View the diagram.
What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?
Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)
Which URL profiling action does not generate a log entry when a user attempts to access that URL?
By default, what is the maximum number of templates that can be added to a template stack?
By default, the maximum number of templates that can be added to a template stack is 8. This is the recommended limit for performance reasons, as adding more templates may result in sluggish responses on the user interface. However, starting from PAN-OS 8.1.10 and 9.0.4, you can use a debug command to increase the maximum number of templates per stack to 16. This command requires a commit operation to take effect.
A template stack is a collection of templates that you can use to push common settings to multiple firewalls or Panorama managed collectors. A template contains the network and device settings that you want to share across devices, such as interfaces, zones, virtual routers, DNS, NTP, and login banners. You can create multiple templates for different device groups or locations and add them to a template stack in a hierarchical order. The settings in the lower templates override the settings in the higher templates if there are any conflicts. You can then assign a template stack to one or more devices and push the configuration changes.
Which Security profile can you apply to protect against malware such as worms and Trojans?
Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall’s
Which Palo Alto Networks Security Operating Platform service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and scanning files for sensitive information?
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?
Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
Place the steps in the correct packet-processing order of operations.
What are three ways application characteristics are used? (Choose three.)
Palo Alto Networks firewall architecture accelerates content map minimizing latency using which two components? (Choose two.)
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?
GlobalProtect: GlobalProtect safeguards your mobile workforce by inspecting all traffic using your next-generation firewalls deployed as internet gateways, whether at the perimeter, in the Demilitarized Zone (DMZ), or in the cloud.
What are two valid selections within an Antivirus profile? (Choose two.)
Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile. If a virus gets detected, how will the firewall handle the traffic?
How often does WildFire release dynamic updates?
Match the network device with the correct User-ID technology.
Microsoft Exchange – Server monitoring
Linux authentication – syslog monitoring
Windows Client – client probing
Citrix client – Terminal Services agent
In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?
An administrator can configure URL Filtering profiles in the Objects section of the PAN-OS GUI. A URL Filtering profile is a collection of URL filtering controls that you can apply to individual Security policy rules that allow access to the internet [1]. You can set site access for URL categories, allow or disallow user credential submissions, enable safe search enforcement, and various other settings [1].
To create a URL Filtering profile, go to Objects > Security Profiles > URL Filtering and click Add. You can then specify the profile name, description, and settings for each URL category and action [2]. You can also configure other options such as User Credential Detection, HTTP Header Insertion, and URL Filtering Inline ML [2]. After creating the profile, you can attach it to a Security policy rule that allows web traffic [2].
Which action would an administrator take to ensure that a service object will be available only to the selected device group?
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
Which rule type is appropriate for matching traffic occurring within a specified zone?
What do you configure if you want to set up a group of objects based on their ports alone?
Given the detailed log information above, what was the result of the firewall traffic inspection?
View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?
Which rule type is appropriate for matching traffic both within and between the source and destination zones?
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow
Which dynamic update type includes updated anti-spyware signatures?
How are service routes used in PAN-OS?
Therefore, service routes are used to route management plane services through data interfaces rather than the management interface.
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)
A. Untrust (Any) to DMZ (220.127.116.11), ssh - Allow
B. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
C. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
E. Untrust (Any) to DMZ (18.104.22.168), web-browsing - Allow
What is an advantage for using application tags?
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
Given the cyber-attack lifecycle diagram identify the stage in which the attacker can run malicious code against a vulnerability in a targeted machine.
According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
Which statement is true about Panorama managed devices?
Which object would an administrator create to block access to all high-risk applications?
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?
Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)
Which firewall plane provides configuration, logging, and reporting functions on a separate processor?
Which operations are allowed when working with App-ID application tags?
Which statement is true regarding NAT rules?
A website is unexpectedly allowed due to miscategorization.
What are two ways to resolve this issue for a proper response? (Choose two.)
When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)
Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?
What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)
DNS Security subscription enables users to access real-time protections using advanced predictive analytics. When techniques such as DGA/DNS tunneling detection and machine learning are used, threats hidden within DNS traffic can be proactively identified and shared through an infinitely scalable cloud service. Because the DNS signatures and protections are stored in a cloud-based architecture, you can access the full database of ever-expanding signatures that have been generated using a multitude of data sources. This list of signatures allows you to defend against an array of threats using DNS in real-time against newly generated malicious domains. To combat future threats, updates to the analysis, detection, and prevention capabilities of the DNS Security service will be available through content releases. To access the DNS Security service, you must have a Threat Prevention license and DNS Security license.
What are three differences between security policies and security profiles? (Choose three.)
Given the topology, which zone type should zone A and zone B be configured with?
Which interface type can use virtual routers and routing protocols?
Based on the screenshot, what is the purpose of the group in User labelled "it"?
An administrator is reviewing the Security policy rules shown in the screenshot below.
Which statement is correct about the information displayed?
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
Another reason to choose the Windows agent over the integrated PAN-OS agent is to save processing cycles on the firewall’s management plane.
You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?
In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)
Based on the screenshot what is the purpose of the included groups?
Which definition describes the guiding principle of the zero-trust architecture?
Why does a company need an Antivirus profile?
How many zones can an interface be assigned with a Palo Alto Networks firewall?
Which option lists the attributes that are selectable when setting up an Application filter?
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?
Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)
A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)
Which two Palo Alto Networks security management tools provide a consolidated creation of policies, centralized management and centralized threat intelligence? (Choose two.)
Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH, web-browsing and SSL applications.
Which policy achieves the desired results?
How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?
The best way to view a complete overview of the logs is to select the unified log entry in the side menu. The unified log is a single view that displays all the logs generated by the firewall, such as traffic, threat, URL filtering, data filtering, and WildFire logs [1]. The unified log allows the administrator to filter, sort, and export the logs based on various criteria, such as time range, severity, source, destination, application, or action [1].
Modifying the number of columns visible on the page or the number of logs visible on each page does not provide a complete overview of the logs, but only changes the display settings of the current log view. Selecting the system logs entry in the side menu does not show all the logs generated by the firewall, but only shows the logs related to system events, such as configuration changes, system alerts, or HA status [2].
[1] View Logs - Palo Alto Networks
[2] View and Manage Logs - Palo Alto Networks
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection?
Anti-Spyware Security Profiles block spyware on compromised hosts from trying to communicate with external command-and-control (C2) servers, thus enabling you to detect malicious traffic leaving the network from infected clients.
Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?
What must be considered with regards to content updates deployed from Panorama?
An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?
The compliance officer requests that all evasive applications be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)
An address object of type IP Wildcard Mask can be referenced in which part of the configuration?
You can use an address object of type IP Wildcard Mask only in a Security policy rule.
IP Wildcard Mask: Enter an IP wildcard address in the format of an IPv4 address followed by a slash and a mask (which must begin with a zero); for example, 10.182.1.1/0.127.248.0. In the wildcard mask, a zero (0) bit indicates that the bit being compared must match the bit in the IP address that is covered by the 0. A one (1) bit in the mask is a wildcard bit, meaning the bit being compared need not match the bit in the IP address that is covered by the 1. Convert the IP address and the wildcard mask to binary. To illustrate the matching: on binary snippet 0011, a wildcard mask of 1010 results in four matches (0001, 0011, 1001, and 1011).
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
Which file is used to save the running configuration with a Palo Alto Networks firewall?
Match the cyber-attack lifecycle stage to its correct description.
An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?
You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?
Which Security profile must be added to Security policies to enable DNS Signatures to be checked?
Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?
Match each feature to the DoS Protection Policy or the DoS Protection Profile.
Recently, changes were made to the firewall to optimize the policies, and the security team wants to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?
What is a recommended consideration when deploying content updates to the firewall from Panorama?
An administrator wants to prevent users from submitting corporate credentials in a phishing attack.
Which Security profile should be applied?