
Palo Alto Networks PCNSE Palo Alto Networks Certified Network Security Engineer Exam Online Training

Question #1

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

  • A . Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop, set "Reject Non-SYN TCP" to No, and set "Asymmetric Path" to Bypass.
  • B . > set session tcp-reject-non-syn no
  • C . Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop, set "Reject Non-SYN TCP" to Global, and set "Asymmetric Path" to Global.
  • D . # set deviceconfig setting session tcp-reject-non-syn no

Correct Answer: A, D

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK

Question #2

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

  • A . Add SSL and web-browsing applications to the same rule.
  • B . Add web-browsing application to the same rule.
  • C . Add SSL application to the same rule.
  • D . SSL and web-browsing must both be explicitly allowed.

Correct Answer: C

Explanation:

'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, the firewall will also implicitly allow the web-browsing application. In our case, we don't know which app the question refers to, but 'Implicitly Uses' means the application already uses HTTP.

Question #3

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

  • A . Change the firewall management IP address
  • B . Configure a device block list
  • C . Add administrator accounts
  • D . Rename a vsys on a multi-vsys firewall
  • E . Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Correct Answer: A, D, E

Question #4

DRAG DROP

Match the terms to their corresponding definitions


Correct Answer:

Explanation:

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf page 83

Question #5

Given the following snippet of a WildFire submission log, did the end user get access to the requested information, and why or why not?

  • A . Yes, because the action is set to alert
  • B . No, because this is an example from a defeated phishing attack
  • C . No, because the severity is high and the verdict is malicious.
  • D . Yes, because the action is set to allow.

Correct Answer: D

Explanation:

https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516

Question #6

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767

  • A . The PanGPS process failed to connect to the PanGPA process on port 4767
  • B . The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
  • C . The PanGPA process failed to connect to the PanGPS process on port 4767
  • D . The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Correct Answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD

Question #7

An engineer reviews high availability (HA) settings to understand a recent HA failover event.

Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?

  • A . Hello Interval
  • B . Promotion Hold Time
  • C . Heartbeat Interval
  • D . Monitor Fail Hold Up Time

Correct Answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-timers

Question #8

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

  • A . 1 to 4 hours
  • B . 6 to 12 hours
  • C . 24 hours
  • D . 36 hours

Correct Answer: B

Explanation:

Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first

Question #10

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

  • A . VirtualWire
  • B . Layer3
  • C . TAP
  • D . Layer2

Correct Answer: A, D

Explanation:

A and D are the best practice deployment modes for the firewall if the company wants to add threat prevention to the network without redesigning the network routing. This is because these modes allow the firewall to act as a transparent device that does not affect the existing network topology or routing [1].

A: VirtualWire mode allows the firewall to be inserted into any existing network segment without changing the IP addressing or routing of that segment [2]. The firewall inspects traffic between two interfaces that are configured as a pair, called a virtual wire. The firewall applies security policies to the traffic and forwards it out of the other interface of the pair [2].

D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses [3]. The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to the same VLAN. The firewall applies security policies to the traffic and forwards it to the appropriate interface based on the MAC address table [3].

Reference:

[1] https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan

[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html

[3] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html

Question #11

Which log type would provide information about traffic blocked by a Zone Protection profile?

  • A . Data Filtering
  • B . IP-Tag
  • C . Traffic
  • D . Threat

Correct Answer: D

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC

D is the correct answer because the Threat log type provides information about traffic blocked by a Zone Protection profile. Zone Protection profiles are used to protect the network from attacks, including common floods, reconnaissance attacks, and other packet-based attacks [1]. These attacks are classified as threats by the firewall and are logged in the Threat log [2]. The Threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats [2].

Reference:

[1] Zone protection profiles – Palo Alto Networks Knowledge Base

[2] Threat Log Fields – Palo Alto Networks

Question #12

Refer to the exhibit.

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

  • A . The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
  • B . The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
  • C . The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.
  • D . The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Correct Answer: A

Explanation:

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620

"Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration."

"You need to be careful about what is actually defined in the template. For example, if you decide to enable HA in the template, but after that you decide not to push it with the template and just disable it again (remove the check from the 'Enable HA' checkbox), this will still be part of the template, because now your template is explicitly defining HA as disabled. If you made a change in the template and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value."

Question #13

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

  • A . Data Filtering
  • B . Configuration
  • C . Threat
  • D . Traffic

Correct Answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4

Question #14

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

  • A . NAT
  • B . DOS protection
  • C . QoS
  • D . Tunnel inspection

Correct Answer: C

Explanation:

The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, and smartphones. This can help optimize network performance and ensure the quality of service for critical applications and devices.

Question #15

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security

certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

  • A . A web server certificate signed by the organization’s PKI
  • B . A self-signed certificate generated on the firewall
  • C . A subordinate Certificate Authority certificate signed by the organization’s PKI
  • D . A web server certificate signed by an external Certificate Authority

Correct Answer: B

Question #16

Which new PAN-OS 11.0 feature supports IPv6 traffic?

  • A . DHCPv6 Client with Prefix Delegation
  • B . OSPF
  • C . DHCP Server
  • D . IKEv1

Correct Answer: A

Explanation:

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table

Question #17

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

  • A . DNS proxy
  • B . Explicit proxy
  • C . SSL forward proxy
  • D . Transparent proxy

Correct Answer: D

Explanation:

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy

Question #18

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

  • A . Log Ingestion
  • B . HTTP
  • C . Log Forwarding
  • D . LDAP

Correct Answer: B, C

Explanation:

For Threat logs, create a Log Forwarding profile to define how you want the firewall or Panorama to handle logs. Configure an HTTP server profile to forward logs to a remote User-ID agent. Then select the Log Forwarding profile you created and select this server profile as the HTTP server profile. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

Question #19

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

  • A . Click Session Browser and review the session details.
  • B . Click Traffic view and review the information in the detailed log view.
  • C . Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
  • D . Click App Scope > Network Monitor and filter the report for NAT rules.

Correct Answer: A

Explanation:

Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.

Question #20

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

  • A . Incomplete
  • B . unknown-tcp
  • C . Insufficient-data
  • D . not-applicable

Correct Answer: D

Explanation:

The traffic didn't match any other policy and so landed at the implicit "deny all" policy. If it is denied there, the traffic was dropped before the application could be determined. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

Question #21

Which statement regarding HA timer settings is true?

  • A . Use the Recommended profile for typical failover timer settings
  • B . Use the Moderate profile for typical failover timer settings
  • C . Use the Aggressive profile for slower failover timer settings.
  • D . Use the Critical profile for faster failover timer settings.

Correct Answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

Question #22

A company has configured a URL Filtering profile with override action on their firewall.

Which two profiles are needed to complete the configuration? (Choose two)

  • A . SSL/TLS Service
  • B . HTTP Server
  • C . Decryption
  • D . Interface Management

Correct Answer: A, D

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8

Question #23

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?

  • A . Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
  • B . Update the apps and threat version using device-deployment
  • C . Perform a device group push using the "merge with device candidate config" option
  • D . Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Correct Answer: A

Explanation:

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS

Question #24

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

  • A . Change destination NAT zone to Trust_L3.
  • B . Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.
  • C . Change Source NAT zone to Untrust_L3.
  • D . Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Correct Answer: D

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

Question #25

Why would a traffic log list an application as "not-applicable"?

  • A . The firewall denied the traffic before the application match could be performed.
  • B . The TCP connection terminated without identifying any application data
  • C . There was not enough application data after the TCP connection was established
  • D . The application is not a known Palo Alto Networks App-ID.

Correct Answer: A

Explanation:

A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, or service. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.

Question #26

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)

  • A . RADIUS
  • B . TACACS+
  • C . Kerberos
  • D . LDAP
  • E . SAML

Correct Answer: A, B, E

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.

Question #27

Where can a service route be configured for a specific destination IP?

  • A . Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
  • B . Use Device > Setup > Services > Services
  • C . Use Device > Setup > Services > Service Route Configuration > Customize > Destination
  • D . Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

Correct Answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

Question #28

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

  • A . Windows User-ID agent
  • B . GlobalProtect
  • C . XMLAPI
  • D . External dynamic list
  • E . Dynamic user groups

Correct Answer: A, B, C

Explanation:

User-ID is a feature that allows the firewall to identify and classify users and groups on the network based on their usernames, IP addresses, and other attributes.

User-ID information can be collected from various sources, such as:

A: Windows User-ID agent: A software agent that runs on a Windows server and collects user information from Active Directory domain controllers, Exchange servers, or eDirectory servers. The agent then sends the user information to the firewall or Panorama for user mapping.

B: GlobalProtect: A software agent that runs on the endpoints and provides secure VPN access to the network. GlobalProtect also collects user information from the endpoints and sends it to the firewall or Panorama for user mapping.

C: XML API: An application programming interface that allows external systems or scripts to send user information to the firewall or Panorama in XML format. The XML API can be used to integrate with third-party systems, such as identity providers, captive portals, or custom applications.

Question #29

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

  • A . A Deny policy for the tagged traffic
  • B . An Allow policy for the initial traffic
  • C . A Decryption policy to decrypt the traffic and see the tag
  • D . A Deny policy with the "tag" App-ID to block the tagged traffic

Correct Answer: B, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups

Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent (in this case, questionable-activity). To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy

Question #30

Refer to the exhibit.

Which will be the egress interface if the traffic’s ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

  • A . ethernet1/6
  • B . ethernet1/3
  • C . ethernet1/7
  • D . ethernet1/5

Correct Answer: D

Explanation:

In the second image, the virtual wire ports shown are ethernet1/5 and ethernet1/7. A virtual wire pair cannot take part in any other forwarding or routing, so any traffic that enters on ethernet1/7 must leave via ethernet1/5.

The egress interface for the traffic with ingress interface ethernet1/7, source 192.168.111.3, and destination 10.46.41.113 will be ethernet1/5. This is because the traffic will match the virtual wire with interfaces ethernet1/5 and ethernet1/7, which is configured to allow VLAN-tagged traffic with tags 10 and 201. The traffic will also match the security policy rule that allows traffic from zone Trust to zone Untrust, which are assigned to ethernet1/7 and ethernet1/5 respectively. Therefore, the traffic will be forwarded out of the other interface of the virtual wire pair, which is ethernet1/5.

Question #31

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

  • A . In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate
  • B . Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure
  • C . Check whether the VPN peer on one end is set up correctly using policy-based VPN
  • D . In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Correct Answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages

The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages.html

Question #32

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

  • A . Choose the URL categories in the User Credential Submission column and set the action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.
  • B . Choose the URL categories in the User Credential Submission column and set the action to block. Select the User Credential Detection tab and select Use IP User Mapping. Commit.
  • C . Choose the URL categories in the Site Access column and set the action to block. Click the User Credential Detection tab and select IP User Mapping. Commit.
  • D . Choose the URL categories in the User Credential Submission column and set the action to block. Select the URL Filtering settings and enable Domain Credential Filter. Commit.

Correct Answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention

Question #33

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

  • A . Inherit settings from the Shared group
  • B . Inherit IPSec crypto profiles
  • C . Inherit all Security policy rules and objects
  • D . Inherit parent Security policy rules and objects

Correct Answer: A, D

Explanation:

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy

Question #34

An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.

What could an administrator do to troubleshoot the issue?

  • A . Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup
  • B . Check the peer IP address in the permitted IP list in Device > Setup > Management > Interfaces > Management Interface Settings
  • C . Go to Device > High Availability > HA Communications > General and check the Heartbeat Backup under Election Settings
  • D . Check the peer IP address for heartbeat backup in Device > High Availability > HA Communications > Packet Forwarding settings

Correct Answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK

Question #35

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regard to the WildFire infrastructure?

  • A . To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
  • B . Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
  • C . Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
  • D . The WildFire Global Cloud only provides bare metal analysis.

Correct Answer: C

Explanation:

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud―global (U.S.), regional, and private―analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html

Question #36

Which three items must be configured to implement application override? (Choose three.)

  • A . Custom app
  • B . Security policy rule
  • C . Application override policy rule
  • D . Decryption policy rule
  • E . Application filter

Correct Answer: A, B, C

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-application-override

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPDrCAO

Question #37

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

  • A . HSCI-C
  • B . Console Backup
  • C . HA3
  • D . HA2 backup

Correct Answer: C, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them. To configure an active/active high availability pair, the following links are required:

HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA3: This is the session owner synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/passive pairs.

Question #38

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

  • A . Resource Protection
  • B . TCP Port Scan Protection
  • C . Packet Based Attack Protection
  • D . Packet Buffer Protection

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

In addition to flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f

Question #39

What is the best definition of the Heartbeat Interval?

  • A . The interval in milliseconds between hello packets
  • B . The frequency at which the HA peers check link or path availability
  • C . The frequency at which the HA peers exchange ping
  • D . The interval during which the firewall will remain active following a link monitor failure

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

"A "heartbeat-interval" CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK

Question #40

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

  • A . Ensure Force Template Values is checked when pushing configuration.
  • B . Push the Template first, then push Device Group to the newly managed firewall.
  • C . Perform the Export or push Device Config Bundle to the newly managed firewall.
  • D . Push the Device Group first, then push Template to the newly managed firewall

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.

Question #41

Which two statements correctly describe Session 380280? (Choose two.)

  • A . The session went through SSL decryption processing.
  • B . The session has ended with the end-reason unknown.
  • C . The application has been identified as web-browsing.
  • D . The session did not go through SSL decryption processing.

Reveal Solution Hide Solution

Correct Answer: A, C

Question #42

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

  • A . 1
  • B . 2
  • C . 3
  • D . 4

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes

Traffic that does not match any QoS class is assigned to class 4, the default class.

Question #43

Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

  • A . Option A
  • B . Option B
  • C . Option C
  • D . Option D

Reveal Solution Hide Solution

Correct Answer: C

Question #44

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

  • A . Click the hyperlink for the Zero Access.Gen threat.
  • B . Click the left arrow beside the Zero Access.Gen threat.
  • C . Click the source user with the highest threat count.
  • D . Click the hyperlink for the hotport threat Category.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9

Question #45

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

  • A . Run the CLI command show advanced-routing ospf neighbor
  • B . In the WebUI, view the Runtime Stats in the virtual router
  • C . Look for configuration problems in Network > virtual router > OSPF
  • D . In the WebUI, view Runtime Stats in the logical router

Reveal Solution Hide Solution

Correct Answer: A, D
A, D

Explanation:

A: The Advanced Routing engine has its own show advanced-routing command tree; show advanced-routing ospf neighbor lists the OSPF adjacencies, and if no neighbor reaches Full state no routes can be learned. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking

D: With Advanced Routing enabled the firewall uses logical routers rather than virtual routers, so the OSPF neighbor, interface and LSA state is shown in the logical router's Runtime Stats. Options B and C look at the virtual router, which is not in use when Advanced Routing is enabled. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

Question #46

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known

What can the administrator configure to establish the VPN connection?

  • A . Set up certificate authentication.
  • B . Use the Dynamic IP address type.
  • C . Enable Passive Mode
  • D . Configure the peer address as an FQDN.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

When the peer's IP address is not known in advance (for example a branch on a dynamic ISP address), set the IKE Gateway's Peer IP Address Type to Dynamic. The firewall then cannot initiate the tunnel, because it has no address to send IKE to, but it accepts IKE negotiations from any address and identifies the peer by the configured Peer Identification (IP address, FQDN, user FQDN or key ID); this is why the question states that the peer acts as the initiator. The other options do not solve the problem on their own: certificate authentication (A) changes how the peer is authenticated, not how it is addressed; Passive Mode (C) only tells the firewall never to initiate and still requires a peer address in the gateway; an FQDN peer address (D) assumes a known, resolvable name for the peer.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0

Question #47

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

  • A . NTP Server Address
  • B . Antivirus Profile
  • C . Authentication Profile
  • D . Service Route Configuration
  • E . Dynamic Address Groups

Reveal Solution Hide Solution

Correct Answer: ACD
ACD

Explanation:

A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of Device and Network settings that can be pushed to multiple firewalls from Panorama. Antivirus profiles (B) and dynamic address groups (E) are objects, which Panorama manages in device groups rather than templates.

A template can contain settings such as:

A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.

C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.

D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.

Question #48

In a template, which two objects can be configured? (Choose two.)

  • A . SD-WAN path quality profile
  • B . Monitor profile
  • C . IPsec tunnel
  • D . Application group

Reveal Solution Hide Solution

Correct Answer: BC
BC

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor.html

Monitor profiles (Network > Network Profiles > Monitor) and IPSec tunnels are Network settings, so they are configured in a template. SD-WAN path quality profiles and application groups are objects and belong to a device group.

Question #49

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

  • A . Export the log database.
  • B . Use the import option to pull logs.
  • C . Use the scp logdb export command.
  • D . Use the ACC to consolidate the logs.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-and-import-a-complete-log-database-logdb

Question #50

Refer to the exhibit.

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert – Threats" Profile Match List?

  • A . The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
  • B . The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
  • C . The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
  • D . The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Reveal Solution Hide Solution

Correct Answer: C

Question #51

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

  • A . IP Netmask
  • B . IP Wildcard Mask
  • C . IP Address
  • D . IP Range

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects
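An IP Wildcard Mask object is written as base/wildcard (for example 10.20.1.0/0.0.248.255): a 0 bit in the mask means the address bit must equal the base bit, a 1 bit is a wildcard, which is the inverse of a subnet mask. That lets one object select, say, every subnet whose third octet ends in the bits 001 regardless of the other bits. The following is an added example written for this page, not Palo Alto Networks code; the pattern and addresses are constructed. It checks addresses against a wildcard pattern and expands the pattern into the equivalent CIDR blocks so you can see exactly what a non-contiguous mask covers before using it in a Security policy rule (wildcard objects are accepted only in Security policy).

```python
import ipaddress


def _parse_wildcard(pattern: str) -> tuple[int, int]:
    """Split 'base/wildcard-mask' (e.g. '10.20.1.0/0.0.248.255') into two 32-bit ints."""
    base_s, mask_s = pattern.split("/")
    return int(ipaddress.IPv4Address(base_s)), int(ipaddress.IPv4Address(mask_s))


def wildcard_match(ip: str, pattern: str) -> bool:
    """True if ip matches the IP Wildcard Mask object.

    Mask bit 0: the address bit must equal the base bit.
    Mask bit 1: wildcard, any value. (Inverse of a subnet mask: a /24 is 0.0.0.255.)
    """
    base, mask = _parse_wildcard(pattern)
    addr = int(ipaddress.IPv4Address(ip))
    fixed = ~mask & 0xFFFFFFFF  # the bits that must match
    return addr & fixed == base & fixed


def wildcard_to_cidrs(pattern: str, limit: int = 1024) -> list[str]:
    """Expand a wildcard pattern into the equivalent CIDR blocks.

    Every wildcard bit that has a fixed bit below it doubles the number of
    blocks, so the expansion is capped at `limit` to avoid a runaway list.
    """
    base, mask = _parse_wildcard(pattern)
    out: list[str] = []

    def expand(b: int, m: int) -> None:
        if len(out) >= limit:
            raise ValueError(f"pattern {pattern} expands to more than {limit} prefixes")
        if m == 0:
            out.append(f"{ipaddress.IPv4Address(b)}/32")
            return
        high = m.bit_length() - 1
        if m == (1 << (high + 1)) - 1:  # wildcard bits are a contiguous low suffix
            network = ipaddress.IPv4Network((b & ~m & 0xFFFFFFFF, 32 - (high + 1)))
            out.append(str(network))
            return
        rest = m & ~(1 << high)  # fix the highest wildcard bit to 0, then to 1
        expand(b & ~(1 << high) & 0xFFFFFFFF, rest)
        expand(b | (1 << high), rest)

    expand(base, mask)
    return out


if __name__ == "__main__":
    # Constructed scheme: the low three bits of the third octet encode a site type (001).
    site_pattern = "10.20.1.0/0.0.248.255"
    for ip in ("10.20.1.7", "10.20.9.7", "10.20.10.7", "10.21.1.7"):
        print(f"{ip:<12} matches {site_pattern}: {wildcard_match(ip, site_pattern)}")
    cidrs = wildcard_to_cidrs(site_pattern)
    print(f"{len(cidrs)} prefixes, first {cidrs[0]}, last {cidrs[-1]}")
```

Expanding the pattern before committing it is a cheap sanity check: a mask that looks like "one subnet" can silently cover dozens of prefixes, and the expansion makes that visible in the same CIDR notation the rest of the rulebase uses.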

Question #52

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution

How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?

  • A . Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
  • B . Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
  • C . Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
  • D . Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f
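The integrated User-ID agent learns mappings from syslog through a syslog parse profile: an event regex selects the login messages, and a username regex and an address regex each capture one field from the selected message. The following is an added example, not Palo Alto Networks code, that models that extraction in Python so you can test your regexes against real messages before configuring them. The log lines, the server name idm01 and the field names (user=, framed_ip=) are constructed; a real IDM or RADIUS server will use its own format, and the regexes must be written for it.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SyslogParseProfile:
    """Mirrors the three regex fields of a PAN-OS syslog parse profile (regex identifier)."""
    event_regex: str      # a message must match this to count as a login event
    username_regex: str   # group 1 captures the user
    address_regex: str    # group 1 captures the IP address


# Constructed syslog lines in the shape a RADIUS/IDM server might forward.
SAMPLE_LOG = [
    "<14>Jan 12 10:00:01 idm01 radius: authentication success user=jdoe framed_ip=10.1.20.15 nas=vpn-gw1",
    "<14>Jan 12 10:00:03 idm01 radius: authentication failure user=mallory framed_ip=10.1.20.16 nas=wlc1",
    "<14>Jan 12 10:00:05 idm01 radius: authentication success user=asmith framed_ip=10.1.30.7 nas=wlc1",
    "<14>Jan 12 10:05:09 idm01 radius: authentication success user=bjones framed_ip=10.1.20.15 nas=vpn-gw1",
    "<14>Jan 12 10:05:10 idm01 radius: authentication success user=eve framed_ip=not-an-ip nas=wlc1",
]

# Regexes written for the constructed lines above.
RADIUS_PROFILE = SyslogParseProfile(
    event_regex=r"authentication success",
    username_regex=r"user=([A-Za-z0-9._-]+)",
    address_regex=r"framed_ip=(\S+)",
)


def extract_user_mappings(lines, profile: SyslogParseProfile, domain: str = "") -> dict:
    """Return {ip: user} for each line that matches the event regex and yields a valid
    address and username.

    A later login from the same IP replaces the earlier mapping, which is how a new user
    on a reused VPN or wireless address is picked up. Failures never create a mapping.
    """
    event = re.compile(profile.event_regex)
    user_re = re.compile(profile.username_regex)
    addr_re = re.compile(profile.address_regex)
    mappings: dict = {}
    for line in lines:
        if not event.search(line):
            continue  # not a login event (failure, accounting, ...)
        um, am = user_re.search(line), addr_re.search(line)
        if not (um and am):
            continue  # event matched but a field is missing: no mapping
        try:
            ip = str(ipaddress.ip_address(am.group(1)))
        except ValueError:
            continue  # address regex captured garbage; do not create a bogus mapping
        user = um.group(1)
        mappings[ip] = f"{domain}\\{user}" if domain else user
    return mappings


if __name__ == "__main__":
    for ip, user in extract_user_mappings(SAMPLE_LOG, RADIUS_PROFILE, domain="corp").items():
        print(f"{ip:<14} {user}")
```

Two behaviours worth keeping when you move the regexes to the firewall: only messages that match the event regex may produce a mapping (a failed authentication must never map the attacker's source to a user), and the address capture must be validated, since a sloppy regex that captures a hostname or a trailing comma yields no mapping rather than a wrong one.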

Question #53

Which protocol is supported by GlobalProtect Clientless VPN?

  • A . FTP
  • B . RDP
  • C . SSH
  • D . HTTPS

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Clientless VPN itself only proxies web (HTTPS) applications through the browser; RDP, SSH and VNC are reachable only when an HTML5 front end presents them as web applications.

Reference:

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html

Question #54

Which type of zone will allow different virtual systems to communicate with each other?

  • A . Tap
  • B . External
  • C . Virtual Wire
  • D . Tunnel

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone

Question #55

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

  • A . Exclude video traffic
  • B . Enable decryption
  • C . Block traffic that is not work-related
  • D . Create a Tunnel Inspection policy

Reveal Solution Hide Solution

Correct Answer: AC
AC

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW

Question #56

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

  • A . Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
  • B . Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
  • C . Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
  • D . Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

The Forward Trust certificate is the CA the firewall uses to re-sign certificates of servers whose own certificate chains to a CA the firewall trusts, so clients must already trust it. Generate it on the firewall as a subordinate CA signed by the company's Intermediate CA (or import one); it is then trusted through the chain already distributed by Group Policy and GlobalProtect. The Forward Untrust certificate is used to re-sign certificates of servers whose own certificate is untrusted or invalid, and it must not chain to the enterprise CA, otherwise clients would silently trust bad server certificates. A self-signed CA generated on the firewall and never distributed to clients produces the expected browser warning.

Question #57

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

  • A . Add the policy to the target device group and apply a master device to the device group.
  • B . Reference the targeted device’s templates in the target device group.
  • C . Clone the security policy and add it to the other device groups.
  • D . Add the policy in the shared device group as a pre-rule

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-the-rule-hierarchy#idfb9e2593-a7f1-4e0d-aab5-a2903d654c99

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies#id671977ca-1041-4605-8a80-fbc10f3f5d7b

Question #58

An administrator notices that an interface configuration has been overridden locally on a firewall.

They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

  • A . Perform a commit force from the CLI of the firewall.
  • B . Perform a template commit push from Panorama using the "Force Template Values" option.
  • C . Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.
  • D . Reload the running configuration and perform a Firewall local commit.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the "Force Template Values" option. This option overwrites any local configuration on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other

Question #59

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

  • A . No Direct Access to local networks
  • B . Tunnel mode
  • C . IPSec mode
  • D . Satellite mode

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

Question #61

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

  • A . Deny
  • B . Discard
  • C . Allow
  • D . Next VR

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Set the Action to take when matching a packet:

Forward―Directs the packet to the specified Egress Interface.

Forward to VSYS (On a firewall enabled for multiple virtual systems)―Select the virtual system to which to forward the packet.

Discard―Drops the packet.

No PBF―Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c

Question #62

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

  • A . Configure a floating IP between the firewall pairs.
  • B . Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
  • C . Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
  • D . On one pair of firewalls, run the CLI command: set network interface vlan arp.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

In an active/passive pair the Layer 3 interfaces use a virtual MAC address of the form 00:1B:17:00:xx:yy, where 00:1B:17 is the Palo Alto Networks OUI, xx is the HA Group ID and yy is the interface ID. The address does not depend on the serial number of the firewalls, so two pairs configured with the same Group ID on the same subnet advertise the same MAC for matching interfaces and the upstream router's ARP table flaps between them. Giving each pair on a shared subnet a unique Group ID is the supported fix.
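The following is an added example, written for this page and not Palo Alto Networks code, that derives the active/passive virtual MAC from the Group ID and interface ID and flags collisions between pairs that share a subnet. It assumes the 00:1B:17:00:xx:yy layout described above and the Group ID range 1 to 63 from the HA settings dialog; the pair names and interface IDs are constructed, since the real interface IDs are assigned by PAN-OS.

```python
from collections import defaultdict


def virtual_mac(group_id: int, interface_id: int) -> str:
    """Virtual MAC an active/passive pair presents on a Layer 3 interface.

    Layout: 00:1B:17:00:xx:yy with xx = HA Group ID and yy = interface ID.
    Nothing pair-specific (serial, hostname) goes into the address, which is why
    two pairs with the same Group ID on one VLAN generate identical MACs.
    """
    if not 1 <= group_id <= 63:
        raise ValueError("HA Group ID must be in the range 1-63")
    if not 0 <= interface_id <= 0xFF:
        raise ValueError("interface ID must fit in one byte")
    return f"00:1b:17:00:{group_id:02x}:{interface_id:02x}"


def find_vmac_conflicts(pairs: dict) -> dict:
    """pairs: {pair_name: (group_id, [interface IDs on the shared subnet])}.

    Returns {mac: [pair names]} for every MAC claimed by more than one pair.
    """
    owners = defaultdict(list)
    for name, (group_id, interfaces) in pairs.items():
        for interface_id in interfaces:
            owners[virtual_mac(group_id, interface_id)].append(name)
    return {mac: names for mac, names in owners.items() if len(names) > 1}


# Constructed inventory: two pairs on one subnet, both left at the default Group ID 1.
BEFORE = {"dc-pair": (1, [0x10, 0x11]), "dmz-pair": (1, [0x10, 0x12])}
# Same inventory after moving dmz-pair to Group ID 2.
AFTER = {"dc-pair": (1, [0x10, 0x11]), "dmz-pair": (2, [0x10, 0x12])}

if __name__ == "__main__":
    print("conflicts with both pairs on Group ID 1:", find_vmac_conflicts(BEFORE))
    print("conflicts after dmz-pair moves to Group ID 2:", find_vmac_conflicts(AFTER))
```

Run the check against your inventory of HA pairs per VLAN before deploying a new pair; the collision shows up only on interfaces whose IDs happen to match, so a pair can appear healthy on most interfaces while one upstream gateway keeps relearning the MAC.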

Question #63

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

  • A . A service route to the LDAP server
  • B . A Master Device
  • C . Authentication Portal
  • D . A User-ID agent on the LDAP server

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG

Question #64

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

  • A . Minimum TLS version
  • B . Certificate
  • C . Encryption Algorithm
  • D . Maximum TLS version
  • E . Authentication Algorithm

Reveal Solution Hide Solution

Correct Answer: ABD
ABD

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile

Question #65

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

  • A . Specify the target device as the master device in the device group
  • B . Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
  • C . Add the template as a reference template in the device group
  • D . Add a firewall to both the device group and the template

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

In order to see what is in a template, the device group needs the template referenced. Even if you add the firewall to both the template and the device group, the device group will not see what is in the template. The following link has a video that demonstrates that C is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

Question #66

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

  • A . No client configuration is required for explicit proxy, which simplifies the deployment complexity.
  • B . Explicit proxy supports interception of traffic using non-standard HTTPS ports.
  • C . It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.
  • D . Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

Reveal Solution Hide Solution

Correct Answer: CD
CD

Explanation:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy

Question #67

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

  • A . upload-only
  • B . install and reboot
  • C . upload and install
  • D . upload and install and reboot
  • E . verify and install

Reveal Solution Hide Solution

Correct Answer: ACD
ACD

Explanation:

When Panorama deploys a PAN-OS image (Panorama > Device Deployment > Software), it can upload the image only, upload and install it, or upload, install and reboot the device. "Install and reboot" without an upload and "verify and install" are not offered.

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html

Question #68

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

  • A . PAN-OS integrated User-ID agent
  • B . GlobalProtect
  • C . Windows-based User-ID agent
  • D . LDAP Server Profile configuration

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GlobalProtect is a VPN solution that provides secure remote access to corporate networks. Every GlobalProtect user must authenticate to the portal and gateway through the configured authentication profile (LDAP, RADIUS, SAML, client certificates, and so on), and the gateway learns the username together with the tunnel IP it assigns at login. Each mapping is therefore created explicitly by an authenticated event on the firewall, rather than inferred from logs that an agent polls from a domain controller, which is what a high-security environment requires.

Question #69

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.

Which certificate is the best choice to configure as an SSL Forward Trust certificate?

  • A . A self-signed Certificate Authority certificate generated by the firewall
  • B . A Machine Certificate for the firewall signed by the organization’s PKI
  • C . A web server certificate signed by the organization’s PKI
  • D . A subordinate Certificate Authority certificate signed by the organization’s PKI

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate.

Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

Question #70

Which operation will impact the performance of the management plane?

  • A . Decrypting SSL sessions
  • B . Generating a SaaS Application report
  • C . Enabling DoS protection
  • D . Enabling packet buffer protection

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD―PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK

Question #71

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

  • A . NAT Rule:
    Source Zone: Trust –
    Source IP: Any –
    Destination Zone: Server –
    Destination IP: 172.16.15.10 –
    Source Translation: Static IP / 172.16.15.1
    Security Rule:
    Source Zone: Trust –
    Source IP: Any –
    Destination Zone: Trust –
    Destination IP: 172.16.15.10 –
    Application: ssh
  • B . NAT Rule:
    Source Zone: Trust –
    Source IP: 192.168.15.0/24 –
    Destination Zone: Trust –
    Destination IP: 192.168.15.1 –
    Destination Translation: Static IP / 172.16.15.10
    Security Rule:
    Source Zone: Trust –
    Source IP: 192.168.15.0/24 –
    Destination Zone: Server –
    Destination IP: 172.16.15.10 –
    Application: ssh
  • C . NAT Rule:
    Source Zone: Trust –
    Source IP: Any –
    Destination Zone: Trust –
    Destination IP: 192.168.15.1 –
    Destination Translation: Static IP /172.16.15.10
    Security Rule:
    Source Zone: Trust –
    Source IP: Any –
    Destination Zone: Server –
    Destination IP: 172.16.15.10 –
    Application: ssh
  • D . NAT Rule:
    Source Zone: Trust –
    Source IP: Any –
    Destination Zone: Server –
    Destination IP: 172.16.15.10 –
    Source Translation: dynamic-ip-and-port / ethernet1/4
    Security Rule:
    Source Zone: Trust –
    Source IP: Any –
    Destination Zone: Server –
    Destination IP: 172.16.15.10 –
    Application: ssh

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat

Question #72

An administrator would like to determine which action the firewall will take for a specific CVE.

Given the screenshot below, where should the administrator navigate to view this information?

  • A . The profile rule action
  • B . CVE column
  • C . Exceptions tab
  • D . The profile rule threat name

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering functions.

To verify this, log in to the firewall, open the Vulnerability Protection profile, go to the Exceptions tab and select "Show all signatures". From there you can see every signature, including its CVE and the specific action the profile will take for it.

More detail:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC

Question #73

A network administrator wants to deploy SSL Forward Proxy decryption.

What two attributes should a forward trust certificate have? (Choose two.)

  • A . A subject alternative name
  • B . A private key
  • C . A server certificate
  • D . A certificate authority (CA) certificate

Reveal Solution Hide Solution

Correct Answer: B, D
B, D

Explanation:

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall. A server certificate (C) cannot sign other certificates, and a subject alternative name (A) is a property of the per-session leaf certificates the firewall generates, not of the signing CA.

Question #74

An engineer is configuring a firewall with three interfaces:

• MGT connects to a switch with internet access.

• Ethernet1/1 connects to an edge router.

• Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic.

What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

  • A . Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
  • B . Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
  • C . Set DNS and Palo Alto Networks Services to use the MGT source interface.
  • D . Set DDNS and Palo Alto Networks Services to use the MGT source interface.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Dynamic updates are downloaded through the Palo Alto Networks Services service route, and the update servers are resolved through the DNS service route. Both default to the MGT interface, so to keep the management interface off the internet path both are redirected to ethernet1/1, the dataplane interface that reaches the edge router and therefore the internet.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

Question #75

Which Panorama feature protects logs against data loss if a Panorama server fails?

  • A . Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
  • B . Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
  • C . Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
  • D . Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

Correct Answer: B

Explanation:

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

"Log redundancy is available only if each Log Collector has the same number of logging disks." (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.

Question #76

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.

What can the engineer do to solve the VoIP traffic issue?

  • A . Disable ALG under H.323 application
  • B . Increase the TCP timeout under H.323 application
  • C . Increase the TCP timeout under SIP application
  • D . Disable ALG under SIP application

Correct Answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg

Question #77

An engineer manages a high availability network and requires fast failover of the routing protocols.

The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

  • A . OSPF
  • B . RIP
  • C . BGP
  • D . IGRP
  • E . OSPFv3 virtual link

Correct Answer: A, B, C

Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols

Question #78

An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

  • A . High availability (HA)
  • B . Layer 3
  • C . Layer 2
  • D . Tap
  • E . Virtual Wire

Correct Answer: B, C, E

Explanation:

PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

Question #79

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)

  • A . PA-220
  • B . PA-800 Series
  • C . PA-5000 Series
  • D . PA-500
  • E . PA-3400 Series

Correct Answer: A, B, E

Explanation:

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls

Question #80

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

  • A . The User-ID agent is connected to a domain controller labeled lab-client
  • B . The host lab-client has been found by a domain controller
  • C . The host lab-client has been found by the User-ID agent.
  • D . The User-ID agent is connected to the firewall labeled lab-client

Correct Answer: A

Question #81

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

  • A . IPv6 Source or Destination Address
  • B . Destination-Based Service Route
  • C . IPv4 Source Interface
  • D . Inherit Global Setting

Correct Answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/virtual-systems/customize-service-routes-for-a-virtual-system/customize-service-routes-to-services-for-virtual-systems

Question #82

Which three authentication types can be used to authenticate users? (Choose three.)

  • A . Local database authentication
  • B . PingID
  • C . Kerberos single sign-on
  • D . GlobalProtect client
  • E . Cloud authentication service

Correct Answer: A, C, E

Explanation:

The three authentication types that can be used to authenticate users are:

A: Local database authentication. The firewall or Panorama stores and verifies the user credentials in its local user database.

C: Kerberos single sign-on. Users who are already logged in to a Windows domain are authenticated transparently with Kerberos, using a keytab imported into the firewall or Panorama.

E: Cloud authentication service. Authentication is delegated to the Cloud Identity Engine, which brokers SAML authentication to an identity provider such as Okta, PingOne or PingFederate.

PingID (B) is only available as a multi-factor authentication vendor inside an authentication profile, not as an authentication type, and the GlobalProtect client (D) consumes authentication rather than providing it.

Question #83

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

  • A . IKE Crypto Profile
  • B . Security policy
  • C . Proxy-IDs
  • D . PAN-OS versions

Correct Answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS

https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789

Question #84

An administrator has been tasked with configuring decryption policies.

Which decryption best practice should they consider?

  • A . Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.
  • B . Decrypt all traffic that traverses the firewall so that it can be scanned for threats.
  • C . Place firewalls where administrators can opt to bypass the firewall when needed.
  • D . Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.

Correct Answer: A

Explanation:

The decryption best practice the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. Decryption intercepts and inspects encrypted traffic, which raises privacy and compliance questions that depend on the jurisdiction and on the type of traffic (financial, health and personal data are commonly excluded). The administrator should therefore establish which traffic may lawfully be decrypted, what user notification is required, and exclude the rest with a no-decrypt rule before enabling decryption. Decrypting everything (B), bypassing the firewall (C) and forward proxy rules without a Decryption profile (D) all contradict the best practices.

Question #85

If a URL is in multiple custom URL categories with different actions, which action will take priority?

  • A . Allow
  • B . Override
  • C . Block
  • D . Alert

Correct Answer: C

Explanation:

When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).

1 block

2 override

3 continue

4 alert

5 allow

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC

Question #86

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain and application?

  • A . Tunnel mode
  • B . Satellite mode
  • C . IPSec mode
  • D . No Direct Access to local networks

Correct Answer: A

Explanation:

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

Question #87

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

  • A . Check dependencies
  • B . Schedules
  • C . Verify
  • D . Revert content
  • E . Install

Correct Answer: B, D, E

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content

Question #88

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.

What should they review with their leadership before implementation?

  • A . Browser-supported cipher documentation
  • B . Cipher documentation supported by the endpoint operating system
  • C . URL risk-based category distinctions
  • D . Legal compliance regulations and acceptable usage policies

Correct Answer: D

Explanation:

The engineer should review the legal compliance regulations and acceptable usage policies with their leadership before implementing SSL Forward Proxy decryption for their organization. SSL Forward Proxy decryption allows the firewall to decrypt and inspect the traffic from internal users to external servers. This can raise privacy and legal concerns for the users and the organization. Therefore, the engineer should ensure that the leadership is aware of the implications and benefits of SSL Forward Proxy decryption and that they have a clear policy for informing and obtaining consent from the users. Option A is incorrect because browser-supported cipher documentation is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the browser settings. Option B is incorrect because cipher documentation supported by the endpoint operating system is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the endpoint operating system. Option C is incorrect because URL risk-based category distinctions are not relevant for SSL Forward Proxy decryption. The firewall can decrypt and inspect traffic based on any URL category, not just risk-based ones.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts "Understand local laws and regulations about the traffic you can legally decrypt and user notification requirements."

Question #89

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10.

Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

  • A . None
  • B . Outside
  • C . DMZ
  • D . Inside

Correct Answer: B

Explanation:

NAT rules are evaluated before any translation takes place, so the destination zone of a NAT rule is the zone that the pre-NAT destination address routes to, not the zone of the translated address. The pre-NAT address 153.6.12.10 is the public address reached through the edge (Outside) interface, so the destination NAT rule is written with source zone Outside and destination zone Outside, translating the destination to 192.168.10.10. Only the Security policy rule that permits the session uses the post-NAT destination zone, that is, the zone in which the web server actually sits according to the routing information. A NAT rule written with the server's zone as destination zone never matches the inbound traffic.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
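The zone selection described above, as an added example that is not part of the exam page or of any Palo Alto Networks code: a route lookup on the pre-NAT destination address gives the NAT rule's destination zone, and a lookup on the post-NAT address gives the Security rule's destination zone. The routing table, interface names and zone names in the block are constructed assumptions (the question's graphic is not available), and the web server is placed in a DMZ segment purely for illustration.

```python
"""Added example (not from the exam page or from Palo Alto Networks): work out the
zones a destination NAT rule and its Security policy rule need from a route lookup.
PAN-OS evaluates NAT rules before translation, so the NAT rule's destination zone is
the zone the pre-NAT destination address routes to; the Security rule is then
matched on the post-NAT destination zone. The routing table, interface names and
zone names below are constructed assumptions, not data from the question's graphic."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed routing table (longest prefix wins) and interface-to-zone bindings.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),        # default route to the edge router
    Route(ipaddress.ip_network("153.6.12.0/24"), "ethernet1/1"),    # public block holding the pre-NAT address
    Route(ipaddress.ip_network("192.168.10.0/24"), "ethernet1/2"),  # web server segment (assumed DMZ)
    Route(ipaddress.ip_network("10.0.0.0/8"), "ethernet1/3"),       # internal users
]
INTERFACE_ZONE: Dict[str, str] = {
    "ethernet1/1": "Outside",
    "ethernet1/2": "DMZ",
    "ethernet1/3": "Inside",
}


def lookup_zone(ip: str) -> str:
    """Route lookup for ip (longest prefix match), then map the egress interface to its zone."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in ROUTES if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route for {ip}")
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return INTERFACE_ZONE[best.interface]


def nat_rule_zones(src_ip: str, pre_nat_dst: str, post_nat_dst: str) -> Dict[str, str]:
    """Zones for a destination NAT rule and for the Security rule that permits the flow.
    The source zone is the zone of the ingress interface; for planning purposes it is
    found the same way, with a route lookup on the client address."""
    return {
        "nat_source_zone": lookup_zone(src_ip),
        "nat_destination_zone": lookup_zone(pre_nat_dst),        # pre-NAT address decides the NAT rule
        "security_destination_zone": lookup_zone(post_nat_dst),  # post-NAT address decides the Security rule
    }


def nat_rule_matches(rule_destination_zone: str, pre_nat_dst: str) -> bool:
    """A NAT rule whose destination zone is the server's own zone never matches
    inbound internet traffic, because the rule is evaluated on the pre-NAT address."""
    return rule_destination_zone == lookup_zone(pre_nat_dst)


if __name__ == "__main__":
    zones = nat_rule_zones("203.0.113.7", "153.6.12.10", "192.168.10.10")
    for name, zone in zones.items():
        print(f"{name:<26} {zone}")
    print("NAT rule with destination zone DMZ matches:", nat_rule_matches("DMZ", "153.6.12.10"))
```

Running the block with the constructed table prints Outside for both NAT zones and DMZ for the Security rule's destination zone; swapping the NAT rule's destination zone for the server's zone makes `nat_rule_matches` return False, which is the symptom of the common misconfiguration.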

Question #90

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

  • A . It matches to the New App-IDs downloaded in the last 90 days.
  • B . It matches to the New App-IDs in the most recently installed content releases.
  • C . It matches to the New App-IDs downloaded in the last 30 days.
  • D . It matches to the New App-IDs installed since the last time the firewall was rebooted.

Correct Answer: B

Explanation:

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches to only the new App-IDs in the most recently installed content releases. When a new content release is installed, the New App-ID characteristic automatically begins to match only to the new App-IDs in that content release version. This way, the engineer can see how the newly-categorized applications might impact security policy enforcement and make any necessary adjustments.

Reference: Monitor New App-IDs

Question #91

Given the following snippet of a WildFire submission log, did the end user successfully download a file?

  • A . No, because the URL generated an alert.
  • B . Yes, because both the web-browsing application and the flash file have the ‘alert" action.
  • C . Yes, because the final action is set to "allow.”
  • D . No, because the action for the wildfire-virus is "reset-both."

Correct Answer: B

Question #92

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

  • A . Initial
  • B . Tentative
  • C . Passive
  • D . Active-secondary

Correct Answer: B

Explanation:

In an active/active high availability (HA) pair, a firewall that detects a failure of a monitored link or path (or that is leaving the suspended or non-functional state) enters the Tentative state. While Tentative it does not own any sessions; it synchronizes sessions and configuration from its peer and re-establishes its routing adjacencies before it can return to the active-primary or active-secondary state. Passive exists only in active/passive deployments, and Initial is the transitional state a firewall passes through when it joins the pair. Therefore, the correct answer is B. Tentative.

Question #93

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

  • A . Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
  • B . Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
  • C . Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.
  • D . Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Correct Answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama.

Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)

Question #94

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)

  • A . Low
  • B . High
  • C . Critical
  • D . Informational
  • E . Medium

Correct Answer: B, C, E

Explanation:

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks best practices for Anti-Spyware profiles recommend enabling single-packet capture (PCAP) for medium, high and critical severity threats. A single packet is enough to give analysts the context of the triggering traffic without the performance and storage cost of extended captures. PCAP should not be enabled for low and informational severity threats: they fire in relatively high volume and add little investigative value compared with the higher-severity events.

Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)

Question #95

What must be configured to apply tags automatically based on User-ID logs?

  • A . Device ID
  • B . Log Forwarding profile
  • C . Group mapping
  • D . Log settings

Correct Answer: D

Explanation:

To apply tags automatically based on User-ID logs, the engineer must configure the tagging action under Device > Log Settings. A Log Forwarding profile cannot be used here: it is attached to Security and other policy rules and only covers the log types those rules generate (Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, Tunnel Inspection and Authentication). User-ID logs, like System, Configuration, HIP Match and GlobalProtect logs, are not tied to a policy rule, so their forwarding and built-in actions (add or remove a tag, optionally with a timeout, on the source or destination address or on the user) are defined in Log Settings with a filter that selects the events of interest. The resulting tags can then populate dynamic address groups or dynamic user groups for policy enforcement.

Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)

Question #96

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?

  • A . Outdated plugins
  • B . Global Protect agent version
  • C . Expired certificates
  • D . Management only mode

Correct Answer: A

Explanation:

One of the potential causes of a failed install when upgrading Panorama is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Each plugin version has dependencies on specific PAN-OS versions, so plugins must be updated before or after upgrading Panorama, as the plugin compatibility matrix dictates. If the plugins are not updated accordingly, the upgrade may fail or leave Panorama functionality broken after the upgrade.

Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)

Question #97

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

  • A . Log Forwarding profile
  • B . SSL decryption exclusion
  • C . Email scheduler
  • D . Login banner
  • E . Dynamic updates

Correct Answer: B, D, E

Explanation:

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template carries settings from the Device and Network tabs of the firewall web interface, such as the login banner, the SSL decryption exclusion list and the dynamic update schedule, so these can be configured in a template named "Global" and included in every template stack. A template stack is an ordered group of templates that Panorama pushes to the managed firewalls. Log Forwarding profiles (A) are objects that belong to device groups, and the email scheduler (C) is a Panorama-level Monitor setting, so neither can be configured in a template.

Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)

Question #98

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?

  • A . Initial
  • B . Passive
  • C . Active
  • D . Active-primary

Correct Answer: D

Explanation:

In an active/active deployment both peers forward traffic: one is active-primary and the other active-secondary, the states that replace Active and Passive from the active/passive model. Passive is therefore not an active/active state, and Initial is the transitional state a firewall passes through when joining the pair.

Question #99

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

  • A . Captive portal
  • B . Standalone User-ID agent
  • C . Syslog listener
  • D . Agentless User-ID with redistribution

Correct Answer: C

Explanation:

A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. The syslog listener, on the PAN-OS integrated User-ID agent or on the Windows-based agent, receives syslog messages from other systems and parses them with Syslog Parse Profiles (regex or field identifiers) for IP-address-to-username mappings. It can collect mappings from any source that logs authentication events, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers and proxies, regardless of the platform or operating system of the end devices. Therefore a syslog listener provides a comprehensive and flexible User-ID deployment for a network with this many authentication sources.

Reference: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide,

PCNSE Study Guide (page 48)
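The parsing step described above, as an added example that is not part of the exam page or of any Palo Alto Networks code: one regex-based parse profile per log source selects successful authentication events and pulls the username and client address out of them, the way a Syslog Parse Profile with regex identifiers does. The three "vendor" log formats, the ignore list and every log line below are constructed for this example and do not reproduce any real product's syntax.

```python
"""Added example (not from the exam page or from Palo Alto Networks): extract
IP-address-to-username mappings from syslog events the way a User-ID syslog
listener does with per-source Syslog Parse Profiles. The three source formats,
the ignore list and every log line below are constructed for this example."""
import re
from typing import Dict, Optional, Tuple

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# One parse profile per log source (constructed formats). As with the firewall's
# regex identifiers, the event regex selects successful logins; the username and
# address regexes then pull the mapping out of the selected line.
PARSE_PROFILES = {
    "nac-wireless": {
        "event": re.compile(r"\bAUTH_OK\b"),
        "user": re.compile(r"user=(?P<user>\S+)"),
        "ip": re.compile(r"client_ip=" + IPV4),
    },
    "windows-dc": {
        "event": re.compile(r"\bEventID=4624\b"),
        "user": re.compile(r"Account Name:\s*(?P<user>\S+)"),
        "ip": re.compile(r"Source Network Address:\s*" + IPV4),
    },
    "mdm": {
        "event": re.compile(r"\bdevice-checkin\b"),
        "user": re.compile(r"owner=(?P<user>[^;\s]+)"),
        "ip": re.compile(r"wifi_ip=" + IPV4),
    },
}

# Accounts that must never produce a mapping (machine accounts ending in "$",
# service accounts): the equivalent of the User-ID ignore-user list.
IGNORE_USER = re.compile(r"\$$|^svc[-_]", re.IGNORECASE)

SAMPLE_LOGS = [  # (source, syslog line); all constructed
    ("nac-wireless", r"<14>Jun 12 09:01:02 nac01 radius: AUTH_OK user=CORP\alice client_ip=10.20.1.15 ssid=staff"),
    ("windows-dc", "<13>Jun 12 09:01:10 dc01 Security: EventID=4624 Account Name: bob Source Network Address: 10.20.2.31 Logon Type: 3"),
    ("windows-dc", "<13>Jun 12 09:01:11 dc01 Security: EventID=4624 Account Name: WS-042$ Source Network Address: 10.20.2.40"),
    ("mdm", "<14>Jun 12 09:02:00 mdm01 mdm: device-checkin owner=carol@corp.example; wifi_ip=10.20.3.77; os=ios"),
    ("nac-wireless", "<14>Jun 12 09:03:00 nac01 radius: AUTH_FAIL user=mallory client_ip=10.20.1.99"),
    ("nac-wireless", r"<14>Jun 12 09:05:00 nac01 radius: AUTH_OK user=CORP\dave client_ip=10.20.1.15 ssid=staff"),
]


def parse_mapping(source: str, line: str) -> Optional[Tuple[str, str]]:
    """Return (username, ip) for a login event, or None when the line is not a
    mapping event for this source or the user is on the ignore list."""
    profile = PARSE_PROFILES.get(source)
    if profile is None or not profile["event"].search(line):
        return None
    user_match, ip_match = profile["user"].search(line), profile["ip"].search(line)
    if not (user_match and ip_match):
        return None
    user = user_match.group("user").lower()  # domain\user and UPNs are compared case-insensitively
    if IGNORE_USER.search(user):
        return None
    return user, ip_match.group("ip")


def build_mappings(logs) -> Dict[str, Tuple[str, str]]:
    """ip -> (user, source). A later event for the same IP replaces the earlier
    mapping, as a newer login from a shared address does on the firewall."""
    table: Dict[str, Tuple[str, str]] = {}
    for source, line in logs:
        hit = parse_mapping(source, line)
        if hit:
            user, ip = hit
            table[ip] = (user, source)
    return table


if __name__ == "__main__":
    for ip, (user, source) in sorted(build_mappings(SAMPLE_LOGS).items()):
        print(f"{ip:<14} {user:<22} via {source}")
```

With the constructed input, the failed RADIUS authentication and the machine-account logon produce no mapping, and 10.20.1.15 ends up mapped to the most recent user seen on it, which is why the User-ID timeout and the order of events matter when one address is shared.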

Question #100

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?

  • A . The forward untrust certificate has not been signed by the self-signed root CA certificate.
  • B . The forward trust certificate has not been installed in client systems.
  • C . The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
  • D . The forward trust certificate has not been signed by the self-signed root CA certificate.

Correct Answer: D

Explanation:

The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is the one the firewall uses to sign the copy of each server certificate it generates for outbound SSL decryption (SSL Forward Proxy); the firewall presents that copy to the client, and the client verifies its signature by walking the chain up to a CA in its trust store. In this case the administrator has installed the self-signed root CA certificate on all client systems, so the forward trust certificate must have been issued by that root for the chain to close. As the screenshot shows, the forward trust certificate has a different issuer than the self-signed root CA certificate, so the clients cannot build a trusted path and display a warning for every decrypted site. The forward untrust certificate (A) is deliberately not trusted, since it is used to signal sites whose real certificate was invalid; a forward trust certificate is never installed on clients (B), only the root that issued it; and a shared CN (C) does not by itself break chain building. To fix the issue, the administrator should generate a new forward trust certificate signed by the self-signed root CA certificate (or import a forward trust certificate issued by it together with its private key).

Reference: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption
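The chain behaviour behind Question #73 and Question #100, as an added example that is not code from the exam page or from Palo Alto Networks: a root CA installed on the clients, a forward trust CA issued by it, an impersonated copy of a server certificate issued per decrypted session, and a minimal client-side path check. The same check is run against a forward trust certificate that is self-signed instead of issued by the root (the Question #100 failure) and against one that has a private key but lacks the CA attribute (the Question #73 requirement). The block requires the third-party `cryptography` package; all certificate names, including www.example.com, are invented, and the path check deliberately omits validity, revocation and hostname checks.

```python
"""Added example, not code from the exam page or from Palo Alto Networks: build the
certificates SSL Forward Proxy relies on and check them the way a client does.
Requires the third-party 'cryptography' package (pip install cryptography).
All names (Lab Root CA, Forward Trust CA, www.example.com) are invented."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def new_key() -> rsa.RSAPrivateKey:
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def issue(cn: str, subject_key, issuer_cert, issuer_key, *, ca: bool, san: str = None):
    """Issue a certificate for cn; issuer_cert=None makes it self-signed.
    Signing needs the issuer's *private key*; whether the result may itself issue
    certificates is decided by the Basic Constraints CA flag."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=30))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if san:
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer) -> bool:
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def is_ca(cert) -> bool:
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def client_trusts(leaf, presented_chain, trust_store, max_depth=5) -> bool:
    """Path check as a browser does it: every issuer on the path must be a CA whose
    signature verifies, and the path must end at a certificate in the client's
    trust store. Validity, revocation and hostname checks are omitted here."""
    current = leaf
    for _ in range(max_depth):
        if any(is_ca(anchor) and signed_by(current, anchor) for anchor in trust_store):
            return True
        parents = [c for c in presented_chain
                   if c is not current and c.subject == current.issuer
                   and is_ca(c) and signed_by(current, c)]
        if not parents:
            return False
        current = parents[0]
    return False


def forward_proxy_scenarios() -> dict:
    root_key = new_key()
    root = issue("Lab Root CA", root_key, None, root_key, ca=True)  # installed on every client

    # Correct setup: the forward trust certificate is a CA certificate issued by the root.
    ft_key = new_key()
    forward_trust = issue("Forward Trust CA", ft_key, root, root_key, ca=True)
    # Question #100: a forward trust certificate that is self-signed, not issued by the root.
    orphan_key = new_key()
    orphan_trust = issue("Forward Trust CA", orphan_key, None, orphan_key, ca=True)
    # Question #73: a certificate with a private key but without the CA attribute.
    noca_key = new_key()
    not_a_ca = issue("Forward Trust (server cert)", noca_key, root, root_key, ca=False)

    # Per decrypted session the firewall re-issues a copy of the real server
    # certificate under the forward trust certificate and presents it to the client.
    server_key = new_key()

    def impersonated(signer, signer_key):
        return issue("www.example.com", server_key, signer, signer_key, ca=False, san="www.example.com")

    return {
        "issued_by_trusted_root": client_trusts(impersonated(forward_trust, ft_key), [forward_trust], [root]),
        "self_signed_forward_trust": client_trusts(impersonated(orphan_trust, orphan_key), [orphan_trust], [root]),
        "forward_trust_without_ca_flag": client_trusts(impersonated(not_a_ca, noca_key), [not_a_ca], [root]),
    }


if __name__ == "__main__":
    for name, ok in forward_proxy_scenarios().items():
        print(f"{name:<32} {'trusted' if ok else 'browser warning'}")
```

Only the first scenario is trusted: a self-signed forward trust certificate cannot be linked to the root the clients hold, and a certificate without CA:TRUE is rejected as an issuer even though the firewall holds its private key and the root did sign it.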
