PCNSE (326 Questions)

The document contains a series of questions and answers related to firewall administration, specifically focusing on Palo Alto Networks products and configurations. Topics include certificate authentication, Quality of Service policies, High Availability settings, and SSL decryption methods. Each question is followed by the correct answer and relevant explanations or references for further understanding.

Uploaded by soroush haris

QUESTION 1

When using certificate authentication for firewall administration, which method is used for authorization?

A. Radius
B. LDAP
C. Kerberos
D. Local

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 2
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate
should the administrator use?

A. certificate authority (CA) certificate
B. client certificate
C. machine certificate
D. server certificate

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls-service-profile.html

QUESTION 3
Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose
two.)

A. inherit address-objects from templates
B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks
D. standardize log-forwarding profiles for security policies across all stacks

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 4
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external
router using the BGP protocol. The peer relationship is not establishing. What command could the
engineer run to see the current state of the BGP state between the two devices?

A. show routing protocol bgp state
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp rib-out

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 5
A network security engineer must implement Quality of Service policies to ensure specific levels of delivery
guarantees for various applications in the environment. They want to ensure that they know as much as
they can about QoS before deploying. Which statement about the QoS feature is correct?

A. QoS is only supported on firewalls that have a single virtual system configured
B. QoS can be used in conjunction with SSL decryption
C. QoS is only supported on hardware firewalls
D. QoS can be used on firewalls with multiple virtual systems configured

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 6
Which statement regarding HA timer settings is true?

A. Use the Recommended profile for typical failover timer settings.
B. Use the Moderate profile for typical failover timer settings.
C. Use the Aggressive profile for slower failover timer settings.
D. Use the Critical profile for faster failover timer settings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 7
When you navigate to Network > GlobalProtect > Portals > Method section, which three options are
available? (Choose three.)

A. user-logon (always on)
B. pre-logon then on-demand
C. on-demand (manual user initiated connection)
D. post-logon (always on)
E. certificate-logon

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 8
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain
supports bi-directional traffic flow?

A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Together, the primary and secondary interfaces form a pair of decryption forwarding
interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here.
Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or
bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain,
and which interface receives the traffic back from the security chain after it has undergone additional
enforcement.

QUESTION 9
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the
feature inside which type of SD-WAN profile?

A. Certificate profile
B. Path Quality profile
C. SD-WAN Interface profile
D. Traffic Distribution profile

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 10
What is the best description of the HA4 Keep-Alive Threshold (ms)?

A. The maximum interval between hello packets that are sent to verify that the HA functionality on the other
firewall is operational.
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-
primary firewall.
C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the
cluster member is functional.
D. The timeframe that the local firewall waits before going to Active state when another cluster member is
preventing the cluster from fully synchronizing.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 11
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

A. Phase 2 SAs are synchronized over HA2 links
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links
C. Phase 1 SAs are synchronized over HA1 links
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall
HA pair, not all IPSEC related information is synchronized between the firewalls... This is an expected
behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."

And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security
associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always
unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US

QUESTION 12
A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure
should you use so Panorama is fully managing the firewall?

A. Use the "import Panorama configuration snapshot" operation, then perform a device-group commit
push with "include device and network templates"
B. Use the "import device configuration to Panorama" operation, then "export or push device config
bundle" to push the configuration
C. Use the "import Panorama configuration snapshot" operation, then "export or push device config
bundle" to push the configuration
D. Use the "import device configuration to Panorama" operation, then perform a device-group commit
push with "include device and network templates"

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management.html

QUESTION 13
Before you upgrade a Palo Alto Networks NGFW, what must you do?

A. Make sure that the PAN-OS support contract is valid for at least another year
B. Export a device state of the firewall
C. Make sure that the firewall is running a version of antivirus software and a version of WildFire that
support the licensed subscriptions.
D. Make sure that the firewall is running a supported version of the app + threat update

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 14
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks
NGFW.

Which interface type is best suited to provide the raw data for an SLR from the network in a way that is
minimally invasive?

A. Layer 3
B. Virtual Wire
C. Tap
D. Layer 2

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 15
A remote administrator needs firewall access on an untrusted interface. Which two components are
required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose
two.)

A. client certificate
B. certificate profile
C. certificate authority (CA) certificate
D. server certificate

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface.html

QUESTION 16
When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be
implemented using a phased approach in alignment with Palo Alto Networks best practices.

What should you recommend?

A. Enable SSL decryption for known malicious source IP addresses
B. Enable SSL decryption for source users and known malicious URL categories
C. Enable SSL decryption for malicious source users
D. Enable SSL decryption for known malicious destination IP addresses

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 17
What would allow a network security administrator to authenticate and identify a user with a new BYOD-
type device that is not joined to the corporate domain?

A. a Security policy with 'known-user' selected in the Source User field
B. an Authentication policy with 'unknown' selected in the Source User field
C. a Security policy with 'unknown' selected in the Source User field
D. an Authentication policy with 'known-user' selected in the Source User field

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 18
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

A. Destination Zone
B. App-ID
C. Custom URL Category
D. User-ID
E. Source Interface

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 19
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption?
(Choose two.)

A. the website matches a category that is not allowed for most users
B. the website matches a high-risk category
C. the web server requires mutual authentication
D. the website matches a sensitive category

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation: The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption
commonly used sites that break decryption because of technical reasons such as pinned certificates and
mutual authentication.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/palo-alto-networks-predefined-decryption-exclusions.html

QUESTION 20
An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is
considering adding a WildFire subscription.

How does adding the WildFire subscription improve the security posture of the organization?

A. Protection against unknown malware can be provided in near real-time
B. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
C. After 24 hours WildFire signatures are included in the antivirus update
D. WildFire and Threat Prevention combine to minimize the attack surface

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 21
What are two valid deployment options for Decryption Broker? (Choose two)

A. Transparent Bridge Security Chain
B. Layer 3 Security Chain
C. Layer 2 Security Chain
D. Transparent Mirror Security Chain

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-broker

QUESTION 22
An administrator needs to assign a specific DNS server to one firewall within a device group. Where would
the administrator go to edit a template variable at the device level?

A. Variable CSV export under Panorama > templates
B. PDF Export under Panorama > templates
C. Manage variables under Panorama > templates
D. Managed Devices > Device Association

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 23
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are
used to configure a VLAN interface? (Choose two.)

A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-interfaces/pa-7000-series-layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd-8064499f5b9d

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK

A VLAN interface is not necessary, but in this scenario we assume it is. Create a VLAN object, a VLAN interface
and a VLAN zone. Attach the VLAN interface to the VLAN object together with two L2 interfaces, then attach the VLAN
interface to a virtual router. Without a VLAN interface you can pass traffic between interfaces on the same
network; with a VLAN interface you can route traffic to other networks.

QUESTION 24
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers.
Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

A. Configuration logs
B. System logs
C. Traffic logs
D. Tunnel Inspection logs

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 25
An administrator is using Panorama to manage firewalls and has enabled log forwarding from the firewalls
to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

A. Export the log database.
B. Use the import option to pull logs.
C. Use the ACC to consolidate the logs.
D. Use the scp logdb export command.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 26
A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats
within the GUI. Where can they find this information?

A. routes listed in the routing table with flags
B. routes listed in the routing table with flags A?
C. under the BGP Summary tab
D. routes listed in the forwarding table with BGP in the Protocol column

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 27
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial
configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive
was formatted using the FAT32 file system and the initial configuration is stored in a file named init-cfg.txt. The
firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt on the USB flash
drive are as follows:
The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted using the
command: > request restart system. Upon restart, the firewall fails to begin the bootstrapping process. The
failure is caused because

A. The firewall must be in factory default state or have all private data deleted for bootstrapping
B. The hostname is a required parameter, but it is missing in init-cfg.txt
C. The USB must be formatted using the ext3 file system; FAT32 is not supported
D. The PAN-OS version must be 9.1.x at a minimum, but the firewall is running 10.0.x
E. The bootstrap.xml file is a required file, but it is missing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/bootstrap-a-firewall-using-a-usb-flash-drive.html#id8378007f-d6e5-4f2d-84a4-5d50b0b3ad7d

QUESTION 28
A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?

A. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-
intensive decryption methods for lower-risk traffic
B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-
intensive decryption methods for lower-risk traffic
C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-
intensive
D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 29
An engineer is in the planning stages of deploying User-ID in a diverse directory services environment.

Which server OS platforms can be used for server monitoring with User-ID?

A. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
B. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
C. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
D. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-agent-monitor

QUESTION 30
What are three reasons for excluding a site from SSL decryption? (Choose three.)

A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation: Reasons that sites break decryption technically include pinned certificates, client
authentication, incomplete certificate chains, and unsupported ciphers.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption.html

QUESTION 31
A user at an internal system queries the DNS server for their web server with a private IP of
10.250.241.131 in the. The DNS server returns the web server's public address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the
firewall?
A. NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10
Destination Translation address: 10.250.241.131 Security Rule: Source IP: Any Destination Zone: DMZ
Destination IP: 10.250.241.131
B. NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10
Destination Translation address: 10.250.241.131 Security Rule: Source Zone: Untrust-L3 Source IP:
Any Destination Zone: DMZ Destination IP: 10.250.241.1
C. NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP:
200.1.1.10 Destination Translation address: 10.250.241.131 Security Rule: Source Zone: Untrust-L3
Source IP: Any Destination Zone: DMZ Destination IP: 10.250.241.131
D. NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: Untrust_L3 Destination IP:
200.1.1.10 Destination Translation address: 10.250.241.131 Security Rule: Source Zone: Trust-L3
Source IP: Any Destination Zone: DMZ Destination IP: 200.1.1.10

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 32
An administrator's device-group commit push is failing due to a new URL category. How should the
administrator correct this issue?

A. verify that the URL seed file has been downloaded and activated on the firewall
B. change the new category action to 'alert' and push the configuration again
C. update the firewall Apps and Threats version to match the version of Panorama
D. ensure that the firewall can communicate with the URL cloud

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNqw

QUESTION 33
SAML SLO is supported for which two firewall features? (Choose two.)

A. GlobalProtect Portal
B. Captive Portal
C. WebUI
D. CLI

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation: SSO is available to administrators who access the web interface and to end users who
access applications through GlobalProtect or Captive Portal. SLO is available to administrators and
GlobalProtect end users, but not to Captive Portal end users.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-server-profiles-saml-identity-provider

QUESTION 34
The manager of the network security team has asked you to help configure the company's Security
Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you
the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo
Alto Networks best practice?

A. action 'reset-both' and packet capture 'extended-capture'
B. action 'default' and packet capture 'single-packet'
C. action 'reset-both' and packet capture 'single-packet'
D. action 'reset-server' and packet capture 'disable'

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles
"Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events."
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection

QUESTION 35
The following objects and policies are defined in a device group hierarchy.

Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group.
NYC-DC has NYC-FW as a member of the NYC-DC device-group.

What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is
enabled in Panorama?

A. Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1
B. Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1
C. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -
Shared Policy1 -Shared Policy2 -Branch Policy1
D. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -
Branch Policy1

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 36
An administrator is attempting to create policies for deployment of a device group and template stack.
When creating the policies, the zone drop-down list does not include the required zone. What must the
administrator do to correct this issue?

A. Specify the target device as the master device in the device group
B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
C. Add the template as a reference template in the device group
D. Add a firewall to both the device group and the template

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 37
An existing NGFW customer requires direct internet access offload locally at each site and IPsec
connectivity to all branches over the public internet. One requirement is that no new SD-WAN hardware be
introduced to the environment. What is the best solution for the customer?

A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Deploy Prisma SD-WAN with Prisma Access
D. Configure policy-based forwarding

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 38
Which GlobalProtect component must be configured to enable Clientless VPN?

A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Creating the GlobalProtect portal is as simple as letting it know if you have accessed it
already. A new gateway for accessing the GlobalProtect portal will appear. Client authentication can be
used with an existing one.
https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5

QUESTION 39
An administrator analyzes the following portion of a VPN system log and notices the following issue:
"Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type
IPv4 address protocol 0 port 0." What is the cause of the issue?

A. IPSec crypto profile mismatch
B. IPSec protocol mismatch
C. mismatched Proxy-IDs
D. bad local and peer identification IP addresses in the IKE gateway

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 41
When an in-band data port is set up to provide access to required services, what is required for an
interface that is assigned to service routes?

A. The interface must be used for traffic to the required services
B. You must enable DoS and zone protection
C. You must set the interface to Layer 2, Layer 3, or virtual wire
D. You must use a static IP address

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 42
Refer to the image.
An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the
Global template NTP servers. The administrator needs to change the IP address to a preferable server for
this template stack but cannot impact other template stacks.

How can the issue be corrected?

A. Override the value on the NYCFW template.
B. Override a template value using a template stack variable.
C. Override the value on the Global template.
D. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Both templates and template stacks support variables. Variables allow you to create
placeholder objects with their value specified in the template or template stack based on your configuration
needs. Create a template or template stack variable to replace IP addresses, Group IDs, and interfaces in
your configurations.
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/override-a-template-setting.html

QUESTION 43
You need to allow users to access the office-suite applications of their choice. How should you configure
the firewall to allow access to any office-suite application?

A. Create an Application Group and add Office 365, Evernote, Google Docs and Libre Office
B. Create an Application Group and add business-systems to it.
C. Create an Application Filter and name it Office Programs, then filter it on the office programs
subcategory.
D. Create an Application Filter and name it Office Programs then filter on the business-systems category.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 44
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is
properly sized to support DoS and zone protection
B. Create a zone protection profile with flood protection configured to defend an entire egress zone
against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks
C. Add a WildFire subscription to activate DoS and zone protection features
D. Replace the hardware firewall because DoS and zone protection are not available with VM-Series
systems

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: 1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices.html

2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection.html

QUESTION 45
DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama
configuration. Place the steps in order.
A.
B.
C.
D.

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

Explanation:
Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical
support file.

Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.

Step 3. Upload or drag and drop the technical support file.

Step 4. Map the zone type and area of the architecture to each zone.

Step 5. Follow the steps to download the BPA report bundle.

Reference:
https://www.paloaltonetworks.com/resources/videos/how-to-run-a-bpa

QUESTION 46
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual
machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the
following directories: /config, /license and /software

Why did the bootstrap process fail for the VM-Series firewall in Azure?

A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The /content folder is missing from the bootstrap package
C. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from
successfully completing
D. The /config or /software folders were missing mandatory files to successfully bootstrap

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 47
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate
authorities (CAs):

i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the
trusted store of the end-user browser and system)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA

An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN)
www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the
server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for
www.example-website.com was issued by which of the following?

B. Enterprise-Untrusted-CA which is a self-signed CA
C. Enterprise-Trusted-CA which is a self-signed CA
D. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA
E. Enterprise-Root-CA which is a self-signed CA

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 48
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three
remote networks. What is the minimum amount of bandwidth the administrator could configure at the
compute location?

A. 90 Mbps
B. 300 Mbps
C. 75 Mbps
D. 50 Mbps

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The number you specify for the bandwidth applies to both the egress and ingress traffic for
the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a
remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth
speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps
connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps
plus 10% overage allocation).
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidth

QUESTION 49
What best describes the HA Promotion Hold Time?

A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring
devices
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path
monitor failure simultaneously
C. the time that the passive firewall will wait before taking over as the active firewall after communications
with the HA peer have been lost
D. the time that a passive firewall with a low device priority will wait before taking over as the active
firewall if the firewall is operational again

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 50
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks
NGFW?

A. Use the debug dataplane packet-diag set capture stage firewall file command.
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
C. Use the debug dataplane packet-diag set capture stage management file command.
D. Use the tcpdump command.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-packet-capture-on-the-management-interface.html

QUESTION 51
What is the best description of the HA4 Keep-Alive Threshold (ms)?

A. the maximum interval between hello packets that are sent to verify that the HA functionality on the other
firewall is operational.
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-
primary firewall
C. the timeframe within which the firewall must receive keepalives from a cluster member to know that the
cluster member is functional.
D. The timeframe that the local firewall waits before going to Active state when another cluster member is
preventing the cluster from fully synchronizing.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
An internal system is not functioning. The firewall administrator has determined that the incorrect egress
interface is being used. After looking at the configuration, the administrator believes that the firewall is not
using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

A. no install on the route
B. duplicate static route
C. path monitoring on the static route
D. disabling of the static route

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/static-routes/configure-a-static-route.html

QUESTION 53
An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a
session failover for a session that has already ended. Where would you find this in Panorama or firewall
logs?

A. Traffic Logs
B. System Logs
C. Session Browser
D. You cannot find failover details on closed sessions

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 54
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website
https://www.important-website.com certificate. End-users are receiving the "security certificate is not
trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted
and signed by a well-known certificate chain, Well-Known-Intermediate and Well-Known-Root-CA. The
network security administrator who represents the customer requires the following two behaviors when
SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-important-website.com website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

A. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-
Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA checkbox, and commit the
configuration
B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems
in the user and local computer stores
C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities,
import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box,
and commit the configuration
D. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the
configuration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 55
Given the following snippet of a WildFire submission log, did the end-user get access to the requested
information, and why or why not?

A. Yes, because the action is set to "allow"
B. No, because WildFire categorized a file with the verdict "malicious"
C. Yes, because the action is set to "alert"
D. No, because WildFire classified the severity as "high"

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 56
Which configuration task is best for reducing load on the management plane?

A. Disable logging on the default deny rule
B. Enable session logging at start
C. Disable pre-defined reports
D. Set the URL filtering action to send alerts

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 57
The UDP-4501 protocol-port is used between which two GlobalProtect components?

A. GlobalProtect app and GlobalProtect gateway
B. GlobalProtect portal and GlobalProtect gateway
C. GlobalProtect app and GlobalProtect satellite
D. GlobalProtect app and GlobalProtect portal

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: UDP 4501 is used for IPSec tunnel connections between GlobalProtect apps and gateways.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-globalprotect.html

QUESTION 58
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need
to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option
differentiates multiple VLANs into separate zones?

A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed"
field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag
Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for
untagged traffic. Assign each interface/subinterface to a unique zone.
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router.
The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a
unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID.
Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/
subinterface to a unique zone.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect
two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags.
VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different
zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers
(address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a
specific source IP address, range, or subnet.

QUESTION 59
In a Panorama template which three types of objects are configurable? (Choose three)

A. certificate profiles
B. HIP objects
C. QoS profiles
D. security profiles
E. interface management profiles

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/use-templates-to-administer-a-base-configuration

QUESTION 60
An enterprise Information Security team has deployed policies based on AD groups to restrict user access
to critical infrastructure systems. However, a recent phishing campaign against the organization has
prompted Information Security to look for more controls that can secure access to critical assets. For users
that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication
(MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

A. Configure a Captive Portal authentication policy that uses an authentication profile that references a
RADIUS profile
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal
authentication policy
C. Configure a Captive Portal authentication policy that uses an authentication sequence
D. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 61
PBF can address which two scenarios? (Choose two.)

A. forwarding all traffic by using source port 78249 to a specific egress interface
B. providing application connectivity when the primary circuit fails
C. enabling the firewall to bypass Layer 7 inspection
D. routing FTP to a backup ISP link to save bandwidth on the primary ISP link

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 62
Which data flow describes redistribution of user mappings?

A. User-ID agent to firewall
B. firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-firewalls-to-redistribute-user-mapping-information
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/firewall-deployment-for-user-id-redistribution.html#ide3661b46-4722-4936-bb9b-181679306809

QUESTION 63
What type of address object would be useful for internal devices where the addressing structure assigns
meaning to certain bits in the address, as illustrated in the diagram?

A. IP Netmask
B. IP Wildcard Mask
C. IP Address
D. IP Range

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 64
What are two best practices for incorporating new and modified App-IDs? (Choose two.)

A. Run the latest PAN-OS version in a supported release tree to have the best performance for the new
App-IDs
B. Configure a security policy rule to allow new App-IDs that might have network-wide impact
C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs
D. Study the release notes and install new App-IDs if they are determined to have low impact

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/app-id-updates-workflow.html

QUESTION 65
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall
device group.

How should the administrator identify the configuration changes?

A. review the configuration logs on the Monitor tab
B. click Preview Changes under Push Scope
C. use Test Policy Match to review the policies in Panorama
D. context-switch to the affected firewall and use the configuration audit tool

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit-operations.html

QUESTION 66
An administrator needs firewall access on a trusted interface. Which two components are required to
configure certificate-based, secure authentication to the web UI? (Choose two.)

A. certificate profile
B. server certificate
C. SSH Service Profile
D. SSL/TLS Service Profile

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 67
Which two actions would be part of an automatic solution that would block sites with untrusted certificates
without enabling SSL Forward Proxy? (Choose two.)

A. Create a no-decrypt Decryption Policy rule.
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
C. Create a Dynamic Address Group for untrusted sites
D. Create a Security Policy rule with vulnerability Security Profile attached.
E. Enable the "Block sessions with untrusted issuers" setting.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation: You can use the No Decryption tab to enable settings to block traffic that is matched to a
decryption policy configured with the No Decrypt action (Policies > Decryption > Action). Use these
options to control server certificates for the session, though the firewall does not decrypt and inspect the
session traffic.
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-decryption-profile

QUESTION 68
DRAG DROP

Place the steps in the WildFire process workflow in their correct order.
A.
B.
C.
D.

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

Explanation:

https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/about-wildfire.html

QUESTION 69
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767

A. The PanGPS process failed to connect to the PanGPA process on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPA process failed to connect to the PanGPS process on port 4767
D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 70
Which GlobalProtect component must be configured to enable Clientless VPN?

A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Creating the GlobalProtect portal is as simple as letting it know if you have accessed it
already. A new gateway for accessing the GlobalProtect portal will appear. Client authentication can be
used with an existing one.
https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5

QUESTION 71
A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure
only internet egress for the connected clients. Prisma Access has been selected to replace the current
remote access VPN solution. During onboarding, the following options and licenses were selected and
enabled:

- Prisma Access for Remote Networks 300 Mbps

- Prisma Access for Mobile Users 1500 Users

- Cortex Data Lake 2TB

- Trusted Zones trust

- Untrusted Zones untrust

- Parent Device Group shared

How can you configure Prisma Access to provide the same level of access as the current VPN solution?

A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to
the internet
B. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the
desired traffic outbound to the internet
C. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow
the desired traffic outbound to the internet
D. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound
to the internet

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 72
What is the best description of the HA4 Keep-Alive Threshold (ms)?

A. the maximum interval between hello packets that are sent to verify that the HA functionality on the other
firewall is operational.
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-
primary firewall
C. the timeframe within which the firewall must receive keepalives from a cluster member to know that the
cluster member is functional.
D. The timeframe that the local firewall waits before going to Active state when another cluster member is
preventing the cluster from fully synchronizing.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 73
What is the function of a service route?

A. The service route is the method required to use the firewall's management plane to provide services to
applications
B. The service packets enter the firewall on the port assigned from the external service. The server sends
its response to the configured destination interface and destination IP address
C. The service packets exit the firewall on the port assigned for the external service. The server sends its
response to the configured source interface and source IP address
D. Service routes provide access to external services such as DNS servers, external authentication
servers, or Palo Alto Networks services like the Customer Support Portal

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 74
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration

QUESTION 75
What is considered the best practice with regards to zone protection?

A. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from
other threat logs
C. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 76
In the screenshot above, which two pieces of information can be determined from the ACC configuration
shown? (Choose two.)

A. The Network Activity tab will display all applications, including FTP.
B. Threats with a severity of "high" are always listed at the top of the Threat Name list
C. Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type
D. The ACC has been filtered to only show the FTP application

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 77
A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in
Panorama, and a successful commit and push has been performed. While validating the configuration on
the local firewall, the engineer discovers that some settings are not being applied as intended. The setting
values from the "Global" template are applied to the firewall instead of the "Local" template that has
different values for the same settings. What should be done to ensure that the settings in the "Local"
template are applied while maintaining settings from both templates?

A. Move the "Global" template above the "Local" template in the template stack.
B. Perform a commit and push with the "Force Template Values" option selected.
C. Move the "Local" template above the "Global" template in the template stack.
D. Override the values on the local firewall and apply the correct settings for each value.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 78
WildFire will submit for analysis blocked files that match which profile settings?

A. files matching Anti-Spyware signatures
B. files that are blocked by URL filtering
C. files that are blocked by a File Blocking profile
D. files matching Anti-Virus signatures

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 79
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and
groups defined in Active Directory

What must be configured in order to select users and groups for those rules from Panorama?

A. The Security rules must be targeted to a firewall in the device group and have Group Mapping
configured
B. A master device with Group Mapping configured must be set in the device group where the Security
rules are configured
C. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same
mappings
D. A User-ID Certificate profile must be configured on Panorama

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 80
What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

A. SSL/TLS Service profile
B. Certificate profile
C. SCEP
D. OCSP Responder

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 81
During the process of developing a decryption strategy and evaluating which websites are required for
corporate users to access, several sites have been identified that cannot be decrypted due to technical
reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be
blocked if decrypted. How should the engineer proceed?

A. Allow the firewall to block the sites to improve the security posture
B. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
C. Install the unsupported cipher into the firewall to allow the sites to be decrypted
D. Create a Security policy to allow access to those sites

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 82
An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the
internet through a dedicated path that does not traverse back through the NGFW itself.

Which configuration setting or step will allow the firewall to get automatic application signature updates?

A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the
update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-dynamic-updates

QUESTION 83
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is
properly sized to support DoS and zone protection
B. Create a zone protection profile with flood protection configured to defend an entire egress zone
against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks
C. Add a WildFire subscription to activate DoS and zone protection features
D. Replace the hardware firewall because DoS and zone protection are not available with VM-Series
systems

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%20perimeter.

2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection.html

QUESTION 84
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway
and wants to be sure of the functions that are supported on the VWire interface. What are three supported
functions on the VWire interface? (Choose three.)

A. NAT
B. QoS
C. IPSec
D. OSPF
E. SSL Decryption

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces
"The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to
supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/
active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection,
packet buffer protection, tunnel content inspection, and NAT."

QUESTION 85
Where is information about packet buffer protection logged?

A. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP
address are in the Threat log
B. All entries are in the System log
C. Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP
addresses are in the Threat log
D. All entries are in the Alarms log

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 86
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports.
The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely
would stop only Traffic logs from being sent from the NGFW to Panorama?
A.
B.
C.
D.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 87
Which statement is true regarding a Best Practice Assessment?

A. It shows how your current configuration compares to Palo Alto Networks recommendations
B. It runs only on firewalls
C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you
should focus prevention activities.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 88
A network administrator plans a Prisma Access deployment with three service connections, each with a
BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management
overhead on on-prem network devices.
What should the administrator implement?

A. target service connection for traffic steering
B. summarized BGP routes before advertising
C. hot potato routing
D. default routing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 89
DRAG DROP

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing
protocols, and the engineer is trying to determine routing priority. Match the default Administrative
Distances for each routing protocol.
A.
B.
C.
D.

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:
Explanation:
--Range is 10-240; default is 10.
--Range is 10-240; default is 30.
--Range is 10-240; default is 110.
--Range is 10-240; default is 200.
--Range is 10-240; default is 20.
--Range is 10-240; default is 120.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/virtual-routers

QUESTION 90
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

A. signature matching for content inspection
B. IPSec tunnel standup
C. Quality of Service
D. logging

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 91
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A. wildcard server certificate
B. enterprise CA certificate
C. client certificate
D. server certificate
E. self-signed CA certificate

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html

QUESTION 92
An organization wishes to roll out decryption but gets some resistance from engineering leadership
regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

A. Guest devices may not trust the CA certificate used for the forward untrust certificate.
B. Guests may use operating systems that can't be decrypted.
C. The organization has no legal authority to decrypt their traffic.
D. Guest devices may not trust the CA certificate used for the forward trust certificate.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best- practices/decryption-
best-practices/plan-ssl-decryption-best-practice-deployment https://live.paloaltonetworks.com/t5/general-
topics/decrypt-guest-network-traffic/td-p/119388

QUESTION 93
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations

Correct Answer: ACD


Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan- sd-wan-
configuration

QUESTION 94
An engineer needs to redistribute User-ID mappings from multiple data centers. Which data flow best
describes redistribution of user mappings?

A. Domain Controller to User-ID agent


B. User-ID agent to Panorama
C. User-ID agent to firewall
D. firewall to firewall

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 95
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS
attacks. Which sessions does Packet Buffer Protection apply to?

A. It applies to existing sessions and is not global


B. It applies to new sessions and is global
C. It applies to new sessions and is not global
D. It applies to existing sessions and is global

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 96
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall
using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate
and set them as such. The admin has not yet installed the root certificate onto client systems. What effect
would this have on decryption functionality?

A. Decryption will function and there will be no effect to end users


B. Decryption will not function because self-signed root certificates are not supported
C. Decryption will not function until the certificate is installed on client systems
D. Decryption will function but users will see certificate warnings for each SSL site they visit

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 97
A firewall has Security policies from three sources

1. locally created policies

2. shared device group policies as pre-rules

3. the firewall's device group as post-rules

How will the rule order populate once pushed to the firewall?

A. shared device group policies, firewall device group policies. local policies.
B. firewall device group policies, local policies. shared device group policies
C. shared device group policies. local policies, firewall device group policies
D. local policies, firewall device group policies, shared device group policies

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 98
Which three use cases are valid reasons for requiring an Active/Active high availability deployment?
(Choose three.)

A. The environment requires real, full-time redundancy from both firewalls at all times
B. The environment requires Layer 2 interfaces in the deployment
C. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing
protocol convergence
D. The environment requires that all configuration must be fully synchronized between both members of
the HA pair
E. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic
spikes

Correct Answer: ACE


Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 99
An administrator is building Security rules within a device group to block traffic to and from malicious
locations.
How should those rules be configured to ensure that they are evaluated with a high priority?

A. Create the appropriate rules with a Block action and apply them at the top of the Default Rules
B. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.
C. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security
rules.
D. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 100
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto
Networks appliances. Which profile should be configured in order to achieve this?

A. SSH Service profile


B. SSL/TLS Service profile
C. Decryption profile
D. Certificate profile

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 101
A company is using wireless controllers to authenticate users. Which source should be used for User-ID
mappings?

A. Syslog
B. XFF headers
C. server monitoring
D. client probing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
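
As an added example (not part of the original question set or of any Palo Alto Networks code), the Python
below emulates what a User-ID syslog parse profile does with wireless-controller messages: an event regex
selects the login and logout lines, and a username regex and an address regex pull the two fields that make
up an IP-to-user mapping. The log lines and the three regex patterns are constructed; a real controller's
format differs, and those patterns are exactly what you tune in Device > User Identification > User Mapping
> Syslog Parse Profile (or in the Windows-based agent when it is the syslog listener).

```python
"""Emulate a PAN-OS User-ID syslog parse profile on wireless-controller logs.

Added example (not part of the original question set). The regexes and the
log format are constructed to look like a typical WLC authentication log;
real controllers differ, so the three patterns below are what you would tune
in the firewall's Syslog Parse Profile.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SyslogParseProfile:
    # Regex-based parse profile: an event regex selects the lines that carry
    # a login (or logout), then the user and address regexes pull the fields.
    event_regex: str
    username_regex: str
    address_regex: str
    logout: bool = False  # True marks a profile that removes mappings


@dataclass
class UserIdStore:
    # ip -> user, the same thing the firewall holds in its IP-to-user table
    mappings: dict = field(default_factory=dict)

    def apply(self, line: str, profiles) -> bool:
        """Run every profile against one syslog line; return True if one matched."""
        for p in profiles:
            if not re.search(p.event_regex, line):
                continue
            user = re.search(p.username_regex, line)
            addr = re.search(p.address_regex, line)
            if not (user and addr):
                continue  # event matched but a field is missing: leave the table alone
            ip = addr.group(1)
            name = user.group(1).lower()
            if p.logout:
                # Only drop the mapping if it still belongs to that user; a late
                # logout must not evict a newer login from the same IP address.
                if self.mappings.get(ip) == name:
                    del self.mappings[ip]
            else:
                self.mappings[ip] = name
            return True
        return False


LOGIN = SyslogParseProfile(
    event_regex=r"AUTH: user \S+ authenticated",
    username_regex=r"user (\S+) authenticated",
    address_regex=r"from (\d{1,3}(?:\.\d{1,3}){3})",
)
LOGOUT = SyslogParseProfile(
    event_regex=r"AUTH: user \S+ deauthenticated",
    username_regex=r"user (\S+) deauthenticated",
    address_regex=r"from (\d{1,3}(?:\.\d{1,3}){3})",
    logout=True,
)

# Constructed sample lines in the shape a WLC might forward to the syslog listener.
SAMPLE_LOG = """\
Jan 10 09:00:01 wlc1 AUTH: user CORP\\jdoe authenticated from 10.20.1.55 ssid corp
Jan 10 09:00:07 wlc1 AUTH: user CORP\\asmith authenticated from 10.20.1.56 ssid corp
Jan 10 09:00:09 wlc1 DHCP: lease renewed for 10.20.1.55
Jan 10 09:05:00 wlc1 AUTH: user CORP\\jdoe deauthenticated from 10.20.1.55 reason idle
Jan 10 09:05:02 wlc1 AUTH: user CORP\\bwayne authenticated from 10.20.1.55 ssid corp
Jan 10 09:06:00 wlc1 AUTH: user CORP\\jdoe deauthenticated from 10.20.1.55 reason idle
"""


def build_mappings(log_text: str):
    """Replay a log and return (ip->user table, number of lines that matched)."""
    store = UserIdStore()
    matched = 0
    for line in log_text.splitlines():
        if store.apply(line, (LOGIN, LOGOUT)):
            matched += 1
    return store.mappings, matched


if __name__ == "__main__":
    table, n = build_mappings(SAMPLE_LOG)
    print(f"{n} auth events parsed")
    for ip, user in sorted(table.items()):
        print(f"{ip:<15} {user}")
```

The stale-logout check is the detail worth copying: the last line of the sample is a delayed logout for
jdoe on an address that bwayne has since taken over, and a naive parser would drop the live mapping and
leave bwayne's traffic attributed to nobody.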

QUESTION 102
An engineer is configuring SSL Inbound Inspection for public access to a company's application. Which
certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

A. Self-signed CA and End-entity certificate


B. Root CA and Intermediate CA(s)
C. Self-signed certificate with exportable private key
D. Intermediate CA (s) and End-entity certificate

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 103
A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ
to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to
detect exploit traffic in a session with TLS encapsulation?

A. Decryption policy and a Data Filtering profile


B. a WildFire profile and a File Blocking profile
C. Vulnerability Protection profile and a Decryption policy
D. a Vulnerability Protection profile and a QoS policy

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 104
Which two statements correctly describe Session 380280? (Choose two.)
A. The session went through SSL decryption processing.
B. The session has ended with the end-reason unknown.
C. The application has been identified as web-browsing.
D. The session did not go through SSL decryption processing.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 105
While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column.
What best explains these occurrences?

A. A handshake took place, but no data packets were sent prior to the timeout.
B. A handshake took place; however, there were not enough packets to identify the application.
C. A handshake did take place, but the application could not be identified.
D. A handshake did not take place, and the application could not be identified.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 106
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbor
is correct, but the route is not in the neighbor's routing table. Which two configurations should you check on
the firewall? (Choose two.)

A. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export
Rules section.
B. Within the redistribution profile, ensure that Redist is selected.
C. Ensure that the OSPF neighbor state is "2-Way."
D. In the redistribution profile, check that the source type is set to "ospf."

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 107
Which statement best describes the Automated Commit Recovery feature?

A. It performs a connectivity check between the firewall and Panorama after every configuration commit
on the firewall. It reverts the configuration changes on the firewall if the check fails.
B. It restores the running configuration on a firewall and Panorama if the last configuration commit fails.
C. It performs a connectivity check between the firewall and Panorama after every configuration commit
on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.
D. It restores the running configuration on a firewall if the last configuration commit fails.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 108
A firewall administrator wants to avoid overflowing the company syslog server with traffic logs. What should
the administrator do to prevent the forwarding of DNS traffic logs to syslog?

A. Disable logging on security rules allowing DNS.


B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match
list, create a new filter with application not equal to DNS.
C. Create a security rule to deny DNS traffic with the syslog server in the destination
D. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match
list, create a new filter with application equal to DNS.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 109
An engineer is planning an SSL decryption implementation. Which of the following statements is a best
practice for SSL decryption?

A. Use the same Forward Trust certificate on all firewalls in the network.
B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.
C. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
D. Use an enterprise CA-signed certificate for the Forward Untrust certificate.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 110
An administrator needs to optimize traffic to prefer business-critical applications over non-critical
applications. QoS natively integrates with which feature to provide service quality?

A. certificate revocation
B. Content-ID
C. App-ID
D. port inspection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 111
What can an engineer use with GlobalProtect to distribute user-specific client certificates to each
GlobalProtect user?

A. Certificate profile
B. SSL/TLS Service profile
C. OCSP Responder
D. SCEP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 112
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices?
(Choose three.)

A. upload-only
B. upload and install and reboot
C. verify and install
D. upload and install
E. install and reboot

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 113
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's
Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and
Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect.
Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are
signed by the company's Intermediate CA. Which method should the administrator use when creating
Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

A. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 114
How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling
the Advanced Routing Engine running on PAN-OS 10.2?

A. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile
under Network > Virtual Router > BGP > BFD
B. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile
under Network > Virtual Router > BGP > General > Global BFD Profile
C. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile
under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
D. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile
under Network > Routing > Logical Routers > BGP > BFD

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 115
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path
Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure
Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a
Ping count of 3. Which scenario will cause the Active firewall to fail over?

A. IP address 8.8.8.8 is unreachable for 1 second.


B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
C. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds
D. IP address 4.2.2.2 is unreachable for 2 seconds.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 116
With the default TCP and UDP settings on the firewall, what will be the identified application in the
following session?
A. Incomplete
B. unknown-udp
C. Insufficient-data
D. not-applicable

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 117
Which profile generates a packet threat type found in threat logs?

A. Zone Protection
B. WildFire
C. Anti-Spyware
D. Antivirus

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 118
A client wants to detect the use of weak and manufacturer-default passwords for IoT devices.
Which option will help the customer?

A. Configure a Data Filtering profile with alert mode.


B. Configure an Antivirus profile with alert mode.
C. Configure a Vulnerability Protection profile with alert mode
D. Configure an Anti-Spyware profile with alert mode.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 119
A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall
sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?

A. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing
traffic from the outside zone
B. Enable packet buffer protection in the outside zone.
C. Create a Security rule to deny all ICMP traffic from the outside zone.
D. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to
the outside zone.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 120
An engineer needs to permit XML API access to a firewall for automation on a network segment that is
routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment
cannot access the dedicated management interface due to the Security policy. Without changing the
existing access to the management interface, how can the engineer fulfill this request?

A. Specify the subinterface as a management interface in Setup > Device > Interfaces.
B. Enable HTTPS in an Interface Management profile on the subinterface.
C. Add the network segment's IP range to the Permitted IP Addresses list
D. Configure a service route for HTTP to use the subinterface

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
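
The access path in the answer above (an Interface Management profile with HTTPS on the Layer 3
subinterface, with Permitted IP Addresses restricted to the automation host) is what lets a script reach the
XML API without touching the MGT interface. The Python below is an added example, not part of the original
question set or of any Palo Alto Networks code: it builds the documented type=keygen and type=op requests,
parses the <response status="..."> envelope, and pins TLS trust to a CA bundle instead of disabling
verification. FW_HOST, the user name, the CA bundle path and the two canned responses are assumptions or
constructed data.

```python
"""Reach the PAN-OS XML API through a data-plane (sub)interface.

Added example, not from the original question set. It assumes the Layer 3
subinterface carries an Interface Management profile with HTTPS enabled and
Permitted IP Addresses limited to the automation host; FW_HOST, the user and
the CA bundle path are placeholders. The endpoints (type=keygen, type=op) and
the <response status=...> shape are the documented PAN-OS XML API ones.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "10.50.0.1"  # assumption: address of the subinterface, not the MGT port


def api_url(host: str, params: dict) -> str:
    """Build https://<host>/api/?<params>; all arguments go in the query string."""
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)


def parse_response(body: bytes) -> ET.Element:
    """Return <result> on success; raise on status="error" or malformed XML."""
    root = ET.fromstring(body)
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response")
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise RuntimeError(f"API error {root.get('code')}: {msg}")
    result = root.find("result")
    if result is None:
        raise ValueError("success response without <result>")
    return result


def extract_key(body: bytes) -> str:
    """Pull the API key out of a type=keygen response."""
    key = parse_response(body).findtext("key")
    if not key:
        raise ValueError("keygen response carried no <key>")
    return key


def make_context(ca_bundle: str) -> ssl.SSLContext:
    # Trust only the CA that signed the certificate in the firewall's SSL/TLS
    # Service Profile. Never fall back to CERT_NONE: an automation host that
    # ignores the server certificate hands its credentials to any on-path host.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def get_api_key(user: str, password: str, ctx: ssl.SSLContext) -> str:
    url = api_url(FW_HOST, {"type": "keygen", "user": user, "password": password})
    return extract_key(fetch(url, ctx))


def run_op(key: str, cmd_xml: str, ctx: ssl.SSLContext) -> ET.Element:
    url = api_url(FW_HOST, {"type": "op", "cmd": cmd_xml, "key": key})
    return parse_response(fetch(url, ctx))


# Constructed responses in the documented shape, used for offline checking.
KEYGEN_OK = b'<response status="success"><result><key>LUFRPT1234</key></result></response>'
KEYGEN_BAD = (b'<response status="error" code="403">'
              b'<result><msg>Invalid Credential</msg></result></response>')

if __name__ == "__main__":
    ctx = make_context("/etc/ssl/certs/enterprise-root.pem")  # assumption
    key = get_api_key("automation", "REPLACE_ME", ctx)
    info = run_op(key, "<show><system><info></info></system></show>", ctx)
    print(info.findtext(".//hostname"), info.findtext(".//sw-version"))
```

Use a dedicated admin role for the API account with only the XML API permissions the job needs, and keep
the keygen call out of cron: generate the key once, store it like a password, and let the scheduled job use
only type=op or type=config calls.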

QUESTION 121
An engineer needs to see how many existing SSL decryption sessions are traversing a firewall. What
command should be used?
A. show dataplane pool statistics | match proxy
B. debug dataplane pool statistics | match proxy
C. debug sessions | match proxy
D. show sessions all

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 122
Which steps should an engineer take to forward system logs to email?

A. Create a new email profile under Device > Server Profiles; then navigate to Objects > Log Forwarding
profile, set the log type to system, and add the email profile.
B. Enable log forwarding under the email profile in the Objects tab.
C. Create a new email profile under Device > Server Profiles; then navigate to Device > Log Settings >
System and add the email profile under Email.
D. Enable log forwarding under the email profile in the Device tab.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 123
A network security administrator has an environment with multiple forms of authentication. There is a
network access control system in place that authenticates and restricts access for wireless users, multiple
Windows domain controllers, and an MDM solution for company-provided smartphones. All of these
devices have their authentication events logged. Given the information, what is the best choice for
deploying User-ID to ensure maximum coverage?

A. Syslog listener
B. agentless User-ID with redistribution
C. standalone User-ID agent
D. captive portal

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 124
Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is configured
to respond only to SSH requests coming from IP 172.16.16.1. In order to reach the SSH server only
from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
A. NAT Rule: Source Zone: Trust; Source IP: Any; Destination Zone: Server; Destination IP: 172.16.15.10;
Source Translation: Static IP / 172.16.15.1
Security Rule: Source Zone: Trust; Source IP: Any; Destination Zone: Trust; Destination IP: 172.16.15.10;
Application: ssh
B. NAT Rule: Source Zone: Trust; Source IP: 192.168.15.0/24; Destination Zone: Trust; Destination IP:
192.168.15.1; Destination Translation: Static IP / 172.16.15.10
Security Rule: Source Zone: Trust; Source IP: 192.168.15.0/24; Destination Zone: Server; Destination IP:
172.16.15.10; Application: ssh
C. NAT Rule: Source Zone: Trust; Source IP: Any; Destination Zone: Trust; Destination IP: 192.168.15.1;
Destination Translation: Static IP / 172.16.15.10
Security Rule: Source Zone: Trust; Source IP: Any; Destination Zone: Server; Destination IP: 172.16.15.10;
Application: ssh
D. NAT Rule: Source Zone: Trust; Source IP: Any; Destination Zone: Server; Destination IP: 172.16.15.10;
Source Translation: dynamic-ip-and-port / ethernet1/4
Security Rule: Source Zone: Trust; Source IP: Any; Destination Zone: Server; Destination IP: 172.16.15.10;
Application: ssh

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 125
Which Panorama feature protects logs against data loss if a Panorama server fails?

A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside
the Collector Group.
C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the
Collector Group

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 126
An administrator is seeing one of the firewalls in an HA active/passive pair moved to "suspended" state due
to a non-functional loop. Which three actions will help the administrator troubleshoot this issue? (Choose
three.)

A. Use the CLI command show high-availability flap-statistics


B. Check the HA Link Monitoring interface cables.
C. Check the High Availability > Link and Path Monitoring settings.
D. Check High Availability > Active/Passive Settings > Passive Link State
E. Check the High Availability > HA Communications > Packet Forwarding settings.

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 127
Which User-ID mapping method should be used in a high-security environment where all IP address-to-
user mappings should always be explicitly known?

A. PAN-OS integrated User-ID agent


B. GlobalProtect
C. Windows-based User-ID agent
D. LDAP Server Profile configuration

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 128
What can be used to create dynamic address groups?

A. dynamic address
B. region objects
C. tags
D. FQDN addresses

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 129
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and
pushed to the devices at the end of the day at a certain time. How can they achieve this?

A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to
commit all Panorama changes.
C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to
commit all Panorama changes.
D. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 130
Which statement accurately describes service routes and virtual systems?

A. Virtual systems that do not have specific service routes configured inherit the global service and
service route settings for the firewall.
B. Virtual systems can only use one interface for all global service and service routes of the firewall.
C. Virtual systems cannot have dedicated service routes configured; and virtual systems always use the
global service and service route settings for the firewall.
D. The interface must be used for traffic to the required external services.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 131
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log
Collectors to 10.2, what must you do?

A. Upgrade the Log Collectors one at a time.


B. Add Panorama Administrators to each Managed Collector.
C. Add a Global Authentication Profile to each Managed Collector.
D. Upgrade all the Log Collectors at the same time.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 132
Which configuration is backed up using the Scheduled Config Export feature in Panorama?

A. Panorama running configuration


B. Panorama candidate configuration
C. Panorama candidate configuration and candidate configuration of all managed devices
D. Panorama running configuration and running configuration of all managed devices

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 133
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about
grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on
the firewall to log grayware verdicts?

A. within the log forwarding profile attached to the Security policy rule
B. within the log settings option in the Device tab
C. in WildFire General Settings, select "Report Grayware Files"
D. in Threat General Settings, select "Report Grayware Files"

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 134
You have upgraded your Panorama and Log Collectors to 10.2.x. Before upgrading your firewalls using
Panorama, what do you need to do?

A. Refresh your licenses with Palo Alto Network Support - Panorama/Licenses/Retrieve License Keys
from License Server.
B. Re-associate the firewalls in Panorama/Managed Devices/Summary.
C. Commit and Push the configurations to the firewalls.
D. Refresh the Master Key in Panorama/Master Key and Diagnostics

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 135
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user
of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the
firewall when trying to download a TAR file. The user is getting no error response on the system. Where is
the best place to validate if the firewall is blocking the user's TAR file?

A. URL Filtering log


B. Data Filtering log
C. Threat log
D. WildFire Submissions log

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 136
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to
drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken
on the firewall to allow the dropped traffic permanently? (Choose two.)

A. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop,
set "Reject Non-SYN TCP" to No and set "Asymmetric Path" to Bypass.
B. > set session tcp-reject-non-syn no
C. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop,
set "Reject Non-SYN TCP" to Global and set "Asymmetric Path" to Global.
D. # set deviceconfig setting session tcp-reject-non-syn no

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 137
Which CLI command is used to determine how much disk space is allocated to logs?

A. show logging-status
B. show system info
C. debug log-receiver show
D. show system logdb-quota

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 138
An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify
with App-ID. Why would the application field display as incomplete?

A. The client sent a TCP segment with the PUSH flag set.
B. The TCP connection was terminated without identifying any application data.
C. There is insufficient application data after the TCP connection was established.
D. The TCP connection did not fully establish.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
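
The difference between the incomplete, insufficient-data and unknown-tcp labels (Questions 105, 116 and
138) is easier to keep straight as code than as prose. The Python below is an added example, not from the
original questions or from PAN-OS: the session records and the byte threshold are constructed to model the
decision order the firewall applies, since the real firewall decides on signatures rather than on a byte
count.

```python
"""Label the App-ID placeholders the Traffic log shows for unidentified sessions.

Added example, not from the original questions. The session records are
constructed; real Traffic logs carry the label directly in the Application
column, and the point here is the decision order PAN-OS applies:
not-applicable, incomplete, insufficient-data, unknown-tcp/unknown-udp.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    proto: str                      # "tcp" or "udp"
    denied_before_appid: bool       # policy matched on zone/IP/port alone, no app needed
    handshake_complete: bool        # TCP three-way handshake finished; ignored for UDP
    client_payload_bytes: int       # bytes seen after the handshake
    identified_app: Optional[str]   # what App-ID matched, if anything


# Constructed threshold for the model, not a PAN-OS constant: real App-ID is
# signature-driven, and "insufficient-data" simply means it saw data but could
# not yet decide.
MIN_BYTES_FOR_DECISION = 64


def app_label(s: Session) -> str:
    if s.denied_before_appid:
        # Rule matched on the 5-tuple/service and denied; App-ID never ran.
        return "not-applicable"
    if s.proto == "tcp":
        if not s.handshake_complete or s.client_payload_bytes == 0:
            # Handshake never finished, or finished with no data: "incomplete".
            # Many of these from one source usually mean a scan or a dead
            # server, not an App-ID gap.
            return "incomplete"
        if s.identified_app is None and s.client_payload_bytes < MIN_BYTES_FOR_DECISION:
            # Handshake done, some data, still not enough to decide.
            return "insufficient-data"
    if s.identified_app is None:
        # Enough data was seen but nothing matched: a custom App-ID or an
        # App-ID request to Palo Alto Networks is the fix.
        return f"unknown-{s.proto}"
    return s.identified_app


def summarize(sessions) -> dict:
    """Count labels across a batch, the way you would pivot the Traffic log."""
    counts: dict = {}
    for s in sessions:
        label = app_label(s)
        counts[label] = counts.get(label, 0) + 1
    return counts


SAMPLE = [  # constructed sessions
    Session("tcp", False, True, 1200, "web-browsing"),
    Session("tcp", False, False, 0, None),       # SYN with no SYN/ACK -> incomplete
    Session("tcp", False, True, 0, None),        # handshake then FIN -> incomplete
    Session("tcp", False, True, 12, None),       # a few bytes -> insufficient-data
    Session("tcp", False, True, 900, None),      # plenty of data, no match -> unknown-tcp
    Session("udp", False, False, 300, None),     # UDP has no handshake -> unknown-udp
    Session("tcp", True, False, 0, None),        # denied on port alone -> not-applicable
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE).items()):
        print(f"{label:<18} {n}")
```

When reviewing the Traffic log, treat a spike of incomplete sessions from a single source as a reconnaissance
signal and a steady stream of unknown-tcp to one server as an identification gap; they call for different
fixes (Zone Protection versus a custom App-ID).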

QUESTION 139
Which Panorama mode should be used so that all logs are sent to, and only stored in. Cortex Data Lake?

A. Legacy
B. Log Collector
C. Panorama
D. Management Only

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 140
DRAG DROP

Match each GlobalProtect component to the purpose of that component.

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

Explanation:
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. The
GlobalProtect gateways provide security enforcement for traffic from GlobalProtect apps. The GlobalProtect
app software runs on endpoints and enables access to your network resources.

QUESTION 141
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and
Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured
containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."
Which HA state will the Active firewall go into if the ethernet1/1 link goes down due to a failure?

A. Non-functional
B. Passive
C. Active-Secondary
D. Active

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
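
Questions 115 and 141 both turn on the two-level failure logic of HA monitoring: the Group Failure
Condition decides when a single link group or path group counts as failed ("any" or "all" of its members),
and the top-level Failure Condition decides when the set of groups triggers failover. The Python below is an
added example, not from the original questions or from PAN-OS, that models that logic together with the
ping interval x count detection time; the group names and figures are the ones given in the two questions.

```python
"""Evaluate PAN-OS HA link and path monitoring failure conditions.

Added example (not from the original questions). Each link group or path
group fails according to its own Group Failure Condition ("any"/"all" of its
members), and the HA monitor as a whole fails according to the top-level
Failure Condition ("any"/"all" of the groups). A path destination only counts
as down after ping_interval_ms * ping_count of consecutive loss.
"""
from dataclasses import dataclass, field
from typing import Dict, List


def _combine(condition: str, member_failures: List[bool]) -> bool:
    if condition == "any":
        return any(member_failures)
    if condition == "all":
        return bool(member_failures) and all(member_failures)
    raise ValueError(f"unknown failure condition {condition!r}")


@dataclass
class PathGroup:
    name: str
    failure_condition: str                # "any" or "all" of the destinations
    ping_interval_ms: int = 200           # PAN-OS default
    ping_count: int = 10                  # PAN-OS default
    # destination IP -> how long it has been unreachable (ms), 0 if reachable
    unreachable_ms: Dict[str, int] = field(default_factory=dict)

    def detection_ms(self) -> int:
        """Consecutive loss needed before one destination counts as down."""
        return self.ping_interval_ms * self.ping_count

    def failed(self) -> bool:
        down = [t >= self.detection_ms() for t in self.unreachable_ms.values()]
        return _combine(self.failure_condition, down)


@dataclass
class LinkGroup:
    name: str
    failure_condition: str                # "any" or "all" of the interfaces
    link_up: Dict[str, bool] = field(default_factory=dict)

    def failed(self) -> bool:
        return _combine(self.failure_condition, [not up for up in self.link_up.values()])


def monitor_triggers_failover(top_condition: str, groups) -> bool:
    """Apply the top-level Failure Condition across all link and path groups."""
    return _combine(top_condition, [g.failed() for g in groups])


def q115(down_ms_8888: int, down_ms_4222: int) -> bool:
    # Path group: condition "all", 500 ms interval, count 3 -> 1500 ms to detect.
    pg = PathGroup("dns", "all", 500, 3,
                   {"8.8.8.8": down_ms_8888, "4.2.2.2": down_ms_4222})
    return monitor_triggers_failover("any", [pg])


def q141(eth1_up: bool, eth2_up: bool) -> bool:
    # Link group: condition "all" over ethernet1/1 and ethernet1/2.
    lg = LinkGroup("uplinks", "all", {"ethernet1/1": eth1_up, "ethernet1/2": eth2_up})
    return monitor_triggers_failover("any", [lg])


if __name__ == "__main__":
    print("8.8.8.8 down 1 s        ->", q115(1000, 0))
    print("both down 1 s           ->", q115(1000, 1000))
    print("both down 2 s           ->", q115(2000, 2000))
    print("4.2.2.2 down 2 s        ->", q115(0, 2000))
    print("only ethernet1/1 down   ->", q141(False, True))
    print("both interfaces down    ->", q141(False, False))
```

The model makes the design trade-off visible: a group condition of "all" over two public resolvers avoids
failing over when one resolver has an outage, at the cost of tolerating a 1.5 s loss of both before the
passive peer takes over.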

QUESTION 142
An engineer is pushing configuration from Panorama to a managed firewall. What happens when the
pushed Panorama configuration has Address Object names that duplicate the Address Objects already
configured on the firewall?

A. The firewall rejects the pushed configuration, and the commit fails.
B. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will
update the references to the objects accordingly and fully commit the pushed configuration.
C. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects
D. The firewall ignores only the pushed objects that have the same name as the locally configured
objects, and it will commit the rest of the pushed configuration.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 143
What is a correct statement regarding administrative authentication using external services with a local
authorization method?

A. Prior to PAN-OS 10.2. an administrator used the firewall to manage role assignments, but access
domains have not been supported by this method.
B. Starting with PAN-OS 10.2. an administrator needs to configure Cloud Identity Engine to use external
authentication services for administrative authentication.
C. The administrative accounts you define locally on the firewall serve as references to the accounts
defined on an external authentication server.
D. The administrative accounts you define on an external authentication server serve as references to the
accounts defined locally on the firewall.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 144
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.

Based on the image, which NAT rule will forward web-browsing traffic correctly?
A.
B.

C.

D.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 145
An engineer is tasked with enabling SSL decryption across the environment. What are three valid
parameters of an SSL Decryption policy? (Choose three.)

A. URL categories
B. source users
C. source and destination IP addresses
D. App-ID
E. GlobalProtect HIP

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 146
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic
logs to Panorama. In which section is this configured?

A. Panorama > Managed Devices


B. Monitor > Logs > Traffic
C. Device Groups > Objects > Log Forwarding
D. Templates > Device > Log Settings

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 147
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-
positive action. How can the administrator create an exception for this particular file?

A. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.
B. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
C. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
D. Disable the WildFire profile on the related Security policy.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 148
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections on TCP
port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be
configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from
Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application,
and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this
server on tcp/443?

A. Rule #1: application: web-browsing; service: application-default; action: allow. Rule #2: application: ssl;
service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-https; action: allow. Rule #2: application: ssl;
service: application-default; action: allow
C. Rule #1: application: web-browsing; service: service-http; action: allow. Rule #2: application: ssl;
service: application-default; action: allow
D. Rule #1: application: ssl; service: application-default; action: allow. Rule #2: application: web-browsing;
service: application-default; action: allow

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 149
The firewall identifies a popular application as unknown-tcp. Which two options are available to identify
the application? (Choose two.)

A. Create a custom application.


B. Submit an App-ID request to Palo Alto Networks.
C. Create a custom object for the application server.
D. Create a Security policy to identify the custom application.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 150
An administrator is required to create an application-based Security policy rule to allow Evernote. The
Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs
to configure in the Security rule to allow only Evernote?

A. Add the Evernote application to the Security policy rule, then add a second Security policy rule
containing both HTTP and SSL.
B. Add the HTTP, SSL, and Evernote applications to the same Security policy
C. Add only the Evernote application to the Security policy rule.
D. Create an Application Override using TCP ports 443 and 80.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 151
Your company occupies one floor in a single building. You have two Active Directory domain controllers on
a single network. The firewall's management-plane resources are lightly utilized. Given the size of this
environment, which User-ID collection method is sufficient?

A. Citrix terminal server agent deployed on the network


B. Windows-based agent deployed on each domain controller
C. PAN-OS integrated agent deployed on the firewall
D. a syslog listener

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 152
The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA
pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/
Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.
Why is the AE interface showing down on the passive firewall?

A. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the
High Availability Options on the LACP tab of the AE Interface.
B. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP
selection on the LACP tab of the AE Interface.
C. It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable
LACP selection on the LACP tab of the AE Interface.
D. It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP
selection on the LACP tab of the AE Interface.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 153
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a
forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the
PA-generated certificate is taken from what?

A. The trusted certificate


B. The server certificate
C. The untrusted certificate
D. The root CA

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 154
Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to
firewalls inside the DATACENTER_DG device group?
A. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
shared post-rules
DATACENTER_DG post-rules
DATACENTER_DG default rules
B. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
shared post-rules
DATACENTER_DG post-rules
shared default rules
C. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
DATACENTER_DG post-rules
shared post-rules
shared default rules
D. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
DATACENTER_DG post-rules
shared post-rules
DATACENTER_DG default rules

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: A firewall in a device group evaluates rules in this order: Shared pre-rules, device group
pre-rules (from the top of the device-group hierarchy down to DATACENTER_DG), rules configured locally on
the firewall, device group post-rules (from DATACENTER_DG back up the hierarchy), Shared post-rules, and
finally the default rules (intrazone-default and interzone-default). Device group post-rules are always
evaluated before Shared post-rules, which rules out A and B. The default rules are inherited from Shared
unless DATACENTER_DG explicitly overrides them, so C is correct; D would apply only if the exhibit showed
the default rules overridden in the device group.
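The evaluation order above, carried through as an added Python example (not from the question bank or from Palo Alto Networks). The device-group names, rule names and the Shared > REGIONAL_DG > DATACENTER_DG hierarchy are constructed, and the model assumes a single-parent hierarchy in which default rules are inherited from Shared unless a device group overrides them.

```python
"""Effective Security rule order for a firewall managed by Panorama.

Added example, not from the question bank or Palo Alto Networks. Device
group names, rule names and the hierarchy below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)
    # intrazone-default / interzone-default can be overridden per device
    # group; None means "inherit from the parent (ultimately Shared)".
    default_rules: Optional[List[str]] = None


def lineage(dg: DeviceGroup) -> List[DeviceGroup]:
    """[Shared, ..., dg]: ancestors first, the target device group last."""
    chain: List[DeviceGroup] = []
    node: Optional[DeviceGroup] = dg
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()
    return chain


def effective_rule_order(dg: DeviceGroup, local_rules: List[str]) -> List[str]:
    """Order in which a firewall assigned to `dg` evaluates Security rules."""
    chain = lineage(dg)
    order: List[str] = []
    # 1. Pre-rules: Shared first, then each descendant down to the target group.
    for group in chain:
        order.extend(group.pre_rules)
    # 2. Rules committed locally on the firewall itself.
    order.extend(local_rules)
    # 3. Post-rules: target group first, climbing back up to Shared.
    for group in reversed(chain):
        order.extend(group.post_rules)
    # 4. Default rules: the nearest group that overrides them, else Shared.
    for group in reversed(chain):
        if group.default_rules is not None:
            order.extend(group.default_rules)
            break
    return order


# Constructed hierarchy: Shared -> REGIONAL_DG -> DATACENTER_DG.
SHARED = DeviceGroup(
    "Shared",
    pre_rules=["shared-pre-block-badlists"],
    post_rules=["shared-post-log-all"],
    default_rules=["intrazone-default", "interzone-default"],
)
REGIONAL_DG = DeviceGroup(
    "REGIONAL_DG", parent=SHARED,
    pre_rules=["regional-pre-allow-mgmt"],
    post_rules=["regional-post-deny-any"],
)
DATACENTER_DG = DeviceGroup(
    "DATACENTER_DG", parent=REGIONAL_DG,
    pre_rules=["dc-pre-allow-web"],
    post_rules=["dc-post-deny-smb"],
)

if __name__ == "__main__":
    for pos, rule in enumerate(effective_rule_order(DATACENTER_DG, ["local-allow-backup"]), 1):
        print(f"{pos:2d}. {rule}")
```

The practical consequence is that a permissive local rule on the firewall can never be overridden by a Shared post-rule, only by a pre-rule; if a control must win everywhere, place it in Shared pre-rules.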

QUESTION 155
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a
managed firewall?

A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a
system log and can send email alerts.
B. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer
any ability to see or monitor resource utilization on managed firewalls.
C. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when
resource exhaustion is detected on a managed firewall.
D. Panorama provides information about system resources of the managed devices in the Managed
Devices > Health menu

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Panorama can help with troubleshooting problems such as high CPU or resource exhaustion
on a managed firewall by providing information about system resources of the managed devices in the
Managed Devices > Health menu. This is explained in the Palo Alto Networks PCNSE Study Guide in
Chapter 13: Panorama, under the section "Monitoring Managed Firewalls with Panorama":
"The Panorama web interface provides information about the system resources of the managed devices.
In the Managed Devices > Health menu, you can view the CPU, memory, and disk usage of each
managed device. This information can help you troubleshoot problems such as high CPU or resource
exhaustion on a managed firewall."

QUESTION 156
Four configuration choices are listed, and each could be used to block access to a specific URL. If you
configured each choice to block the same URL, which choice would be evaluated last in the
processing order to block access to the URL?

A. PAN-DB URL category in URL Filtering profile


B. Custom URL category in Security policy rule
C. Custom URL category in URL Filtering profile
D. EDL in URL Filtering profile

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
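The lookup order behind the answer, as an added Python example (not from the question bank or from Palo Alto Networks). It models the documented order for a URL Filtering profile: custom URL categories, then External Dynamic Lists of type URL, then the PAN-DB predefined category last; a custom URL category used as match criteria in a Security policy rule is checked during policy lookup, before any profile is applied. The entry-matching rules are a simplified approximation of PAN-OS URL syntax, and the URLs, list contents, categories and actions are constructed.

```python
"""Order in which the category of a URL is resolved and enforced.

Added example, not from the question bank or Palo Alto Networks. The
matching rules are a simplified approximation of PAN-OS URL entry syntax;
all URLs, lists, categories and actions below are constructed.
"""
from __future__ import annotations

from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def normalize(url: str) -> str:
    """Lower-case host plus path, no scheme or query: 'example.com/dl/'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + (parts.path or "/")


def entry_matches(entry: str, url: str) -> bool:
    """Approximation of PAN-style URL entries:
    'example.com'      host and every path under it
    'example.com/dl/'  that path prefix only
    '*.example.com'    any subdomain, but not the bare domain
    """
    host, _, path = normalize(url).partition("/")
    e_host, _, e_path = normalize(entry).partition("/")
    if e_host.startswith("*."):
        if not host.endswith(e_host[1:]):
            return False
    elif host != e_host:
        return False
    return ("/" + path).startswith("/" + e_path)


# Constructed category sources, listed in evaluation order.
POLICY_URL_CATEGORIES: Dict[str, List[str]] = {
    "blocked-by-policy": ["pastebin.com"],      # custom category in a Security rule
}
PROFILE_CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "allowed-partners": ["*.partner.example", "cdn.example/static/"],
}
PROFILE_EDLS: Dict[str, List[str]] = {
    "threat-feed-edl": ["malware.example", "evil.partner.example"],
}
PAN_DB: Dict[str, str] = {                      # predefined categories, checked last
    "pastebin.com": "online-storage-and-backup",
    "malware.example": "malware",
    "news.example": "news",
}
ACTIONS: Dict[str, str] = {
    "blocked-by-policy": "deny",
    "allowed-partners": "allow",
    "threat-feed-edl": "block",
    "malware": "block",
    "online-storage-and-backup": "alert",
    "news": "allow",
}


def categorize(url: str) -> Tuple[str, str]:
    """Return (category, source) from the first source that matches."""
    for source, categories in (
        ("security-policy-rule", POLICY_URL_CATEGORIES),
        ("custom-url-category", PROFILE_CUSTOM_CATEGORIES),
        ("external-dynamic-list", PROFILE_EDLS),
    ):
        for category, entries in categories.items():
            if any(entry_matches(entry, url) for entry in entries):
                return category, source
    host = normalize(url).partition("/")[0]
    return PAN_DB.get(host, "unknown"), "pan-db"


def enforce(url: str) -> Dict[str, str]:
    """Action applied to a URL, with the category and the source that decided it."""
    category, source = categorize(url)
    return {"category": category, "source": source, "action": ACTIONS.get(category, "alert")}


if __name__ == "__main__":
    for u in ("https://pastebin.com/raw/abc", "http://malware.example/x",
              "https://evil.partner.example/payload", "news.example"):
        print(u, "->", enforce(u))
```

The caveat worth remembering from this model is the third URL: a broad wildcard in an allow custom category wins over an explicit block entry in an EDL for the same host, because the custom category is consulted first. Keep allow categories narrow, or place the exception in the same category as the block.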

QUESTION 157
After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit
with the following details.

What are two explanations for this type of issue? (Choose two)

A. The peer IP is not included in the permit list on Management Interface Settings
B. The Backup Peer HA1 IP Address was not configured when the commit was issued
C. Either management or a data-plane interface is used as HA1-backup
D. One of the firewalls has gone into the suspended state

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The commit fails when the HA1-backup link is configured on either the management (MGT)
interface or an in-band (data-plane) interface, or when the Backup Peer HA1 IP Address is left
unconfigured.
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCAU

QUESTION 158
A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The
security team has already configured all firewalls with the Panorama IP address and added all the firewall
serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to
Panorama?

A. Use API calls to retrieve the configuration directly from the managed devices
B. Export Named Configuration Snapshot on each firewall followed by Import Named Configuration
Snapshot in Panorama
C. Import Device Configuration to Panorama followed by Export or Push Device Config Bundle
D. Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 159
Which log type would provide information about traffic blocked by a Zone Protection profile?

A. Data Filtering
B. IP-Tag
C. Traffic
D. Threat

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC
A Zone Protection profile is applied to a zone to protect its interfaces from reconnaissance (port scans and
host sweeps), flood attacks, and packet-based attacks. Packets dropped by a Zone Protection profile are
recorded in the Threat log, the same log that records spyware, virus, vulnerability-exploit, and URL filtering
events; they are not recorded in the Traffic log.

QUESTION 160
An engineer is creating a template and wants to use variables to standardize the configuration across a
large number of devices. Which two variable types can be defined? (Choose two.)

A. Path group
B. Zone
C. IP netmask
D. FQDN

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 161
An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are
mandatory as part of the bootstrap package directory structure? (Choose three.)

A. /software
B. /opt
C. /license
D. /content
E. /plugins

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation: The bootstrap package must contain the /config, /content, /license, and /software directories,
even if some of them are empty. /plugins is optional and is only needed when a plugin has to be installed at
first boot.

QUESTION 162
Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned
Decryption rollout. The administrator has also installed the self-signed root certificate on all client systems.
When testing, they noticed that every time a user visited an SSL site they received unsecured website
warnings. What is the cause of the unsecured website warnings?

A. The forward trust certificate has not been signed by the self-signed root CA certificate
B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates
C. The forward untrust certificate has not been signed by the self-signed root CA certificate
D. The forward trust certificate has not been installed in client systems

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The clients trust the self-signed root CA that was installed on them. The firewall re-signs every
decrypted server certificate with the Forward Trust certificate, so if that certificate does not chain to the
installed root CA, every decrypted site produces a warning. The Forward Untrust certificate must stay
untrusted by clients on purpose: it is only presented for sites whose original certificate fails validation, so it
cannot explain warnings on every site.

QUESTION 163
Which statement about High Availability timer settings is true?

A. Use the Moderate timer for typical failover timer settings.
B. Use the Critical timer for faster failover timer settings.
C. Use the Recommended timer for faster failover timer settings.
D. Use the Aggressive timer for faster failover timer settings.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The Recommended profile is the default set of HA timers for typical deployments. The
Aggressive profile shortens the timers so that failover is detected faster, at the cost of a higher chance of
spurious failover on a congested HA link. The Advanced option lets you set each timer individually.

QUESTION 164
What are two best practices for incorporating new and modified App-IDs? (Choose two)

A. Configure a security policy rule to allow new App-IDs that might have network-wide impact
B. Study the release notes and install new App-IDs if they are determined to have low impact
C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs
D. Run the latest PAN-OS version in a supported release tree to have the best performance for the new
App-IDs

Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Explanation:

QUESTION 165
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three)

A. SSH key
B. User logon
C. Short message service
D. One-Time Password
E. Push

Correct Answer: CDE
Section: (none)
Explanation

Explanation/Reference:
Explanation: Multi-factor authentication (MFA) verifies a user's identity with two or more factors, such as
something they know, something they have, or something they are. The firewall can enforce MFA for
administrative access, GlobalProtect VPN access, and Authentication Portal (Captive Portal) access by
integrating with external MFA vendors such as Duo Security, Okta Verify, PingID, and RSA SecurID.
The MFA factors PAN-OS supports through those integrations are Push, Short message service (SMS),
Voice, and One-Time Password (OTP). An SSH key is not an MFA factor, and the user logon itself is the first
factor, not an additional one.

QUESTION 166
An engineer has been given approval to upgrade their environment to PAN-OS 10.2.

The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log
collectors.

What is the recommended order when upgrading to PAN-OS 10.2?

A. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls


B. Upgrade the firewalls, upgrade the log collectors, upgrade Panorama
C. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
D. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: Upgrade Panorama first, then the Dedicated Log Collectors, then the firewalls, so that
Panorama always runs a PAN-OS version equal to or later than that of the devices it manages and collects
logs from.

QUESTION 167
Which benefit do policy rule UUIDs provide?

A. An audit trail across a policy's lifespan


B. Functionality for scheduling policy actions
C. The use of user IP mapping and groups in policies
D. Cloning of policies between device-groups

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
QUESTION 168
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of
the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust
certificate?

A. A self-signed Certificate Authority certificate generated by the firewall


B. A Machine Certificate for the firewall signed by the organization's PKI
C. A web server certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: A Forward Trust certificate must be a CA certificate whose private key is on the firewall. The
best choice is a subordinate CA certificate issued by the organization's PKI: clients already trust the
enterprise root, so no additional certificate has to be distributed to endpoints. A self-signed CA generated by
the firewall works, but only after that certificate is pushed to every client. A machine certificate or a web
server certificate cannot sign other certificates and cannot serve as a forward trust certificate.

QUESTION 169
During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN
connection to the corporate network before logging in to their new Windows 10 endpoints.

The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the
Connect Before Logon feature to solve this issue.

What must be configured to enable the Connect Before Logon feature?

A. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand.
B. Registry keys on the Windows system.
C. X-Auth Support in the GlobalProtect Gateway Tunnel Settings.
D. The Certificate profile in the GlobalProtect Portal Authentication Settings.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Connect Before Logon is enabled on the endpoint by creating the GlobalProtect registry entries
on the Windows system (or by passing the equivalent parameters to MSIEXEC during installation); the portal
agent configuration then uses one of the supported authentication methods. Pre-logon is a separate feature
with its own connect method, and X-Auth support applies to third-party IPSec clients.

QUESTION 170
The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by
upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on
Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

A. Management only mode


B. Expired certificates
C. Outdated plugins
D. GlobalProtect agent version

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Before Panorama can be upgraded to PAN-OS 10.2, every installed plugin must be at a version
that is compatible with 10.2; outdated or incompatible plugins cause the install to fail. Management-only
mode is a supported operating mode, not an upgrade blocker.

QUESTION 171
An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)
A. Syslog
B. XFF Headers
C. Client probing
D. Server Monitoring

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 172
Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down
Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

A. Click the hyperlink for the ZeroAccess.Gen threat.
B. Click the left arrow beside the ZeroAccess.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the botnet threat category.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 173
An administrator creates an application-based security policy rule and commits the change to the firewall.
Which two methods should be used to identify the dependent applications for the respective rule? (Choose
two.)

A. Use the show predefined xpath <value> command and review the output.
B. Review the App Dependency application list from the Commit Status view.
C. Open the security policy rule and review the Depends On application list.
D. Reference another application group containing similar applications.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: After the commit, the Commit Status window lists any rule whose applications have
unsatisfied dependencies under App Dependency. The same information is available by opening the rule and
reviewing the Depends On application list on the Application tab, where the dependencies can be added to
the rule.

QUESTION 174
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

A. Phase 1 and Phase 2 SAs are synchronized over HA3 links.


B. Phase 1 SAs are synchronized over HA1 links.
C. Phase 2 SAs are synchronized over HA2 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA2 links.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 175
An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

A. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its
vsys in a single device group.
B. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which
must have all its vsys in a single device group.
C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each
vsys in a different device group.
D. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have
each vsys in a different device group.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: A device group can contain multiple firewalls and multiple vsys. Each vsys of a multi-vsys
firewall is managed as a separate device and can be assigned to a different device group, which lets one
chassis hosting several tenants receive a different policy set per vsys.

QUESTION 176
An administrator creates a custom application containing Layer 7 signatures. The latest application and
threat dynamic update is downloaded to the same firewall. The update contains an application that
matches the same traffic signatures as the custom application.

Which application will be used to identify traffic traversing the firewall?

A. Custom application
B. Unknown application
C. Incomplete application
D. Downloaded application

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 177
Refer to the exhibit.
Review the screenshots and consider the following information:

ꞏ FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

ꞏ There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?

A. Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.
B. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.
C. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.
D. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 178
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the
GlobalProtect gateway?

A. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.


B. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
C. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.
D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: When IPSec is enabled on the gateway, the GlobalProtect app tries to establish an IPSec tunnel
first. If the IPSec tunnel cannot be established (for example, because UDP 4501 is blocked along the path),
the app falls back to an SSL/TLS tunnel to the same gateway. The portal only delivers configuration and is
never a tunnel endpoint.

QUESTION 179
An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a
new-hire colleague in the IT department.

Which dynamic role does the administrator assign to the new-hire colleague?

A. Device administrator (read-only)


B. System administrator (read-only)
C. Firewall administrator (read-only)
D. Superuser (read-only)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 180
Which feature checks Panorama connectivity status after a commit?

A. Automated commit recovery


B. Scheduled config export
C. Device monitoring data under Panorama settings
D. HTTP Server profiles

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 181
What is the dependency for users to access services that require authentication?

A. An Authentication profile that includes those services


B. Disabling the authentication timeout
C. An authentication sequence that includes those services
D. A Security policy allowing users to access those services

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 182
A network engineer is troubleshooting a VPN and wants to verify whether the decapsulation/encapsulation
counters are increasing. Which CLI command should the engineer run?

A. show vpn tunnel name | match encap
B. show vpn flow name <tunnel name>
C. show running tunnel flow lookup
D. show vpn ipsec-sa tunnel <tunnel name>

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 183
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The
administrator determines that the lifetime needs to be changed to match the peer.

Where should this change be made?

A. IKE Gateway profile


B. IPSec Crypto profile
C. IPSec Tunnel settings
D. IKE Crypto profile

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The Phase 2 (IPSec SA) lifetime is set in the IPSec Crypto profile, alongside the ESP/AH
encryption and authentication algorithms and the DH group used for PFS. The IKE Crypto profile holds the
Phase 1 (IKE SA) lifetime; the IKE Gateway and IPSec Tunnel settings reference these profiles but do not
contain the lifetimes themselves.

QUESTION 184
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the
firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an
aggregate interface group?

A. They can have a different bandwidth.


B. They can have a different interface type such as Layer 3 or Layer 2.
C. They can have a different interface type from an aggregate interface group.
D. They can have different hardware media such as the ability to mix fiber optic and copper.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Interfaces assigned to an aggregate group must be the same interface type (all Layer 3, all
Layer 2, all virtual wire, or all HA) and have the same bandwidth, but they may use different hardware
media, so copper and fiber ports can be mixed in one group.

QUESTION 185
What is a key step in implementing WildFire best practices?

A. In a mission-critical network, increase the WildFire size limits to the maximum value.
B. Configure the firewall to retrieve content updates every minute.
C. In a security-first network, set the WildFire size limits to the minimum value.
D. Ensure that a Threat Prevention subscription is active.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 186
An administrator is attempting to create policies for deployment of a device group and template stack.
When creating the policies, the zone drop-down list does not include the required zone.

What can the administrator do to correct this issue?

A. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
B. Add a firewall to both the device group and the template.
C. Specify the target device as the master device in the device group.
D. Add the template as a reference template in the device group.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: In order to see what is in a template, the device-group needs the template referenced. Even if
you add the firewall to both the template and device-group, the device-group will not see what is in the
template.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

QUESTION 187

Review the images. A firewall policy that permits web traffic includes the

What is the result of traffic that matches the "Alert - Threats" Profile Match List?
A. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180
minutes.
B. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180
minutes.
C. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180
minutes.
D. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180
minutes.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 188
View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information,
which two statements are correct? (Choose two.)

A. DNS has a higher priority and more bandwidth than SSH.


B. Google-video has a higher priority and more bandwidth than WebEx.
C. SMTP has a higher priority but lower bandwidth than Zoom.
D. Facetime has a higher priority but lower bandwidth than Zoom.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 189
A system administrator runs a port scan using the company tool as part of vulnerability check. The
administrator finds that the scan is identified as a threat and is dropped by the firewall. After further
investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

What should the administrator do to allow the tool to scan through the firewall?

A. Remove the Zone Protection profile from the zone setting.


B. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone
Protection profile.
C. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS
Protection profile.
D. Change the TCP port scan action from Block to Alert in the Zone Protection profile.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Reconnaissance protection (TCP and UDP port scans, host sweeps) is configured in the Zone
Protection profile, and the profile provides a Source Address Exclusion list for exactly this case. Adding only
the scanner's address keeps the protection active for every other source; removing the profile or changing
the action to Alert would disable the protection for everyone. DoS Protection profiles handle flood
thresholds, not reconnaissance.

QUESTION 190
An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys
dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do
not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the
configuration does not appear, what is the root cause?

A. Panorama does not have valid licenses to push the dynamic updates.
B. Panorama has no connection to Palo Alto Networks update servers.
C. No service route is configured on the firewalls to Palo Alto Networks update servers.
D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 191
How does Panorama prompt VMWare NSX to quarantine an infected VM?

A. Email Server Profile


B. Syslog Server Profile
C. SNMP Server Profile
D. HTTP Server Profile

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Panorama uses an HTTP Server profile, with a payload format aimed at the NSX Manager API,
to apply a security tag to the infected guest; NSX then moves the tagged VM into the quarantine security
group defined in NSX. The HTTP Server profile is referenced from a Log Forwarding profile so that a
matching threat log triggers the tagging.

QUESTION 192
Given the screenshot, how did the firewall handle the traffic?

A. Traffic was allowed by profile but denied by policy as a threat


B. Traffic was allowed by policy but denied by profile as..
C. Traffic was allowed by policy but denied by profile as ..
D. Traffic was allowed by policy but denied by profile as a..

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 193
A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP
address of the web server, www.xyz.com. The DNS server returns an address of 172.16.15.1.

In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
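The rule-matching logic that QUESTION 144 and QUESTION 193 both rely on, as an added Python example (not from the question bank or from Palo Alto Networks). It models the PAN-OS order of operations: the NAT rule is matched on the pre-NAT zones and the pre-NAT destination address, the packet is then routed to the translated address, and the Security policy is matched on the post-NAT destination zone but still on the pre-NAT destination address. The public address, server address and port are those in QUESTION 144 and the client address is the one in QUESTION 193; the zone names and the routing table are constructed.

```python
"""Destination NAT plus Security policy lookup for an inbound web connection.

Added example, not from the question bank or Palo Alto Networks. Zone names
and the routing table are constructed; the addresses come from the questions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed virtual-router routes: (prefix, zone of the egress interface).
ROUTES = [("10.1.1.0/24", "dmz"), ("0.0.0.0/0", "untrust")]


def zone_for(ip: str) -> str:
    """Zone of the interface an address routes out of (longest-prefix match)."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), z) for p, z in ROUTES if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str            # zone the ORIGINAL (pre-NAT) destination routes to
    original_dst: str
    port: Optional[int]
    translated_dst: str


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str            # zone of the TRANSLATED (post-NAT) destination
    dst: str                # still the pre-NAT address, as seen on the wire
    port: Optional[int]
    action: str


def match_nat(pkt: Packet, rules: List[NatRule]) -> Optional[NatRule]:
    """NAT lookup: both zones and the address are evaluated pre-NAT."""
    src_zone, dst_zone = zone_for(pkt.src_ip), zone_for(pkt.dst_ip)
    for r in rules:
        if (r.from_zone, r.to_zone, r.original_dst) == (src_zone, dst_zone, pkt.dst_ip) \
                and r.port in (None, pkt.dst_port):
            return r
    return None


def process(pkt: Packet, nat_rules: List[NatRule],
            sec_rules: List[SecurityRule]) -> Dict[str, Optional[str]]:
    """Return which NAT and Security rules matched and where the packet goes."""
    nat = match_nat(pkt, nat_rules)
    translated = nat.translated_dst if nat else pkt.dst_ip
    src_zone, post_nat_zone = zone_for(pkt.src_ip), zone_for(translated)
    for r in sec_rules:
        if (r.from_zone, r.to_zone, r.dst) == (src_zone, post_nat_zone, pkt.dst_ip) \
                and r.port in (None, pkt.dst_port):
            return {"nat_rule": nat.name if nat else None, "security_rule": r.name,
                    "action": r.action,
                    "forwarded_to": translated if r.action == "allow" else None}
    return {"nat_rule": nat.name if nat else None, "security_rule": None,
            "action": "deny", "forwarded_to": None}


# Correct rules for QUESTION 144: 206.15.22.9:80 -> 10.1.1.22.
NAT_RULES = [NatRule("dnat-web-01", "untrust", "untrust", "206.15.22.9", 80, "10.1.1.22")]
SEC_RULES = [SecurityRule("allow-inbound-web", "untrust", "dmz", "206.15.22.9", 80, "allow")]
# Two common mistakes: matching the translated address, or the pre-NAT zone.
WRONG_SEC_RULES = [
    SecurityRule("wrong-post-nat-ip", "untrust", "dmz", "10.1.1.22", 80, "allow"),
    SecurityRule("wrong-pre-nat-zone", "untrust", "untrust", "206.15.22.9", 80, "allow"),
]

INBOUND = Packet("65.124.57.5", "206.15.22.9", 80)

if __name__ == "__main__":
    print(process(INBOUND, NAT_RULES, SEC_RULES))
    print(process(INBOUND, NAT_RULES, WRONG_SEC_RULES))
```

Both wrong rules are the ones most often seen in the field: the NAT rule matches and the Traffic log shows the session, but the Security lookup finds nothing because the rule was written against the post-NAT address or the pre-NAT zone.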

QUESTION 194
An administrator is receiving complaints about application performance degradation. After checking the
ACC, the administrator observes that there is an excessive amount of SSL traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)

A. QoS on the ingress Interface for the traffic flows


B. An Application Override policy for the SSL traffic
C. A QoS policy for each application ID
D. A QoS profile defining traffic classes
E. QoS on the egress interface for the traffic flows

Correct Answer: CDE
Section: (none)
Explanation

Explanation/Reference:
Explanation: QoS is enforced on the egress interface: a QoS profile defines the traffic classes and their
guaranteed and maximum bandwidth, a QoS policy assigns traffic (by application, user, zone, and so on) to
those classes, and the profile is bound to the egress interface. An Application Override would stop App-ID
inspection of the traffic and provides no bandwidth control.

QUESTION 195
A company has configured a URL Filtering profile with override action on their firewall. Which two profiles
are needed to complete the configuration? (Choose two)

A. SSL/TLS Service
B. HTTP Server
C. Decryption
D. Interface Management

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 196
An administrator accidentally closed the commit window/screen before the commit was finished. Which two
options could the administrator use to verify the progress or success of that commit task? (Choose two.)

A. System Logs
B. Task Manager
C. Traffic Logs
D. Configuration Logs

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation: A. System Logs: The system logs contain information about various events that occur on the
firewall, including the commit process. The administrator can review the system logs to verify whether the
commit completed successfully or whether there were any errors or warnings during the commit process.
B. Task Manager: The task manager displays a list of all active tasks on the firewall, including the commit
task. The administrator can use the task manager to check the status of the commit task, including whether
it is in progress, completed successfully, or failed.

QUESTION 197
The same route appears in the routing table three times using three different protocols Which mechanism
determines how the firewall chooses which route to use?

A. Administrative distance
B. Round Robin load balancing
C. Order in the routing table
D. Metric

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Administrative distance is the measure of trustworthiness of a routing protocol. It is used to
determine the best path when multiple routes to the same destination exist. The route with the lowest
administrative distance is chosen as the best route. When the same route appears in the routing table
three times using three different protocols, the mechanism that determines which route the firewall
chooses to use is the administrative distance. This is explained in the Palo Alto Networks PCNSE Study
Guide in Chapter 6: Routing, under the section "Route Selection":
"Administrative distance is a value assigned to each protocol that the firewall uses to determine which
route to use if multiple protocols provide routes to the same destination. The route with the lowest
administrative distance is preferred."
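Route selection carried through as an added Python example (not from the question bank or from Palo Alto Networks). The administrative distances are the PAN-OS virtual router defaults (static 10, EBGP 20, OSPF internal 30, OSPF external 110, RIP 120, IBGP 200); the prefixes, next hops and metrics are constructed. It also shows the point the question leaves implicit: administrative distance only decides between routes to the same prefix, and a more specific prefix still wins at forwarding time regardless of its protocol.

```python
"""Route selection in a virtual router when one prefix is learned several ways.

Added example, not from the question bank or Palo Alto Networks. Administrative
distances are the PAN-OS defaults; prefixes, next hops and metrics are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_ADMIN_DISTANCE: Dict[str, int] = {
    "static": 10, "ebgp": 20, "ospf-int": 30, "ospf-ext": 110, "rip": 120, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str
    metric: int = 0

    @property
    def admin_distance(self) -> int:
        return DEFAULT_ADMIN_DISTANCE[self.protocol]


def build_fib(rib: List[Route]) -> Dict[str, Route]:
    """Install one route per prefix: lowest administrative distance wins;
    the metric only breaks ties between routes with the same distance."""
    fib: Dict[str, Route] = {}
    for route in rib:
        key = str(ipaddress.ip_network(route.prefix))
        current = fib.get(key)
        if current is None or (route.admin_distance, route.metric) < (current.admin_distance, current.metric):
            fib[key] = route
    return fib


def lookup(fib: Dict[str, Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over installed routes; distance never overrides specificity."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for p, r in fib.items() if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed RIB: the same /24 learned three ways, plus a more specific OSPF route.
RIB = [
    Route("10.50.0.0/24", "192.0.2.1", "static"),
    Route("10.50.0.0/24", "192.0.2.2", "ospf-int", metric=20),
    Route("10.50.0.0/24", "192.0.2.3", "ebgp", metric=0),
    Route("10.50.0.128/25", "192.0.2.4", "ospf-int", metric=10),
    Route("0.0.0.0/0", "192.0.2.254", "static"),
]

if __name__ == "__main__":
    fib = build_fib(RIB)
    for dst in ("10.50.0.10", "10.50.0.200", "8.8.8.8"):
        best = lookup(fib, dst)
        print(dst, "->", best.protocol, best.next_hop, best.prefix)
```

Because the default distances put static routes ahead of every dynamic protocol, a stale static route will silently shadow a correct OSPF or BGP route to the same prefix; raise the static route's distance (or remove it) if the dynamic route is meant to win.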

QUESTION 198
An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL
Inbound Inspection and SSL Forward Proxy are installed properly on the firewall. When certificates are
being imported to the firewall for these purposes, which three certificates require a private key? (Choose
three.)

A. Forward Untrust certificate


B. Forward Trust certificate
C. Enterprise Root CA certificate
D. End-entity (leaf) certificate
E. Intermediate certificate(s)

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
This is discussed in the Palo Alto Networks PCNSE Study Guide in Chapter 9: Decryption, under the
section "SSL Forward Proxy and Inbound Inspection Certificates":
"When importing SSL decryption certificates, you need to provide private keys for the forward trust, forward
untrust, and end-entity (leaf) certificates. You do not need to provide private keys for the root CA and
intermediate certificates."

QUESTION 199
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a
forward trust certificate have? (Choose two.)

A. A subject alternative name
B. A private key
C. A server certificate
D. A certificate authority (CA) certificate

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: When deploying SSL Forward Proxy decryption, a forward trust certificate must have a
subject alternative name (SAN) and be a server certificate. SAN is an extension to the X.509 standard that
allows multiple domain names to be protected by a single SSL/TLS certificate. It is used to identify the
domain names or IP addresses that the certificate should be valid for. A private key is also required but it is
not mentioned in the options. A certificate authority (CA) certificate is not required as the forward trust
certificate itself is a CA certificate.

QUESTION 200
An engineer has been asked to limit which routes are shared by running two different areas within an
OSPF implementation. However, the devices share a common link for communication. Which virtual router
configuration supports running multiple instances of the OSPF protocol over a single link?

A. ASBR
B. ECMP
C. OSPFv3
D. OSPF

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Support for multiple instances per link: with OSPFv3, you can run multiple instances of the
OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An
interface that is assigned to an instance ID drops packets that contain a different ID.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ospf/ospf-concepts/ospfv3

QUESTION 201
A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny."

Which action will this configuration cause on the matched traffic?

A. The Profile Settings section will be grayed out when the Action is set to "Deny"
B. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit
C. The configuration will allow the matched session unless a vulnerability signature is detected.
D. The "Deny" action will supersede the per-severity defined actions defined in the associated
Vulnerability Protection Profile. It will cause the firewall to deny the matched sessions.
Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html

The first note in the above link states:

"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan
traffic after the application or category is allowed by the security policy."

The first thing the firewall checks in its flow is the Security policy match and action. The Security Profile
never gets checked if the traffic matches a policy whose action is set to deny.

QUESTION 202
An engineer has discovered that certain real-time traffic is being treated as best effort because it exceeds
the defined bandwidth. Which QoS setting should the engineer adjust?

A. QoS profile: Egress Max
B. QoS interface: Egress Guaranteed
C. QoS profile: Egress Guaranteed
D. QoS interface: Egress Max

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-
effort basis.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-bandwidth-management

QUESTION 203
A company is looking to increase redundancy in their network. Which interface type could help accomplish
this?

A. Layer 2
B. Virtual wire
C. Tap
D. Aggregate ethernet

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: An aggregate group increases the bandwidth between peers by load balancing traffic across
the combined interfaces. It also provides redundancy.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/configure-an-aggregate-interface-group#id9c0f5a8b-0aad-4be5-821d-ef9d7c11a88d

QUESTION 204
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been
configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display
the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in
conflict?

A. Configure a floating IP between the firewall pairs.
B. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the
same subnet.
C. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
D. On one pair of firewalls, run the CLI command: set network interface vlan arp.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
Change the Group IDs in the High Availability settings to be different from the other firewall pair on the
same subnet. This will prevent the MAC addresses from conflicting and allow the firewalls to properly route
traffic. You can also configure a floating IP between the firewall pairs if necessary.

QUESTION 205
How can an administrator use the Panorama device-deployment option to update the apps and threat
version of an HA pair of managed firewalls?

A. Configure the firewall's assigned template to download the content updates.
B. Choose the download and install action for both members of the HA pair in the Schedule object.
C. Switch context to the firewalls to start the download and install process.
D. Download the apps to the primary; no further action is required.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/add-the-managed-firewalls-and-deploy-updates

QUESTION 206
An engineer is tasked with configuring a Zone Protection profile on the untrust zone.

Which three settings can be configured on a Zone Protection profile? (Choose three.)

A. Ethernet SGT Protection
B. Protocol Protection
C. DoS Protection
D. Reconnaissance Protection
E. Resource Protection

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
B. Protocol Protection: Protocol protection is used to limit or block traffic that uses certain protocols or
application functions. For example, a Zone Protection profile can be configured to block traffic that uses
non-standard protocols, such as IP-in-IP, or to limit the number of concurrent sessions for certain
protocols, such as SIP.
C. DoS Protection: DoS protection is used to protect against various types of denial-of-service (DoS)
attacks, such as SYN floods, UDP floods, ICMP floods, and others. A Zone Protection profile can be
configured to limit the rate of traffic for certain protocols or to drop traffic that matches specific patterns,
such as malformed packets or packets with invalid headers.
D. Reconnaissance Protection: Reconnaissance protection is used to prevent attackers from gathering
information about the network, such as by using port scans or other techniques. A Zone Protection profile
can be configured to limit the rate of traffic for certain types of reconnaissance, such as port scans or OS
fingerprinting, or to drop traffic that matches specific patterns, such as packets with invalid flags or
payloads.

QUESTION 207
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application
uptime requirements.

What is the correct setting?

A. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
B. Change the HA timer profile to "fast".
C. Change the HA timer profile to "user-defined" and manually set the timers.
D. Change the HA timer profile to "quick" and customize in advanced profile.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha
In an A/P HA pair, HA (High Availability) timers are used to determine how quickly the firewall should fail
over in case of a failure. Typically, the firewall administrator can choose between several predefined timer
profiles such as "normal", "aggressive", and "fast". Changing the HA timer profile to "user-defined" and
manually setting the timers would allow the administrator to fine-tune the failover timing and make sure it
meets the uptime requirements for the critical business applications. This approach allows the
administrator to set the timers to the lowest possible value without compromising the stability and security
of the firewall.

QUESTION 208
Where can an administrator see both the management-plane and data-plane CPU utilization in the
WebUI?

A. System Resources widget
B. System Logs widget
C. Session Browser
D. General Information widget

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The System Resources widget of the firewall WebUI dashboard displays a real-time overview
of resource usage, including both management-plane and data-plane CPU utilization. System Resources
Widget: displays the Management CPU usage, Data Plane usage, and the Session Count (the number of
sessions established through the firewall or Panorama).
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/dashboard/dashboard-widgets.html

QUESTION 209
An administrator would like to determine which action the firewall will take for a specific CVE. Given the
screenshot below, where should the administrator navigate to view this information?

A. The profile rule action
B. CVE column
C. Exceptions tab
D. The profile rule threat name

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 210
When using SSH keys for CLI authentication for firewall administration, which method is used for
authorization?

A. Local
B. LDAP
C. Kerberos
D. Radius

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: When using SSH keys for CLI authentication for firewall administration, the method used for
authorization is local. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 4:
Authentication and Authorization, under the section "CLI Authentication with SSH Keys":
"SSH keys use public key cryptography to authenticate users, but they do not provide a mechanism for
authorization. Therefore, when using SSH keys for CLI authentication, authorization is always performed
locally on the firewall."

QUESTION 211
An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status
on the firewall's dashboard is showing as down.

What could an administrator do to troubleshoot the issue?

A. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for
heartbeat backup.
B. Check the peer IP address in the permit list in Device > Setup > Management > Interfaces > Management
Interface Settings.
C. Go to Device > High Availability > HA Communications > General and check the Heartbeat Backup
under Election Settings.
D. Check the peer IP address for heartbeat backup in Device > High Availability > HA Communications >
Packet Forwarding settings.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: If the HA status is showing as down after enabling HA Heartbeat Backup on two devices, an
administrator could troubleshoot the issue by checking the peer IP address in the permit list in Device >
Setup > Management > Interfaces > Management Interface Settings. This is described in the Palo Alto
Networks PCNSE Study Guide in Chapter 7: High Availability, under the section "Configure Heartbeat
Backup for Redundancy":
"Verify that the management interface's permitted IP addresses on each peer includes the IP address of
the other peer's Heartbeat Backup interface."

QUESTION 212
A company has configured GlobalProtect to allow their users to work from home. A decrease in
performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)

A. Exclude video traffic
B. Enable decryption
C. Block traffic that is not work-related
D. Create a Tunnel Inspection policy

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: This is because excluding video traffic from being sent over the VPN will reduce the amount
of bandwidth being used during peak hours, allowing more bandwidth to be available for other types of
traffic. Blocking non-work related traffic will also reduce the amount of bandwidth being used, further
freeing up bandwidth for work-related traffic. Enabling decryption and creating a Tunnel Inspection policy
are not likely to mitigate the issue of decreased performance during peak-use hours, as they do not directly
address the issue of limited bandwidth availability during these times.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW

QUESTION 213
An administrator is configuring a Panorama device group.

Which two objects are configurable? (Choose two.)

A. DNS Proxy
B. Address groups
C. SSL/TLS roles
D. URL Filtering profiles

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: URL filtering is a feature in Palo Alto Networks firewalls that allows administrators to block
access to specific URLs [1]. This feature can be configured via four different objects: Custom URL
categories in URL Filtering profiles, PAN-DB URL categories in URL Filtering profiles, External Dynamic
Lists (EDL) in URL Filtering profiles, and Custom URL categories in Security policy rules. The evaluation
order for URL filtering is: Custom URL categories in URL Filtering profile, PAN-DB URL categories in URL
Filtering profile, EDL in URL Filtering profile, and Custom URL category in Security policy rule. This
information can be found in the Palo Alto Networks PCNSE Study Guide, which can be accessed here:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/resource-library/palo-alto-networks-pcnse-study-guide.html.

QUESTION 214
A network security administrator wants to configure SSL inbound inspection.

Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose
three.)

A. An SSL/TLS Service profile
B. The web server's security certificate with the private key
C. A Decryption profile
D. A Decryption policy
E. The client's security certificate with the private key

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection

QUESTION 215
A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

A. Windows User-ID agent
B. GlobalProtect
C. XMLAPI
D. External dynamic list
E. Dynamic user groups

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation: User-ID is a feature that enables the firewall to identify users and groups based on their IP
addresses, usernames, or other attributes.
There are three valid methods of collecting User-ID information in a network:

QUESTION 216
What steps should a user take to increase the NAT oversubscription rate from the default platform setting?

A. Navigate to Device > Setup > TCP Settings > NAT Oversubscription Rate
B. Navigate to Policies > NAT > Destination Address Translation > Dynamic IP (with session distribution)
C. Navigate to Policies > NAT > Source Address Translation > Dynamic IP (with session distribution)
D. Navigate to Device > Setup > Session Settings > NAT Oversubscription Rate

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: NAT oversubscription is a feature that allows you to reuse a translated IP address and port for
multiple source devices. This can help you conserve public IP addresses and increase the number of
sessions that can be translated by a NAT rule.

QUESTION 217
A network administrator is trying to prevent domain username and password submissions to phishing sites
on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential
phishing on the firewall?

A. Choose the URL categories in the Site Access column and set the action to block. Click the User
Credential Detection tab and select IP User Mapping. Commit.
B. Choose the URL categories in the User Credential Submission column and set the action to block. Select
the User Credential Detection tab and select Use IP User Mapping. Commit.
C. Choose the URL categories in the User Credential Submission column and set the action to block. Select
the URL Filtering settings and enable Domain Credential Filter. Commit.
D. Choose the URL categories in the User Credential Submission column and set the action to block. Select
the User Credential Detection tab and select Use Domain Credential Filter. Commit.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Credential phishing prevention works by scanning username and password submissions to
websites and comparing those submissions to known corporate credentials. You can configure solutions
that detect and prevent credential phishing using URL filtering profiles and User-ID agents.

QUESTION 218
An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

A. Inherit settings from the Shared group
B. Inherit IPSec crypto profiles
C. Inherit all Security policy rules and objects
D. Inherit parent Security policy rules and objects

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: B. Inherit IPSec crypto profiles
This is correct because IPSec crypto profiles are one of the objects that can be inherited from a parent
device group 1. You can also create IPSec crypto profiles for use in shared or device group policy 1.
D. Inherit parent Security policy rules and objects
This is correct because Security policy rules and objects are also inheritable from a parent device group 1.
You can also create Security policy rules and objects for use in shared or device group policy 1.

QUESTION 219
A security engineer received multiple reports of an IPSec VPN tunnel going down the night before. The
engineer couldn't find any events related to VPN under system logs.

What is the likely cause?

A. Dead Peer Detection is not enabled.
B. Tunnel Inspection settings are misconfigured.
C. The Tunnel Monitor is not configured.
D. The log quota for GTP and Tunnel needs to be adjusted

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: This means that the firewall does not have a mechanism to monitor the status of the IPSec
VPN tunnel and generate logs when it goes down or up. The Tunnel Monitor is an optional feature that can
be enabled on each IPSec tunnel interface and it uses ICMP probes to check the connectivity of the tunnel
peer. If the firewall does not receive a response from the peer after a specified number of retries, it marks
the tunnel as down and logs an event 1.

QUESTION 220
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?

A. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and
reboot.
B. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
C. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and
reboot.
D. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and
reboot

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then
commit and reboot 1. This means that the administrator can enable advanced routing features such as RIB
filtering, BFD, multicast, and redistribution profiles for each virtual router on the firewall. The firewall
requires a reboot after enabling advanced routing to apply the changes.

QUESTION 221
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New
Application to monitor new applications on the network and better assess any Security policy updates the
engineer might want to make.

How does the firewall identify the New App-ID characteristic?

A. It matches to the New App-IDs downloaded in the last 30 days.
B. It matches to the New App-IDs downloaded in the last 90 days
C. It matches to the New App-IDs installed since the last time the firewall was rebooted
D. It matches to the New App-IDs in the most recently installed content releases.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: When creating a new App-ID report under Monitor > Reports > Application Reports > New
Application, the firewall identifies new applications based on the New App-IDs in the most recently installed
content releases. The New App-IDs are the application signatures that have been added in the latest
content release, which can be found under Objects > Security Profiles > Application. This allows the
engineer to monitor any new applications that have been added to the firewall's database and evaluate
whether to allow or block them with a Security policy update.

QUESTION 222
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the
proxy.
C. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
D. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the
outgoing request

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 223
What is the best definition of the Heartbeat Interval?

A. The interval in milliseconds between hello packets
B. The frequency at which the HA peers check link or path availability
C. The frequency at which the HA peers exchange ping
D. The interval during which the firewall will remain active following a link monitor failure

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: According to the Palo Alto Networks Knowledge Base, the best definition of the Heartbeat
Interval is A. The interval in milliseconds between hello packets. The Heartbeat Interval is a CLI command
that configures how often an HA peer sends an ICMP ping to its partner through the HA control link. The
ping verifies network connectivity and ensures that the peer kernel is responsive. The default value is
1000ms for all Palo Alto Networks platforms.

QUESTION 224
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses
to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange
servers, which can provide logs for login events.

All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft
Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in
192.168.28.48/28.

What information does the administrator need to provide in the User Identification > Discovery section?

A. The IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for
each of the six servers
B. Network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28
with server type Microsoft Exchange
C. Network 192.168.28.32/27 with server type Microsoft
D. One IP address of a Microsoft Active Directory server and "Auto Discover" enabled to automatically
obtain all five of the other servers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The administrator needs to provide the IP address and corresponding server type (Microsoft
Active Directory or Microsoft Exchange) for each of the six servers in the User Identification > Discovery
section. The administrator should enter the network address of 192.168.28.32/28 and select "Microsoft
Active Directory" as the server type for the four Active Directory servers and enter the network address of
192.168.28.48/28 and select "Microsoft Exchange" as the server type for the two Exchange servers. This
will allow the User-ID agent to discover and map the IP address of each server to the corresponding
username.

QUESTION 225
A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward
Secrecy) needs to be enabled.

What action should the engineer take?

A. Add an authentication algorithm in the IPSec Crypto profile.
B. Enable PFS under the IPSec Tunnel advanced options.
C. Select the appropriate DH Group under the IPSec Crypto profile.
D. Enable PFS under the IKE gateway advanced options

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 226
A network security engineer configured IP multicast in the virtual router to support a new application. Users
in different network segments are reporting that they are unable to access the application.

What must be enabled to allow an interface to forward multicast traffic?

A. IGMP
B. PIM
C. BFD
D. SSM

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: PIM (Protocol Independent Multicast) is a protocol that enables routers to forward multicast
traffic efficiently based on the source and destination addresses. PIM can operate in two modes: sparse
mode (PIM-SM) or dense mode (PIM-DM). PIM-SM uses a rendezvous point (RP) as a central point for
distributing multicast traffic, while PIM-DM uses flooding and pruning techniques. To allow the interface to
forward multicast traffic, enable PIM on the interface, which allows routers to forward multicast traffic
using either sparse mode or dense mode depending on your network topology and requirements.

QUESTION 227
A super user is tasked with creating administrator accounts for three contractors. For compliance
purposes, all three contractors will be working with different device-groups in their hierarchy to deploy
policies and objects.

Which type of role-based access is most appropriate for this project?

A. Create a Dynamic Admin with the Panorama Administrator role.
B. Create a Device Group and Template Admin.
C. Create a Custom Panorama Admin.
D. Create a Dynamic Read only superuser

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: A Custom Panorama Admin is a type of role-based access that allows a super user to create
separate Panorama administrator accounts for each of the three contractors. This will allow each
contractor to work with different device-groups in their hierarchy and deploy policies and objects in
accordance with the organization's compliance requirements. The Custom Panorama Admin role also
allows the super user to assign separate permissions to each contractor's account, granting them access
to only the resources they are authorized to use. This type of role-based access is the most appropriate for
this project as it will ensure that each contractor is only able to access the resources they need in order to
do their job.

QUESTION 228
An engineer receives reports from users that applications are not working and that websites are only
partially loading in an asymmetric environment. After investigating, the engineer observes the
flow_tcp_non_syn_drop counter increasing in the show counters global output.

Which troubleshooting command should the engineer use to work around this issue?

A. set deviceconfig setting tcp asymmetric-path drop
B. set deviceconfig setting session tcp-reject-non-syn no
C. set session tcp-reject-non-syn yes
D. set deviceconfig setting tcp asymmetric-path bypass

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: To work around this issue, one possible troubleshooting command is set deviceconfig setting
session tcp-reject-non-syn no, which disables TCP reject non-SYN temporarily (until reboot). This
command allows non-SYN first packet through without dropping it. The flow_tcp_non_syn_drop counter
increases when the firewall receives packets with the ACK flag set, but not the SYN flag, which indicates
asymmetric traffic flow. The tcp-reject-non-syn option enables or disables the firewall to drop non-SYN
TCP packets. In this case, disabling the tcp-reject-non-syn option using the "set deviceconfig setting
session tcp-reject-non-syn no" command can help work around the issue. This allows the firewall to accept
non-SYN packets and create a session for the existing flow.

QUESTION 229
In an existing deployment, an administrator with numerous firewalls and Panorama does not see any
WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall,
WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is
missing?

A. Threat logs
B. Traffic logs
C. System logs
D. WildFire logs

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: When an administrator has numerous firewalls and Panorama, WildFire logs need to be
forwarded from the firewalls to Panorama in order for them to be visible in Panorama. WildFire logs contain
information about malicious files that have been detected by WildFire and provide detailed information
such as the file's hash value, severity, and other attributes. This information can then be used to help
identify threats and take appropriate security measures. Proper configuration of forwarding WildFire logs is
essential for monitoring malicious activity and ensuring the security of the network.

QUESTION 230
Which source is the most reliable for collecting User-ID user mapping?

A. GlobalProtect
B. Microsoft Active Directory
C. Microsoft Exchange
D. Syslog Listener

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: User-ID identifies and controls users on the network by username rather than by IP address,
and user mapping is the process of learning which IP address belongs to which user from various sources.
GlobalProtect is the most reliable source: the GlobalProtect app authenticates the user and reports the
username and the assigned IP address directly to the gateway firewall when the tunnel is established, so
no probing or log monitoring of other systems is needed, and the mapping follows roaming users and
dynamic IP address changes. Active Directory security-event monitoring, Exchange server monitoring and
syslog listeners infer mappings from events on other systems and can be incomplete or stale.

QUESTION 231
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
A. Cortex Data Lake
B. Panorama
C. On Palo Alto Networks Update Servers
D. M600 Log Collectors

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: Device Telemetry data is sent to and stored in Cortex Data Lake, the cloud-based service that
collects and stores logs from firewalls and other sources and feeds the applications that analyze and
visualize them. Device Telemetry requires a device certificate installed on the firewall: the certificate
authenticates the firewall to Cortex Data Lake, and the telemetry is sent over an encrypted connection.

QUESTION 232
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)

A. PA-5000 Series
B. PA-500
C. PA-800 Series
D. PA-220
E. PA-3400 Series

Correct Answer: CDE
Section: (none)
Explanation

Explanation/Reference:
Explanation: According to the Palo Alto Networks Compatibility Matrix, the PA-800 Series, the PA-220 and
the PA-3400 Series support PAN-OS 10.2. The PA-5000 Series and the PA-500 do not; both reached end of
support on earlier releases. To upgrade firewalls to PAN-OS 10.2 from Panorama, determine the upgrade
path, upgrade Panorama itself first (Panorama must run the same or a later release than the firewalls it
manages), and then push the software to the firewalls from Panorama > Device Deployment > Software.

QUESTION 233
An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it
is egressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

A. High availability (HA)
B. Layer 2
C. Virtual Wire
D. Tap
E. Layer 3

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation: SSL Forward Proxy lets the firewall decrypt and inspect outbound SSL/TLS traffic from internal
users to external servers. The firewall acts as a man-in-the-middle proxy: it generates a new certificate for
the accessed site, signed by its forward trust CA, and presents it to the client during the handshake.
SSL Forward Proxy can be configured on the interface types that carry traffic through the firewall and
support Security policy: Layer 2, Virtual Wire and Layer 3 interfaces, on which the firewall can apply
Security profiles and URL Filtering to the decrypted traffic. A Tap interface only receives a copy of the
traffic and cannot modify the session, and HA interfaces carry no user traffic, so neither supports decryption.

QUESTION 234
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy
feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the IP address of the
web server and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

A. DNS proxy
B. Explicit proxy
C. SSL forward proxy
D. Transparent proxy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: A transparent proxy intercepts and redirects HTTP and HTTPS requests without any
configuration on the client browser. The firewall sits in the path as a gateway between the client and the
web server and applies its security checks to the traffic. With a transparent proxy on PAN-OS 11.0
firewalls, the organization can migrate from its existing web proxy architecture without changing the
network topology or the client settings: requests still carry the IP address of the web server and are
redirected to the proxy, exactly as before.
Answer A is not correct because a DNS proxy is not a web proxy at all; it relays DNS queries from clients
to the configured DNS servers and does not redirect HTTP or HTTPS requests. Answer B is not correct
because an explicit proxy requires the client browser to be configured with the proxy address, so requests
are addressed to the proxy rather than to the web server.

QUESTION 235
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and
choose from a list of usernames and user groups directly inside the Panorama policies when creating new
security rules.

How can this be achieved?

A. By configuring Data Redistribution Client in Panorama > Data Redistribution
B. By configuring User-ID source device in Panorama > Managed Devices
C. By configuring User-ID group mapping in Panorama > User Identification
D. By configuring Master Device in Panorama > Device Groups

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: User-ID group mapping lets Panorama retrieve user and group information directly from a
directory service such as Active Directory over LDAP (Panorama > User Identification, using an LDAP
server profile), so that group membership can be enforced in Security policy. Once group mapping is
configured and the groups have been retrieved, usernames and user groups can be browsed and selected
directly in Panorama's policy rules when creating new Security rules, without depending on a managed
firewall to supply them.

QUESTION 236
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a
commit/push is successful without duplicating local configurations?
A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewall.
C. Perform the Export or push Device Config Bundle to the newly managed firewall.
D. Push the Device Group first, then push Template to the newly managed firewall

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: After a firewall's configuration is imported into Panorama (Panorama > Setup > Operations >
Import device configuration to Panorama), the firewall still holds its original local configuration, so pushing
the imported template and device group would duplicate it and the commit would fail. The Export or push
device config bundle operation generates a configuration bundle for that firewall from which the settings
now managed by Panorama have been removed, and pushes (or exports) it to the firewall, so that the
subsequent template and device group pushes apply cleanly without duplicate objects or rules.

QUESTION 237
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a
specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these
rules?

A. A service route to the LDAP server
B. A Master Device
C. Authentication Portal
D. A User-ID agent on the LDAP server

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The Master Device (Panorama > Device Groups > [device group] > Master Device) is the
managed firewall from which Panorama pulls User-ID user and group information, so that usernames and
groups can be selected in the device group's rules; the chosen firewall must itself have group mapping
configured. Panorama can also retrieve groups on its own through group mapping under Panorama > User
Identification, but of the listed options only the Master Device provides the information. A service route only
selects the interface a device uses to reach a service, and Authentication Portal and User-ID agents
collect IP-to-user mappings, not the group membership the rules need.

QUESTION 238
An engineer is tasked with configuring SSL forward proxy for traffic going to external sites.

Which of the following statements is consistent with SSL decryption best practices?

A. The forward trust certificate should not be stored on an HSM.
B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.
C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL
decryption
D. The forward untrust certificate should not be signed by a Trusted Root CA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: SSL forward proxy decrypts and inspects SSL/TLS traffic going to external sites; the firewall
acts as a proxy between the client and the server and generates a certificate on the fly for each site. The
best practices are: sign the forward trust certificate with an enterprise CA (or generate a subordinate CA
certificate) that the clients trust, so sites with valid certificates open without warnings; use a forward
untrust certificate that clients do not trust, i.e. one that is not signed by a trusted root CA, so that a
server presenting an invalid or untrusted certificate still produces a browser warning instead of being
made to look trusted; never use a single certificate for both roles; and keep the private keys on an HSM
where one is available.

QUESTION 239
Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

A. Video Streaming Application
B. Destination Domain
C. Client Application Process
D. Source Domain
E. URL Category

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The GlobalProtect gateway supports split tunneling by access route (include or exclude
destination subnets), by destination domain and client application process, and by excluding HTTP/HTTPS
video streaming traffic from the tunnel. Source domain and URL category are not split tunnel criteria.

QUESTION 240
An engineer discovers the management interface is not routable to the User-ID agent

What configuration is needed to allow the firewall to communicate to the User-ID agent?

A. Create a NAT policy for the User-ID agent server
B. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP
C. Create a custom service route for the UID Agent
D. Add a static route to the virtual router

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: To allow the firewall to reach the User-ID agent, configure a custom service route for the UID
Agent service (Device > Setup > Services > Service Route Configuration > Customize). A service route
specifies which interface and source IP address the firewall uses to connect to a given service. By default
the firewall uses its management interface for services such as User-ID; when the agent is not routable
from the management network, the service route lets the firewall use a data-plane interface that is. NAT
and PBF rules govern transit traffic, not connections the firewall itself originates, and a static route in the
virtual router does not apply to traffic sourced from the management interface.

QUESTION 241
Which log type will help the engineer verify whether packet buffer protection was activated?

A. Data Filtering
B. Configuration
C. Threat
D. Traffic

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: When packet buffer protection activates, the firewall records it in the Threat log: the entries
have the type flood and a threat name that refers to packet buffer protection, and they show the source
address and the action taken (for example when sessions are discarded or a source is blocked). Packet
buffer protection is triggered by buffer utilization rather than by a signature match, but it still logs to the
Threat log. The Traffic, Configuration and Data Filtering logs carry no record of it.

QUESTION 242
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination
domain, and application?

A. No Direct Access to local networks
B. Tunnel mode
C. IPSec mode
D. Satellite mode

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Split tunneling is part of the gateway's tunnel settings, so Tunnel Mode must be enabled on
the gateway agent configuration (Network > GlobalProtect > Gateways > Agent > Tunnel Settings). Once it
is, the Split Tunnel tab lets you include or exclude access routes, destination domains and client
applications from the VPN tunnel.

QUESTION 243
Which three multi-factor authentication methods can be used to authenticate access to the firewall?
(Choose three.)

A. One-time password
B. User certificate
C. Voice
D. SMS
E. Fingerprint

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation: The firewall integrates with MFA vendors (for example Duo, Okta, PingID and RSA SecurID)
through MFA server profiles, and the factors it can prompt the user for are push, SMS, voice and one-time
password (OTP). A user certificate is a separate certificate-based authentication method rather than an
MFA factor delivered through an MFA server profile, and the firewall has no fingerprint factor.

QUESTION 244
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at
the threat logs and seeing many flood attacks coming from a single source that are dropped by the
firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer
utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?

A. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.
B. Enable packet buffer protection for the affected zones.
C. Add a Zone Protection profile to the affected zones.
D. Apply DOS profile to security rules allow traffic from outside.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection

QUESTION 245
Which CLI command displays the physical media that are connected to ethernet1/8?

A. > show system state filter-pretty sys.s1.p8.stats
B. > show system state filter-pretty sys.s1.p8.phy
C. > show interface ethernet1/8
D. > show system state filter-pretty sys.s1.p8.med

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The .phy key of the port holds the physical-layer information, including the media type. For
ethernet1/8 the key is sys.s1.p8.phy (slot 1, port 8). Example output for ethernet1/1 from the KB article:
> show system state filter-pretty sys.s1.p1.phy

sys.s1.p1.phy: {
link-partner: { },
media: CAT5,
type: Ethernet,
}
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC
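As an added example (not from the original question set or from Palo Alto Networks), the following Python builds the show system state key for any ethernetS/P interface and pulls the media type out of the brace-formatted output the KB article shows. The sample output is constructed in that shape, not captured from a device, and the slot/port naming it assumes is the one PAN-OS uses for fixed ports.

```python
import re

# Constructed sample in the shape 'show system state filter-pretty' prints; not from a real device.
SAMPLE_PHY_OUTPUT = """sys.s1.p8.phy: {
    link-partner: { },
    media: CAT5,
    type: Ethernet,
}"""


def state_key_for_interface(ifname: str, suffix: str = "phy") -> str:
    """Map 'ethernet<slot>/<port>' to the sys.s<slot>.p<port>.<suffix> key
    that 'show system state' uses (ethernet1/8 -> sys.s1.p8.phy).
    Anything that is not a plain ethernetS/P name is rejected."""
    m = re.fullmatch(r"ethernet(\d+)/(\d+)", ifname)
    if not m:
        raise ValueError(f"unsupported interface name: {ifname}")
    slot, port = m.groups()
    return f"sys.s{slot}.p{port}.{suffix}"


def cli_command(ifname: str) -> str:
    """The command to paste into the CLI for the given interface."""
    return f"show system state filter-pretty {state_key_for_interface(ifname)}"


def parse_phy_block(text: str) -> dict:
    """Flatten the top-level scalar fields of a pretty-printed state block
    into a dict. Nested objects such as link-partner are skipped, and the
    header line 'sys.s1.p8.phy: {' has dots in its key so it does not match."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*?),?\s*$", line)
        if not m or m.group(2).startswith("{"):
            continue
        fields[m.group(1)] = m.group(2)
    return fields


def physical_media(text: str) -> str:
    """Return the media value (CAT5, SFP+, ...) or 'unknown' if absent."""
    return parse_phy_block(text).get("media", "unknown")


if __name__ == "__main__":
    print(cli_command("ethernet1/8"))
    print("media:", physical_media(SAMPLE_PHY_OUTPUT))
```

Run it against the text pasted from a real session; the "unknown" result flags a port whose block has no media line (for example an empty SFP cage) instead of crashing the check.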

QUESTION 246

Which timer determines how long the passive firewall will wait before taking over as the active firewall after
losing communications with the HA peer?

A. Heartbeat Interval
B. Additional Master Hold Up Time
C. Promotion Hold Time
D. Monitor Fail Hold Up Time

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Promotion Hold Time is the time the passive (or, in active/active, the active-secondary)
firewall waits before taking over as active after communications with the HA peer have been lost. The
Heartbeat Interval only sets how often the peers exchange heartbeat messages over the HA1 control link.
The Monitor Fail Hold Up Time delays failover after a link or path monitor failure, and the Additional Master
Hold Up Time adds to that delay only on the active (or active-primary) firewall, to avoid both peers failing
over at the same time.

QUESTION 247
Which operation will impact the performance of the management plane?

A. Enabling DoS protection.
B. Enabling packet buffer protection.
C. Decrypting SSL sessions.
D. Generating a Saas Application report.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Reports are generated by the management plane, so running a large SaaS Application Usage report
consumes management-plane CPU and memory. DoS protection, packet buffer protection and SSL
decryption are enforced on the data plane.

QUESTION 248
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

A. Tunnel inspection.
B. NAT.
C. QoS.
D. DOS protection.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Similar to how User-ID provides user-based policy rules and App-ID provides app-based policy rules,
Device-ID provides policy rules that are based on a device, regardless of changes to its IP address or
location. By providing traceability for devices and associating network events with specific devices, Device-
ID lets you gain context for how events relate to devices and adds policy rules that are associated with
devices, instead of users, locations, or IP addresses, which can change over time. You can use Device-ID
in Security, Decryption, Quality of Service (QoS), and Authentication policies.

QUESTION 249
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)

A. Virtual Wire
B. Layer 2
C. Layer 3
D. TAP

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces
QUESTION 250
Why would a traffic log list an application as "not-applicable"?

A. There was not enough application data after the TCP connection was established.
B. The TCP connection terminated without identifying any application data.
C. The firewall denied the traffic before the application match could be performed.
D. The application is not a known Palo Alto Networks App-ID.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
If traffic hits a security rule that's set to "deny," based on any parameter before the application, the traffic
log shows the application as not-applicable. This occurs because the traffic was dropped or denied before
the application match could be performed.

QUESTION 251
What must be configured to apply tags automatically based on User-ID logs?

A. Device ID.
B. Log settings.
C. Group mapping.
D. Log Forwarding profile.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

QUESTION 252
An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer
verify whether packet buffer protection was activated?

A. Configuration.
B. Data Filtering.
C. Traffic.
D. Threat.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4

QUESTION 253
Information Security is enforcing group-based policies by using security-event monitoring on Windows
User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a
gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users
were authenticating via RADIUS and that authentication events were not captured on the domain
controllers that were being monitored. Information Security found that authentication events existed on the
Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and
the IDM solution. How can Information Security extract and learn IP-to-user mapping information from
authentication events for VPN and wireless users?

A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the
IDM solution.
C. Add domain controllers that might be missing to perform security-event monitoring for VPN and
wireless users.
D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for
IP-to-User mapping.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To obtain user mappings from existing network services that authenticate users, such as wireless
controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control
(NAC) mechanisms, Configure User-ID to Monitor Syslog Senders for User Mapping.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users
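As an added example (not part of the original question set or of PAN-OS), the following Python mimics what a syslog parse profile does on the integrated User-ID agent: an event regex selects the authentication event, and separate username and address regexes extract the two fields that make up the mapping. The RADIUS-accounting-style message format, host names and users are constructed for the example; a real profile needs regexes written against the IDM product's actual message format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed RADIUS-accounting-style messages in a hypothetical format; the host,
# NAS and user names are invented for the example.
SAMPLE_SYSLOG = [
    "<134>Mar  3 10:15:01 idm01 radiusd: Accounting-Start user=jsmith framed-ip=10.20.30.41 nas=vpn-gw1",
    "<134>Mar  3 10:15:07 idm01 radiusd: Accounting-Start user=CORP\\akhan framed-ip=10.20.31.9 nas=wlc1",
    "<134>Mar  3 10:16:00 idm01 radiusd: Access-Reject user=mallory framed-ip=10.20.30.99 nas=vpn-gw1",
    "<134>Mar  3 10:20:00 idm01 radiusd: Accounting-Stop user=jsmith framed-ip=10.20.30.41 nas=vpn-gw1",
]


@dataclass(frozen=True)
class SyslogParseProfile:
    """The three regex fields of a PAN-OS syslog parse profile: the event regex
    selects the line, the other two extract the username and the IP address."""
    event_regex: str
    username_regex: str
    address_regex: str


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
LOGIN_PROFILE = SyslogParseProfile(r"Accounting-Start", r"user=(\S+)", r"framed-ip=" + IPV4)
LOGOUT_PROFILE = SyslogParseProfile(r"Accounting-Stop", r"user=(\S+)", r"framed-ip=" + IPV4)


def extract_mapping(profile: SyslogParseProfile, message: str) -> Optional[Tuple[str, str]]:
    """Return (ip, username) if the message matches the profile's event regex
    and both fields can be extracted, else None. A failed login (Access-Reject)
    never matches the login event regex, so it never creates a mapping."""
    if not re.search(profile.event_regex, message):
        return None
    user = re.search(profile.username_regex, message)
    addr = re.search(profile.address_regex, message)
    if not (user and addr):
        return None
    return addr.group(1), user.group(1)


def build_mappings(messages: List[str], login: SyslogParseProfile,
                   logout: SyslogParseProfile) -> Dict[str, str]:
    """Replay messages in order: logins add or overwrite the IP's mapping,
    logouts remove it, anything else is ignored."""
    mappings: Dict[str, str] = {}
    for msg in messages:
        hit = extract_mapping(login, msg)
        if hit:
            ip, user = hit
            mappings[ip] = user
            continue
        hit = extract_mapping(logout, msg)
        if hit:
            mappings.pop(hit[0], None)
    return mappings


if __name__ == "__main__":
    print(build_mappings(SAMPLE_SYSLOG, LOGIN_PROFILE, LOGOUT_PROFILE))
```

The point to check when building the real profile is the one the sample exercises: the event regex must match only successful authentications (accounting start or access accept), otherwise rejected attempts would map an attacker's chosen username to an address. Two profiles, one for login and one for logout events, mirror the firewall's separate login and logout parse configuration.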

QUESTION 254
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?

A. IKE Crypto Profile.
B. Security policy.
C. Proxy-IDs.
D. PAN-OS versions.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS

QUESTION 255
An administrator notices that an interface configuration has been overridden locally on a firewall. They
require all configuration to be managed from Panorama and overrides are not allowed. What is one way
the administrator can meet this requirement?

A. Reload the running configuration and perform a Firewall local commit.
B. Perform a commit force from the CLI of the firewall.
C. Perform a template commit push from Panorama using the "Force Template Values" option.
D. Perform a device-group commit push from Panorama using the "Include Device and Network
Templates" option.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The network settings are under the templates and you would need to force the template values to clear out
the local change.

QUESTION 256
An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not
match any QoS classes, what default class is assigned?

A. 1
B. 2
C. 3
D. 4

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes

QUESTION 257
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama
manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template
configuration is managed solely within Panorama. They notice that commit times have drastically
increased for the PA-220s after the migration. What can they do to reduce commit times?

A. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
B. Perform a device group push using the "merge with device candidate config" option.
C. Update the apps and threat version using device-deployment.
D. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama
config.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

QUESTION 258
An engineer manages a high availability network and requires fast failover of the routing protocols. The
engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.)

A. OSPF
B. IGRP
C. OSPFv3 Virtual Link
D. BGP
E. RIP

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols

QUESTION 259
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

A. Deny
B. Allow
C. Discard
D. Next VR

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule

QUESTION 260
To ensure that a Security policy has the highest priority, how should an administrator configure a Security
policy in the device group hierarchy?

A. Clone the security policy and add it to the other device groups.
B. Add the policy to the target device group and apply a master device to the device group.
C. Reference the targeted device's templates in the target device group.
D. Add the policy in the shared device group as a pre-rule.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 261
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN- OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the
outgoing request.
D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the
proxy.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy

QUESTION 262
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also
plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the
original destination IP address and translated destination IP address configured for the rule. The engineer
wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10. What should the engineer do to
complete the configuration?

A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the
NAT rule with the direction Forward.
B. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the
destination port equal to UDP/53.
C. Enable DNS rewrite under the destination address translation in the Translated Packet section of the
NAT rule with the direction Reverse.
D. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the
destination port equal to UDP/53.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
With DNS rewrite in the Forward direction, a DNS response that matches the rule's Original Destination
Address (1.1.1.10) is rewritten to the Translated Destination Address (192.168.1.10), which is what the
engineer wants. Reverse does the opposite: a response containing 192.168.1.10 would become 1.1.1.10.
The rewrite is a setting of the destination NAT rule itself, so no extra U-Turn NAT rule for UDP/53 is needed.
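As an added example (not from the original question set or from Palo Alto Networks code), the Python below models the documented DNS rewrite semantics for a destination NAT rule with single host addresses, so the Forward/Reverse choice can be checked against expected answers before committing. It handles host addresses only; rules that translate whole subnets are outside what this example assumes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DestinationNatRule:
    """Destination translation part of a NAT rule: one host address in, one
    host address out, plus the DNS rewrite direction (None = rewrite disabled).
    Single host addresses only (an assumption of this example)."""
    original_destination: str
    translated_destination: str
    dns_rewrite: Optional[str] = None  # "forward" or "reverse"


def rewrite_answer(rule: DestinationNatRule, answer_ip: str) -> str:
    """Forward: an answer equal to the Original Destination becomes the
    Translated Destination. Reverse: an answer equal to the Translated
    Destination becomes the Original Destination. Anything else is untouched."""
    if rule.dns_rewrite == "forward" and answer_ip == rule.original_destination:
        return rule.translated_destination
    if rule.dns_rewrite == "reverse" and answer_ip == rule.translated_destination:
        return rule.original_destination
    return answer_ip


def rewrite_response(rule: DestinationNatRule, answers: List[str]) -> List[str]:
    """Apply the rewrite to every A record in a response, preserving order."""
    return [rewrite_answer(rule, a) for a in answers]


# The rule from the question, with each direction choice
FORWARD_RULE = DestinationNatRule("1.1.1.10", "192.168.1.10", "forward")
REVERSE_RULE = DestinationNatRule("1.1.1.10", "192.168.1.10", "reverse")


if __name__ == "__main__":
    response = ["1.1.1.10", "1.1.1.11"]  # constructed DNS answers
    print("forward:", rewrite_response(FORWARD_RULE, response))
    print("reverse:", rewrite_response(REVERSE_RULE, response))
```

The second print is the misconfiguration the question is about: with Reverse selected, the 1.1.1.10 answer passes through unchanged because Reverse only rewrites answers that already contain the translated address.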

QUESTION 263
An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state
describes the firewall that is experiencing a failure of a monitored path?

A. Initial
B. Passive
C. Active-secondary
D. Tentative

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
State of a firewall (in an active/active configuration) caused by one of the following:
- Failure of a firewall.
- Failure of a monitored object (a link or path).
- The firewall leaves suspended or non-functional state.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-firewall-states

QUESTION 264
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks
Best Practices for Anti-Spyware Profiles. For which three severity levels should single- packet captures be
enabled to meet the Best Practice standard? (Choose three.)

A. Critical
B. High
C. Medium
D. Informational
E. Low

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The best practice Anti-Spyware profile uses single-packet capture for critical, high and medium severity
events (with the action reset-both) and disables packet capture for low and informational events, because
captures of low-severity events are of little value compared to those of higher severity events and generate
a relatively high volume of low-value traffic; too much packet capture traffic can also result in dropped
packet captures. Extended-capture for critical, high and medium with single-packet capture for low is the
Vulnerability Protection best practice, not the Anti-Spyware one.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection
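As an added example (not from the original question set or from Palo Alto Networks), the following Python audits an Anti-Spyware profile against the packet capture best practice above. The XML shape (entry/rules/entry with severity/member children and a packet-capture element) is assumed to follow a PAN-OS configuration export and should be checked against a real one, as is the assumption that a rule with no packet-capture element behaves as disable; the sample profile is constructed to contain deviations.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Best-practice packet capture setting per severity for an Anti-Spyware profile
BEST_PRACTICE_PCAP = {
    "critical": "single-packet",
    "high": "single-packet",
    "medium": "single-packet",
    "low": "disable",
    "informational": "disable",
}

# Constructed profile; the element names are assumed to follow a PAN-OS
# configuration export and should be verified against a real one.
SAMPLE_PROFILE_XML = """
<entry name="audit-me">
  <rules>
    <entry name="crit-high-med">
      <severity><member>critical</member><member>high</member><member>medium</member></severity>
      <action><reset-both/></action>
      <packet-capture>disable</packet-capture>
    </entry>
    <entry name="low-info">
      <severity><member>low</member><member>informational</member></severity>
      <action><default/></action>
      <packet-capture>single-packet</packet-capture>
    </entry>
    <entry name="no-pcap-element">
      <severity><member>critical</member></severity>
      <action><reset-both/></action>
    </entry>
  </rules>
</entry>
"""

Finding = Tuple[str, str, str, str]  # (rule name, severity, configured, expected)


def audit_packet_capture(profile_xml: str) -> List[Finding]:
    """Return one finding per (rule, severity) whose packet-capture setting
    deviates from BEST_PRACTICE_PCAP. A rule with no packet-capture element is
    treated as 'disable' (assumed to be the default for a new rule). Severities
    not in the table, e.g. 'any', are not judged."""
    root = ET.fromstring(profile_xml)
    findings: List[Finding] = []
    for rule in root.findall("./rules/entry"):
        configured = rule.findtext("packet-capture", default="disable")
        for member in rule.findall("./severity/member"):
            severity = (member.text or "").strip()
            expected = BEST_PRACTICE_PCAP.get(severity)
            if expected is not None and configured != expected:
                findings.append((rule.get("name", "?"), severity, configured, expected))
    return findings


if __name__ == "__main__":
    for rule_name, severity, configured, expected in audit_packet_capture(SAMPLE_PROFILE_XML):
        print(f"{rule_name}: {severity} has packet-capture={configured}, best practice is {expected}")
```

Feed it the profile entry exported from the firewall or Panorama; an empty list means every severity the rules cover matches the best practice, and each finding names the rule to correct.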

QUESTION 265
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an
administrator to compare?

A. Applications configured in the rule with their dependencies.
B. The security rule with any other security rule selected.
C. Applications configured in the rule with applications seen from traffic matching the same rule.
D. The running configuration with the candidate configuration of the firewall.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/cloud-based-app-id-service/new-app-viewer-policy-optimizer

QUESTION 266
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

A. Number of security zones in decryption policies.
B. Encryption algorithm.
C. TLS protocol version.
D. Number of blocked sessions.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

QUESTION 267
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent?
(Choose two.)

A. LDAP
B. Log Ingestion
C. HTTP
D. Log Forwarding

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

QUESTION 268
Which three authentication types can be used to authenticate users? (Choose three.)

A. Local database authentication.
B. PingID.
C. Kerberos single sign-on.
D. GlobalProtect client.
E. Cloud authentication service.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The PAN-OS authentication types are local database authentication; the external services LDAP, RADIUS,
TACACS+, Kerberos (including Kerberos single sign-on) and SAML; multi-factor authentication; and the
Cloud Authentication Service. PingID is one of the MFA vendors the firewall integrates with, not an
authentication type, and the GlobalProtect client is a consumer of authentication rather than a type.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/authentication/authentication-types

QUESTION 269
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a
commit/push is successful without duplicating local configurations?

A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewall.
C. Push the Device Group first, then push Template to the newly managed firewall.
D. Perform the Export or push Device Config Bundle to the newly managed firewall.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 270
An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding
defined bandwidth. Which QoS setting should the engineer adjust?

A. QoS interface: Egress Guaranteed
B. QoS profile: Egress Max
C. QoS profile: Egress Guaranteed
D. QoS interface: Egress Max

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-bandwidth-management

QUESTION 271
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a
specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group
information for use in these rules?

A. A service route to the LDAP server.
B. A Master Device.
C. Authentication Portal.
D. A User-ID agent on the LDAP server.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Master Device (Panorama > Device Groups > [device group] > Master Device) is the managed firewall
from which Panorama pulls User-ID user and group information, so that usernames and groups can be
selected in the device group's rules; the chosen firewall must itself have group mapping configured.
Panorama can also retrieve groups on its own through group mapping under Panorama > User
Identification, but of the listed options only the Master Device provides the information. A service route
selects the interface a device uses to reach a service, and Authentication Portal and User-ID agents collect
IP-to-user mappings, not the group membership the rules need. Defining an LDAP server profile and an
authentication profile on Panorama configures administrator authentication, which is a separate matter.

QUESTION 272
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama.
In which section is this configured?

A. Monitor -> Logs -> System
B. Objects -> Log Forwarding
C. Device -> Log Settings
D. Panorama -> Managed Devices

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama

QUESTION 273
An engineer is tasked with configuring SSL forward proxy for traffic going to external sites. Which of the
following statements is consistent with SSL decryption best practices?

A. The forward trust certificate should not be stored on an HSM.
B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.
C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL
decryption.
D. The forward untrust certificate should not be signed by a Trusted Root CA.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The forward untrust certificate must not be trusted by the clients, so that a server with an invalid or
untrusted certificate still produces a browser warning after decryption. The forward trust certificate is the
one signed by a CA the clients trust, the two roles must use different certificates, and an HSM is the
recommended place for the private keys.

QUESTION 274
The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by
upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on
Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

A. GlobalProtect agent version.
B. Outdated plugins.
C. Management only mode.
D. Expired certificates.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Before you upgrade Panorama to a new PAN-OS release (PAN-OS 10.2 in this scenario), every plugin installed
on Panorama must already be at a version that is supported on the target release; an outdated plugin causes
the install to fail. Check the Panorama plugins Compatibility Matrix for the supported versions before
starting.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-panorama-plugins/panorama-plugins-upgrade-downgrade-considerations

QUESTION 275
Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

A. Video Streaming Application
B. Destination Domain
C. Client Application Process
D. Source Domain
E. URL Category

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Besides the access route list (include or exclude routes), the GlobalProtect gateway supports three split
tunnel methods, configured under the gateway's Agent > Client Settings > Split Tunnel tabs:
- Destination Domain: include or exclude traffic by destination domain name.
- Client Application Process: include or exclude traffic generated by a named process on the endpoint.
- Video Streaming Application (Video Traffic tab): exclude video streaming traffic from the tunnel based on
predefined categories or custom URLs, which reduces latency and jitter for video.
Source Domain is not a split tunnel criterion, and URL Category is a URL Filtering construct, not a split tunnel
method.

QUESTION 276
A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in Transparent Proxy
mode. Which three elements must be in place before a transparent web proxy can function? (Choose
three.)

A. User-ID for the proxy zone.
B. DNS Security license.
C. Prisma Access explicit proxy license.
D. Cortex Data Lake license.
E. Authentication Policy Rule set to default-web-form.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy

QUESTION 277
Which log type will help the engineer verify whether packet buffer protection was activated?

A. Data Filtering
B. Configuration
C. Threat
D. Traffic

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Packet buffer protection events are recorded in the Threat log: when the feature activates against an abusive
session, or goes on to block the offending source IP address, the firewall writes a Threat log entry that
names packet buffer protection, so filtering Monitor > Logs > Threat for "packet buffer protection" verifies
that it fired and which action was taken. The Traffic, Configuration and Data Filtering logs carry no record of
it. (The System log additionally carries the packet buffer utilization alert events, but System is not among
the choices.)

QUESTION 278
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy
feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP
address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method
should be configured to maintain this type of traffic flow?

A. SSL forward proxy.


B. Explicit proxy.
C. Transparent proxy.
D. DNS proxy.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
For the transparent proxy method, the request contains the destination IP address of the web server and
the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is
no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID
configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not
support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy

QUESTION 279
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN- OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the
proxy.
C. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
D. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the
outgoing request.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Option B: With an explicit proxy the client browser (or the OS proxy setting) is configured with the proxy's IP
address and port, so the client knows the proxy exists; reachability of the proxy and the behaviour of
individual requests can be tested directly from the client. A transparent proxy is invisible to the client
browser, so a proxy failure looks like a generic site problem and is harder to diagnose. Option C: An explicit
proxy can handle HTTPS requests that use ports other than 443, which some applications or websites
require, whereas transparent proxy intercepts HTTPS traffic only on port 443. Option A is false: explicit
proxy is the method that requires client configuration.

QUESTION 280
Which three multi-factor authentication methods can be used to authenticate access to the firewall?
(Choose three.)

A. One-time password.
B. User certificate.
C. Voice.
D. SMS.
E. Fingerprint.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Through its MFA server integrations (Duo, Okta Adaptive, PingID and RSA SecurID Access) the firewall
supports four factors: push, SMS, voice and one-time password (OTP). Of the choices, OTP, voice and SMS
are therefore the supported methods. Fingerprint and other biometric factors are not supported by the
firewall. A user certificate is validated through a certificate profile as a separate authentication method (it
can be combined with a password, for example for administrator access), but it is not one of the MFA
factors.

QUESTION 281
An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits
of using nested device groups? (Choose two.)

A. Inherit settings from the Shared group.
B. Inherit IPSec crypto profiles.
C. Inherit all Security policy rules and objects.
D. Inherit parent Security policy rules and objects.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Device groups hold policies and objects. A nested (child) device group inherits the objects and the pre- and
post-rules of every ancestor device group and of Shared, so settings common to all firewalls are defined
once at the top of the hierarchy. Panorama evaluates the merged rulebase in a fixed order: Shared pre-rules,
then the pre-rules of each ancestor from the top down to the device group itself, then rules configured locally
on the firewall, then post-rules from the device group upward to Shared, and finally the default intrazone and
interzone rules. Option B is a distractor: IPSec crypto profiles are network settings (Network > Network
Profiles > IPSec Crypto) that Panorama pushes through templates and template stacks, not device groups.
Option C overstates inheritance; a child group inherits the rules of its ancestors, not every rule on Panorama.
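
To make the inheritance concrete, the following is an added example (my own Python model, not Panorama code
or a Palo Alto Networks API). It walks a constructed device group hierarchy (Shared > branches > branch-emea,
with invented rule and object names) and produces the order in which the firewall evaluates pre-rules, local
rules and post-rules, and resolves an object that a child group overrides.

```python
"""Rule ordering and object inheritance across nested Panorama device groups.

Added example (my own Python model, not Panorama code or a Palo Alto Networks API).
The hierarchy Shared > branches > branch-emea, the rule names and the object values
are constructed for illustration; the evaluation order is the documented one:
Shared pre-rules, ancestor pre-rules top-down, local firewall rules, post-rules
bottom-up to Shared, then the intrazone/interzone default rules.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHARED = "shared"

# child device group -> parent device group; Shared is the root of the hierarchy
HIERARCHY: Dict[str, str] = {
    "branches": SHARED,
    "branch-emea": "branches",
    "datacenter": SHARED,
}

@dataclass
class DeviceGroup:
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)
    objects: Dict[str, str] = field(default_factory=dict)   # object name -> value

# Constructed configuration
DEVICE_GROUPS: Dict[str, DeviceGroup] = {
    SHARED: DeviceGroup(
        pre_rules=["shared-block-known-bad"],
        post_rules=["shared-deny-any"],
        objects={"dns-servers": "10.0.0.53", "proxy": "10.0.0.8"},
    ),
    "branches": DeviceGroup(
        pre_rules=["branches-allow-sdwan-mgmt"],
        post_rules=["branches-log-drop"],
        objects={"proxy": "10.10.0.8"},      # overrides the Shared object of the same name
    ),
    "branch-emea": DeviceGroup(pre_rules=["emea-allow-local-printer"]),
    "datacenter": DeviceGroup(),
}

def ancestry(dg: str) -> List[str]:
    """Chain from the root down: [Shared, ..., parent, dg]."""
    chain = [dg]
    while chain[-1] != SHARED:
        chain.append(HIERARCHY[chain[-1]])
    return list(reversed(chain))

def effective_rulebase(dg: str, local_rules: List[str]) -> List[str]:
    """Security rules in the order a firewall in device group `dg` evaluates them."""
    chain = ancestry(dg)
    ordered: List[str] = []
    for name in chain:                 # pre-rules: Shared first, then down the tree
        ordered += DEVICE_GROUPS[name].pre_rules
    ordered += local_rules             # rules committed locally on the firewall itself
    for name in reversed(chain):       # post-rules: device group first, then up to Shared
        ordered += DEVICE_GROUPS[name].post_rules
    return ordered + ["intrazone-default", "interzone-default"]

def resolve_object(dg: str, name: str) -> Optional[str]:
    """Nearest definition wins: the device group itself, then each ancestor, then Shared."""
    for group in reversed(ancestry(dg)):
        if name in DEVICE_GROUPS[group].objects:
            return DEVICE_GROUPS[group].objects[name]
    return None

if __name__ == "__main__":
    for rule in effective_rulebase("branch-emea", ["local-allow-test"]):
        print(rule)
    print("proxy for branch-emea:", resolve_object("branch-emea", "proxy"))
```

Because a parent's post-rules are evaluated after the child's, a deny placed in the branches post-rules cannot
be bypassed by a rule that a child-group administrator adds, and a Shared pre-rule always wins over everything
beneath it; that asymmetry is the reason to put organisation-wide blocks in Shared pre-rules and catch-all
denies in Shared post-rules.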

QUESTION 282
A network security administrator has been tasked with deploying User-ID in their organization. What are
three valid methods of collecting User-ID information in a network? (Choose three.)

A. Windows User-ID agent.
B. GlobalProtect.
C. XML API.
D. External dynamic list.
E. Dynamic user groups.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
User-ID is a feature that enables the firewall to identify users and groups based on their IP addresses,
usernames, or other attributes. There are three valid methods of collecting User-ID information in a
network:
- Windows User-ID agent: This is a software agent that runs on a Windows server and collects user
mapping information from Active Directory, Exchange servers, or other sources.
- GlobalProtect: This is a VPN solution that provides secure remote access for users and devices. It also
collects user mapping information from endpoints that connect to the firewall using GlobalProtect.
- XMLAPI: This is an application programming interface that allows third-party applications or scripts to
send user mapping information to the firewall using XML format.

QUESTION 283
An engineer is tasked with configuring a Zone Protection profile on the untrust zone. Which three settings
can be configured on a Zone Protection profile? (Choose three.)

A. Ethernet SGT Protection
B. Protocol Protection
C. DoS Protection
D. Reconnaissance Protection
E. Resource Protection

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Zone Protection profile (Network > Network Profiles > Zone Protection) has five sections: Flood Protection,
Reconnaissance Protection, Packet Based Attack Protection, Protocol Protection and Ethernet SGT Protection.
Option B, Protocol Protection, filters non-IP Layer 2 protocols by Ethertype with an include or exclude list; it
applies to Layer 2 and virtual wire zones, where non-IP frames would otherwise be forwarded unchecked.
Option D, Reconnaissance Protection, detects TCP and UDP port scans and host sweeps and can allow, alert,
block or block-ip the scanning source for a configurable duration. Option A, Ethernet SGT Protection, drops
frames whose 802.1Q header carries a Cisco TrustSec security group tag from a configured list. DoS
Protection (option C) is a separate profile under Objects > Security Profiles that is attached through DoS
Protection policy rules, and Resource Protection (option E), which caps concurrent sessions, is a tab of that
DoS Protection profile, not of the Zone Protection profile.

QUESTION 284
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

A. Panorama
B. M600 Log Collectors
C. Cortex Data Lake
D. On Palo Alto Networks Update Servers

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Device Telemetry data is stored on Cortex Data Lake, which is a cloud-based service that collects and
stores logs from your firewalls and other sources. Cortex Data Lake also enables you to analyze and
visualize your data using various applications. To use Device Telemetry, you need to install a device
certificate on your firewall. This certificate authenticates your firewall to Cortex Data Lake and encrypts the
data in transit.

QUESTION 285
An engineer receives reports from users that applications are not working and that websites are only
partially loading in an asymmetric environment. After investigating, the engineer observes the
flow_tcp_non_syn_drop counter increasing in the show counters global output. Which troubleshooting
command should the engineer use to work around this issue?

A. set deviceconfig setting tcp asymmetric-path drop
B. set session tcp-reject-non-syn yes
C. set deviceconfig setting tcp asymmetric-path bypass
D. set deviceconfig setting session tcp-reject-non-syn no

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The flow_tcp_non_syn_drop counter increments when the firewall receives a TCP packet for which it has no
session and whose SYN flag is not set, for example an ACK or data segment whose SYN travelled a path the
firewall never saw. By default the firewall rejects such packets (tcp-reject-non-syn is enabled), which is
exactly what breaks sessions in an asymmetrically routed environment. Option D, "set deviceconfig setting
session tcp-reject-non-syn no", is a configuration-mode command: after a commit it persists across reboots
and lets the firewall create a session from the non-SYN packet. The operational-mode equivalent, "set session
tcp-reject-non-syn no" (option B has the wrong value), takes effect immediately but is lost on reboot, which
makes it the better choice for a temporary test. Either form relaxes TCP state tracking for the whole firewall,
so treat it as a workaround while the asymmetric path is fixed; if the relaxation has to stay, scope it to the
affected zones with a Zone Protection profile (Packet Based Attack Protection > TCP > Reject Non-SYN TCP)
instead of changing the global setting.
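
As an added example (not Palo Alto Networks code), the script below parses two samples of "show counters
global" output, taken before and after the user reports, and flags drop-severity counters that are climbing.
The two samples are constructed text that imitates the CLI table layout; the counter names exist on PAN-OS,
the values are illustrative.

```python
"""Spot a rising flow_tcp_non_syn_drop counter from two 'show counters global' samples.

Added example, not Palo Alto Networks code. SAMPLE_T0 and SAMPLE_T1 are constructed
text that imitates the CLI table layout (name, value, rate, severity, category,
aspect, description); the parser keys on those columns and ignores everything else.
"""
import re
from typing import Dict

_ROW = re.compile(
    r"^(?P<name>[a-z][a-z0-9_]*)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>[a-z]+)\s+(?P<category>[a-z]+)\s+(?P<aspect>[a-z]+)\s+(?P<desc>.+)$"
)

SAMPLE_T0 = """\
Global counters:
Elapsed time since last sampling: 5.007 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------------
pkt_recv                              3148207      614 info      packet    pktproc   Packets received
session_allocated                        7711        2 info      session   resource  Sessions allocated
flow_tcp_non_syn_drop                    1210        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_policy_deny                          412        0 drop      flow      session   Session setup: denied by policy
"""

SAMPLE_T1 = """\
Global counters:
Elapsed time since last sampling: 5.012 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------------
pkt_recv                              3151390      636 info      packet    pktproc   Packets received
session_allocated                        7729        3 info      session   resource  Sessions allocated
flow_tcp_non_syn_drop                    1520       62 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_policy_deny                          413        0 drop      flow      session   Session setup: denied by policy
"""

Counters = Dict[str, Dict[str, object]]

def parse_counters(text: str) -> Counters:
    """Return {counter name: {value, rate, severity, category, desc}} for every table row."""
    counters: Counters = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:   # header, separator and banner lines do not match the row pattern
            counters[m["name"]] = {
                "value": int(m["value"]), "rate": int(m["rate"]),
                "severity": m["severity"], "category": m["category"], "desc": m["desc"].strip(),
            }
    return counters

def counter_delta(before: Counters, after: Counters) -> Dict[str, int]:
    """Increase of every counter present in both samples."""
    return {name: after[name]["value"] - before[name]["value"] for name in after if name in before}

def rising_drops(before: Counters, after: Counters, min_delta: int = 1) -> Dict[str, int]:
    """Drop-severity counters that moved between the samples, largest increase first."""
    delta = counter_delta(before, after)
    rising = {n: d for n, d in delta.items() if after[n]["severity"] == "drop" and d >= min_delta}
    return dict(sorted(rising.items(), key=lambda kv: kv[1], reverse=True))

def asymmetry_suspected(before: Counters, after: Counters, min_delta: int = 100) -> bool:
    """Heuristic from the question: non-SYN drops climbing while the box is otherwise healthy."""
    return rising_drops(before, after).get("flow_tcp_non_syn_drop", 0) >= min_delta

if __name__ == "__main__":
    t0, t1 = parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1)
    for name, delta in rising_drops(t0, t1).items():
        print(f"{name:<28} +{delta:<6} {t1[name]['desc']}")
    print("asymmetric routing suspected:", asymmetry_suspected(t0, t1))
```

On a real firewall the same narrowing is done interactively with "show counters global filter delta yes
severity drop", which prints only counters that changed since the previous invocation; the script is useful
when samples are collected out of band, for example from a support bundle or over the XML API.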

QUESTION 286
An engineer discovers the management interface is not routable to the User-ID agent. What configuration
is needed to allow the firewall to communicate to the User-ID agent?

A. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP.
B. Create a NAT policy for the User-ID agent server.
C. Create a custom service route for the UID Agent.
D. Add a static route to the virtual router.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To allow the firewall to communicate with the User-ID agent, you need to configure a custom service route
for the UID Agent. A custom service route allows you to specify which interface and source IP address the
firewall uses to connect to a specific destination service. By default, the firewall uses its management
interface for services such as User-ID, but you can override this behavior by creating a custom service
route. To configure a custom service route for the UID Agent, you need to do the following steps:
- Go to Device -> Setup -> Services and click Service Route Configuration. In the Service column, select
User-ID Agent from the drop-down list. In the Interface column, select an interface that can reach the User-
ID agent server from the drop-down list.
- In the Source Address column, select an IP address that belongs to that interface from the drop- down
list.
- Click OK and Commit your changes.

QUESTION 287
Which type of zone will allow different virtual systems to communicate with each other?

A. Tap
B. Tunnel
C. Virtual Wire
D. External

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
External zones are required to allow traffic between zones in different virtual systems, without the traffic
leaving the firewall.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone

QUESTION 288
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These
settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

A. Log Forwarding profile
B. SSL decryption exclusion
C. Tags
D. Login banner
E. Dynamic updates

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 289
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company
also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log
collectors. There is a known logging peak time during the day and the security team has asked the firewall
engineer to determine how many logs per second the current Palo Alto Networks log collectors are
processing at that particular time.

Which method is the most time-efficient to complete this task?

A. Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector
during the peak time
B. Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the
peak time
C. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out
how many logs have been received
D. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall
and check the log rates during the peak time

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 290
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the
Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?

A. GlobalProtect agent version
B. Outdated plugins
C. Management only mode
D. Expired certificates

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 291
A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an
effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?

A. Pre-NAT source IP address and pre-NAT source zone
B. Post-NAT source IP address and pre-NAT source zone
C. Pre-NAT source IP address and post-NAT source zone
D. Post-NAT source IP address and post-NAT source zone

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 292
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator
confirm that WildFire has identified a virus?

A. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"
B. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)"
C. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire- virus)"
D. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
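
The filter string in the correct answer uses the PAN-OS log filter syntax, so as an added example (not Palo Alto
Networks code) here is a small evaluator for that syntax run over constructed Threat log records. It shows why
"(subtype eq virus)" misses WildFire-signature hits while "(subtype eq wildfire-virus)" returns them, and it
goes beyond the question to and/or/not, the severity ordering and CIDR matching.

```python
"""Evaluator for the PAN-OS log filter syntax used in the answer above.

Added example, not Palo Alto Networks code. It implements the subset of the
filter grammar seen in the question: parenthesised comparisons joined by
and / or / not, with the operators eq, neq, contains, geq, leq and in (CIDR).
THREAT_LOGS is a constructed set of Threat log records, not real firewall output.
"""
from __future__ import annotations
import ipaddress
import re
from typing import Callable, Dict, List

Record = Dict[str, str]
Predicate = Callable[[Record], bool]

_SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
_ALIASES = {"addr.src": "src", "addr.dst": "dst"}      # filter field -> record key
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[^\s()]+")

# Constructed records: one AV signature hit, two WildFire signature hits, one exploit.
THREAT_LOGS: List[Record] = [
    {"subtype": "virus", "severity": "medium", "src": "10.1.1.20", "dst": "203.0.113.5",
     "threatid": "Virus/Win32.WGeneric.abc", "action": "reset-both"},
    {"subtype": "wildfire-virus", "severity": "high", "src": "10.1.1.31", "dst": "198.51.100.7",
     "threatid": "Virus/Win32.WGeneric.xyz", "action": "reset-both"},
    {"subtype": "vulnerability", "severity": "critical", "src": "10.2.5.7", "dst": "10.1.1.20",
     "threatid": "Microsoft Windows SMB Remote Code Execution", "action": "reset-both"},
    {"subtype": "wildfire-virus", "severity": "medium", "src": "10.1.7.9", "dst": "192.0.2.44",
     "threatid": "Virus/PDF.Generic.def", "action": "alert"},
]

def tokenize(expr: str) -> List[str]:
    return _TOKEN.findall(expr)

def _rank(field: str, value: str):
    """Comparable form of a value: severity uses the PAN-OS ordering, else int when possible."""
    if field == "severity":
        return _SEVERITY.get(value.lower(), -1)
    try:
        return int(value)
    except ValueError:
        return value

def _compare(field: str, op: str, value: str) -> Predicate:
    key = _ALIASES.get(field, field)
    value = value.strip("'\"")

    def pred(rec: Record) -> bool:
        actual = rec.get(key, "")
        if op == "eq":
            return actual == value
        if op == "neq":
            return actual != value
        if op == "contains":
            return value.lower() in actual.lower()
        if op in ("geq", "leq"):
            try:
                a, b = _rank(field, actual), _rank(field, value)
                return a >= b if op == "geq" else a <= b
            except TypeError:           # text compared with a number: no match
                return False
        if op == "in":
            try:
                return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return False
        raise ValueError(f"unsupported operator {op!r}")
    return pred

class _Parser:
    """expr := term (or term)* ; term := factor (and factor)* ; factor := not factor | (expr) | field op value"""
    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected: str | None = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self) -> Predicate:
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda a, b: lambda rec: a(rec) or b(rec))(left, self.term())
        return left

    def term(self) -> Predicate:
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda a, b: lambda rec: a(rec) and b(rec))(left, self.factor())
        return left

    def factor(self) -> Predicate:
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda rec: not inner(rec)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            self.take(")")
            return inner
        return _compare(self.take(), self.take(), self.take())

def compile_filter(expr: str) -> Predicate:
    parser = _Parser(tokenize(expr))
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return pred

def filter_logs(records: List[Record], expr: str) -> List[Record]:
    pred = compile_filter(expr)
    return [rec for rec in records if pred(rec)]
```

Running filter_logs(THREAT_LOGS, "(subtype eq virus)") returns only the antivirus signature hit, while
"(subtype eq wildfire-virus)" returns the two verdicts that came from WildFire-generated signatures, which is
the distinction the question tests; the same evaluator applies unchanged to records from any other log type.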

QUESTION 293
A firewall engineer is managing a Palo Alto Networks NGFW which is not in line of any DHCP traffic.

Which interface mode can the engineer use to generate Enhanced Application logs (EALs) for classifying
IoT devices while receiving broadcast DHCP traffic?

A. Virtual wire
B. Layer 3
C. Layer 2
D. Tap

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 294
An administrator is considering deploying WildFire globally.

What should the administrator consider with regards to the WildFire infrastructure?

A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 295
Which log type is supported in the Log Forwarding profile?

A. User-ID
B. GlobalProtect
C. Configuration
D. Tunnel

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 296
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of
PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The
PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

A. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.
B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the
firewalls.
C. Upload the image to Panorama > Software menu, and deploy it to the firewalls.
D. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 297
Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

A. HA cluster members must be the same firewall model and run the same PAN-OS version.
B. HA cluster members must share the same zone names.
C. Panorama must be used to manage HA cluster members.
D. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 298
Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with
multiple virtual systems?

A. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance
B. External zones are required because the same external zone can be used on different virtual systems
C. To allow traffic between zones in different virtual systems without the traffic leaving the appliance
D. Multiple external zones are required in each virtual system to allow the communications between virtual
systems

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 299
Which two are required by IPSec in transport mode? (Choose two.)

A. Auto generated key
B. NAT Traversal
C. IKEv1
D. DH-group 20 (ECP-384 bits)

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 300
A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-
OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log
Collectors, and file samples are forwarded to WildFire appliances for analysis.

What must the engineer consider when planning deployment?

A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN- OS version before
updating the firewalls.
B. Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version
downloaded, after which the order of patching does not matter.
C. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS
version before updating the firewalls.
D. Only Panorama must be patched to the target PAN-OS version before updating the firewalls.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 301
Which rule type controls end user SSL traffic to external websites?

A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy
D. SSL Outbound Proxyless Inspection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 302
An internal audit team has requested additional information to be included inside traffic logs forwarded
from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?

A. Custom Log Format within Device > Server Profiles > Syslog
B. Built-in Actions within Objects > Log Forwarding Profile
C. Logging and Reporting Settings within Device > Setup > Management
D. Data Patterns within Objects > Custom Objects

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 303
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the
details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?

A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 304
Which two items must be configured when implementing application override and allowing traffic through
the firewall? (Choose two.)

A. Application filter
B. Application override policy rule
C. Security policy rule
D. Custom app

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 305
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses
a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP
address assigned to the outside interface of the firewall. However, the use of dynamic peering is not
working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to
work? (Choose two.)

Site A configuration:

Site B configuration:
A. Match IKE version on both firewalls.
B. Configure Local Identification on Site B firewall.
C. Enable NAT Traversal on Site B firewall.
D. Disable passive mode on Site A firewall.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 306
Which server platforms can be monitored when a company is deploying User-ID through server monitoring
in an environment with diverse directory services?

A. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
B. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
D. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 307
An engineer is monitoring an active/passive high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?

A. Active-primary
B. Active
C. Active-secondary
D. Initial

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 308
A root cause analysis investigation into a recent security incident reveals that several decryption rules have
been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?

A. With the relevant system log filter inside Device > Log Settings
B. With the relevant configuration log filter inside Device > Log Settings
C. With the relevant configuration log filter inside Objects > Log Forwarding
D. With the relevant system log filter inside Objects > Log Forwarding

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 309
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled
and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on
the firewall?

A. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.
B. Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.
C. Use the highest TLS protocol version to maximize security.
D. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 310
An engineer has been given approval to upgrade their environment to the latest of PAN-OS.

The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log
collectors.

What is the recommended order of operational steps when upgrading?

A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama
B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 311
A firewall engineer has determined that, in an application developed by the company's internal team,
sessions often remain idle for hours before the client and server exchange any data. The application is
also currently identified as unknown- tcp by the firewalls. It is determined that because of a high level of
trust, the application does not require to be scanned for threats, but it needs to be properly identified in
Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify
the application?

A. Create a custom application with specific timeouts and signatures based on patterns discovered in
packet captures.
B. Access the Palo Alto Networks website and complete the online form to request that a new application
be added to App-ID.
C. Create a custom application with specific timeouts, then create an application override rule and
reference the custom application.
D. Access the Palo Alto Networks website and raise a support request through the Customer Support
Portal.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 312
What happens when the log forwarding built-in action with tagging is used?

A. Selected logs are forwarded to the Azure Security Center.
B. Destination zones of selected unwanted traffic are blocked.
C. Destination IP addresses of selected unwanted traffic are blocked.
D. Selected unwanted traffic source zones are blocked.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 313
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23
to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not
be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.
2. Check the box for the negate option to exclude this IP from the NAT translation.
B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.
2. Check the box for the negate option to exclude this IP subnet from NAT translation.
C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to
dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set to
10.0.0.10/32 and source translation set to none.
3. Place NAT-Rule-2 above NAT-Rule-1.
D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to
dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set to
10.0.0.10/32 and source translation set to none.
3. Place NAT-Rule-1 above NAT-Rule-2.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
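
The reason option C works and option D does not is first-match evaluation of the NAT rulebase: the first rule
whose original-packet criteria match the session is applied and the rest are ignored. The following added
example (my own Python model, not PAN-OS code) evaluates both orderings against a few addresses; the
network, the exempt host and the rule names come from the question, while the zone names trust/untrust and
the egress address 198.51.100.1 are assumptions.

```python
"""First-match evaluation of a source NAT rulebase for the scenario in the question above.

Added example (my own Python model, not PAN-OS code). The network 10.0.0.0/23, the
exempt host 10.0.0.10 and the rule names come from the question; the zone names
trust/untrust and the egress address 198.51.100.1 are assumptions. Matching covers
only what the question needs: source zone, destination zone and original source
address, with the first matching rule winning.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str                         # original-packet source address (CIDR)
    translated_source: Optional[str]    # None models "source translation: none"

def matches(rule: NatRule, from_zone: str, to_zone: str, src: str) -> bool:
    return (
        rule.from_zone == from_zone
        and rule.to_zone == to_zone
        and ipaddress.ip_address(src) in ipaddress.ip_network(rule.source, strict=False)
    )

def apply_nat(rules: List[NatRule], from_zone: str, to_zone: str, src: str) -> Tuple[Optional[str], str]:
    """Return (name of the first matching rule or None, source address after translation)."""
    for rule in rules:
        if matches(rule, from_zone, to_zone, src):
            return rule.name, (rule.translated_source or src)
    return None, src

def shadowed_rules(rules: List[NatRule], from_zone: str, to_zone: str, probes: List[str]) -> List[str]:
    """Rules that never win for any probe address: a cheap check for ordering mistakes."""
    winners = {apply_nat(rules, from_zone, to_zone, p)[0] for p in probes}
    return [r.name for r in rules if r.name not in winners]

TRANSLATE_SUBNET = NatRule("NAT-Rule-1", "trust", "untrust", "10.0.0.0/23", "198.51.100.1")
EXEMPT_SERVER = NatRule("NAT-Rule-2", "trust", "untrust", "10.0.0.10/32", None)

CORRECT_ORDER = [EXEMPT_SERVER, TRANSLATE_SUBNET]   # option C: specific rule above the general one
WRONG_ORDER = [TRANSLATE_SUBNET, EXEMPT_SERVER]     # option D: the /23 rule matches first and shadows the exemption
PROBES = ["10.0.0.10", "10.0.0.55", "10.0.1.200", "10.0.2.5"]

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for ip in PROBES:
            print(label, ip, "->", apply_nat(rules, "trust", "untrust", ip))
        print(label, "shadowed:", shadowed_rules(rules, "trust", "untrust", PROBES))
```

Exempting the server from translation does not by itself stop it reaching the internet; the untranslated
packets would still be forwarded if a Security policy rule allowed them. The "should not be allowed" part of
the requirement belongs in a Security policy deny for 10.0.0.10, and the NAT exemption only makes sure the
server is never hidden behind the shared egress address.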

QUESTION 314
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)

A. Create a URL filtering profile.
B. Create an anti-virus profile.
C. Enable User-ID.
D. Configure a URL profile to block the phishing category.
E. Create a decryption policy rule.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 315
A company is expanding its existing log storage and alerting solutions. All company Palo Alto Networks
firewalls currently forward logs to Panorama.

Which two additional log forwarding methods will PAN-OS support? (Choose two.)

A. HTTP
B. SSL
C. Email
D. TLS

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 316
A firewall administrator has confirmed reports of a website is not displaying as expected, and wants to
ensure that decryption is not causing the issue.

Which three methods can the administrator use to determine if decryption is causing the website to fail?
(Choose three.)

A. Move the policy with action decrypt to the top of the decryption policy rulebase.
B. Investigate decryption logs of the specific traffic to determine reasons for failure.
C. Temporarily disable SSL decryption for all websites to troubleshoot the issue.
D. Disable SSL handshake logging.
E. Create a policy-based "No Decrypt" rule in the decryption policy to exclude specific traffic from
decryption.

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 317
After implementing a new NGFW, a firewall engineer is alerted to a VoIP traffic issue. After
troubleshooting, the engineer confirms that the firewall is alerting the voice packets payload.

What can the engineer do to solve the VoIP traffic issue?

A. Increase the TCP timeout under SIP application
B. Disable ALG under SIP application
C. Disable ALG under H.323 application
D. Increase the TCP timeout under H.323 application

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 318
An administrator is considering deploying WildFire globally.

What should the administrator consider with regards to the WildFire analysis process?

A. Each WildFire cloud analyzes samples independently of the other WildFire clouds.
B. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
C. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
D. The WildFire Global Cloud only provides bare metal analysis.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 319
Which two components are required to configure certificate-based authentication to the web UI when an
administrator needs firewall access on a trusted interface? (Choose two.)

A. Server certificate
B. CA certificate
C. SSL/TLS Service Profile
D. Certificate Profile

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 320
What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?

A. Phase 2 SAs are synchronized over HA2 links.
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
C. Phase 1 SAs are synchronized over HA1 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 321
Which function does the HA4 interface provide when implementing a firewall cluster which contains
firewalls configured as active-passive pairs?

A. Perform session cache synchronization for all HA cluster members with the same cluster ID.
B. Perform synchronization of sessions, forwarding tables, and IPSec security associations between
firewalls in an HA pair.
C. Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.
D. Perform synchronization of routes, IPSec security associations, and User-ID information.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 322
A security engineer has configured a GlobalProtect portal agent with four gateways.

Which GlobalProtect Gateway will users connect to based on the chart provided?

A. East
B. South
C. West
D. Central

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 323
A network security engineer needs to ensure that virtual systems can communicate with one another within
a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to
ensure communication between virtual systems? (Choose three.)

A. Add a route with next hop next-vr by using the VR configured in the virtual system.
B. Layer 3 zones for the virtual systems that need to communicate.
C. Add a route with next hop set to none, and use the interface of the virtual systems that need to
communicate.
D. Ensure the virtual systems are visible to one another.
E. External zones with the virtual systems added.

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 324
A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP
addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that
uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application
team has confirmed that the new server is able to establish a secure connection to an external database
with IP address 203.0.113.40.

The database team reports that they are unable to establish a secure connection to 198.51.100.88 from
203.0.113.40. However, it confirms a successful ping test to 198.51.100.88.

Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the
situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

A. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.
B. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address" both
external servers as "Destination Address," and Source Translation remaining as is with bidirectional
option enabled.
C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the
bidirectional option.
D. Sharing a single NAT IP is possible for outbound connectivity not for inbound therefore a new public IP
address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 325
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action
will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

A. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus
B. Increase the frequency of the applications and threats dynamic updates
C. Increase the frequency of the antivirus dynamic updates
D. Enable the "Report Grayware Files" option in Device > Setup > WildFire

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 326
A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A
company employee receives an email containing an unknown link that downloads a malicious Portable
Executable (PE) file.

What does Advanced WildFire do when the link is clicked?

A. Performs malicious content analysis on the linked page, but not the corresponding PE file
B. Performs malicious content analysis on the linked page and the corresponding PE file
C. Does not perform malicious content analysis on the linked page but performs it on the corresponding
PE file
D. Does not perform malicious content analysis on either the linked page or the corresponding PE file

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
