Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?
A. Deny application facebook-chat before allowing application facebook
B. Deny application facebook on top
C. Allow application facebook on top
D. Allow application facebook before denying application facebook-chat
A. Deny application facebook-chat before allowing application facebook
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)
A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing
A. Block sessions with expired certificates
D. Block sessions with untrusted issuers
Which Captive Portal mode must be configured to support MFA authentication?
A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent
B. Redirect
Which client software can be used to connect a remote Linux client into a Palo Alto Networks infrastructure without sacrificing the ability to scan traffic and protect against threats?
A. X-Auth IPsec VPN
B. GlobalProtect Apple iOS
C. GlobalProtect SSL
D. GlobalProtect Linux
A. X-Auth IPsec VPN
Which three authentication factors does PAN-OS software support for MFA? (Choose three.)
A. Push
B. Pull
C. Okta Adaptive
D. Voice
E. SMS
A. Push
D. Voice
E. SMS
Which three options are available when creating a security profile? (Choose three)
A. Anti-Malware
B. File Blocking
C. URL Filtering
D. IDS/ISP
E. Threat Prevention
F. Antivirus
A. Anti-Malware
B. File Blocking
F. Antivirus
How are IPv6 DNS queries configured to use interface ethernet1/3?
A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration
D. Device > Setup > Services > Service Route Configuration
The certificate information displayed in the following image is for which type of certificate? [image]
Certificate information
Name: decrypt
Subject: /O=Palo Alto Network/CN=192.168.1.1
Issuer: /O=Palo Alto Network/CN=192.168.1.1
Not Valid Before: Jul 7 14:11:08 2017 GMT
Not Valid After: Jul 7 14:11:08 2018 GMT
Algorithm: RSA
[X] Certificate Authority
[__] Forward Trust Certificate
[__] Forward Untrust Certificate
[__] Trusted Root CA
A. Forward Trust certificate
B. Self-Signed Root CA certificate
C. Web Server certificate
D. Public CA signed certificate
B. Self-Signed Root CA certificate
Refer to the exhibit. [image]
>show routing fib
id destination next hop interface
47 0.0.0.0/0 10.26.40.1 eth1/3
46 10.46.40.0/23 0.0.0.0 eth1/3
45 10.46.41.1111/32 0.0.0.0 eth1/3
70 10.46.41.113/32 10.46.40.1 eth1/3
51 192.168.111.0/24 0.0.0.0 eth1/6
50 192.168.111.2/32 0.0.0.0 eth1/6
>show virtual-wire all
name interface1 interface2 flags
vw-1 eth1/7 eth1/5 p
Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?
A. ethernet1/6
B. ethernet1/3
C. ethernet1/7
D. ethernet1/5
D. ethernet1/5
Which option is an IPv6 routing protocol?
A. RIPv3
B. OSPFv3
C. OSPv3
D. BGP NG
B. OSPFv3
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)
A. NTP
B. Antivirus
C. Wildfire updates
D. NAT
E. File tracking
A. NTP
C. Wildfire updates
D. NAT
What must be used in Security policy rules that contain addresses where NAT policy applies?
A. Pre-NAT addresses and Pre-NAT zones
B. Post-NAT addresses and Post-NAT zones
C. Pre-NAT addresses and Post-NAT zones
D. Post-NAT addresses and Pre-NAT zones
C. Pre-NAT addresses and Post-NAT zones
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A. check
B. find
C. test
D. sim
C. test
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?
A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
B. Wait until an official Application signature is provided from Palo Alto Networks.
C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application
D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic
D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic
Which is not a valid reason for receiving a decrypt-cert-validation error?
A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer
A. Unsupported HSM
In which two types of deployment is active/active HA configuration supported? (Choose two.)
A. TAP mode
B. Layer 2 mode
C. Virtual Wire mode
D. Layer 3 mode
C. Virtual Wire mode
D. Layer 3 mode
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and is experiencing issues completing the connection. The following is the output from the command: [image]
less mp-log ikemgr.log:
[INFO]: IPsec-SA request for 108.81.64.59 queued since no phase1 found
[PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <========> Initiated SA: 69.15.96.53 [500]-108.81.64.59[500] cookie: 09e85260f28f4e15:0000000<=====
[PROTO_NOTIFY] ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <========> Failed SA: 69.15.96.53[500]-108.81.64.59[500] cookie: 09e85260f28f4e15:0000000 <==== Due to timeout.
[INFO] ====> PHASE-1 SA DELETED <====
REMAINDER OMITTED
What could be the cause of this problem?
A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
C. The shared secrets do not match between the Palo Alto firewall and the ASA.
D. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.