Q_126-150 Flashcards

1
Q

Question #126 Topic 1
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
A. At-boot
B. Pre-logon
C. User-logon (Always on)
D. On-demand

A

B. Pre-logon

2
Q

Question #127 Topic 1
Which feature can provide NGFWs with User-ID mapping information?
A. Web Captcha
B. Native 802.1q authentication
C. GlobalProtect
D. Native 802.1x authentication

A

C. GlobalProtect

3
Q

Question #128 Topic 1
Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)
A. Role Based
B. Custom Panorama Admin
C. Device Group
D. Dynamic
E. Template Admin

A

C. Device Group

E. Template Admin

4
Q

Question #129 Topic 1
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
A. Select download-and-install
B. Select download-only
C. Select download-and-install, with "Disable new apps in content update" selected
D. Select disable application updates and select "Install only Threat updates"

A

A. Select download-and-install

“old” content id is already installed…
trick

5
Q

!!!! uncertain Question #130 Topic 1
Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?
A. 10,000
B. 15,000
C. 7,500
D. 5,000

A

A. 10,000

answer is 1000, however it's not listed in the choices

6
Q

Question #131 Topic 1
In which two types of deployment is active/active HA configuration supported? (Choose two.)
A. Layer 3 mode
B. TAP mode
C. Virtual Wire mode
D. Layer 2 mode

A

A. Layer 3 mode

C. Virtual Wire mode

7
Q

Question #132 Topic 1
For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)
A. ingress processing errors
B. rule match with action "deny"
C. rule match with action "allow"
D. equal-cost multipath

A

A. ingress processing errors
B. rule match with action deny

8
Q

Question #133 Topic 1
Which logs enable a firewall administrator to determine whether a session was decrypted?
A. Traffic
B. Security Policy
C. Decryption
D. Correlated Event

A

A. Traffic

could be decryption log…arggg

9
Q

Question #134 Topic 1
An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?
A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution

A

D. DNS settings for the firewall to use for resolution

10
Q

Question #135 Topic 1
A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?
A. Add an Anti-Spyware Profile to block attacking IP address
B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
C. Add QoS Profiles to throttle incoming requests
D. Add a tuned DoS Protection Profile

A

D. Add a tuned DoS Protection Profile

11
Q

Question #136 Topic 1
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS® software?
A. Antivirus update package.
B. Applications and Threats update package.
C. User-ID agent.
D. WildFire update package.

A

B. Applications and Threats update package.

12
Q

Question #137 Topic 1
A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus

A

A. Anti-Spyware

13
Q

!!OLD Question #138 Topic 1
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

A

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.

14
Q

Question #139 Topic 1
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
A. CRL
B. CRT
C. OCSP
D. Cert-Validation-Profile
E. SSL/TLS Service Profile

A

A. CRL

C. OCSP

15
Q

Question #140 Topic 1
Which administrative authentication method supports authorization by an external service?
A. Certificates
B. LDAP
C. RADIUS
D. SSH keys

A

C. RADIUS

16
Q

Question #141 Topic 1
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)
A. .dll
B. .exe
C. .fon
D. .apk
E. .pdf
F. .jar

A

A. .dll
B. .exe
C. .fon

17
Q

Question #142 Topic 1
An administrator has been asked to configure active/active HA for a pair of firewalls. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
C. The firewalls do not use floating IPs in active/active HA.
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

A

A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.

Single gateway means a shared single floating IP

18
Q

!! IGNORE Question #143 Topic 1
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
A. GlobalProtect version 4.0 with PAN-OS 8.1
B. GlobalProtect version 4.1 with PAN-OS 8.1
C. GlobalProtect version 4.1 with PAN-OS 8.0
D. GlobalProtect version 4.0 with PAN-OS 8.0

A

!! IGNORE
B. GlobalProtect version 4.1 with PAN-OS 8.1

19
Q

Question #144 Topic 1
How does Panorama prompt VMWare NSX to quarantine an infected VM?
A. HTTP Server Profile
B. Syslog Server Profile
C. Email Server Profile
D. SNMP Server Profile

A

A. HTTP Server Profile

20
Q

Question #145 Topic 1
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
A. System Log (shows informational severity)
B. Traffic Log
C. System log (filtered “link-change”)
D. Task manager

A

A. System Log

D. Task manager

note the pics. Commit is NOT in a link-change filtered system log

21
Q

Question #146 Topic 1
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
A. Create a no-decrypt Decryption Policy rule.
B. Configure a Dynamic Address Group for untrusted sites.
C. Create a Security Policy rule with a vulnerability Security Profile attached.
D. Enable the "Block sessions with untrusted issuers" setting.

A

(Choose two.)
A. Create a no-decrypt Decryption Policy rule.

D. Enable the "Block sessions with untrusted issuers" setting.

22
Q

Question #147 Topic 1
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.
B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
D. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

A

A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.

23
Q

Question #148 Topic 1
What is the purpose of the firewall decryption broker?
A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
B. force decryption of previously unknown cipher suites
C. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
D. inspect traffic within IPsec tunnels

A

A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.

24
Q

Question #149 Topic 1
SAML SLO is supported for which two firewall features? (Choose two.)
A. GlobalProtect Portal
B. CaptivePortal
C. WebUI
D. CLI

A

A. GlobalProtect Portal

C. WebUI

25
Q

Question #150 Topic 1
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
A. Rule Usage Hit counter will not be reset.
B. Highlight Unused Rules will highlight all rules.
C. Highlight Unused Rules will highlight zero rules.
D. Rule Usage Hit counter will reset

A

A. Rule Usage Hit counter will not be reset.

B. Highlight Unused Rules will highlight all rules.