Q_526-550 Flashcards

1
Q

Question #526 Topic 1
An engineer is configuring a firewall with three interfaces:
* MGT connects to a switch with internet access.
* Ethernet1/1 connects to an edge router.
* Ethernet1/2 connects to a virtualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic.
What should be configured in Setup > Services > Service Route Configuration to allow this traffic?
A. Set DNS and Palo Alto Networks Services to use the MGT source interface.
B. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
C. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.

A

B. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

2
Q

Question #527 Topic 1
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.
D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

A

C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.
D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

3
Q

Question #528 Topic 1
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the local firewall? (Choose three.)
A. TACACS+
B. Kerberos
C. SAML
D. RADIUS
E. LDAP

A

A. TACACS+

C. SAML
D. RADIUS

4
Q

Question #529 Topic 1
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

A. insufficient-data
B. incomplete
C. not-applicable
D. unknown-tcp

[Graphic: session output, not reproduced on the card]

A

C. not-applicable

Not-applicable means that the Palo Alto Networks device has received data that will be discarded because the port or service the traffic is arriving on is not allowed, or because there is no rule or policy allowing that port or service, so the traffic hit the default drop rule.

5
Q

Question #530 Topic 1
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
A. Clone the security policy and add it to the other device groups.
B. Add the policy to the target device group and apply a master device to the device group.
C. Reference the targeted device’s templates in the target device group.
D. Add the policy in the shared device group as a pre-rule.

A

D. Add the policy in the shared device group as a pre-rule.

6
Q

Question #531 Topic 1
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
[Graphic: the Server Monitoring section of User-ID, showing the name lab-client, Enabled checked, type MS AD, a network address, and a green "Connected" status]

A. The User-ID agent is connected to a domain controller labeled lab-client.
B. The host lab-client has been found by the User-ID agent.
C. The host lab-client has been found by a domain controller.
D. The User-ID agent is connected to the firewall labeled lab-client.

A

A. The User-ID agent is connected to a domain controller labeled lab-client.

7
Q

Question #532 Topic 1

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
A. Deny
B. Allow
C. Discard
D. Next VR

A

C. Discard

8
Q

Question #533 Topic 1
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
A. OSPF
B. IGRP
C. OSPFv3 virtual link
D. BGP
E. RIP

A

A. OSPF

D. BGP

E. RIP

9
Q

Question #534 Topic 1
A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series
and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
A. Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings.
B. Perform a device group push using the “merge with device candidate config” option.
C. Update the apps and threat version using device-deployment.
D. Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config.

A

A. Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings.

10
Q

Question #535 Topic 1
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
A. 1
B. 2
C. 3
D. 4

A

D. 4

11
Q

Question #536 Topic 1
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed
from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
A. Reload the running configuration and perform a Firewall local commit.
B. Perform a commit force from the CLI of the firewall.
C. Perform a template commit push from Panorama using the “Force Template Values” option.
D. Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option.

A

C. Perform a template commit push from Panorama using the “Force Template Values” option.

12
Q

Question #537 Topic 1
Where can a service route be configured for a specific destination IP?
A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
B. Use Device > Setup > Services > Services
C. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4
D. Use Device > Setup > Services > Service Route Configuration > Customize > Destination

A

D. Use Device > Setup > Services > Service Route Configuration > Customize > Destination

13
Q

Question #538 Topic 1
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
A. IKE Crypto Profile
B. Security policy
C. Proxy-IDs
D. PAN-OS versions

A

C. Proxy-IDs

14
Q

Question #539 Topic 1
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in
the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain
controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM).
There did not appear to be direct integration between PAN-OS and the IDM solution.
How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?
A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution.
C. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

A

A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.

15
Q

Question #540 Topic 1
An administrator troubleshoots an issue that causes packet drops.
Which log type will help the engineer verify whether packet buffer protection was activated?
A. Configuration
B. Data Filtering
C. Traffic
D. Threat

A

D. Threat

Threat (the System log would also show it, but System is not offered as a choice here)

16
Q

Question #541 Topic 1
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
A. A service route to the LDAP server
B. A User-ID agent on the LDAP server
C. A Master Device
D. Authentication Portal

A

C. A Master Device

17
Q

Question #542 Topic 1

What is your favorite colour?

A. Green
B. Blue
C. Red
D. Yellow

A

Green

18
Q

Question #543 Topic 1
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.
Which three parts of a template can an engineer configure? (Choose three.)
A. Service Route Configuration
B. Dynamic Address Groups
C. NTP Server Address
D. Antivirus Profile
E. Authentication Profile

A

A. Service Route Configuration

C. NTP Server Address

E. Authentication Profile

The Authentication Profile is configured under the Device tab, which is template content.

19
Q

Question #544 Topic 1
A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.
When creating a new rule, what is needed to allow the application to resolve dependencies?
A. Add SSL application to the same rule.
B. SSL and web-browsing must both be explicitly allowed.
C. Add SSL and web-browsing applications to the same rule.
D. Add web-browsing application to the same rule.

A

A. Add SSL application to the same rule.

20
Q

Question #545 Topic 1
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours

A

B. 6 to 12 hours

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first#id184AH00F06E

21
Q

Question #546 Topic 1
An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route
configuration.
What type of service route can be used for this configuration?
A. Destination-Based Service Route
B. Inherit Global Setting
C. IPv6 Source or Destination Address
D. IPv4 Source Interface

A

D. IPv4 Source Interface

22
Q

Question #547 Topic 1
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that
there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
A. A QoS policy for each application
B. An Application Override policy for the SIP traffic
C. A QoS profile defining traffic classes
D. QoS on the ingress interface for the traffic flows
E. QoS on the egress interface for the traffic flows

A

A. A QoS policy for each application

C. A QoS profile defining traffic classes

E. QoS on the egress interface for the traffic flows

23
Q

Question #548 Topic 1
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
A. Rename a vsys on a multi-vsys firewall
B. Change the firewall management IP address
C. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
D. Add administrator accounts
E. Configure a device block list

A

A. Rename a vsys on a multi-vsys firewall

C. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

E. Configure a device block list

24
Q

Question #549 Topic 1

When the Bridgekeeper asked “What is the airspeed velocity of an unladen swallow?”

Arthur asked which kind of swallow: _____ or ______

A. Middle Eastern
B. African
C. European
D. Persian

A

African
European

25
Q

Question #550 Topic 1
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
A. Virtual Wire
B. Layer 2
C. Layer 3
D. TAP

A

A. Virtual Wire
B. Layer 2