PCNSE Exam Questions - Online Test


Online Paloalto-Networks PCNSE free dumps demo Below:

NEW QUESTION 1
Which feature can provide NGFWs with User-ID mapping information?

  • A. Web Captcha
  • B. Native 802.1q authentication
  • C. GlobalProtect
  • D. Native 802.1x authentication

Answer: C

NEW QUESTION 2
What is exchanged through the HA2 link?

  • A. hello heartbeats
  • B. User-ID information
  • C. session synchronization
  • D. HA state information

Answer: C

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha-links-and-backup-links

NEW QUESTION 3
If the firewall has the link monitoring configuration, what will cause a failover?
PCNSE dumps exhibit

  • A. ethernet1/3 and ethernet1/6 going down
  • B. ethernet1/3 going down
  • C. ethernet1/3 or Ethernet1/6 going down
  • D. ethernet1/6 going down

Answer: A

NEW QUESTION 4
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?

  • A. Mastered
  • B. Not Mastered

Answer: A

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/prevent-credential-phishing

NEW QUESTION 5
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  • A. Create a no-decrypt Decryption Policy rule.
  • B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
  • C. Create a Dynamic Address Group for untrusted sites
  • D. Create a Security Policy rule with vulnerability Security Profile attached.
  • E. Enable the “Block sessions with untrusted issuers” setting.

Answer: AD

NEW QUESTION 6
Refer to the exhibit.
PCNSE dumps exhibit
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
PCNSE dumps exhibit
B)
PCNSE dumps exhibit
C)
PCNSE dumps exhibit
D)
PCNSE dumps exhibit

  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D

Answer: D

NEW QUESTION 7
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

  • A. TACACS+
  • B. Kerberos
  • C. PAP
  • D. LDAP
  • E. SAML
  • F. RADIUS

Answer: ADF

NEW QUESTION 8
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

  • A. A scheduler will need to be configured for application signatures.
  • B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
  • C. A Threat Prevention license will need to be installed.
  • D. A service route will need to be configured.

Answer: D

Explanation:
The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list.
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-dynamic-updates

NEW QUESTION 9
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A. Configure the option for “Threshold”.
  • B. Disable automatic updates during weekdays.
  • C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.
  • D. Automatically “download and install” but with the “disable new applications” option used.

Answer: A

NEW QUESTION 10
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

  • A. XML API
  • B. Port Mapping
  • C. Client Probing
  • D. Server Monitoring

Answer: A

Explanation:
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent.
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/user-id-concepts

NEW QUESTION 11
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on TCP Port 8080.
PCNSE dumps exhibit
Which NAT and security rules must be configured on the firewall? (Choose two)

  • A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application
  • B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
  • C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
  • D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: BD

NEW QUESTION 12
Which feature can provide NGFWs with User-ID mapping information?

  • A. GlobalProtect
  • B. Web Captcha
  • C. Native 802.1q authentication
  • D. Native 802.1x authentication

Answer: A

NEW QUESTION 13
What are three valid methods of user mapping? (Choose three)

  • A. Syslog
  • B. XML API
  • C. 802.1X
  • D. WildFire
  • E. Server Monitoring

Answer: ABE

NEW QUESTION 14
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

  • A. To enable Gateway authentication to the Portal
  • B. To enable Portal authentication to the Gateway
  • C. To enable user authentication to the Portal
  • D. To enable client machine authentication to the Portal

Answer: C

Explanation:
The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals

NEW QUESTION 15
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

  • A. test panoramas-connect 10.10.10.5
  • B. show panorama-status
  • C. show arp all | match 10.10.10.5
  • D. tcpdump filter "host 10.10.10.5"
  • E. debug dataplane packet-diag set capture on

Answer: BD

NEW QUESTION 16
How can a candidate or running configuration be copied to a host external from Panorama?

  • A. Commit a running configuration.
  • B. Save a configuration snapshot.
  • C. Save a candidate configuration.
  • D. Export a named configuration snapshot.

Answer: D

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/administer-panorama/back-up-panorama-and-firewall-configurations

NEW QUESTION 17
VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

  • A. Zone Protection
  • B. Replay
  • C. Web Application
  • D. DoS Protection

Answer: A

NEW QUESTION 18
Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)

  • A. video streaming application
  • B. Client Application Process
  • C. Destination Domain
  • D. Source Domain
  • E. Destination user/group
  • F. URL Category

Answer: ABC

NEW QUESTION 19
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

  • A. Security policy
  • B. Decryption policy
  • C. Authentication policy
  • D. Application Override policy

Answer: C

NEW QUESTION 20
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

  • A. Disable SNMP on the management interface.
  • B. Application override of SSL application.
  • C. Disable logging at session start in Security policies.
  • D. Disable predefined reports.
  • E. Reduce the traffic being decrypted by the firewall.

Answer: CDE

NEW QUESTION 21
What are three valid actions in a File Blocking Profile? (Choose three)

  • A. Forward
  • B. Block
  • C. Alert
  • D. Upload
  • E. Reset-both
  • F. Continue

Answer: ABC

Explanation:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/File-Blocking-Rulebase-and-Action-Precedence/ta-p/53623

NEW QUESTION 22
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?

  • A. Use config-drive on a USB stick.
  • B. Use an S3 bucket with an ISO.
  • C. Create and attach a virtual hard disk (VHD).
  • D. Use a virtual CD-ROM with an ISO.

Answer: D

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/management-features/bootstrapping-firewalls-for-rapid-deployment.html

NEW QUESTION 23
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

  • A. Create a custom App-ID and enable scanning on the advanced tab.
  • B. Create an Application Override policy.
  • C. Create a custom App-ID and use the “ordered conditions” check box.
  • D. Create an Application Override policy and custom threat signature for the application.

Answer: A

NEW QUESTION 24
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

  • A. Assign an IP address on each tunnel interface at each site
  • B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
  • C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
  • D. Create new VPN zones at each site to terminate each VPN connection

Answer: C

NEW QUESTION 25
Based on the following image,
PCNSE dumps exhibit
what is the correct path of root, intermediate, and end-user certificate?

  • A. Palo Alto Networks > Symantec > VeriSign
  • B. Symantec > VeriSign > Palo Alto Networks
  • C. VeriSign > Palo Alto Networks > Symantec
  • D. VeriSign > Symantec > Palo Alto Networks

Answer: D

NEW QUESTION 26
Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

  • A. App Scope
  • B. ACC
  • C. Session Browser
  • D. System Logs

Answer: C

NEW QUESTION 27
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

  • A. 99
  • B. 1
  • C. 255

Answer: D

Explanation:
Reference:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9)
