dumpstool logo
What are two characteristic types that can be defined for a variable? (Choose two )
As a best practice, which URL category should you target first for SSL decryption*?
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration
Which two solutions can the administrator use to scale this configuration? (Choose two.)
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.
Which method can capture IP-to-user mapping information for users on the Linux machines?
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory
What must be configured in order to select users and groups for those rules from Panorama?
An engineer is in the planning stages of deploying User-ID in a diverse directory services environment.
Which server OS platforms can be used for server monitoring with User-ID?
An engineer is creating a security policy based on Dynamic User Groups (DUG) What benefit does this provide?
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.
An end-user visits the untrusted website https //www firewall-do-not-trust-website com
Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?
While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription?
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However , YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.
What are two reasons why the firewall might not use a static route? (Choose two.)
A customer wants to spin their session load equally across two SD-WAN-enabled interfaces.
Where would you configure this setting?
An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?
: 4
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?
An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?
Which method will dynamically register tags on the Palo Alto Networks NGFW?
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?
Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)
A company.com wants to enable Application Override. Given the following screenshot:
Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)
A users traffic traversing a Palo Alto networks NGFW sometimes can reach http //www company com At other times the session times out. At other times the session times out The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com
goes to http://www company com
How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise?( Choose three)
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)
People are having intermittent quality issues during a live meeting via web application.
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall
Which part of files needs to be imported back into the replacement firewall that is using Panorama?
An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:
less mp-log ikemgr.log:
What could be the cause of this problem?
Only two Trust to Untrust allow rules have been created in the Security policy
Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?
Starting with PAN-OS version 9.1, Global logging information is now recoded in which firewall log?
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?
Which CLI command displays the current management plan memory utilization?
A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)
A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software
Why did the bootstrap process fail for the VM-Series firewall in Azure?
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)
Which three authentication factors does PAN-OS® software support for MFA (Choose three.)
TESTED 05 Jul 2022