B. ACC C. Configuration D. Threats Answer: A NO.221 Which logs enable a firewall administrator to determine whether a session was decrypted? 76 IT Certification Guaranteed, The Easy Way! A. Traffic B. Security Policy C. Decryption D. Correlated Event Answer: A NO.222 Which two interface types can be used when configuring GlobalProtect Portal?(Choose two) A. Virtual Wire B. Loopback C. Layer 3 D. Tunnel Answer: BC Explanation: GlobalProtect portal requires a Layer 3 or loopback interface for GlobalProtect clients to connect to. https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-adminguide/set- up-the-globalprotect-infrastructure/create-interfaces-and-zones-for-globalprotect NO.223 Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.) A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow B. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow C. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow D. Untrust (Any) to DMZ (10.1.1.1), ssh -Allow E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow Answer: CD NO.224 Given the following diagram: 77 IT Certification Guaranteed, The Easy Way! A VPN connection has been created to allow traffic from the Trust-L3 zone of Site A to reach the Trust-L3 zone of Site B. Each site is using tunnel.1 in the Untrust-L3 zone for the VPN connection. A static route needs to be added to the default virtual router in the Site A firewall to enable traffic from Site A to reach all workstations in Site B. Which static route configuration will satisfy the requirement? A. Name: Route-to-Site-B Destination: 172.16.20.0/24 Interface: tunnel.1 Next Hop: None B. Name: Route-to-Site-B Destination: 172.16.20.0/24 Interface: none Next Hop: 192.0.0.2 C. Name: Route-to-Site-B Destination: 172.16.20.1/24 Interface: tunnel.1 Next Hop: None D. Name: Route-to-Site-B Destination: 172.16.20.0/24 Interface: ethernet1/1 Next Hop: 192.0.0.1 Answer: A Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/vpns/site-to-site-vpn-withstatic-routing NO.225 Given these tables: 78 IT Certification Guaranteed, The Easy Way! SVR1 is a webserver hosted in the DMZ zone. The FQDN of www.myserver.com is registered to an external DNS provider and resolves to 203.1.200.123 in the Untrust-L3 zone. Users in the Trust-L3 zone use the external FQDN to access SVR1. Which NAT rule will process traffic sourced from the Trust-L3 zone destined for SVR1? A. NAT2 B. NAT4 C. NAT1 D. NAT3 Answer: D Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln3CAC NO.226 A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters? A. From the CLI, issue the show counter global filter pcap yes command. B. From the CLI, issue the show counter global filter packet-filter yes command. C. From the GUI, select show global counters under the monitor tab. D. From the CLI, issue the show counter interface command for the ingress interface. Answer: B Explanation: You can check global counters for a specific source and destination IP addresses by setting a packet filter. We recommend that you use the global counter command with a packet filter to get specific traffic outputs. These outputs will help isolate the issue between two peers. Use the following CLI command to show when traffic is passing through the Palo Alto Networks firewall from that source to destination. > show counter global filter packet-filter yes delta yes Global counters: Elapsed time since last sampling: 20.220 seconds name value rate severity category aspect description -------------------------------------------------------------------------------- pkt_recv 6387398 4 info packet pktproc Packets received pkt_recv_zero 370391 0 info packet pktproc Packets received from QoS 0 Etc. https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-aspecific-source-and/ta-p/65794 NO.227 Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. 79 IT Certification Guaranteed, The Easy Way! Which Security policy rule will allow traffic to flow to the web server? A. Untrust (any) to Untrust (10.1.1.100), web browsing -Allow B. Untrust (any) to Untrust (1.1.1.100), web browsing -Allow C. Untrust (any) to DMZ (1.1.1.100), web browsing -Allow D. Untrust (any) to DMZ (10.1.1.100), web browsing -Allow Answer: C NO.228 An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS?software? A. Antivirus update package. B. Applications and Threats update package. C. User-ID agent. D. WildFire update package. Answer: B Explanation: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-panos-80/upgrade-the-firewall-to-pan-os-80/upgrade-an-ha-firewall-pair-to-pan-os-80 NO.229 What are the three key components of a successful Three Tab Demo? (Select the three correct answers.) A. Providing visibility into recently occurring threats and showing how to block those threats B. Showing how Palo Alto Networks' firewalls provide visibility into applications and control of those applications C. Presenting the information in the Network and Device tabs D. After setting match criteria in the Object tab showing how that data is presented in the logs E. Showing which users are running which applications and provide a method for controlling application access on a by user Answer: ABE 80 IT Certification Guaranteed, The Easy Way! NO.230 Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription? A. 10,000 B. 15,000 C. 7,500 D. 5,000 Answer: A NO.231 Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.) A. .dll B. .exe C. .fon D. .apk E. .pdf F. .jar Answer: DEF NO.232 The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network. Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two) A. test panoramas-connect 10.10.10.5 B. show panoramas-status C. show arp all I match 10.10.10.5 D. topdump filter "host 10.10.10.5 E. debug dataplane packet-diag set capture on Answer: BD Explanation: B: The show panorama-status command shows the Panorama connection status. Sample Output The following command shows information about the Panorama connection. username@hostname> show panorama-status Panorama Server 1 : 10.1.7.90 State : Unknown username@hostname> D: Issue The Managed Devices show not connected to Panorama and are not able to establish a new connection to Panorama. The Packet Capture on Panorama Management Interface shows SYN packets received from devices on port 3978, but no SYN ACK is sent from Panorama. > tcpdump filter "port 3978" > view-pcap mgmt-pcap mgmt.pcap 81 IT Certification Guaranteed, The Easy Way! https://live.paloaltonetworks.com/t5/Management-Articles/Managed-Devices-Unable-to-EstablishConnections-to-Panorama/ta-p/53248 https://www.paloaltonetworks.jp/content/dam/paloaltonetworks-com/en_US/assets/pdf/technicaldocumentation/pan-os-5x/CLI_Reference_Guide-Panorama-5.1_PAN-OS-5.0.pdf NO.233 Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces. Which Link Type setting will correct the error? A. Set ethernet1/21 to p2p B. Set tunnel.10 to p2p C. Set tunnel.10 to p2mp D. Set ethernet1/21 to p2mp Answer: B Explanation: We need to reconfigure the tunnel with the p2p link type. Note: Link type -Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode. References: https://www.paloaltonetworks.com/documentaiion/7l/pan-os/pan-os/vons/site-to-site-vpn-withospf NO.234 An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet. Which configuration will enable the firewall to download and install application updates 82 IT Certification Guaranteed, The Easy Way! automatically? A. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet. B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary. C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interfaced destined for the update servers goes out of the interface acting as your Internet connection. D. Configure a Security policy rule to allow all traffic to and from the update servers. Answer: B NO.235 Which three split tunnel methods are supported by a GlobalProtect Gateway? A. video streaming application B. Client Application Process C. Destination Domain D. Source Domain E. Destination user/group F. URL Category Answer: ABC Explanation: https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/globalprotectfeatures/split-tunnel-for-public-applications NO.236 An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources? A. Client Probing B. Terminal Services agent C. GlobalProtect D. Syslog Monitoring Answer: B NO.237 A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment? A. The two devices must share a routable floating IP address B. The two devices may be different models within the PA-5000 series C. The HA1 IP address from each peer must be on a different subnet D. The management port may be used for a backup control connection Answer: D Explanation: Set up the backup control link connection. 1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section. 2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask. 83 IT Certification Guaranteed, The Easy Way! Note: Use the management port for the HA1 link. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/high-availability/configureactive-passive-ha NO.238 Starting with PAN-OS version 9.1, application dependency information is now reported in which two new locations? (Choose two.) A. on the App Dependency tab in the Commit Status window B. on the Policy Optimizer's Rule Usage page C. on the Application tab in the Security Policy Rule creation window D. on the Objects > Applications browser pages Answer: AC NO.239 Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application? A. GlobalProtect version 4.0 with PAN-OS 8.1 B. GlobalProtect version 4.1 with PAN-OS 8.1 C. GlobalProtect version 4.1 with PAN-OS 8.0 D. GlobalProtect version 4.0 with PAN-OS 8.0 Answer: B Explanation: https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-newfeatures/new-features-released-in-gp-agent-4_1/split-tunnel-for-public-applications NO.240 A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products? A. Pre Rules B. Post Rules C. Explicit Rules D. Implicit Rules Answer: B Explanation: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/134/ 1/ Panorama-Design-Planning.pdf NO.241 An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates? A. A scheduler will need to be configured for application signatures. B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers. C. A Threat Prevention license will need to be installed. 84 IT Certification Guaranteed, The Easy Way! D. A service route will need to be configured. Answer: A Explanation: The MGMT interface does not use Security Policies. A Service Route is needed if you are using interfaces other than the MGMT interface. NO.242 SD-WAN is designed to support which two network topology types? (Choose two.) A. point-to-point B. hub-and-spoke C. full-mesh D. ring Answer: BC Explanation: http://www.paloguard.com/datasheets/sd-wan.pdf NO.243 Which feature prevents the submission of corporate login information into website forms? A. Data filtering B. User-ID C. File blocking D. Credential phishing prevention Answer: D NO.244 A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked? A. Block all unauthorized applications using a security policy. B. Block all known internal custom applications. C. Create a File Blocking Profile that blocks Layer 4 and Layer 7 attacks. D. Create a WildFire Analysis Profile that blocks Layer4 and Layer 7 attacks. Answer: C Explanation: The firewall uses file blocking profiles two ways: to forward files to WildFire for analysis or to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type. This allows the user to take a moment to consider whether or not they want to download a file. Incorrect Answers: D: Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction (upload or download). https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/file-blocking-profiles 85 IT Certification Guaranteed, The Easy Way! NO.245 A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface. Which interface type and configuration setting will support this design? A. Layer 3 subinterface type with specified tag B. Layer 3 interface type with specified tag C. Trunk interface type with specified lag D. Layer 2 interface type with a VLAN assigned Answer: A Explanation: The interface ethernet1/15 is configured as a layer 3 interface. Subinterfaces corresponding to each one of the VLAN are created off of the parent interface Ethernet 1/15. Each subinterface is assigned a VLAN tag and an IP address corresponding to the VLAN provides connectivity. Note: Inter VLAN routing with each VLAN in a unique IP subnet In order for network devices in different VLANs to communicate, a router must be used to route traffic between the VLANs. While VLANs help to control local traffic, if a device in one VLAN needs to communicate with a device in another VLAN, one or more routers must be used for inter VLAN communication. In this configuration a Palo Alto networks firewall can used to securely route traffic within the VLAN. This is also commonly called "one arm routing" or "router on a stick". NO.246 What does App-ID inspect to identify an application? A. Source IP B. Source Port C. TTL D. Data Payload E. Hash F. Encryption Key Answer: D NO.247 Refer to the exhibit. 86 IT Certification Guaranteed, The Easy Way! An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct? A. B. 87 IT Certification Guaranteed, The Easy Way! C. D. 88 IT Certification Guaranteed, The Easy Way! Answer: A NO.248 Based on the image, what caused the commit warning? 89 IT Certification Guaranteed, The Easy Way! A. The CA certificate for FWDtrust has not been imported into the firewall. B. The FWDtrust certificate has not been flagged as Trusted Root CA. C. SSL Forward Proxy requires a public certificate to be imported into the firewall. D. The FWDtrust certificate does not have a certificate chain. Answer: D NO.249 What can missing SSL packets when performing a packet capture on dataplane interfaces? A. The packets are hardware offloaded to the offloaded processor on the dataplane B. The missing packets are offloaded to the management plane CPU C. The packets are not captured because they are encrypted D. There is a hardware problem with offloading FPGA on the management plane Answer: A NO.250 After Migrating from an ASA firewall to a Palo Alto Networks Firewall, the VPN connection between a remote network and the Palo Alto Networks Firewall is not establishing correctly. The following entry is appearing in the logs: Pfs group mismatched: my:0 peer:2 Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message? A. Update- the IPSec Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs. B. Update the IKE Crypto profile for the Vendor IKE gateway from no pfs to group2. 90 IT Certification Guaranteed, The Easy Way! C. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no pfs D. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2. Answer: D NO.251 If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server? A. TLS Bidirectional Inspection B. SSL Inbound Inspection C. SSH Forward Proxy D. SMTP Inbound Decryption Answer: B Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-sslinbound-inspection NO.252 Which two methods can be configured to validate the revocation status of a certificate? (Choose two.) A. CRL B. CRT C. OCSP D. Cert-Validation-Profile E. SSL/TLS Service Profile Answer: AC Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/certificate-management/setup-verification-for-certificate-revocation-status NO.253 Refer to Exhibit. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC? A. 172.20.30.1 B. 172.20.40.1 C. 172.20.20.1 D. 172.20.10.1 Answer: C NO.254 Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log? 91 IT Certification Guaranteed, The Easy Way! A. web-browsing and 443 B. SSL and 80 C. SSL and 443 D. web-browsing and 80 Answer: A NO.255 Which two events trigger the operation of automatic commit recovery? (Choose two.) A. when an aggregate Ethernet interface component fails B. when Panorama pushes a configuration C. when a firewall performs a local commit D. when a firewall HA pair fails over Answer: BC NO.256 An administrator wants to upgrade an NGFW from PAN-OS 7.1.2 to PAN-OS 8.0.2. The firewall is not a part of an HA pair. What needs to be updated first? A. Applications and Threats B. XML Agent C. WildFire D. PAN-OS Upgrade Agent Answer: A Explanation: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/upgrade-to-pan-os80/upgrade-the-firewall-to-pan-os-80/upgrade-a-firewall-to-pan-os-80 NO.257 An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted? A. In the details of the Traffic log entries B. Decryption log C. Data Filtering log D. In the details of the Threat log entries Answer: A NO.258 An administrator needs to optimize traffic to prefer business-critical applications over noncritical applications. QoS natively integrates with which feature to provide service quality? A. Port Inspection B. Certificate revocation C. Content-ID D. App-ID Answer: D 92 IT Certification Guaranteed, The Easy Way! NO.259 A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server. Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080. A. application: web-browsing; service: application-default B. application: web-browsing; service: service-https C. application: ssl; service: any D. application: web-browsing; service: (custom with destination TCP port 8080) Answer: A NO.260 Which three options are available when creating a security profile? (Choose three) A. Anti-Malware B. File Blocking C. Url Filtering D. IDS/ISP E. Threat Prevention F. Antivirus Answer: BCF Explanation: Using the URL Category as match criteria allows you to customize security profiles (antivirus, antispyware, vulnerability, file-blocking, Data Filtering, and DoS) on a per-URL-category basis. NO.261 Which field is optional when creating a new Security Police rule? A. Description B. Destination Zone C. Action D. Name E. Source Zone Answer: A Explanation: The optional fields are: Description, Tag, Source IP Address and Destionation IP Address. https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/components-of-asecurity-policy-rule#_43864 NO.262 Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two) A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes B. Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode. C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes. D. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector mode. E. Log in the Panorama CLI of the dedicated Log Collector 93 IT Certification Guaranteed, The Easy Way! Answer: BE Explanation: Step 1 (E): Access the Command Line Interface (CLI) on the M-100 appliance. When prompted, log in to the appliance. Step 2 (B): Switch from Panorama Mode to Log Collector Mode. 1. To switch to Log Collector mode, enter the following command: request system logger-mode logger 2. Enter Yes to confirm the change to Log Collector mode. The appliance will reboot. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the default admin account and the password assigned during initial configuration. https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-uppanorama/set-up-the-m-100-appliance#91340 NO.263 What are the main benefits of WildFire? (Select the three correct answers.) A. WildFire gathers information from possible threats detected by both NGFWs and Endpoints. B. It's a sandboxing environment that can detect malware by observing the behavior of unknown files. C. By using Palo Alto Networks' proprietary cloud-based architecture, quarantine holds on suspicious files are typically reduced to less than 30 seconds. D. By collecting and distributing malware signatures from every major anti-virus vendor, WildFire can provide comprehensive protection. E. Signatures for identified malware are quickly distributed globally to all Palo Alto Networks' customers' firewalls. Answer: BDE NO.264 A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address? A. Add an Anti-Spyware Profile to block attacking IP address B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server C. Add QoS Profiles to throttle incoming requests D. Add a tuned DoS Protection Profile Answer: D NO.265 Which CLI command displays the current management plan memory utilization? A. > show system info B. > show system resources C. > debug management-server show D. > show running resource-monitor Answer: B Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-CommandDisplays-CPU-Utilization-of-9999/ta-p/58149 94 IT Certification Guaranteed, The Easy Way! NO.266 A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny". Which action will this cause configuration on the matched traffic? A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny". B. The configuration will allow the matched session unless a vulnerability is detected. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile. C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit. D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny." Answer: D Explanation: "Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-profiles.html# NO.267 How are IPV6 DNS queries configured to user interface ethernet1/3? A. Network > Virtual Router > DNS Interface B. Objects > CustomerObjects > DNS C. Network > Interface Mgrnt D. Device > Setup > Services > Service Route Configuration Answer: D Explanation: Configure the service routes. 1. Select Device > Setup > Services > Global and click Service Route Configuration. Note: For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates, WildFire, and AutoFocus. 2. Click the Customize radio button, and select one of the following: For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured. https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/set-upnetwork-access-for-external-services NO.268 An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware monitors behavior without the user's knowledge. What is the expected verdict from WildFire? A. Malware B. Grayware C. Phishing D. Spyware 95 IT Certification Guaranteed, The Easy Way! Answer: B NO.269 Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?" A. Descendant objects will take precedence over other descendant objects. B. Descendant objects will take precedence over ancestor objects. C. Ancestor objects will have precedence over descendant objects. D. Ancestor objects will have precedence over other ancestor objects. Answer: C NO.270 When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall? A. When configuring Certificate Profiles B. When configuring GlobalProtect portal C. When configuring User Activity Reports D. When configuring Antivirus Dynamic Updates Answer: D NO.271 Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address? A. Set the type to Aggregate, clear the session's box and set the Maximum concurrent Sessions to 4000. B. Set the type to Classified, clear the session's box and set the Maximum concurrent Sessions to 4000. C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000. D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000. Answer: C NO.272 Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.) A. Kerberos B. PAP C. SAML D. TACACS+ E. RADIUS F. LDAP Answer: CDE Explanation: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/managefirewall-administrators/administrative-authentication 96 IT Certification Guaranteed, The Easy Way! NO.273 During the packet flow process, which two processes are performed in application identification? (Choose two.) A. Pattern based application identification B. Application override policy match C. Application changed from content inspection D. Session application identified. Answer: AB Explanation: http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309 NO.274 A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report? A. Blocked Activity B. Bandwidth Activity C. Threat Activity D. Network Activity Answer: D Explanation: The Network Activity tab of the Application Command Center (ACC) displays an overview of traffic and user activity on your network including: Top applications in use Top users who generate traffic (with a drill down into the bytes, content, threats or URLs accessed by the user) Most used security rules against which traffic matches occur In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the devices most commonly used on the network. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/acc-tabs.html NO.275 Which interface configuration will accept specific VLAN IDs? A. Tab Mode B. Subinterface C. Access Interface D. Trunk Interface Answer: B Explanation: You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/intrface.ht ml NO.276 Wildfire may be used for identifying which of the following types of traffic? A. Malware B. DNS 97 IT Certification Guaranteed, The Easy Way! C. DHCP D. URL Content Answer: A NO.277 A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy? A. Configure ECMP to handle matching NAT traffic B. Configure a NAT Policy rule with Dynamic IP and Port C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi- directional option D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bidirectional option Answer: C Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/natconfiguration- examples NO.278 A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. The company's network engineers made configuration changes to the switches on both network segments, and connected them to the new firewall. Soon after the cutover, however, users began to complain about latency and some servers stopped communicating. There are no security policies that deny traffic between the two network segments. You suspect that there is an interface misconfiguration on ethernet1/1. Which two commands should be used to troubleshoot the issue? (Choose two.) A. show interface management B. show interface ethernet1/1 C. show interface logical D. show interface hardware Answer: BC NO.279 Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user? A. syslog listening B. server monitoring C. client probing D. port mapping Answer: A NO.280 Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.) A. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions 98 IT Certification Guaranteed, The Easy Way! B. Configure a RADIUS server profile to point to a domain controller C. Enable User-ID on the zone object for the source zone D. Enable User-ID on the zone object for the destination zone E. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions Answer: AC NO.281 Which CLI command can be used to export the tcpdump capture? A. scp export tcpdump from mgmt.pcap to <username@host:path> B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path> C. scp export mgmt-pcap from mgmt.pcap to <username@host:path> D. download mgmt.-pcap Answer: C NO.282 Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.) A. Short message service B. Push C. User logon D. Voice E. SSH key F. One-Time Password Answer: ABDF Explanation: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configuremulti-factor-authentication NO.283 A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab. What could cause this condition? A. The firewall does not have an active WildFire subscription. B. The engineer's account does not have permission to view WildFire Submissions. C. A policy is blocking WildFire Submission traffic. D. Though WildFire is working, there are currently no WildFire Submissions log entries. Answer: B NO.284 A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. The company's engineers made configuration changes to the switches on both network segments, and connected them to the new firewall. Soon after the cutover, however, users began to complain about latency and some servicers stopped communicating. There are no security policies that deny traffic between the two networks segments. You suspect that there is an interface misconfiguration on Ethernet 1/1. Which two commands should be used to troubleshoot the issue? (Choose two) 99 IT Certification Guaranteed, The Easy Way! A. show interface hardware B. show interface management C. show interface ethernet1/1 D. show interface logical Answer: CD NO.285 Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.) A. Content-ID B. User-ID C. Applications and Threats D. Antivirus Answer: CD NO.286 A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information. - Users outside the company are in the "Untrust-L3" zone - The web server physically resides in the "Trust-L3" zone. - Web server public IP address: 23.54.6.10 - Web server private IP address: 192.168.1.10 Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two) A. Untrust-L3 for both Source and Destination zone B. Destination IP of 192.168.1.10 C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone D. Destination IP of 23.54.6.10 Answer: AD NO.287 Which three rule types are available when defining policies in Panorama? (Choose three.) A. Pre Rules B. Post Rules C. Default Rules D. Stealth Rules E. Clean Up Rules Answer: ABC Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/panorama-webinterface/defining-policies-on-panorama NO.288 PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC). Which license must the firewall have to obtain new correlation objectives? A. Application Center B. URL Filtering 100 IT Certification Guaranteed, The Easy Way! C. GlobalProtect D. Threat Prevention Answer: D NO.289 What is the purpose of the firewall decryption broker? A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools. B. force decryption of previously unknown cipher suites C. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools. D. inspect traffic within IPsec tunnels Answer: A Explanation: https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/decryptionfeatures/decryption-broker NO.290 When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log. What will be the destination IP address in that log entry? A. The IP address specified in the sinkhole configuration. B. The IP address of the command-and-control server. C. The IP address of sinkhole.paloaltonetworks.com D. The IP address of one of the external DNS servers identified in the anti-spyware database. Answer: A Explanation: Change the "Action on DNS queries" to 'sinkhole'. Click in the Sinkhole IPv4 field and type in the fake IP. The example here shows using 1.1.1.1 for simplicity, but as long as this fake IP is not used inside of the network, then it should be Ok. Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP (71.19.152.112). 101 IT Certification Guaranteed, The Easy Way! https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/tap/58891 NO.291 Given the following table. Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network? A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int. B. Configuring the metric for RIP to be higher than that of OSPF Int. C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext. 102 IT Certification Guaranteed, The Easy Way! D. Configuring the metric for RIP to be lower than that OSPF Ext. Answer: A Explanation: The best route is then selected among them based on Administrative Distance (AD) value of routing protocols which routes came from and that route is marked with flag A, stating that it is the Active route. Administrative distance (AD) is an arbitrary numerical value assigned to dynamic routes, static routes and directly-connected routes. The value is used by vendor-specific routers to rank routes from most preferred to least preferred. When multiple paths to the same destination are available, the router uses the route with the lowest administrative distance and inserts the preferred route into its routing table. https://live.paloaltonetworks.com/t5/Management-Articles/Routing-Table-has-Multiple-Prefixes- for -the-Same-Route/ta-p/54781 NO.292 An administrator needs to upgrade an NGFW to the most current version of PANOS?software. The following is occurring: - Firewall has internet connectivity through e 1/1. - Default security rules and security rules allowing all SSL and webbrowsing traffic to and from any zone. - Service route is configured, sourcing update traffic from e1/1. - A communication error appears in the System logs when updates are performed. - Download does not complete. What must be configured to enable the firewall to download the current version of PAN-OS software? A. Static route pointing application PaloAlto-updates to the update servers B. Security policy rule allowing PaloAlto-updates as the application C. Scheduler for timed downloads of PAN-OS software D. DNS settings for the firewall to use for resolution Answer: D NO.293 What are the major families of file types now supported by Wildfire in PAN-OS 7.0? A. All executable files and all files with a MIME type B. All executable files, PDF files, Microsft Office files and Adobe Flash applets C. PE files, Microsoft Office, PDF, Java applets, APK, and Flash D. All executable files, PDF files and Microsft Office files Answer: C NO.294 What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.) A. The management interfaces must be on the same network. B. The firewalls must have the same set of licenses. C. The peer HA1 IP address must be the same on both firewalls. 103 IT Certification Guaranteed, The Easy Way! D. HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device. Answer: BC Explanation: To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements: The same set of licenses --Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover. The same type of interfaces --Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA. Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch. Etc. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/highavailability/prerequisites-for-active-passive-ha#_74574 NO.295 Which three options does the WF-500 appliance support for local analysis? (Choose three) A. E-mail links B. APK files C. jar files D. PNG files E. Portable Executable (PE) files Answer: ACE Explanation: 104 IT Certification Guaranteed, The Easy Way! NO.296 Panorama provides which two SD-WAN functions? (Choose two.) A. network monitoring B. control plane C. data plane D. physical network links Answer: BC Explanation: How Does SD-WAN Work? Traditional WANs rely on physical routers to connect remote or branch users to applications hosted on data centers. Each router has a [data plane], which holds the information, and a [control plane], which tells the data where to go. Where data flows is typically determined by a network engineer or administrator who writes rules and policies, often manually, for each router on the network - a process that can be time-consuming and prone to errors. SD-WAN separates the control and management processes from the underlying networking hardware, making them available as software that can be easily configured and deployed. A centralized control pane means network administrators can write new rules and policies, and then 105 IT Certification Guaranteed, The Easy Way! configure and deploy them across an entire network at once. https://www.paloaltonetworks.com/cyberpedia/what-is-a-sd-wan NO.297 Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.) A. .dll B. .exe C. .src D. .apk E. .pdf F. .jar Answer: DEF NO.298 An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.) A. WildFire updates B. NAT C. NTP D. antivirus E. File blocking Answer: BDE NO.299 A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two) A. Panorama virtual appliance on ESX(i) only B. M-500 C. M-100 with Panorama installed D. M-100 Answer: BD NO.300 Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website? A. URL Filtering profile B. Zone Protection profile C. Anti-Spyware profile D. Vulnerability Protection profile Answer: A NO.301 If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are recorded in which log type? A. Data Filtering B. WildFire Submissions C. Threat 106 IT Certification Guaranteed, The Easy Way! D. Traffic Answer: C NO.302 What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.) A. Rule Usage Hit counter will not be reset B. Highlight Unused Rules will highlight all rules. C. Highlight Unused Rules will highlight zero rules. D. Rule Usage Hit counter will reset. Answer: AB NO.303 Which data flow describes redistribution of user mappings? A. User-ID agent to firewall B. Domain Controller to User-ID agent C. User-ID agent to Panorama D. firewall to firewall Answer: D Explanation: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/configure-firewalls-toredistribute-user-mapping-informatio NO.304 YouTube videos are consuming too much bandwidth on the network, causing delays in mission- critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall: - ethernet 1/1, Zone: Untrust (Internet-facing) - ethernet 1/2, Zone: Trust (client-facing) A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet 1/1 has a QoS profile called Outbound, and interface Ethernet 1/21 has a QoS profile called Inbound. Which setting for Class 6 will throttle YouTube traffic? A. Outbound profile with Guaranteed Ingress B. Inbound profile with Maximum Egress C. Inbound profile with Guaranteed Egress D. Outbound profile with Maximum Ingress Answer: B Explanation: Identify the egress interface for applications that you identified as needing QoS treatment. The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface. https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configureqos NO.305 Which CLI command enables an administrator to view details about the firewall including 107 IT Certification Guaranteed, The Easy Way! uptime, PAN-OS?version, and serial number? A. debug system details B. show session info C. show system info D. show system details Answer: C Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZuCAK NO.306 Which two statements accurately describe how DoS Protection Profiles and Policies mitigate attacks? (Choose two.) A. They mitigate against volumetric attacks by leveraging known vulnerabilities, brute force methods, amplification, spoofing, and other vulnerabilities. B. They mitigate against attacks on a zone basis by providing reconnaissance protection against TCP/ UDP port scans and host sweeps. C. They mitigate against attacks by providing resource protection by limiting the number of sessions that can be used. D. They mitigate against attacks by utilizing "random early drop". Answer: CD Explanation: DOS In addition to flood protection, we also offer resources protection. This type of protection enforces a quota for your hosts. It restricts the maximum number of sessions allowed for a particular source IP address, destination IP address or IP source-destination pair. ZONE PROTECTION Zone protection policies allow the use of flood protection and have the ability to protect against port scanning\sweeps and packet based attacks. A few examples are IP spoofing, fragments, overlapping segments, reject tcp-non-syn. NO.307 A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.) A. ae.8 B. aggregate.1 C. ae.1 D. aggregate.8 Answer: AC NO.308 An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.) A. View Runtime Stats in the virtual router. B. View System logs. C. Add a redistribution profile to forward as BGP updates. 108 IT Certification Guaranteed, The Easy Way! D. Perform a traffic pcap at the routing stage. Answer: AB NO.309 Which three authentication factors does PAN-OS@software support for MFA? (Choose three.) A. Push B. Pull C. Okta Adaptive D. Voice E. SMS Answer: ADE NO.310 Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server? A. port mapping B. server monitoring C. client probing D. XFF headers Answer: A 109
