Q_501-525 Flashcards

1
Q

Question #501 Topic 1
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-
NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below

What should the NAT rule destination zone be set to?
A. None
B. Inside
C. DMZ
D. Outside

A

B. Inside

Pre-NAT dest IP is not on the FW, but inside the network.

2
Q

Question #502 Topic 1
A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in Transparent Proxy mode.
Which three elements must be in place before a transparent web proxy can function? (Choose three.)
A. User-ID for the proxy zone
B. DNS Security license
C. Prisma Access explicit proxy license
D. Cortex Data Lake license
E. Authentication Policy Rule set to default-web-form

A

A. User-ID for the proxy zone

B. DNS Security license

E. Authentication Policy Rule set to default-web-form

3
Q

Question #503 Topic 1
Which source is the most reliable for collecting User-ID user mapping?
A. Microsoft Active Directory
B. Microsoft Exchange
C. GlobalProtect
D. Syslog Listener

A

C. GlobalProtect

4
Q

Question #504 Topic 1
Which type of zone will allow different virtual systems to communicate with each other?
A. Tap
B. Tunnel
C. Virtual Wire
D. External

A

D. External

5
Q

Question #505 Topic 1
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls.
Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
A. SSL forward proxy
B. Explicit proxy
C. Transparent proxy
D. DNS proxy

A

B. Explicit proxy

6
Q

Question #506 Topic 1
An engineer discovers the management interface is not routable to the User-ID agent.
What configuration is needed to allow the firewall to communicate to the User-ID agent?
A. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP
B. Create a NAT policy for the User-ID agent server
C. Create a custom service route for the UID Agent
D. Add a static route to the virtual ro

A

C. Create a custom service route for the UID Agent

7
Q

Question #507 Topic 1
An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric
environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?
A. set deviceconfig setting tcp asymmetric-path drop
B. set session tcp-reject-non-syn yes
C. set deviceconfig setting tcp asymmetric-path bypass
D. set deviceconfig setting session tcp-reject-non-syn no

A

D. set deviceconfig setting session tcp-reject-non-syn no

Workaround, so set the firewall to not reject non-SYN packets!
+ tcp-reject-non-syn reject non-SYN TCP packet for session setu

8
Q

Question #508 Topic 1
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
A. Panorama
B. M600 Log Collectors
C. Cortex Data Lake
D. On Palo Alto Networks Update Server

A

C. Cortex Data Lake

9
Q

Question #509 Topic 1
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
A. Satellite mode
B. Tunnel mode
C. No Direct Access to local networks
D. IPSec mode

A

B. Tunnel mode

10
Q

Question #510 Topic 1
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working
with different device-groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
A. Create a Dynamic Admin with the Panorama Administrator role.
B. Create a Dynamic Read only superuser.
C. Create a Device Group and Template Admin.
D. Create a Custom Panorama Admin.

A

C. Create a Device Group and Template Admin.

11
Q

Question #511 Topic 1
An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN)
feature on the Palo Alto Networks next-generation firewall.
What should the administrator configure in order to connect the sites?
A. Generic Routing Encapsulation (GRE) Tunnels
B. GlobalProtect Satellite
C. SD-WAN
D. IKE Gateways

A

B. GlobalProtect Satellite

12
Q

Question #512 Topic 1
A customer wants to set up a site-to-site VPN using tunnel interfaces.
What format is the correct naming convention for tunnel interfaces?
A. tun.1025
B. tunnel.50
C. vpn.1024
D. gre1/2

A

B. tunnel.50

13
Q

Question #513 Topic 1
An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.
What part of the network profile configuration should the engineer verify?
A. Destination IP
B. Threshold
C. Action
D. Interval

A

C. Action

14
Q

Question #515 Topic 1
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
A. LDAP
B. Log Ingestion
C. HTTP
D. Log Forwarding

A

C. HTTP
D. Log Forwarding

14
Q

Question #514 Topic 1
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
A. One-time password
B. User certificate
C. SMS
D. Voice
E. Fingerprint

A

A. One-time password
C. SMS
D. Voice

  • Push
  • Short message service (SMS)
  • Voice
  • One-time password (OTP)
15
Q

Question #516 Topic 1
What is the PAN-OS NPTv6 feature based on RFC 6296 used for?
A. Application port number translation
B. IPv6-to-IPv6 network prefix translation
C. Stateful translation to provide better security
D. IPv6-to-IPv6 host portion translation

A

B. IPv6-to-IPv6 network prefix translation

16
Q

Question #517 Topic 1
An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)
A. Device certificate
B. Subordinate CA from the administrator’s own PKI infrastructure
C. Self-signed root CA
D. External CA certificate

A

B. Subordinate CA from the administrator’s own PKI infrastructure
C. Self-signed root CA

17
Q

Question #518 Topic 1
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
A. Inherit all Security policy rules and objects
B. Inherit settings from the Shared group
C. Inherit IPSec crypto profiles
D. Inherit parent Security policy rules and objects

A

B. Inherit settings from the Shared group

D. Inherit parent Security policy rules and objects

read slowly

18
Q

Question #519 Topic 1
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from
trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will
see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
A. A self-signed certificate generated on the firewall
B. A web server certificate signed by the organization’s PKI
C. A web server certificate signed by an external Certificate Authority
D. A subordinate Certificate Authority certificate signed by the organization’s PKI

A

A. A self-signed certificate generated on the firewall

Clients will not have the self-signed root cert, so this will throw a browser error.

19
Q

Question #520 Topic 1
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds
that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports.
What can the engineer do to solve the VoIP traffic issue?
A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application

A

D. Disable ALG under SIP application

20
Q

Question #521 Topic 1
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without
duplicating local configurations?
A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewall.
C. Push the Device Group first, then push Template to the newly managed firewall.
D. Perform the Export or push Device Config Bundle to the newly managed firewall.

A

D. Perform the Export or push Device Config Bundle to the newly managed firewall.

21
Q

Question #522 Topic 1
Which new PAN-OS 11.0 feature supports IPv6 traffic?
A. OSPF
B. IKEv1
C. DHCP Server
D. DHCPv6 Client with Prefix Delegation

A

D. DHCPv6 Client with Prefix Delegation

22
Q

Question #523 Topic 1
If a URL is in multiple custom URL categories with different actions, which action will take priority?
A. Block
B. Allow
C. Alert
D. Override

A

A. Block

When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).
1. block
2. override
3. continue
4. alert
5. allow

23
Q

Question #524 Topic 1
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
A. Hello Interval
B. Monitor Fail Hold Up Time
C. Heartbeat Interval
D. Promotion Hold Time

A

A. Hello Interval

Hello Interval (ms)
Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational (range is 8,000 to 60,000; default is 8,000).

24
Q

Question #525 Topic 1
Which three items must be configured to implement application override? (Choose three.)
A. Application filter
B. Application override policy rule
C. Custom app
D. Decryption policy rule
E. Security policy rule

A

B. Application override policy rule
C. Custom app

E. Security policy rule

To configure an Application Override, go to Policies > Application Override in the WebGUI. For setup, you’ll need the following:
  • Custom Application to be used in the Application Override policy (recommended)
  • Application Override policy
  • Security Policy that allows the newly created Custom Application through the firewall