Q_326-350 Flashcards

1
Q

Question #326 Topic 1
What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?
A. CSP Responder
B. Certificate profile
C. SCEP
D. SSL/TLS Service profile

A

C. SCEP

2
Q

Question #327 Topic 1
A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server, www.xyz.com.
The DNS server returns an address of 172.16.15.1.
In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?
[graphic]
A. NAT Rule: Untrust-L3 (any) - Untrust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing
B. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (192.168.15.47) - Application: Web-browsing
C. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing
D. NAT Rule: Untrust-L3 (any) - Untrust-L3 (any) Destination Translation: 192.168.15.1 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

A

A. NAT Rule: Untrust-L3 (any) - Untrust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

Read carefully.

3
Q

Question #328 Topic 1
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
A. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.
B. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use IP User Mapping. Commit.
C. Choose the URL categories on Site Access column and set action to block. Click the User Credential Detection tab and select IP User Mapping. Commit.
D. Choose the URL categories in the User Credential Submission column and set action to block. Select the URL filtering settings and enable Domain Credential Filter. Commit.

A

A. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.

Domain credential includes both username and password

4
Q

Question #329 Topic 1
WildFire will submit for analysis blocked files that match which profile settings?
A. files matching Anti-Spyware signatures
B. files matching Anti-Virus signatures
C. files that are blocked by a File Blocking profile
D. files that are blocked by URL filtering

A

B. files matching Anti-Virus signatures

If you enabled WildFire forwarding on your firewall, the firewall now submits blocked files that match antivirus signatures for WildFire analysis, in
addition to unknown files.

5
Q

Question #330 Topic 1
A firewall has Security policies from three sources:
1. locally created policies
2. shared device group policies as pre-rules
3. the firewall’s device group as post-rules
How will the rule order populate once pushed to the firewall?
A. shared device group policies, local policies, firewall device group policies
B. firewall device group policies, local policies, shared device group policies
C. local policies, firewall device group policies, shared device group policies
D. shared device group policies, firewall device group policies, local policies

A

A. shared device group policies, local policies, firewall device group policies

tricky !!!

6
Q

Question #331 Topic 1
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
A. logging
B. signature matching for content inspection
C. Quality of Service
D. IPSec tunnel standup

A

A. logging

mgt aka control plane

7
Q

Question #332 Topic 1
An administrator wants to enable WildFire inline machine learning.
Which three file types does WildFire inline ML analyze? (Choose three.)
A. APK
B. VBscripts
C. Powershell scripts
D. ELF
E. MS Office

A

C. Powershell scripts
D. ELF
E. MS Office

“PEM”

WildFire inline ML enables the firewall dataplane to apply machine learning on PE (Portable Executable), ELF (Executable and Linkable Format) and MS Office files, and PowerShell and shell scripts in real time.

8
Q

Question #333 Topic 1
An administrator needs to assign a specific DNS server to one firewall within a device group.
Where would the administrator go to edit a template variable at the device level?
A. PDF Export under Panorama > templates
B. Variable CSV export under Panorama > templates
C. Managed Devices > Device Association
D. Manage variables under Panorama > templates

A

(32%) B. Variable CSV export under Panorama > templates
or
(68%) D. Manage variables under Panorama > templates clone only …

9
Q

Question #334 Topic 1
What is a feature of the PA-440 hardware platform?
A. It supports Zero Touch Provisioning to assist in automated deployments.
B. It supports 10GbE SFP+ modules.
C. It has twelve 1GbE Copper ports.
D. It has dedicated interfaces for high availability.

A

A. It supports Zero Touch Provisioning to assist in automated deployments.

10
Q

Question #335 Topic 1
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch.
Which statement is correct about the configuration of the interfaces assigned to an aggregated interface group?
A. They can have different hardware media such as the ability to mix fiber optic and copper.
B. They can have a different interface type such as Layer 3 or Layer 2.
C. They can have a different interface type from an aggregate interface group.
D. They can have a different bandwidth.

A

A. They can have different hardware media such as the ability to mix fiber optic and copper.

Before configuring an aggregate group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth and interface type must be the same.

11
Q

Question #336 Topic 1
A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to use features like App-ID and SSL decryption.
Which order of steps is best to complete this migration?
A. First migrate SSH rules to App-ID; then implement SSL decryption.
B. Configure SSL decryption without migrating port-based security rules to App-ID rules.
C. First implement SSL decryption; then migrate port-based rules to App-ID rules.
D. First migrate port-based rules to App-ID rules; then implement SSL decryption.

A

D. First migrate port-based rules to App-ID rules; then implement SSL decryption.

port>app>ssl PAS

12
Q

Question #337 Topic 1
A security engineer received multiple reports of an IPSec VPN tunnel going down the night before. The engineer couldn’t find any events related to
VPN under system logs.
What is the likely cause?
A. Tunnel Inspection settings are misconfigured.
B. The log quota for GTP and Tunnel needs to be adjusted.
C. The Tunnel Monitor is not configured.
D. Dead Peer Detection is not enabled.

A

C. The Tunnel Monitor is not configured.

13
Q

Question #338 Topic 1
A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone.
What should the firewall administrator do to mitigate this type of attack?
A. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
B. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone.
C. Enable packet buffer protection in the outside zone.
D. Create a Security rule to deny all ICMP traffic from the outside zone.

A

A. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.

14
Q

Question #339 Topic 1
The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to “Auto” under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.
Why is the AE interface showing down on the passive firewall?
A. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP selection on the LACP tab of the AE Interface.
B. It does not perform pre-negotiation LACP unless “Enable in HA Passive State” is selected under the High Availability Options on the LACP tab of the AE Interface.
C. It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP selection on the LACP tab of the AE Interface.
D. It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable LACP selection on the LACP tab of the AE Interface.

A

B. It does not perform pre-negotiation LACP unless “Enable in HA Passive State” is selected under the High Availability Options on the LACP tab of the AE Interface.

LACP —“Enable in HA Passive State”

15
Q

Question #340 Topic 1
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.
Which profile should be configured in order to achieve this?
A. Certificate profile
B. SSL/TLS Service profile
C. SSH Service profile
D. Decryption profile

A

C. SSH Service profile

16
Q

Question #341 Topic 1
An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?
A. Specify the subinterface as a management interface in Setup > Device > Interfaces.
B. Add the network segment’s IP range to the Permitted IP Addresses list.
C. Enable HTTPS in an Interface Management profile on the subinterface.
D. Configure a service route for HTTP to use the subinterface.

A

C. Enable HTTPS in an Interface Management profile on the subinterface.

From the admin guide:
To use the API (XML or REST), you must enable API access for your administrators and get your API key. By default, the firewall and Panorama support API requests over HTTPS. To make API requests over HTTP, you must configure an interface management profile.

17
Q

Question #342 Topic 1
A client wants to detect the use of weak and manufacturer-default passwords for IoT devices.
Which option will help the customer?
A. Configure a Data Filtering profile with alert mode.
B. Configure an Antivirus profile with alert mode.
C. Configure an Anti-Spyware profile with alert mode.
D. Configure a Vulnerability Protection profile with alert mode.

A

D. Configure a Vulnerability Protection profile with alert mode.

confirmed in firewall

18
Q

Question #343 Topic 1
When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?
A. Radius
B. Kerberos
C. LDAP
D. Local

A

D. Local

SSH keys are configured locally.

19
Q

Question #344 Topic 1
An engineer needs to see how many existing SSL decryption sessions are traversing a firewall.
What command should be used?
A. debug sessions | match proxy
B. debug dataplane pool statistics | match proxy
C. show dataplane pool statistics | match proxy
D. show sessions all

A

B. debug dataplane pool statistics | match proxy

20
Q

Question #345 Topic 1
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture
cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
A. #set deviceconfig setting session tcp-reject-non-syn no
B. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set “Reject Non-syn-TCP” to Global. Set “Asymmetric Path” to Global.
C. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set “Reject Non-syn-TCP” to No. Set “Asymmetric Path” to Bypass.

A

/—??—/ need to narrow down. ONLY 2

A. #set deviceconfig setting session tcp-reject-non-syn no

B. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set “Reject Non-syn-TCP” to Global. Set “Asymmetric Path” to Global.

D. > set session tcp-reject-non-syn no

21
Q

Question #346 Topic 1
A company is using wireless controllers to authenticate users.
Which source should be used for User-ID mappings?
A. server monitoring
B. XFF headers
C. Syslog
D. client probing

A

C. Syslog

22
Q

Question #347 Topic 1
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that
authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided
smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
A. agentless User-ID with redistribution
B. Syslog listener
C. captive portal
D. standalone User-ID agent

A

B. Syslog listener (93 %)

23
Q

Question #348 Topic 1
You have upgraded your Panorama and Log Collectors to 10.2.x.
Before upgrading your firewalls using Panorama, what do you need to do?
A. Commit and Push the configurations to the firewalls.
B. Refresh your licenses with Palo Alto Network Support - Panorama/Licenses/Retrieve License Keys from License Server.
C. Refresh the Master Key in Panorama/Master Key and Diagnostic.
D. Re-associate the firewalls in Panorama/Managed Devices/Summary.

A

A. Commit and Push the configurations to the firewalls.

24
Q

Question #349 Topic 1
Which steps should an engineer take to forward system logs to email?
A. Create a new email profile under Device > server profiles; then navigate to Device > Log Settings > System and add the email profile under
email.
B. Enable log forwarding under the email profile in the Objects tab.
C. Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the
add email profile.
D. Enable log forwarding under the email profile in the Device tab.

A

A. Create a new email profile under Device > server profiles; then navigate to Device > Log Settings > System and add the email profile under email.

25
Q

Question #350 Topic 1
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action.
How can the administrator create an exception for this particular file?
A. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
B. Disable the WildFire profile on the related Security policy.
C. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
D. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

A

D. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

The File Exceptions table allows you to define specific files that you do not want analyzed, such as false-positives.
To create a new file exception entry, Add a new entry and provide the partial hash, filename, and description of the file that you want to exclude from enforcement.