Q1. A company has a web server behind their Palo Alto Networks firewall that they would like to make accessible to the public. They have decided to configure a destination NAT Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
Public zone: Untrust-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?
A. DMZ-L3
B. Any
C. Untrust-L3
D. Trust-L3
Answer: C
Q2. A hotel chain is using a system to centrally control a variety of items in guest rooms. The client devices in each guest room communicate to the central controller using TCP and frequently disconnect due to premature timeouts when going through a Palo Alto Networks firewall.
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom application.
C. Create an application with a specified TCP timeout and assign traffic to it with an application override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom application.
Answer: C
Q3. Which best describes how Palo Alto Networks firewall rules are applied to a session?
A. last match applied
B. first match applied
C. all matches applied
D. most specific match applied
Answer: B
Q4. A Palo Alto Networks firewall has the following interface configuration:
Hosts are directly connected on the following interfaces:
Ethernet 1/6 - Host IP 192.168.62.2
Ethernet 1/3 - Host IP 10.46.40.63
The security administrator is investigating why ICMP traffic between the hosts is not working.
She first ensures that all traffic is allowed between zones based on the following security policy rule:
The routing table of the firewall shows the following output:
Which interface configuration change should be applied to ethernet1/6 to allow the two hosts to communicate based on this information?
A. Change the Management Profile.
B. Change the security policy to explicitly allow ICMP on this interface.
C. Change the configured zone to DMZ.
D. Change the Virtual Router setting to VR1.
Answer: D
Q5. Company employees have been given access to the GlobalProtect Portal at https://portal.company.com:
Assume the following:
1. The firewall is configured to resolve DNS names using the internal DNS server.
2. The URL portal.company.com resolves to the external interface of the firewall on the company’s external DNS server and to the internal interface of the firewall on the company’s internal DNS server.
3. The URL gateway1.company.com resolves to the external interface of the firewall on the company’s external DNS server and to the internal interface of the firewall on the company’s internal DNS server.
This Gateway configuration will have which two outcomes? Choose 2 answers
A. Clients outside the network will be able to connect to the external gateway Gateway1.
B. Clients inside the network will be able to connect to the internal gateway Gateway1.
C. Clients outside the network will NOT be able to connect to the external gateway Gateway1.
D. Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Answer: A,B
Q6. HOTSPOT
Within a Zone Protection Profile, under the Reconnaissance Protection tab, there are several possible values for Action:
Match each Reconnaissance Protection Action to its description. Answer options may be used more than once or not at all.
Answer:
Q7. As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > ... and then what operation?
A. Revert to Running Configuration
B. Revert to last Saved Configuration
C. Load Configuration Version
D. Import Named Configuration Snapshot
Answer: A
Q8. When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most informative logs?
A. Responding side, Traffic Logs
B. Initiating side, Traffic Logs
C. Responding side, System Logs
D. Initiating side, System Logs
Answer: C
Q9. What is the default setting for 'Action' in a Decryption Policy's rule?
A. No-decrypt
B. Decrypt
C. Any
D. None
Answer: D
Q10. Both SSL decryption and SSH decryption are disabled by default.
A. True
B. False
Answer: A
Q11. When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
A. Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
B. Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
C. Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
D. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Answer: A
Q12. Which of the following must be configured when deploying User-ID to obtain information from an 802.1x authenticator?
A. Terminal Server Agent
B. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
C. A User-ID agent, with the "Use for NTLM Authentication" option enabled.
D. XML API for User-ID Agent
Answer: D
Q13. Which two steps are required to make Microsoft Active Directory users appear in the firewall’s traffic log? Choose 2 answers
A. Enable User-ID on the zone object for the source zone.
B. Enable User-ID on the zone object for the destination zone.
C. Configure a RADIUS server profile to point to a domain controller.
D. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions.
E. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions.
Answer: A,E
Q14. A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security Profile?
A. Filter the Session Browser for all sessions from the user with the application "adobe".
B. Filter the System log for "Download Failed" messages.
C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action.
D. Filter the Data Filtering logs for the user’s traffic and the name of the PDF file.
Answer: D
Q15. What are two sources of information for determining if the firewall has been successful in communicating with an external User-ID Agent?
A. System Logs and the indicator light under the User-ID Agent settings in the firewall
B. There's only one location - System Logs
C. There's only one location - Traffic Logs
D. System Logs and indicator light on the chassis
Answer: A