Q1. Click the Exhibit button below.
A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?
A. 172.20.30.1
B. 172.20.40.1
C. 172.20.20.1
D. 172.20.10.1
Answer: B
Q2. The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?
A. QoS Statistics
B. Applications Report
C. Application Command Center (ACC)
D. QoS Log
Answer: A
Q3. How are IPv6 DNS queries configured to use interface ethernet1/3?
A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration
Answer: D
Q4. What are three valid actions in a File Blocking Profile? (Choose three)
A. Forward
B. Block
C. Alert
D. Upload
E. Reset-both
F. Continue
Answer: B,C,F
Explanation:
https://live.paloaltonetworks.com/t5/Configuration-Articles/File-Blocking-Rulebase-and-Action-Precedence/ta-p/53623
Q5. Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)
A. Vulnerability Object
B. DoS Protection Profile
C. Data Filtering Profile
D. Zone Protection Profile
Answer: B,D
Q6. Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.
Which Link Type setting will correct the error?
A. Set tunnel.1 to p2p
B. Set tunnel.1 to p2mp
C. Set Ethernet 1/1 to p2mp
D. Set Ethernet 1/1 to p2p
Answer: A
Q7. A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall. Which pair of files needs to be imported back into the replacement firewall that is using Panorama?
A. Device state and license files
B. Configuration and serial number files
C. Configuration and statistics files
D. Configuration and Large Scale VPN (LSVPN) setups file
Answer: B
Q8. Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)
A. Brute-force signatures
B. BrightCloud URL Filtering
C. PAN-DB URL Filtering
D. DNS-based command-and-control signatures
Answer: C,D
Q9. Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)
A. The devices are pre-configured with a virtual wire pair out the first two interfaces.
B. The devices are licensed and ready for deployment.
C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
E. The interfaces are pingable.
Answer: B,C
Q10. A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?
A. Blocked Activity
B. Bandwidth Activity
C. Threat Activity
D. Network Activity
Answer: A
Q11. How does Panorama handle incoming logs when it reaches the maximum storage capacity?
A. Panorama discards incoming logs when storage capacity is full.
B. Panorama stops accepting logs until licenses for additional storage space are applied.
C. Panorama stops accepting logs until a reboot to clean storage space.
D. Panorama automatically deletes older logs to create space for new ones.
Answer: D
Explanation:
(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-panorama/determine-panorama-log-storage-requirements)
Q12. A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)
A. Panorama virtual appliance on ESX(i) only
B. M-500
C. M-100 with Panorama installed
D. M-100
Answer: A,C
Explanation:
(https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181)
Q13. Support for which authentication method was added in PAN-OS 7.0?
A. RADIUS
B. LDAP
C. Diameter
D. TACACS+
Answer: D
Q14. A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information:
•DMZ zone: DMZ-L3
•Public zone: Untrust-L3
•Guest zone: Guest-L3
•Web server zone: Trust-L3
•Public IP address (Untrust-L3): 1.1.1.1
•Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?
A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3
Answer: A
Q15. A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?
A. test security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
B. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
C. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
D. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
Answer: A
Explanation:
test security-policy-match source <source IP> destination <destination IP> protocol <protocol number>
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-Applies-to-a-Traffic-Flow/ta-p/53693
Q16. A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab.
What could cause this condition?
A. The firewall does not have an active WildFire subscription.
B. The engineer's account does not have permission to view WildFire Submissions.
C. A policy is blocking WildFire Submission traffic.
D. Though WildFire is working, there are currently no WildFire Submissions log entries.
Answer: A
Q17. A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites are to override these policies?
A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules
Answer: A
Q18. Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?
A. Disable Server Response Inspection
B. Apply an Application Override
C. Disable HIP Profile
D. Add server IP Security Policy exception
Answer: A
Q19. A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information.
•Users outside the company are in the "Untrust-L3" zone
•The web server physically resides in the "Trust-L3" zone.
•Web server public IP address: 23.54.6.10
•Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two)
A. Untrust-L3 for both Source and Destination zone
B. Destination IP of 192.168.1.10
C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
D. Destination IP of 23.54.6.10
Answer: A,D