Q_76-100 Flashcards
Question #76 Topic 1
Which virtual router feature determines if a specific destination IP address is reachable?
A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path
C. Path Monitoring
Question #77 Topic 1
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?
A. Decryption Mirror interface with the Threat Analysis license
B. Virtual Wire interface with the Decryption Port Export license
C. Tap interface with the Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license
Question #78 Topic 1
When is the content inspection performed in the packet flow process?
A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet
A. after the application has been identified
Question #79 Topic 1
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?
A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries
A. In the details of the Traffic log entries
Question #80 Topic 1
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw
in an operating system on an internal system.
Which Security Profile type will prevent this attack?
A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus
A. Vulnerability Protection
Question #81 Topic 1
Which processing order will be enabled when a Panorama administrator selects the setting Objects defined in ancestors will take higher
precedence?
A. Descendant objects will take precedence over other descendant objects.
B. Descendant objects will take precedence over ancestor objects.
C. Ancestor objects will have precedence over descendant objects.
D. Ancestor objects will have precedence over other ancestor objects.
C. Ancestor objects will have precedence over descendant objects.
Question #82 Topic 1
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?
A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication
A. Use custom certificates
Question #83 Topic 1
What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113
during the time shown in the image?
NOTE PBF SCHEDULE has and clock..
A. ethernet1/7
B. ethernet1/5
C. ethernet1/6
D. ethernet1/3
D. ethernet1/3
PBF rule not active due to schedule
local route table shows route.
Question #84 Topic 1
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?
A. Untrust (any) to Untrust (10.1.1.100), web browsing ג€” Allow
B. Untrust (any) to Untrust (1.1.1.100), web browsing ג€” Allow
C. Untrust (any) to DMZ (1.1.1.100), web browsing ג€” Allow
D. Untrust (any) to DMZ (10.1.1.100), web browsing ג€” Allow
C. Untrust (any) to DMZ (1.1.1.100), web browsing “ Allow
Question #85 Topic 1
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?
A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow
C. Rule # 1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
27% –A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
73%–D. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
Question #86 Topic 1
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
A. The firewall is in multi-vsys mode.
B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.
D. The firewall’s DP CPU is higher than 50%.
B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.
keyword capture aka pcap
Question #87 Topic 1
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS®ֲ software would help in this case?
A. application override
B. Virtual Wire mode
C. content inspection
D. redistribution of user mappings
D. redistribution of user mappings
Question #88 Topic 1
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in ג€the cloud ג€). Bootstrapping is the
most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?
A. Use config-drive on a USB stick.
B. Use an S3 bucket with an ISO.
C. Create and attach a virtual hard disk (VHD).
D. Use a virtual CD-ROM with an ISO.
D. Use a virtual CD-ROM with an ISO.
Question #89 Topic 1
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a No Decrypt action? (Choose two.)
A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing
A. Block sessions with expired certificates
D. Block sessions with untrusted issuers
Question #90 Topic 1
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
A. port mapping
B. server monitoring
C. client probing
D. XFF headers
A. port mapping
Question #91 Topic 1
Which feature can be configured on VM-Series firewalls?
A. aggregate interfaces
B. machine learning
C. multiple virtual systems
D. GlobalProtect
D. GlobalProtect
Question #92 Topic 1
In High Availability, which information is transferred via the HA data link?
A. session information
B. heartbeats
C. HA state information
D. User-ID information
A. session information
Question #93 Topic 1
The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)
A. Create a custom application.
B. Create a custom object for the custom application server to identify the custom application.
C. Submit an App-ID request to Palo Alto Networks.
D. Create a Security policy to identify the custom application.
A. Create a custom application.
C. Submit an App-ID request to Palo Alto Networks.
Question #94 Topic 1
If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto
Networks NGFW to inspect traffic to the server?
A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption
B. SSL Inbound Inspection
Question #95 Topic 1
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed
denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP
addresses (DDoS attack)?
A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
B. Add a Vulnerability Protection Profile to block the attack.
C. Add QoS Profiles to throttle incoming requests.
D. Add a DoS Protection Profile with defined session count.
D. Add a DoS Protection Profile with defined session count.
Question #96 Topic 1
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
A. Verify AutoFocus status using the CLI ג€test ג€ command.
B. Check the WebUI Dashboard AutoFocus widget.
C. Check for WildFire forwarding logs.
D. Check the license.
E. Verify AutoFocus is enabled below Device Management tab.
D. Check the license.
E. Verify AutoFocus is enabled below Device Management tab.
Question #97 Topic 1
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources
A. show running resource-monitor
Question #98 Topic 1
Which DoS protection mechanism detects and prevents session exhaustion attacks?
A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection
C. Resource Protection
Question #99 Topic 1
Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)
A. Content-ID
B. User-ID
C. Applications and Threats
D. Antivirus
C. Applications and Threats
D. Antivirus
SUBSCRIPTIONS !!!!
Question #90 Topic 1
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
A. port mapping
B. server monitoring
C. client probing
D. XFF headers
A. port mapping
Question #100 Topic 1
View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?
A. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
B. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
D. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway’s hostname and IP address to the DNS server.
C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
used for internal GP GWs for hip, user-ID etc
