3 Months Free Update
When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)
A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)
Selecting the option to revert firewall changes will replace what settings?
Which rule type is appropriate for matching traffic occurring within a specified zone?
Which Security profile would you apply to identify infected hosts on the protected network uwall user database?
You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?
Which data-plane processor layer of the graphic shown provides uniform matching for spyware and vulnerability exploits on a Palo Alto Networks Firewall?
What is a recommended consideration when deploying content updates to the firewall from Panorama?
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection?
Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
Which three configuration settings are required on a Palo Alto Networks firewall management interface?
Given the detailed log information above, what was the result of the firewall traffic inspection?
Which firewall plane provides configuration, logging, and reporting functions on a separate processor?
Which solution is a viable option to capture user identification when Active Directory is not in use?
What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)
Which protocol is used to map username to user groups when User-ID is configured?
Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?
All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.
Complete the empty field in the Security policy using an application object to permit only this type of access.
Source Zone: Internal
Destination Zone: DMZ Zone
Application: __________
Service: application-default
Action: allow
Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)
An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.
Which type of single unified engine will get this result?
Within an Anti-Spyware security profile, which tab is used to enable machine learning based engines?
Which file is used to save the running configuration with a Palo Alto Networks firewall?
Which feature enables an administrator to review the Security policy rule base for unused rules?
An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list. What is the maximum number of entries that they can exclude?
Which Security profile must be added to Security policies to enable DNS Signatures to be checked?
The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)
What must be considered with regards to content updates deployed from Panorama?
Which type of firewall configuration contains in-progress configuration changes?
Which two Palo Alto Networks security management tools provide a consolidated creation of policies, centralized management and centralized threat intelligence? (Choose two.)
What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)
An administrator is implementing an exception to an external dynamic list by adding an entry to the list manually. The administrator wants to save the changes, but the OK button is grayed out.
What are two possible reasons the OK button is grayed out? (Choose two.)
An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.
Which Security profile should be used?
Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?
In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?
What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?
The CFO found a malware-infected USB drive in the parking lot, which, when inserted, infected their corporate laptop. The malware contacted a known command-and-control server, exfiltrating corporate data.
Which Security profile feature could have been used to prevent the communications with the command-and-control server?
What are three valid ways to map an IP address to a username? (Choose three.)
An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone. The administrator does not want to allow traffic between the DMZ and LAN zones.
Which Security policy rule type should they use?
An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.
Which security policy action causes this?
What is the default action for the SYN Flood option within the DoS Protection profile?
How does the Policy Optimizer policy view differ from the Security policy view?
An administrator needs to allow users to use only certain email applications.
How should the administrator configure the firewall to restrict users to specific email applications?
An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?
According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
Which two features implement one-to-one translation of a source IP address while allowing the source port to change? (Choose two.)
Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?
Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)
Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.
How many zones can an interface be assigned with a Palo Alto Networks firewall?
Which attribute can a dynamic address group use as a filtering condition to determine its membership?
Your company is highly concerned with their Intellectual property being accessed by unauthorized resources. There is a mature process to store and include metadata tags for all confidential documents.
Which Security profile can further ensure that these documents do not exit the corporate network?
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone. Complete the two empty fields in the Security policy rule that permits only this type of access. (Choose two.)
Which Security policy set should be used to ensure that a policy is applied first?
An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the rule type from its default value.
What type of Security policy rule is created?
The firewall sends employees an application block page when they try to access YouTube.
Which Security policy rule is blocking the youtube application?
Based on the security policy rules shown, ssh will be allowed on which port?
A website is unexpectedly allowed due to miscategorization.
What are two ways to resolve this issue for a proper response? (Choose two.)
Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?
An administrator has an IP address range in the external dynamic list and wants to create an exception for one specific IP address in this address range.
Which steps should the administrator take?
An administrator has configured a Security policy where the matching condition includes a single application and the action is deny.
If the application's default deny action is reset-both, what action does the firewall take?
Assume that traffic matches a Security policy rule but the attached Security Profile is configured to block matching traffic.
Which statement accurately describes how the firewall will apply an action to matching traffic?
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)
Which three types of entries can be excluded from an external dynamic list (EDL)? (Choose three.)
A network has 10 domain controllers, multiple WAN links, and a network infrastructure with bandwidth needed to support mission-critical applications. Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
Which feature must be configured to enable a data plane interface to submit DNS queries originated from the firewall on behalf of the control plane?
What is a default setting for NAT Translated Packets when the destination NAT translation is selected as Dynamic IP (with session distribution)?
What are two valid selections within an Anti-Spyware profile? (Choose two.)
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?
Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)
In which two Security Profiles can an action equal to the block IP feature be configured? (Choose two.)
Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?
Which System log severity level would be displayed as a result of a user password change?
What are the two default behaviors for the intrazone-default policy? (Choose two.)
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?
Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)
At which point in the app-ID update process can you determine if an existing policy rule is affected by an app-ID update?
By default, what is the maximum number of templates that can be added to a template stack?
Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?
View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?
A)
B)
C)
D)
An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are available for any known user in the organization.
What object is best suited for this configuration?