Q_251-275 Flashcards

1
Q

Question #252 Topic 1
An organization’s administrator has the funds available to purchase more firewalls to increase the organization’s security posture.
The partner SE recommends placing the firewalls as close as possible to the resources that they protect.
Is the SE’s advice correct, and why or why not?
A. No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle, independent of placement.
B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.
C. No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network.
D. Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems.

A

B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.

2
Q

Question #251 Topic 1
In a template, you can configure which two objects? (Choose two.)
A. Monitor profile
B. application group
C. SD-WAN path quality profile
D. IPsec tunnel

A

A. Monitor profile

D. IPsec tunnel

3
Q

Question #253 Topic 1
DRAG DROP -
Match each GlobalProtect component to the purpose of that component.
Select and Place:

A

GP Portal: management function for the GlobalProtect infrastructure
GP Gateway: security enforcement for traffic from GlobalProtect apps
GP App: software on the endpoint that enables access to resources
GP Clientless: secure remote access to common web applications

4
Q

Question #254 Topic 1
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
A. Preview Changes
B. Policy Optimizer
C. Managed Devices Health
D. Test Policy Match

A

D. Test Policy Match

5
Q

Question #255 Topic 1
What is a key step in implementing WildFire best practices?
A. Configure the firewall to retrieve content updates every minute.
B. Ensure that a Threat Prevention subscription is active.
C. In a mission-critical network, increase the WildFire size limits to the maximum value.
D. In a security-first network, set the WildFire size limits to the minimum value.

A

B. Ensure that a Threat Prevention subscription is active.

6
Q

Question #256 Topic 1
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
A. Phase 2 SAs are synchronized over HA2 links.
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
C. Phase 1 SAs are synchronized over HA1 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

A

A. Phase 2 SAs are synchronized over HA2 links.

7
Q

Question #257 Topic 1
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall.
Which Security Profile should be applied to a policy to prevent these packet floods?
A. Vulnerability Protection profile
B. DoS Protection profile
C. Data Filtering profile
D. URL Filtering profile

A

B. DoS Protection profile

8
Q

Question #258 Topic 1
What are three reasons why an installed session can be identified with the “application incomplete” tag? (Choose three.)
A. There was no application data after the TCP connection was established.
B. The client sent a TCP segment with the PUSH flag set.
C. The TCP connection was terminated without identifying any application data.
D. There is not enough application data after the TCP connection was established.
E. The TCP connection did not fully establish.

A

A. There was no application data after the TCP connection was established.

C. The TCP connection was terminated without identifying any application data.

E. The TCP connection did not fully establish.

Incomplete means that either the three-way TCP handshake did not complete, or the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application.

One example: if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.

9
Q

Question #259 Topic 1
Which three statements correctly describe Session 380280? (Choose three.)
A. The application was initially identified as “ssl.”
B. The session has ended with the end-reason “unknown.”
C. The session did not go through SSL decryption processing.
D. The application shifted to “web-browsing.”
E. The session went through SSL decryption processing.

A

A. The application was initially identified as “ssl.”

D. The application shifted to “web-browsing.”
E. The session went through SSL decryption processing.

10
Q

Question #260 Topic 1
An administrator’s device-group commit push is failing due to a new URL category.
How should the administrator correct this issue?
A. update the Firewall Apps and Threat version to match the version of Panorama
B. change the new category action to “alert” and push the configuration again
C. ensure that the firewall can communicate with the URL cloud
D. verify that the URL seed file has been downloaded and activated on the firewall

A

A. update the Firewall Apps and Threat version to match the version of Panorama

This issue happens when the firewall is running an older Applications and Threats content version than Panorama.

11
Q

Question #261 Topic 1
A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
A. Authentication Algorithm
B. Encryption Algorithm
C. Certificate
D. Maximum TLS version
E. Minimum TLS version

A

C. Certificate
D. Maximum TLS version
E. Minimum TLS version

12
Q

Question #262 Topic 1
Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?
A. Layer 3
B. Layer 2
C. Tap
D. Decryption Mirror

A

A. Layer 3

A firewall enabled as a decryption broker uses a pair of dedicated Layer 3 interfaces to forward decrypted traffic to a security chain for inspection. The decryption forwarding interfaces must be assigned to a brand new virtual router.

13
Q

Question #263 Topic 1
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.
Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A

A

Log forwarding should be set!

14
Q

Question #264 Topic 1
Which configuration task is best for reducing load on the management plane?
A. Enable session logging at start
B. Disable logging on the default deny rule
C. Set the URL filtering action to send alerts
D. Disable pre-defined reports

A

D. Disable pre-defined reports

15
Q

Question #265 Topic 1
An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID?
A. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
B. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
C. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
D. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory

A

D. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory

Neither Red Hat Linux nor Terminal Server is supported for server monitoring.

16
Q

Question #266 Topic 1
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?
A. in Threat General Settings, select “Report Grayware Files”
B. within the log settings option in the Device tab
C. in WildFire General Settings, select “Report Grayware Files”
D. within the log forwarding profile attached to the Security policy rule

A

C. in WildFire General Settings, select “Report Grayware Files”

17
Q

Question #267 Topic 1
Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall’s management plane is highly utilized. Given this scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
A. PAN-OS integrated agent
B. Citrix terminal server agent with adequate data-plane resources
C. Captive Portal
D. Windows-based User-ID agent on a standalone server

A

D. Windows-based User-ID agent on a standalone server

18
Q

Question #268 Topic 1
Which component enables you to configure firewall resource protection settings?
A. DoS Protection Profile
B. QoS Profile
C. Zone Protection Profile
D. DoS Protection policy

A

C. Zone Protection Profile

19
Q

Question #269 Topic 1
How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?
A. Choose the download and install action for both members of the HA pair in the Schedule object
B. Switch context to the firewalls to start the download and install process
C. Download the apps to the primary no further action is required
D. Configure the firewall’s assigned template to download the content updates

A

A. Choose the download and install action for both members of the HA pair in the Schedule object

20
Q

Question #270 Topic 1
A Panorama administrator configures a new zone and uses the zone in a new Security policy. After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?
A. merge with candidate config
B. include device and network templates
C. specify the template as a reference template
D. force template values

A

B. include device and network templates

21
Q

Question #271 Topic 1
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?
A. a Security policy with ‘known-user’ selected in the Source User field
B. a Security policy with ‘unknown’ selected in the Source User field
C. an Authentication policy with ‘known-user’ selected in the Source User field
D. an Authentication policy with ‘unknown’ selected in the Source User field

A

D. an Authentication policy with ‘unknown’ selected in the Source User field

Whenever a user requests a resource, the firewall evaluates Authentication policy. Based on the matching policy rule, the firewall then prompts the user to respond to one or more challenges of different factors (types), such as login and password, voice, SMS, push, or one-time password (OTP) authentication.

22
Q

Question #272 Topic 1
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)
A. server certificate
B. SSL/TLS Service Profile
C. certificate profile
D. SSH Service Profile

A

A. server certificate

C. certificate profile

Neither the SSH Service Profile nor the SSL/TLS Service Profile is necessary for certificate-based admin authentication.

23
Q

Question #273 Topic 1
An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?
A. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules
B. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules
C. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules
D. Create the appropriate rules with a Block action and apply them at the top of the Default Rules

A

B. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules

24
Q

Question #274 Topic 1
When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with Palo Alto Networks best practices. What should you recommend?
A. Enable SSL decryption for known malicious source IP addresses
B. Enable SSL decryption for malicious source users
C. Enable SSL decryption for source users and known malicious URL categories
D. Enable SSL decryption for known malicious destination IP addresses

A

C. Enable SSL decryption for source users and known malicious URL categories

25
Q

Question #275 Topic 1
What are two valid deployment options for Decryption Broker? (Choose two.)
A. Transparent Bridge Security Chain
B. Transparent Mirror Security Chain
C. Layer 2 Security Chain
D. Layer 3 Security Chain

A

A. Transparent Bridge Security Chain

D. Layer 3 Security Chain