Q_551-579 Flashcards

1
Q

Question #551 Topic 1
Which operation will impact the performance of the management plane?
A. Enabling DoS protection
B. Enabling packet buffer protection
C. Decrypting SSL sessions
D. Generating a SaaS Application report

A

D. Generating a SaaS Application report

2
Q

Question #552 Topic 1
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
A. Tunnel inspection
B. NAT
C. QoS
D. DoS protection

A

C. QoS

Device-ID – IoT

3
Q

Question #579 Topic 1
“First shalt thou take out the Holy Pin. Then shalt thou count to three, no more no less. Three shalt be the number thou shalt count, and the number of the counting shalt be three. Four shalt thou not count, neither count thou two, excepting that thou then proceed to three. Five is right out. Once the number three, being the third number, be reached, then lobbest thou thy Holy Hand Grenade of Antioch towards thou foe, who being naughty in my sight, shall snuff it.” – Monk

So on what count did they throw the Holy Hand Grenade?
A. one
B. four
C. three
D. two
E. five

A

A. one
B. four
C. three
D. two
E. five

4
Q

Question #553 Topic 1
Why would a traffic log list an application as “not-applicable”?
A. There was not enough application data after the TCP connection was established.
B. The TCP connection terminated without identifying any application data.
C. The firewall denied the traffic before the application match could be performed.
D. The application is not a known Palo Alto Networks App-ID.

A

C. The firewall denied the traffic before the application match could be performed.

Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service.

For example, if there was only one rule on the Palo Alto device and that rule allowed the application of web-browsing only on port/service 80, and traffic (web-browsing or any other application) is sent to the Palo Alto device on any other port/service besides 80, then the traffic is discarded or dropped and you’ll see sessions with “not-applicable” in the application field.

5
Q

Question #554 Topic 1
What must be configured to apply tags automatically based on User-ID logs?
A. Device ID
B. Log settings
C. Group mapping
D. Log Forwarding profile

A

B. Log settings

For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
NOT a Log Forwarding profile (for Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a Log Forwarding profile).

6
Q

Question #555 Topic 1
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.
What should the engineer do to complete the configuration?
A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.
B. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.
C. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.
D. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

A

A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

If it matches the translation A to B, then DNS rewrite A to B (same), therefore FORWARD.

If A to B translates, and rewrite B to A, then it's REVERSE.

7
Q

Question #556 Topic 1
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
A. Initial
B. Passive
C. Active-secondary
D. Tentative

A

D. Tentative

Active/active Tentative state:
- Failure of a firewall.
- Failure of a monitored object (a link or path).
- The firewall leaves suspended or non-functional state.

8
Q

Question #557 Topic 1

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
A. Critical
B. High
C. Medium
D. Informational
E. Low

A

A. Critical
B. High
C. Medium

Best practice enables single-packet capture when the firewall detects a medium, high, or critical severity threat.
Why take PCAPs on Low or Info?

9
Q

Question #558 Topic 1
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
A. Applications configured in the rule with their dependencies
B. The security rule with any other security rule selected
C. Applications configured in the rule with applications seen from traffic matching the same rule
D. The running configuration with the candidate configuration of the firewall

A

C. Applications configured in the rule with applications seen from traffic matching the same rule

10
Q

Question #560 Topic 1
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
A. Number of security zones in decryption policies
B. Encryption algorithm
C. TLS protocol version
D. Number of blocked sessions

A

B. Encryption algorithm
C. TLS protocol version

11
Q

Question #562 Topic 1
An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?
A. Values in Global Settings
B. Values in Datacenter
C. Values in efw01ab.chi
D. Values in Chicago

A

C. Values in efw01ab.chi

12
Q

Question #563 Topic 1
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service.
What should an administrator configure to enable automatic failover to the backup tunnel?
A. Replay Protection
B. Zone Protection
C. Tunnel Monitor
D. Passive Mode

A

C. Tunnel Monitor

13
Q

Question #564 Topic 1
An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.
What should an administrator configure to route interesting traffic through the VPN tunnel?
A. Proxy IDs
B. ToS Header
C. GRE Encapsulation
D. Tunnel Monitor

A

A. Proxy IDs

14
Q

Question #565 Topic 1
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
A. It matches to the New App-IDs downloaded in the last 90 days.
B. It matches to the New App-IDs in the most recently installed content releases.
C. It matches to the New App-IDs downloaded in the last 30 days.
D. It matches to the New App-IDs installed since the last time the firewall was rebooted.

A

B. It matches to the New App-IDs in the most recently installed content releases.

15
Q

Question #566 Topic 1
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
A. Passive
B. Initial
C. Active
D. Active-primary

A

D. Active-primary

16
Q

Question #567 Topic 1
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named “Global” and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
A. Log Forwarding profile
B. SSL decryption exclusion
C. Email scheduler
D. Login banner
E. Dynamic updates

A

B. SSL decryption exclusion

D. Login banner
E. Dynamic updates

17
Q

Question #568 Topic 1
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
A. Authentication Portal
B. SSL Decryption profile
C. SSL decryption policy
D. comfort pages

A

D. comfort pages

Authentication Portal Comfort Page
The firewall displays this page so that users can enter login credentials to access services that are subject to Authentication policy rules (see Policies > Authentication). Enter a message that tells users how to respond to this authentication challenge. The firewall authenticates users based on the Authentication Profile specified in the authentication enforcement object assigned to an Authentication rule (see Objects > Authentication).

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/device/device-response-pages

18
Q

Question #569 Topic 1
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
A. ECDSA
B. ECDHE
C. RSA
D. DHE

A

B. ECDHE
D. DHE

Both contain DHE.

Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms. PFS key exchange algorithms provide greater security than RSA key exchange algorithms because the firewall has to generate a new cipher key for each session, but generating the new key consumes more firewall resources. However, if an attacker compromises a session key, PFS prevents the attacker from using it to decrypt any other sessions between the same client and server, and RSA does not.

19
Q

Question #570 Topic 1
An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.
Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.)
A. Override the DNS server on the template stack.
B. Configure the DNS server locally on the firewall.
C. Change the DNS server on the global template.
D. Configure a service route for DNS on a different interface.

A

A. Override the DNS server on the template stack.
B. Configure the DNS server locally on the firewall.

20
Q

Question #571 Topic 1
An engineer troubleshoots a high availability (HA) link that is unreliable.
Where can the engineer view what time the interface went down?
A. Monitor > Logs > Traffic
B. Device > High Availability > Active/Passive Settings
C. Monitor > Logs > System
D. Dashboard > Widgets > High Availability

A

C. Monitor > Logs > System

21
Q

Question #572 Topic 1
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
A. Kerberos or SAML authentication need to be configured.
B. RADIUS is only supported for a transparent Web Proxy.
C. RADIUS is not supported for explicit or transparent Web Proxy.
D. LDAP or TACACS+ authentication need to be configured

A

A. Kerberos or SAML authentication need to be configured.

C. RADIUS is not supported for explicit or transparent Web Proxy.

For the explicit proxy method, the request contains the destination IP address of the configured proxy and the client browser sends requests to the proxy directly. You can use one of the following methods to authenticate users with the explicit proxy:
- Kerberos, which requires a web proxy license.
- SAML 2.0, which requires Panorama, a Prisma Access license, the Cloud Services 3.2.1 plugin (and later versions), and the add-on web proxy license.
- Cloud Identity Engine, which requires Panorama, a Prisma Access license, the Cloud Services 3.2.1 plugin (and later versions), and the add-on web proxy license.

22
Q

Question #573 Topic 1
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication.
What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings?
A. Deploy a PAN-OS integrated User-ID agent on each vsys
B. Deploy the GlobalProtect vsys as a User-ID data hub
C. Deploy a M-200 as a User-ID collector
D. Deploy Windows User-ID agents on each domain controller

A

B. Deploy the GlobalProtect vsys as a User-ID data hub

23
Q

Question #574 Topic 1
A security engineer wants to upgrade the company’s deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
A. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
Required: Download PAN-OS 10.2.0.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
B. Optional: Download and install the latest preferred PAN-OS 10.1 release.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
C. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
D. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
Required: Download PAN-OS 10.2.0.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.

A

B. Optional: Download and install the latest preferred PAN-OS 10.1 release.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.

24
Q

Question #575 Topic 1
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
A. Configure the decryption profile.
B. Configure SSL decryption rules.
C. Define a Forward Trust Certificate.
D. Configure a SSL / TLS service profile.

A

B. Configure SSL decryption rules.

C. Define a Forward Trust Certificate.

25
Q

Question #576 Topic 1
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours.
Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
A. Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours.
B. Click “Review Apps” after application updates are installed in order to assess how the changes might impact Security policy.
C. Create a Security policy rule with an application filter to always allow certain categories of new App-IDs.
D. Select the action “download-only” when configuring an Applications and Threats update schedule.

A

B. Click “Review Apps” after application updates are installed in order to assess how the changes might impact Security policy.

C. Create a Security policy rule with an application filter to always allow certain categories of new App-IDs.

Careful: it asks which two ADDITIONAL best-practice guideline actions.

26
Q

Question #577 Topic 1
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
A. HA1
B. HA2
C. HA3
D. HA4

A

D. HA4

HA4 and HA4 backup connections are the dedicated cluster links that synchronize session state among

27
Q

Question #578 Topic 1
What can the Log Forwarding built-in action with tagging be used to accomplish?
A. Forward selected logs to the Azure Security Center.
B. Block the destination zones of selected unwanted traffic.
C. Block the source zones of selected unwanted traffic.
D. Block the destination IP addresses of selected unwanted traffic.

A

D. Block the destination IP addresses of selected unwanted traffic.

28
Q

Marco

A

Polo