Pa3
Test title: Pa3. Description: Questions. Creation date: 2021/07/28. Category: Other. Number of questions: 67

Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

- Vulnerability Object
- DoS Protection Profile
- Data Filtering Profile
- Zone Protection Profile

A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port. Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?

- Zone Protection Policy with UDP Flood Protection
- QoS Policy to throttle traffic below maximum limit
- Security Policy rule to deny traffic to the IP address and port that is under attack
- Classified DoS Protection Policy using destination IP only with a Protect action

The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

- QoS Statistics
- Applications Report
- Application Command Center (ACC)
- QoS Log

Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

- From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes.
- Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode.
- From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.
- Enter the command logger-mode enable then enter Y to confirm the change to Log Collector mode.
- Log in to the Panorama CLI of the dedicated Log Collector.

The web server is configured to listen for HTTP traffic on port 8080.
The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on TCP Port 8080. Which NAT and security rules must be configured on the firewall? (Choose two)

- A security policy with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application.
- A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
- A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
- A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?

- test security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> test security-policy-match source

Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose two)

- Brute-force signatures
- BrightCloud URL Filtering
- PAN-DB URL Filtering
- DNS-based command-and-control signatures

A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall. Which pair of files needs to be imported back into the replacement firewall that is using Panorama?

- Device state and license files
- Configuration and serial number files
- Configuration and statistics files
- Configuration and Large Scale VPN (LSVPN) setups file

A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information:

• DMZ zone: DMZ-L3
• Public zone: Untrust-L3
• Guest zone: Guest-L3
• Web server zone: Trust-L3
• Public IP address (Untrust-L3): 1.1.1.1
• Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?

- Untrust-L3
- DMZ-L3
- Guest-L3
- Trust-L3

Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

- Create a custom Application without signatures, then create an Application Override policy that includes the Source, Destination, Destination Port/Protocol and Custom Application of the traffic.
- Wait until an official Application signature is provided from Palo Alto Networks.
- Modify the session timer settings on the closest referenced application to meet the needs of the in-house application.
- Create a Custom Application with signatures matching unique identifiers of the in-house application traffic.

What must be used in Security Policy rules that contain addresses where NAT policy applies?

- Pre-NAT addresses and Pre-NAT zones
- Post-NAT addresses and Post-NAT zones
- Pre-NAT addresses and Post-NAT zones
- Post-NAT addresses and Pre-NAT zones

A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

- Blocked Activity
- Bandwidth Activity
- Threat Activity
- Network Activity

A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab. What could cause this condition?

- The firewall does not have an active WildFire subscription.
- The engineer's account does not have permission to view WildFire Submissions.
- A policy is blocking WildFire Submission traffic.
- Though WildFire is working, there are currently no WildFire Submissions log entries.

A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites are to override these products?

- Pre Rules
- Post Rules
- Explicit Rules
- Implicit Rules

Click the Exhibit button below. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC?

- 172.20.30.1
- 172.20.40.1
- 172.20.20.1
- 172.20.10.1

Which three functions are found on the dataplane of a PA-5050? (Choose three)

- Protocol Decoder
- Dynamic routing
- Management
- Network Processing
- Signature Match

What are three valid methods of user mapping? (Choose three)

- Syslog
- XML API
- 802.1X
- WildFire
- Server Monitoring

What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)

- Clean
- Benign
- Adware
- Suspicious
- Grayware
- Malware

What can cause missing SSL packets when performing a packet capture on dataplane interfaces?
- The packets are hardware offloaded to the offloaded processor on the dataplane.
- The missing packets are offloaded to the management plane CPU.
- The packets are not captured because they are encrypted.
- There is a hardware problem with offloading FPGA on the management plane.

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

- Disable Server Response Inspection
- Apply an Application Override
- Disable HIP Profile
- Add server IP Security Policy exception

How are IPv6 DNS queries configured to use interface ethernet1/3?

- Network > Virtual Router > DNS Interface
- Objects > CustomerObjects > DNS
- Network > Interface Mgmt
- Device > Setup > Services > Service Route Configuration

A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

- From the CLI, issue the show counter global filter pcap yes command.
- From the CLI, issue the show counter global filter packet-filter yes command.
- From the GUI, select show global counters under the monitor tab.
- From the CLI, issue the show counter interface command for the ingress interface.

A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem?

- DHCP has been set to Auto.
- Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
- Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
- DNS has not been properly configured on the firewall.

The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalProtect Portal?

- Server Certificate
- Client Certificate
- Authentication Profile
- Certificate Profile

Which interface configuration will accept specific VLAN IDs?

- Tab Mode
- Subinterface
- Access Interface
- Trunk Interface

A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company's firewall. Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two)

- A report can be created that identifies unclassified traffic on the network.
- Different security profiles can be applied to traffic matching rules 2 and 3.
- Rule 2 and 3 apply to traffic on different ports.
- Separate Log Forwarding profiles can be applied to rules 2 and 3.

A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

- The two devices must share a routable floating IP address.
- The two devices may be different models within the PA-5000 series.
- The HA1 IP address from each peer must be on a different subnet.
- The management port may be used for a backup control connection.

Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

- VM-100
- VM-200
- VM-1000 HV
- VM-300

Which two interface types can be used when configuring GlobalProtect Portal? (Choose two)

- Virtual Wire
- Loopback
- Layer 3
- Tunnel

Which three options does the WF-500 appliance support for local analysis? (Choose three)

- E-mail links
- APK files
- jar files
- PNG files
- Portable Executable (PE) files

After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

- A Server Profile has not been configured for logging to this Panorama device.
- Panorama is not licensed to receive logs from this particular firewall.
- The firewall is not licensed for logging to this Panorama device.
- None of the firewall's policies have been assigned a Log Forwarding profile.

Support for which authentication method was added in PAN-OS 8.0?

- RADIUS
- LDAP
- Diameter
- TACACS+

Company.com wants to enable Application Override. Given the following screenshot: Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

- Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
- Traffic will be forced to operate over UDP Port 16384.
- Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
- Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface. Which interface type and configuration setting will support this design?

- Trunk interface type with specified tag
- Layer 3 interface type with specified tag
- Layer 2 interface type with a VLAN assigned
- Layer 3 subinterface type with specified tag

A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations. How should this be accomplished?

- Create a Template with the appropriate IKE Gateway settings.
- Create a Template with the appropriate IPSec tunnel settings.
- Create a Device Group with the appropriate IKE Gateway settings.
- Create a Device Group with the appropriate IPSec tunnel settings.

Which option is an IPv6 routing protocol?

- RIPv3
- OSPFv3
- OSPv3
- BGP NG

Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

- ms log
- authd log
- System log
- Traffic log
- dp-monitor.log

Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal?

- Assign an IP address on each tunnel interface at each site.
- Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0.
- Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces.
- Create new VPN zones at each site to terminate each VPN connection.

When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

- When configuring Certificate Profiles
- When configuring GlobalProtect portal
- When configuring User Activity Reports
- When configuring Antivirus Dynamic Updates

What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

- The firewalls must have the same set of licenses.
- The management interfaces must be on the same network.
- The peer HA1 IP address must be the same on both firewalls.
- HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.

Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

- Microsoft Active Directory
- Microsoft Terminal Services
- Aerohive Wireless Access Point
- Palo Alto Networks Captive Portal

A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface. Which configuration setting needs to be modified?

- Service route
- Default route
- Management profile
- Authentication profile

Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

- Log
- Alert
- Allow
- Default

People are having intermittent quality issues during a live meeting via web application.

- Use QoS profile to define QoS Classes.
- Use QoS Classes to define QoS Profile.
- Use QoS Profile to define QoS Classes and a QoS Policy.
- Use QoS Classes to define QoS Profile and a QoS Policy.

Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

- Log
- Alert
- Allow
- Default

Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal?

- Assign an IP address on each tunnel interface at each site.
- Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0.
- Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces.
- Create new VPN zones at each site to terminate each VPN connection.

A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy?

- Configure ECMP to handle matching NAT traffic.
- Configure a NAT Policy rule with Dynamic IP and Port.
- Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option.
- Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option.

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system?

- Panorama Log Settings
- Panorama Log Templates
- Panorama Device Group Log Forwarding
- Collector Log Forwarding for Collector Groups

Which CLI command displays the current management plane memory utilization?

- > show system info
- > show system resources
- > debug management-server show
- > show running resource-monitor

Which three rule types are available when defining policies in Panorama? (Choose three.)
- Pre Rules
- Post Rules
- Default Rules
- Stealth Rules
- Clean Up Rules

What will be the source address in the ICMP packet?

- 10.30.0.93
- 10.46.72.93
- 10.46.64.94
- 192.168.93.1

A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked?

- Block all unauthorized applications using a security policy.
- Block all known internal custom applications.
- Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks.
- Create a File blocking profile that blocks Layer 4 and Layer 7 attacks.

A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)

- BGP not sure
- OSPFv3
- RIP
- Static Route

Which CLI command displays the current management plane memory utilization?

- > debug management-server show
- > show running resource-monitor
- > show system info
- > show system resources

When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log. What will be the destination IP address in that log entry?

- The IP address of sinkhole.paloaltonetworks.com
- The IP address of the command-and-control server
- The IP address specified in the sinkhole configuration
- The IP address of one of the external DNS servers identified in the anti-spyware database

Which two logs on the firewall will contain authentication-related information useful for troubleshooting purposes? (Choose two)

- ms.log
- traffic.log
- system.log
- dp-monitor.log
- authd.log

In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall. Which authentication method must be used?

- LDAP
- Kerberos
- Certification based authentication
- RADIUS with Vendor Specific Attributes

A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:

* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10

Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

- Destination IP of 23.54.6.10
- Untrust-L3 for both Source and Destination Zone
- Destination IP of 192.168.1.10
- Untrust-L3 for Source Zone and Trust-L3 for Destination Zone

How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

- Enable support for non-standard syslog messages under device management.
- Check the custom-format check box in the syslog server profile.
- Select a non-standard syslog server profile.
- Create a custom log format under the syslog server profile.

Refer to Exhibit: A firewall has three PBF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named Will has a PC with a 192.168.101.10 IP address. He makes an HTTPS connection to 172.16.10.29. What is the next hop IP address for the HTTPS traffic from Will's PC?

- 172.20.30.1
- 172.20.20.1
- 172.20.10.1
- 172.20.40.1

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

- Master
- Universal
- Shared
- Global

A distributed log collection deployment has dedicated Log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first?

- Remove the cable from the management interface, reload the Log Collector and then re-connect that cable.
- Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments.
- Remove the device from the Collector Group.
- Revert to a previous configuration.

Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)

- Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions.
- Enable User-ID on the zone object for the destination zone.
- Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions.
- Enable User-ID on the zone object for the source zone.
- Configure a RADIUS server profile to point to a domain controller.

Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

- KVM
- VMware ESX
- VMware NSX
- AWS

Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

- Enable on Site-A only
- Enable on Site-B only
- Enable on Site-B only with passive mode
- Enable on Site-A and Site-B

Which field is optional when creating a new Security Policy rule?

- Name
- Description
- Source Zone
- Destination Zone
- Action

YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:

* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)

A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound. Which setting for class 6 will throttle YouTube traffic?

- Outbound profile with Guaranteed Ingress
- Outbound profile with Maximum Ingress
- Inbound profile with Guaranteed Egress
- Inbound profile with Maximum Egress