Q_226-250 Flashcards

1
Q

Question #226 Topic 1
What does SSL decryption require to establish the firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
A. link state
B. profiles
C. stateful firewall connection
D. certificates

A

D. certificates

2
Q

Question #227 Topic 1
When you configure a Layer 3 interface, what is one mandatory step?
A. Configure virtual routers to route the traffic for each Layer 3 interface.
B. Configure Interface Management profiles, which need to be attached to each Layer 3 interface.
C. Configure Security profiles, which need to be attached to each Layer 3 interface.
D. Configure service routes to route the traffic for each Layer 3 interface.

A

A. Configure virtual routers to route the traffic for each Layer 3 interface.

3
Q

Question #228 Topic 1
Which statement accurately describes service routes and virtual systems?
A. Virtual systems can only use one interface for all global service and service routes of the firewall.
B. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.
C. Virtual systems cannot have dedicated service routes configured; virtual systems always use the global service and service route settings for the firewall.
D. The interface must be used for traffic to the required external services.

A

B. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.

4
Q

Question #229 Topic 1
An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version.
What is considered best practice for this scenario?
A. Perform the Panorama and firewall upgrades simultaneously.
B. Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version.
C. Upgrade Panorama to a version at or above the target firewall version.
D. Export the device state, perform the update, and then import the device state.

A

C. Upgrade Panorama to a version at or above the target firewall version.

5
Q

Question #230 Topic 1
An administrator has 750 firewalls. The administrator’s central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?
A. Panorama does not have valid licenses to push the dynamic updates.
B. Panorama has no connection to Palo Alto Networks update servers.
C. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
D. No service route is configured on the firewalls to Palo Alto Networks update servers.

A

C. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.

6
Q

Question #231 Topic 1
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
C. Configure a Captive Portal authentication policy that uses an authentication sequence.
D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

A

D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

7
Q

Question #232 Topic 1
An administrator wants to enable zone protection.
Before doing so, what must the administrator consider?
A. Activate a zone protection subscription.
B. Security policy rules do not prevent lateral movement of traffic between zones.
C. The zone protection profile will apply to all interfaces within that zone.
D. To increase bandwidth, no more than one firewall interface should be connected to a zone.

A

C. The zone protection profile will apply to all interfaces within that zone.

8
Q

Question #233 Topic 1
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
A. Disable HA.
B. Disable the HA2 link.
C. Set the passive link state to “shutdown.”
D. Disable config sync.

A

D. Disable config sync.

9
Q

Question #234 Topic 1
Before you upgrade a Palo Alto Networks NGFW, what must you do?
A. Make sure that the PAN-OS support contract is valid for at least another year.
B. Export a device state of the firewall.
C. Make sure that the firewall is running a supported version of the app + threat update.
D. Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.

A

C. Make sure that the firewall is running a supported version of the app + threat update.

10
Q

Question #235 Topic 1
The UDP-4501 protocol-port is used between which two GlobalProtect components?
A. GlobalProtect app and GlobalProtect satellite
B. GlobalProtect app and GlobalProtect portal
C. GlobalProtect app and GlobalProtect gateway
D. GlobalProtect portal and GlobalProtect gateway

A

C. GlobalProtect app and GlobalProtect gateway

11
Q

Question #236 Topic 1
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?
A. Configure Prisma Access to learn group mapping via SAML assertion.
B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
C. Assign a master device in Panorama through which Prisma Access learns groups.
D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.

A

C. Assign a master device in Panorama through which Prisma Access learns groups.

12
Q

Question #237 Topic 1
What happens to traffic traversing SD-WAN fabric that doesn’t match any SD-WAN policies?
A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.
B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.
C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).

A

C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.

13
Q

Question #238 Topic 1
A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.)
A. certificate authority (CA) certificate
B. server certificate
C. client certificate
D. certificate profile

A

A. certificate authority (CA) certificate

D. certificate profile

14
Q

Question #239 Topic 1
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.
All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
A. WildFire logs
B. System logs
C. Threat logs
D. Traffic logs

A

A. WildFire logs

(answer uncertain)

15
Q

Question #240 Topic 1
A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.
Which configuration is necessary to retrieve groups from Panorama?
A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
B. Configure a group mapping profile to retrieve the groups in the target template.
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
D. Configure a master device within the device groups.

A

A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
or
D. Configure a master device within the device groups.
(answer uncertain)

16
Q

Question #241 Topic 1
How can packet buffer protection be configured?
A. at zone level to protect firewall resources and ingress zones, but not at the device level
B. at the interface level to protect firewall resources
C. at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
D. at the device level (globally) and, if enabled globally, at the zone level

A

D. at the device level (globally) and, if enabled globally, at the zone level

17
Q

Question #242 Topic 1
An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet.
One requirement is that no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?
A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Configure policy-based forwarding
D. Deploy Prisma SD-WAN with Prisma Access

A

B. Upgrade to a PAN-OS SD-WAN subscription

18
Q

Question #243 Topic 1
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.
What is the correct setting?
A. Change the HA timer profile to “user-defined” and manually set the timers.
B. Change the HA timer profile to “fast”.
C. Change the HA timer profile to “aggressive” or customize the settings in advanced profile.
D. Change the HA timer profile to “quick” and customize in advanced profile.

A

C. Change the HA timer profile to “aggressive” or customize the settings in advanced profile.

19
Q

Question #244 Topic 1
What is the function of a service route?
A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.
B. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.
C. The service route is the method required to use the firewall’s management plane to provide services to applications.
D. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.

A

A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.

20
Q

Question #245 Topic 1
DRAG DROP -
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
Select and Place:

A

1. Register the ZTP firewall with Panorama using the claim key.
2. Panorama registers the firewall with the CSP (ZTP service).
3. After it connects to the ZTP service, the ZTP firewall requests a device certificate.
4. The ZTP service pushes the Panorama FQDN to the firewall.
5. The ZTP firewall connects to Panorama.

21
Q

Question #246 Topic 1
Which of the following commands would you use to check the total number of sessions that are currently going through SSL Decryption processing?
A. show session all filter ssl-decryption yes total-count yes
B. show session all ssl-decrypt yes count yes
C. show session all filter ssl-decrypt yes count yes
D. show session filter ssl-decryption yes total-count yes

A

C. show session all filter ssl-decrypt yes count yes

22
Q

Question #247
Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.
How can the issue be corrected?
A. Override the value on the NYCFW template.
B. Override a template value using a template stack variable.
C. Override the value on the Global template.
D. Enable “objects defined in ancestors will take higher precedence” under Panorama settings.

A

B. Override a template value using a template stack variable.

23
Q

Question #248 Topic 1
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache

A

B. show system setting ssl-decrypt certificate
or
D. show system setting ssl-decrypt certificate-cache
(answer uncertain)
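The two CLI commands on cards #246 and #248 can also be issued over the PAN-OS XML API, which is how you would check decryption state across many firewalls rather than one SSH session at a time. The following is an added example (not from the flashcards and not Palo Alto Networks code): it converts the CLI wording into the nested XML that the `type=op` endpoint expects, builds the request, and parses the session count out of a reply. Assumptions are labelled in the code: the XML nesting follows the `debug cli on` rendering of these commands, the reply text mirrors what the CLI prints for `count yes`, the sample reply is constructed rather than captured from a firewall, and `fw.example.net` is a placeholder host.

```python
"""Issue PAN-OS 'show' commands over the XML API and parse the session count.

Added example for the flashcards above; not PAN-OS or Palo Alto Networks code.
"""
import re
from urllib.parse import urlencode
from xml.etree import ElementTree as ET


def cli_to_xml(cmd: str) -> str:
    """Render a CLI command as the nested XML used by /api/?type=op.

    Assumption: every word before (and including) 'filter' becomes a nested
    element, and the words after 'filter' are key/value pairs, which is how
    `debug cli on` shows these commands on the firewall. A command without a
    filter ends in a leaf element such as <certificate-cache/>.
    """
    words = cmd.split()
    if not words:
        raise ValueError("empty command")
    if "filter" in words:
        cut = words.index("filter") + 1
        path, rest = words[:cut], words[cut:]
        if len(rest) % 2:
            raise ValueError("filter keywords must come in key/value pairs")
        body = "".join(f"<{k}>{v}</{k}>" for k, v in zip(rest[::2], rest[1::2]))
    else:
        path, leaf = words[:-1], words[-1]
        body = f"<{leaf}/>"
    for tag in reversed(path):
        body = f"<{tag}>{body}</{tag}>"
    return body


def op_request(host: str, api_key: str, cli_cmd: str) -> tuple[str, dict]:
    """Return (url, headers) for the op call.

    The key goes in the X-PAN-KEY header (accepted by PAN-OS 9.0 and later)
    rather than the query string, so it does not land in proxy or web-server
    access logs. Load api_key from a secret store, never from source.
    """
    url = f"https://{host}/api/?" + urlencode(
        {"type": "op", "cmd": cli_to_xml(cli_cmd)})
    return url, {"X-PAN-KEY": api_key}


# Assumption: the API returns the same line the CLI prints for `count yes`.
_COUNT_RE = re.compile(r"Number of sessions that match filter:\s*(\d+)")


def parse_session_count(response_xml: str) -> int:
    """Extract the matched-session count; raise on an API error reply."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + ET.tostring(root, encoding="unicode"))
    result = root.find("result")
    text = "".join(result.itertext()) if result is not None else ""
    m = _COUNT_RE.search(text)
    if not m:
        raise ValueError("no session count in response: " + text.strip())
    return int(m.group(1))


# Constructed sample reply (not captured from a real firewall).
SAMPLE_RESPONSE = """<response status="success"><result>
Number of sessions that match filter: 37
</result></response>"""

DECRYPT_COUNT_CMD = "show session all filter ssl-decrypt yes count yes"
CERT_CACHE_CMD = "show system setting ssl-decrypt certificate-cache"

if __name__ == "__main__":
    print(cli_to_xml(DECRYPT_COUNT_CMD))
    print(cli_to_xml(CERT_CACHE_CMD))
    url, headers = op_request("fw.example.net", "<api-key>", DECRYPT_COUNT_CMD)
    print(url, headers)
    print(parse_session_count(SAMPLE_RESPONSE))
```

To run it against a real firewall, send the URL with an HTTP client of your choice, passing the returned headers and a CA bundle that trusts the management interface's certificate, then feed the body to `parse_session_count`. Polling this count from Panorama-managed firewalls is a cheap way to notice a decryption profile that silently stopped matching.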

24
Q

Question #249 Topic 1
Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?
A. removing the Panorama serial number from the ZTP service
B. performing a factory reset of the firewall
C. performing a local firewall commit
D. removing the firewall as a managed device in Panorama

A

C. performing a local firewall commit
or
D. removing the firewall as a managed device in Panorama
(answer uncertain)

25
Q

Question #250 Topic 1
In URL filtering, which component matches URL patterns?
A. live URL feeds on the management plane
B. security processing on the data plane
C. single-pass pattern matching on the data plane
D. signature matching on the data plane

A

(answer uncertain; none recorded on this card)