Block 3 Flashcards
(26 cards)
114-Which data flow describes redistribution of user mappings?
UserID»_space;»»» FW1»_space;»»>FW2»_space;»»FW3
A. User-ID agent to firewall
B. Domain Controller to User-ID agent
C. User-ID agent to Panorama
D. firewall to firewall
D. firewall to firewall
115-Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?
A. System Utilization log
B. System log
C. Resources widget
D. CPU Utilization widget
C. Resources widget
116-Which four NGFW multi-factor authentication factors are supported by PAN-OSֲ®? (Choose four.)
A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password
A. Short message service
B. Push
D. Voice
F. One-Time Password
117-Which two features does PAN-OSֲ® software use to identify applications? (Choose two.)
A. transaction characteristics
B. session number
C. port number
D. application layer payload
A. transaction characteristics
D. application layer payload
118-An administrator wants to upgrade a firewall from PAN-OSֲ® 9.1 to PAN-OSֲ® 10.0. The firewall is not a part of an HA pair. What needs to be updated first?
A. Applications and Threats
B. XML Agent
C. WildFire
D. PAN-OS Upgrade Agent
A. Applications and Threats
119-When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot
C. Export device state
120-Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)
A. HA1 IP Address
B. Master Key
C. Zone Protection Profile
D. Network Interface Type
A. HA1 IP Address
B. Master Key
121-An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?
A. Malware
B. Grayware
C. Phishing
D. Spyware
B. Grayware
122-When configuring the firewall for packet capture, what are the valid stage types?
A. receive, management, transmit, and non-syn
B. receive, management, transmit, and drop
C. receive, firewall, send, and non-syn
D. receive, firewall, transmit, and drop
D. receive, firewall, transmit, and drop
123-Which operation will impact the performance of the management plane?
A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions
C. generating a SaaS Application report
124-Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
syslog listening
server monitoring
client probing
port mapping
syslog listening
125-The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?
A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category
A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
126-Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
A. At-boot
B. Pre-logon
C. User-logon (Always on)
D. On-demand
B. Pre-logon
127-Which feature can provide NGFWs with User-ID mapping information?
A. Web Captcha
B. Native 802.1q authentication
C. GlobalProtect/
D. Native 802.1x authentication
C. GlobalProtect/
128-Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)
A. Role Based
B. Custom Panorama Admin
C. Device Group
D. Dynamic
E. Template Admin
C. Device Group
E. Template Admin
129- Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
A. Select download-and-install
B. Select download-only
C. Select download-and-install, with Disable new apps in content update selected
D. Select disable application updates and select Install only Threat updates
C. Select download-and-install, with Disable new apps in content update selected
130-Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?
A. 10,000
B. 15,000
C. 7,500
D. 5,000
A. 10,000
131- In which two types of deployment is active/active HA configuration supported? (Choose two.)
A. Layer 3 mode
B. TAP mode
C. Virtual Wire mode
D. Layer 2 mode
A. Layer 3 mode
C. Virtual Wire mode
132- For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)
A. ingress processing errors
B. rule match with action deny
C. rule match with action allow
D. equal-cost multipath
A. ingress processing errors
B. rule match with action deny
133- Which logs enable a firewall administrator to determine whether a session was decrypted?
A. Traffic
B. Security Policy
C. Decryption
D. Correlated Event
A. Traffic
134 - An administrator needs to upgrade an NGFW to the most current version of PAN-OSֲ® software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?
A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution
D. DNS settings for the firewall to use for resolution
135- A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?
A. Add an Anti-Spyware Profile to block attacking IP address
B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
C. Add QoS Profiles to throttle incoming requests
D. Add a tuned DoS Protection Profile
D. Add a tuned DoS Protection Profile
136- An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OSֲ® software?
A. Antivirus update package.
B. Applications and Threats update package.
C. User-ID agent.
D. WildFire update package.
B. Applications and Threats update package.
137- A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus
A. Anti-Spyware
