Q_401-425 Flashcards
Question #401 Topic 1
An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not
seem to be coming up.
If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the
CLI?
A. show system state filter sw.dev.interface.config
B. show chassis status slot s1
C. show system state filter-pretty sys.s1.*
D. show system state filter ethernet1/1
C. show system state filter-pretty sys.s1.*
Question #402 Topic 1
An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool with a decrypt mirror interface.
Which statement is true regarding the configuration of the Decryption Port Mirroring feature?
A. The engineer should install the Decryption Port Mirror license and reboot the firewall.
B. The PA-850 firewall does not support decrypt mirror interface, so the engineer needs to upgrade the firewall to PA-3200 series.
C. The engineer must assign an IP from the same subnet with the forensic tool to the decrypt mirror interface.
D. The engineer must assign the related virtual-router to the decrypt mirror interface.
A. The engineer should install the Decryption Port Mirror license and reboot the firewall.
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and is activated through the Customer Support Portal. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.
Question #403 Topic 1
Which statement is true regarding a heatmap in a BPA report?
A. When guided by authorized sales engineer, it helps determine the areas of the greatest security risk.
B. It runs only on firewalls.
C. It provides a percentage of adoption for each assessment area.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
C. It provides a percentage of adoption for each assessment area.
BPA contains the following:
The Adoption Heatmap analyzes Panorama network security management and individual NGFW configurations to see how you are leveraging Palo Alto Networks prevention capabilities. Specifically, the tool analyzes your rule base to identify whether our capabilities are being leveraged where relevant.
The Best Practice Assessment evaluates configurations, identifies risks and gives recommendations for how you can address any found issues.
Question #404 Topic 1
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
A. A Certificate profile should be configured with a trusted root CA
B. An SSL/TLS Service profile should be configured with a certificate assigned.
C. An Interface Management profile with HTTP and HTTPS enabled should be configured.
D. An Authentication profile with the allow list of users should be configured.
B. An SSL/TLS Service profile should be configured with a certificate assigned.
Question #405 Topic 1
In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has
an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
A. System logs
B. WildFire logs
C. Threat logs
D. Traffic logs
B. WildFire logs
WildFire logs: the Log Forwarding Profile has a separate WildFire Submission log type with its own "Panorama" checkbox. Forwarding threat or traffic logs does not carry WildFire logs, so they must be forwarded explicitly.
Question #406 Topic 1
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames.
The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events.
All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27.
The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28.
What information does the administrator need to provide in the User Identification > Discovery section?
A. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers
B. network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange
C. one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers
D. network 192.168.28.32/27 with server type Microsoft
A. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers
Trick: the Discovery entry type can only be a Server Type (Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, or Syslog Sender), so each server must be listed individually with its own IP address; you cannot enter a subnet.
Question #407 Topic 1
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests
coming from IP 172.16.15.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
First check the source and destination zones to rule out options.
D. NAT Rule:
Source Zone: Trust -
Source IP: Any -
Destination Zone: Server -
Destination IP: 172.16.15.10 -
Source Translation: dynamic-ip-and-port / ethernet1/4
Security Rule:
Source Zone: Trust -
Source IP: Any -
Destination Zone: Server -
Destination IP: 172.16.15.10 -
Application: ssh
Question #408 Topic 1
What is the best definition of the Heartbeat Interval?
A. the interval during which the firewall will remain active following a link monitor failure
B. the frequency at which the HA peers exchange ping
C. the interval in milliseconds between hello packets
D. the frequency at which the HA peers check link or path availability
B. the frequency at which the HA peers exchange ping
On-board help: Heartbeat Interval (ms)—Specify how frequently the HA peers exchange heartbeat messages in the form of an ICMP ping (range is 1,000 to 60,000; there is no default).
Question #409 Topic 1 –graphic
A QoS profile is configured as shown in the image. The following throughput is realized:
Class 3 traffic 325Mbps - Priority high
Class 5 traffic 470Mbps - Priority high
Class 7 traffic: 330Mbps - Priority low !!!
What happens as a result? (Note: each realized throughput above is HIGHER than that class's Egress Guaranteed value.)
A. Available bandwidth from the unused classes will be used to maintain the Egress Guaranteed throughput for each.
B. Class 7 traffic will have the most packets dropped in favor of Classes 3 and 5 maintaining their Egress Guaranteed throughput.
B. Class 7 traffic will have the most packets dropped in favor of Classes 3 and 5 maintaining their Egress Guaranteed throughput.
When contention occurs, traffic that is assigned a lower priority is dropped. Real-time priority uses its own separate queue.
Question #410 Topic 1
Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)
A. Check dependencies
B. Schedules
C. Verify
D. Revert content
E. Install
B. Schedules
D. Revert content
E. Install
Schedules—Schedule dynamic content updates to be pushed to managed devices.
Revert Content—Revert managed firewalls and Log Collectors to the previously installed content version.
Install—Click Install in the Action column and select the managed devices on which to install the update.
Question #411 Topic 1
A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are
reporting that they are unable to access the application.
What must be enabled to allow an interface to forward multicast traffic?
A. IGMP
B. SSM
C. BFD
D. PIM
D. PIM
In the virtual router's multicast interface group, PIM must be enabled on an interface for it to forward multicast traffic; IGMP is enabled on receiver-facing interfaces to process group membership (join/leave) messages.
Question #412 Topic 1 –graphic (does NOT show all of Server-1's device-group assignments)
Misdirection: FW-1 is in neither REGIONAL_DG nor OFFICE_FW_DG; FW-2 is in OFFICE_FW_DG.
Look for override icons.
Review the screenshots and consider the following information:
* FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG
* There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
A. Server-1 on FW-1 will have IP 2.2.2.2
Server-1 will not be pushed to FW-2
B. Server-1 on FW-1 will have IP 3.3.3.3
Server-1 will not be pushed to FW-2
C. Server-1 on FW-1 will have IP 1.1.1.1
Server-1 will not be pushed to FW-2
D. Server-1 on FW-1 will have IP 4.4.4.4
Server-1 on FW-2 will have IP 1.1.1.1
DRAW this out
D. Server-1 on FW-1 will have IP 4.4.4.4
Server-1 on FW-2 will have IP 1.1.1.1
FW-1_DG shows the override icon on Server-1, so FW-1 does not use the Shared value and gets 4.4.4.4.
OFFICE_FW_DG (and its parent REGIONAL_DG) has no objects, so FW-2 inherits Server-1 from Shared only and gets 1.1.1.1.
Question #413 Topic 1
Given the Sample Log Forwarding Profile shown, which two statements are true? (Choose two.)
A. All traffic from source network 192.168.100.0/24 is sent to an external syslog target.
B. All threats are logged to Panorama.
C. All traffic logs from RFC 1918 subnets are logged to Panorama / Cortex Data Lake.
D. All traffic from source network 172.12.0.0/24 is sent to Panorama / Cortex Data Lake.
A. All traffic from source network 192.168.100.0/24 is sent to an external syslog target.
C. All traffic logs from RFC 1918 subnets are logged to Panorama / Cortex Data Lake.
Remember subnet basics: 172.12.0.0/24 is NOT inside 172.16.0.0/12 (that block runs 172.16 through 172.31), so option D is false.
The RFC1918 address space includes the following networks:
10.0.0.0 – 10.255.255.255 (10/8 prefix)
172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
Misc-1 The RFC1918 address space includes the following networks. What are the address ranges?
(10/8 prefix)
(172.16/12 prefix)
(192.168/16 prefix)
Address ranges:
10.0.0.0 – 10.255.255.255 (10/8 prefix)
172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
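Added example (not part of the flashcards, and not Palo Alto Networks code) covering the subnet reasoning behind Q413 and the Misc-1 card: it expands the three RFC 1918 prefixes to their first/last addresses and checks whether a candidate source network is wholly inside private space. The RFC 1918 blocks are real; the candidate prefixes are the ones named in Q413's options (192.168.100.0/24 and 172.12.0.0/24) plus constructed edge cases around the 172.16/12 boundary.

```python
import ipaddress

# The three RFC 1918 private address blocks (these are the real ranges).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def address_ranges():
    """Expand each RFC 1918 prefix to (prefix, first address, last address).

    This is the arithmetic the flashcard asks you to memorise: a /12 leaves
    4 bits of the second octet for hosts, so 172.16.0.0/12 ends at
    172.31.255.255 and 172.12.x.x / 172.32.x.x are outside it.
    """
    return [
        (str(block), str(block.network_address), str(block.broadcast_address))
        for block in RFC1918_BLOCKS
    ]


def rfc1918_parent(network):
    """Return the RFC 1918 block that fully contains `network`, else None.

    The whole subnet must fit inside the block, not just its first address:
    a prefix that starts in 192.168/16 but spills past it is not private.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        return None  # RFC 1918 is IPv4 only
    for block in RFC1918_BLOCKS:
        if net.subnet_of(block):
            return block
    return None


def is_rfc1918(network):
    """True if every address in `network` is RFC 1918 private space."""
    return rfc1918_parent(network) is not None


def classify(networks):
    """Map each candidate prefix to its containing RFC 1918 block, or 'public'."""
    result = {}
    for n in networks:
        parent = rfc1918_parent(n)
        result[n] = str(parent) if parent is not None else "public"
    return result


if __name__ == "__main__":
    # Constructed candidates: Q413's two source networks plus boundary cases.
    candidates = [
        "192.168.100.0/24",  # option A/C: private (192.168/16)
        "172.12.0.0/24",     # option D: looks private, is not (172.12 < 172.16)
        "172.31.255.0/24",   # last /24 inside 172.16/12
        "172.32.0.0/24",     # first /24 past the 172.16/12 boundary
        "192.168.0.0/15",    # starts in 192.168/16 but spills into 192.169: not private
    ]
    for prefix, first, last in address_ranges():
        print(f"{prefix:<16} {first} - {last}")
    for net, verdict in classify(candidates).items():
        print(f"{net:<18} -> {verdict}")
```

Containment is checked with `subnet_of`, so a match criterion written for "RFC 1918 subnets" in a Log Forwarding Profile would only be satisfied by prefixes entirely inside one of the three blocks.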
Question #414 Topic 1
Which benefit do policy rule UUIDs provide?
A. Functionality for scheduling policy actions
B. The use of user IP mapping and groups in policies
C. An audit trail across a policy’s lifespan
D. Cloning of policies between device-groups
C. An audit trail across a policy’s lifespan
To keep track of rules within a rulebase, you can refer to the rule number, which changes depending on the order of a rule in the rulebase. The rule number determines the order in which the firewall applies the rule.
The universally unique identifier (UUID) for a rule never changes even if you modify the rule, such as when you change the rule name. The UUID allows you to track the rule across rulebases even after you deleted the rule.