Exam Domain 4 – Configuration Troubleshooting Flashcards

1
Q
157. If users cannot access their Gmail accounts through the firewall, which log and filter do
you use to troubleshoot the problem?
A. Traffic, (app eq gmail)
B. Traffic, (app in gmail)
C. Configuration, (app eq gmail)
D. Configuration, (app in gmail)
A

A. Traffic, (app eq gmail)

2
Q
158. You cannot access the firewall web interface. From the firewall CLI, how do you check to see if the web service is running?
A. ps -aux | grep appweb
B. ps -aux | match appweb
C. show system software status | grep appweb
D. show system software status | match appweb
A

D. show system software status | match appweb

3
Q
159. Which firewall log displays information about connection failures to an external LDAP
authentication server?
A. Traffic
B. System
C. User-ID
D. Authentication
A

B. System

4
Q
160. Which Security Profile does not have a packet capture option?
A. Antivirus
B. Anti-spyware
C. Vulnerability Protection
D. URL Filtering
A

D. URL Filtering

5
Q
161. On a PA-7080, which feature do you need to disable to use packet capture?
A. NAT
B. hardware offload
C. hardware acceleration
D. decryption
A

B. hardware offload

6
Q
162. When must you use tcpdump to capture traffic on the next-generation firewall?
A. on tunnel interface traffic
B. on data-plane interfaces
C. on the management interface
D. on IPsec negotiation traffic
A

B. on data-plane interfaces

7
Q
163. Where in the firewall web interface can you see whether any sessions are going through a specific interface?
A. Dashboard
B. Application Command Center (ACC)
C. Session Log node on the Monitor tab
D. Session Browser node on the Monitor tab
A

D. Session Browser node on the Monitor tab

8
Q
164. Communication through a specific interface works most of the time but fails when traffic throughput is at its highest. Which policy do you consult to identify the problem?
A. Security
B. DoS Protection
C. QoS
D. Application Override
A

B. DoS Protection

9
Q
165. Which interface type allows you to add a firewall with the least disruption to a network?
A. Tap
B. Layer 3
C. Layer 2
D. Virtual Wire
A

D. Virtual Wire

10
Q
166. Why would SSL decryption that has been working for a customer suddenly stop?
A. The firewall’s CA certificate expired.
B. The firewall’s IP address, which is encoded in the certificate, changed.
C. The firewall has been upgraded to a different model.
D. The firewall’s decryption subscription expired.
A

A. The firewall’s CA certificate expired.

11
Q
167. A company uses a small SaaS application provider. This application is accessed through HTTPS but suddenly stops working through the firewall. However, when the application is accessed from home, users receive an error about the certificate. Which two situations would explain this behavior? (Choose two.)
A. The SaaS’s certificate had expired. The firewall’s decryption policy is configured to block connections with expired certificates.
B. The SaaS’s certificate had expired. The firewall’s decryption policy is configured to use the untrusted CA with expired certificates.
C. The SaaS’s certificate was replaced with one whose certificate authority is not known to the firewall. The firewall’s decryption policy is configured to block connections with certificates whose CA is not trusted.
D. The SaaS’s certificate was replaced with one whose certificate authority is not known to the firewall. The firewall’s decryption policy is configured to use the untrusted certificate for certificates whose CA is not trusted.
E. The firewall’s own CA certificate needs to be updated.
A

A. The SaaS’s certificate had expired. The firewall’s decryption policy is configured to block connections with expired certificates.

C. The SaaS’s certificate was replaced with one whose certificate authority is not known
to the firewall. The firewall’s decryption policy is configured to block connections with
certificates whose CA is not trusted.

12
Q
168. Which encryption algorithm is not supported by the firewall and causes the firewall to
drop the connection?
A. DES
B. 3DES
C. AES252-CBC
D. AES256-GCM
A

A. DES

13
Q
169. Which condition could be a symptom of a certificate chain-of-trust issue?
A. The firewall no longer decrypts HTTPS traffic.
B. The firewall no longer decrypts HTTPS traffic from a specific site.
C. The firewall still decrypts HTTPS traffic from all sites, but it re-encrypts it using the Forward Untrust certificate instead of the Forward Trust certificate.
D. The firewall still decrypts HTTPS traffic from a specific site, but it re-encrypts it using the Forward Untrust certificate instead of the Forward Trust certificate.
A

D. The firewall still decrypts HTTPS traffic from a specific site, but it re-encrypts it using the Forward Untrust certificate instead of the Forward Trust certificate.

14
Q
170. Which field is mandatory in the subject field of a certificate?
A. Organization
B. Organizational Unit
C. Common Name
D. Locale
A

C. Common Name

15
Q
171. Which field in a certificate must include a value known to the firewall for the certificate to
be considered valid by the firewall?
A. Issuer
B. Subject
C. Key
D. Object
A

A. Issuer

16
Q
172. Where do you find the dynamic routing configuration in the next-generation firewall’s
web interface?
A. Device > Network > Virtual Router
B. Network > Virtual Router
C. Device > Network > Interfaces
D. Network > Interfaces
A

B. Network > Virtual Router

17
Q
173. The organization has three redundant connections to the internet, and all three of them are available. What are two reasons why access to one set of IP addresses through the firewall consistently results in good performance while access to another set of IP addresses consistently results in poor performance? (Choose two.)
A. The organization uses equal-cost multi-path (ECMP) routing to the internet and selects which path to use based on the source IP address, and some IP addresses get routed through a slower ISP.
B. The organization uses Policy Based Forwarding (PBF) and selects which route to use for the internet based on source IP address, and some IP addresses get routed through a slower ISP.
C. The organization uses the Routing Information Protocol (RIP), and some IP addresses get routed through a slower ISP.
D. The organization uses Border Gateway Protocol (BGP), and some IP addresses get routed through a slower ISP.
E. The organization uses Open Shortest Path First (OSPF), and some IP addresses get routed through a slower ISP.
A

A. The organization uses equal-cost multi-path (ECMP) routing to the internet and selects
which path to use based on the source IP address, and some IP addresses get routed
through a slower ISP.
B. The organization uses Policy Based Forwarding (PBF) and selects which route to use for
the internet based on source IP address, and some IP addresses get routed through a
slower ISP.

18
Q
174. An organization has two links to the internet, one 100Mbps and the other 10Mbps. The firewall balances them using ECMP in the virtual router. Which load balancing ECMP setting does the organization need to use to optimize network resources?
A. Balanced Round Robin
B. Weighted Round Robin, with a weight of 10 for the fast connection and 100 for the slow one.
C. IP Hash
D. Weighted Round Robin, with a weight of 100 for the fast connection and 10 for the slow one
A

D. Weighted Round Robin, with a weight of 100 for the fast connection and 10 for the slow one