Q1. The "Disable Server Return Inspection" option on a security profile:
A. Can only be configured in Tap Mode
B. Should only be enabled on security policies allowing traffic to a trusted server.
C. Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet
D. Only performs inspection of traffic from the side that originated the TCP SYN-ACK packet
Answer: B
Q2. With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of the device. In situations where the public ID is not static, this value can be replaced with a domain name or other text value
A. True
B. False
Answer: A
Q3. Which option allows an administrator to segrate Panorama and Syslog traffic, so that the Management Interface is not employed when sending these types of traffic?
A. Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and Syslog devices.
B. Define a Loopback interface for the Panorama and Syslog Devices
C. On the Device tab in the Web UI, create custom server profiles for Syslog and Panorama
D. Service Route Configuration
Answer: D
Q4. Which three processor types are found on the data plane of a PA-5050? Choose 3 answers
A. Multi-Core Security Processor
B. Signature Match Processor
C. Network Processor
D. Protocol Decoder Processor
E. Management Processor
Answer: A,B,C
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 8
Q5. A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall, with this configuration information:
Users outside the company are in the "Untrust-L3" zone.
The web server physically resides in the "Trust-L3" zone.
Web server public IP address: 1.1.1.1
Web server private IP address: 192.168.1.10
Which NAT Policy rule will allow users outside the company to access the web server?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Q6. When a user logs in via Captive Portal, their user information can be checked against:
A. Terminal Server Agent
B. Security Logs
C. XML API
D. Radius
Answer: D
Q7. By default, all PA-5060 syslog data is forwarded out the Management interface. What needs to be configured in order to send syslog data out of a different interface?
A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the same route.
B. Configure an Interface Management Profile and apply it to the interface that the syslogs will be sent through.
C. Configure a Service Route for the Syslog service to use a dataplane interface.
D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs.
Answer: C
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/reports-and-logging/define-remote-logging-destinations.html
Q8. What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
A. superuser
B. vsysadmin
C. A custom role is required for this level of access
D. deviceadmin
Answer: D
Q9. What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
A. Improved DNSbased C&C signatures.
B. Improved PANDB malware detection.
C. Improved BrightCloud malware detection.
D. Improved malware detection in WildFire.
Answer: A,B,D
Q10. What is the name of the debug save file for IPSec VPN tunnels?
A. set vpn all up
B. test vpn ike-sa
C. request vpn IPsec-sa test
D. Ikemgr.pcap
Answer: D
Q11. You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a specific file type, and there is a specific application that you want to match in the policy.
What are three valid actions that can be set when the specified file is detected? Choose 3 answers
A. Reset-both
B. Block
C. Continue
D. Continue-and-forward
E. Upload
Answer: B,C,D
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_8.pdf page 287
Q12. Given the following routing table:
Which configuration change on the firewall would cause it to use 10.66.24.88 as the nexthop for the 192.168.93.0/30 network?
A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the metric for RIP to be lower than that of OSPF Ext
D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
Answer: D
Explanation:
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5284-102-3-17278/Route%20Redistribution%20and%20Filtering%20TechNote%20-%20Rev%20B.pdf
Q13. HOTSPOT
Match the description of an application field with its name.
Answer options may be used more than once or not at all.
Answer:
Q14. Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred in the last day?
A. Monitor->Session Browser
B. Monitor->App Scope->Summary
C. Objects->Applications->web-browsing
D. ACC->Application
Answer: D
Explanation:
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
Q15. What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
A. Security, NAT, Policy-Based Forwarding
B. Intrazone, Interzone, Global
C. Intrazone, Interzone, Universal
D. Application, User, Content
Answer: C
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf page 18-19