Q_451-475 Flashcards

1
Q

Question #451 Topic 1
Which feature checks Panorama connectivity status after a commit?
A. HTTP Server profiles
B. Device monitoring data under Panorama settings
C. Automated commit recovery
D. Scheduled config export

A

C. Automated commit recovery

2
Q

Question #452 Topic 1
“ : High-availability ha1-backup interface configuration requires a peer-ip-backup address to be configured(Module: ha_agent)”

What are two explanations for this type of issue? (Choose two.)
A. Either management or a data-plane interface is used as HA1-backup.
B. One of the firewalls has gone into the suspected state.
C. The peer IP is not included in the permit list on Management Interface Settings.
D. The Backup Peer HA1 IP Address was not configured when the commit was issued.

A

A. Either management or a data-plane interface is used as HA1-backup.

D. The Backup Peer HA1 IP Address was not configured when the commit was issued.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCAU

3
Q

Question #453 Topic 1
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose
two.)
A. A certificate authority (CA) certificate
B. A private key
C. A server certificate
D. A subject alternative name

A

A. A certificate authority (CA) certificate
B. A private key

4
Q

Question #454 Topic 1
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is
preventing the team from decrypting all of the traffic they want to decrypt.
Which three items should be prioritized for decryption? (Choose three.)
A. Financial, health, and government traffic categories
B. Less-trusted internal IP subnets
C. Known malicious IP space
D. High-risk traffic categories
E. Public-facing servers

A

B. Less-trusted internal IP subnets

D. High-risk traffic categories
E. Public-facing servers

You would already block “known malicious IP space”.

5
Q

Question #455 Topic 1
During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before
logging in to their new Windows 10 endpoints.
The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve
this issue.
What must be configured to enable the Connect Before Logon feature?
A. The Certificate profile in the GlobalProtect Portal Authentication Settings.
B. Registry keys on the Windows system.
C. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand.
D. X-Auth Support in the GlobalProtect Gateway Tunnel Settings.

A

B. Registry keys on the Windows system.

From the GP release notes.

6
Q

Question #456 Topic 1
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s)
that could be compromised by a botnet?
A. Click the hyperlink for the ZeroAccess.Gen threat.
B. Click the source user with the highest threat count.
C. Click the left arrow beside the ZeroAccess.Gen threat.
D. Click the hyperlink for the botnet Threat Category.

A

D. Click the hyperlink for the botnet Threat Category.

The other options are not broad enough.

7
Q

Question #457 Topic 1
What is the best description of the Cluster Synchronization Timeout (min)?
A. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
B. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from
fully synchronizing
C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
D. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

A

B. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

rtfm baby - Cluster Synchronization Timeout (min)—Maximum number of minutes that the local firewall waits before going to Active state when another cluster member (for example, in unknown state) is preventing the cluster from fully synchronizing (range is 0 to 30; default is 0).

8
Q

Question #458 Topic 1
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
A. A Decryption policy to decrypt the traffic and see the tag
B. A Deny policy with the “tag” App-ID to block the tagged traffic
C. An Allow policy for the initial traffic
D. A Deny policy for the tagged traffic

A

C. An Allow policy for the initial traffic
D. A Deny policy for the tagged traffic

You will need to configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent.

9
Q

Question #459 Topic 1

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that
there is an excessive amount of SSL traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
A. QoS on the egress interface for the traffic flows
B. QoS on the ingress interface for the traffic flows
C. A QoS profile defining traffic classes
D. A QoS policy for each application ID
E. An Application Override policy for the SSL traffic

A

A. QoS on the egress interface for the traffic flows

C. A QoS profile defining traffic classes
D. A QoS policy for each application ID

QoS is only on egress.
SSL app override: not a thing.

10
Q

Question #460 Topic 1
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to
the same firewall. The update contains an application that matches the same traffic signatures as the custom application.
Which application will be used to identify traffic traversing the firewall?
A. Custom application
B. Unknown application
C. Downloaded application
D. Incomplete application

A

A. Custom application

11
Q

Question #461 Topic 1
An administrator creates an application-based security policy rule and commits the change to the firewall.
Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)
A. Review the App Dependency application list from the Commit Status view.
B. Open the security policy rule and review the Depends On application list.
C. Reference another application group containing similar applications.
D. Use the show predefined xpath command and review the output.

A

A. Review the App Dependency application list from the Commit Status view.
B. Open the security policy rule and review the Depends On application list.

12
Q

Question #462 Topic 1
An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices.
Which two variable types can be defined? (Choose two.)
A. IP netmask
B. Zone
C. Path group
D. FQDN

A

A. IP netmask

D. FQDN

13
Q

Question #463 Topic 1
Users have reported an issue when they are trying to access a server on your network. The requests aren’t taking the expected route. You discover
that there are two different static routes on the firewall for the server.
What is used to determine which route has priority?
A. The first route installed
B. Bidirectional Forwarding Detection
C. The route with the lowest administrative distance
D. The route with the highest administrative distance

A

C. The route with the lowest administrative distance

14
Q

Question #464 Topic 1
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been
reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose two.)
A. Enable decryption
B. Exclude video traffic
C. Create a Tunnel Inspection policy
D. Block traffic that is not work-related

A

B. Exclude video traffic

D. Block traffic that is not work-related

15
Q

Question #465 Topic 1
Which log type would provide information about traffic blocked by a Zone Protection profile?
A. Data Filtering
B. IP-Tag
C. Threat
D. Traffic

A

C. Threat

16
Q

Question #466 Topic 1
Where can an administrator see both the management-plane and data-plane CPU utilization in the WebUI?
A. Session Browser
B. System Logs widget
C. System Resources widget
D. General Information widget

A

C. System Resources widget

17
Q

Question #467 Topic 1
An administrator wants to perform HIP checks on the endpoints to ensure their security posture.
Which license is required on all Palo Alto Networks next-generation firewalls that will be performing the HIP checks?
A. GlobalProtect Gateway
B. Current and Active Support License
C. Threat Prevention
D. GlobalProtect Portal

A

A. GlobalProtect Gateway

The GP GW is performing the inspections.

18
Q

Question #468 Topic 1
A network security administrator wants to configure SSL inbound inspection.
Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)
A. An SSL/TLS Service profile
B. The web server’s security certificate with the private key
C. A Decryption profile
D. A Decryption policy
E. The client’s security certificate with the private key

A

B. The web server’s security certificate with the private key

C. A Decryption profile

D. A Decryption policy

19
Q

Question #469 Topic 1
You have been asked to implement GlobalProtect for your organization. You have decided on https://gp.mycompany.com for your Portal, and have
received the certificate and key.
Where would you navigate to on the firewall UI to import the certificate?
A. Device > Certificate Management > Device Certificates > Certificates
B. Device Certificates > Certificate Management > Certificates > Device
C. Device > Device Certificates > Certificate Management > Certificates
D. Device > Certificate Management > Certificates > Device Certificates

A

D. Device > Certificate Management > Certificates > Device Certificates

20
Q

Question #470 Topic 1
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices
share a common link for communication.
Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
A. ASBR
B. OSPFv3
C. ECMP
D. OSPF

A

B. OSPFv3

21
Q

Question #471 Topic 1
An administrator is configuring a Panorama device group.
Which two objects are configurable? (Choose two.)
A. URL Filtering profiles
B. SSL/TLS profiles
C. Address groups
D. DNS Proxy

A

A. URL Filtering profiles

C. Address groups

22
Q

Question #472 Topic 1
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users.
What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos,
LDAP, and TACACS+?
A. The priority assigned to the Authentication profile defines the order of the sequence.
B. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully
authenticates the user.
C. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be
made.
D. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

A

D. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

23
Q

Question #473 Topic 1
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with
Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
A. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
B. On one pair of firewalls, run the CLI command: set network interface vlan arp.
C. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
D. Configure a floating IP between the firewall pairs.

A

C. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

24
Q

Question #474 Topic 1
The same route appears in the routing table three times using three different protocols.
Which mechanism determines how the firewall chooses which route to use?
A. Administrative distance
B. Metric
C. Order in the routing table
D. Round Robin load balancing

A

A. Administrative distance

25
Q

Question #475 Topic 1
An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding defined bandwidth.
Which QoS setting should the engineer adjust?
A. QoS interface: Egress Guaranteed
B. QoS profile: Egress Max
C. QoS profile: Egress Guaranteed
D. QoS interface: Egress Max

A

C. QoS profile: Egress Guaranteed

26
Q

Question #476 Topic 1
A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”.
Which action will this configuration cause on the matched traffic?
A. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is
set to “Deny”.
B. The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity
defined actions defined in the associated Vulnerability Protection Profile.
C. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
D. The Profile Settings section will be grayed out when the Action is set to “Deny”.

A

A. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny”.

27
Q

Question #477 Topic 1
Which feature detects the submission of corporate login information into website forms?
A. App-ID
B. File Blocking profile
C. Data Filtering profile
D. Credential Phishing

A

D. Credential Phishing