Q_426-450 Flashcards

1
Q

Question #426 Topic 1
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?
A. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
B. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.
D. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

A

A. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

You can assign any one firewall or virtual system (vsys) to only one device group.

2
Q

Question #427 Topic 1
An engineer needs to collect User-ID mappings from the company’s existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
A. Client probing
B. XFF Headers
C. Syslog
D. Server Monitoring

A

B. XFF Headers
C. Syslog

3
Q

Question #428 Topic 1
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the
enterprise PKI that expires December 31, 2025.
The validity date on the PA-generated certificate is taken from what?
A. The root CA
B. The untrusted certificate
C. The server certificate
D. The trusted certificate

A

C. The server certificate

The validity date on the Palo Alto Networks firewall-generated certificate is taken from the validity date on the real server certificate.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8wCAC

4
Q

Question #429 Topic 1
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to
be changed to match the peer.
Where should this change be made?
A. IKE Gateway profile
B. IPSec Crypto profile
C. IKE Crypto profile
D. IPSec Tunnel settings

A

B. IPSec Crypto profile

5
Q

Question #430 Topic 1
Which statement about High Availability timer settings is true?
A. Use the Moderate timer for typical failover timer settings.
B. Use the Critical timer for faster failover timer settings.
C. Use the Aggressive timer for faster failover timer settings.
D. Use the Recommended timer for faster failover timer settings.

A

C. Use the Aggressive timer for faster failover timer settings.

6
Q

Question #431 Topic 1
A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI.
Where can they find this information?
A. Routes listed in the routing table with flags Oi
B. Routes listed in the routing table with flags A?B
C. Under the BGP Summary tab
D. Routes listed in the forwarding table with BGP in the Protocol column

A

B. Routes listed in the routing table with flags A?B

A?B—Active and learned via BGP

7
Q

Question #432 Topic 1
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
A. PA-220
B. PA-800 Series
C. PA-5000 Series
D. PA-500
E. PA-3400 Series

A

A. PA-220
B. PA-800 Series
E. PA-3400 Series

The PA-500 and PA-5000 Series are end of life (EOL) and do not support PAN-OS 10.2.

8
Q

Question #433 Topic 1
As a best practice, logging at session start should be used in which case?
A. While troubleshooting
B. Only on Deny rules
C. Only when log at session end is enabled
D. On all Allow rules

A

A. While troubleshooting

9
Q

Question #434 Topic 1
What must be configured to apply tags automatically to User-ID logs?
A. User mapping
B. Log Forwarding profile
C. Log settings
D. Group mapping

A

C. Log settings

For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

10
Q

Question #435 Topic 1
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from
the internet.
Which profile is the engineer configuring?
A. Vulnerability Protection
B. DoS Protection
C. Packet Buffer Protection
D. Zone Protection

A

B. DoS Protection

11
Q

Question #436 Topic 1
Which states will a pair of firewalls be in if their HA Group ID is mismatched?
A. Active/Non-functional
B. Active/Passive
C. Init/Init
D. Active/Active

A

A. Active/Non-functional

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN3kCAG&lang=en_US

12
Q

Question #437 Topic 1
An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are
behind a NAT, and NAT-T is enabled.
How can the engineer remediate this issue?
A. Add a Security policy to allow UDP/500.
B. Add a Security policy to allow the IKE application.
C. Add a Security policy to allow the IPSec application.
D. Add a Security policy to allow UDP/4501.

A

C. Add a Security policy to allow the IPSec application.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

If NAT-T is enabled, the IKE exchange moves from UDP/500 to UDP/4500 starting with the 5th and 6th messages, so allowing only UDP/500 is not enough; the IPSec application (ipsec-esp-udp) covers UDP 4500/4501.

13
Q

Question #438 Topic 1
An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT
department.
Which dynamic role does the administrator assign to the new-hire colleague?
A. Superuser (read-only)
B. Device administrator (read-only)
C. Firewall administrator (read-only)
D. System administrator (read-only)

A

B. Device administrator (read-only)

Device administrator (read-only)—Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible).
Only Superuser and Device admin are “Dynamic Roles”.

14
Q

Question #439 Topic 1
An engineer has been given approval to upgrade their environment to PAN-OS 10.2.
The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors.
What is the recommended order when upgrading to PAN-OS 10.2?
A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama
B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

A

D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

15
Q

Question #440 Topic 1
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also
installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
A. The forward trust certificate has not been signed by the self-signed root CA certificate.
B. The forward trust certificate has not been installed in client systems.
C. The forward untrust certificate has not been signed by the self-signed root CA certificate.
D. The self-signed CA certificate has the same CN as the forward trust and untrust certificates

A

A. The forward trust certificate has not been signed by the self-signed root CA certificate.

16
Q

Question #441 Topic 1
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.
What should they review with their leadership before implementation?
A. Browser-supported cipher documentation
B. Cipher documentation supported by the endpoint operating system
C. URL risk-based category distinctions
D. Legal compliance regulations and acceptable usage policies

A

D. Legal compliance regulations and acceptable usage policies

17
Q

Question #442 Topic 1
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the
URL?
A. Custom URL category in URL Filtering profile
B. PAN-DB URL category in URL Filtering profile
C. EDL in URL Filtering profile
D. Custom URL category in Security policy rule

A

B. PAN-DB URL category in URL Filtering profile

18
Q

Question #443 Topic 1
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.
What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon
them?
A. Stream ID in the IP Option Drop options
B. Record Route in IP Option Drop options
C. Ethernet SGT Protection
D. TCP Fast Open in the Strip TCP options

A

C. Ethernet SGT Protection

19
Q

Question #444 Topic 1
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
A. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.
B. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.
C. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
D. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

A

A. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

20
Q

Question #445 Topic 1
An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT.
Which type of certificate must be installed?
A. External CA certificate
B. Server certificate
C. Device certificate
D. Self-signed root CA certificate

A

C. Device certificate

21
Q

Question #446 Topic 1
Which Palo Alto Networks tool provides configuration heat map displays for security controls?
A. Expedition
B. Security Life Cycle Review
C. Prevention Posture Assessment
D. Best Practice Assessment

A

D. Best Practice Assessment

22
Q

Question #447 Topic 1
An engineer is configuring SSL Inbound Inspection for public access to a company’s application.
Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?
A. Intermediate CA(s) and End-entity certificate
B. Root CA and Intermediate CA(s)
C. Self-signed certificate with exportable private key
D. Self-signed CA and End-entity certificate

A

A. Intermediate CA(s) and End-entity certificate

end entity

23
Q

Question #448 Topic 1
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.
Which certificate is the best choice to configure as an SSL Forward Trust certificate?
A. A Machine Certificate for the firewall signed by the organization’s PKI
B. A web server certificate signed by the organization’s PKI
C. A subordinate Certificate Authority certificate signed by the organization’s PKI
D. A self-signed Certificate Authority certificate generated by the firewall

A

C. A subordinate Certificate Authority certificate signed by the organization’s PKI

24
Q

Question #449 Topic 1
A company has configured a URL Filtering profile with override action on their firewall.
Which two profiles are needed to complete the configuration? (Choose two.)
A. Decryption
B. HTTP Server
C. SSL/TLS Service
D. Interface Management

A

C. SSL/TLS Service
D. Interface Management

25
Q

Question #450 Topic 1
Which three authentication types can be used to authenticate users? (Choose three.)
A. Local database authentication
B. PingID
C. Kerberos single sign-on
D. GlobalProtect client
E. Cloud authentication service

A

A. Local database authentication
C. Kerberos single sign-on
E. Cloud authentication service