Q_276-300 Flashcards

1
Q

Question #276 Topic 1
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer
relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
A. show routing protocol bgp rib-out
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp state

A

B. show routing protocol bgp peer

Probably B is a little bit more correct as an answer, as the output is split by peer with additional details, and there is also an option to add “peer-name <name>”, which filters the output to a specific peer only; summary shows them all.

2
Q

Question #277 Topic 1
What is the best description of the HA4 Keep-alive Threshold (ms)?
A. the timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully
synchronizing
B. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
C. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
D. the time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

A

B. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

3
Q

Question #278 Topic 1
An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy?
(Choose three.)
A. GlobalProtect HIP
B. source users
C. App-ID
D. URL categories
E. source and destination IP addresses

/—-??—-/

A

B. source users

D. URL categories
E. source and destination IP addresses

4
Q

Question #279 Topic 1
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet
Buffer Protection apply to?
A. It applies to existing sessions and is not global
B. It applies to existing sessions and is global
C. It applies to new sessions and is global
D. It applies to new sessions and is not global

A

B. It applies to existing sessions and is global

/—-??—-/

5
Q

Question #280 Topic 1
What are two best practices for incorporating new and modified App-IDs? (Choose two.)
A. Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs
B. Study the release notes and install new App-IDs if they are determined to have low impact
C. Configure a security policy rule to allow new App-IDs that might have network-wide impact
D. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs

A

B. Study the release notes and install new App-IDs if they are determined to have low impact
C. Configure a security policy rule to allow new App-IDs that might have network-wide impact

6
Q

Question #281 Topic 1
The manager of the network security team has asked you to help configure the company’s Security Profiles according to Palo Alto Networks best
practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the Internet gateway firewall. Which action
and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?
A. action ‘reset-server’ and packet capture ‘disable’
B. action ‘default’ and packet capture ‘single-packet’
C. action ‘reset-both’ and packet capture ‘extended-capture’
D. action ‘reset-both’ and packet capture ‘single-packet’

A

D. action ‘reset-both’ and packet capture ‘single-packet’

https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles

7
Q

Question #282 Topic 1
An engineer needs to redistribute User-ID mappings from multiple data centers. Which data flow best describes redistribution of user mappings?
A. User-ID agent to firewall
B. firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama

A

B. firewall to firewall

8
Q

Question #283 Topic 1
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone dropdown
list does not include the required zone. What must the administrator do to correct this issue?
A. Add a firewall to both the device group and the template
B. Add the template as a reference template in the device group
C. Enable “Share Unused Address and Service Objects with Devices” in Panorama settings
D. Specify the target device as the master device in the device group

A

B. Add the template as a reference template in the device group

9
Q

Question #284 Topic 1
What best describes the HA Promotion Hold Time?
A. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
C. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

A

A. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost

10
Q

Question #285 Topic 1
A user at an internal system queries the DNS server for their web server with a private IP of 10.250.241.131 in the DMZ. The DNS server returns an
address of the web servers public address, 200.1.1.10. In order to reach the web server, which security rule and U-Turn NAT rule must be
configured on the firewall?
no graphic
A. NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10 Destination Translation address:
10.250.241.131 Security Rule: Source IP: Any Destination Zone: DMZ Destination IP: 10.250.241.131
B. NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10 Destination Translation address:
10.250.241.131 Security Rule: Source Zone: Untrust-L3 Source IP: Any Destination Zone: DMZ Destination IP: 10.250.241.131
C. NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP: 200.1.1.10 Destination Translation address:
10.250.241.131 Security Rule: Source Zone: Untrust-L3 Source IP: Any Destination Zone: DMZ Destination IP: 10.250.241.131
D. NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP: 200.1.1.10 Destination Translation address:
10.250.241.131 Security Rule: Source Zone: Trust-L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10

A

D. NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP: 200.1.1.10 Destination Translation address:
10.250.241.131 Security Rule: Source Zone: Trust-L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10

separated for easier read

NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP: 200.1.1.10 Destination Translation address:
10.250.241.131 (typo in doc should be 10.50.241.131 ARGGGG)

Security Rule: Source Zone: Trust-L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10

NOTE: had to be this one.
In the Security rule, always use the final zone with the in-packet IP
(DMZ with IP 200.1.1.10).

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

11
Q

Question #286 Topic 1
What is considered the best practice with regards to zone protection?
A. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
B. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
C. Set the Alarm Rate threshold for event-log messages to high severity or critical severity
D. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection

A

A. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs

https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices

12
Q

Question #287 Topic 1
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum
amount of bandwidth the administrator could configure at the compute location?
A. 90Mbps
B. 75Mbps
C. 50Mbps
D. 300Mbps

A

C. 50Mbps

https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/prisma-access-for-networks/configure-prisma-access-for-networks/configure-bandwidth-by-compute-location#id2a91f76f-db22-4c25-8c25-91db3701d860

13
Q

Question #288 Topic 1
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow?
A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain

A

B. Layer 3 security chain

14
Q

Question #289 Topic 1
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator
enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action
should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs.
B. Use the scp logdb export command.
C. Export the log database.
D. Use the ACC to consolidate the logs.

A

C. Export the log database.

Answer C is correct, logdb stands for log database, but the command syntax in answer B is wrong:
scp export logdb ===> is good
scp logdb export ===> is not an option from the CLI

15
Q

Question #290 Topic 1
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW. Which interface type is best suited
to provide the raw data for an SLR from the network in a way that is minimally invasive?
A. Layer 2
B. Virtual Wire
C. Tap
D. Layer 3

A

C. Tap

this is how evals were done..

16
Q

Question #291 Topic 1
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed.
In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software. Why did the bootstrap process
fail for the VM-Series firewall in Azure?
A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing
C. The /config or /software folders were missing mandatory files to successfully bootstrap
D. The /content folder is missing from the bootstrap package

A

D. The /content folder is missing from the bootstrap package

“The bootstrap package must include the /config, /license, /software, and /content folders, even if they are empty. The /plugins folder is optional.”

17
Q

Question #292 Topic 1
Which GlobalProtect component must be configured to enable Clientless VPN?
A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway

A

C. GlobalProtect portal

user connects to portal, portal presents page…

18
Q

Question #293 Topic 1
Which statement regarding HA timer settings is true?
A. Use the Moderate profile for typical failover timer settings
B. Use the Critical profile for faster failover timer settings
C. Use the Aggressive profile for slower failover timer settings
D. Use the Recommended profile for typical failover timer settings

A

D. Use the Recommended profile for typical failover timer settings

19
Q

Question #294 Topic 1
You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any
office-suite application?
A. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the office-programs subcategory
D. Create an Application Filter and name it Office Programs, then filter it on the business-systems category

A

C. Create an Application Filter and name it Office Programs, then filter it on the office-programs subcategory

20
Q

Question #295 Topic 1
Which statement is correct given the following message from the PanGPA.log on the GlobalProtect app?
Failed to connect to server at port:4767
A. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPS process failed to connect to the PanGPA process on port 4767
D. The PanGPA process failed to connect to the PanGPS process on port 4767

A

D. The PanGPA process failed to connect to the PanGPS process on port 4767

If there is no active listener on port 4767, the service didn’t start properly. Refer to the PanGPS.log for more information as to why or investigate other custom OS changes that could cause conflict.

If there is a listener, try connecting to the port by using the telnet command: telnet 127.0.0.1 4767

21
Q

Question #296 Topic 1
A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only Internet egress for the connected
clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses
were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
How can you configure Prisma Access to provide the same level of access as the current VPN solution?
A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet
B. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the
Internet
C. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the Internet
D. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the Internet

A

A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet

Guess…

22
Q

Question #297 Topic 1
An administrator analyzes the following portion of a VPN system log and notices the following issue:
Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0.
What is the cause of the issue?
A. bad local and peer identification IP addresses in the IKE gateway
B. IPSec crypto profile mismatch
C. mismatched Proxy-IDs
D. IPSec protocol mismatch

A

C. mismatched Proxy-IDs

10.10.1.4/24 vs. 10.1.10.4/24 –> Proxy-IDs are mismatched

23
Q

Question #298 Topic 1
A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in
the environment. They want to ensure that they know as much as they can about QoS before deploying. Which statement about the QoS feature is correct?
A. QoS can be used in conjunction with SSL decryption
B. QoS is only supported on hardware firewalls
C. QoS is only supported on firewalls that have a single virtual system configured
D. QoS can be used on firewalls with multiple virtual systems configured

A

D. QoS can be used on firewalls with multiple virtual systems configured

24
Q

Question #299 Topic 1
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as
illustrated in the diagram?

graphics show o’s and 1’s with organization, us national cash register headings

A. IP Netmask
B. IP Range
C. IP Address
D. IP Wildcard Mask

A

D. IP Wildcard Mask

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects

Another question in the exam asks what kind of IP this is: 10.132.1.1/0.0.2.255,
which is also considered an IP wildcard mask.

25
Q

Question #300 Topic 1
Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?

A. No, because WildFire classified the severity as high
B. Yes, because the action is set to allow
C. No, because WildFire categorized a file with the verdict “malicious”
D. Yes, because the action is set to alert

A

B. Yes, because the action is set to allow
—or—
D. Yes, because the action is set to alert

majority said “B”