q_101-125 Flashcards

1
Q

Question #101 Topic 1
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose
three.)
A. TACACS+
B. Kerberos
C. PAP
D. LDAP
E. SAML
F. RADIUS

A

A. TACACS+
E. SAML
F. RADIUS

The administrative accounts are DEFINED on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and
authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML
server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall.

2
Q

Question #102 Topic 1
What is exchanged through the HA2 link?
A. hello heartbeats
B. User-ID information
C. session synchronization
D. HA state information

A

C. session synchronization

3
Q

Question #103 Topic 1
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?
A. Both SSH keys and SSL certificates must be generated.
B. No prerequisites are required.
C. SSH keys must be manually generated.
D. SSL certificates must be generated.

A

B. No prerequisites are required.

Configuring SSH Proxy does not require certificates and the key used to decrypt SSH sessions is generated automatically on the firewall during
boot up.

4
Q

Question #104 Topic 1
A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)
A. ae.8
B. aggregate.1
C. ae.1
D. aggregate.8

A

A. ae.8

C. ae.1

5
Q

Question #105 Topic 1
Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)
A. Push
B. Pull
C. Okta Adaptive
D. Voice
E. SMS

A

A. Push

D. Voice
E. SMS

Push – An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.

Short message service (SMS) – An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.

Voice – An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.

One-time password (OTP) – An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

6
Q

Question #106 Topic 1
VPN traffic intended for an administrator’s firewall is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?
A. Zone Protection
B. Replay
C. Web Application
D. DoS Protection

A

B. Replay

7
Q

Question #107 Topic 1
Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The
web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall.

A

B

Zone Pair
Source zone: Internet; destination zone: DMZ

8
Q

Question #108 Topic 1
An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application.
However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?
A. Enable QoS interface
B. Enable QoS in the Interface Management Profile
C. Enable QoS Data Filtering Profile
D. Enable QoS monitor

A

A. Enable QoS interface

9
Q

Question #109 Topic 1
Which log file can be used to identify SSL decryption failures?
A. Traffic
B. ACC
C. Configuration
D. Threats

A

A. Traffic

10
Q

Question #110 Topic 1
A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)
A. tunnel.1
B. vpn-tunnel.1
C. tunnel.1025
D. vpn-tunnel.1024

A

A. tunnel.1

C. tunnel.1025

11
Q

Question #111 Topic 1
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

Cert path graphic shows VeriSign -> Symantec -> *.paloaltonetworks

A. Palo Alto Networks > Symantec > VeriSign
B. VeriSign > Symantec > Palo Alto Networks
C. Symantec > VeriSign > Palo Alto Networks
D. VeriSign > Palo Alto Networks > Symantec

A

B. VeriSign > Symantec > Palo Alto Networks

It's a tree, dummy!!

12
Q

Question #112 Topic 1
An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for
the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates automatically?
A. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.
B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a
Security policy rule to allow the traffic from that interface to the update servers if necessary.
C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface
destined for the update servers goes out of the interface acting as your Internet connection.
D. Configure a Security policy rule to allow all traffic to and from the update servers.

A

B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.

13
Q

Question #113 Topic 1
A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and
to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?
A. Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object.
Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would
handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN
ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

A

B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object.
Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

!!! Key is separate into its own zone…

14
Q

Question #114 Topic 1
Which data flow describes redistribution of user mappings?
A. User-ID agent to firewall
B. Domain Controller to User-ID agent
C. User-ID agent to Panorama
D. firewall to firewall

A

D. firewall to firewall

User-ID redistribution is a Palo term

15
Q

Question #115 Topic 1
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?
A. System Utilization log
B. System log
C. Resources widget
D. CPU Utilization widget

A

C. Resources widget

16
Q

Question #116 Topic 1
Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.)
A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password

A

A. Short message service
B. Push

D. Voice

F. One-Time Password

User logon and SSH keys are NOT MFA

17
Q

Question #117 Topic 1
Which two features does PAN-OS® software use to identify applications? (Choose two.)
A. transaction characteristics
B. session number
C. port number
D. application layer payload

A

A. transaction characteristics

D. application layer payload

18
Q

Question #118 Topic 1
An administrator wants to upgrade a firewall from PAN-OS® 9.1 to PAN-OS® 10.0. The firewall is not a part of an HA pair.
What needs to be updated first?
A. Applications and Threats
B. XML Agent
C. WildFire
D. PAN-OS Upgrade Agent

A

A. Applications and Threats

19
Q

Question #119 Topic 1
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot

A

C. Export device state

20
Q

Question #120 Topic 1
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)
A. HA1 IP Address
B. Master Key
C. Zone Protection Profile
D. Network Interface Type

A

A. HA1 IP Address
B. Master Key

21
Q

Question #121 Topic 1
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?
A. Malware
B. Grayware
C. Phishing
D. Spyware

A

B. Grayware

(Spyware is not one of the WildFire verdicts.)
Benign—sample is safe and does not exhibit malicious behavior.

Grayware—The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).

Phishing—The link directs users to a phishing site and poses a security threat. Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially corporate passwords that unlock access to your network. The WildFire appliance does not support the phishing verdict and continues to classify these types of links as malicious.

Malicious—The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For files identified as malware, signatures are generated and distributed to prevent against future exposure to the threat.

22
Q

Question #122 Topic 1
When configuring the firewall for packet capture, what are the valid stage types?
A. receive, management, transmit, and non-syn
B. receive, management, transmit, and drop
C. receive, firewall, send, and non-syn
D. receive, firewall, transmit, and drop

A

D. receive, firewall, transmit, and drop

23
Q

Question #123 Topic 1
Which operation will impact the performance of the management plane?
A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions

A

C. generating a SaaS Application report

24
Q

Question #124 Topic 1
Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
A. syslog listening
B. server monitoring
C. client probing
D. port mapping

A

A. syslog listening

25
Q

Question #125 Topic 1
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?
A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security
Zone
D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination
Security Zone, Application, and URL Category

A

A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone

On a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone.