Q_351-375 Flashcards
Question #351 Topic 1
What can be used to create dynamic address groups?
A. tags
B. FQDN addresses
C. dynamic address
D. region objects
A. tags
Question #352 Topic 1
A firewall administrator wants to avoid overflowing the company syslog server with traffic logs.
What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?
A. Disable logging on security rules allowing DNS.
B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application not equal to DNS.
C. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application equal to DNS.
D. Create a security rule to deny DNS traffic with the syslog server in the destination.
B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application not equal to DNS.
Question #353 Topic 1
An administrator has configured a pair of firewalls using high availability in Active/Passive mode.
Path Monitoring has been enabled with a Failure Condition of “any.”
A path group is configured with Failure Condition of “all” and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.
Which scenario will cause the Active firewall to fail over?
A. IP address 8.8.8.8 is unreachable for 1 second.
B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds.
C. IP address 4.2.2.2 is unreachable for 2 seconds.
D. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds.
Question says “AND”
500 ms x 3 = 1.5 sec.
Question #354 Topic 1
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time.
How can they achieve this?
A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
C. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
D. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
B. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
must push to PANORAMA first…
PUSH not export
Question #355 Topic 1
Which configuration is backed up using the Scheduled Config Export feature in Panorama?
A. Panorama running configuration and running configuration of all managed devices
B. Panorama candidate configuration
C. Panorama candidate configuration and candidate configuration of all managed devices.
D. Panorama running configuration
A. Panorama running configuration and running configuration of all managed devices
Question #356 Topic 1
While analyzing the Traffic log, you see that some entries show “unknown-tcp” in the Application column.
What best explains these occurrences?
A. A handshake did take place, but the application could not be identified.
B. A handshake took place, but no data packets were sent prior to the timeout.
C. A handshake did not take place, and the application could not be identified.
D. A handshake took place; however, there were not enough packets to identify the application.
A. A handshake did take place, but the application could not be identified.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
Question #357 Topic 1
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors.
When upgrading Log Collectors to 10.2, you must do what?
A. Upgrade the Log Collectors one at a time.
B. Add Panorama Administrators to each Managed Collector.
C. Upgrade all the Log Collectors at the same time.
D. Add a Global Authentication Profile to each Managed Collector.
C. Upgrade all the Log Collectors at the same time.
You must upgrade all Log Collectors in a collector group at the same time to avoid losing log data.
Question #358 Topic 1
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama.
In which section is this configured?
A. Templates > Device > Log Settings
B. Device Groups > Objects > Log Forwarding
C. Monitor > Logs > Traffic
D. Panorama > Managed Devices
B. Device Groups > Objects > Log Forwarding
The profile defines the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
Select Objects > Log Forwarding, select the Device Group of the firewalls that will forward logs, and Add a profile.
Question #359 Topic 1
An engineer is pushing configuration from Panorama to a managed firewall.
What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
A. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
B. The firewall rejects the pushed configuration, and the commit fails.
C. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects.
D. The firewall renames the duplicate local objects with “-1” at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.
A. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
Question #360 Topic 1
Which Panorama feature protects logs against data loss if a Panorama server fails?
A. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
B. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.
C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
D. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
A. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group.
Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors.
Question #361 Topic 1
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers.
Where can the administrator find the corresponding logs after running a test command to initiate the VPN?
A. Traffic logs
B. System logs
C. Tunnel Inspection logs
D. Configuration logs
B. System logs
Question #362 Topic 1
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
A. Create an Application Override using TCP ports 443 and 80.
B. Add the HTTP, SSL, and Evernote applications to the same Security policy.
C. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
D. Add only the Evernote application to the Security policy rule.
D. Add only the Evernote application to the Security policy rule.
Implicitly: the application depends on other applications, but you don’t need to allow them.
Explicitly: you need to allow the other application it depends on for it to work as expected [add it to the same rule].
Question #363 Topic 1
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
A. Legacy
B. Management Only
C. Log Collector
D. Panorama
B. Management Only
Eliminate any on-board logging: Legacy, Panorama. Log Collector turns the Panorama into ONLY a log collector.
Question #364 Topic 1
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
A. Use the Dynamic IP address type.
B. Enable Passive Mode.
C. Set up certificate authentication.
D. Configure the peer address as an FQDN.
A. Use the Dynamic IP address type.
“Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation.” and
“Enable Passive Mode: Click (NOT Cfg BS ques) to have the firewall only respond to IKE connections and never initiate them.”
Question #365 Topic 1
An administrator is seeing one of the firewalls in a HA active/passive pair moved to “suspended” state due to Non-functional loop.
Which three actions will help the administrator resolve this issue? (Choose three.)
A. Check the HA Link Monitoring interface cables.
B. Check High Availability > Active/Passive Settings > Passive Link State
C. Check the High Availability > Link and Path Monitoring settings.
D. Check the High Availability > HA Communications > Packet Forwarding settings.
E. Use the CLI command show high-availability flap-statistics
A. Check the HA Link Monitoring interface cables.
C. Check the High Availability > Link and Path Monitoring settings.
E. Use the CLI command show high-availability flap-statistics
TRICK: invalid path. High Availability > Active/Passive Settings > Passive Link State doesn’t exist on PAN ???