Q_476-500 Flashcards

1
Q

Question #476 Topic 1
A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”.
Which action will this configuration cause on the matched traffic?
A. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny”.
B. The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
C. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
D. The Profile Settings section will be grayed out when the Action is set to “Deny”.

A

A. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny”.

2
Q

Question #477 Topic 1
Which feature detects the submission of corporate login information into website forms?
A. App-ID
B. File Blocking profile
C. Data Filtering profile
D. Credential Phishing

A

D. Credential Phishing

3
Q

Question #478 Topic 1
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)
A. Short message service
B. Push
C. User logon
D. One-Time Password
E. SSH key

A

A. Short message service
B. Push

D. One-Time Password

4
Q

Question #479 Topic 1
An administrator needs to identify which NAT policy is being used for internet traffic.
From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?
A. From the Monitor tab, click Traffic view and review the information in the detailed log view.
B. From the Monitor tab, click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
C. From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules.
D. From the Monitor tab, click Session Browser and review the session details.

A

D. From the Monitor tab, click Session Browser and review the session details.

5
Q

Question #480 Topic 1
Which three external services perform both authentication and authorization for administration of firewalls? (Choose three.)
A. Kerberos
B. TACACS+
C. SAML
D. Radius
E. LDAP

A

B. TACACS+
C. SAML
D. Radius

6
Q

Question #481 Topic 1
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama.
In which section is this configured?
A. Monitor > Logs > System
B. Objects > Log Forwarding
C. Device > Log Settings
D. Panorama > Managed Devices

A

C. Device > Log Settings

7
Q

Question #482 Topic 1
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
A. Virtual Wire interface
B. Layer 3 interface
C. Layer 2 interface
D. Loopback interface

A

B. Layer 3 interface

keyword : segmented

8
Q

Question #483 Topic 1
An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
A. /plugins
B. /license
C. /opt
D. /content
E. /software

A

B. /license

D. /content
E. /software

9
Q

Question #484 Topic 1
A company requires the firewall to block expired certificates issued by internet-hosted websites. The company plans to implement decryption in the future, but it does not perform SSL Forward Proxy decryption at this time.
Without the use of SSL Forward Proxy decryption, how is the firewall still able to identify and block expired certificates issued by internet-hosted websites?
A. By having a Certificate profile that contains the website’s Root CA assigned to the respective Security policy rule
B. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication and the server/client session keys in order to validate a certificate’s authenticity and expiration
C. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication in order to validate a certificate’s authenticity and expiration
D. By having a Decryption profile that blocks sessions with expired certificates in the No Decryption section and assigning it to a No Decrypt policy rule

A

D. By having a Decryption profile that blocks sessions with expired certificates in the No Decryption section and assigning it to a No Decrypt policy rule

10
Q

Question #485 Topic 1
A company is looking to increase redundancy in their network.
Which interface type could help accomplish this?
A. Tap
B. Layer 2
C. Virtual wire
D. Aggregate ethernet

A

D. Aggregate ethernet

11
Q

Question #486 Topic 1
An auditor has requested that roles and responsibilities be split inside the security team. Group A will manage templates, and Group B will manage device groups inside Panorama.
Which two specific firewall configurations will Group B manage? (Choose two.)
A. Routing
B. Security rules
C. Interfaces
D. Address objects

A

B. Security rules

D. Address objects

12
Q

Question #487 Topic 1
An engineer is deploying VoIP and needs to ensure that voice traffic is treated with the highest priority on the network.
Which QoS priority should be assigned to such an application?
A. Medium
B. Low
C. High
D. Real-time

A

D. Real-time

13
Q

Question #488 Topic 1
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile.
What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
A. TCP Drop
B. ICMP Drop
C. SYN Random Early Drop
D. TCP Port Scan Block

A

A. TCP Drop
B. ICMP Drop

14
Q

Question #489 Topic 1 /—graphic—/
Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?
A. No, because this is an example from a defeated phishing attack.
B. Yes, because the action is set to “allow”
C. No, because the severity is “high” and the verdict “malicious”
D. Yes, because the action is set to “alert”

A

B. Yes, because the action is set to “allow”

15
Q

Question #490 Topic 1
The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install.
When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?
A. GlobalProtect agent version
B. Outdated plugins
C. Management only mode
D. Expired certificates

A

B. Outdated plugins

16
Q

Question #491 Topic 1
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.
B. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls.
C. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.
D. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

A

C. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.

17
Q

Question #492 Topic 1
An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL Inbound inspection and SSL Forward Proxy are installed properly on the firewall.
When certificates are being imported to the firewall for these purposes, which three certificates require a private key? (Choose three.)
A. Forward Untrust certificate
B. Enterprise Root CA certificate
C. Forward Trust certificate
D. End-entity (leaf) certificate
E. Intermediate certificate(s)

A

B. Enterprise Root CA certificate
C. Forward Trust certificate
E. Intermediate certificate(s)

18
Q

Question #493 Topic 1
An administrator would like to determine which action the firewall will take for a specific CVE.
Given the screenshot below, where should the administrator navigate to view this information?

A. The profile rule action
B. CVE column
C. The profile rule threat name
D. Exceptions tab

A

D. Exceptions tab

19
Q

Question #494 Topic 1
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
A. Run the CLI command show advanced-routing ospf neighbor
B. In the WebUI, view the Runtime Stats in the virtual router
C. Look for configuration problems in Network > virtual router > OSPF
D. In the WebUI, view Runtime Stats in the logical router

A

A. Run the CLI command show advanced-routing ospf neighbor

D. In the WebUI, view Runtime Stats in the logical router

20
Q

Question #495 Topic 1
In an HA failover scenario, what happens with sessions decrypted by an SSL Forward Proxy Decryption policy?
A. The existing session is transferred to the active firewall.
B. The firewall drops the session.
C. The session is sent to fastpath.
D. The firewall allows the session but does not decrypt the session.

A

D. The firewall allows the session but does not decrypt the session.

21
Q

Question #496 Topic 1
An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall’s dashboard is showing as down.

What could an administrator do to troubleshoot the issue?
A. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup
B. Go to Device > High Availability > HA Communications > General > and check the Heartbeat Backup under Election Settings
C. Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings
D. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings

A

D. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings

22
Q

Question #497 Topic 1
An engineer troubleshoots an issue that causes packet drops.
Which command should the engineer run in the CLI to see if packet buffer protection is enabled and activated?
A. show session id
B. show system state | match packet-buffer-protection
C. show session packet-buffer-protection
D. show running resource-monitor

A

C. show session packet-buffer-protection

23
Q

Question #498 Topic 1
An engineer configures SSL decryption in order to have more visibility to the internal users’ traffic when it is egressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
A. High availability (HA)
B. Layer 3
C. Layer 2
D. Tap
E. Virtual Wire

A

B. Layer 3
C. Layer 2

E. Virtual Wire

24
Q

Question #499 Topic 1
If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?
A. Post-NAT destination address
B. Pre-NAT destination address
C. Pre-NAT source address
D. Post-NAT source address

A

C. Pre-NAT source address

25
Q

Question #500 Topic 1
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
A. Heartbeat Interval
B. Promotion Hold Time
C. Additional Master Hold Up Time
D. Monitor Fail Hold Up Time

A

B. Promotion Hold Time