Beruflich Dokumente
Kultur Dokumente
Number: PCNSE7
Passing Score: 800
Time Limit: 120 min
File Version: 1.0
PCNSE7
http://www.gratisexam.com/
Exam A
QUESTION 1
A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security
Profiles > Anti-Spyware and selects the default profile.
A. Click the simple-critical rule and then click the Action drop-down list.
B. Click the Exceptions tab and then click Show all signatures.
C. View the default actions displayed in the Action column.
D. Click the Rules tab and then look for rules with default in the Action column.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
All Anti-spyware and Vulnerability Protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to
Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles >Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then
click Show all signatures and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new
profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile.
References: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/set-up-antivirus-anti-spyware-and-vulnerability-protection.html
QUESTION 2
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two.)
A. The devices are pre-configured with a virtual wire pair out of the first two interfaces.
B. The devices are licensed and ready for deployment.
C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
E. The interfaces are pingable.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
B: The licence should be available in an email from the Palo Alto corporation.
http://www.gratisexam.com/
C: In order to configure the Palo Alto Next-Generation Firewalls (NGFW), we need to connect our laptop to the management port and assign our laptop with the IP
address from the 192.168.1.2-192.168.1.254 range, because the default management IP address of PA is 192.168.1.1:
References: https://popravak.wordpress.com/2014/07/31/initial-setup-of-palo-alto-networks-next-generation-firewall/
QUESTION 3
Which two mechanisms help prevent a split brain scenario in an Active/Passive High Availability (HA) pair? (Choose two.)
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
E:For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-
band HA interfaces across both firewalls.
Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
B:
1. In Device > High Availability > General, edit the Control Link (HA1) section.
2. Select the interface that you have cabled for use as the HA1 link in the Port drop down menu. Set the IP address and netmask.Enter a Gateway IP address only if
the HA1 interfaces are on separate subnets. Do not add a gateway if the devices are directly connected.
References: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/high-availability/configure-active-passive-ha
QUESTION 4
http://www.gratisexam.com/
Click the Exhibit button.
An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company network.
A. Right-click on the bittorrent link and select Value from the context menu.
B. Create a global filter for bittorrent traffic and then view Traffic logs.
C. Create a local filter for bittorrent traffic and then view Traffic logs.
D. Click on the bittorrent application link to view network activity.
Correct Answer: D
Section: (none)
Explanation
http://www.gratisexam.com/
Explanation/Reference:
The application filter is a dynamic item that is created by selecting filter options (Category, Subcategory, Technology) in the application browser. Any new
applications coming to PAN-OS in a content update that match the same filters, the set will automatically be added to the Application Filter created. For example,
when a 'peer-to-peer' is selected as a Technology Filter, that filter will automatically update if a new application gets added to that category in the latest content
package.
References: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Block-Traffic-Based-on-Application-Filters-with-an/ta-p/59965
QUESTION 5
How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has to be decrypted.
B. It is used when web servers request a client certificate.
C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by the firewall.
D. It is used for Captive Portal to identify unknown users.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Though a single certificate can be used for both Forward Trust and Forward Untrust, creating a separate certificate specifically for Untrust (which must be generated
as a CA) allows for easy differentiation of a valid certificate/trust error as the Palo Alto Networks device proxies the secure session.
Verify the CA to be blocked, keeping in mind that doing so blocks access to all sites issued by this CA.
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Prevent-Access-to-Encrypted-Websites-Based-on-Certificate/ta-p/57585
QUESTION 6
Which command can be used to validate a Captive Portal policy?
Correct Answer: C
Section: (none)
Explanation
http://www.gratisexam.com/
Explanation/Reference:
You can use the test security-policy-match command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user
duane from playing World of Warcraft; you could test the policy as follows:
test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
"deny worldofwarcraft" {
from corporate;
source any;
source-region any;
to internet;
destination any;
destination-region any;
user acme\duane;
category any;
application/service worldofwarcraft;
action deny;
terminal no;
}
References: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/verify-the-user-id-configuration
QUESTION 7
What are three valid actions in a File Blocking Profile? (Choose three.)
A. Forward
B. Block
C. Alert
D. Upload
E. Reset-both
F. Continue
Explanation/Reference:
You can configure a file blocking profile with the following actions:
Forward When the specified file type is detected, the file is sent to WildFire for analysis. A log is also generated in the data filtering log.
Block When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data
filtering log.
http://www.gratisexam.com/
Alert When the specified file type is detected, a log is generated in the data filtering log.
Continue When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the
file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
Continue-and-forward When the specified file type is detected, a customizable continuation page is presented to the user. The user can click through the page
to download the file. If the user clicks through the continue page to download the file, the file is sent to WildFire for analysis. A log is also generated in the data
filtering log.
References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/file-blocking-profiles.html
QUESTION 8
Which setting will allow a DoS protection profile to limit the maximum concurrent sessions from a source IP address?
A. Set the type to Aggregate, clear the Sessions box and set the Maximum Concurrent Sessions to 4000.
B. Set the type to Classified, clear the Sessions box and set the Maximum Concurrent Sessions to 4000.
C. Set the type to Classified, check the Sessions box and set the Maximum Concurrent Sessions to 4000.
D. Set the type to Aggregate, check the Sessions box and set the Maximum Concurrent Sessions to 4000.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
References: Advanced Threat Prevention Deployment, Tech Note, PAN-OS 7.0, page 41
https://live.paloaltonetworks.com/t5/Documentation-Articles/Threat-Prevention-Deployment-Tech-Note/ta-p/53157?attachment-id=2533
QUESTION 9
A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair. What allows the firewall administrator to determine
the last date a failover event occurred?
http://www.gratisexam.com/
A. From the CLI issue use the show system info command
B. Apply the filter subtype eq ha to the System log
C. Apply the filter subtype eq ha to the Configuration log
D. Check the status of the High Availability widget on the Dashboard tab of the GUI
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The show system info command shows the uptime of the device. It can be determine when a failover event occurred.
References: http://blog.webernetz.net/2013/11/21/cli-commands-for-troubleshooting-palo-alto-firewalls/
QUESTION 10
The company's Panorama server (IP: 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being
used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
B: The show panorama-status command shows the Panorama connection status.
Sample Output
The following command shows information about the Panorama connection.
username@hostname> show panorama-status
Panorama Server 1 : 10.1.7.90
State : Unknown
username@hostname>
http://www.gratisexam.com/
D: Issue
The Managed Devices show not connected to Panorama and are not able to establish a new connection to Panorama.
The Packet Capture on Panorama Management Interface shows SYN packets received from devices on port 3978, but no SYN ACK is sent from Panorama.
> tcpdump filter "port 3978"
> view-pcap mgmt-pcap mgmt.pcap
References: https://live.paloaltonetworks.com/t5/Management-Articles/Managed-Devices-Unable-to-Establish-Connections-to-Panorama/ta-p/53248
https://www.paloaltonetworks.jp/content/dam/paloaltonetworks-com/en_US/assets/pdf/technical-documentation/pan-os-5x/CLI_Reference_Guide-Panorama-
5.1_PAN-OS-5.0.pdf
QUESTION 11
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect
gateway using a pre-installed machine certificate before the user has logged in.
References: https://www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_6-0/globalprotect-quick-configs/remote-access-vpn-with-pre-logon
QUESTION 12
Which three log-forwarding destinations require a server profile to be configured? (Choose three.)
A. SNMP Trap
http://www.gratisexam.com/
B. Email
C. RADIUS
D. Kerberos
E. Panorama
F. Syslog
Explanation/Reference:
Enable a Log Forwarding Profile (see step 4 below).
1. Select Objects > Log Forwarding Profile and Add a new security profile group.
2. Give the profile group a descriptive Name to help identify it when adding the profile to security policies or security zones.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
4. Add settings for the Traffic logs, Threat logs, and WildFire logs:
Select the Panorama check box for the severity of the Traffic, Threat, or WildFire logs that you want to be forwarded to Panorama.
Specify logs that you want to forward to additional destinations: SNMP Trap destinations, Email servers, or Syslog servers.
5. Click OK to save the log forwarding profile.
References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/log-forwarding-profiles.html
QUESTION 13
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus
software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the Internet and SSL Forward Proxy Decryption is not enabled.
Which component, once enabled on a perimeter firewall, will allow the identification of existing infected hosts in an environment?
A. Anti-spyware profiles applied to outbound security policies with DNS Query action set to sinkhole
B. File Blocking profiles applied to outbound security policies with action set to alert
C. Vulnerability Protection profiles applied to outbound security polices with action set to block
D. Antivirus profiles applied to outbound security policies with action set to alert
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Starting with PAN-OS 6.0, DNS sinkhole is an action that can be enabled in Anti-Spyware profiles. A DNS sinkhole can be used to identify infected hosts on a
protected network using DNS traffic in environments where the firewall can see the DNS query to a malicious URL.
http://www.gratisexam.com/
The DNS sinkhole enables the Palo Alto Networks device to forge a response to a DNS query for a known malicious domain/URL and causes the malicious domain
name to resolve to a definable IP address (fake IP) that is given to the client. If the client attempts to access the fake IP address and there is a security rule in place
that blocks traffic to this IP, the information is recorded in the logs.
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891
QUESTION 14
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is the
output from the command:
A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
C. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.
D. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
Correct Answer: B
Section: (none)
http://www.gratisexam.com/
Explanation
Explanation/Reference:
The Proxy IDs could have been checked for mismatch.
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/IPSec-Error-IKE-Phase-1-Negotiation-is-Failed-as-Initiator-Main/ta-p/59532
QUESTION 15
How does Panorama handle incoming logs when it reaches the maximum storage capacity?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
When Panorama reaches the maximum capacity, it automatically deletes older logs to create space for new ones.
References: https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/set-up-panorama/determine-panorama-log-storage-
requirements
QUESTION 16
Which client software can be used to connect remote Linux clients into a Palo Alto Networks infrastructure without sacrificing the ability to scan traffic and protect
against threats?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
References: http://blog.webernetz.net/2014/03/31/palo-alto-globalprotect-for-linux-with-vpnc/
http://www.gratisexam.com/
QUESTION 17
Only two Trust to Untrust allow rules have been created in the Security policy.
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://
www.youtube.com in a web browser, they get an error indicating that the server cannot be found.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/App-IDs-for-SSL-Secured-Versions-of-Well-Known-Services/ta-p/57428
QUESTION 18
Which three options are available when creating a security profile? (Choose three.)
A. Anti-malware
B. File Blocking
C. URL Filtering
D. IDS/IPS
E. Threat Prevention
http://www.gratisexam.com/
F. Antivirus
Explanation/Reference:
Using the URL Category as match criteria allows you to customize security profiles (antivirus, anti-spyware, vulnerability, file-blocking, Data Filtering, and DoS) on a
per-URL-category basis.
QUESTION 19
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two.)
A. Vulnerability Object
B. DoS Protection Profile
C. Data Filtering Profile
D. Zone Protection Profile
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
B: There are two DoS protection mechanisms that the Palo Alto Networks firewalls support.
* Flood ProtectionDetects and prevents attacks where the network is flooded with packets resulting in too many half-open sessions and/or services being unable
to respond to each request. In this case the source address of the attack is usually spoofed.
* Resource Protection Detects and prevent session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully
established sessions as possible to consume all of a systems resources.
You can enable both types of protection mechanisms in a single DoS protection profile.
D: Provides additional protection between specific network zones in order to protect the zones against attack. The profile must be applied to the entire zone, so it is
important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When defining packets per second (pps)
thresholds limits for zone protection profiles, the threshold is based on the packets per second that do not match a previously established session.
Incorrect Answers:
A: Vulnerability protection stops attempts to exploit system flaws or gain unauthorized access to systems. For example, this feature will protect against buffer
overflows, illegal code execution, and other attempts to exploit system vulnerabilities.
C: Data Filtering helps to prevent sensitive information such as credit card or social security numbers from leaving a protected network.
http://www.gratisexam.com/
References: References: PAN-OS, Administrators Guide, Version 7.0, Page 830
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/about-security-profiles
QUESTION 20
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there
is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?
A. QoS Statistics
B. Applications Report
C. Application Command Center (ACC)
D. QoS Log
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Select Network > QoS to view the QoS Policies page and click the Statistics link to view QoS bandwidth, active sessions of a selected QoS node or class, and
active applications for the selected QoS node or class.
For example, see the statistics for ethernet 1/1 with QoS enabled:
http://www.gratisexam.com/
References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configure-qos
QUESTION 21
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to
a single destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Step 1: Configure a DoS Protection profile for flood protection.
1. Select Objects > Security Profiles > DoS Protection and Add a profile Name.
2. Select Classified as the Type.
3. For Flood Protection, select the check boxes for all of the following types of flood protection:
SYN Flood
UDP Flood
ICMP Flood
ICMPv6 Flood
Other IP Flood
Step 2: Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
This step include: (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/configure-dos-protection-against-flooding-of-new-sessions
QUESTION 22
Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two.)
A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes.
B. Enter the command request system system-mode- logger then enter to confirm the change to Log Collector mode.
C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.
http://www.gratisexam.com/
D. Enter the command logger-mode enable then enter to confirm the change to Log Collector mode.
E. Log in to the Panorama CLI of the dedicated Log Collector.
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
Step 1 (E): Access the Command Line Interface (CLI) on the M-100 appliance.
When prompted, log in to the appliance.
Step 2 (B): Switch from Panorama Mode to Log Collector Mode.
1. To switch to Log Collector mode, enter the following command:
request system logger-mode logger
2. Enter Yes to confirm the change to Log Collector mode. The appliance will reboot. If you see a CMS Login prompt, press Enter without typing a username or
password. When the Panorama login prompt appears, enter the default admin account and the password assigned during initial configuration.
References: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-up-panorama/set-up-the-m-100-appliance#91340
QUESTION 23
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The
destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on T port 8080.
Which NAT and security rules must he configured on the firewall? (Choose two.)
A. A security policy with a source of any from untrust-l3 zone to a destination of 10.1.1.100 in dmz-l3 zone using web-browsing application.
http://www.gratisexam.com/
B. A NAT rule with a source of any from untrust-l3 zone to a destination of 10.1.1.100 in dmz-l3 zone using service-http service.
C. A NAT rule with a source of any from untrust-l3 zone to a destination of 1.1.1.100 in untrus-l3 zone using service-http service.
D. A security policy with a source of any from untrust-l3 zone to a destination of 1.1.1.100 in dmz-l3 zone using web-browsing application.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
B: NAT.
When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you will need a source NAT rule for
translating the source address of the server to the external address upon egress. You do this by creating a static NAT rule that instructs the firewall to translate the
internal source address, 10.1.1.100, to the external web server address, 1.1.1.100 in our example. However, in the case of a public-facing server, the server must
both be able to send packets and receive them. In this case, you need a reciprocal policy that will translate the public address that will be the destination IP address
in incoming packets from users on the Internet into the private address to enable the firewall to properly route the packet to your DMZ network. On the firewall you
do this by creating a bi-directional static NAT policy
D: Security policy.
Restrict access from the Internet to the servers on the DMZ to specific server IP addresses only.
Set the Destination Address to the Public web server address object you created earlier. The public web server address object references the public IP address
1.1.100 of the web server that is accessible on the DMZ.
References:
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configure-nat-policies
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic-security-policies
QUESTION 24
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the
administrator wants to test one of the security policies.
Which LI command syntax will display the rule that matches the test?
A. test security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol
<protocol number>
B. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol
number>
C. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol
number>
D. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol
<protocol number>
http://www.gratisexam.com/
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
If you know the source or destination IP address, the test command from the CLI will search the security policies and display the best match:
Example:
> test security-policy-match source <source IP> destination <destination IP> protocol <protocol number>
The output will show which policy rule will be applied to this traffic match based on the source and destination IP addresses.
References: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-Applies-to-a-Traffic-Flow/ta-p/53693
QUESTION 25
Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two.)
A. Brute-force signatures
B. BrightCloud URL Filtering
C. PAN-DB URL Filtering
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
C: PAN-DB categorizes URLs based on their content at the domain, file and page level, and receives updates from WildFire cloud-based malware analysis
environment every 30 minutes to make sure that, when web content changes, so do categorizations. This continuous feedback loop enables you to keep pace with
the rapidly changing nature of the web, automatically.
D: DNS is a very necessary and ubiquitous application, as such, it is a very commonly abused protocol for command-and-control and data exfiltration. This tech brief
summarizes the DNS classification, inspection and protection capabilities supported by our next-generation security platform, which includes:
http://www.gratisexam.com/
1. Malformed DNS messages (symptomatic of vulnerability exploitation attack).
2. DNS responses with suspicious composition (abused query types, DNS-based denial of service attacks).
3. DNS queries for known malicious domains. Our ability to prevent threats from hiding within DNS
The passive DNS network feature allows you to opt-in to share anonymized DNS query and response data with our global passive DNS network. The data is
continuously mined to discover malicious domains that are then added to the PAN-OS DNS signature set that is delivered daily, enabling timely detection of
compromised hosts within the network and the disruption of command-and-control channels that rely on name resolution.
References:
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/url-filtering-pandb
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/dns-protection
QUESTION 26
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall.
Which pair of files needs to be imported back into the replacement firewall that is using Panorama?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
To minimize the effort required to restore the configuration on a managed firewall involving a Return Merchandise Authorization (RMA), replace the serial number of
the old firewall with that of the new/replacement firewall on Panorama. To then restore the configuration on the replacement firewall, either import a firewall state
that you previously generated and exported from the firewall or use Panorama to generate a partial device state for managed firewalls running PAN-OS 5.0 and later
versions. By replacing the serial number and importing the device state, you can resume using Panorama to manage the firewall.
References: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/troubleshooting/replace-an-rma-firewall
QUESTION 27
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has
decided to configure a destination NAT Policy rule.
http://www.gratisexam.com/
Public zone: Untrust-L3
Guest zone: Guest-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?
A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Create the NAT policy.
1. Select Policies > NAT and click Add.
2. Enter a descriptive Name for the policy.
3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone
you created for the external network from the Destination Zone drop down.
4. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop-down in the Source Address Translation section of the screen and
then click Add. Select the address object you just created.
5. Click OK to save the NAT policy.
References:
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configure-nat-policies
QUESTION 28
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that
this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?
A. Create a Custom Application without signatures, then Create an Application Override policy that includes the: Source, Destination, Destination Port/Protocol, and
Custom Application of the traffic.
B. Wait until an official Application signature is provided from Palo Alto Networks.
C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application.
http://www.gratisexam.com/
D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
An application override could be used with custom internal applications that use non-standard port numbers or internal applications classified by the firewall as
"unknown" for which custom definitions have been created.
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-Policy/ta-p/60044
QUESTION 29
What must be used in Security Policy Rules that contain addresses where NAT policy applies?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://www.gratisexam.com/
NAT Policy Rule Functionality
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet
matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the
packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones.
References: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules
QUESTION 30
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?
A. Blocked Activity
B. Bandwidth Activity
C. Threat Activity
D. Network Activity
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Network Activity tab of the Application Command Center (ACC) displays an overview of traffic and user activity on your network including:
Top applications in use
Top users who generate traffic (with a drill down into the bytes, content, threats or URLs accessed by the user)
Most used security rules against which traffic matches occur
In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information
such as the operating systems of the devices most commonly used on the network.
References: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/acc-tabs.html
QUESTION 31
A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab.
Correct Answer: A
http://www.gratisexam.com/
Section: (none)
Explanation
Explanation/Reference:
Native integration with all Palo Alto Networks products allows WildFire to inform and update subscribers with new protective capabilities for the network, cloud and
endpoint in real time.
References: https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/wildfire
QUESTION 32
A network administrator uses Panorama to push security policies to managed firewalls at branch offices.
Which policy type should be configured on Panorama if the administrator wants to allow local administrators at the branch office sites to override these policies?
A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Pre Rules: Pre rules are inserted at the top of the rule order and are checked first in the configuration in the pre-rulebase, before the post or locally defined rules.
Examples on the use of pre rules are to insert global use rules such as blocking peer-to-peer traffic for all users, or allowing DNS traffic for all users.
Note: Rules in Panorama can be added as Pre or Post rules within each device group. Administrators can decide to manage rules as Pre, Post or use a
combination of both, including the insertion of locally added rules, which are placed in order between the Pre and Post rules managed from Panorama.
Incorrect Answers:
B: Post Rules: Post rules are inserted at the bottom of the rule order and are checked in their configuration order in the post-rulebase, after the pre and locally
defined rules. Examples of post rule use are global deny rules, either by appID/service/user/IP based or a combination of, or to create default zone to zone deny
rules to use for logging of all blocked traffic.
References: Panorama Design and Planning Guide Tech Note PAN-OS 4.1, page 6
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/134/1/Panorama-Design-Planning.pdf
QUESTION 33
Click the Exhibit button below.
http://www.gratisexam.com/
A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a
192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
What is the next hop IP address for the HTTPS traffic from Wills PC?
A. 172.20.30.1
B. 172.20.40.1
C. 172.20.20.1
D. 172.20.10.1
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
Which three functions are found on the dataplane of a PA-5050? (Choose three.)
A. Protocol Decoder
B. Dynamic routing
C. Management
D. Network processing
E. Signature Match
http://www.gratisexam.com/
Explanation
Explanation/Reference:
In these devices, dataplane zero, or dp0 for short, functions as the master dataplane and determines which dataplane will be used as the session owner that is
responsible for processing and inspection.
The data plane provides all data processing and security detection and enforcement, including:
* (B) All networking connectivity, packet forwarding, switching, routing, and network address translation
* Application identification, using the content of the applications, not just port or protocol
* SSL forward proxy, including decryption and re-encryption
* Policy lookups to determine what security policy to enforce and what actions to take, including scanning for threats, logging, and packet marking
* Application decoding, threat scanning for all types of threats and threat prevention
* Logging, with all logs sent to the control plane for processing and storage
E: The following diagram depicts both the hardware and software architecture of the next-generation firewall
Incorrect Answers:
C: Management is done in the control plane.
http://www.gratisexam.com/
References:
https://www.niap-ccevs.org/st/st_vid10392-st.pdf
QUESTION 35
What are three valid methods of user mapping? (Choose three.)
A. Syslog
B. XML API
C. 802.1X
D. WildFire
E. Server Monitoring
Explanation/Reference:
A: To obtain user mappings from existing network services that authenticate userssuch as wireless controllers, 802.1x devices, Apple Open Directory servers,
proxy servers, or other Network Access Control (NAC) mechanisms Configure User-ID to Receive User Mappings from a Syslog Sender.
B: For other clients that you cant map using the preceding methods, you can Send User Mappings to User-ID Using the XML API.
References:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/map-ip-addresses-to-users
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/user-id/configure-user-mapping-using-the-pan-os-integrated-user-id-agent.html
QUESTION 36
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three.)
A. Clean
B. Benign
C. Adware
D. Suspicious
http://www.gratisexam.com/
E. Grayware
F. Malware
Explanation/Reference:
The WildFire verdicts are: Benign, Grayware, Malware.
References: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/log-severity-levels-and-wildfire-verdicts
QUESTION 37
What can cause missing SSL packets when performing a packet capture on dataplane interfaces?
A. The packets are hardware offloaded to the offload processor on the dataplane.
B. The missing packets are offloaded to the management plane CPU.
C. The packets are not captured because they are encrypted.
D. There is a hardware problem with the offloading FPGA on the management plane.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?
http://www.gratisexam.com/
C. Disable HIP Profile
D. Add server IP to Security Policy exception
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
In the Other Settings section, select the option to Disable Server Response Inspection. This setting disables the antivirus and anti-spyware scanning on the server-
side responses, and thus reduces the load on the firewall.
References: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic-security-policies
QUESTION 39
How are IPv6 DNS queries configured to use interface ethernet1/3?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Configure the service routes.
1. Select Device > Setup > Services > Global and click Service Route Configuration.
Note: For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo
Alto Updates, URL Updates, WildFire, and AutoFocus.
2. Click the Customize radio button, and select one of the following:
For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just
configured.
References: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/set-up-network-access-for-external-services
QUESTION 40
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall.
Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?
http://www.gratisexam.com/
A. From the LI, issue the show counter global filter pcap yes command.
B. From the CLI, issue the show counter global filter packet-filter yes command.
C. From the GUI, select show global counters under the monitor tab.
D. From the CLI, issue the show counter interface command for the ingress interface.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
You can check global counters for a specific source and destination IP addresses by setting a packet filter. We recommend that you use the global counter
command with a packet filter to get specific traffic outputs. These outputs will help isolate the issue between two peers.
Use the following CLI command to show when traffic is passing through the Palo Alto Networks firewall from that source to destination.
> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 20.220 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_recv 6387398 4 info packet pktproc Packets received
pkt_recv_zero 370391 0 info packet pktproc Packets received from QoS 0
Etc.
References: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-a-specific-source-and/ta-p/65794
QUESTION 41
A host attached to ethernet1/3 cannot access the Internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot
pass from ethernet1/3 to ethernet1/4.
Correct Answer: B
Section: (none)
Explanation
http://www.gratisexam.com/
Explanation/Reference:
In a Layer 2 deployment, the firewall provides switching between two or more interfaces. Each group of interfaces must be assigned to a VLAN object in order for
the firewall to switch between them.
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the
traffic. Choose this option when routing is required.
References: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/getting-started/basic-interface-deployments
QUESTION 42
The GlobalProtect Portal interface and IP address have been configured.
Which other value needs to be defined to complete the network settings configuration of the GlobalProtect Portal?
A. Server Certificate
B. Client Certificate
C. Authentication Profile
D. Certificate Profile
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Specify the network settings to enable agents to connect to the portal.
If you have not yet created the network interface for the portal, see Create Interfaces and Zones for GlobalProtect for instructions. If you havent yet created an SSL/
TLS service profile for the portal, see Deploy Server Certificates to the GlobalProtect Components.
References: https://www.paloaltonetworks.com/documentation/70/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-access-to-
the-globalprotect-portal#47470
QUESTION 43
Which interface configuration will accept specific VLAN IDs?
A. Tap Mode
B. Subinterface
C. Access Interface
D. Trunk Interface
Correct Answer: B
http://www.gratisexam.com/
Section: (none)
Explanation
Explanation/Reference:
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/intrface.html
QUESTION 44
A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the
following security policy on the company's firewall:
Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two.)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?
http://www.gratisexam.com/
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Set up the backup control link connection.
1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
References: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/high-availability/configure-active-passive-ha
QUESTION 46
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?
A. VM-100
B. VM-200
C. VM-1000-HV
D. VM-300
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Licenses for the VM-Series NSX Edition Firewall
In order to automate the provisioning and licensing of the VM-Series NSX Edition firewall in the VMware integrated NSX solution, two license bundles are available:
One bundle includes the VM-Series capacity license (VM-1000-HV only), Threat Prevention license and a premium support entitlement.
Another bundle includes the VM-Series capacity license (VM-1000-HV only) with the complete suite of licenses that include Threat Prevention, GlobalProtect,
WildFire, PAN-DB URL Filtering, and a premium support entitlement.
http://www.gratisexam.com/
References: https://www.paloaltonetworks.com/documentation/70/virtualization/virtualization/about-the-vm-series-firewall/license-types-vm-series-firewalls.html
QUESTION 47
Which two interface types can be used when configuring GlobalProtect Portal? (Choose two.)
A. Virtual Wire
B. Loopback
C. Layer 3
D. Tunnel
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
GlobalProtect portal requires a Layer 3 or loopback interface for GlobalProtect clients to connect to.
References: https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/create-interfaces-
and-zones-for-globalprotect
QUESTION 48
Which three options does the WF-500 appliance support for local analysis? (Choose three.)
A. E-mail links
B. APK files
C. jar files
D. PNG files
E. Portable Executable (PE) files
Explanation/Reference:
WildFire Advanced File Type Support
In addition to Portable Executable (PE) files, a subscription allows the firewall to also forward the following advanced file types: APK (WildFire cloud only), Flash,
PDF, Microsoft Office, and JAR (Java Applet). In addition to these files types, you can also configure the firewall to extract and forward email links contained in
SMTP and POP3 email messages by forwarding the email-link file type.
http://www.gratisexam.com/
Note: To enable a WF-500 appliance for local analysis, you only need to install a support license. This will enable the appliance to communicate with the Palo Alto
Networks update server to download the operating system images and daily content updates. To receive the full benefits of the WildFire service, each firewall must
have a WildFire subscription.
References: https://www.paloaltonetworks.com/documentation/61/wildfire/wf_admin/wildfire-overview/wildfire-subscription-requirements
QUESTION 49
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in
Panoramas traffic logs.
A. A Server Profile has not been configured for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. The firewall is not licensed for logging to this Panorama device.
D. None of the firewall's policies have been assigned a Log Forwarding profile.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
In order to see entries in the Panorama Monitor > Traffic or Monitor > Log screens, a profile must be created on the Palo Alto Networks device (or pushed from
Panorama) to forward log traffic to Panorama.
Steps
1. Go to Policies > Security and open the Options for a rule.
2. Under Log Setting, select New for Log Forwarding to create a new forwarding profile:
http://www.gratisexam.com/
Etc.
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-a-Profile-to-Forward-Logs-to-Panorama/ta-p/54038
QUESTION 50
Support for which authentication method was added in PAN-OS 7.0?
A. RADIUS
B. LDAP
C. Diameter
D. TACACS+
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Devices now support Terminal Access Controller Access-Control System Plus ( TACACS+) protocol for authenticating administrative users. TACACS+ provides
greater security than RADIUS insofar as it encrypts usernames and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP).
References: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0-release-information/authentication-features#91847
QUESTION 51
http://www.gratisexam.com/
Company.com wants to enable Application Override. Given the following screenshot:
Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two.)
A. Traffic that matches rtp-base will bypass the App-ID and Content-ID engines.
B. Traffic will be forced to operate over UDP Port 16384.
C. Traffic utilizing UDP Port 16384 will now be identified as rtp-base.
D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
An application override policy is changes how the Palo Alto Networks firewall classifies network traffic into applications. An application override with a custom
application prevents the session from being processed by the App-ID engine, which is a Layer-7 inspection.
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-Policy/ta-p/60044
http://www.gratisexam.com/