Q_176-200 Flashcards

1
Q

Question #186 Topic 1
When overriding a template configuration locally on a firewall, what should you consider?
A. Panorama will update the template with the overridden value.
B. The firewall template will show that it is out of sync within Panorama.
C. Only Panorama can revert the override.
D. Panorama will lose visibility into the overridden configuration.

A

D. Panorama will lose visibility into the overridden configuration.

Panorama cannot see the local configurations on the firewall.

2
Q

Question #187 Topic 1
When setting up a security profile, which three items can you use? (Choose three.)
A. Wildfire analysis
B. anti-ransomware
C. antivirus
D. URL filtering
E. decryption profile

A

A. Wildfire analysis

C. antivirus
D. URL filtering

3
Q

Question #188 Topic 1
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
A. Upgrade directly to the target major version.
B. Upgrade the HA pair to a base image.
C. Upgrade one major version at a time.
D. Upgrade two major versions at a time.

A

C. Upgrade one major version at a time.

4
Q

Question #189 Topic 1
What are three types of Decryption Policy rules? (Choose three.)
A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy
D. Decryption Broker
E. Decryption Mirror

A

A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy

5
Q

Question #190 Topic 1
During SSL decryption, which three factors affect resource consumption? (Choose three.)
A. key exchange algorithm
B. transaction size
C. TLS protocol version
D. applications at non-standard ports
E. certificate issuer

A

A. key exchange algorithm
B. transaction size
C. TLS protocol version

The amount of SSL traffic you want to decrypt.
The TLS protocol version. Higher versions are more secure but consume more resources.
The key size. The larger the key size, t
The key exchange algorithm. PFS (DHE, ECDHE) consumes more than RSA.
The encryption algorithm
The certificate authentication method. RSA (not the RSA key exchange algorithm) consumes less resources than Elliptic Curve Digital Signature Algorithm (ECDSA) but ECDSA is more secure.

6
Q

Question #191 Topic 1
An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
A. A Decryption profile must be attached to the Decryption policy that the traffic matches.
B. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
C. A Decryption profile must be attached to the Security policy that the traffic matches.
D. There must be a certificate with only the Forward Trust option selected.

A

D. There must be a certificate with only the Forward Trust option selected.

A Decryption profile is not needed.

7
Q

Question #192 Topic 1
Which two features require another license on the NGFW? (Choose two.)
A. SSL Inbound Inspection
B. SSL Forward Proxy
C. Decryption Mirror
D. Decryption Broker

A

C. Decryption Mirror
D. Decryption Broker

8
Q

Question #193 Topic 1
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization?
A. WildFire and Threat Prevention combine to minimize the attack surface.
B. After 24 hours, WildFire signatures are included in the antivirus update.
C. Protection against unknown malware can be provided in near real-time.
D. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall.

A

C. Protection against unknown malware can be provided in near real-time.

fast signatures sent minute, 5 min, etc.

9
Q

Question #194 Topic 1
What are two characteristic types that can be defined for a variable? (Choose two.)
A. zone
B. FQDN
C. IP netmask
D. path group

A

B. FQDN
C. IP netmask

You can use variables to replace:
An IP address (includes IP Netmask, IP Range, and FQDN) in all areas of the configuration.

10
Q

Question #195 Topic 1
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)
A. Permitted IP Addresses
B. SSH
C. https
D. User-ID
E. HTTP

A

A. Permitted IP Addresses
B. SSH
C. https

11
Q

Question #196 Topic 1
An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication.
The administrator wants to create a packet capture on the management plane.
Which CLI command should the administrator use to obtain the packet capture for validating the configuration?
A. > scp export mgmt-pcap from mgmt.pcap to (username@host:path)
B. > scp export poap-mgmt from poap.mgmt to (username@host:path)
C. > ftp export mgmt-pcap from mgmt.pcap to <FTF>
D. > scp export pcap from pcap to (username@host:path)

A

A. > scp export mgmt-pcap from mgmt.pcap to (username@host:path)

SCP or TFTP, ONLY
> scp export mgmt-pcap from mgmt.pcap to
<value> Destination (username@host:path)
or
> tftp export mgmt-pcap from mgmt.pcap to
<value> tftp host

12
Q

Question #197 Topic 1
When you configure an active/active high availability pair, which two links can you use? (Choose two.)
A. HA3
B. Console Backup
C. HSCI-C
D. HA2 backup

A

Old question; pick the bad ones out.
A. HA3
D. HA2 backup

Each firewall needs a dedicated interface for the HA3 link.
HA2 backup (not exact)
But Console and HSCI-C are wrong

13
Q

Question #198 Topic 1
What are two common reasons to use a “No Decrypt” action to exclude traffic from SSL decryption? (Choose two.)
A. the web server requires mutual authentication
B. the website matches a category that is not allowed for most users
C. the website matches a high-risk category
D. the website matches a sensitive category

A

A. the web server requires mutual authentication

D. the website matches a sensitive category

14
Q

Question #199 Topic 1
PBF can address which two scenarios? (Choose two.)
A. routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B. providing application connectivity if the primary circuit fails
C. enabling the firewall to bypass Layer 7 inspection
D. forwarding all traffic by using source port 78249 to a specific egress interface

A

A. routing FTP to a backup ISP link to save bandwidth on the primary ISP link

B. providing application connectivity if the primary circuit fails

PBF does NOT parse src ports

15
Q

Question #200 Topic 1
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour’s routing table.
Which two configurations should you check on the firewall? (Choose two.)
A. Ensure that the OSPF neighbour state is “2-Way”
B. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
C. Within the redistribution profile ensure that Redist is selected.
D. In the redistribution profile check that the source type is set to “ospf.”

A

B. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.

C. Within the redistribution profile ensure that Redist is selected.

16
Q

Question #176 Topic 1
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can help this organization?
A. Test Policy Match
B. Application Groups
C. Policy Optimizer
D. Config Audit

A

C. Policy Optimizer

17
Q

Question #177 Topic 1
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)
A. The bootstrap package is stored on an AFS share or a discrete container file bucket.
B. The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.
C. The /config, /content and /software folders are mandatory while the /license and /plugin folders are optional.
D. The init-cfg.txt and bootstrap.xml files are both optional configuration items for the /config folder.
E. The directory structure must include a /config, /content, /software and /license folders.

A

B. The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.

E. The directory structure must include a /config, /content, /software and /license folders.

The bootstrap package must include the basic configuration in config/init-cfg.txt. The complete configuration (in /config/bootstrap.xml file) is optional.

The bootstrap package must include the /config, /license, /software, and /content folders, even if they are empty. The /plugins folder is optional.

18
Q

Question #178 Topic 1
Which Panorama objects restrict administrative access to specific device-groups?
A. admin roles
B. authentication profiles
C. templates
D. access domains

A

D. access domains

19
Q

Question #179 Topic 1
An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?
A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
B. Use an enterprise CA-signed certificate for the Forward Untrust certificate.
C. Use the same Forward Trust certificate on all firewalls in the network.
D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

A

A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.

(“Obtain”, not “use”: trick question)
Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites that require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the enterprise CA (it is usually already installed in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints and the rollout process is smoother.

20
Q

Question #180 Topic 1
An administrator receives the following error message:
“IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0.”
How should the administrator identify the root cause of this error message?
A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.
B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.
C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

A

B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.

Proxy IDs indicate “policy-based VPNs”.

21
Q

Question #181 Topic 1
The following objects and policies are defined in a device group hierarchy.
Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group.
NYC-DC has NYC-FW as a member of the NYC-DC device-group.

What objects and policies will the Dallas-FW receive if “Share Unused Address and Service Objects” is enabled in Panorama?
A. Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1
B. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1
C. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1
D. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

A

D. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

check policy “target” arggg

22
Q

Question #182 Topic 1
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?
A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.

A

C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

Each Advanced WildFire cloud—global (U.S.) and regional, and the WildFire private cloud—analyzes samples and generates WildFire verdicts independently of the other WildFire cloud options. With the exception of WildFire private cloud verdicts, verdicts are shared globally, enabling Advanced WildFire users to access a worldwide database of threat data.

23
Q

Question #183 Topic 1
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):
i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall.
The end-user’s browser will show that the certificate for www.example-website.com was issued by which of the following?
A. Enterprise-Trusted-CA which is a self-signed CA
B. Enterprise-Root-CA which is a self-signed CA
C. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA
D. Enterprise-Untrusted-CA which is a self-signed CA

A

D. Enterprise-Untrusted-CA which is a self-signed CA

Enterprise-Trusted-CA is installed in the trusted store of the end-user browser and system, so it should not lead to any certificate issue. Most likely, www.example-website.com is signed by an untrusted certificate authority, which leads the firewall to use Enterprise-Untrusted-CA, which is not trusted either.

24
Q

Question #184 Topic 1
What are three reasons for excluding a site from SSL decryption? (Choose three.)
A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication

A

B. unsupported ciphers
C. certificate pinning
E. mutual authentication

Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers.

25
Q

Question #185 Topic 1
DRAG DROP -
Match each SD-WAN configuration element to the description of that element.
Select and Place:

A

SD-WAN intf profile -> matches traffic to apps

Traffic Distribution profile -> path selection

Path Quality profile -> latency, packet loss thresholds

SD-WAN intf profile -> tag applied to physical int