Exam Domain 4 – Configuration Troubleshooting Flashcards
157. If users cannot access their Gmail accounts through the firewall, which log and filter do you use to troubleshoot the problem? A. Traffic, (app eq gmail) B. Traffic, (app in gmail) C. Configuration, (app eq gmail) D. Configuration, (app in gmail)
A. Traffic, (app eq gmail)
158. You cannot access the firewall web interface. From the firewall CLI, how do you check to see if the web service is running?
A. ps -aux | grep appweb
B. ps -aux | match appweb
C. show system software status | grep appweb
D. show system software status | match appweb
D. show system software status | match appweb
159. Which firewall log displays information about connection failures to an external LDAP authentication server? A. Traffic B. System C. User-ID D. Authentication
B. System
160. Which Security Profile does not have a packet capture option? A. Antivirus B. Anti-spyware C. Vulnerability Protection D. URL Filtering
D. URL Filtering
161. On a PA-7080, which feature do you need to disable to use packet capture? A. NAT B. hardware offload C. hardware acceleration D. decryption
B. hardware offload
162. When must you use tcpdump to capture traffic on the next-generation firewall? A. on tunnel interface traffic B. on data-plane interfaces C. on the management interface D. on IPsec negotiation traffic
B. on data-plane interfaces
163. Where in the firewall web interface can you see whether any sessions are going through a specific interface?
A. Dashboard
B. Application Command Center (ACC)
C. Session Log node on the Monitor tab
D. Session Browser node on the Monitor tab
D. Session Browser node on the Monitor tab
164. Communication through a specific interface works most of the time but fails when traffic throughput is at its highest. Which policy do you consult to identify the problem?
A. Security
B. DoS Protection
C. QoS
D. Application Override
B. DoS Protection
165. Which interface type allows you to add a firewall with the least disruption to a network? A. Tap B. Layer 3 C. Layer 2 D. Virtual Wire
D. Virtual Wire
166. Why would SSL decryption that has been working for a customer suddenly stop?
A. The firewall’s CA certificate expired.
B. The firewall’s IP address, which is encoded in the certificate, changed.
C. The firewall has been upgraded to a different model.
D. The firewall’s decryption subscription expired.
A. The firewall’s CA certificate expired.
167. A company uses a small SaaS application provider. This application is accessed through HTTPS but suddenly stops working through the firewall. However, when the application is accessed from home, users receive an error about the certificate. Which two situations would explain this behavior? (Choose two.)
A. The SaaS’s certificate had expired. The firewall’s decryption policy is configured to block connections with expired certificates.
B. The SaaS’s certificate had expired. The firewall’s decryption policy is configured to use the untrusted CA with expired certificates.
C. The SaaS’s certificate was replaced with one whose certificate authority is not known to the firewall. The firewall’s decryption policy is configured to block connections with certificates whose CA is not trusted.
D. The SaaS’s certificate was replaced with one whose certificate authority is not known to the firewall. The firewall’s decryption policy is configured to use the untrusted certificate for certificates whose CA is not trusted.
E. The firewall’s own CA certificate needs to be updated.
A. The SaaS’s certificate had expired. The firewall’s decryption policy is configured to block connections with expired certificates.
C. The SaaS’s certificate was replaced with one whose certificate authority is not known to the firewall. The firewall’s decryption policy is configured to block connections with certificates whose CA is not trusted.
168. Which encryption algorithm is not supported by the firewall and causes the firewall to drop the connection? A. DES B. 3DES C. AES252-CBC D. AES256-GCM
A. DES
169. Which condition could be a symptom of a certificate chain-of-trust issue?
A. The firewall no longer decrypts HTTPS traffic.
B. The firewall no longer decrypts HTTPS traffic from a specific site.
C. The firewall still decrypts HTTPS traffic from all sites, but it re-encrypts it using the Forward Untrust certificate instead of the Forward Trust certificate.
D. The firewall still decrypts HTTPS traffic from a specific site, but it re-encrypts it using the Forward Untrust certificate instead of the Forward Trust certificate.
D. The firewall still decrypts HTTPS traffic from a specific site, but it re-encrypts it using the Forward Untrust certificate instead of the Forward Trust certificate.
170. Which field is mandatory in the subject field of a certificate? A. Organization B. Organizational Unit C. Common Name D. Locale
C. Common Name
171. Which field in a certificate must include a value known to the firewall for the certificate to be considered valid by the firewall? A. Issuer B. Subject C. Key D. Object
A. Issuer
172. Where do you find the dynamic routing configuration in the next-generation firewall’s web interface? A. Device > Network > Virtual Router B. Network > Virtual Router C. Device > Network > Interfaces D. Network > Interfaces
B. Network > Virtual Router
173. The organization has three redundant connections to the internet, and all three of them are available. What are two reasons why access to one set of IP addresses through the firewall consistently results in good performance while access to another set of IP addresses consistently results in poor performance? (Choose two.)
A. The organization uses equal-cost multi-path (ECMP) routing to the internet and selects which path to use based on the source IP address, and some IP addresses get routed through a slower ISP.
B. The organization uses Policy Based Forwarding (PBF) and selects which route to use for the internet based on source IP address, and some IP addresses get routed through a slower ISP.
C. The organization uses the Routing Information Protocol (RIP), and some IP addresses get routed through a slower ISP.
D. The organization uses Border Gateway Protocol (BGP), and some IP addresses get routed through a slower ISP.
E. The organization uses Open Shortest Path First (OSPF), and some IP addresses get routed through a slower ISP.
A. The organization uses equal-cost multi-path (ECMP) routing to the internet and selects which path to use based on the source IP address, and some IP addresses get routed through a slower ISP.
B. The organization uses Policy Based Forwarding (PBF) and selects which route to use for the internet based on source IP address, and some IP addresses get routed through a slower ISP.
174. An organization has two links to the internet, one 100Mbps and the other 10Mbps. The firewall balances them using ECMP in the virtual router. Which load balancing ECMP setting does the organization need to use to optimize network resources?
A. Balanced Round Robin
B. Weighted Round Robin, with a weight of 10 for the fast connection and 100 for the slow one.
C. IP Hash
D. Weighted Round Robin, with a weight of 100 for the fast connection and 10 for the slow one
D. Weighted Round Robin, with a weight of 100 for the fast connection and 10 for the slow one