q_201-225 Flashcards

1
Q

Question #201 Topic 1
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
A. unknown-udp
B. unknown-ip
C. incomplete
D. not-applicable

A

A. unknown-udp

2
Q

Question #202 Topic 1
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)
A. App-ID
B. Custom URL Category
C. User-ID
D. Destination Zone
E. Source Interface

A

B. Custom URL Category
C. User-ID
D. Destination Zone

BCD. There are no App-ID or Source Interface options for decryption policy.
A. App-ID (not decrypted ??)
E. Source Interface (not a field in rule)

3
Q

Question #203 Topic 1
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane.
Where does the administrator view the desired data?
A. Resources Widget on the Dashboard
B. Monitor > Utilization
C. Support > Resources
D. Application Command and Control Center

A

A. Resources Widget on the Dashboard

4
Q

Question #204 Topic 1
Which CLI command displays the physical media that are connected to ethernet1/8?
A. > show system state filter-pretty sys.s1.p8.stats
B. > show system state filter-pretty sys.s1.p8.med
C. > show interface ethernet1/8
D. > show system state filter-pretty sys.s1.p8.phy

A

D. > show system state filter-pretty sys.s1.p8.phy

5
Q

Question #205 Topic 1
A variable name must start with which symbol?
A. $
B. !
C. #
D. &

A

A. $

$$$$$$

6
Q

Question #206 Topic 1
Given the following configuration, which route is used for destination 10.10.0.4?

set network virtual-router 2 routing-table ip static-route "Route 1" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 1" metric 30
set network virtual-router 2 routing-table ip static-route "Route 1" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 1" route-table unicast

set network virtual-router 2 routing-table ip static-route "Route 2" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 2" metric 20
set network virtual-router 2 routing-table ip static-route "Route 2" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 2" route-table unicast

set network virtual-router 2 routing-table ip static-route "Route 3" nexthop ip-address 10.10.20.1
set network virtual-router 2 routing-table ip static-route "Route 3" metric 5
set network virtual-router 2 routing-table ip static-route "Route 3" destination 0.0.0.0/0
set network virtual-router 2 routing-table ip static-route "Route 3" route-table unicast

set network virtual-router 2 routing-table ip static-route "Route 4" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 4" metric 10
set network virtual-router 2 routing-table ip static-route "Route 4" destination 10.10.1.0/25
set network virtual-router 2 routing-table ip static-route "Route 4" route-table unicast

A. Route 1
B. Route 3
C. Route 2
D. Route 4

A

C. Route 2

Longest mask first, then lowest metric if the longest masks are equal.

7
Q

Question #207 Topic 1
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
A. self-signed CA certificate
B. server certificate
C. wildcard server certificate
D. client certificate
E. enterprise CA certificate

A

A. self-signed CA certificate

E. enterprise CA certificate

8
Q

Question #208 Topic 1
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the
configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
A. virtual systems
B. template stacks
C. variables
D. collector groups

A

B. template stacks
C. variables

Template variables allow you to assign a dynamic value in a template configuration that you can overwrite later in a template stack.
This can be particularly useful for IPv4 addresses whose value you do not know when configuring a template.
The IPv4 template variable can be referenced in different parts of the template configuration, such as the GlobalProtect configuration.

9
Q

Question #209 Topic 1
Which three statements accurately describe Decryption Mirror? (Choose three.)
A. Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.
B. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
C. Decryption Mirror requires a tap interface on the firewall.
D. Only management consent is required to use the Decryption Mirror feature.
E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is
submitted via an encrypted channel.

A

A. Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.

B. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.

E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

  • the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and
  • user consent might be required in order to use the decryption mirror feature.
  • Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social
    security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel.
  • Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
10
Q

Question #210 Topic 1
As a best practice, which URL category should you target first for SSL decryption?
A. Health and Medicine
B. High Risk
C. Online Storage and Backup
D. Financial Services

A

B. High Risk

11
Q

Question #211 Topic 1
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
A. LDAP Server Profile configuration
B. GlobalProtect
C. Windows-based User-ID agent
D. PAN-OS integrated User-ID agent

A

B. GlobalProtect

12
Q

Question #212 Topic 1
DRAG DROP -
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.
Select and Place:

A

Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file.
Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.
Step 3. Upload or drag and drop the technical support file.
Step 4. Map the zone type and area of the architecture to each zone.
Step 5. Follow the steps to download the BPA report bundle.

13
Q

Question #213 Topic 1
DRAG DROP -
Place the steps in the WildFire process workflow in their correct order.
Select and Place:

A

wf upload
static analysis
wf uses heuristic
wf generates new sigs

WUP-AN-HE-GsnSig

14
Q

Question #214 Topic 1
In a Panorama template, which three types of objects are configurable? (Choose three.)
A. certificate profiles
B. HIP objects
C. QoS profiles
D. security profiles
E. interface management profiles

A

A. certificate profiles
C. QoS profiles
E. interface management profiles

keyword “template”

15
Q

Question #215 Topic 1
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at
the configuration, the administrator believes that the firewall is not using a static route.
What are two reasons why the firewall might not use a static route? (Choose two.)
A. duplicate static route
B. no install on the route
C. disabling of the static route
D. path monitoring on the static route

A

B. no install on the route
D. path monitoring on the static route

16
Q

?????????Question #216 Topic 1
A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the
following options and licenses were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users.
Which two settings must the customer configure? (Choose two.)
A. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the
security policy rules in Mobile_User_Device_Group.
D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of
the security policy rules in the Mobile_User_Device_Group.

A

B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.

C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.

Forward logs to Cortex Data Lake,
then have Cortex send them to Splunk.

17
Q

Question #217 Topic 1
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
A. machine certificate
B. server certificate
C. certificate authority (CA) certificate
D. client certificate

A

B. server certificate

18
Q

Question #218 Topic 1
In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?
A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours

A

B. 6 to 12 hours

Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.

19
Q

Question #219 Topic 1
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has
opened a ticket.
The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the
system.
Where is the best place to validate if the firewall is blocking the user’s TAR file?
A. Threat log
B. Data Filtering log
C. WildFire Submissions log
D. URL Filtering log

A

B. Data Filtering log

20
Q

Question #220 Topic 1
In a firewall, which three decryption methods are valid? (Choose three.)
A. SSL Outbound Proxyless Inspection
B. SSL Inbound Inspection
C. SSH Proxy
D. SSL Inbound Proxy
E. Decryption Mirror

A

B. SSL Inbound Inspection
C. SSH Proxy
E. Decryption Mirror

21
Q

Question #221 Topic 1
DRAG DROP -
Match each type of DoS attack to an example of that type of attack.
Application-Based Attacks—Target weaknesses in a particular application and try to exhaust its resources so legitimate users can’t use it. An example of this is the Slowloris attack.

Protocol-Based Attacks—Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.

Volumetric Attacks—High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.

A

Application-Based Attacks—Target weaknesses in a particular application and try to exhaust its resources so legitimate users can’t use it. An example of this is the Slowloris attack.

Protocol-Based Attacks—Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.

Volumetric Attacks—High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.

22
Q

Question #222 Topic 1
Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)
A. inherit address-objects from templates
B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks
D. standardize log-forwarding profiles for security policies across all stacks

A

B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks

Remember where policies are: Device Groups

23
Q

Question #223 Topic 1 /—??—/
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.
An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com.
Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?
A. Forward-Untrust-Certificate
B. Forward-Trust-Certificate
C. Firewall-CA
D. Firewall-Trusted-Root-CA

A

A. Forward-Untrust-Certificate

Some argue:
B. Forward-Trust-Certificate

24
Q

Question #224 Topic 1
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN preconfigured configuration would adapt to changes when deployed to the future site?
A. GlobalProtect client
B. PPTP tunnels
C. IPsec tunnels using IKEv2
D. GlobalProtect satellite

A

D. GlobalProtect satellite

25
Q

Question #225 Topic 1
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
A. You must set the interface to Layer 2, Layer 3, or virtual wire.
B. The interface must be used for traffic to the required services.
C. You must use a static IP address.
D. You must enable DoS and zone protection.

A

C. You must use a static IP address.