Block 2 Flashcards

1
Q

58- Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

A. Configure a Decryption Profile and select SSL/TLS services.
B. Set up SSL/TLS under Policies > Service/URL Category > Service.
C. Set up Security policy rule to allow SSL communication.
D. Configure an SSL/TLS Profile.

A

D. Configure an SSL/TLS Profile.

2
Q

59- Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?
A. ACC
B. System Logs
C. App Scope
D. Session Browser

A

D. Session Browser

3
Q

60- Which protection feature is available only in a Zone Protection Profile?
A. SYN Flood Protection using SYN Flood Cookies
B. ICMP Flood Protection
C. Port Scan Protection
D. UDP Flood Protections

A

C. Port Scan Protection

4
Q

61- Which CLI command can be used to export the tcpdump capture?

A. scp export tcpdump from mgmt.pcap to <username@host:path>
B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
D. download mgmt-pcap

A

C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>

5
Q

62- An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.

A

A. A scheduler will need to be configured for application signatures.

6
Q

63- Which three options are supported in HA Lite? (Choose three.)

A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization

A

B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization

7
Q

64- Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

A. debug system details
B. show session info
C. show system info
D. show system details

A

C. show system info

8
Q

65-During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. Pattern based application identification
B. Application override policy match
C. Application changed from content inspection
D. Session application identified

A

A. Pattern based application identification
B. Application override policy match

9
Q

66-Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

A. Session Browser
B. Application Command Center
C. TCP Dump
D. Packet Capture

A

B. Application Command Center

10
Q

68- Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

A. Disable SNMP on the management interface.
B. Application override of SSL application.
C. Disable logging at session start in Security policies.
D. Disable predefined reports.
E. Reduce the traffic being decrypted by the firewall.

A

A. Disable SNMP on the management interface.

C. Disable logging at session start in Security policies.

D. Disable predefined reports.

11
Q

69-Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?

A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile

A

A. URL Filtering profile

12
Q

70-How can a candidate or running configuration be copied to a host external from Panorama?

A. Commit a running configuration.
B. Save a configuration snapshot.
C. Save a candidate configuration.
D. Export a named configuration snapshot.

A

D. Export a named configuration snapshot.

13
Q

71-If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?

SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
SSL Outbound Inspection

A

SSL Forward Proxy

14
Q

72-An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

A. Create a custom App-ID and enable scanning on the advanced tab.
B. Create an Application Override policy.
C. Create a custom App-ID and use the ordered conditions check box.
D. Create an Application Override policy and a custom threat signature for the application.

A

A. Create a custom App-ID and enable scanning on the advanced tab.

15
Q

73-The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

A. View the System logs and look for the error messages about BGP.
B. Perform a traffic pcap on the NGFW to see any BGP problems.
C. View the Runtime Stats and look for problems with BGP configuration.
D. View the ACC tab to isolate routing issues.

A

A. View the System logs and look for the error messages about BGP.

C. View the Runtime Stats and look for problems with BGP configuration.

16
Q

74- An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

A. View Runtime Stats in the virtual router.
B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. Perform a traffic pcap at the routing stage.

A

A. View Runtime Stats in the virtual router.
B. View System logs.

17
Q

75-Which three firewall states are valid? (Choose three.)

A. Active
B. Functional
C. Pending
D. Passive
E. Suspended

A

A. Active
D. Passive
E. Suspended

18
Q

76-Which virtual router feature determines if a specific destination IP address is reachable?

A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path

A

C. Path Monitoring

19
Q

77-An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

A. Decryption Mirror interface with the Threat Analysis license
B. Virtual Wire interface with the Decryption Port Export license
C. Tap interface with the Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license

A

D. Decryption Mirror interface with the associated Decryption Port Mirror license

20
Q

78-When is the content inspection performed in the packet flow process?

A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet

A

A. after the application has been identified

21
Q

79-An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?

A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries

A

A. In the details of the Traffic log entries

22
Q

80-An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus

A

A. Vulnerability Protection

23
Q

81-Which processing order will be enabled when a Panorama administrator selects the setting Objects defined in ancestors will take higher precedence?

A. Descendant objects will take precedence over other descendant objects.
B. Descendant objects will take precedence over ancestor objects.
C. Ancestor objects will have precedence over descendant objects.
D. Ancestor objects will have precedence over other ancestor objects.

A

C. Ancestor objects will have precedence over descendant objects.

24
Q

82-An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication

A

A. Use custom certificates

25
Q

85-A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

A. Rule #1: application: web-browsing; service: application-default; action: allow
Rule #2: application: ssl; service: application-default; action: allow

B. Rule #1: application: web-browsing; service: service-http; action: allow
Rule #2: application: ssl; service: application-default; action: allow

C. Rule #1: application: ssl; service: application-default; action: allow
Rule #2: application: web-browsing; service: application-default; action: allow

D. Rule #1: application: web-browsing; service: service-https; action: allow
Rule #2: application: ssl; service: application-default; action: allow

A

D. Rule #1: application: web-browsing; service: service-https; action: allow
Rule #2: application: ssl; service: application-default; action: allow

26
Q

86-Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

A. The firewall is in multi-vsys mode.
B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.
D. The firewall’s DP CPU is higher than 50%.

A

B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.

27
Q

87-A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

A. application override
B. Virtual Wire mode
C. content inspection
D. redistribution of user mappings

A

D. redistribution of user mappings

28
Q

88 - An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in the cloud). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

A. Use config-drive on a USB stick.
B. Use an S3 bucket with an ISO.
C. Create and attach a virtual hard disk (VHD).
D. Use a virtual CD-ROM with an ISO.

A

D. Use a virtual CD-ROM with an ISO.

29
Q

89-Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a No Decrypt action? (Choose two.)

A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing

A

A. Block sessions with expired certificates

D. Block sessions with untrusted issuers

30
Q

90-Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

A. port mapping
B. server monitoring
C. client probing
D. XFF headers

A

A. port mapping

31
Q

91-Which feature can be configured on VM-Series firewalls?

A. aggregate interfaces
B. machine learning
C. multiple virtual systems
D. GlobalProtect

A

D. GlobalProtect

32
Q

92-In High Availability, which information is transferred via the HA data link?
HA datalink = HA2

A. session information
B. heartbeats
C. HA state information
D. User-ID information

A

A. session information

33
Q

93-The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

A. Create a custom application.
B. Create a custom object for the custom application server to identify the custom application.
C. Submit an App-ID request to Palo Alto Networks.
D. Create a Security policy to identify the custom application.

A

A. Create a custom application.

C. Submit an App-ID request to Palo Alto Networks.

34
Q

94-If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption

A

B. SSL Inbound Inspection

35
Q

95-A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?
Zone Protection profile >> zone
DoS Protection profile >> DoS Protection policy

A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
B. Add a Vulnerability Protection Profile to block the attack.
C. Add QoS Profiles to throttle incoming requests.
D. Add a DoS Protection Profile with defined session count.

A

D. Add a DoS Protection Profile with defined session count.

36
Q

96-Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

A. Verify AutoFocus status using the CLI test command.
B. Check the WebUI Dashboard AutoFocus widget.
C. Check for WildFire forwarding logs.
D. Check the license.
E. Verify AutoFocus is enabled below Device > Management tab.

A

D. Check the license.
E. Verify AutoFocus is enabled below Device > Management tab.

37
Q

97-Which CLI command enables an administrator to check the CPU utilization of the dataplane?

A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources

A

A. show running resource-monitor

38
Q

98-Which DoS protection mechanism detects and prevents session exhaustion attacks?

A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection

A

C. Resource Protection

39
Q

99-Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)

A. Content-ID
B. User-ID
C. Applications and Threats
D. Antivirus

A

C. Applications and Threats
D. Antivirus

40
Q

101- Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

A. TACACS+
B. Kerberos
C. PAP
D. LDAP
E. SAML
F. RADIUS

A

A. TACACS+
E. SAML
F. RADIUS

41
Q

102-What is exchanged through the HA2 link?
HA2 = HA data link

A. hello heartbeats
B. User-ID information
C. session synchronization
D. HA state information

A

C. session synchronization

42
Q

103-Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

A. Both SSH keys and SSL certificates must be generated.
B. No prerequisites are required.
C. SSH keys must be manually generated.
D. SSL certificates must be generated.

A

B. No prerequisites are required.

43
Q

104-A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)

A. ae.8
B. aggregate.1
C. ae.1
D. aggregate.8

A

A. ae.8

C. ae.1

44
Q

105-Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

A. Push
B. Pull
C. Okta Adaptive
D. Voice
E. SMS

A

A. Push
D. Voice
E. SMS

45
Q

106 -VPN traffic intended for an administrator’s firewall is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

A. Zone Protection
B. Replay
C. Web Application
D. DoS Protection

A

B. Replay

46
Q

108-An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

A. Enable QoS interface
B. Enable QoS in the Interface Management Profile
C. Enable QoS Data Filtering Profile
D. Enable QoS monitor

A

A. Enable QoS interface

47
Q

109-Which log file can be used to identify SSL decryption failures?

A. Traffic
B. ACC
C. Configuration
D. Threats

A

A. Traffic

48
Q

110-A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)

A. tunnel.1
B. vpn-tunnel.1
C. tunnel.1025
D. vpn-tunnel.1024

A

A. tunnel.1

C. tunnel.1025

49
Q

112 - An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates automatically?

A. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.

B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.

C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your Internet connection.

D. Configure a Security policy rule to allow all traffic to and from the update servers.

A

B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.

50
Q

113-A company wants to install an NGFW between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?

A. Create V-Wire objects with two V-Wire interfaces and define a range of 0-4096 in the Tag Allowed field of the V-Wire object.

B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.

D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

A

B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.