PCNSE2

Question 1

Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

A. Configure a Decryption Profile and select SSL/TLS services.
B. Set up SSL/TLS under Policies > Service/URL Category > Service.
C. Set up Security policy rule to allow SSL communication.
D. Configure an SSL/TLS Profile.

Answer 1

D. Configure an SSL/TLS Profile.

Question 2

Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

A. ACC
B. System Logs
C. App Scope
D. Session Browser

Answer 2

D. Session Browser

Question 3

Which protection feature is available only in a Zone Protection Profile?

A. SYN Flood Protection using SYN Flood Cookies
B. ICMP Flood Protection
C. Port Scan Protection
D. UDP Flood Protections

Answer 3

C. Port Scan Protection

Question 4

Which CLI command can be used to export the tcpdump capture?

A. scp export tcpdump from mgmt.pcap to < username@host:path>
B. scp extract mgmt-pcap from mgmt.pcap to < username@host:path>
C. scp export mgmt-pcap from mgmt.pcap to < username@host:path>
D. download mgmt-pcap

Answer 4

C. scp export mgmt-pcap from mgmt.pcap to < username@host:path>

Question 5

An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.

Answer 5

A. A scheduler will need to be configured for application signatures.

Question 6

Which three options are supported in HA Lite? (Choose three.)

A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization

Answer 6

B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization

Question 7

Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OSֲ® version, and serial number?

A. debug system details
B. show session info
C. show system info
D. show system details

Answer 7

C. show system info

Question 8

During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. Pattern based application identification
B. Application override policy match
C. Application changed from content inspection
D. Session application identified

Answer 8

A. Pattern based application identification

B. Application override policy match

Question 9

Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

A. Session Browser
B. Application Command Center
C. TCP Dump
D. Packet Capture

Answer 9

B. Application Command Center

Question 10

Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

A. Disable SNMP on the management interface.
B. Application override of SSL application.
C. Disable logging at session start in Security policies.
D. Disable predefined reports.
E. Reduce the traffic being decrypted by the firewall.

Answer 10

A. Disable SNMP on the management interface
C. Disable logging at session start in Security policies.
D. Disable predefined reports.

Question 11

Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?

A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile

Answer 11

A. URL Filtering profile

Question 12

How can a candidate or running configuration be copied to a host external from Panorama?

A. Commit a running configuration.
B. Save a configuration snapshot.
C. Save a candidate configuration.
D. Export a named configuration snapshot.

Answer 12

D. Export a named configuration snapshot.

Question 13

If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?

A. SSL Forward Proxy
B. SSL Inbound Inspection
C. SSL Reverse Proxy
D. SSL Outbound Inspection

Answer 13

A. SSL Forward Proxy

Question 14

An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

A. Create a custom App-ID and enable scanning on the advanced tab.
B. Create an Application Override policy.
C. Create a custom App-ID and use the ג€ordered conditionsג€ check box.
D. Create an Application Override policy and a custom threat signature for the application.

Answer 14

A. Create a custom App-ID and enable scanning on the advanced tab.

Question 15

The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

A. View the System logs and look for the error messages about BGP.
B. Perform a traffic pcap on the NGFW to see any BGP problems.
C. View the Runtime Stats and look for problems with BGP configuration.
D. View the ACC tab to isolate routing issues.

Answer 15

A. View the System logs and look for the error messages about BGP.
C. View the Runtime Stats and look for problems with BGP configuration.

Question 16

An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

A. View Runtime Stats in the virtual router.
B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. Perform a traffic pcap at the routing stage.

Answer 16

A. View Runtime Stats in the virtual router.

B. View System logs.

Question 17

Which three firewall states are valid? (Choose three.)

A. Active
B. Functional
C. Pending
D. Passive
E. Suspended

Answer 17

A. Active
D. Passive
E. Suspended

Question 18

Which virtual router feature determines if a specific destination IP address is reachable?

A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path

Answer 18

C. Path Monitoring

Question 19

An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

A. Decryption Mirror interface with the Threat Analysis license
B. Virtual Wire interface with the Decryption Port Export license
C. Tap interface with the Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license

Answer 19

D. Decryption Mirror interface with the associated Decryption Port Mirror license

Question 20

When is the content inspection performed in the packet flow process?

A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet

Answer 20

A. after the application has been identified

Question 21

An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?

A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries

Answer 21

A. In the details of the Traffic log entries

B. Decryption log
PAN10 has decryption log

Question 22

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus

Answer 22

A. Vulnerability Protection

Question 23

Which processing order will be enabled when a Panorama administrator selects the setting Objects defined in ancestors will take higher precedence?

A. Descendant objects will take precedence over other descendant objects.
B. Descendant objects will take precedence over ancestor objects.
C. Ancestor objects will have precedence over descendant objects.
D. Ancestor objects will have precedence over other ancestor objects.

Answer 23

C. Ancestor objects will have precedence over descendant objects.

Question 24

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication

Answer 24

A. Use custom certificates

Question 25

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow
C. Rule # 1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow

Answer 25

A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow

Question 26

Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

A. The firewall is in multi-vsys mode.
B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.
D. The firewalls DP CPU is higher than 50%.

Answer 26

B. The traffic is offloaded.

C. The traffic does not match the packet capture filter.

Question 27

A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OSֲ® software would help in this case?

A. application override
B. Virtual Wire mode
C. content inspection
D. redistribution of user mappings

Answer 27

D. redistribution of user mappings

Question 28

An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in the cloud). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

A. Use config-drive on a USB stick.
B. Use an S3 bucket with an ISO.
C. Create and attach a virtual hard disk (VHD).
D. Use a virtual CD-ROM with an ISO.

Answer 28

D. Use a virtual CD-ROM with an ISO.

Question 29

Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a No Decrypt action? (Choose two.)

A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing

Answer 29

A. Block sessions with expired certificates

D. Block sessions with untrusted issuers

Question 30

Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

A. port mapping
B. server monitoring
C. client probing
D. XFF headers

Answer 30

A. port mapping

Question 31

Which feature can be configured on VM-Series firewalls?

A. aggregate interfaces
B. machine learning
C. multiple virtual systems
D. GlobalProtect

Answer 31

D. GlobalProtect

Question 32

In High Availability, which information is transferred via the HA data link?

A. session information
B. heartbeats
C. HA state information
D. User-ID information

Answer 32

A. session information

Question 33

The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

A. Create a custom application.
B. Create a custom object for the custom application server to identify the custom application.
C. Submit an App-ID request to Palo Alto Networks.
D. Create a Security policy to identify the custom application.

Answer 33

A. Create a custom application.

D. Create a Security policy to identify the custom application.

Question 34

If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption

Answer 34

B. SSL Inbound Inspection

Question 35

A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
B. Add a Vulnerability Protection Profile to block the attack.
C. Add QoS Profiles to throttle incoming requests.
D. Add a DoS Protection Profile with defined session count.

Answer 35

D. Add a DoS Protection Profile with defined session count.

Question 36

Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

A. Verify AutoFocus status using the CLI ג€testג€ command.
B. Check the WebUI Dashboard AutoFocus widget.
C. Check for WildFire forwarding logs.
D. Check the license.
E. Verify AutoFocus is enabled below Device Management tab.

Answer 36

D. Check the license.

E. Verify AutoFocus is enabled below Device Management tab.

Question 37

Which CLI command enables an administrator to check the CPU utilization of the dataplane?

A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources

Answer 37

A. show running resource-monitor

Question 38

Which DoS protection mechanism detects and prevents session exhaustion attacks?

A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection

Answer 38

C. Resource Protection

Question 39

Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)

A. Content-ID
B. User-ID
C. Applications and Threats
D. Antivirus

Answer 39

C. Applications and Threats

D. Antivirus

Question 40

Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

A. TACACS+
B. Kerberos
C. PAP
D. LDAP
E. SAML
F. RADIUS

Answer 40

A. TACACS+
E. SAML
F. RADIUS

Question 41

What is exchanged through the HA2 link?

A. hello heartbeats
B. User-ID information
C. session synchronization
D. HA state information

Answer 41

C. session synchronization

Question 42

Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

A. Both SSH keys and SSL certificates must be generated.
B. No prerequisites are required.
C. SSH keys must be manually generated.
D. SSL certificates must be generated.

Answer 42

B. No prerequisites are required.

Question 43

A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)

A. ae.8
B. aggregate.1
C. ae.1
D. aggregate.8

Answer 43

A. ae.8

C. ae.1

Question 44

Which three authentication factors does PAN-OSֲ® software support for MFA? (Choose three.)

A. Push
B. Pull
C. Okta Adaptive
D. Voice
E. SMS
Reveal Solution

Answer 44

A. Push
D. Voice
E. SMS

Question 45

VPN traffic intended for an administrator’s firewall is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

A. Zone Protection
B. Replay
C. Web Application
D. DoS Protection

Answer 45

B. Replay

Question 46

An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

A. Enable QoS interface
B. Enable QoS in the Interface Management Profile
C. Enable QoS Data Filtering Profile
D. Enable QoS monitor

Answer 46

A. Enable QoS interface

Question 47

Which log file can be used to identify SSL decryption failures?

A. Traffic
B. ACC
C. Configuration
D. Threats

Answer 47

A. Traffic

Question 48

A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)

A. tunnel.1
B. vpn-tunnel.1
C. tunnel.1025
D. vpn-tunnel.1024

Answer 48

A. tunnel.1

C. tunnel.1025

Question 49

An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates automatically?

A. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.
B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.
C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interfaced destined for the update servers goes out of the interface acting as your Internet connection.
D. Configure a Security policy rule to allow all traffic to and from the update servers.

Answer 49

B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.

Question 50

A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?

A. Create V-Wire objects with two V-Wire interfaces and define a range of 0-4096 in the Tag Allowed field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Answer 50

B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the ג€Tag Allowedג€ field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Question 51

Which data flow describes redistribution of user mappings?

A. User-ID agent to firewall
B. Domain Controller to User-ID agent
C. User-ID agent to Panorama
D. firewall to firewall

Answer 51

D. firewall to firewall

Question 52

Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

A. System Utilization log
B. System log
C. Resources widget
D. CPU Utilization widget

Answer 52

C. Resources widget

Question 53

Which four NGFW multi-factor authentication factors are supported by PAN-OSֲ®? (Choose four.)

A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password

Answer 53

A. Short message service
B. Push
D. Voice
F. One-Time Password

Question 54

Which two features does PAN-OSֲ® software use to identify applications? (Choose two.)

A. transaction characteristics
B. session number
C. port number
D. application layer payload

Answer 54

A. transaction characteristics

D. application layer payload

Question 55

An administrator wants to upgrade a firewall from PAN-OSֲ® 9.1 to PAN-OSֲ® 10.0. The firewall is not a part of an HA pair.
What needs to be updated first?

A. Applications and Threats Most Voted
B. XML Agent
C. WildFire
D. PAN-OS Upgrade Agent

Answer 55

A. Applications and Threats

Question 56

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot

Answer 56

C. Export device state

Question 57

Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)

A. HA1 IP Address
B. Master Key
C. Zone Protection Profile
D. Network Interface Type

Answer 57

A. HA1 IP Address

B. Master Key

Question 58

An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?

A. Malware
B. Grayware
C. Phishing
D. Spyware

Answer 58

B. Grayware

Question 59

When configuring the firewall for packet capture, what are the valid stage types?

A. receive, management, transmit, and non-syn
B. receive, management, transmit, and drop
C. receive, firewall, send, and non-syn
D. receive, firewall, transmit, and drop

Answer 59

D. receive, firewall, transmit, and drop

Question 60

Which operation will impact the performance of the management plane?

A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions

Answer 60

C. generating a SaaS Application report

Question 61

Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?

A. syslog listening
B. server monitoring
C. client probing
D. port mapping

Answer 61

A. syslog listening

Question 62

The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

Answer 62

A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone

Question 63

Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

A. At-boot
B. Pre-logon
C. User-logon (Always on)
D. On-demand

Answer 63

B. Pre-logon

Question 64

Which feature can provide NGFWs with User-ID mapping information?

A. Web Captcha
B. Native 802.1q authentication
C. GlobalProtect
D. Native 802.1x authentication
Reveal Solution

Answer 64

C. GlobalProtect

Question 65

Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)

A. Role Based
B. Custom Panorama Admin
C. Device Group
D. Dynamic
E. Template Admin

Answer 65

C. Device Group

E. Template Admin

Question 66

Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?

A. Select download-and-install
B. Select download-only
C. Select download-and-install, with Disable new apps in content update selected
D. Select disable application updates and select Install only Threat updates

Answer 66

C. Select download-and-install, with Disable new apps in content update selected

Question 67

Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?

A. 10,000
B. 15,000
C. 7,500
D. 5,000
Reveal Solution

Answer 67

A. 10,000

Question 68

In which two types of deployment is active/active HA configuration supported? (Choose two.)

A. Layer 3 mode
B. TAP mode
C. Virtual Wire mode
D. Layer 2 mode

Answer 68

A. Layer 3 mode

C. Virtual Wire mode

Question 69

For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)

A. ingress processing errors
B. rule match with action deny
C. rule match with action allow
D. equal-cost multipath

Answer 69

A. ingress processing errors

B. rule match with action deny

Question 70

Which logs enable a firewall administrator to determine whether a session was decrypted?

A. Traffic
B. Security Policy
C. Decryption
D. Correlated Event

Answer 70

A. Traffic

Question 71

An administrator needs to upgrade an NGFW to the most current version of PAN-OSֲ® software. The following is occurring:
✑ Firewall has internet connectivity through e 1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution

Answer 71

D. DNS settings for the firewall to use for resolution

Question 72

A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

A. Add an Anti-Spyware Profile to block attacking IP address
B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
C. Add QoS Profiles to throttle incoming requests
D. Add a tuned DoS Protection Profile

Answer 72

D. Add a tuned DoS Protection Profile

Question 73

An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OSֲ® software?

A. Antivirus update package.
B. Applications and Threats update package.
C. User-ID agent.
D. WildFire update package.
Reveal Solution

Answer 73

B. Applications and Threats update package.

Question 74

A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?

A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus

Answer 74

A. Anti-Spyware

Question 75

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

Answer 75

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.

Question 76

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

A. CRL
B. CRT
C. OCSP
D. Cert-Validation-Profile
E. SSL/TLS Service Profile

Answer 76

A. CRL

C. OCSP

Question 77

Which administrative authentication method supports authorization by an external service?

A. Certificates
B. LDAP
C. RADIUS
D. SSH keys

Answer 77

C. RADIUS

Question 78

Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

A. .dll
B. .exe
C. .fon
D. .apk
E. .pdf
F. .jar

Answer 78

A. .dll
B. .exe
C. .fon

Question 79

An administrator has been asked to configure active/active HA for a pair of firewalls. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
C. The firewalls do not use floating IPs in active/active HA.
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Answer 79

A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.

Question 80

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?

A. GlobalProtect version 4.0 with PAN-OS 8.1
B. GlobalProtect version 4.1 with PAN-OS 8.1
C. GlobalProtect version 4.1 with PAN-OS 8.0
D. GlobalProtect version 4.0 with PAN-OS 8.0

Answer 80

B. GlobalProtect version 4.1 with PAN-OS 8.1

Question 81

How does Panorama prompt VMWare NSX to quarantine an infected VM?

A. HTTP Server Profile
B. Syslog Server Profile
C. Email Server Profile
D. SNMP Server Profile

Answer 81

A. HTTP Server Profile

Question 82

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

A. Create a no-decrypt Decryption Policy rule.
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
C. Configure a Dynamic Address Group for untrusted sites.
D. Create a Security Policy rule with a vulnerability Security Profile attached.
E. Enable the Block sessions with untrusted issuers setting.

Answer 82

A. Create a no-decrypt Decryption Policy rule.

E. Enable the Block sessions with untrusted issuers setting.

Question 83

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.
B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
D. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

Answer 83

A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.

Question 84

What is the purpose of the firewall decryption broker?

A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
B. force decryption of previously unknown cipher suites
C. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
D. inspect traffic within IPsec tunnels

Answer 84

A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.

Question 85

SAML SLO is supported for which two firewall features? (Choose two.)

A. GlobalProtect Portal
B. CaptivePortal
C. WebUI
D. CLI

Answer 85

A. GlobalProtect Portal

C. WebUI

Question 86

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

A. Rule Usage Hit counter will not be reset.
B. Highlight Unused Rules will highlight all rules.
C. Highlight Unused Rules will highlight zero rules.
D. Rule Usage Hit counter will reset.

Answer 86

A. Rule Usage Hit counter will not be reset.

B. Highlight Unused Rules will highlight all rules.

Question 87

Which is not a valid reason for receiving a decrypt-cert-validation error?

A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer

Answer 87

A. Unsupported HSM

Question 88

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)

A. video streaming application
B. Client Application Process
C. Destination Domain
D. Source Domain
E. Destination user/group
F. URL Category

Answer 88

A. video streaming application
B. Client Application Process
C. Destination Domain

Question 89

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity
D. GlobalProtect Quarantine Activity

Answer 89

B. GlobalProtect Deployment Activity

C. Successful GlobalProtect Connection Activity

Question 90

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A. log forwarding auto-tagging
B. XML API
C. GlobalProtect agent
D. User-ID Windows-based agent

Answer 90

B. XML API

D. User-ID Windows-based agent

Question 91

SD-WAN is designed to support which two network topology types? (Choose two.)

A. point-to-point
B. hub-and-spoke
C. full-mesh
D. ring
Reveal Solution

Answer 91

B. hub-and-spoke

C. full-mesh

Question 92

Which option describes the operation of the automatic commit recovery feature?

A. It enables a firewall to revert to the previous configuration if rule shadowing is detected.
B. It enables a firewall to revert to the previous configuration if application dependency errors are found.
C. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure.
D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

Answer 92

D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

Question 93

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

A. branch and hub locations
B. link requirements
C. the name of the ISP
D. IP Addresses

Answer 93

A. branch and hub locations
B. link requirements
D. IP Addresses

Question 94

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizers Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages

Answer 94

A. on the App Dependency tab in the Commit Status window

C. on the Application tab in the Security Policy Rule creation window

Question 95

Which two events trigger the operation of automatic commit recovery? (Choose two.)

A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall performs a local commit
D. when a firewall HA pair fails over

Answer 95

B. when Panorama pushes a configuration

C. when a firewall performs a local commit

Question 96

Panorama provides which two SD-WAN functions? (Choose two.)

A. network monitoring
B. control plane
C. data plane
D. physical network links

Answer 96

A. network monitoring

B. control plane

Question 97

Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

A. respond to changes in user behaviour or potential threats using manual policy changes
B. respond to changes in user behaviour or potential threats without manual policy changes
C. respond to changes in user behaviour or potential threats without automatic policy changes
D. respond to changes in user behaviour and confirmed threats with manual policy changes

Answer 97

B. respond to changes in user behaviour or potential threats without manual policy changes

Question 98

How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?

A. by adding the devices Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device
B. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook
C. by using security policies, log forwarding profiles, and log settings
D. there is no native auto-quarantine feature so a custom script would need to be leveraged

Answer 98

C. by using security policies, log forwarding profiles, and log settings

Question 99

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

A. PBP (Protocol Based Protection)
B. BGP (Border Gateway Protocol)
C. PGP (Packet Gateway Protocol)
D. PBP (Packet Buffer Protection)

Answer 99

D. PBP (Packet Buffer Protection)

Question 100

A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls’ USB port, and the firewall has been restarted using command: > request restart system
Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:

Answer 100

B. Firewall must be in factory default state or have all private data deleted for bootstrapping

Question 101

An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

A. default-no-captive-portal
B. default-authentication-bypass
C. default-browser-challenge
D. default-web-form

Answer 101

A. default-no-captive-portal

Question 102

To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations.
Which one is the correct configuration?

A. &Panorama
B. @Panorama
C. $Panorama
D. #Panorama

Answer 102

C. $Panorama

Question 103

On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

A. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3. Select Import Private key 4. Click Generate to generate the new certificate
B. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate
D. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export

Answer 103

C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate

Question 104

What is the maximum number of samples that can be submitted to WildFire manually per day?

A. 1,000
B. 2,000
C. 5,000
D. 15,000

Answer 104

A. 1,000

Question 105

What file type upload is supported as part of the basic WildFire service?

A. ELF
B. BAT
C. PE
D. VBS
Hide Solution

Answer 105

C. PE

Question 106

An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

A. Task Manager
B. System Logs
C. Traffic Logs
D. Configuration Logs

Answer 106

A. Task Manager

B. System Logs

Question 107

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

A. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.
B. Add a WildFire subscription to activate DoS and zone protection features.
C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems.
D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.

Answer 107

D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.

Question 108

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a
L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can help this organization?

A. Test Policy Match
B. Application Groups
C. Policy Optimizer
D. Config Audit

Answer 108

C. Policy Optimizer

Question 109

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

A. The bootstrap package is stored on an AFS share or a discrete container file bucket.
B. The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.
C. The /config, /content and /software folders are mandatory while the /license and /plugin folders are optional.
D. The init-cfg.txt and bootstrap.xml files are both optional configuration items for the /config folder.
E. The directory structure must include a /config, /content, /software and /license folders.

Answer 109

B. The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.

E. The directory structure must include a /config, /content, /software and /license folders.

Question 110

Which Panorama objects restrict administrative access to specific device-groups?

A. admin roles
B. authentication profiles
C. templates
D. access domains

Answer 110

D. access domains

Question 111

An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?

A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
B. Use an enterprise CA-signed certificate for the Forward Untrust certificate.
C. Use the same Forward Trust certificate on all firewalls in the network.
D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

Answer 111

A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.

Question 112

An administrator receives the following error message:
“IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0.”
How should the administrator identify the root cause of this error message?

A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.
B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.
C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Answer 112

B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.

Question 113

An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?

A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.

Answer 113

C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

Question 114

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL
Forward Proxy decryption for the website and the server certificate is not trusted by the firewall.
The end-user’s browser will show that the certificate for www. example-website.com was issued by which of the following?

A. Enterprise-Trusted-CA which is a self-signed CA
B. Enterprise-Root-CA which is a self-signed CA
C. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA
D. Enterprise-Untrusted-CA which is a self-signed CA

Answer 114

D. Enterprise-Untrusted-CA which is a self-signed CA

Question 115

What are three reasons for excluding a site from SSL decryption? (Choose three.)

A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication

Answer 115

B. unsupported ciphers
C. certificate pinning
E. mutual authentication

Question 116

When overriding a template configuration locally on a firewall, what should you consider?

A. Panorama will update the template with the overridden value.
B. The firewall template will show that it is out of sync within Panorama.
C. Only Panorama can revert the override.
D. Panorama will lose visibility into the overridden configuration.

Answer 116

D. Panorama will lose visibility into the overridden configuration.

Question 117

When setting up a security profile, which three items can you use? (Choose three.)

A. Wildfire analysis
B. anti-ransomware
C. antivirus
D. URL filtering
E. decryption profile

Answer 117

A. Wildfire analysis
C. antivirus
D. URL filtering

Question 118

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

A. Upgrade directly to the target major version.
B. Upgrade the HA pair to a base image.
C. Upgrade one major version at a time.
D. Upgrade two major versions at a time.

Answer 118

C. Upgrade one major version at a time.

Question 119

What are three types of Decryption Policy rules? (Choose three.)

A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy
D. Decryption Broker
E. Decryption Mirror

Answer 119

A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy

Question 120

During SSL decryption, which three factors affect resource consumption? (Choose three.)

A. key exchange algorithm
B. transaction size
C. TLS protocol version
D. applications ta non-standard ports
E. certificate issuer

Answer 120

A. key exchange algorithm
B. transaction size
C. TLS protocol version

Question 121

An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

A. A Decryption profile must be attached to the Decryption policy that the traffic matches.
B. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
C. A Decryption profile must be attached to the Security policy that the traffic matches.
D. There must be a certificate with only the Forward Trust option selected.

Answer 121

D. There must be a certificate with only the Forward Trust option selected.

Question 122

Which two features require another license on the NGFW? (Choose two.)

A. SSL Inbound Inspection
B. SSL Forward Proxy
C. Decryption Mirror
D. Decryption Broker

Answer 122

C. Decryption Mirror

D. Decryption Broker

Question 123

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization?

A. WildFire and Threat Prevention combine to minimize the attack surface.
B. After 24 hours, WildFire signatures are included in the antivirus update.
C. Protection against unknown malware can be provided in near real-time.
D. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall.

Answer 123

C. Protection against unknown malware can be provided in near real-time.

Question 124

What are two characteristic types that can be defined for a variable? (Choose two.)

A. zone
B. FQDN
C. IP netmask
D. path group

Answer 124

B. FQDN

C. IP netmask

Question 125

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

A. Permitted IP Addresses
B. SSH
C. https
D. User-ID
E. HTTP

Answer 125

A. Permitted IP Addresses
B. SSH
C. https

Question 126

An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane.
Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

A. > scp export mgmt-pcap from mgmt.pcap to (username@host:path)
B. > scp export poap-mgmt from poap.mgmt to (username@host:path)
C. > ftp export mgmt-pcap from mgmt.pcap to
D. > scp export pcap from pcap to (username@host:path)

Answer 126

A. > scp export mgmt-pcap from mgmt.pcap to (username@host:path)

Question 127

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

A. ׀׀3
B. Console Backup
C. HSCI-C
D. HA2 backup

Answer 127

A. HA3

D. HA2 backup

Question 128

What are two common reasons to use a “No Decrypt” action to exclude traffic from SSL decryption? (Choose two.)

A. the web server requires mutual authentication
B. the website matches a category that is not allowed for most users
C. the website matches a high-risk category
D. the website matches a sensitive category

Answer 128

A. the web server requires mutual authentication

D. the website matches a sensitive category

Question 129

PBF can address which two scenarios? (Choose two.)

A. routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B. providing application connectivity the primary circuit fails
C. enabling the firewall to bypass Layer 7 inspection
D. forwarding all traffic by using source port 78249 to a specific egress interface

Answer 129

A. routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B. providing application connectivity the primary circuit fails

Question 130

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour’s routing table.
Which two configurations should you check on the firewall? (Choose two.)

A. Ensure that the OSPF neighbour state is “2-Way”
B. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
C. Within the redistribution profile ensure that Redist is selected.
D. In the redistribution profile check that the source type is set to “ospf.”

Answer 130

B. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
C. Within the redistribution profile ensure that Redist is selected.

Question 131

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

A. unknown-udp
B. unknown-ip
C. incomplete
D. not-applicable

Answer 131

A. unknown-udp

Question 132

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

A. App-ID
B. Custom URL Category
C. User-ID
D. Destination Zone
E. Source Interface

Answer 132

B. Custom URL Category
C. User-ID
D. Destination Zone

Question 133

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane.
Where does the administrator view the desired data?

A. Resources Widget on the Dashboard
B. Monitor > Utilization
C. Support > Resources
D. Application Command and Control Center

Answer 133

A. Resources Widget on the Dashboard

Question 134

Which CLI command displays the physical media that are connected to ethernet1/8?

A. > show system state filter-pretty sys.s1.p8.stats
B. > show system state filter-pretty sys.s1.p8.med
C. > show interface ethernet1/8
D. > show system state filter-pretty sys.s1.p8.phy

Answer 134

D. > show system state filter-pretty sys.s1.p8.phy

Question 135

A variable name must start with which symbol?

A. $
B. !
C. #
D. &
Reveal Solution

Answer 135

A. $

Question 136

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A. self-signed CA certificate
B. server certificate
C. wildcard server certificate
D. client certificate
E. enterprise CA certificate

Answer 136

A. self-signed CA certificate

E. enterprise CA certificate

Question 137

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)

A. virtual systems
B. template stacks
C. variables
D. collector groups

Answer 137

B. template stacks

C. variables

Question 138

Which three statements accurately describe Decryption Mirror? (Choose three.)

A. Decryption, storage, inspection, and use of SSL traffic regulated in certain countries.
B. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
C. Decryption Mirror requires a tap interface on the firewall.
D. Only management consent is required to use the Decryption Mirror future.
E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.

Answer 138

A. Decryption, storage, inspection, and use of SSL traffic regulated in certain countries.
B. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.

Question 139

As a best practice, which URL category should you target first for SSL decryption?

A. Health and Medicine
B. High Risk
C. Online Storage and Backup
D. Financial Services

Answer 139

B. High Risk

Question 140

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A. LDAP Server Profile configuration
B. GlobalProtect
C. Windows-based User-ID agent
D. PAN-OS integrated User-ID agent

Answer 140

B. GlobalProtect

Question 141

Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file.

Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.

Step 3. Upload or drag and drop the technical support file.

Step 4. Map the zone type and area of the architecture to each zone.

Step 5.Follow the steps to download the BPA report bundle.

Question 142

In a Panorama template, which three types of objects are configurable? (Choose three.)

A. certificate profiles
B. HIP objects
C. QoS profiles
D. security profiles
E. interface management profiles

Answer 142

A. certificate profiles
C. QoS profiles
E. interface management profiles

Question 143

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.
What are two reasons why the firewall might not use a static route? (Choose two.)

A. duplicate state
B. no install on the route
C. disabling of the static route
D. path monitoring on the static route

Answer 143

B. no install on the route

D. path monitoring on the static route

Question 144

A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the following options and licenses were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users. Which two settings must the customer configure? (Choose two.)

A. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.
D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group.

Answer 144

B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.

Question 145

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

A. machine certificate
B. server certificate
C. certificate authority (CA) certificate
D. client certificate

Answer 145

B. server certificate

Question 146

Topic 1
In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?

A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours

Answer 146

B. 6 to 12 hours

Question 147

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket.
The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.
Where is the best place to validate if the firewall is blocking the user’s TAR file?

A. Threat log
B. Data Filtering log
C. WildFire Submissions log
D. URL Filtering log

Answer 147

B. Data Filtering log

Question 148

In a firewall, which three decryption methods are valid? (Choose three.)

A. SSL Outbound Proxyless Inspection
B. SSL Inbound Inspection
C. SSH Proxy
D. SSL Inbound Proxy
E. Decryption Mirror

Answer 148

B. SSL Inbound Inspection
C. SSH Proxy
E. Decryption Mirror

Question 149

Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

A. inherit address-objects from templates
B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks
D. standardize log-forwarding profiles for security polices across all stacks

Answer 149

B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks

Question 150

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

A. GlobalProtect client
B. PPTP tunnels
C. IPsec tunnels using IKEv2
D. GlobalProtect satellite

Answer 150

D. GlobalProtect satellite

Question 151

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

A. You must set the interface to Layer 2, Layer 3, or virtual wire.
B. The interface must be used for traffic to the required services.
C. You must use a static IP address.
D. You must enable DoS and zone protection.

Answer 151

B. The interface must be used for traffic to the required services.

Question 152

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure SSL/TLS connection?

A. link state
B. profiles
C. stateful firewall connection
D. certificates

Answer 152

D. certificates

Question 153

When you configure a Layer 3 interface, what is one mandatory step?

A. Configure virtual routers to route the traffic for each Layer 3 interface.
B. Configure Interface Management profiles, which need to be attached to each Layer 3 interface.
C. Configure Security profiles, which need to be attached to each Layer 3 interface.
D. Configure service routes to route the traffic for each Layer 3 interface.

Answer 153

A. Configure virtual routers to route the traffic for each Layer 3 interface.

Question 154

Which statement accurately describes service routes and virtual systems?

A. Virtual systems can only use one interface for all global service and service routes of the firewall.
B. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.
C. Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall.
D. The interface must be used for traffic to the required external services.

Answer 154

B. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.

Question 155

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version.
What is considered best practice for this scenario?

A. Perform the Panorama and firewall upgrades simultaneously.
B. Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version.
C. Upgrade Panorama to a version at or above the target firewall version.
D. Export the device state, perform the update, and then import the device state.

Answer 155

C. Upgrade Panorama to a version at or above the target firewall version.

Question 156

An administrator has 750 firewalls. The administrator’s central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

A. Panorama does not have valid licenses to push the dynamic updates.
B. Panorama has no connection to Palo Alto Networks update servers.
C. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
D. No service route is configured on the firewalls to Palo Alto Networks update servers.

Answer 156

C. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.

Question 157

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?

A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
C. Configure a Captive Portal authentication policy that uses an authentication sequence.
D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

Answer 157

B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.

Question 158

An administrator wants to enable zone protection.
Before doing so, what must the administrator consider?

A. Activate a zone protection subscription.
B. Security policy rules do not prevent lateral movement of traffic between zones.
C. The zone protection profile will apply to all interfaces within that zone.
D. To increase bandwidth, no more than one firewall interface should be connected to a zone.

Answer 158

C. The zone protection profile will apply to all interfaces within that zone.

Question 159

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

A. Disable HA.
B. Disable the HA2 link.
C. Set the passive link state to “shutdown.”
D. Disable config sync.

Answer 159

D. Disable config sync.

Question 160

Before you upgrade a Palo Alto Networks NGFW, what must you do?

A. Make sure that the PAN-OS support contract is valid for at least another year.
B. Export a device state of the firewall.
C. Make sure that the firewall is running a supported version of the app + threat update.
D. Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.
Hide Solution

Answer 160

C. Make sure that the firewall is running a supported version of the app + threat update.

Question 161

The UDP-4501 protocol-port is used between which two GlobalProtect components?

A. GlobalProtect app and GlobalProtect satellite
B. GlobalProtect app and GlobalProtect portal
C. GlobalProtect app and GlobalProtect gateway
D. GlobalProtect portal and GlobalProtect gateway

Answer 161

C. GlobalProtect app and GlobalProtect gateway

Question 162

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on- premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?

A. Configure Prisma Access to learn group mapping via SAML assertion.
B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
C. Assign a master device in Panorama through which Prisma Access learns groups.
D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.

Answer 162

C. Assign a master device in Panorama through which Prisma Access learns groups.

Question 163

What happens to traffic traversing SD-WAN fabric that doesn’t match any SD-WAN policies?

A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.
B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.
C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).
Hide Solution

Answer 163

C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.

Question 164

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two.)

A. certificate authority (CA) certificate
B. server certificate
C. client certificate
D. certificate profile

Answer 164

A. certificate authority (CA) certificate

D. certificate profile

Question 165

An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.
All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

A. WildFire logs
B. System logs
C. Threat logs
D. Traffic logs

Answer 165

A. WildFire logs

Question 166

A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.
Which configuration is necessary to retrieve groups from Panorama?

A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
B. Configure a group mapping profile to retrieve the groups in the target template.
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
D. Configure a master device within the device groups.

Answer 166

D. Configure a master device within the device groups.

Question 167

How can packet buffer protection be configured?

A. at zone level to protect firewall resources and ingress zones, but not at the device level
B. at the interface level to protect firewall resources
C. at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
D. at the device level (globally) and, if enabled globally, at the zone level

Answer 167

D. at the device level (globally) and, if enabled globally, at the zone level

Question 168

An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?

A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Configure policy-based forwarding
D. Deploy Prisma SD-WAN with Prisma Access

Answer 168

B. Upgrade to a PAN-OS SD-WAN subscription

Question 169

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.
What is the correct setting?

A. Change the HA timer profile to “user-defined” and manually set the timers.
B. Change the HA timer profile to “fast”.
C. Change the HA timer profile to “aggressive” or customize the settings in advanced profile.
D. Change the HA timer profile to “quick” and customize in advanced profile.

Answer 169

C. Change the HA timer profile to “aggressive” or customize the settings in advanced profile.

Question 170

What is the function of a service route?

A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.
B. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.
C. The service route is the method required to use the firewall’s management plane to provide services to applications.
D. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.

Answer 170

A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.

Question 171

Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

A. show session all filter ssl-decryption yes total-count yes
B. show session all ssl-decrypt yes count yes
C. show session all filter ssl-decrypt yes count yes
D. show session filter ssl-decryption yes total-count yes

Answer 171

C. show session all filter ssl-decrypt yes count yes

Question 172

While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache

Answer 172

B. show system setting ssl-decrypt certificate

Question 173

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

A. removing the Panorama serial number from the ZTP service
B. performing a factory reset of the firewall
C. performing a local firewall commit
D. removing the firewall as a managed device in Panorama

Answer 173

C. performing a local firewall commit

Question 174

In URL filtering, which component matches URL patterns?

A. live URL feeds on the management plane
B. security processing on the data plane
C. single-pass pattern matching on the data plane
D. signature matching on the data plane

Answer 174

C. single-pass pattern matching on the data plane

Question 175

In a template, you can configure which two objects? (Choose two.)

A. Monitor profile
B. application group
C. SD-WAN path quality profile
D. IPsec tunnel

Answer 175

A. Monitor profile

D. IPsec tunnel

Question 176

An organization’s administrator has the funds available to purchase more firewalls to increase the organization’s security posture.
The partner SE recommends placing the firewalls as close as possible to the resources that they protect.
Is the SE’s advice correct, and why or why not?

A. No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle, independent of placement.
B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.
C. No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network.
D. Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems.

Answer 176

B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.

Question 177

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

A. Preview Changes
B. Policy Optimizer
C. Managed Devices Health
D. Test Policy Match

Answer 177

D. Test Policy Match

Question 178

What is a key step in implementing WildFire best practices?

A. Configure the firewall to retrieve content updates every minute.
B. Ensure that a Threat Prevention subscription is active.
C. In a mission-critical network, increase the WildFire size limits to the maximum value.
D. n a security-first network, set the WildFire size limits to the minimum value.

Answer 178

B. Ensure that a Threat Prevention subscription is active.

Question 179

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

A. Phase 2 SAs are synchronized over HA2 links.
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
C. Phase 1 SAs are synchronized over HA1 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

Answer 179

A. Phase 2 SAs are synchronized over HA2 links.

Question 180

A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall.
Which Security Profile should be applied to a policy to prevent these packet floods?

A. Vulnerability Protection profile
B. DoS Protection profile
C. Data Filtering profile
D. URL Filtering profile

Answer 180

B. DoS Protection profile

Question 181

What are three reasons why an installed session can be identified with the “application incomplete” tag? (Choose three.)

A. There was no application data after the TCP connection was established.
B. The client sent a TCP segment with the PUSH flag set.
C. The TCP connection was terminated without identifying any application data.
D. There is not enough application data after the TCP connection was established.
E. The TCP connection did not fully establish.

Answer 181

A. There was no application data after the TCP connection was established.

C. The TCP connection was terminated without identifying any application data.

E. The TCP connection did not fully establish.

Question 182

An administrator’s device-group commit push is failing due to a new URL category.
How should the administrator correct this issue?

A. update the Firewall Apps and Threat version to match the version of Panorama
B. change the new category action to “alert” and push the configuration again
C. ensure that the firewall can communicate with the URL cloud
D. verity that the URL seed tile has been downloaded and activated on the firewall

Answer 182

A. update the Firewall Apps and Threat version to match the version of Panorama

Question 183

A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure
Web Ul authentication? (Choose three.)

A. Authentication Algorithm
B. Encryption Algorithm
C. Certificate
D. Maximum TLS version
E. Minimum TLS version

Answer 183

C. Certificate
D. Maximum TLS version
E. Minimum TLS version

Question 184

Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

A. Layer 3
B. Layer 2
C. Tap
D. Decryption Mirror

Answer 184

A. Layer 3