Q_376-400 Flashcards
Question #376 Topic 1
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
A. PBF > Static route > Security policy enforcement
B. BGP > PBF > NAT
C. PBF > Zone Protection Profiles > Packet Buffer Protection
D. NAT > Security policy enforcement > OSPF
A. PBF > Static route > Security policy enforcement
Question #377 Topic 1
While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is also being dropped by the DoS profile.
If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the drop to only the attacking sessions?
A. Enable resources protection under the DoS Protection profile.
B. Change the SYN flood action from Random Early Drop to SYN cookies.
C. Increase the activate rate for the SYN flood protection.
D. Change the DoS Protection profile type from aggregate to classified.
B. Change the SYN flood action from Random Early Drop to SYN cookies.
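Why SYN cookies confine the drops to the attacking sessions, as an added example that is not from the flashcards or from PAN-OS itself: the block below models a generic SYN-cookie scheme (a MAC over the 4-tuple and a time counter, echoed back as the ACK number) and compares it with a simple Random Early Drop model under a constructed flood. The secret, addresses, rates and the linear RED drop curve are assumptions for illustration, not PAN-OS internals.

```python
import hashlib
import hmac
import random

# Assumption: a per-device secret; real implementations rotate it regularly.
SECRET = b"constructed-demo-secret"


def syn_cookie(src_ip, sport, dst_ip, dport, t):
    """Return a 32-bit ISN: 8-bit time counter in the top byte, 24-bit MAC below.

    Nothing is stored for the half-open connection; the cookie itself carries
    everything needed to recognise a genuine third-handshake ACK later.
    """
    t8 = t & 0xFF
    msg = f"{src_ip}:{sport}>{dst_ip}:{dport}|{t8}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (t8 << 24) | int.from_bytes(mac[:3], "big")


def validate_ack(src_ip, sport, dst_ip, dport, ack, now, max_age=2):
    """Accept the ACK only if ack-1 is a cookie issued within the last max_age ticks."""
    isn = (ack - 1) & 0xFFFFFFFF
    t8 = isn >> 24
    for age in range(max_age + 1):
        cand = (now - age) & 0xFF
        if cand != t8:
            continue
        expected = syn_cookie(src_ip, sport, dst_ip, dport, cand)
        if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
            return True
    return False


def simulate_flood(legit=200, attack=5000, activate_rate=1000, max_rate=6000, seed=1):
    """Model one second of SYNs: `legit` real clients plus `attack` spoofed SYNs.

    RED model: above activate_rate the drop probability rises linearly to 100% at
    max_rate and is applied to every SYN alike, so legitimate clients are hit too.
    SYN-cookie model: no SYN is dropped and no state is kept; a session exists only
    when a valid ACK comes back, which spoofed sources never send.
    """
    rng = random.Random(seed)
    total = legit + attack
    p_drop = min(1.0, max(0.0, (total - activate_rate) / (max_rate - activate_rate)))
    red_legit_dropped = sum(1 for _ in range(legit) if rng.random() < p_drop)

    now = 7
    fw = ("203.0.113.10", 443)  # constructed firewall-side address
    cookie_sessions = 0
    for i in range(legit):
        client = (f"198.51.100.{i % 254 + 1}", 40000 + i)
        isn = syn_cookie(client[0], client[1], fw[0], fw[1], now)
        # A real client echoes isn+1 in its ACK one tick later.
        if validate_ack(client[0], client[1], fw[0], fw[1], isn + 1, now + 1):
            cookie_sessions += 1
    # A spoofing attacker never sees the SYN-ACK, so any ACK it forges is a guess.
    forged_ok = validate_ack("192.0.2.99", 1234, fw[0], fw[1], rng.getrandbits(32), now + 1)
    return {
        "red_drop_probability": round(p_drop, 3),
        "red_legit_dropped": red_legit_dropped,
        "syn_cookie_legit_sessions": cookie_sessions,
        "syn_cookie_forged_ack_accepted": forged_ok,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

Under RED, every SYN above the activate rate shares the same drop probability, so real clients lose roughly that fraction of their connections; with cookies no SYN is dropped and no state is allocated, and a session only exists once a peer returns the ACK that echoes its cookie, which spoofed sources cannot do.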
Question #378 Topic 1
A firewall administrator wants to have visibility into one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.
There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to take extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruption and without making any IP changes.
What is the best option for the administrator to take?
A. Configure the TAP interface for segment X on the firewall
B. Configure a Layer 3 interface for segment X on the firewall.
C. Configure vwire interfaces for segment X on the firewall.
D. Configure a new vsys for segment X on the firewall.
A. Configure the TAP interface for segment X on the firewall
Question #379 Topic 1
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
A. by configuring User-ID group mapping in Panorama > User Identification
B. by configuring Master Device in Panorama > Device Groups
C. by configuring User-ID source device in Panorama > Managed Devices
D. by configuring Data Redistribution Client in Panorama > Data Redistribution
B. by configuring Master Device in Panorama > Device Groups
Question #380 Topic 1
After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the application showing as unknown-tcp.
Which possible firewall change could have caused this issue?
A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings
B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup > Content-ID > Content-ID Settings
C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the number of available packet buffers.
D. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-order and application identification
A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings
Forward Segments Exceeding TCP App-ID™ Inspection Queue
Enable this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments in excess of this queue regardless of whether you enabled or disabled this option:
Question #381 Topic 1
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
A. upload-only
B. install and reboot
C. upload and install
D. upload and install and reboot
E. verify and install
A. upload-only
B. install and reboot
D. upload and install and reboot
Question #382 Topic 1
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
A. Apply a DoS profile to security rules that allow traffic from outside.
B. Enable packet buffer protection for the affected zones.
C. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.
D. Add a Zone Protection profile to the affected zones.
B. Enable packet buffer protection for the affected zones.
Question #384 Topic 1
What is a correct statement regarding administrative authentication using external services with a local authorization method?
A. The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall.
B. Prior to PAN-OS 10.2, an administrator used the firewall to manage role assignments, but access domains have not been supported by this method.
C. Starting with PAN-OS 10.2, an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication.
D. The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.
D. The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.
Question #385 Topic 1
A network administrator notices there is a false-positive situation after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays: threat type: spyware, category: dns-c2, threat ID: 1000011111.
Which set of steps should the administrator take to configure an exception for this signature?
A. Navigate to Objects > Security Profiles > Anti-Spyware; select the related profile; select the Signature Exceptions tab and then click Show All Signatures; search for the related threat ID and click Enable; change the default action; Commit.
B. Navigate to Objects > Security Profiles > Anti-Spyware; select the related profile; select the Exceptions tab and then click Show All Signatures; search for the related threat ID and click Enable; Commit.
C. Navigate to Objects > Security Profiles > Vulnerability Protection; select the related profile; select the Exceptions tab and then click Show All Signatures; search for the related threat ID and click Enable; Commit.
D. Navigate to Objects > Security Profiles > Anti-Spyware; select the related profile; select the DNS Exceptions tab; search for the related threat ID and click Enable; Commit.
A. Navigate to Objects > Security Profiles > Anti-Spyware; select the related profile; select the Signature Exceptions tab and then click Show All Signatures; search for the related threat ID and click Enable; change the default action; Commit.
Question #386 Topic 1
-graphic-
In the screenshot above, which two pieces of information can be determined from the ACC configuration shown? (Choose two.)
A. Insecure-credentials, brute-force, and protocol-anomaly are all a part of the vulnerability Threat Type.
B. The Network Activity tab will display all applications, including FTP.
C. Threats with a severity of “high” are always listed at the top of the Threat Name list.
D. The ACC has been filtered to only show the FTP application.
A. Insecure-credentials, brute-force, and protocol-anomaly are all a part of the vulnerability Threat Type.
D. The ACC has been filtered to only show the FTP application.
Check the filter section on the left: it shows “ftp”. The Threat Activity bar shows Threat Type (vulnerability) and then lists insecure-credentials, brute-force, and protocol-anomaly.
Question #387 Topic 1
-graphic-
Given the screenshot, how did the firewall handle the traffic?
A. Traffic was allowed by policy but denied by profile as encrypted.
B. Traffic was allowed by policy but denied by profile as a threat.
C. Traffic was allowed by profile but denied by policy as a threat.
D. Traffic was allowed by policy but denied by profile as a nonstandard port.
B. Traffic was allowed by policy but denied by profile as a threat.
Action: allow; Action Source: from-policy; Session End Reason: threat.
The detailed log shows the session was blocked by a URL Filtering profile because the category is “proxy-avoidance”.
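The same determination made from exported logs, as an added example that is not part of the flashcards or of any PAN-OS tool: the block parses constructed traffic and URL Filtering log lines in a reduced CSV shape and applies the rule from the answer above, joining the two logs on the session ID to recover the reason for a profile block. The sample rows, session IDs and reduced column set are constructed for illustration; a real PAN-OS export carries many more fields.

```python
import csv
import io

# Constructed sample in the shape of a PAN-OS traffic-log CSV export, cut down to
# the columns this classification needs.
SAMPLE_TRAFFIC_LOG = """\
receive_time,sessionid,src,dst,dport,app,rule,action,action_source,session_end_reason
2024/05/01 10:00:01,1001,10.1.1.5,93.184.216.34,443,web-browsing,Allow-Web,allow,from-policy,tcp-fin
2024/05/01 10:00:02,1002,10.1.1.7,198.51.100.20,443,ssl,Allow-Web,allow,from-policy,threat
2024/05/01 10:00:03,1003,10.1.1.9,203.0.113.8,22,ssh,Deny-All,deny,from-policy,policy-deny
2024/05/01 10:00:04,1004,10.1.1.9,203.0.113.9,8443,unknown-tcp,Allow-Web,allow,from-policy,aged-out
2024/05/01 10:00:05,1005,10.1.1.3,198.51.100.22,443,ssl,Allow-Web,allow,from-policy,threat
"""

# Constructed URL Filtering log; only session 1002 has a matching entry.
SAMPLE_URL_LOG = """\
receive_time,sessionid,url,category,action
2024/05/01 10:00:02,1002,proxy.example.net/,proxy-avoidance,block-url
"""


def load(csv_text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(row, url_by_session):
    """Say how the firewall handled one session.

    The Security policy decides allow versus deny (action, with action_source
    from-policy). A session the policy allowed that ends with
    session_end_reason == "threat" was stopped afterwards by a Security profile;
    the URL Filtering or Threat log for the same session ID names the cause.
    """
    action = row["action"]
    end = row["session_end_reason"]
    if action == "allow" and end == "threat":
        detail = url_by_session.get(row["sessionid"])
        if detail:
            why = f"URL Filtering category {detail['category']}, action {detail['action']}"
        else:
            why = "no URL Filtering entry; check the Threat log for this session"
        return f"allowed by policy, blocked by profile ({why})"
    if action == "allow":
        return "allowed by policy and profiles"
    if end == "policy-deny" or action in ("deny", "drop") or action.startswith("reset"):
        return "denied by policy"
    return "unclassified"


def summarize(traffic_csv=SAMPLE_TRAFFIC_LOG, url_csv=SAMPLE_URL_LOG):
    """Return {sessionid: verdict} for every traffic-log row."""
    url_by_session = {r["sessionid"]: r for r in load(url_csv)}
    return {r["sessionid"]: classify(r, url_by_session) for r in load(traffic_csv)}


if __name__ == "__main__":
    for sid, verdict in summarize().items():
        print(sid, verdict)
```

The point the question tests is visible in session 1002: the traffic log alone says allow plus a threat end reason, and only the URL Filtering log for the same session shows that the block came from the proxy-avoidance category rather than a Threat Prevention signature.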
Question #388 Topic 1
Your company wants greater visibility into their traffic and has asked you to start planning an SSL Decryption project. The company does not have a PKI infrastructure, and multiple certificates would be needed for this project. Which type of certificate can you use to generate other certificates?
A. self-signed root CA
B. external CA certificate
C. server certificate
D. device certificate
A. self-signed root CA
Question #389 Topic 1
-graphic-
Refer to the screenshots. Without the ability to use Context Switch, where do admin accounts need to be configured in order to provide admin access to Panorama and to the managed devices?
A. The Panorama section overrides the Device section. The accounts need to be configured only in the Panorama section.
B. The sections are independent. The accounts need to be configured in both the Device and Panorama sections.
C. The Device section overrides Panorama section. The accounts need to be configured only in the Device section.
D. Configuration in the sections is merged together. The accounts need to be configured in either section.
B. The sections are independent. The accounts need to be configured in both the Device and Panorama sections.
Question #390 Topic 1
A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited.
Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?
A. a WildFire profile and a File Blocking profile
B. a Vulnerability Protection profile and a Decryption policy
C. a Vulnerability Protection profile and a QoS policy
D. a Decryption policy and a Data Filtering profile
B. a Vulnerability Protection profile and a Decryption policy
Exploit attempts are matched by Vulnerability Protection signatures, and the firewall can only inspect the payload of a TLS session after a Decryption policy has decrypted it. File Blocking is a different profile: it controls file transfers by type and does not detect exploits.