q_151-175

Question 1

Question #151 Topic 1
Which is not a valid reason for receiving a decrypt-cert-validation error?
A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer

Answer 1

A. Unsupported HSM

“Unsupported HSM” is not a valid reason for receiving a decrypt-cert-validation error

receiving the decrypt-cert-validation error is valid for the following conditions: expired, untrusted issuer, unknown
status, or status verification time-out.

Question 2

Question #152 Topic 1
In the following image from Panorama, why are some values shown in red?
Device Name Logging rate Device Throughput Session
uk3 781(red) 209 4022`
sg2 0 953 170 (red)
us3 291(red) 0 67455
A. sg2 session count is the lowest compared to the other managed devices.
B. us3 has a logging rate that deviates from the administrator-configured thresholds.
C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
D. sg2 has misconfigured session thresholds.

Answer 2

C. uk3 has a logging rate that deviates from the seven-day calculated baseline.

deviating metrics in red. A metric health baseline is determined by averaging the health performance for a given metric over seven days plus the standard deviation.

Question 3

!!! OLD DEPRECATED Question #153 Topic 1
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?
A. A Certificate Profile that contains the client certificate needs to be selected.
B. The source address supports only files hosted with an ftp://<address/file>.
C. External Dynamic Lists do not support SSL connections.
D. A Certificate Profile that contains the CA certificate needs to be selected.

Answer 3

D. A Certificate Profile that contains the CA certificate needs to be selected.

Question 4

Question #154 Topic 1
Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)
A. video streaming application
B. Client Application Process
C. Destination Domain
D. Source Domain
E. Destination user/group
F. URL Category

Answer 4

A. video streaming application
B. Client Application Process
C. Destination Domain

Question 5

Question #155 Topic 1
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity
D. GlobalProtect Quarantine Activity

Answer 5

B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity

B & C
NOTICE the word ACTIVITY in the Question. That removed the Quarantine option even though it is present. It is not an Activity widget

Question 6

Question #156 Topic 1
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
A. log forwarding auto-tagging
B. XML API
C. GlobalProtect agent
D. User-ID Windows-based agent

Answer 6

A. log forwarding auto-tagging
B. XML API

Usernames can also be tagged and untagged by using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke the PAN-OS XML API commands
to tag or untag usernames

Question 7

Question #157 Topic 1
SD-WAN is designed to support which two network topology types? (Choose two.)
A. point-to-point
B. hub-and-spoke
C. full-mesh
D. ring

Answer 7

B. hub-and-spoke
C. full-mesh

Beginning with PAN-OS 10.0.3, SD-WAN supports a full mesh topology, in addition to the hub-spoke topology. The mesh can consist of branches with or without hubs. Use full mesh when the branches need to communicate with each other directly.

Question 8

Question #158 Topic 1
Which option describes the operation of the automatic commit recovery feature?
A. It enables a firewall to revert to the previous configuration if rule shadowing is detected.
B. It enables a firewall to revert to the previous configuration if application dependency errors are found.
C. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure.
D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

Answer 8

D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

Question 9

Question #159 Topic 1
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)
A. branch and hub locations
B. link requirements
C. the name of the ISP
D. IP Addresses

Answer 9

A. branch and hub locations
B. link requirements

D. IP Addresses

Question 10

Question #160 Topic 1
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer’s Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages

Answer 10

A. on the App Dependency tab in the Commit Status window

C. on the Application tab in the Security Policy Rule creation window

Question 11

Question #161 Topic 1
Which two events trigger the operation of automatic commit recovery? (Choose two.)
A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall performs a local commit
D. when a firewall HA pair fails over

Answer 11

B. when Panorama pushes a configuration

C. when a firewall performs a local commit

Question 12

Question #162 Topic 1
Panorama provides which two SD-WAN functions? (Choose two.)
A. network monitoring
B. control plane
C. data plane
D. physical network links

Answer 12

A. network monitoring
B. control plane

SD-WAN separates the control and management processes from the underlying networking hardware, making them available as software that can
be easily configured and deployed. A centralized control pane means network administrators can write new rules and policies, and then configure
and deploy them across an entire network at once.
https://www.paloaltonetworks.com/cyberpedia/what-is-a-sd-wan

Question 13

Question #163 Topic 1
Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:
A. respond to changes in user behaviour or potential threats using manual policy changes
B. respond to changes in user behaviour or potential threats without manual policy changes
C. respond to changes in user behaviour or potential threats without automatic policy changes
D. respond to changes in user behaviour and confirmed threats with manual policy changes

Answer 13

B. respond to changes in user behaviour or potential threats without manual policy changes

Because updates to dynamic user group membership are automatic, using dynamic user groups instead of static group objects allows you to respond to changes in user behavior or potential threats without manual policy changes.

Question 14

Question #164 Topic 1
How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?
A. by adding the device’s Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect
gateway from a quarantined device
B. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and
leveraging the appropriate XSOAR playbook
C. by using security policies, log forwarding profiles, and log settings
D. there is no native auto-quarantine feature so a custom script would need to be leveraged

Answer 14

C. by using security policies, log forwarding profiles, and log settings

You can automatically quarantine a device using a log forwarding profile with a security policy rule or HIP match log settings.

Question 15

Question #165 Topic 1
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate
traffic to drop, you can configure:
A. PBP (Protocol Based Protection)
B. BGP (Border Gateway Protocol)
C. PGP (Packet Gateway Protocol)
D. PBP (Packet Buffer Protection)

Answer 15

D. PBP (Packet Buffer Protection)

Packet Buffer Protection defends your firewall and network from single session DoS attacks that can overwhelm the firewall’s packet buffer and cause legitimate traffic to drop. Although you don’t configure Packet Buffer Protection in a Zone Protection profile or in a DoS Protection profile or policy rule, Packet Buffer Protection defends ingress zones. While zone and DoS protection apply to new sessions (connections) and are granular, Packet Buffer Protection applies to existing sessions and is global.

Question 16

Question #166 Topic 1
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a firewall that was previously being used in a lab.
The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PANOS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows:
The USB flash drive has been inserted in the firewalls’ USB port, and the firewall has been restarted using command: > request restart system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:
A. The bootstrap.xml file is a required file, but it is missing
B. Firewall must be in factory default state or have all private data deleted for bootstrapping
C. The hostname is a required parameter, but it is missing in init-cfg.txt
D. The USB must be formatted using the ext3 file system. FAT32 is not supported

Answer 16

B. Firewall must be in factory default state or have all private data deleted for bootstrapping

The firewall must be in a factory default state or must have all private data deleted.

Question 17

Question #167 Topic 1
An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?
A. default-no-captive-portal
B. default-authentication-bypass
C. default-browser-challenge
D. default-web-form

Answer 17

A. default-no-captive-portal

default-no-captive-portal—The firewall evaluates Security policy without authenticating users.

Question 18

Question #168 Topic 1
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file system ntfs and the initial configuration is stored in a file named init-cfg.txt.
The contents of init-cfg.txt in the USB flash drive are as follows:
The USB flash drive has been inserted in the firewalls’ USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the
bootstrapping process. The failure is caused because:
A. the bootstrap.xml file is a required file, but it is missing
B. nit-cfg.txt is an incorrect filename, the correct filename should be init-cfg.xml
C. The USB must be formatted using the ext4 file system
D. There must be commas between the parameter names and their values instead of the equal symbols
E. The USB drive has been formatted with an unsupported file system

Answer 18

E. The USB drive has been formatted with an unsupported file system

The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:

• File Allocation Table 32 (FAT32)
• Third Extended File System (ext3)

Question 19

Question #169 Topic 1
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP
literals in your configurations.
Which one is the correct configuration?
A. &Panorama
B. @Panorama
C. $Panorama
D. #Panorama

Answer 19

C. $Panorama

Create a template and template stack using a variable name for an object. Variable names must start with the dollar sign ( “$” ) symbol. For example, you could use $Panorama as a variable for the Panorama IP address that you want to configure on multiple managed firewalls and appliances

Question 20

Question #170 Topic 1
On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?
A. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3. Select Import Private key 4. Click Generate to generate the new certificate
B. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key
Export 4. Click Generate to generate the new certificate
D. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export

Answer 20

C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key
Export 4. Click Generate to generate the new certificate

!!only answer correct path Device>Certificate management> Device

Question 21

Question #171 Topic 1
What is the maximum number of samples that can be submitted to WildFire manually per day?
A. 1,000
B. 2,000
C. 5,000
D. 15,000

Answer 21

/—-??—-/
A. 1,000

All Palo Alto Networks customers with a support account can use the Palo Alto Networks WildFire portal to manually submit up to five samples a day for analysis. If you have an Advanced WildFire or WildFire subscription, you can manually submit samples to the portal as part of your 1000 sample uploads daily limit; however, keep in mind that the 1000 sample daily limit also includes WildFire API submissions.

Question 22

Question #172 Topic 1
What file type upload is supported as part of the basic WildFire service?
A. ELF
B. BAT
C. PE
D. VBS

Answer 22

C. PE

With the basic WildFire service, the firewall can forward portable executable (PE) files for analysis, and can retrieve Advanced WildFire signatures only with antivirus and/or Threat Prevention updates which are made available every 24-48 hours.

Question 23

Question #173 Topic 1
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
A. Task Manager
B. System Logs
C. Traffic Logs
D. Configuration Logs

Answer 23

A. Task Manager
B. System Logs
/—-??—-/

::monitor/logs/system
( description contains ‘commit’ )

Question 24

Question #174 Topic 1
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
A. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other
IP flood attacks.
B. Add a WildFire subscription to activate DoS and zone protection features.
C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems.
D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone
protection

Answer 24

D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

Check and monitor firewall dataplane CPU consumption to ensure that each firewall is properly sized to support DoS and Zone Protection along with any other features that consume CPU cycles, such as decryption. If you use Panorama to manage your firewalls, use Device Monitor (PanoramaManaged DevicesHealth) to check and monitor the CPU consumption of all managed firewalls at one time.

Question 25

Question #175 Topic 1
DRAG DROP -
Please match the terms to their corresponding definitions.
Select and Place:

SD-WAN interface profile SD-WAN path selection

Traffic Dist profile selects new best path - current thresh

Path Quality profile max latency, jitter, packet loss

SD-WAN interface profile specifies tag applied to phys interface

Answer 25

SD-WAN interface profile SD-WAN path selection

Traffic Dist profile selects new best path - current thresh

Path Quality profile max latency, jitter, packet loss

SD-WAN interface profile specifies tag applied to phys interface