Paloalto Networks PCNSE : Practice Exam

Exam Code: PCNSE 8

Title : Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 8.0
QUESTION 1
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host
A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)
Which two security policy rules will accomplish this configuration? (Choose two.)

A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow

B. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
C. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
D. Untrust (Any) to DMZ (10.1.1.1), ssh Allow
E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow

Correct Answer: CD

QUESTION 2
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access
from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

A. application: web-browsing; service: application-default

B. application: web-browsing; service: service-https
C. application: ssl; service: any
D. application: web-browsing; service: (custom with destination TCP port 8080)

Correct Answer: A

QUESTION 3
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains
highly-sensitive business data?

A. Security policy
B. Decryption policy
C. Authentication policy
D. Application Override policy

Correct Answer: C

QUESTION 4
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

A. Device>Setup>Services>AutoFocus
B. Device> Setup>Management >AutoFocus
C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
D. Device>Setup>WildFire>AutoFocus
E. Device>Setup> Management> Logging and Reporting Settings

Correct Answer: B

QUESTION 5
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

A. WildFire updates
B. NAT
C. NTP
D. antivirus
E. File blocking

Correct Answer: ABC

QUESTION 6
Which CLI command can be used to export the tcpdump capture?

A. scp export tcpdump from mgmt.pcap to <username@host:path>

B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
D. download mgmt.-pcap

Correct Answer: C

QUESTION 7
Which option is part of the content inspection process?

A. Packet forwarding process

B. SSL Proxy re-encrypt
C. IPsec tunnel encryption
D. Packet egress process

Correct Answer: A

QUESTION 8
Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

A. Certificate from Default Trust Certificate Authorities

B. Domain Sub-CA
C. Forward_Trust
D. Domain-Root-Cert

Correct Answer: A

QUESTION 9
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

A. Security policy rule allowing SSL to the target server

B. Firewall connectivity to a CRL
C. Root certificate imported into the firewall with "Trust" enabled
D. Importation of a certificate from an HSM

Correct Answer: A

QUESTION 10
Which three firewall states are valid? (Choose three.)

A. Active
B. Functional
C. Pending
D. Passive
E. Suspended

Correct Answer: ADE

QUESTION 11
Which feature prevents the submission of corporate login information into website forms?

A. Data filtering
B. User-ID
C. File blocking
D. Credential phishing prevention
Correct Answer: D

QUESTION 12
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications
DNS, SSL, and web-browsing. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first
entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

A. Create a decryption rule matching the encrypted BitTorrent traffic with action "No-Decrypt," and place the rule at the top of the Decryption policy.
B. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy.
C. Disable the exclude cache option for the firewall.
D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

Correct Answer: D

QUESTION 13
If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are recorded in which log type?

A. Data Filtering
B. WildFire Submissions
C. Threat
D. Traffic

Correct Answer: C

QUESTION 14
Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

A. ethernet1/6
B. ethernet1/3
C. ethernet1/7
D. ethernet1/5

Correct Answer: D

QUESTION 15
Which Palo Alto Networks VM-Series firewall is valid?

A. VM-25
B. VM-800
C. VM-50
D. VM-400

Correct Answer: C
QUESTION 16
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

A. set deviceconfig interface speed-duplex 1Gbps-full-duplex

B. set deviceconfig system speed-duplex 1Gbps-duplex
C. set deviceconfig system speed-duplex 1Gbps-full-duplex
D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Correct Answer: B

QUESTION 17
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

A. Deny application facebook-chat before allowing application facebook

B. Deny application facebook on top
C. Allow application facebook on top
D. Allow application facebook before denying application facebook-chat

Correct Answer: A

QUESTION 18
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS®version, and serial number?

A. debug system details

B. show session info
C. show system info
D. show system details

Correct Answer: C

QUESTION 19
A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. The
company's engineers made configuration changes to the switches on both network segments, and connected them to the new firewall.
Soon after the cutover, however, users began to complain about latency and some servicers stopped communicating. There are no security policies that deny
traffic between the two networks segments. You suspect that there is an interface misconfiguration on Ethernet 1/1.
Which two commands should be used to troubleshoot the issue? (Choose two)

A. show interface hardware

B. show interface management
C. show interface ethernet1/1
D. show interface logical

Correct Answer: CD

QUESTION 20
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration
with PAN-OS® software?

A. XML API
B. Port Mapping
C. Client Probing
D. Server Monitoring

Correct Answer: A

QUESTION 21
During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. Pattern based application identification

B. Application override policy match
C. Application changed from content inspection
D. Session application identified.

Correct Answer: BD

QUESTION 22
PAN-OS 8.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command
Center (ACC).
Which license must the firewall have to obtain new correlation objectives?

A. Application Center
B. URL Filtering
C. GlobalProtect
D. Threat Prevention

Correct Answer: D

QUESTION 23
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW.
The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?

A. Custom application
B. System logs show an application error and neither signature is used.
C. Downloaded application
D. Custom and downloaded application signature files are merged and both are used

Correct Answer: A

QUESTION 24
Which three settings are defined within the Templates object of Panorama? (Choose three.)

A. Setup
B. Virtual Routers
C. Interfaces
D. Security
E. Application Override

Correct Answer: ADE

QUESTION 25
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be
forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A.
B.

C.

D.

Correct Answer: C

QUESTION 26
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator
enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

A. Use the import option to pull logs into Panorama.

B. A CLI command will forward the pre-existing logs to Panorama.
C. Use the ACC to consolidate pre-existing logs.
D. The log database will need to exported form the firewalls and manually imported into Panorama.

Correct Answer: B

QUESTION 27
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies
tab?

A. Admin Role
B. WebUI
C. Authentication
D. Authorization

Correct Answer: A

QUESTION 28
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active
firewall.
Which priority is for the passive firewall?

A. 0
B. 99
C. 1
D. 255

Correct Answer: D

QUESTION 29
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface
type would support this business requirement?

A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Correct Answer: B

QUESTION 30
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

A. ACC
B. System Logs
C. App Scope
D. Session Browser

Correct Answer: D

QUESTION 31
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

A. Okta
B. DUO
C. RADIUS
D. PingID

Correct Answer: C

QUESTION 32
If the firewall has the link monitoring configuration, what will cause a failover?

A. ethernet1/3 and ethernet1/6 going down

B. ethernet1/3 going down
C. ethernet1/3 or Ethernet1/6 going down
D. ethernet1/6 going down

Correct Answer: A

QUESTION 33
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide
service quality?

A. Port Inspection
B. Certificate revocation
C. Content-ID
D. App-ID

Correct Answer: D

QUESTION 34
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image.
Which configuration change should the administrator make?
A.
B.

C.
D.

E.

Correct Answer: B

QUESTION 35
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

A. Enable packet buffer protection on the Zone Protection Profile.

B. Apply an Anti-Spyware Profile with DNS sinkholing.
C. Use the DNS App-ID with application-default.
D. Apply a classified DoS Protection Profile.

Correct Answer: A

QUESTION 36
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

A. To enable Gateway authentication to the Portal

B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal

Correct Answer: C

QUESTION 37
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-
OS® software would help in this case?

A. Application override
B. Redistribution of user mappings
C. Virtual Wire mode
D. Content inspection

Correct Answer: B

QUESTION 38
A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny". Which action will this cause configuration on the matched traffic?

A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny".
B. The configuration will allow the matched session unless a vulnerability is detected. The "Deny" action will supersede the per-severity defined actions defined in
the associated Vulnerability Protection Profile.
C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule
action is set to "Deny."

Correct Answer: B

QUESTION 39
A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

A. The three-way TCP handshake was observed, but the application could not be identified.
B. The three-way TCP handshake did not complete.
C. The traffic is coming across USP, and the application could not be identified.
D. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.

Correct Answer: C

QUESTION 40
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

A. Red Hat Enterprise Virtualization (RHEV)

B. Kernel Virtualization Module (KVM)
C. Boot Strap Virtualization Module (BSVM)
D. Microsoft Hyper-V

Correct Answer: BD

QUESTION 41
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the
template stack is pushed?

A. The settings assigned to the template that is on top of the stack.

B. The administrator will be promoted to choose the settings for that chosen firewall.
C. All the settings configured in all templates.
D. Depending on the firewall location, Panorama decides with settings to send.

Correct Answer: B

QUESTION 42
A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options
can be used to correctly categorize their custom database application? (Choose two.)

A. Application Override policy.

B. Security policy to identify the custom application.
C. Custom application.
D. Custom Service object.

Correct Answer: BC

QUESTION 43
If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to
HTTP(S) websites?

A. SSL Forward Proxy

B. SSL Inbound Inspection
C. TLS Bidirectional proxy
D. SSL Outbound Inspection

Correct Answer: B

QUESTION 44
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

A. Session Browser
B. Application Command Center
C. TCP Dump
D. Packet Capture

Correct Answer: B

QUESTION 45
An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse
back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates?

A. A scheduler will need to be configured for application signatures.

B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.

Correct Answer: D

QUESTION 46
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?

A. Anti-Spyware
B. Instruction Prevention
C. File Blocking
D. Antivirus

Correct Answer: D

QUESTION 47
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

A. Mapping to the IP address of the logged-in user.

B. First four letters of the username matching any valid corporate username.
C. Using the same user's corporate username and password.
D. Marching any valid corporate username.

Correct Answer: A

QUESTION 48
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

A. Configure a Decryption Profile and select SSL/TLS services.

B. Set up SSL/TLS under Polices > Service/URL Category>Service.
C. Set up Security policy rule to allow SSL communication.
D. Configure an SSL/TLS Profile.

Correct Answer: D

QUESTION 49
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts
every 5 minutes.
How quickly will the firewall receive back a verdict?

A. More than 15 minutes

B. 5 minutes
C. 10 to 15 minutes
D. 5 to 10 minutes

Correct Answer: D

QUESTION 50
What are two benefits of nested device groups in Panorama? (Choose two.)

A. Reuse of the existing Security policy rules and objects

B. Requires configuring both function and location for every device
C. All device groups inherit settings form the Shared group
D. Overwrites local firewall configuration

Correct Answer: BC

QUESTION 51
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

A. .dll
B. .exe
C. .src
D. .apk
E. .pdf
F. .jar

Correct Answer: DEF

QUESTION 52
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

A. The Passive firewall, which then synchronizes to the active firewall

B. The active firewall, which then synchronizes to the passive firewall
C. Both the active and passive firewalls, which then synchronize with each other
D. Both the active and passive firewalls independently, with no synchronization afterward

Correct Answer: C

QUESTION 53
Which three types of software will receive a Grayware verdict from WildFire? (Choose Three)

A. Browser Toolbar
B. Trojans
C. Ransomeware
D. Potentially unwanted programs
E. Adware.

Correct Answer: ADE

QUESTION 54
Which Captive Portal mode must be configured to support MFA authentication?

A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent

Correct Answer: B

QUESTION 55
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be
triggered by the traffic?

A. check
B. find
C. test
D. sim

Correct Answer: C

QUESTION 56
Refer to the exhibit.

An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side.
Where is the best
place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A.

B.
C.

D.

Correct Answer: D
QUESTION 57
Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin
account on the local firewall? (Choose three.)

A. Kerberos
B. PAP
C. SAML
D. TACACS+
E. RADIUS
F. LDAP

Correct Answer: ACF

QUESTION 58
Which three options are supported in HA Lite? (Choose three.)

A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization

Correct Answer: BCD

QUESTION 59
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external
users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to
scan this traffic for threats.
Which option would achieve this result?

A. Create a custom App-ID and enable scanning on the advanced tab.

B. Create an Application Override policy.
C. Create a custom App-ID and use the "ordered conditions" check box.
D. Create an Application Override policy and custom threat signature for the application.

Correct Answer: A

QUESTION 60
VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN
tunnel, which protection profile can be enabled to prevent this malicious behavior?

A. Zone Protection
B. DoS Protection
C. Web Application
D. Replay

Correct Answer: A

QUESTION 61
An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix
to connect to the network and access resources?

A. Client Probing
B. Terminal Services agent
C. GlobalProtect
D. Syslog Monitoring

Correct Answer: C

QUESTION 62
Which protection feature is available only in a Zone Protection Profile?

A. SYN Flood Protection using SYN Flood Cookies

B. ICMP Flood Protection
C. Port Scan Protection
D. UDP Flood Protections

Correct Answer: A

QUESTION 63
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported
excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing
monitoring platforms?

A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
C. Configure log compression and optimization features on all remote firewalls.
D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Correct Answer: C

QUESTION 64
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

A. View the System logs and look for the error messages about BGP.
B. Perform a traffic pcap on the NGFW to see any BGP problems.
C. View the Runtime Stats and look for problems with BGP configuration.
D. View the ACC tab to isolate routing issues.

Correct Answer: CD

QUESTION 65
The certificate information displayed in the following image is for which type of certificate?

A. Forward Trust certificate

B. Self-Signed Root CA certificate
C. Web Server certificate
D. Public CA signed certificate

Correct Answer: D

QUESTION 66
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

A. View Runtime Stats in the virtual router.

B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. Perform a traffic pcap at the routing stage.

Correct Answer: AC

QUESTION 67
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure
tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

A. Preconfigured GlobalProtect satellite

B. Preconfigured GlobalProtect client
C. Preconfigured PIsec tunnels
D. Preconfigured PPTP Tunnels

Correct Answer: A

QUESTION 68
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through
an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-
browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS® software can be upgraded?

A. Security policy rule

B. CRL
C. Service route
D. Scheduler

Correct Answer: A

QUESTION 69
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

A. Disable SNMP on the management interface.

B. Application override of SSL application.
C. Disable logging at session start in Security policies.
D. Disable predefined reports.
E. Reduce the traffic being decrypted by the firewall.

Correct Answer: CDE

QUESTION 70
A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been
configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
D. Configure path monitoring for the next hop gateway on the default route in the virtual router.

Correct Answer: D

QUESTION 71
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

A. web-browsing and 443

B. SSL and 80
C. SSL and 443
D. web-browsing and 80

Correct Answer: B

QUESTION 72
Which event will happen if an administrator uses an Application Override Policy?

A. Threat-ID processing time is decreased.

B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
C. The application name assigned to the traffic by the security rule is written to the Traffic log.
D. App-ID processing time is increased.

Correct Answer: B

QUESTION 73
Server Message Block (SMB), a common file-sharing application, is slow when passing through a Palo Alto Networks firewall. The Network Security Administrator
created an application override policy, assigning all SMB traffic to a custom application, to resolve the slowness issue.
Why does this configuration resolve the issue?

A. Layer 7 processing has been disabled for SMB traffic.

B. Layer 4 processing has been disabled for the SMB traffic.
C. Zone protection is no longer being applied.
D. Security policy assignment is being done more efficiently.

Correct Answer: A

QUESTION 74
After Migrating from an ASA firewall to a Palo Alto Networks Firewall, the VPN connection between a remote network and the Palo Alto Networks Firewall is not
establishing correctly. The following entry is appearing in the logs:
Pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message?

A. Update- the IPSec Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no pfs to group2.
C. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no pfs
D. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.

Correct Answer: D

QUESTION 75
Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)

A. maximum file size

B. file types
C. application
D. direction

Correct Answer: BCD

QUESTION 76
Which method will dynamically register tags on the Palo Alto Networks NGFW?

A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
B. Restful API or the VMware API on the firewall or on the User-ID agent
C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Correct Answer: D

QUESTION 77
Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

A. URL Filtering profile

B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile

Correct Answer: A

QUESTION 78
How can a candidate or running configuration be copied to a host external from Panorama?

A. Commit a running configuration.

B. Save a configuration snapshot.
C. Save a candidate configuration.
D. Export a named configuration snapshot.

Correct Answer: D

QUESTION 79
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

A. Use the debug dataplane packet-diag set capture stage firewall file command.
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
C. Use the debug dataplane packet-diag set capture stage management file command.
D. Use the topdump command.

Correct Answer: A

QUESTION 80
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface? (Choose two.)

A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile

Correct Answer: BD

QUESTION 81
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
A. Configure the option for "Threshold".
B. Disable automatic updates during weekdays.
C. Automatically "download only" and then install Applications and Threats later, after the administrator approvesthe update.
D. Automatically "download and install" but with the "disable new applications" option used.

Correct Answer: C

QUESTION 82
In a virtual router, which object contains all potential routes?

A. MIB
B. RIB
C. SIP
D. FIB

Correct Answer: B

QUESTION 83
What are three valid actions in a File Blocking Profile? (Choose three)

A. Forward
B. Block
C. Alret
D. Upload
E. Reset-both
F. Continue

Correct Answer: ABC

QUESTION 84
A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two)

A. BGP not sure

B. OSPFv3
C. RIP
D. Static Route

Correct Answer: BD

QUESTION 85
Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

A. Certificate revocation list

B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol

Correct Answer: C

QUESTION 86
Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

A. ms log
B. authd log
C. System log
D. Traffic log
E. dp-monitor .log

Correct Answer: BC

QUESTION 87
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)

A. Clean
B. Bengin
C. Adware
D. Suspicious
E. Grayware
F. Malware

Correct Answer: BEF

QUESTION 88
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

A. KVM
B. VMware ESX
C. VMware NSX
D. AWS

Correct Answer: AB
QUESTION 89
A network engineer has revived a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and
complex.
Which CLI command will help identify the issue?

A. test routing fib virtual-router vr1

B. show routing route type static destination 98.139.183.24
C. test routing fib-lookup ip 98.139.183.24 virtual-router vr1
D. show routing interface

Correct Answer: C

QUESTION 90
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

A. Vulnerability Object
B. DoS Protection Profile
C. Data Filtering Profile
D. Zone Protection Profile

Correct Answer: BD

QUESTION 91
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections
with the external server.
What can be done to simplify the NAT policy?

A. Configure ECMP to handle matching NAT traffic

B. Configure a NAT Policy rule with Dynamic IP and Port
C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option

Correct Answer: C

QUESTION 92
Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

A. Set the type to Aggregate, clear the session's box and set the Maximum concurrent Sessions to 4000.
B. Set the type to Classified, clear the session's box and set the Maximum concurrent Sessions to 4000.
C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000.
D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000.

Correct Answer: C

QUESTION 93
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

A. Log
B. Alert
C. Allow
D. Default

Correct Answer: B

QUESTION 94
Refer to Exhibit:
A firewall has three PDF rules and a default route with a next hop .29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10
IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

A. 172.20.30.1
B. 172.20.20.1
C. 172.20.10.1
D. 172.20.40.1

Correct Answer: B

QUESTION 95
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP
address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and
Site-B?

A. Enable on Site-A only

B. Enable on Site-B only
C. Enable on Site-B only with passive mode
D. Enable on Site-A and Site-B

Correct Answer: D

QUESTION 96
A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

A. Block all unauthorized applications using a security policy

B. Block all known internal custom applications
C. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks
D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks

Correct Answer: D

QUESTION 97
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

A. VM-100
B. VM-200
C. VM-1000-HV
D. VM-300

Correct Answer: C

QUESTION 98
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to
a single destination IP address and post. Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to
other hosts insides the network?

A. Zone Protection Policy with UDP Flood Protection

B. QoS Policy to throttle traffic below maximum limit
C. Security Policy rule to deny trafic to the IP address and port that is under attack
D. Classified DoS Protection Policy using destination IP only with a Protect action

Correct Answer: D

QUESTION 99
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that
this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

A. Create a custom Application without signatures, then create an Application Override policythat includes the source, Destination, Destination Port/Protocol and
Custom Application of the traffic.
B. Wait until an official Application signature is provided from Palo Alto Networks.
C. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application
D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic
Correct Answer: D

QUESTION 100
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being
used to connect to the management network. Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

A. test panoramas-connect 10.10.10.5

B. show panoramas-status
C. show arp all I match 10.10.10.5
D. topdump filter "host 10.10.10.5
E. debug dataplane packet-diag set capture on

Correct Answer: BD

QUESTION 101
How are IPV6 DNS queries configured to user interface ethernet1/3?

A. Network > Virtual Router > DNS Interface

B. Objects > CustomerObjects > DNS
C. Network > Interface Mgrnt
D. Device > Setup > Services > Service Route Configuration

Correct Answer: D

QUESTION 102
Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

A. Log
B. Alert
C. Allow
D. Default

Correct Answer: B

QUESTION 103
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose
two)

A. Brute-force signatures
B. BrightCloud Url Filtering
C. PAN-DB URL Filtering
D. DNS-based command-and-control signatures

Correct Answer: CD

QUESTION 104
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next- Generation Firewall. As a final step, the
administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?

A. test security -policy- match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number
B. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol<protocol number>
C. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol<protocol number>
D. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
test security-policy-match source

Correct Answer: A

QUESTION 105
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

A. Assign an IP address on each tunnel interface at each site

B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
D. Create new VPN zones at each site to terminate each VPN connection

Correct Answer: C

QUESTION 106
Support for which authentication method was added in PAN-OS 8.0?

A. RADIUS
B. LDAP
C. Diameter
D. TACACS+

Correct Answer: D

QUESTION 107
What can missing SSL packets when performing a packet capture on dataplane interfaces?

A. The packets are hardware offloaded to the offloaded processor on the dataplane
B. The missing packets are offloaded to the management plane CPU
C. The packets are not captured because they are encrypted
D. There is a hardware problem with offloading FPGA on the management plane

Correct Answer: A

QUESTION 108
DRAG DROP - (Topic 2)
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

A.
B.
C.
D.

Correct Answer:

QUESTION 109
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

A. Panorama Log Settings

B. Panorama Log Templates
C. Panorama Device Group Log Forwarding
D. Collector Log Forwarding for Collector Groups

Correct Answer: A

QUESTION 110
The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of
GlobalPortect Portal?

A. Server Certificate
B. Client Certificate
C. Authentication Profile
D. Certificate Profile

Correct Answer: A

QUESTION 111
A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair. What allows the firewall administrator to
determine the last date a failover event occurred?

A. From the CLI issue use the show System log

B. Apply the filter subtype eq ha to the System log
C. Apply the filter subtype eq ha to the configuration log
D. Check the status of the High Availability widget on the Dashboard of the GUI

Correct Answer: B

QUESTION 112
A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?

A. Change the Site-B IKE Gateway profile version to match Site-A,

B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.
C. Enable NAT Traversal on the Site-A IKE Gateway profile.
D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A

Correct Answer: D

QUESTION 113
How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

A. Enable support for non-standard syslog messages under device management

B. Check the custom-format check box in the syslog server profile
C. Select a non-standard syslog server profile
D. Create a custom log format under the syslog server profile

Correct Answer: D

QUESTION 114
Which CLI command displays the current management plan memory utilization?
A. > show system info
B. > show system resources
C. > debug management-server show
D. > show running resource-monitor

Correct Answer: B

QUESTION 115
What are three valid method of user mapping? (Choose three)

A. Syslog
B. XML API
C. 802.1X
D. WildFire
E. Server Monitoring

Correct Answer: ABE

QUESTION 116
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

A. Blocked Activity
B. Bandwidth Activity
C. Threat Activity
D. Network Activity

Correct Answer: D

QUESTION 117
A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the
following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?

Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

A. A report can be created that identifies unclassified traffic on the network.

B. Different security profiles can be applied to traffic matching rules 2 and 3.
C. Rule 2 and 3 apply to traffic on different ports.
D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

Correct Answer: BD

QUESTION 118
Which three function are found on the dataplane of a PA-5050? (Choose three)

A. Protocol Decoder
B. Dynamic routing
C. Management
D. Network Processing
E. Signature Match

Correct Answer: BDE

QUESTION 119
Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

A. Virtual Wire
B. Loopback
C. Layer 3
D. Tunnel

Correct Answer: BC

QUESTION 120
An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th
output from the command:
less mp-log ikemgr.log:
What could be the cause of this problem?

A. The public IP addresse do not match for both the Palo Alto Networks Firewall and the AS
B.
C. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the AS
D.
E. The shared secerts do not match between the Palo Alto firewall and the ASA
F. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA

Correct Answer: B

QUESTION 121
In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?

A. LDAP
B. Kerberos
C. Certification based authentication
D. RADIUS with Vendor-Specific Attributes

Correct Answer: D

QUESTION 122
Click the Exhibit button

An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.
What would be the administrator's next step?

A. Right-Click on the bittorrent link and select Value from the context menu
B. Create a global filter for bittorrent traffic and then view Traffic logs.
C. Create local filter for bittorrent traffic and then view Traffic logs.
D. Click on the bittorrent application link to view network activity

Correct Answer: D

QUESTION 123
Which option is an IPv6 routing protocol?

A. RIPv3
B. OSPFv3
C. OSPv3
D. BGP NG

Correct Answer: B

QUESTION 124
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

A. Disable Server Response Inspection

B. Apply an Application Override
C. Disable HIP Profile
D. Add server IP Security Policy exception

Correct Answer: A

QUESTION 125
Which three options are available when creating a security profile? (Choose three)

A. Anti-Malware
B. File Blocking
C. Url Filtering
D. IDS/ISP
E. Threat Prevention
F. Antivirus

Correct Answer: ABF

QUESTION 126
Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes
B. Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode.
C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.
D. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector mode.
E. Log in the Panorama CLI of the dedicated Log Collector

Correct Answer: BE

QUESTION 127
A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security
Profiles> Anti-Spyware and select default profile.
What should be done next?

A. Click the simple-critical rule and then click the Action drop-down list.
B. Click the Exceptions tab and then click show all signatures.
C. View the default actions displayed in the Action column.
D. Click the Rules tab and then look for rules with "default" in the Action column.

Correct Answer: B

QUESTION 128
Which three rule types are available when defining policies in Panorama? (Choose three.)

A. Pre Rules
B. Post Rules
C. Default Rules
D. Stealth Rules
E. Clean Up Rules

Correct Answer: ABC

QUESTION 129
A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if
the administrators at the branch office sites to override these products?

A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules

Correct Answer: A

QUESTION 130
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

A. Configure the management interface as HA3 Backup

B. Configure Ethernet 1/1 as HA1 Backup
CConfigure Ethernet 1/1 as HA2 Backup
C. Configure the management interface as HA2 Backup
D. Configure the management interface as HA1 Backup
E. Configure ethernet1/1 as HA3 Backup

Correct Answer: BE

QUESTION 131
How is the Forward Untrust Certificate used?

A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/
B. It is used when web servers request a client certificate.
C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.
D. It is used for Captive Portal to identify unknown users.

Correct Answer: C

QUESTION 132
What must be used in Security Policy Rule that contain addresses where NAT policy applies?
A. Pre-NAT addresse and Pre-NAT zones
B. Post-NAT addresse and Post-Nat zones
C. Pre-NAT addresse and Post-Nat zones
D. Post-Nat addresses and Pre-NAT zones

Correct Answer: C

QUESTION 133
Which three log-forwarding destinations require a server profile to be configured? (Choose three)

A. SNMP Trap
B. Email
C. RADIUS
D. Kerberos
E. Panorama
F. Syslog

Correct Answer: ABF

QUESTION 134
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

A. Microsoft Active Directory

B. Microsoft Terminal Services
C. Aerohive Wireless Access Point
D. Palo Alto Networks Captive Portal

Correct Answer: B

QUESTION 135
Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

A. Assign an IP address on each tunnel interface at each site

B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
D. Create new VPN zones at each site to terminate each VPN connection

Correct Answer: C

QUESTION 136
Which field is optional when creating a new Security Policy rule?

A. Name
B. Description
C. Source Zone
D. Destination Zone
E. Action

Correct Answer: B

QUESTION 137
People are having intermittent quality issues during a live meeting via web application.

A. Use QoS profile to define QoS Classes

B. Use QoS Classes to define QoS Profile
C. Use QoS Profile to define QoS Classes and a QoS Policy
D. Use QoS Classes to define QoS Profile and a QoS Policy

Correct Answer: C

QUESTION 138
How does Panorama handle incoming logs when it reaches the maximum storage capacity?

A. Panorama discards incoming logs when storage capacity full.

B. Panorama stops accepting logs until licenses for additional storage space are applied
C. Panorama stops accepting logs until a reboot to clean storage space.
D. Panorama automatically deletes older logs to create space for new ones.

Correct Answer: D

QUESTION 139
A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

A. Destination IP.54.6.10
B. UntrustL3 for both Source and Destination Zone
C. Destination IP .168.1.10
D. UntrustL3 for Source Zone and Trust-L3 for Destination Zone
Correct Answer: AB

QUESTION 140
YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic.
The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface
Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

A. Outbound profile with Guaranteed Ingress

B. Outbound profile with Maximum Ingress
C. Inbound profile with Guaranteed Egress
D. Inbound profile with Maximum Egress

Correct Answer: D

QUESTION 141
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

A. When configuring Certificate Profiles

B. When configuring GlobalProtect portal
C. When configuring User Activity Reports
D. When configuring Antivirus Dynamic Updates

Correct Answer: D

QUESTION 142
After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in
Panorama's traffic logs. What could be the problem?

A. A Server Profile has not been configured for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. The firewall is not licensed for logging to this Panorama device.
D. None of the firwwall's policies have been assigned a Log Forwarding profile

Correct Answer: D

QUESTION 143
The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but
there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which
feature can be used to identify, in real time, the applications taking up the most bandwidth?

A. QoS Statistics
B. Applications Report
C. Application Command Center (ACC)
D. QoS Log

Correct Answer: A

QUESTION 144
Which three fields can be included in a pcap filter? (Choose three)

A. Egress interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress interface

Correct Answer: BCD

QUESTION 145
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the
output from the command:

What could be the cause of this problem?

A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the AS
B.
C. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the AS
D.
E. The public IP addresses do not match for both the Palo Alto Networks Firewall and the AS
F.
G. The shared secrets do not match between the Palo Alto Networks Firewall and the AS
H.

Correct Answer: C

QUESTION 146
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters
associated with the traffic after configuring the appropriate packet filters?

A. From the CLI, issue the show counter global filter pcap yes command.
B. From the CLI, issue the show counter global filter packet-filter yes command.
C. From the GUI, select show global counters under the monitor tab.
D. From the CLI, issue the show counter interface command for the ingress interface.

Correct Answer: B

QUESTION 147
A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the
Collector Group.
What should be done first?

A. Remove the cable from the management interface, reload the log Collector and then re- connect that cable
B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
C. remove the device from the Collector Group
D. Revert to a previous configuration

Correct Answer: C

QUESTION 148
Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.
B. Configuring the metric for RIP to be higher than that of OSPF Int.
C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
D. Configuring the metric for RIP to be lower than that OSPF Ext.

Correct Answer: A

QUESTION 149
Click the Exhibit button below,
A firewall has three PBF rules and a default route with a next hop .20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10
IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC?

A. 172.20.30.1
B. 172.20.40.1
C. 172.20.20.1
D. 172.20.10.1

Correct Answer: C

QUESTION 150
Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)

A. ms.log
B. traffic.log
C. system.log
D. dp-monitor.log
E. authd.log

Correct Answer: CE

QUESTION 151
Which interface configuration will accept specific VLAN IDs?

A. Tab Mode
B. Subinterface
C. Access Interface
D. Trunk Interface

Correct Answer: B

QUESTION 152
Which three options does the WF-500 appliance support for local analysis? (Choose three)

A. E-mail links
B. APK files
C. jar files
D. PNG files
E. Portable Executable (PE) files

Correct Answer: ACE

QUESTION 153
Which CLI command displays the current management plane memory utilization?

A. > debug management-server show

B. > show running resource-monitor
C. > show system info
D. > show system resources

Correct Answer: D

QUESTION 154
Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect
against threats?

A. X-Auth IPsec VPN

B. GlobalProtect Apple IOS
C. GlobalProtect SSL
D. GlobalProtect Linux

Correct Answer: A

QUESTION 155
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address
of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly
configured.
What can be the cause of this problem?

A. No Zone has been configured on Ethernet 1/4.

B. Interface Ethernet 1/1 is in Virtual Wire Mode.
C. DNS has not been properly configured on the firewall.
D. DNS has not been properly configured on the host.

Correct Answer: A

QUESTION 156
Which command can be used to validate a Captive Portal policy?

A. eval captive-portal policy <criteria>

B. request cp-policy-eval <criteria>
C. test cp-policy-match <criteria>
D. debug cp-policy <criteria>

Correct Answer: C

QUESTION 157
Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web- browsing. When user try to accesss https://
www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

A. Add SSL App-ID to Rule1

B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
C. Add the DNS App-ID to Rule2
D. Add the Web-browsing App-ID to Rule2

Correct Answer: C

QUESTION 158
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has
decided to configure a destination NAT Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
·
Public zone: Untrust-L3
·
Guest zone: Guest-L3
·
Web server zone: Trust-L3
·
Public IP address (Untrust-L3): 1.1.1.1
·
Private IP address (Trust-L3): 192.168.1.50
·
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3

Correct Answer: A

QUESTION 159
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

A. The firewalls must have the same set of licenses.

B. The management interfaces must to be on the same network.
C. The peer HA1 IP address must be the same on both firewalls.
D. HA1 should be connected to HA1. Either directly or with an intermediate Layer 2 device.

Correct Answer: AD

QUESTION 160
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4. Which three methods can the firewall administrator use to install PAN-
OS 8.0.4 across the enterprise?( Choose three)

A. Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.
B. Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
C. Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.
D. Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall.
E. Download and install PAN-OS 8.0.4 directly on each firewall.
F. Download and push PAN-OS 8.0.4 from Panorama to each firewall.

Correct Answer: ACF

QUESTION 161
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The
destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two)

A. A security policy with a source of any from untrust-I3 Zone to a destination .1.1.100 in dmz-I3 zone using web- browsing application
B. A NAT rule with a source of any from untrust-I3 zone to a destination .1.1.100 in dmz-zone using service-http service.
C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone usingservice- http service.
D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone usingweb- browsing application.

Correct Answer: BD

QUESTION 162
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus
software. Furthermore, SSL is used to tunnel malicious traffic to command- and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

A. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole
B. File Blocking profiles applied to outbound security policies with action set to alert
C. Vulnerability Protection profiles applied to outbound security policies with action set to block
D. Antivirus profiles applied to outbound security policies with action set to alert

Correct Answer: A

QUESTION 163
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

A. Master
B. Universal
C. Shared
D. Global

Correct Answer: C

QUESTION 164
A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

A. The firewall does not have an active WildFire subscription.

B. The engineer's account does not have permission to view WildFire Submissions.
C. A policy is blocking WildFire Submission traffic.
D. Though WildFire is working, there are currently no WildFire Submissions log entries.

Correct Answer: B

QUESTION 165
Which two statements are for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

A. The devices are pre-configured with a virtual wire pair out the first two interfaces.
B. The devices are licensed and ready for deployment.
C. The management interface has an IP address .168.1.1 and allows SSH and HTTPS connections.
D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
E. The interface are pingable.

Correct Answer: BC

QUESTION 166
A company.com wants to enable Application Override. Given the following screenshot:
Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
B. Traffic will be forced to operate over UDP Port 16384.
C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Correct Answer: AC

QUESTION 167
When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled,
generating a traffic log.
What will be the destination IP Address in that log entry?

A. The IP Address of sinkhole.paloaltonetworks.com

B. The IP Address of the command-and-control server
C. The IP Address specified in the sinkhole configuration
D. The IP Address of one of the external DNS servers identified in the anti-spyware database

Correct Answer: C

QUESTION 168
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall Which part of files needs to be imported back into the
replacement firewall that is using Panorama?

A. Device state and license files

B. Configuration and serial number files
C. Configuration and statistics files
D. Configuration and Large Scale VPN (LSVPN) setups file

Correct Answer: A

QUESTION 169
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in
Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The
administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will the error?

A. Set tunnel. 1 to p2p

B. Set tunnel. 1 to p2mp
C. Set Ethernet 1/1 to p2mp
D. Set Ethernet 1/1 to p2p

Correct Answer: A

QUESTION 170
A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management
interface.
Which configuration setting needs to be modified?

A. Service route
B. Default route
C. Management profile
D. Authentication profile

Correct Answer: A

QUESTION 171
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration
needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?

A. Create a Template with the appropriate IKE Gateway settings

B. Create a Template with the appropriate IPSec tunnel settings
C. Create a Device Group with the appropriate IKE Gateway settings
D. Create a Device Group with the appropriate IPSec tunnel settings

Correct Answer: B

QUESTION 172
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

A. The two devices must share a routable floating IP address

B. The two devices may be different models within the PA-5000 series
C. The HA1 IP address from each peer must be on a different subnet
D. The management port may be used for a backup control connection

Correct Answer: D

QUESTION 173

What will be the source address in the ICMP packet?

A. 10.30.0.93
B. 10.46.72.93
C. 10.46.64.94
D. 192.168.93.1

Correct Answer: C

QUESTION 174
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)

A. Panorama virtual appliance on ESX(i) only

B. M-500
C. M-100 with Panorama installed
D. M-100

Correct Answer: BC

QUESTION 175
A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot
pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

A. DHCP has been set to Auto.

B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
D. DNS has not been properly configured on the firewall

Correct Answer: B

QUESTION 176
A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
? Users outside the company are in the "Untrust-L3" zone
? The web server physically resides in the "Trust-L3" zone.
? Web server public IP address: 23.54.6.10
? Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)
A. Untrust-L3 for both Source and Destination zone
B. Destination IP .168.1.10
C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
D. Destination IP .54.6.10

Correct Answer: CD

QUESTION 177
Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)

A. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions
B. Enable User-ID on the zone object for the destination zone
C. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions
D. Enable User-ID on the zone object for the source zone
E. Configure a RADIUS server profile to point to a domain controller

Correct Answer: AD

QUESTION 178
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing All VLAN-tagged traffic will be forwarded to the PA-
5060 through a single dot1q trunk interface Which interface type and configuration setting will support this design?

A. Trunk interface type with specified tag

B. Layer 3 interface type with specified tag
C. Layer 2 interface type with a VLAN assigned
D. Layer 3 subinterface type with specified tag

Correct Answer: D