Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?
A. GlobalProtect
B. AutoFocus
C. Aperture
D. Panorama
A. GlobalProtect
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)
A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies
B, D - p. 140-141
When is the content inspection performed in the packet flow process?
A. after the application has been identified
B. after the SSL Proxy re-encrypts the packet
C. before the packet forwarding process
D. before session lookup
A - p. 122
An administrator is configuring a NAT rule. At a minimum, which three forms of information are required? (Choose three.)
A. name
B. source zone
C. destination interface
D. destination address
E. destination zone
B,D,E - p. 133-134
Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?
A. It defines the SSL/TLS encryption strength used to protect the management interface.
B. It defines the CA certificate used to verify the client's browser.
C. It defines the certificate to send to the client's browser from the management interface.
D. It defines the firewall's global SSL/TLS timeout values.
In the example security policy shown, which two websites are blocked? (Choose two.)
A. LinkedIn
B. Facebook
C. YouTube
D. Amazon
A, B
Which attribute can a dynamic address group use as a filtering condition to determine its membership?
A. tag
B. wildcard mask
C. IP address
D. subnet mask
A - p. 85-86
A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)
A. RIP
B. OSPF
C. IS-IS
D. EIGRP
E. BGP
A,B,E - p. 64
After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration.
Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?
A. Import named config snapshot
B. Load named configuration snapshot
C. Revert to running configuration
D. Revert to last saved configuration
B - p. 23
Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?
A. reconnaissance
B. delivery
C. exploitation
D. installation
B
Which Palo Alto Networks Security Operating Platform component provides consolidated policy creation and centralized management?
A. Prisma SaaS
B. Panorama
C. AutoFocus
D. GlobalProtect
B
An administrator is reviewing the Security policy rules shown in the screenshot below. Which statement is correct about the information displayed?
A. Eleven rules use the "Infrastructure" tag.
B. The view Rulebase as Groups is checked.
C. There are seven Security policy rules on this firewall.
D. Highlight Unused Rules is checked.
B -
Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided password?
A. exclude
B. continue
C. hold
D. override
D - p. 151-152
Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?
A. Palo Alto Networks Bulletproof IP Addresses
B. Palo Alto Networks C&C IP Addresses
C. Palo Alto Networks Known Malicious IP Addresses
D. Palo Alto Networks High-Risk IP Addresses
A - p. 95
An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released.
Which object should the administrator use as a match condition in the Security policy?
A. the Content Delivery Networks URL category
B. the Online Storage and Backup URL category
C. an application group containing all of the file-sharing App-IDs reported in the traffic logs
D. an application filter for applications whose subcategory is file-sharing
D - p. 108
Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the User-ID agent
A. 2-3-4-1
B. 1-4-3-2
C. 3-1-2-4
D. 1-3-2-4
D - p. 160
Based on the security policy rules shown, ssh will be allowed on which port?
A. any port
B. same port as ssl and snmpv3
C. the default port
D. only ephemeral ports
What must be considered with regards to content updates deployed from Panorama?
A. Content update schedulers need to be configured separately per device group.
B. Panorama can only install up to five content versions of the same type for potential rollback scenarios.
C. A PAN-OS upgrade resets all scheduler configurations for content updates.
D. Panorama can only download one content update at a time for content updates of the same type.
D
Source:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama
Which three configuration settings are required on a Palo Alto Networks firewall management interface?
A. default gateway
B. netmask
C. IP address
D. hostname
E. auto-negotiation
A,B,C - p. 9
When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?
A. 80
B. 443
C. 4443
D. 8443
C (tcp/udp/https substitute)
Source:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS
Starting with PAN-OS version 9.1, which new type of object is supported for use within the user field of a security policy rule?
A. local username
B. dynamic user group
C. remote username
D. static user group
B - p. 96
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List
A,D - p. 141
Which administrator type utilizes predefined roles for a local administrator account?
A. Superuser
B. Role-based
C. Dynamic
D. Device administrator
C - p. 88
Which solution is a viable option to capture user identification when Active Directory is not in use?
A. Cloud Identity Engine
B. group mapping
C. Directory Sync Service
D. Authentication Portal
D - p. 21
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone. Complete the two empty fields in the Security policy rule that permits only this type of access. (Choose two.)
A. Service = "any"
B. Application = "Telnet"
C. Service = "application-default"
D. Application = "any"
B,C - p. 136
Which option lists the attributes that are selectable when setting up an Application filter?
A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology
B - p. 118
What is the purpose of the automated commit recovery feature?
A. It reverts the Panorama configuration.
B. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.
C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.
D. It generates a config log after the Panorama configuration successfully reverts to the last running configuration.
C - p. 32
Which statement is true regarding NAT rules?
A. Static NAT rules have precedence over other forms of NAT.
B. Translation of the IP address and port occurs before security processing.
C. NAT rules are processed in order from top to bottom.
D. Firewall supports NAT on Layer 3 interfaces only.
A -
Which information is included in device state other than the local configuration?
A. uncommitted changes
B. audit logs to provide information of administrative account changes
C. system logs to provide information of PAN-OS changes
D. device group and template settings pushed from Panorama
D - p. 28
What is a prerequisite before enabling an administrative account which relies on a local firewall user database?
A. Configure an authentication policy
B. Configure an authentication sequence
C. Configure an authentication profile
D. Isolate the management interface on a dedicated management VLAN
C - p. 23