Product Questions: 75

Question: 1

A session in the Traffic log is reporting the application as "incomplete”

What does "incomplete" mean?

A. The three-way TCP handshake did not complete.

B. Data was received but wan instantly discarded because of a Deny policy was applied before App ID
could be applied.
C. The three-way TCP handshake was observed, but the application could not be identified.
D. The traffic is coming across UDP, and the application could not be identified.

Answer: A

Question: 2

Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

A. Untrust (any) to Untrust (10. 1.1. 100), web browsing – Allow

B. Untrust (any) to Untrust (1. 1. 1. 100), web browsing – Allow
C. Untrust (any) to DMZ (1. 1. 1. 100), web browsing – Allow
D. Untrust (any) to DMZ (10. 1. 1. 100), web browsing – Allow

https://www.dumpsschool.com/
 Questions & Answers PDF P-3

Answer: B

Question: 3

Which version of Global Protect supports split tunneling based on destination domain, client process,
and HTTP/HTTPs video streaming application?

A. Glovbalprotect version 4.0 with PAn-OS 8.0

B. Glovbalprotect version 4.1 with PAn-OS 8.1
C. Glovbalprotect version 4.0 with PAn-OS 8.1
D. Glovbalprotect version 4.1 with PAn-OS 8.0

Answer: C

Question: 4

A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against
compromised hosts trying to phone-number or bacon out to eternal command-and-control (C2)
servers.
Which Security Profile type will prevent these behaviors?

A. Vulnerability Protection
B. Antivirus
C. Wildfire
D. Anti-Spyware

Answer: D

Question: 5

An administrator has users accessing network resources through Citrix XenApp 7 .x. Which User-ID
mapping solution will map multiple mat who using Citrix to connect to the network and access
resources?

A. Client Probing
B. Globa1Protect
C. Terminal Services agent
D. Syslog Monitoring

Answer: C

Question: 6

A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the
switch it connect.
How would an administrator configure the interface to IGbps?

https://www.dumpsschool.com/
 Questions & Answers PDF P-4

A. set deviceconfig system speed-duplex 10Gbps-full-duplex

B. set deviceconfig interface speed-duplex 1Gbs--full-duplex
C. set deviceconfig interface speed-duplex 1Gbs--half-duplex
D. set deviceconfig system speed-duplex 1Gbs--half-duplex.

Answer: D

Question: 7

Which Captive Portal mode must be contoured to support MFA authentication?

A. Single Sign-On
B. Redirect
C. Transparent
D. NTLM

Answer: B

Question: 8

Which method will dynamically register tags on the Palo Alto Networks NGFW?

A. Restful API or the VMware API on the firewall or on the User.-D agent or the ready -only domain
controller
B. XML API or the VMware API on the firewall on the User-ID agent or the CLI
C. Restful API or the VMware API on the firewall or on the User-ID Agent
D. XML- API or lite VM Monitoring agent on the NGFW or on the User- ID agent

Answer: D

Question: 9

A customer wants to combine multiple Ethernet interfaces into a single virtual interface using Link
aggregation.
Which two formats are correct for naming aggregate interlaces? (Choose two.)

A. aggregate.8
B. ae.8
C. ae.1
D. aggregate.1

Answer: B, C

Question: 10

https://www.dumpsschool.com/
 Questions & Answers PDF P-5

Which CLI command enables an administrator to view detail about the firewall including uptime.
PAN -OS® version, and serial number?

A. debug system details

B. Show system detail
C. Show system info
D. Show session info

Answer: C

Question: 11

An administrator pushes a new configuration from panorama to a pair of firewalls that are configured
as active/passive HA pair.
Which NGFW receives the configuration from panorama?

A. the active firewall, which then synchronizes to the passive firewall

B. the passive firewall, which then synchronizes to the active firewall
C. both the active and passive firewalls independently, with no synchronization afterward
D. both the active and passive firewalls, which then synchronizes with each other

Answer: D

Question: 12

What is exchanged through the HA2 link?

A. hello heartbeats
B. User-ID in information
C. session synchronization
D. HA state information

Answer: C

Question: 13

A Security policy rule is configured with a Vulnerability Protection Profile and an action of Deny".
Which action will this configuration cause on the matched traffic?

A. The configuration is invalid it will cause the firewall to Skip this Security policy rule A warning will
be displayed during a command.
B. The configuration is valid It will cause the firewall to deny the matched sessions. Any configured
Security Profiles have no effect if the Security policy rule action is set to "Deny"
The configuration will allow the matched session unless a vulnerability signature is detected. The
"Deny" action will supersede the per. defined, severity defined actions defined in the associated
Vulnerability Protection Profile.

https://www.dumpsschool.com/
 Questions & Answers PDF P-6

D. The configuration is invalid. The Profile Settings section will be- grayed out when the action is set
to "Deny"

Answer: C

Question: 14

Which DoS protection mechanism detects and prevents session exhaustion attacks?

A. TCP Port Scan Protection

B. Flood Protection
C. Resource Protection
D. Pocket Based Attack Protection

Answer: C

Question: 15

An administrator wants multiple web servers in the DMZ to receive connections from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10 1.22
Based on the information shown in the age, which NAT rule will forward web-browsing traffic
correctly?

https://www.dumpsschool.com/
 Questions & Answers PDF P-7

A)

B)

C)

https://www.dumpsschool.com/
 Questions & Answers PDF P-8

D)

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Question: 16

View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

A. It forces an internal client to connect to an internal gateway at IP address 192 168 10 I.

B. It configures the tunnel address of all internal clients lo an IP address range starting at 192 168 10
1.
C. It forces the firewall to perform a dynamic DNS update, Which adds the internal gateway's
hostname and IP address to the DNS server.
D. It enables a Client to perform a reverse DNS lookup on 192 .168. 10 .1. to delect it is an internal
client.

Answer: D

Question: 17

https://www.dumpsschool.com/
 Questions & Answers PDF P-9

An administrator logs in to the Palo Alto Networks NGFW and reports and reports that the WebUI is
missing the policies tab. Which profile is the cause of the missing policies tab?

A. WebUI
B. Admin Role
C. Authorization
D. Authentication

Answer: B

Question: 18

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1
version?

A. When Panorama is reverted to an earlier PAN-OS release, variable used in template stacks will be
removed authentically.
B. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or
stacks.
C. An administrator must use the Expedition tool to adapt the configuration to the pre-pan-OS 8.1
state.
D. Administrators need to manually update variable characters to those to used in pre-PAN-OS 8.1.

Answer: B

Question: 19

Which option would an administration choose to define the certificate and protect that Panorama
and its managed devices uses for SSL/ITS services?

A. Set Up SSL/TLS under Policies > Service/URL Category > Service.

B. Configure on SSL/TLS Profile.
C. Configure a Decryption Profile and select SSL/TLS services.
D. Set up Security policy rule to allow SSL communication.

Answer: B

Question: 20

If the firewall is configured for credential phishing prevention using the "Domain Credential Filter"
method, which login will be detected as credential theft?

A. Using the name user's corporate username and password.

B. First four letters of the username matching any valid corporate username.
C. Matching any valid corporate username.
D. Mapping to the IP address of the logged-in user.

https://www.dumpsschool.com/
 Questions & Answers PDF P-10

Answer: D

Question: 21

Which three authentication faction factors does PAN-OS® software support for MFA? (Choose three.)

A. Voice
B. Pull
C. SMS
D. Push
E. Okta Adaptive

Answer: A, B, D

Question: 22

Which User-ID method should b configured to map addresses to usernames for users connected
through a terminal server?

A. XFF header
B. Client probing
C. port mapping
D. server monitoring

Answer: C

Question: 23

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks
NGFWs. The firewalls use layer 3 interface to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

A. The firewall do not use floating IPs in active/active HA.

B. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
C. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device
0 fails.
D. Each firewall will have a separate floating IP. and priority will determine which firewall has the
primary IP.

Answer: D

Question: 24

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual
authentication between panorama and the managed firewall and Log Collectors. How would the

https://www.dumpsschool.com/
 Questions & Answers PDF P-11

administrator establish the chain of trust?

A. Configure strong password

B. Set up multiple-factor authentication.
C. Use custom certificates.
D. Enable LDAP or RADIUS integration.

Answer: C

Question: 25

What will be the egress interface if the traffic’s ingress interface is Ethernet 1/6 sourcing form
192.168.11.3 and to the destination 10.46.41.113.during the.

https://www.dumpsschool.com/
 Questions & Answers PDF P-12

A. ethernet 1/6
B. ethernet 1/5
C. ethernet 1/3
D. ethernet 1/7

Answer: C

https://www.dumpsschool.com/
 Questions & Answers PDF P-13

Question: 26

An administrator sees several inbound sessions identified as unknown tcp in the Traffic logs. The
administrator determines that these sessions are from external users accessing the company’s
propriety accounting application. The administrator wants to reliability identity this as their
accounting application and to scan this traffic for threats.
Which option would achieve this result?

A. Create an Application Override policy and a custom threat signature for the application.
B. Create a custom App-ID and use the "ordered condition cheek box.
C. Create an Application Override policy
D. Create a custom App-ID and enable scanning on the advanced tab.

Answer: A

Question: 27

An administrator has enabled OSPF on a virtual router on the NGFW OSPF is not adding new routes
to the virtual router.
Which two options enable the administrator top troubleshoot this issue? (Choose two.)

A. Perform a traffic pcap at the routing stage.

B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. View Runtime Status virtual router.

Answer: B, D

Question: 28

What are two benefits of nested device groups in panorama? (Choose two )

A. overwrites local firewall configuration

B. requires configuration both function and location for every device
C. all device groups inherit setting from the Shared group
D. reuse of the existing Security policy rules and objects

Answer: B, C

Question: 29

Which feature prevents the submission of login information into website froms?

A. credential phishing prevention

B. file blocking
C. User-ID

https://www.dumpsschool.com/
 Questions & Answers PDF P-14

D. data filtering

Answer: A

Question: 30

Which feature prevents the submission of corporate login information into website forms?

A. credential submission prevention

B. file blocking
C. User-ID
D. data filtering

Answer: A

Question: 31

An administrator needs to optimize traffic to prefer business-critical applications over non-critical

applications.
QoS natively integrates with which feature to provide service quality?

A. port inspection
B. certification revocation
C. Content-ID
D. App-ID

Answer: D

Question: 32

A Palo Alto Networks NGFW just submitted a file lo WildFire tor analysis Assume a 5-minute window
for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

A. 10 to 15 minutes
B. 5 to 10 minutes
C. More than 15 minutes
D. 5 minutes

Answer: B

Question: 33

Winch three steps will reduce the CPU utilization on the management plane? (Choose three. )
Disable logging at session start in Security policies.

https://www.dumpsschool.com/
 Questions & Answers PDF P-15

A. Disable predefined reports.

B. Reduce the traffic being decrypted by the firewall.
C. Disable SNMP on the management interface.
D. Application override of SSL application.

Answer: A, B, C

Question: 34

If an administrator wants to decrypt SMTP traffic and possesses the saver’s certificate, which SSL
decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

A. TLS Bidirectional Inspection

B. SSL Inbound Inspection
C. SSH Forward now proxy
D. SMTP inbound Decryption

Answer: C

Question: 36

An administrator encountered problems with inbound decryption. Which option should the
administrator investigate as part of triage?

A. firewall connectivity to a CRL

B. Root certificate imported into the firewall with "Trust" enabled
C. importation of a certificate from an HSM
D. Security policy rule allowing SSL to the target server

Answer: D

Question: 37

Which feature can be configured on VM-Series firewalls'?

A. aggregate interlaces
B. multiple virtual systems
C. Globallprotect
D. machine learning

Answer: C

Question: 38

Which two benefits come from assigning a Decrypting Profile to a Decryption rule with a” NO
Decrypt” action? (Choose two.)

https://www.dumpsschool.com/
 Questions & Answers PDF P-16

A. Block sessions with unsuspected cipher suites

B. Block sessions with untrusted issuers
C. Block credential phishing.
D. Block sessions with client authentication
E. Block sessions with expired certificates

Answer: B, E

Question: 39

In High Availability, which information is transferred via the HA data link?

A. heartbeats
B. HA state information
C. session information
D. User-ID information

Answer: C

Question: 40

Which PAN-OS® policy must you configure to force a user to provide additional credential before he
is allowed to access an internal application that contains highly sensitive business data?

A. Authentication policy
B. Decryption policy
C. Security policy
D. Application Override policy

Answer: A

Question: 41

An administrator has left a firewall to used default port for all management services. Which three
function performed by the dataplane? (Choose three.)

A. NTP
B. antivirus
C. NAT
D. WildFire updates
E. file blocking

Answer: A, C, D

Question: 42

https://www.dumpsschool.com/
 Questions & Answers PDF P-17

An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?

A. Decryption tag
B. In the details of the Threat log entries
C. In the details of the Traffic log entries
D. Data filtering log

Answer: C

Question: 43

When is the content inspection performed in the packet flow process?

A. after the SSL Proxy re-encrypts the packet

B. before the packet forwarding process
C. after the application has been identified
D. before session lookup

Answer: C

Question: 44

A Company needs to preconfigured firewalls to be sent to remote sites with the least amount of
preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple
regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to Hie future site?

A. preconfigured GlobalProtcet satellite

B. preconfigured GlobalProtcet client
C. preconfigured iPsec tunnels
D. preconfigured PPTP Tunnels

Answer: A

Question: 45

Refer to the exhibit.

https://www.dumpsschool.com/
 Questions & Answers PDF P-18

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panoram
a. The configuration problem seems to be on the firewall side. Where is the best place on the Palo
Alto Networks NGFW to check whether the configuration is correct?
A)

B)

https://www.dumpsschool.com/
 Questions & Answers PDF P-19

C)

D)

https://www.dumpsschool.com/
 Questions & Answers PDF P-20

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Question: 46

VPN traffic intended for an administrator's Palo Alto Networks NGfW is being maliciously intercepted
and retransmitted by the interceptor. When Creating a VPN tunnel, which protection profile cm be
enabled to prevent this malicious behavior?

A. zone Protection
B. Web Application

https://www.dumpsschool.com/
 Questions & Answers PDF P-21

C. DoS Protection
D. Replay

Answer: A

Question: 47

Which event will happen administrator uses an Application Override Policy?

A. The application name assigned to the traffic by the security rule is written to the traffic log. B.
The Palo Alto Networks NGFW Steps App-ID processing at Layer 4.
C. Threat-ID processing time is decreased.
D. App-ID processing time is increased.

Answer: B

Question: 48

The firewall identified a popular application as a unknown-tcp. Which options are available to
identify the application? (Choose two.)

A. Create a Security policy to identify the customer application.

B. Create a customer object for the customer application server to identify the custom application.
C. Submit an App-ID request to Palo Alto Networks.
D. Create a custom application.

Answer: B, D

Question: 49

Which three file types can be forward to WildMFire for analysis a part of the basic WildMFire
service?

A. .exe
B. .apk
C. .dil
D. .jar
E. .pdf
F. .fon

Answer: B, D, E

Question: 50

Which two methods can be configured to validate the revocation status of a certificate? (Choose
two)

https://www.dumpsschool.com/
 Questions & Answers PDF P-22

A. CRL
B. Cert-Validation-Profile
C. OCSP
D. CRT
E. SSL /TLS Service Profile

Answer: B, D

Question: 51

Which virtual router feature determines if a specific destination IP address is reachable'?

A. Ping-Path
B. Path Monitoring
C. Failover
D. Heartbeat Monitoring

Answer: B

Question: 52

The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new
routes do not seem to be populating the virtual router.
Which two options would help the administrator Troubleshoot this issue? (Choose two.)

A. Perform a traffic pcap on the NGFW lo see any BGP problems

B. View the System logs and look for error messages about BGP
C. View the Runtime Stats and look for problems with BGP configuration
D. View the ACC lab to isolate routing issues.

Answer: C, D

Question: 53

A global corporate office has a large-scale network with only one User-ID agent, which creates a
bottleneck near the User-ID agent server. Which solution in PAN -OS® software would help in this
case?

A. content inspection
B. application override
C. Virtual Wire mode
D. redistribution of user mappings

Answer: D

https://www.dumpsschool.com/
 Questions & Answers PDF P-23

Question: 54

During the packet flow process, which two processes are performed in application identification?
(Choose two.)

A. Application changed from content inspection

B. session application identified
C. pattern based application identification
D. application override policy match

Answer: B, D

Question: 55

An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all
devices to the latest PAN-OS® software, the administrator enables logs forwarding from the firewalls
to panorama Pre-existing logs from the firewall are not appearing in Panoram
a.
Which action would enables the firewalls to send their preexisting logs to Panorama?
A. A CLI command will forward the pre-existing logs to Panorama.
B. Use the import option to pull logs panorama.
C. Use the ACC to consolidate pre-existing logs.
D. The- log database will need to be exported from the firewall and manually imported into
Panorama.

Answer: A

Question: 56

Which administrative authentication method supports authorization by an external service?

A. RADIUS
B. SSH keys
C. Certification
D. LDAP

Answer: A

Question: 57

A client has a sensitive application server in their data center and is particularly concerned about
resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect tins server against
resource exhaustion originating from multiple IP address (DDoS attack)?

A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server

https://www.dumpsschool.com/
 Questions & Answers PDF P-24

B. Add a DoS Protection Profile with defined session count.

C. Add a Vulnerability Protection Profile to block the attack.
D. Add QoS Profiles to throttle incoming requests.

Answer: B

Question: 58

Which administrative authentication method supports authorization by an external service?

A. RADIUS
B. SSH keys
C. Certification
D. LDAP

Answer: B

Question: 59

A web server is hosted in the DMZ and the server re configured to listen for income connections on
TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to
be configured to allow web-browsing access. The web server host its contents over Traffic from Trust
to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules needs to be
configured to allow cleaned web-browsing traffic to the server on tcp/443?

A. Rule# 1 application: ssl; service application-default: action allow

Role # 2 application web browsing, service application default, action allow
B. Rule #1application web-browsing, service service imp action allow
Rule #2 application ssl. service application -default, action allow
C. Rule#1 application web-brows.no service application-default, action allow
Rule #2 application ssl. Service application-default, action allow
D. Rule#1application: web-biows.no; service service-https action allow
Rule#2 application ssl. Service application-default, action allow

Answer: C

Question: 60

Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

A. No prerequisites are required

B. SSH keys must be manually generated
C. Both SSH keys and SSL certificates must be generated
D. SSL certificates must be generated

https://www.dumpsschool.com/
 Questions & Answers PDF P-25

Answer: A

Question: 61

An administrator deploys PA-500 NGFWs as an active/passive high availability pair . The devices are
not participating in dynamic router and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN OS® software?

A. Antivirus update package

B. Applications and Threats update package
C. Wildfire update package
D. User-ID agent

Answer: B

Question: 62

Which processing order will be enabled when a panorama administrator selects the setting "Objects
defined in ancestors will takes higher precedence?

A. Descendant objects, will take precedence over ancestor objects.

B. Ancestor will have precedence over descendant objects.
C. Ancestor objects will have precedence over other ancestor objects.
D. Descendant object will take precedence over other descendant objects.

Answer: B

Question: 63

An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task?
(Choose two.)
A)

B)

https://www.dumpsschool.com/
 Questions & Answers PDF P-26

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A, B, C

Question: 64

https://www.dumpsschool.com/
 Questions & Answers PDF P-27

How would an administrator monitor/capture traffic on the management interface of the Palo Alto
Networks NGFW?

A. Use the tcpdump command

B. Use the debug dataplane packet-diag set capture stage management file command
C. USe the debug dataplane packet-dia set capture stage firewall file command
D. Enable all four stage of traffic capture (TX, RX, DROP, Firewall)

Answer: A

Question: 65

An organization has Palo Alto Networks MGfWs that send logs to remote monitoring and security
management platforms. The network team has report has excessive traffic on the corporate WAN.
How could the Palo Alto Networks NOFW administrator reduce WAN traffic while maintaining
support for all the existing monitoring/security platforms?

A. forward logs from firewalls only to Panorama, and have Panorama forward log* lo other external
service.
B. Any configuration on an M-500 would address the insufficient bandwidth concerns.
C. Configure log compression and optimization features on all remote firewalls.
D. Forward logs from external sources to Panorama for correlation, arid from Panorama send to the
NGFW

Answer: A

Question: 66

A user's traffic traversing a Palo Alto Networks NGFW sometime can reach http//www company com
At the session times out. The NGFW has been configured with a PBF rule that the user's traffic
matches when it goes to http //www company com.
How con the firewall be configured to automatically disable the PBF rule if the next hop goes down?

A. Configure path monitoring for tine next hop gateway on the default route in tin- virtual router.
B. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
C. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
D. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.

https://www.dumpsschool.com/
 Questions & Answers PDF P-28

Answer: D

Question: 67

Which two methods can be used to verify firewall connectivity to Autofocus? (Choose two. )

A. Check the WebUl Dashboard Autofocus widget

B. Check for WildFire forwarding logs.
C. Verify AutoFocus is enabled below Device Management tab
D. Verify AutoFocus status using the CLI "test"command.
E. Check the license

Answer: A, E

Question: 68

An administrator creates a custom application containing Layer 7 signatures. The latest application
and threat dynamic update is downloaded to the same NGFW. THE update contains application that
matches the same traffic signatures as the customer application.
Which application should be used to identify traffic traversing the NGFW?

A. custom application
B. Custom and downloaded application signature files are merged and are used
C. System longs show an application errors and signature is used.
D. downloaded application

Answer: A

Question: 69

Which three options are supposed in HA Lite? (Choose three.)

A. Configuration synchronization
B. Virtual link
C. active/passive deployment
D. session synchronization
E. synchronization of IPsec security associations

Answer: A, C, E

Question: 70

Which two options prevents the firewall from capturing traffic passing through it? (Choose two.)

A. The firewall is in milti-vsys mode.

https://www.dumpsschool.com/
 Questions & Answers PDF P-29

B. The traffic does not match the packet capture filter

C. The traffic is offloaded.
D. The firewall's DP CPU is higher than 50%

Answer: B, C

Question: 71

Which two action would be part of an automatic solution that would block sites with untrusted
certificates without enabling SSL forward proxy? (Choose two.)

A. Configure an EDL to pull IP Addresses of known sites resolved from a CRL.

B. Create a Security Policy rule with vulnerability Security Profile attached.
C. Create a no-decrypt Decryption Policy rule.
D. Enable the "Block seasons with untrusted Issuers- setting.
E. Configure a Dynamic Address Group for untrusted sites.

Answer: B, D

Question: 72

How does Panorama prompt VMware NSX to quarantine an in6erface VM??

A. Syslog Server Profile

B. Email Server Profile
C. SNMP Server Profile
D. HTTP Server Profile

Answer: A

Question: 73

Which two subscriptions are available when configuring panorama to push dynamic updates to
connected devices? (Choose two.)

A. User-ID
B. Antivirus
C. Application and Threats
D. Content-ID

Answer: B, C

Question: 74

Which three user authentication services can be modified in to provide the Palo Alto Networks
NGFW with both username and role names? (Choose three.)

https://www.dumpsschool.com/
 Questions & Answers PDF P-30

A. PAP
B. SAML
C. LDAP
D. TACACS+
E. RADIUS
F. Kerberos

Answer: C, D, E

Question: 75

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks
NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is collect tot the passive firewall?

A. 0
B. 1
C. 90
D. 255

Answer: D

Question: 75

When a malware-infected host attempts to resolve a known command-and-control server, the traffic
matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

A. The IP Address of sinkhole.paloaltonetworks.com

B. The IP Address of the command-and-control server
C. The IP Address specified in the sinkhole configuration
D. The IP Address of one of the external DNS servers identified in the anti-spyware database

Answer: C

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify-DNS-Sinkhole-Function-
is-Working/ta-p/65864

https://www.dumpsschool.com/