Q_301-325 Flashcards
Question #301 Topic 1
Which statement is true regarding a Best Practice Assessment?
A. It runs only on firewalls
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
C. It shows how your current configuration compares to Palo Alto Networks recommendations
D. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities
C. It shows how your current configuration compares to Palo Alto Networks recommendations
Question #302 Topic 1
What are three important considerations during SD-WAN configuration planning? (Choose three.)
A. link requirements
B. IP Addresses
C. connection throughput
D. dynamic routing
E. branch and hub locations
A. link requirements
B. IP Addresses
E. branch and hub locations
Question #303 Topic 1
A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully
managing the firewall?
A. Use the “import device configuration to Panorama” operation, then “export or push device config bundle” to push the configuration
B. Use the “import Panorama configuration snapshot” operation, then perform a device-group commit push with “include device and network
templates”
C. Use the “import Panorama configuration snapshot” operation, then “export or push device config bundle” to push the configuration
D. Use the “import device configuration to Panorama” operation, then perform a device-group commit push with “include device and network
templates”
A. Use the “import device configuration to Panorama” operation, then “export or push device config bundle” to push the configuration
Question #305 Topic 1
An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has
already ended.
Where would you find this in Panorama or firewall logs?
A. System Logs
B. Session Browser
C. You cannot find failover details on closed sessions
D. Traffic Logs
/—??—/ D (75%)
D. Traffic Logs
Question #306 Topic 1
Where is information about packet buffer protection logged?
A. All entries are in the System log
B. All entries are in the Alarms log
C. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log
D. Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log
D. Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log
SYSTEM and THREAT logs
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4
Question #307 Topic 1
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate.
End-users are receiving the “security certificate is not trusted” warning. Without SSL decryption, the web browser shows that the website
certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/ website
2. End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?
A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration
B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores
C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
D. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
/—??—/ C (86%), unclear: SSL should be NON-Public certs
C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
Question #308 Topic 1
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the
administrator identify the configuration changes?
A. review the configuration logs on the Monitor tab
B. use Test Policy Match to review the policies in Panorama
C. context-switch to the affected firewall and use the configuration audit tool
D. click Preview Changes under Push Scope
A. review the configuration logs on the Monitor tab
Question #309 Topic 1
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate.
They have also created a Forward Trust and Forward Untrust certificate and set them as such.
The admin has not yet installed the root certificate onto client systems.
What effect would this have on decryption functionality?
A. Decryption will not function because self-signed root certificates are not supported
B. Decryption will function, but users will see certificate warnings for each SSL site they visit
C. Decryption will not function until the certificate is installed on client systems
D. Decryption will function, and there will be no effect to end users
B. Decryption will function, but users will see certificate warnings for each SSL site they visit
Question #310 Topic 1
A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator
needs to minimize the BGP configuration and management overhead on on-prem network devices.
What should the administrator implement?
A. hot potato routing
B. summarized BGP routes before advertising
C. default routing
D. target service connection for traffic steering
/—??—/
C. default routing
Question #311 Topic 1
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites
have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these
sites will therefore be blocked if decrypted.
How should the engineer proceed?
A. Create a Security policy to allow access to those sites
B. Install the unsupported cipher into the firewall to allow the sites to be decrypted
C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
D. Allow the firewall to block the sites to improve the security posture
C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
Question #312 Topic 1
A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent performance?
A. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
B. Use Decryption profiles to drop traffic that uses processor-intensive ciphers
C. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk
traffic
D. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk
traffic
C. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
i.e., PFS = high priority = processor-intensive.
From docs: you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic.
Question #313 Topic 1
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
graphic
A. unknown-udp
B. not-applicable
C. insufficient-data
D. incomplete
Correct Answer: D
Traffic details show UDP port 443
A. unknown-udp
It is a UDP connection on port 443. This would trigger unknown-udp. Incomplete is used in TCP connections only.
Question #314 Topic 1
A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure
certificate-based administrator authentication to the web UI? (Choose two.)
A. client certificate
B. certificate profile
C. certificate authority (CA) certificate
D. server certificate
B. certificate profile
C. certificate authority (CA) certificate
Step 1. Generate a CA certificate ON THE FIREWALL. Step 2. Create a certificate profile for securing access to the web interface. The crux of the question is what is needed ON THE FIREWALL.
Correct Answer: BC
Question #315 Topic 1
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN
profile?
A. Traffic Distribution profile
B. Path Quality profile
C. Certificate profile
D. SD-WAN interface profile
D. SD-WAN interface profile
Question #316 Topic 1
DRAG DROP -
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to
determine routing priority.
Match the default Administrative Distances for each routing protocol.
Select and Place:
EBGP - 20
RIP - 120
Static - 10
OSPF External - 110