
PCNSE - 301/400

Test title:
PCNSE - 301/400

Description:
Questions 301 through 400

Creation date: 2024/11/16

Category: Computing

Number of questions: 99

Contents:

Which statement is true regarding a Best Practice Assessment?. A. It runs only on firewalls. B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture. C. It shows how your current configuration compares to Palo Alto Networks recommendations. D. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.

What are three important considerations during SD-WAN configuration planning? (Choose three.). A. link requirements. B. IP Addresses. C. connection throughput. D. dynamic routing. E. branch and hub locations.

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?. A. Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration. B. Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates". C. Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration. D. Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates".

When you navigate to Network > GlobalProtect > Portals > Agent > (config) > App and look in the Connect Method section, which three options are available? (Choose three.). A. user-logon (always on). B. certificate-logon. C. pre-logon then on-demand. D. on-demand (manual user initiated connection). E. post-logon (always on).

An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?. A. System Logs. B. Session Browser. C. You cannot find failover details on closed sessions. D. Traffic Logs.

Where is information about packet buffer protection logged?. A. All entries are in the System log. B. All entries are in the Alarms log. C. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log.

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?. A. review the configuration logs on the Monitor tab. B. use Test Policy Match to review the policies in Panorama. C. context-switch to the affected firewall and use the configuration audit tool. D. click Preview Changes under Push Scope.

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?. A. Decryption will not function because self-signed root certificates are not supported. B. Decryption will function, but users will see certificate warnings for each SSL site they visit. C. Decryption will not function until the certificate is installed on client systems. D. Decryption will function, and there will be no effect to end users.

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?. A. hot potato routing. B. summarized BGP routes before advertising. C. default routing. D. target service connection for traffic steering.

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?. A. Create a Security policy to allow access to those sites. B. Install the unsupported cipher into the firewall to allow the sites to be decrypted. C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption. D. Allow the firewall to block the sites to improve the security posture.

A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practices to ensure consistent performance?. A. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive. B. Use Decryption profiles to drop traffic that uses processor-intensive ciphers. C. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic. D. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic.

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?. A. unknown-udp. B. not-applicable. C. insufficient-data. D. incomplete.

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.). A. client certificate. B. certificate profile. C. certificate authority (CA) certificate. D. server certificate.

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?. A. Traffic Distribution profile. B. Path Quality profile. C. Certificate profile. D. SD-WAN interface profile.

DRAG DROP (Drag and Drop is not supported) An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority. Match the default Administrative Distances for each routing protocol. Select and Place: Static. OSPF External. EBGP. RIP.

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?. A. template variables. B. the ‘Shared’ device group. C. template stacks. D. a device group.

An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the features that are supported on the VWire interface. What are three supported features on the VWire interface? (Choose three.). A. IPSec. B. OSPF. C. SSL Decryption. D. QoS. E. NAT.

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?. A. Move the "Local" template above the "Global" template in the template stack. B. Perform a commit and push with the "Force Template Values" option selected. C. Override the values on the local firewall and apply the correct settings for each value. D. Move the "Global" template above the "Local" template in the template stack.

A network administrator wants to deploy SSL Inbound Inspection. What two attributes should the required certificate have? (Choose two.). A. a client certificate. B. a private key. C. a server certificate. D. a subject alternative name.

When using certificate authentication for firewall administration, which method is used for authorization?. A. LDAP. B. Radius. C. Local. D. Kerberos.

Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.). A. The environment requires real full-time redundancy from both firewalls at all times. B. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes. C. The environment requires Layer 2 interfaces in the deployment. D. The environment requires that all configuration must be fully synchronized between both members of the HA pair. E. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence.

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?. A. Guest devices may not trust the CA certificate used for the forward trust certificate. B. Guests may use operating systems that can’t be decrypted. C. The organization has no legal authority to decrypt their traffic. D. Guest devices may not trust the CA certificate used for the forward untrust certificate.

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?. A. The Security rules must be targeted to a firewall in the device group and have Group Mapping configured. B. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings. C. A master device with Group Mapping configured must be set in the device group where the Security rules are configured. D. A User-ID Certificate profile must be configured on Panorama.

Which feature of PAN-OS SD-WAN allows you to configure a bandwidth-intensive application to go directly to the internet through the branch's ISP link instead of going back to the data-center hub through the VPN tunnel, thus saving WAN bandwidth costs?. A. SD-WAN Full Mesh with branches only. B. SD-WAN direct internet access (DIA) links. C. SD-WAN Interface profile. D. VPN Cluster.

What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?. A. CSP Responder. B. Certificate profile. C. SCEP. D. SSL/TLS Service profile.

A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server, www.xyz.com. The DNS server returns an address of 172.16.15.1. In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?. A. NAT Rule: Untrust-L3 (any) - Untrust-L3 (172.16.15.1); Destination Translation: 192.168.15.47; Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing. B. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1); Destination Translation: 192.168.15.47; Security Rule: Untrust-L3 (any) - Trust-L3 (192.168.15.47) - Application: Web-browsing. C. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1); Destination Translation: 192.168.15.47; Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing. D. NAT Rule: Untrust-L3 (any) - Untrust-L3 (any); Destination Translation: 192.168.15.1; Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing.

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?. A. Choose the URL categories in the User Credential Submission column and set action to block; select the User Credential Detection tab and select Use Domain Credential Filter; commit. B. Choose the URL categories in the User Credential Submission column and set action to block; select the User Credential Detection tab and select Use IP User Mapping; commit. C. Choose the URL categories on Site Access column and set action to block; click the User Credential Detection tab and select IP User Mapping; commit. D. Choose the URL categories in the User Credential Submission column and set action to block; select the URL filtering settings and enable Domain Credential Filter; commit.

WildFire will submit for analysis blocked files that match which profile settings?. A. files matching Anti-Spyware signatures. B. files matching Anti-Virus signatures. C. files that are blocked by a File Blocking profile. D. files that are blocked by URL filtering.

A firewall has Security policies from three sources: 1. locally created policies 2. shared device group policies as pre-rules 3. the firewall's device group as post-rules How will the rule order populate once pushed to the firewall?. A. shared device group policies, local policies, firewall device group policies. B. firewall device group policies, local policies, shared device group policies. C. local policies, firewall device group policies, shared device group policies. D. shared device group policies, firewall device group policies, local policies.

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?. A. logging. B. signature matching for content inspection. C. Quality of Service. D. IPSec tunnel standup.

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.). A. APK. B. VBscripts. C. Powershell scripts. D. ELF. E. MS Office.

An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?. A. PDF Export under Panorama > templates. B. Variable CSV export under Panorama > templates. C. Managed Devices > Device Association. D. Manage variables under Panorama > templates.

What is a feature of the PA-440 hardware platform?. A. It supports Zero Touch Provisioning to assist in automated deployments. B. It supports 10GbE SFP+ modules. C. It has twelve 1GbE Copper ports. D. It has dedicated interfaces for high availability.

An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?. A. They can have different hardware media such as the ability to mix fiber optic and copper. B. They can have a different interface type such as Layer 3 or Layer 2. C. They can have a different interface type from an aggregate interface group. D. They can have a different bandwidth.

A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to use features like App-ID and SSL decryption. Which order of steps is best to complete this migration?. A. First migrate SSH rules to App-ID; then implement SSL decryption. B. Configure SSL decryption without migrating port-based security rules to App-ID rules. C. First implement SSL decryption; then migrate port-based rules to App-ID rules. D. First migrate port-based rules to App-ID rules; then implement SSL decryption.

A security engineer received multiple reports of an IPSec VPN tunnel going down the night before. The engineer couldn’t find any events related to VPN under system logs. What is the likely cause?. A. Tunnel Inspection settings are misconfigured. B. The log quota for GTP and Tunnel needs to be adjusted. C. The Tunnel Monitor is not configured. D. Dead Peer Detection is not enabled.

A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?. A. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone. B. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone. C. Enable packet buffer protection in the outside zone. D. Create a Security rule to deny all ICMP traffic from the outside zone.

The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?. A. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP selection on the LACP tab of the AE Interface. B. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the High Availability Options on the LACP tab of the AE Interface. C. It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP selection on the LACP tab of the AE Interface. D. It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable LACP selection on the LACP tab of the AE Interface.

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?. A. Certificate profile. B. SSL/TLS Service profile. C. SSH Service profile. D. Decryption profile.

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?. A. Specify the subinterface as a management interface in Setup > Device > Interfaces. B. Add the network segment’s IP range to the Permitted IP Addresses list. C. Enable HTTPS in an Interface Management profile on the subinterface. D. Configure a service route for HTTP to use the subinterface.

A client wants to detect the use of weak and manufacturer-default passwords for IoT devices. Which option will help the customer?. A. Configure a Data Filtering profile with alert mode. B. Configure an Antivirus profile with alert mode. C. Configure an Anti-Spyware profile with alert mode. D. Configure a Vulnerability Protection profile with alert mode.

When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?. A. Radius. B. Kerberos. C. LDAP. D. Local.

An engineer needs to see how many existing SSL decryption sessions are traversing a firewall. What command should be used?. A. debug sessions | match proxy. B. debug dataplane pool statistics | match proxy. C. show dataplane pool statistics | match proxy. D. show sessions all.

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.). A. #set deviceconfig setting session tcp-reject-non-syn no. B. Navigate to Network > Zone Protection; click Add; select Packet Based Attack Protection > TCP/IP Drop; set "Reject Non-syn-TCP" to Global; set "Asymmetric Path" to Global. C. Navigate to Network > Zone Protection; click Add; select Packet Based Attack Protection > TCP/IP Drop; set "Reject Non-syn-TCP" to No; set "Asymmetric Path" to Bypass. D. > set session tcp-reject-non-syn no.

A company is using wireless controllers to authenticate users. Which source should be used for User-ID mappings?. A. server monitoring. B. XFF headers. C. Syslog. D. client probing.

You have upgraded your Panorama and Log Collectors to 10.2.x. Before upgrading your firewalls using Panorama, what do you need to do?. A. Commit and Push the configurations to the firewalls. B. Refresh your licenses with Palo Alto Networks Support – Panorama/Licenses/Retrieve License Keys from License Server. C. Refresh the Master Key in Panorama/Master Key and Diagnostic. D. Re-associate the firewalls in Panorama/Managed Devices/Summary.

Which steps should an engineer take to forward system logs to email?. A. Create a new email profile under Device > server profiles; then navigate to Device > Log Settings > System and add the email profile under email. B. Enable log forwarding under the email profile in the Objects tab. C. Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and then add the email profile. D. Enable log forwarding under the email profile in the Device tab.

An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?. A. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile. B. Disable the WildFire profile on the related Security policy. C. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile. D. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

What can be used to create dynamic address groups?. A. tags. B. FQDN addresses. C. dynamic address. D. region objects.

A firewall administrator wants to avoid overflowing the company syslog server with traffic logs. What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?. A. Disable logging on security rules allowing DNS. B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application not equal to DNS. C. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application equal to DNS. D. Create a security rule to deny DNS traffic with the syslog server in the destination.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3. Which scenario will cause the Active firewall to fail over?. A. IP address 8.8.8.8 is unreachable for 1 second. B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds. C. IP address 4.2.2.2 is unreachable for 2 seconds. D. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?. A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices. B. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices. C. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes. D. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

Which configuration is backed up using the Scheduled Config Export feature in Panorama?. A. Panorama running configuration and running configuration of all managed devices. B. Panorama candidate configuration. C. Panorama candidate configuration and candidate configuration of all managed devices. D. Panorama running configuration.

While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column. What best explains these occurrences?. A. A handshake did take place, but the application could not be identified. B. A handshake took place, but no data packets were sent prior to the timeout. C. A handshake did not take place, and the application could not be identified. D. A handshake took place; however, there were not enough packets to identify the application.

You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?. A. Upgrade the Log Collectors one at a time. B. Add Panorama Administrators to each Managed Collector. C. Upgrade all the Log Collectors at the same time. D. Add a Global Authentication Profile to each Managed Collector.

A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?. A. Templates > Device > Log Settings. B. Device Groups > Objects > Log Forwarding. C. Monitor > Logs > Traffic. D. Panorama > Managed Devices.

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?. A. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration. B. The firewall rejects the pushed configuration, and the commit fails. C. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects. D. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Which Panorama feature protects logs against data loss if a Panorama server fails?. A. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group. B. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group. C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster. D. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?. A. Traffic logs. B. System logs. C. Tunnel Inspection logs. D. Configuration logs.

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?. A. Create an Application Override using TCP ports 443 and 80. B. Add the HTTP, SSL, and Evernote applications to the same Security policy. C. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL. D. Add only the Evernote application to the Security policy rule.

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?. A. Legacy. B. Management Only. C. Log Collector. D. Panorama.

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?. A. Use the Dynamic IP address type. B. Enable Passive Mode. C. Set up certificate authentication. D. Configure the peer address as an FQDN.

An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended" state due to Non-functional loop. Which three actions will help the administrator resolve this issue? (Choose three.). A. Check the HA Link Monitoring interface cables. B. Check High Availability > Active/Passive Settings > Passive Link State. C. Check the High Availability > Link and Path Monitoring settings. D. Check the High Availability > HA Communications > Packet Forwarding settings. E. Use the CLI command show high-availability flap-statistics.

Which CLI command is used to determine how much disk space is allocated to logs?. A. debug log-receiver show. B. show system info. C. show system logdb-quota. D. show logging-status.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to “any”. There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to “all”. Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?. A. Active. B. Passive. C. Active-Secondary. D. Non-functional.

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall’s management-plane resources are lightly utilized. Given the size of this environment, which User-ID collection method is sufficient?. A. Windows-based agent deployed on each domain controller. B. PAN-OS integrated agent deployed on the firewall. C. a syslog listener. D. Citrix terminal server agent deployed on the network.

Which statement best describes the Automated Commit Recovery feature?. A. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall if the check fails. B. It restores the running configuration on a firewall if the last configuration commit fails. C. It restores the running configuration on a firewall and Panorama if the last configuration commit fails. D. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?. A. There is insufficient application data after the TCP connection was established. B. The TCP connection was terminated without identifying any application data. C. The TCP connection did not fully establish. D. The client sent a TCP segment with the PUSH flag set.

Which profile generates a packet threat type found in threat logs?. A. WildFire. B. Zone Protection. C. Anti-Spyware. D. Antivirus.

What can an engineer use with GlobalProtect to distribute user-specific client certificates to each GlobalProtect user?. A. SCEP. B. SSL/TLS Service profile. C. OCSP Responder. D. Certificate profile.

An engineer was tasked to simplify configuration of multiple firewalls with a specific set of configurations shared across all devices. Which two advantages would be gained by using multiple templates in a stack? (Choose two.). A. standardizes log-forwarding profiles for security policies across all stacks. B. defines a common standard template configuration for firewalls. C. inherits address-objects from the templates. D. standardizes server profiles and authentication configuration across all stacks.

A network engineer is troubleshooting a VPN and wants to verify whether the decapsulation/encapsulation counters are increasing. Which CLI command should the engineer run?. A. Show running tunnel flow lookup. B. Show vpn flow name <tunnel name>. C. Show vpn ipsec-sa tunnel <tunnel name>. D. Show vpn tunnel name | match encap.

How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling the Advanced Routing Engine running on PAN-OS 10.2?. A. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile. B. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile. C. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Virtual Router > BGP > BFD. D. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Routing > Logical Routers > BGP > BFD.

An engineer is troubleshooting a traffic-routing issue. What is the correct packet-flow sequence?. A. PBF > Static route > Security policy enforcement. B. BGP < PBF > NAT. C. PBF > Zone Protection Profiles > Packet Buffer Protection. D. NAT > Security policy enforcement > OSPF.

While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is also being dropped by the DoS profile. If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the drop to only the attacking sessions?. A. Enable resources protection under the DoS Protection profile. B. Change the SYN flood action from Random Early Drop to SYN cookies. C. Increase the activate rate for the SYN flood protection. D. Change the DoS Protection profile type from aggregate to classified.

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?. A. Configure the TAP interface for segment X on the firewall. B. Configure a Layer 3 interface for segment X on the firewall. C. Configure vwire interfaces for segment X on the firewall. D. Configure a new vsys for segment X on the firewall.

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules. How can this be achieved?. A. by configuring User-ID group mapping in Panorama > User Identification. B. by configuring Master Device in Panorama > Device Groups. C. by configuring User-ID source device in Panorama > Managed Devices. D. by configuring Data Redistribution Client in Panorama > Data Redistribution.

After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the application showing as unknown-tcp. Which possible firewall change could have caused this issue?. A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings. B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup > Content-ID > Content-ID Settings. C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the number of available packet buffers. D. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-order and application identification.

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.). A. upload-only. B. install and reboot. C. upload and install. D. upload and install and reboot. E. verify and install.

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks. The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate. What else should the administrator do to stop packet buffers from being overflowed?. A. Apply a DoS profile to security rules that allow traffic from outside. B. Enable packet buffer protection for the affected zones. C. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside. D. Add a Zone Protection profile to the affected zones.

A network security administrator has been tasked with deploying User-ID in their organization. What are three valid methods of collecting User-ID information in a network? (Choose three.). A. XML API. B. Windows User-ID agent. C. External dynamic list. D. Dynamic user groups. E. GlobalProtect.

What is a correct statement regarding administrative authentication using external services with a local authorization method?. A. The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall. B. Prior to PAN-OS 10.2, an administrator used the firewall to manage role assignments, but access domains have not been supported by this method. C. Starting with PAN-OS 10.2, an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication. D. The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.

A network administrator notices there is a false-positive situation after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays: threat type: spyware; category: dns-c2; threat ID: 1000011111. Which set of steps should the administrator take to configure an exception for this signature?. A. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select the signature exceptions tab and then click show all signatures; Search related threat ID and click enable; Change the default action; Commit. B. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select the Exceptions tab and then click show all signatures; Search related threat ID and click enable; Commit. C. Navigate to Objects > Security Profiles > Vulnerability Protection; Select related profile; Select the Exceptions tab and then click show all signatures; Search related threat ID and click enable; Commit. D. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select DNS exceptions tabs; Search related threat ID and click enable; Commit.

Given the screenshot, how did the firewall handle the traffic?. A. Traffic was allowed by policy but denied by profile as encrypted. B. Traffic was allowed by policy but denied by profile as a threat. C. Traffic was allowed by profile but denied by policy as a threat. D. Traffic was allowed by policy but denied by profile as a nonstandard port.

Your company wants greater visibility into their traffic and has asked you to start planning an SSL Decryption project. The company does not have a PKI infrastructure, and multiple certificates would be needed for this project. Which type of certificate can you use to generate other certificates?. A. self-signed root CA. B. external CA certificate. C. server certificate. D. device certificate.

Refer to the screenshots. Without the ability to use Context Switch, where do admin accounts need to be configured in order to provide admin access to Panorama and to the managed devices?. A. The Panorama section overrides the Device section. The accounts need to be configured only in the Panorama section. B. The sections are independent. The accounts need to be configured in both the Device and Panorama sections. C. The Device section overrides Panorama section. The accounts need to be configured only in the Device section. D. Configuration in the sections is merged together. The accounts need to be configured in either section.

A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?. A. a WildFire profile and a File Blocking profile. B. a Vulnerability Protection profile and a Decryption policy. C. a Vulnerability Protection profile and a QoS policy. D. a Decryption policy and a Data Filtering profile.

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?. A. Enable PFS under the IPSec Tunnel advanced options. B. Add an authentication algorithm in the IPSec Crypto profile. C. Select the appropriate DH Group under the IPSec Crypto profile. D. Enable PFS under the IKE gateway advanced options.

Which protocol is supported by GlobalProtect Clientless VPN?. A. FTP. B. HTTPS. C. SSH. D. RDP.

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?. A. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust. B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust. C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust. D. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3. Which command should they use?. A. test routing fib-lookup ip 10.2.5.0/24 virtual-router default. B. test routing route ip 10.2.5.3. C. test routing route ip 10.2.5.3 virtual-router default. D. test routing fib-lookup ip 10.2.5.3 virtual-router default.

A client is concerned about web shell attacks against their servers. Which profile will protect the individual servers?. A. Anti-Spyware profile. B. Zone Protection profile. C. DoS Protection profile. D. Antivirus profile.

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?. A. service route. B. data redistribution. C. SNMP setup. D. dynamic updates.

How is an address object of type IP range correctly defined?. A. 192.168.40.1-192.168.40.255. B. 192.168 40.1/24. C. 192.168.40.1, 192.168.40.255. D. 192.168.40.1-255.

An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established connections to remote systems. From the Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to prevent such connections?. A. Set the malware category to block. B. Set the Command and Control category to block. C. Set the phishing category to override. D. Set the hacking category to continue.

In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely, which protocol should you select when adding a new scheduled config export?. A. HTTPS. B. FTP. C. SMB v3. D. SCP.

A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT, Finance, and HR. Which two types of traffic will the rule apply to? (Choose two.). A. traffic between zone Finance and zone HR. B. traffic between zone IT and zone Finance. C. traffic within zone HR. D. traffic within zone IT.

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled: 1. End-users must not get the warning for the https://www.very-important-website.com/ website. 2. End-users should get the warning for any other untrusted website. Which approach meets the two customer requirements?. A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration. B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores. C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration. D. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged. Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?. A. agentless User-ID with redistribution. B. Syslog listener. C. captive portal. D. standalone User-ID agent.
