Q_76-100

Question 1

Question #76 Topic 1
Which virtual router feature determines if a specific destination IP address is reachable?
A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path

Answer 1

C. Path Monitoring

Question 2

Question #77 Topic 1
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?
A. Decryption Mirror interface with the Threat Analysis license
B. Virtual Wire interface with the Decryption Port Export license
C. Tap interface with the Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license

Answer 2

D. Decryption Mirror interface with the associated Decryption Port Mirror license

Question 3

Question #78 Topic 1
When is the content inspection performed in the packet flow process?
A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet

Answer 3

A. after the application has been identified

Question 4

Question #79 Topic 1
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?
A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries

Answer 4

A. In the details of the Traffic log entries

Question 5

Question #80 Topic 1
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw
in an operating system on an internal system.
Which Security Profile type will prevent this attack?
A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus

Answer 5

A. Vulnerability Protection

Question 6

Question #81 Topic 1
Which processing order will be enabled when a Panorama administrator selects the setting Objects defined in ancestors will take higher precedence?
A. Descendant objects will take precedence over other descendant objects.
B. Descendant objects will take precedence over ancestor objects.
C. Ancestor objects will have precedence over descendant objects.
D. Ancestor objects will have precedence over other ancestor objects.

Answer 6

C. Ancestor objects will have precedence over descendant objects.

Question 7

Question #82 Topic 1
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?
A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication

Answer 7

A. Use custom certificates

Question 8

Question #83 Topic 1
What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113
during the time shown in the image?
NOTE PBF SCHEDULE has and clock..

A. ethernet1/7
B. ethernet1/5
C. ethernet1/6
D. ethernet1/3

Answer 8

D. ethernet1/3

PBF rule not active due to schedule
local route table shows route.

Question 9

Question #84 Topic 1
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?
A. Untrust (any) to Untrust (10.1.1.100), web browsing ג€” Allow
B. Untrust (any) to Untrust (1.1.1.100), web browsing ג€” Allow
C. Untrust (any) to DMZ (1.1.1.100), web browsing ג€” Allow
D. Untrust (any) to DMZ (10.1.1.100), web browsing ג€” Allow

Answer 9

C. Untrust (any) to DMZ (1.1.1.100), web browsing “ Allow

Question 10

Question #85 Topic 1
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?
A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow
C. Rule # 1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow

Answer 10

27% –A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow

73%–D. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow

Question 11

Question #86 Topic 1
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
A. The firewall is in multi-vsys mode.
B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.
D. The firewall’s DP CPU is higher than 50%.

Answer 11

B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.

keyword capture aka pcap

Question 12

Question #87 Topic 1
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS®ֲ software would help in this case?
A. application override
B. Virtual Wire mode
C. content inspection
D. redistribution of user mappings

Answer 12

D. redistribution of user mappings

Question 13

Question #88 Topic 1
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in ג€the cloud ג€). Bootstrapping is the
most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?
A. Use config-drive on a USB stick.
B. Use an S3 bucket with an ISO.
C. Create and attach a virtual hard disk (VHD).
D. Use a virtual CD-ROM with an ISO.

Answer 13

D. Use a virtual CD-ROM with an ISO.

Question 14

Question #89 Topic 1
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a No Decrypt action? (Choose two.)
A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing

Answer 14

A. Block sessions with expired certificates

D. Block sessions with untrusted issuers

Question 15

Question #90 Topic 1
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
A. port mapping
B. server monitoring
C. client probing
D. XFF headers

Answer 15

A. port mapping

Question 16

Question #91 Topic 1
Which feature can be configured on VM-Series firewalls?
A. aggregate interfaces
B. machine learning
C. multiple virtual systems
D. GlobalProtect

Answer 16

D. GlobalProtect

Question 17

Question #92 Topic 1
In High Availability, which information is transferred via the HA data link?
A. session information
B. heartbeats
C. HA state information
D. User-ID information

Answer 17

A. session information

Question 18

Question #93 Topic 1
The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)
A. Create a custom application.
B. Create a custom object for the custom application server to identify the custom application.
C. Submit an App-ID request to Palo Alto Networks.
D. Create a Security policy to identify the custom application.

Answer 18

A. Create a custom application.

C. Submit an App-ID request to Palo Alto Networks.

Question 19

Question #94 Topic 1
If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto
Networks NGFW to inspect traffic to the server?
A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption

Answer 19

B. SSL Inbound Inspection

Question 20

Question #95 Topic 1
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed
denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP
addresses (DDoS attack)?
A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
B. Add a Vulnerability Protection Profile to block the attack.
C. Add QoS Profiles to throttle incoming requests.
D. Add a DoS Protection Profile with defined session count.

Answer 20

D. Add a DoS Protection Profile with defined session count.

Question 21

Question #96 Topic 1
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
A. Verify AutoFocus status using the CLI ג€test ג€ command.
B. Check the WebUI Dashboard AutoFocus widget.
C. Check for WildFire forwarding logs.
D. Check the license.
E. Verify AutoFocus is enabled below Device Management tab.

Answer 21

D. Check the license.

E. Verify AutoFocus is enabled below Device Management tab.

Question 22

Question #97 Topic 1
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources

Answer 22

A. show running resource-monitor

Question 23

Question #98 Topic 1
Which DoS protection mechanism detects and prevents session exhaustion attacks?
A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection

Answer 23

C. Resource Protection

Question 24

Question #99 Topic 1
Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)
A. Content-ID
B. User-ID
C. Applications and Threats
D. Antivirus

Answer 24

C. Applications and Threats

D. Antivirus

SUBSCRIPTIONS !!!!

Question 25

Question #90 Topic 1
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
A. port mapping
B. server monitoring
C. client probing
D. XFF headers

Answer 25

A. port mapping

Question 25

Question #100 Topic 1
View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?
A. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
B. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
D. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway’s hostname and IP address to the DNS server.

Answer 25

C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.

used for internal GP GWs for hip, user-ID etc