Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping. What is the quickest
... [Show More] way to reset the hit counter to zero in all the security policy rules?
A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
D. Use the Reset Rule Hit Counter>All Rules option
D. Use the Reset Rule Hit Counter > All Rules option
Which Two App-ID applications will you need to allow in your Security policy to use facebook-chat?
A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email
B. facebook-chat
C. facebook-base
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
A. Windows-based agents deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links
A. Windows-based agent deployed on the internal network
Your company requires positive username attribution of every IP address used by the wireless devices to support a new compliance requirement. You must collect IP to user mapping as soon as possible with the minimal configuration changes to the wireless devices themselves. the wireless devices are from various manufactures. Given the scenario, choose the option for sending IP-to user mapping to the NGFW.
A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers
A. syslog
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command- and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)
A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies
B. anti-spyware profile applied to outbound security polices
D. URL filtering profile applied to out bound security
Which interface does not require a MAC or IP address?
A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback
A. Virtual Wire
Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
Step 1 : Select Network
Step 2: Select Zones from the list of available items
Step 3: Select add
Step 4: Specify Zone Name
Step 5: Specify Zone type
Step 6: Assign interface as needed
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)
A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy
A. An implicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?
A. management
B. network processing
C. data
D. security processing
A. management
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified byApp-ID as SuperApp_base.On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications
C. No impact because the firewall automatically adds the rules to the App-ID interface
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. two
B. three
C. four
D. one
D. one
Which option shows the attributes that are selectable when setting up application filters?
A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology
B. Category, Subcategory, Technology, Risk, and Characteristic
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List
A. Block List
D. Allow List
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?
A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent
C. Captive Portal
An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
B. Create an Application Group and add business-systems to it
Which statement is true regarding a Best Practice Assessment?
A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
B. It provides a percentage of adoption for each assessment area
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
A. on either the data place or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic.
D. after it is matched by a security policy rule that allows or blocks traffic.
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days
D. Rule Usage Filter > Hit Count > Unused in 90 days
Which Security Profile mitigates attacks based on packet count?
A. zone protection profile
B. URL filtering profile
C. antivirus profile
D. vulnerability profile
A. zone protection profile
Which interface type uses virtual routers and routing protocols?
A. Tap
B. Layer3
C. Virtual Wire
D. Layer2
B. Layer3
Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
A. Override
B. Allow
C. Block
D. Continue
B. Allow
An internal host needs to connect through the firewall using source NAT to servers of the internet. Which policy is required to enable source NAT on the firewall?
A. NAT policy with internal zone and internet zone specified
B. post-NAT policy with external source and any destination address
C. NAT policy with no internal or internet zone selected
D. pre-NAT policy with external source and any destination address
A. NAT policy with internal zone and internet zone specified
Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packets source and destination IP addresses?
A. DoS protection
B. URL filtering
C. packet buffering
D. anti-spyware
A. DoS protection
Which path in PAN-OS 9.0 displays the list of port-based security policy rules?
A. Policies> Security> Rule Usage> No App Specified
B. Policies> Security> Rule Usage> Port only specified
C. Policies> Security> Rule Usage> Port-based Rules
D. Policies> Security> Rule Usage> Unused Apps
Answer : C
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)
A. Layer-ID
B. User-ID
C. QoS-ID
D. App-ID
B. User-ID
D. App-ID
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
A. Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces
C. Device>Setup>Operations
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?
A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches
A. Review Policies
How do you reset the hit count on a Security policy rule?
A. Select a Security policy rule, and then select Hit Count > Reset.
B. Reboot the data-plane.
C. First disable and then re-enable the rule.
D. Type the CLI command reset hitcount .
A. Select a Security policy rule, and then select Hit Count > Reset.
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
A. Management
B. High Availability
C. Aggregate
D. Aggregation
C. Aggregate [Show Less]