PCNSE Exam Topics

Uploaded by

boopathysekar

PCNSE – EXAM QUESTIONS

Question #1
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

A. check
B. find
C. test
D. sim

Question #2
Refer to the exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
C. Configure log compression and optimization features on all remote firewalls.
D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Question #3
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile

Question #4
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?

A. Anti-Spyware
B. Instruction Prevention
C. File Blocking
D. Antivirus

Question #5
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

A. Preconfigured GlobalProtect satellite
B. Preconfigured GlobalProtect client
C. Preconfigured IPsec tunnels
D. Preconfigured PPTP Tunnels

Question #6
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

A. 0
B. 99
C. 1
D. 255

Question #7
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

A. The passive firewall, which then synchronizes to the active firewall.
B. The active firewall, which then synchronizes to the passive firewall.
C. Both the active and passive firewalls, which then synchronize with each other.
D. Both the active and passive firewalls independently, with no synchronization afterward

Question #8
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

A. To enable Gateway authentication to the Portal
B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal

Question #9
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in
Panorama reports. The configuration problem seems to be on the firewall.
Which settings, if configured incorrectly, most likely would stop only Traffic logs from being
sent from the firewall to Panorama?

A.

B.
C.

D
Question #10
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

A. The settings assigned to the template that is on top of the stack.
B. The administrator will be prompted to choose the settings for that chosen firewall.
C. All the settings configured in all templates.
D. Depending on the firewall location, Panorama decides which settings to send.

Question #11
Which method will dynamically register tags on the Palo Alto Networks NGFW?

A. Restful API or the VMware API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
B. Restful API or the VMware API on the firewall or on the User-ID agent
C. XML API or the VMware API on the firewall or on the User-ID agent or the CLI
D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Question #12
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

A. Configure the option for "Threshold".
B. Disable automatic updates during weekdays.
C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
D. Automatically "download and install" but with the "disable new applications" option used.

Question #13
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

A. Device > Setup > Services > AutoFocus
B. Device > Setup > Management > AutoFocus
C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
D. Device > Setup > WildFire > AutoFocus
E. Device > Setup > Management > Logging and Reporting Settings

Question #14
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

A. Security policy rule allowing SSL to the target server
B. Firewall connectivity to a CRL
C. Root certificate imported into the firewall with "Trust" enabled
D. Importation of a certificate from an HSM

Question #15
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

A. Red Hat Enterprise Virtualization (RHEV)
B. Kernel Virtualization Module (KVM)
C. Boot Strap Virtualization Module (BSVM)
D. Microsoft Hyper-V

Question #16
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

A. XML API
B. Port Mapping
C. Client Probing
D. Server Monitoring

Question #17
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

A. web-browsing and 443
B. SSL and 80
C. SSL and 443
D. web-browsing and 80

Question #18
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

A. Security policy
B. Decryption policy
C. Authentication policy
D. Application Override policy

Question #19
A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny`. Which action will this configuration cause on the matched traffic?

A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny".
B. The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".

Question #20
A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
D. Configure path monitoring for the next hop gateway on the default route in the virtual router.

Question #21
What are two benefits of nested device groups in Panorama? (Choose two.)

A. Reuse of the existing Security policy rules and objects
B. Requires configuring both function and location for every device
C. All device groups inherit settings from the Shared group
D. Overwrites local firewall configuration

Question #22
Which Captive Portal mode must be configured to support MFA authentication?

A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent

Question #23
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required.
Which interface type would support this business requirement?

A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Question #24
There is a speed/duplex negotiation mismatch between the Palo Alto Networks management port and the switch port to which it connects.
How would an administrator configure the interface to 1Gbps?

A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
B. set deviceconfig system speed-duplex 1Gbps-duplex
C. set deviceconfig system speed-duplex 1Gbps-full-duplex
D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Question #25
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080.
A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080?

A. application: web-browsing; service: application-default
B. application: web-browsing; service: service-https
C. application: ssl; service: any
D. application: web-browsing; service: (custom with destination TCP port 8080)

Question #26
If the firewall has the following link monitoring configuration, what will cause a failover?

A. ethernet1/3 and ethernet1/6 going down
B. ethernet1/3 going down
C. ethernet1/3 or ethernet1/6 going down
D. ethernet1/6 going down

Question #27
In the image, what caused the commit warning?

A. The CA certificate for FWDtrust has not been imported into the firewall.
B. The FWDtrust certificate has not been flagged as Trusted Root CA.
C. SSL Forward Proxy requires a public certificate to be imported into the firewall.
D. The FWDtrust certificate does not have a certificate chain.

Question #28
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

A. Okta
B. DUO
C. RADIUS
D. PingID

Question #29
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

A. Use the debug dataplane packet-diag set capture stage firewall file command.
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
C. Use the debug dataplane packet-diag set capture stage management file command.
D. Use the tcpdump command.

Question #30
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications.
QoS natively integrates with which feature to provide service quality?

A. Port Inspection
B. Certificate revocation
C. Content-ID
D. App-ID

Question #31
A session in the Traffic log is reporting the application as `incomplete.`
What does `incomplete` mean?

A. The three-way TCP handshake was observed, but the application could not be identified.
B. The three-way TCP handshake did not complete.
C. The traffic is coming across UDP, and the application could not be identified.
D. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied.

Question #32
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)

A. Untrust (Any) to Untrust (10.1.1.1), web-browsing – Allow
B. Untrust (Any) to Untrust (10.1.1.1), ssh – Allow
C. Untrust (Any) to DMZ (1.1.1.100), web-browsing – Allow
D. Untrust (Any) to DMZ (1.1.1.100), ssh – Allow
E. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing – Allow

Question #33
An administrator needs to determine why users on the trust zone cannot reach certain
websites. The only information available is shown on the following image.

Which configuration change should the administrator make?


A.

B.
C.

D.
E.

Question #34
Which three settings are defined within the Templates object of Panorama? (Choose three.)

A. Setup
B. Virtual Routers
C. Interfaces
D. Security
E. Application Override

Question #35
A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections.
Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

A. Application Override policy.
B. Security policy to identify the custom application.
C. Custom application.
D. Custom Service object.

Question #36
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab.
Which profile is the cause of the missing Policies tab?

A. Admin Role
B. WebUI
C. Authentication
D. Authorization

Question #37
An administrator has left a firewall to use the default port for all management services.
Which three functions are performed by the dataplane? (Choose three.)

A. WildFire updates
B. NAT
C. NTP
D. antivirus
E. file blocking

Question #38
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

A. Use the import option to pull logs into Panorama.
B. A CLI command will forward the pre-existing logs to Panorama.
C. Use the ACC to consolidate pre-existing logs.
D. The log database will need to be exported from the firewalls and manually imported into Panorama.

Question #39
A firewall just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

A. More than 15 minutes
B. 5 minutes
C. 10 to 15 minutes
D. 5 to 10 minutes

Question #40
What are the differences between using a service versus using an application for Security Policy match?

A. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take immediate action if the port being used is a member of the application standard port list.
B. There are no differences between "service" or "application". Use of an "application" simplifies configuration by allowing use of a friendly application name instead of port numbers.
C. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used
D. Use of a "service" enables the firewall to take action after enough packets allow for App-ID identification

Question #41
Which Palo Alto Networks VM-Series firewall is valid?

A. VM-25
B. VM-800
C. VM-50
D. VM-400

Question #42
An administrator wants multiple web servers in the DMZ to receive connections initiated
from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at
10.1.1.22

Based on the information shown in the image, which NAT rule will forward web-browsing
traffic correctly?

A.
B.

C.

D.

Question #43
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?

A. Custom application
B. System logs show an application error and neither signature is used.
C. Downloaded application
D. Custom and downloaded application signature files are merged and both are used

Question #44
Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?

A. GlobalProtect
B. System
C. Authentication
D. Configuration

Question #45
Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

A. ethernet1/6
B. ethernet1/3
C. ethernet1/7
D. ethernet1/5

Question #46
Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

A. Kerberos
B. PAP
C. SAML
D. TACACS+
E. RADIUS
F. LDAP

Question #47
Which event will happen if an administrator uses an Application Override Policy?

A. Threat-ID processing time is decreased.
B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
C. The application name assigned to the traffic by the security rule is written to the Traffic log.
D. App-ID processing time is increased.

Question #48
Which Security policy rule will allow an admin to block Facebook chat but allow Facebook in general?

A. Deny application facebook-chat before allowing application facebook
B. Deny application facebook on top
C. Allow application facebook on top
D. Allow application facebook before denying application facebook-chat

Question #49
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

A. Enable packet buffer protection on the Zone Protection Profile.
B. Apply an Anti-Spyware Profile with DNS sinkholing.
C. Use the DNS App-ID with application-default.
D. Apply a classified DoS Protection Profile.

Question #50
If the firewall is configured for credential phishing prevention using the `Domain Credential Filter` method, which login will be detected as credential theft?

A. Mapping to the IP address of the logged-in user.
B. First four letters of the username matching any valid corporate username.
C. Using the same user's corporate username and password.
D. Matching any valid corporate username.

Question #51
An administrator has users accessing network resources through Citrix XenApp 7.x.
Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

A. Client Probing
B. Terminal Services agent
C. GlobalProtect
D. Syslog Monitoring

Question #52
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software.
The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface.
The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS® software can be upgraded?

A. Security policy rule
B. CRL
C. Service route
D. Scheduler

Question #53
Which feature prevents the submission of corporate login information into website forms?

A. Data filtering
B. User-ID
C. File blocking
D. Credential phishing prevention

Question #54
Which option is part of the content inspection process?

A. Packet forwarding process
B. SSL Proxy re-encrypt
C. IPsec tunnel encryption
D. Packet egress process

Question #55
In a virtual router, which object contains all potential routes?

A. MIB
B. RIB
C. SIP
D. FIB

Question #56
An administrator creates an SSL decryption rule decrypting traffic on all ports.
The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs.
There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

A. Create a decryption rule matching the encrypted BitTorrent traffic with action "No-Decrypt," and place the rule at the top of the Decryption policy.
B. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy.
C. Disable the exclude cache option for the firewall.
D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

Question #57
Refer to the exhibit.

Which certificates can be used as a Forward Trust certificate?

A. Certificate from Default Trust Certificate Authorities
B. Domain Sub-CA
C. Forward-Trust
D. Domain-Root-Cert

Question #58
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

A. Configure a Decryption Profile and select SSL/TLS services.
B. Set up SSL/TLS under Policies > Service/URL Category > Service.
C. Set up Security policy rule to allow SSL communication.
D. Configure an SSL/TLS Profile.

Question #59
Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

A. ACC
B. System Logs
C. App Scope
D. Session Browser

Question #60
Which protection feature is available only in a Zone Protection Profile?

A. SYN Flood Protection using SYN Flood Cookies
B. ICMP Flood Protection
C. Port Scan Protection
D. UDP Flood Protections

Question #61
Which CLI command can be used to export the tcpdump capture?

A. scp export tcpdump from mgmt.pcap to < username@host:path>
B. scp extract mgmt-pcap from mgmt.pcap to < username@host:path>
C. scp export mgmt-pcap from mgmt.pcap to < username@host:path>
D. download mgmt-pcap

Question #62
An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates?

A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.

Question #63
Which three options are supported in HA Lite? (Choose three.)

A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization

Question #64
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

A. debug system details
B. show session info
C. show system info
D. show system details

Question #65
During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. Pattern based application identification
B. Application override policy match
C. Application changed from content inspection
D. Session application identified

Question #66
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

A. Session Browser
B. Application Command Center
C. TCP Dump
D. Packet Capture

Question #67
The certificate information displayed in the following image is for which type of certificate?

A. Forward Trust certificate
B. Self-Signed Root CA certificate
C. Web Server certificate
D. Public CA signed certificate

Question #68
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

A. Disable SNMP on the management interface.
B. Application override of SSL application.
C. Disable logging at session start in Security policies.
D. Disable predefined reports.
E. Reduce the traffic being decrypted by the firewall.

Question #69
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?

A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile

Question #70
How can a candidate or running configuration be copied to a host external to Panorama?

A. Commit a running configuration.
B. Save a configuration snapshot.
C. Save a candidate configuration.
D. Export a named configuration snapshot.

Question #71
If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?

A. SSL Forward Proxy
B. SSL Inbound Inspection
C. SSL Reverse Proxy
D. SSL Outbound Inspection

Question #72
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs.
The administrator determines that these sessions are from external users accessing the company's proprietary accounting application.
The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

A. Create a custom App-ID and enable scanning on the advanced tab.
B. Create an Application Override policy.
C. Create a custom App-ID and use the "ordered conditions" check box.
D. Create an Application Override policy and a custom threat signature for the application.

Question #73
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

A. View the System logs and look for the error messages about BGP.
B. Perform a traffic pcap on the NGFW to see any BGP problems.
C. View the Runtime Stats and look for problems with BGP configuration.
D. View the ACC tab to isolate routing issues.

Question #74
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

A. View Runtime Stats in the virtual router.
B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. Perform a traffic pcap at the routing stage.

Question #75
Which three firewall states are valid? (Choose three.)

A. Active
B. Functional
C. Pending
D. Passive
E. Suspended

Question #76
Which virtual router feature determines if a specific destination IP address is reachable?

A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path

Question #77
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

A. Decryption Mirror interface with the Threat Analysis license
B. Virtual Wire interface with the Decryption Port Export license
C. Tap interface with the Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license

Question #78
When is the content inspection performed in the packet flow process?

A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet

Question #79
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?

A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries

Question #80
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack?

A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus

Question #81
Which processing order will be enabled when a Panorama administrator selects the setting `Objects defined in ancestors will take higher precedence`?

A. Descendant objects will take precedence over other descendant objects.
B. Descendant objects will take precedence over ancestor objects.
C. Ancestor objects will have precedence over descendant objects.
D. Ancestor objects will have precedence over other ancestor objects.

Question #82
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication

Question #83
What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

A. ethernet1/7
B. ethernet1/5
C. ethernet1/6
D. ethernet1/3

Question #84
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through
DNAT.

Which Security policy rule will allow traffic to flow to the web server?

 A. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow

 B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow

 C. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

 D. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow


Question #85
A web server is hosted in the DMZ and the server is configured to listen for incoming
connections on TCP port 443. A Security policy rule allowing access from the Trust zone to
the DMZ zone needs to be configured to allow web-browsing access.

The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted
with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to
be configured to allow cleartext web-browsing traffic to this server on tcp/443?

 A. Rule #1: application: web-browsing; service: application-default; action: allow
Rule #2: application: ssl; service: application-default; action: allow

 B. Rule #1: application: web-browsing; service: service-http; action: allow
Rule #2: application: ssl; service: application-default; action: allow

 C. Rule #1: application: ssl; service: application-default; action: allow
Rule #2: application: web-browsing; service: application-default; action: allow

 D. Rule #1: application: web-browsing; service: service-https; action: allow
Rule #2: application: ssl; service: application-default; action: allow
Question #86
Which two options prevent the firewall from capturing traffic passing through it? (Choose
two.)

 A. The firewall is in multi-vsys mode.

 B. The traffic is offloaded.

 C. The traffic does not match the packet capture filter.

 D. The firewall's DP CPU is higher than 50%.


Question #87
A global corporate office has a large-scale network with only one User-ID agent, which
creates a bottleneck near the User-ID agent server.

Which solution in PAN-OS® software would help in this case?

 A. application override

 B. Virtual Wire mode

 C. content inspection

 D. redistribution of user mappings


Question #88
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab
environment (not in "the cloud").

Bootstrapping is the most expedient way to perform this task.

Which option describes deployment of a bootstrap package in an on-premise virtual
environment?

 A. Use config-drive on a USB stick.

 B. Use an S3 bucket with an ISO.

 C. Create and attach a virtual hard disk (VHD).

 D. Use a virtual CD-ROM with an ISO.


Question #89
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule
with a `No Decrypt` action? (Choose two.)
 A. Block sessions with expired certificates

 B. Block sessions with client authentication

 C. Block sessions with unsupported cipher suites

 D. Block sessions with untrusted issuers

 E. Block credential phishing

Question #90
Which User-ID method should be configured to map IP addresses to usernames for users
connected through a terminal server?

 A. port mapping

 B. server monitoring

 C. client probing

 D. XFF headers
Question #91
Which feature can be configured on VM-Series firewalls?

 A. aggregate interfaces

 B. machine learning

 C. multiple virtual systems

 D. GlobalProtect
Question #92
In High Availability, which information is transferred via the HA data link?

 A. session information

 B. heartbeats

 C. HA state information

 D. User-ID information
Question #93
The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

 A. Create a custom application.


 B. Create a custom object for the custom application server to identify the custom
application.

 C. Submit an App-ID request to Palo Alto Networks.

 D. Create a Security policy to identify the custom application.


Question #94
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate,
which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the
server?

 A. TLS Bidirectional Inspection

 B. SSL Inbound Inspection

 C. SSH Forward Proxy

 D. SMTP Inbound Decryption

Question #95
A client has a sensitive application server in their data center and is particularly concerned
about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server
against resource exhaustion originating from multiple IP addresses (DDoS attack)?

 A. Define a custom App-ID to ensure that only legitimate application traffic reaches
the server.

 B. Add a Vulnerability Protection Profile to block the attack.

 C. Add QoS Profiles to throttle incoming requests.

 D. Add a DoS Protection Profile with defined session count.


Question #96
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

 A. Verify AutoFocus status using the CLI "test" command.

 B. Check the WebUI Dashboard AutoFocus widget.

 C. Check for WildFire forwarding logs.

 D. Check the license.

 E. Verify AutoFocus is enabled below Device Management tab.


Question #97
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
 A. show running resource-monitor

 B. debug data-plane dp-cpu

 C. show system resources

 D. debug running resources


Question #98
Which DoS protection mechanism detects and prevents session exhaustion attacks?

 A. Packet Based Attack Protection

 B. Flood Protection

 C. Resource Protection

 D. TCP Port Scan Protection


Question #99
Which two subscriptions are available when configuring Panorama to push dynamic updates
to connected devices? (Choose two.)

 A. Content-ID

 B. User-ID

 C. Applications and Threats

 D. Antivirus
Question #100
View the GlobalProtect configuration screen capture. What is the purpose of this
configuration?

 A. It configures the tunnel address of all internal clients to an IP address range
starting at 192.168.10.1.

 B. It forces an internal client to connect to an internal gateway at IP address
192.168.10.1.

 C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that
it is an internal client.

 D. It forces the firewall to perform a dynamic DNS update, which adds the internal
gateway's hostname and IP address to the DNS server.
Question #101
Which three user authentication services can be modified to provide the Palo Alto Networks
NGFW with both usernames and role names? (Choose three.)

 A. TACACS+

 B. Kerberos

 C. PAP

 D. LDAP

 E. SAML

 F. RADIUS
Question #102
What is exchanged through the HA2 link?

 A. hello heartbeats

 B. User-ID information

 C. session synchronization

 D. HA state information
Question #103
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

 A. Both SSH keys and SSL certificates must be generated.

 B. No prerequisites are required.

 C. SSH keys must be manually generated.


D. SSL certificates must be generated.
Question #104
A customer wants to combine multiple Ethernet interfaces into a single virtual interface
using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)

 A. ae.8

 B. aggregate.1

 C. ae.1
 D. aggregate.8
Question #105
Which three authentication factors does PAN-OS® software support for MFA? (Choose
three.)

 A. Push

 B. Pull

 C. Okta Adaptive

 D. Voice

 E. SMS
Question #106
VPN traffic intended for an administrator's firewall is being maliciously intercepted and
retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this
malicious behaviour?

 A. Zone Protection

 B. Replay

 C. Web Application

 D. DoS Protection
Question #107
Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet
zone to a web server hosted on the DMZ zone? The web server is reachable using a
Destination NAT policy in the Palo Alto Networks firewall.
A.

B.
C.

D.

Question #108
An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum
allowable bandwidth for the YouTube application. However, YouTube is consuming more
than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

 A. Enable QoS interface

 B. Enable QoS in the Interface Management Profile

 C. Enable QoS Data Filtering Profile

 D. Enable QoS monitor


Question #109
Which log file can be used to identify SSL decryption failures?

 A. Traffic

 B. ACC

 C. Configuration
 D. Threats
Question #110
A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)

 A. tunnel.1

 B. vpn-tunnel.1

 C. tunnel.1025

 D. vpn-tunnel.1024
Question #111
Based on the following image, what is the correct path of root, intermediate, and end-user
certificate?
 A. Palo Alto Networks > Symantec > VeriSign

 B. VeriSign > Symantec > Palo Alto Networks

 C. Symantec > VeriSign > Palo Alto Networks

 D. VeriSign > Palo Alto Networks > Symantec


Question #112
An administrator wants a new Palo Alto Networks NGFW to obtain automatic application
updates daily, so it is configured to use a scheduler for the application database.
Unfortunately, they required the management network to be isolated so that it cannot
reach the Internet.
Which configuration will enable the firewall to download and install application updates
automatically?

 A. Download and install application updates cannot be done automatically if the
MGT port cannot reach the Internet.

 B. Configure a service route for Palo Alto Networks Services that uses a dataplane
interface that can route traffic to the Internet, and create a Security policy rule to allow
the traffic from that interface to the update servers if necessary.

 C. Configure a Policy Based Forwarding policy rule for the update server IP address
so that traffic sourced from the management interface destined for the update
servers goes out of the interface acting as your Internet connection.

 D. Configure a Security policy rule to allow all traffic to and from the update servers.
Question #113
A company wants to install an NGFW firewall between two core switches on a VLAN trunk
link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic
to its own zone.
Which option differentiates multiple VLANs into separate zones?

 A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096"
in the "Tag Allowed" field of the V-Wire object.

 B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single
VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional
VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to
a unique zone.

 C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a
common virtual router. The physical Layer 3 interface would handle untagged traffic.
Assign each interface/subinterface to a unique zone. Do not assign any interface an IP
address.
 D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each
VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic.
Assign each interface/subinterface to a unique zone.
Question #114
Which data flow describes redistribution of user mappings?

 A. User-ID agent to firewall

 B. Domain Controller to User-ID agent

 C. User-ID agent to Panorama


D. firewall to firewall
Question #115
Where can an administrator see both the management plane and data plane CPU utilization
in the WebUI?

 A. System Utilization log

 B. System log

 C. Resources widget

 D. CPU Utilization widget


Question #116
Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose
four.)

 A. Short message service

 B. Push

 C. User logon

 D. Voice

 E. SSH key

 F. One-Time Password
Question #117
Which two features does PAN-OS® software use to identify applications? (Choose two.)

 A. transaction characteristics

 B. session number

 C. port number
 D. application layer payload
Question #118
An administrator wants to upgrade a firewall from PAN-OS® 9.1 to PAN-OS® 10.0. The
firewall is not a part of an HA pair.
What needs to be updated first?

 A. Applications and Threats

 B. XML Agent

 C. WildFire

 D. PAN-OS Upgrade Agent


Question #119
When backing up and saving configuration files, what is achieved using only the firewall and
is not available in Panorama?

 A. Load configuration version

 B. Save candidate config

 C. Export device state

 D. Load named configuration snapshot


Question #120
Which two settings can be configured only locally on the firewall and not pushed from a
Panorama template or template stack? (Choose two.)

 A. HA1 IP Address

 B. Master Key

 C. Zone Protection Profile

 D. Network Interface Type


Question #121
An administrator just submitted a newly found piece of spyware for WildFire analysis. The
spyware passively monitors behavior without the user's knowledge.

What is the expected verdict from WildFire?

 A. Malware

 B. Grayware
 C. Phishing

 D. Spyware
Question #122
When configuring the firewall for packet capture, what are the valid stage types?

 A. receive, management, transmit, and non-syn

 B. receive, management, transmit, and drop

 C. receive, firewall, send, and non-syn

 D. receive, firewall, transmit, and drop


Question #123
Which operation will impact the performance of the management plane?

 A. DoS protection

 B. WildFire submissions

 C. generating a SaaS Application report

 D. decrypting SSL sessions


Question #124
Which User-ID method maps IP addresses to usernames for users connecting through a web
proxy that has already authenticated the user?

 A. syslog listening

 B. server monitoring

 C. client probing

 D. port mapping
Question #125
The firewall determines if a packet is the first packet of a new session or if a packet is part of
an existing session using which kind of match?

 A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination
Port, Protocol, and Source Security Zone

 B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination
Port, Protocol

 C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination
Port, Source User, URL Category, and Source Security Zone
 D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination
Port, Source User, Source Security Zone, Destination Security Zone, Application, and
URL Category
Question #126
Which GlobalProtect Client connect method requires the distribution and use of machine
certificates?

 A. At-boot

 B. Pre-logon

 C. User-logon (Always on)

 D. On-demand
Question #127
Which feature can provide NGFWs with User-ID mapping information?

 A. Web Captcha

 B. Native 802.1q authentication

 C. GlobalProtect

 D. Native 802.1x authentication


Question #128
Which Panorama administrator types require the configuration of at least one access
domain? (Choose two.)

 A. Role Based

 B. Custom Panorama Admin

 C. Device Group

 D. Dynamic

 E. Template Admin

Question #129
Which option enables a Palo Alto Networks NGFW administrator to schedule Application
and Threat updates while applying only new content-IDs to traffic?

 A. Select download-and-install

 B. Select download-only

 C. Select download-and-install, with "Disable new apps in content update"
selected

 D. Select disable application updates and select "Install only Threat updates"
Question #130
Which is the maximum number of samples that can be submitted to WildFire per day, based
on a WildFire subscription?

 A. 10,000

 B. 15,000

 C. 7,500

 D. 5,000
Question #131
In which two types of deployment is active/active HA configuration supported?
(Choose two.)

 A. Layer 3 mode

 B. TAP mode

 C. Virtual Wire mode

 D. Layer 2 mode
Question #132
For which two reasons would a firewall discard a packet as part of the packet flow
sequence? (Choose two.)

 A. ingress processing errors

 B. rule match with action "deny"

 C. rule match with action "allow"

 D. equal-cost multipath
Question #133
Which logs enable a firewall administrator to determine whether a session was decrypted?

 A. Traffic
 B. Security Policy

 C. Decryption

 D. Correlated Event
Question #134
An administrator needs to upgrade an NGFW to the most current version of PAN-OS®
software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and
from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS
software?

 A. Static route pointing application PaloAlto-updates to the update servers

 B. Security policy rule allowing PaloAlto-updates as the application

 C. Scheduler for timed downloads of PAN-OS software

 D. DNS settings for the firewall to use for resolution


Question #135
A client has a sensitive application server in their data center and is particularly concerned
about session flooding because of denial-of-service attacks.

How can the Palo Alto Networks NGFW be configured to specifically protect this server
against session floods originating from a single IP address?

 A. Add an Anti-Spyware Profile to block attacking IP address

 B. Define a custom App-ID to ensure that only legitimate application traffic reaches
the server

 C. Add QoS Profiles to throttle incoming requests

 D. Add a tuned DoS Protection Profile


Question #136
An administrator deploys PA-500 NGFWs as an active/passive high availability pair.

The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS®
software?

 A. Antivirus update package.

 B. Applications and Threats update package.

 C. User-ID agent.

 D. WildFire update package.


Question #137
A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent
against compromised hosts trying to phone-home or beacon out to external command-and-
control (C2) servers.

Which Security Profile type will prevent these behaviors?

 A. Anti-Spyware

 B. WildFire

 C. Vulnerability Protection

 D. Antivirus
Question #138
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS
8.1 version?

 A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in
templates or template stacks.

 B. An administrator must use the Expedition tool to adapt the configuration to the
pre-PAN-OS 8.1 state.

 C. When Panorama is reverted to an earlier PAN-OS release, variables used in
templates or template stacks will be removed automatically.

 D. Administrators need to manually update variable characters to those used in
pre-PAN-OS 8.1.
Question #139
Which two methods can be configured to validate the revocation status of a certificate?
(Choose two.)

 A. CRL
 B. CRT

 C. OCSP

 D. Cert-Validation-Profile

 E. SSL/TLS Service Profile


Question #140
Which administrative authentication method supports authorization by an external service?

 A. Certificates

 B. LDAP

 C. RADIUS

 D. SSH keys

Question #141
Which three file types can be forwarded to WildFire for analysis as a part of the basic
WildFire service? (Choose three.)

 A. .dll

 B. .exe

 C. .fon

 D. .apk

 E. .pdf

 F. .jar
Question #142
An administrator has been asked to configure active/active HA for a pair of firewalls.

The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?

 A. The two firewalls will share a single floating IP and will use gratuitous ARP to share
the floating IP.

 B. Each firewall will have a separate floating IP, and priority will determine which
firewall has the primary IP.
 C. The firewalls do not use floating IPs in active/active HA.

 D. The firewalls will share the same interface IP address, and device 1 will use the
floating IP if device 0 fails.
Question #143
Which version of GlobalProtect supports split tunneling based on destination domain, client
process, and HTTP/HTTPS video streaming application?

 A. GlobalProtect version 4.0 with PAN-OS 8.1

 B. GlobalProtect version 4.1 with PAN-OS 8.1

 C. GlobalProtect version 4.1 with PAN-OS 8.0

 D. GlobalProtect version 4.0 with PAN-OS 8.0


Question #144
How does Panorama prompt VMware NSX to quarantine an infected VM?

 A. HTTP Server Profile

 B. Syslog Server Profile

 C. Email Server Profile

 D. SNMP Server Profile

Question #145
An administrator accidentally closed the commit window/screen before the commit was
finished. Which two options could the administrator use to verify the progress or success of
that commit task? (Choose two.)
A.

B.
C.

D.

Question #146
Which two actions would be part of an automatic solution that would block sites with
untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

 A. Create a no-decrypt Decryption Policy rule.

 B. Configure a Dynamic Address Group for untrusted sites.

 C. Create a Security Policy rule with a vulnerability Security Profile attached.

 D. Enable the "Block sessions with untrusted issuers" setting.


Question #147
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard
against resource exhaustion.

When platform utilization is considered, which steps must the administrator take to
configure and apply packet buffer protection?

 A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet
Buffer Protection per ingress zone.

 B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer
protection.

 C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet
Buffer Protection per ingress zone.

 D. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet
Buffer Protection per egress zone.
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone
Buffer Protection per zone.
Question #148
What is the purpose of the firewall decryption broker?

 A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection
tools.

 B. force decryption of previously unknown cipher suites

 C. reduce SSL traffic to a weaker cipher before sending it to a security chain of
inspection tools.

 D. inspect traffic within IPsec tunnels

Question #149
SAML SLO is supported for which two firewall features? (Choose two.)

 A. GlobalProtect Portal

 B. CaptivePortal

 C. WebUI

 D. CLI
Question #150
What are the two behavior differences between Highlight Unused Rules and the Rule Usage
Hit counter when a firewall is rebooted? (Choose two.)

 A. Rule Usage Hit counter will not be reset.

 B. Highlight Unused Rules will highlight all rules.

 C. Highlight Unused Rules will highlight zero rules.

 D. Rule Usage Hit counter will reset.

Question #151
Which is not a valid reason for receiving a decrypt-cert-validation error?

 A. Unsupported HSM

 B. Unknown certificate status

 C. Client authentication

 D. Untrusted issuer

Question #152
In the following image from Panorama, why are some values shown in red?

 A. sg2 session count is the lowest compared to the other managed devices.

 B. us3 has a logging rate that deviates from the administrator-configured thresholds.

 C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
D. sg2 has misconfigured session thresholds.
Question #153
The firewall is not downloading IP addresses from MineMeld. Based on the image, what
most likely is wrong?

 A. A Certificate Profile that contains the client certificate needs to be selected.

 B. The source address supports only files hosted with an ftp://<address/file>.

 C. External Dynamic Lists do not support SSL connections.

 D. A Certificate Profile that contains the CA certificate needs to be selected.


Question #154
Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose
three.)

 A. video streaming application

 B. Client Application Process

 C. Destination Domain

 D. Source Domain

 E. Destination user/group

 F. URL Category
Question #155
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

 A. Successful GlobalProtect Deployed Activity

 B. GlobalProtect Deployment Activity

 C. Successful GlobalProtect Connection Activity

 D. GlobalProtect Quarantine Activity


Question #156
Which two features can be used to tag a username so that it is included in a dynamic user
group? (Choose two.)

 A. log forwarding auto-tagging

 B. XML API

 C. GlobalProtect agent

 D. User-ID Windows-based agent


Question #157
SD-WAN is designed to support which two network topology types? (Choose two.)

 A. point-to-point

 B. hub-and-spoke

 C. full-mesh

 D. ring
Question #158
Which option describes the operation of the automatic commit recovery feature?

 A. It enables a firewall to revert to the previous configuration if rule shadowing is
detected.

 B. It enables a firewall to revert to the previous configuration if application
dependency errors are found.

 C. It enables a firewall to revert to the previous configuration if a commit causes HA
partner connectivity failure.

 D. It enables a firewall to revert to the previous configuration if a commit causes
Panorama connectivity failure.
Question #159
Which three items are important considerations during SD-WAN configuration planning?
(Choose three.)

 A. branch and hub locations

 B. link requirements

 C. the name of the ISP

 D. IP Addresses
Question #160
Starting with PAN-OS version 9.1, application dependency information is now reported in
which two locations? (Choose two.)

 A. on the App Dependency tab in the Commit Status window

 B. on the Policy Optimizer's Rule Usage page

 C. on the Application tab in the Security Policy Rule creation window

 D. on the Objects > Applications browser pages

Question #161
Which two events trigger the operation of automatic commit recovery? (Choose two.)

 A. when an aggregate Ethernet interface component fails

 B. when Panorama pushes a configuration

 C. when a firewall performs a local commit

 D. when a firewall HA pair fails over

Question #162
Panorama provides which two SD-WAN functions? (Choose two.)

 A. network monitoring

 B. control plane

 C. data plane

 D. physical network links

Question #163
Updates to dynamic user group membership are automatic; therefore, using dynamic user
groups instead of static group objects allows you to:

 A. respond to changes in user behaviour or potential threats using manual policy
changes

 B. respond to changes in user behaviour or potential threats without manual policy
changes

 C. respond to changes in user behaviour or potential threats without automatic
policy changes

 D. respond to changes in user behaviour and confirmed threats with manual policy
changes

Question #164
How can an administrator configure the firewall to automatically quarantine a device using
GlobalProtect?

 A. by adding the device's Host ID to a quarantine list and configure GlobalProtect to
prevent users from connecting to the GlobalProtect gateway from a quarantined
device

 B. by exporting the list of quarantined devices to a pdf or csv file by selecting
PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate
XSOAR playbook

 C. by using security policies, log forwarding profiles, and log settings

 D. there is no native auto-quarantine feature so a custom script would need to be
leveraged
Question #165
To protect your firewall and network from single source denial of service (DoS) attacks that
can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

 A. PBP (Protocol Based Protection)

 B. BGP (Border Gateway Protocol)

 C. PGP (Packet Gateway Protocol)

 D. PBP (Packet Buffer Protection)


Question #166
A bootstrap USB flash drive has been prepared using a Windows workstation to load the
initial configuration of a firewall that was previously being used in a lab. The USB flash drive
was formatted using file system FAT32 and the initial configuration is stored in a file named
init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The
contents of init-cfg.txt in the USB flash drive are as follows:
The USB flash drive has been inserted in the firewall's USB port, and the firewall has been
restarted using command: > request restart system
Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused
because:

 A. The bootstrap.xml file is a required file, but it is missing

 B. Firewall must be in factory default state or have all private data deleted for
bootstrapping

 C. The hostname is a required parameter, but it is missing in init-cfg.txt

 D. The USB must be formatted using the ext3 file system. FAT32 is not supported
Question #167
An Administrator is configuring Authentication Enforcement and they would like to create
an exemption rule to exempt a specific group from authentication. Which authentication
enforcement object should they select?

 A. default-no-captive-portal

 B. default-authentication-bypass

 C. default-browser-challenge

 D. default-web-form
Question #168
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial
configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file
system ntfs and the initial configuration is stored in a file named init-cfg.txt.
The contents of init-cfg.txt in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewall's USB port, and the firewall has been
powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is
caused because:

 A. the bootstrap.xml file is a required file, but it is missing

 B. init-cfg.txt is an incorrect filename, the correct filename should be init-cfg.xml

 C. The USB must be formatted using the ext4 file system

 D. There must be commas between the parameter names and their values instead of
the equal symbols

 E. The USB drive has been formatted with an unsupported file system
Question #169
To more easily reuse templates and template stacks, you can create template variables in
place of firewall-specific and appliance-specific IP literals in your configurations.
Which one is the correct configuration?

 A. &Panorama

 B. @Panorama

 C. $Panorama

 D. #Panorama
Question #170
On the NGFW, how can you generate and block a private key from export and thus harden
your security posture and prevent rogue administrators or other bad actors from misusing
keys?

 A. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2.
Import the certificate 3. Select Import Private key 4. Click Generate to generate the
new certificate

 B. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the


certificate 4. Select Block Private Key Export

 C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2.
Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate
the new certificate

 D. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the
certificate 4. Select Block Private Key Export
Question #171
What is the maximum number of samples that can be submitted to WildFire manually per
day?

 A. 1,000

 B. 2,000

 C. 5,000

 D. 15,000
Question #172
What file type upload is supported as part of the basic WildFire service?

 A. ELF

 B. BAT

 C. PE

 D. VBS
Question #173
An administrator accidentally closed the commit window/screen before the commit was
finished.
Which two options could the administrator use to verify the progress or success of that
commit task? (Choose two.)

 A. Task Manager

 B. System Logs

 C. Traffic Logs

 D. Configuration Logs
Question #174
Before an administrator of a VM-500 can enable DoS and zone protection, what actions
need to be taken?

 A. Create a zone protection profile with flood protection configured to defend an
entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.

 B. Add a WildFire subscription to activate DoS and zone protection features.

 C. Replace the hardware firewall, because DoS and zone protection are not available
with VM-Series systems.

 D. Measure and monitor the CPU consumption of the firewall data plane to ensure
that each firewall is properly sized to support DoS and zone protection.
Question #175
An organization has recently migrated its infrastructure and configuration to NGFWs, for
which Panorama manages the devices. The organization is coming from an L2-L4 firewall
vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can help this organization?

 A. Test Policy Match

 B. Application Groups

 C. Policy Optimizer

 D. Config Audit

Question #176
DRAG DROP -
Please match the terms to their corresponding definitions.

Question #177
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series
firewalls into their AWS tenant.

Which two statements are correct regarding the bootstrap package contents? (Choose two.)

 A. The bootstrap package is stored on an AFS share or a discrete container file
bucket.

 B. The bootstrap.xml file allows for automated deployment of VM-Series firewalls
with full network and policy configurations.

 C. The /config, /content and /software folders are mandatory while the /license and
/plugin folders are optional.

 D. The init-cfg.txt and bootstrap.xml files are both optional configuration items for
the /config folder.

 E. The directory structure must include a /config, /content, /software and /license
folders.
Question #178
Which Panorama objects restrict administrative access to specific device-groups?

 A. admin roles

 B. authentication profiles

 C. templates

 D. access domains
Question #179
An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?

 A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.

 B. Use an enterprise CA-signed certificate for the Forward Untrust certificate.

 C. Use the same Forward Trust certificate on all firewalls in the network.

 D. Obtain a certificate from a publicly trusted root CA for the Forward Trust
certificate.
Question #180
An administrator receives the following error message:
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id
192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
How should the administrator identify the root cause of this error message?

 A. Verify that the IP addresses can be pinged and that routing issues are not causing
the connection failure.

 B. Check whether the VPN peer on one end is set up correctly using policy-based
VPN.

 C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is
accurate.

 D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both
VPN peers or disabled on both VPN peers.
Question #181
The following objects and policies are defined in a device group hierarchy.

Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group

NYC-DC has NYC-FW as a member of the NYC-DC device-group
What objects and policies will the Dallas-FW receive if "Share Unused Address and Service
Objects" is enabled in Panorama?

 A. Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

 B. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1

 C. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1

 D. Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1
Question #182
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?

 A. To comply with data privacy regulations, WildFire signatures and verdicts are not
shared globally.

 B. Palo Alto Networks owns and maintains one global cloud and four WildFire
regional clouds.

 C. Each WildFire cloud analyzes samples and generates malware signatures and
verdicts independently of the other WildFire clouds.

 D. The WildFire Global Cloud only provides bare metal analysis.


Question #183
A firewall is configured with SSL Forward Proxy decryption and has the following four
enterprise certificate authorities (CAs):

i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also
installed in the trusted store of the end-user browser and system.)

ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-Intermediate-CA

iv. Enterprise-Root-CA, which is verified only as Trusted Root CA

An end-user visits https://www.example-website.com/ with a server certificate Common
Name (CN): www.example-website.com.

The firewall does the SSL Forward Proxy decryption for the website and the server
certificate is not trusted by the firewall.
The end-user's browser will show that the certificate for www.example-website.com was
issued by which of the following?

 A. Enterprise-Trusted-CA which is a self-signed CA

 B. Enterprise-Root-CA which is a self-signed CA

 C. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA

 D. Enterprise-Untrusted-CA which is a self-signed CA


Question #184
What are three reasons for excluding a site from SSL decryption? (Choose three.)

 A. the website is not present in English

 B. unsupported ciphers

 C. certificate pinning

 D. unsupported browser version

 E. mutual authentication
Question #185
DRAG DROP -
Match each SD-WAN configuration element to the description of that element.

Question #186
When overriding a template configuration locally on a firewall, what should you consider?

 A. Panorama will update the template with the overridden value.


 B. The firewall template will show that it is out of sync within Panorama.

 C. Only Panorama can revert the override.

 D. Panorama will lose visibility into the overridden configuration.


Question #187
When setting up a security profile, which three items can you use? (Choose three.)

 A. WildFire analysis

 B. anti-ransomware

 C. antivirus

 D. URL filtering

 E. decryption profile
Question #188
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are
currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA
session (and prevents network outage)?

 A. Upgrade directly to the target major version.

 B. Upgrade the HA pair to a base image.

 C. Upgrade one major version at a time.

 D. Upgrade two major versions at a time.


Question #189
What are three types of Decryption Policy rules? (Choose three.)

 A. SSL Inbound Inspection

 B. SSH Proxy

 C. SSL Forward Proxy

 D. Decryption Broker

 E. Decryption Mirror

Question #190
During SSL decryption, which three factors affect resource consumption? (Choose three.)

 A. key exchange algorithm


 B. transaction size

 C. TLS protocol version

 D. applications at non-standard ports

 E. certificate issuer

Question #191
An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule
is decrypted?

 A. A Decryption profile must be attached to the Decryption policy that the traffic
matches.

 B. There must be a certificate with both the Forward Trust option and Forward
Untrust option selected.

 C. A Decryption profile must be attached to the Security policy that the traffic
matches.

 D. There must be a certificate with only the Forward Trust option selected.

Question #192
Which two features require another license on the NGFW? (Choose two.)

 A. SSL Inbound Inspection

 B. SSL Forward Proxy

 C. Decryption Mirror

 D. Decryption Broker
Question #193
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The
administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the
organization?

 A. WildFire and Threat Prevention combine to minimize the attack surface.

 B. After 24 hours, WildFire signatures are included in the antivirus update.


 C. Protection against unknown malware can be provided in near real-time.

 D. WildFire and Threat Prevention combine to provide the utmost security posture
for the firewall.
Question #194
What are two characteristic types that can be defined for a variable? (Choose two.)

 A. zone

 B. FQDN

 C. IP netmask

 D. path group
Question #195
A remote administrator needs access to the firewall on an untrust interface. Which three
options would you configure on an Interface Management profile to secure management
access? (Choose three.)

 A. Permitted IP Addresses

 B. SSH

 C. https

 D. User-ID

 E. HTTP
Question #196
An administrator needs to troubleshoot a User-ID deployment. The administrator believes
that there is an issue related to LDAP authentication.

The administrator wants to create a packet capture on the management plane.

Which CLI command should the administrator use to obtain the packet capture for
validating the configuration?

 A. > scp export mgmt-pcap from mgmt.pcap to (username@host:path)

 B. > scp export pcap-mgmt from pcap.mgmt to (username@host:path)

 C. > ftp export mgmt-pcap from mgmt.pcap to <FTP host>

 D. > scp export pcap from pcap to (username@host:path)


Question #197
When you configure an active/active high availability pair, which two links can you use?
(Choose two.)

 A. HA3

 B. Console Backup

 C. HSCI-C

 D. HA2 backup
Question #198
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL
decryption? (Choose two.)

 A. the web server requires mutual authentication

 B. the website matches a category that is not allowed for most users

 C. the website matches a high-risk category

 D. the website matches a sensitive category


Question #199
PBF can address which two scenarios? (Choose two.)

 A. routing FTP to a backup ISP link to save bandwidth on the primary ISP link

 B. providing application connectivity if the primary circuit fails

 C. enabling the firewall to bypass Layer 7 inspection

 D. forwarding all traffic by using source port 78249 to a specific egress interface
Question #200
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on
the neighbour is correct, but the route is not in the neighbour's routing table.
Which two configurations should you check on the firewall? (Choose two.)

 A. Ensure that the OSPF neighbour state is "2-Way"

 B. In the OSPF configuration, ensure that the correct redistribution profile is selected
in the OSPF Export Rules section.

 C. Within the redistribution profile ensure that Redist is selected.

 D. In the redistribution profile check that the source type is set to "ospf."
Question #201
Which value in the Application column indicates UDP traffic that did not match an App-ID
signature?

 A. unknown-udp

 B. unknown-ip

 C. incomplete

 D. not-applicable
Question #202
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

 A. App-ID

 B. Custom URL Category

 C. User-ID

 D. Destination Zone

 E. Source Interface
Question #203
An administrator needs to gather information about the CPU utilization on both the
management plane and the data plane.
Where does the administrator view the desired data?

 A. Resources Widget on the Dashboard

 B. Monitor > Utilization

 C. Support > Resources

 D. Application Command and Control Center


Question #204
Which CLI command displays the physical media that are connected to ethernet1/8?

 A. > show system state filter-pretty sys.s1.p8.stats

 B. > show system state filter-pretty sys.s1.p8.med

 C. > show interface ethernet1/8

 D. > show system state filter-pretty sys.s1.p8.phy


Question #205
A variable name must start with which symbol?

 A. $

 B. !

 C. #

 D. &
Question #206
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing?
(Choose two.)

 A. self-signed CA certificate

 B. server certificate

 C. wildcard server certificate

 D. client certificate

 E. enterprise CA certificate

Question #207
Given the following configuration, which route is used for destination 10.10.0.4?

set network virtual-router 2 routing-table ip static-route "Route 1" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 1" metric 30
set network virtual-router 2 routing-table ip static-route "Route 1" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 1" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 2" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 2" metric 20
set network virtual-router 2 routing-table ip static-route "Route 2" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 2" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 3" nexthop ip-address 10.10.20.1
set network virtual-router 2 routing-table ip static-route "Route 3" metric 5
set network virtual-router 2 routing-table ip static-route "Route 3" destination 0.0.0.0/0
set network virtual-router 2 routing-table ip static-route "Route 3" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 4" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 4" metric 10
set network virtual-router 2 routing-table ip static-route "Route 4" destination 10.10.1.0/25
set network virtual-router 2 routing-table ip static-route "Route 4" route-table unicast

 A. Route 1

 B. Route 3

 C. Route 2

 D. Route 4
Question #208
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the
world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises
infrastructure. The administrator wants to scale the configuration out quickly and wants all
of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)

 A. virtual systems

 B. template stacks

 C. variables

 D. collector groups
Question #209
As a best practice, which URL category should you target first for SSL decryption?

 A. Health and Medicine

 B. High Risk

 C. Online Storage and Backup

 D. Financial Services

Question #210
Which three statements accurately describe Decryption Mirror? (Choose three.)

 A. Decryption, storage, inspection, and use of SSL traffic are regulated in certain
countries.

 B. You should consult with your corporate counsel before activating and using
Decryption Mirror in a production environment.

 C. Decryption Mirror requires a tap interface on the firewall.

 D. Only management consent is required to use the Decryption Mirror feature.

 E. Use of Decryption Mirror might enable malicious users with administrative access to the
firewall to harvest sensitive information that is submitted via an encrypted channel.
Question #211
Which User-ID mapping method should be used in a high-security environment where all IP
address-to-user mappings should always be explicitly known?

 A. LDAP Server Profile configuration

 B. GlobalProtect

 C. Windows-based User-ID agent

 D. PAN-OS integrated User-ID agent


Question #212
DRAG DROP -
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and
Panorama configuration. Place the steps in order.

Question #213
DRAG DROP -
Place the steps in the WildFire process workflow in their correct order.

Question #214
In a Panorama template, which three types of objects are configurable? (Choose three.)

 A. certificate profiles

 B. HIP objects

 C. QoS profiles

 D. security profiles

 E. interface management profiles


Question #215
An internal system is not functioning. The firewall administrator has determined that the
incorrect egress interface is being used.

After looking at the configuration, the administrator believes that the firewall is not using a
static route.
What are two reasons why the firewall might not use a static route? (Choose two.)

 A. duplicate static route

 B. no install on the route


 C. disabling of the static route

 D. path monitoring on the static route


Question #216
A customer is replacing its legacy remote-access VPN solution. Prisma Access has been
selected as the replacement.

During onboarding, the following options and licenses were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared

The customer wants to forward to a Splunk SIEM the logs that are generated by users that
are connected to Prisma Access for Mobile Users.

Which two settings must the customer configure? (Choose two.)

 A. Configure Panorama Collector group device log forwarding to send logs to the
Splunk syslog server.

 B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.

 C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake
checkbox. Apply the Log Forwarding profile to all of the security policy rules in
Mobile_User_Device_Group.

 D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk
syslog server. Apply the Log Forwarding profile to all of the security policy rules in the
Mobile_User_Device_Group.
Question #217
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which
type of certificate should the administrator use?

 A. machine certificate

 B. server certificate

 C. certificate authority (CA) certificate

 D. client certificate
Question #218
In a security-first network, what is the recommended threshold value for content updates to
be dynamically updated?

 A. 1 to 4 hours

 B. 6 to 12 hours

 C. 24 hours

 D. 36 hours
Question #219
A network security engineer has applied a File Blocking profile to a rule with the action of
Block. The user of a Linux CLI operating system has opened a ticket.

The ticket states that the user is being blocked by the firewall when trying to download a
TAR file.

The user is getting no error response on the system.


Where is the best place to validate if the firewall is blocking the user's TAR file?

 A. Threat log

 B. Data Filtering log

 C. WildFire Submissions log

 D. URL Filtering log


Question #220
In a firewall, which three decryption methods are valid? (Choose three.)

 A. SSL Outbound Proxyless Inspection

 B. SSL Inbound Inspection

 C. SSH Proxy

 D. SSL Inbound Proxy

 E. Decryption Mirror
Question #221
DRAG DROP -
Match each type of DoS attack to an example of that type of attack.

Question #222
Using multiple templates in a stack to manage many firewalls provides which two
advantages? (Choose two.)

 A. inherit address-objects from templates

 B. define a common standard template configuration for firewalls

 C. standardize server profiles and authentication configuration across all stacks

 D. standardize log-forwarding profiles for security policies across all stacks


Question #223
The SSL Forward Proxy decryption policy is configured. The following four certificate
authority (CA) certificates are installed on the firewall.
An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com.
Which certificate authority (CA) certificate will be used to sign the untrusted webserver
certificate?

 A. Forward-Untrust-Certificate

 B. Forward-Trust-Certificate

 C. Firewall-CA

 D. Firewall-Trusted-Root-CA
Question #224
A company needs to preconfigure firewalls to be sent to remote sites with the least amount
of preconfiguration. Once deployed, each firewall must establish secure tunnels back to
multiple regional data centers to include the future regional data centers.
Which VPN preconfigured configuration would adapt to changes when deployed to the
future site?

 A. GlobalProtect client

 B. PPTP tunnels

 C. IPsec tunnels using IKEv2

 D. GlobalProtect satellite
Question #225
When an in-band data port is set up to provide access to required services, what is required
for an interface that is assigned to service routes?

 A. You must set the interface to Layer 2, Layer 3, or virtual wire.

 B. The interface must be used for traffic to the required services.


 C. You must use a static IP address.

 D. You must enable DoS and zone protection.

Question #226
What does SSL decryption require to establish a firewall as a trusted third party and to
establish trust between a client and server to secure SSL/TLS connection?

 A. link state

 B. profiles

 C. stateful firewall connection

 D. certificates

Question #227
When you configure a Layer 3 interface, what is one mandatory step?

 A. Configure virtual routers to route the traffic for each Layer 3 interface.

 B. Configure Interface Management profiles, which need to be attached to each
Layer 3 interface.

 C. Configure Security profiles, which need to be attached to each Layer 3 interface.

 D. Configure service routes to route the traffic for each Layer 3 interface.

Question #228
Which statement accurately describes service routes and virtual systems?

 A. Virtual systems can only use one interface for all global service and service routes
of the firewall.

 B. Virtual systems that do not have specific service routes configured inherit the
global service and service route settings for the firewall.

 C. Virtual systems cannot have dedicated service routes configured; and virtual
systems always use the global service and service route settings for the firewall.

 D. The interface must be used for traffic to the required external services.

Question #229
An administrator is considering upgrading the Palo Alto Networks NGFW and central
management Panorama version.
What is considered best practice for this scenario?

 A. Perform the Panorama and firewall upgrades simultaneously.

 B. Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama
version.

 C. Upgrade Panorama to a version at or above the target firewall version.

 D. Export the device state, perform the update, and then import the device state.
Question #230
An administrator has 750 firewalls. The administrator's central-management Panorama
instance deploys dynamic updates to the firewalls. The administrator notices that the
dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls,
but the configuration does not appear, what is the root cause?

 A. Panorama does not have valid licenses to push the dynamic updates.

 B. Panorama has no connection to Palo Alto Networks update servers.

 C. Locally-defined dynamic update settings take precedence over the settings that
Panorama pushed.

 D. No service route is configured on the firewalls to Palo Alto Networks update
servers.
Question #231
An enterprise Information Security team has deployed policies based on AD groups to
restrict user access to critical infrastructure systems.

However, a recent phishing campaign against the organization has prompted Information
Security to look for more controls that can secure access to critical assets.

For users that need to access these systems, Information Security wants to use PAN-OS
multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?

 A. Use a Credential Phishing agent to detect, prevent, and mitigate credential
phishing campaigns.

 B. Create an authentication profile and assign another authentication factor to be
used by a Captive Portal authentication policy.

 C. Configure a Captive Portal authentication policy that uses an authentication
sequence.

 D. Configure a Captive Portal authentication policy that uses an authentication
profile that references a RADIUS profile.
Question #232
An administrator wants to enable zone protection.
Before doing so, what must the administrator consider?

 A. Activate a zone protection subscription.

 B. Security policy rules do not prevent lateral movement of traffic between zones.

 C. The zone protection profile will apply to all interfaces within that zone.

 D. To increase bandwidth, no more than one firewall interface should be connected
to a zone.
Question #233
When you import the configuration of an HA pair into Panorama, how do you prevent the
import from affecting ongoing traffic?

 A. Disable HA.

 B. Disable the HA2 link.

 C. Set the passive link state to "shutdown."

 D. Disable config sync.


Question #234
Before you upgrade a Palo Alto Networks NGFW, what must you do?

 A. Make sure that the PAN-OS support contract is valid for at least another year.

 B. Export a device state of the firewall.

 C. Make sure that the firewall is running a supported version of the app + threat
update.

 D. Make sure that the firewall is running a version of antivirus software and a version
of WildFire that support the licensed subscriptions.
Question #235
The UDP-4501 protocol-port is used between which two GlobalProtect components?

 A. GlobalProtect app and GlobalProtect satellite

 B. GlobalProtect app and GlobalProtect portal


 C. GlobalProtect app and GlobalProtect gateway

 D. GlobalProtect portal and GlobalProtect gateway


Question #236
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and
Prisma Access for mobile users, which is managed by Panorama.

The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user
mapping information.

However, Information Security wants to use this information in Prisma Access for policy
enforcement based on group mapping.

Information Security uses on-premises Active Directory (AD) but is uncertain about what is
needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?

 A. Configure Prisma Access to learn group mapping via SAML assertion.

 B. Set up group mapping redistribution between an onsite Palo Alto Networks
firewall and Prisma Access.

 C. Assign a master device in Panorama through which Prisma Access learns groups.

 D. Create a group mapping configuration that references an LDAP profile that points
to on-premises domain controllers.
Question #237
What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?

 A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.

 B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.

 C. Traffic matches implied policy rules and is redistributed round robin across SD-
WAN links.

 D. Traffic is forwarded to the first physical interface participating in SD-WAN based
on lowest interface number (i.e., Eth1/1 over Eth1/3).
Question #238
A remote administrator needs firewall access on an untrusted interface. Which two
components are required on the firewall to configure certificate-based administrator
authentication to the web UI? (Choose two.)

 A. certificate authority (CA) certificate


 B. server certificate

 C. client certificate

 D. certificate profile
Question #239
An administrator with 84 firewalls and Panorama does not see any WildFire logs in
Panorama. All 84 firewalls have an active WildFire subscription. On each firewall, WildFire
logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to
Panorama is missing?

 A. WildFire logs

 B. System logs

 C. Threat logs

 D. Traffic logs
Question #240
A company wants to use their Active Directory groups to simplify their Security policy
creation from Panorama.
Which configuration is necessary to retrieve groups from Panorama?

 A. Configure an LDAP Server profile and enable the User-ID service on the
management interface.

 B. Configure a group mapping profile to retrieve the groups in the target template.

 C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID
agents.

 D. Configure a master device within the device groups.


Question #241
How can packet buffer protection be configured?

 A. at zone level to protect firewall resources and ingress zones, but not at the device
level

 B. at the interface level to protect firewall resources

 C. at the device level (globally) to protect firewall resources and ingress zones, but
not at the zone level

 D. at the device level (globally) and, if enabled globally, at the zone level
Question #242
An existing NGFW customer requires direct internet access offload locally at each site, and
IPSec connectivity to all branches over public internet.

One requirement is that no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

 A. Configure a remote network on PAN-OS

 B. Upgrade to a PAN-OS SD-WAN subscription

 C. Configure policy-based forwarding

 D. Deploy Prisma SD-WAN with Prisma Access


Question #243
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical
business application uptime requirements. What is the correct setting?

 A. Change the HA timer profile to "user-defined" and manually set the timers.

 B. Change the HA timer profile to "fast".

 C. Change the HA timer profile to "aggressive" or customize the settings in advanced
profile.

 D. Change the HA timer profile to "quick" and customize in advanced profile.
Question #244
What is the function of a service route?

 A. The service packets exit the firewall on the port assigned for the external service.
The server sends its response to the configured source interface and source IP address.

 B. The service packets enter the firewall on the port assigned from the external
service. The server sends its response to the configured destination interface and
destination IP address.

 C. The service route is the method required to use the firewall's management plane
to provide services to applications.

 D. Service routes provide access to external services, such as DNS servers, external
authentication servers or Palo Alto Networks services like the Customer Support Portal.
Question #245
DRAG DROP -
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct
order.

Question #246
Which of the following commands would you use to check the total number of the sessions
that are currently going through SSL Decryption processing?

 A. show session all filter ssl-decryption yes total-count yes

 B. show session all ssl-decrypt yes count yes

 C. show session all filter ssl-decrypt yes count yes

 D. show session filter ssl-decryption yes total-count yes


Question #247
Refer to the image. An administrator is tasked with correcting an NTP service configuration
for firewalls that cannot use the Global template NTP servers.

The administrator needs to change the IP address to a preferable server for this template
stack but cannot impact other template stacks. How can the issue be corrected?

 A. Override the value on the NYCFW template.

 B. Override a template value using a template stack variable.

 C. Override the value on the Global template.

 D. Enable "objects defined in ancestors will take higher precedence" under
Panorama settings.
Question #248
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command
would you use to check the details of the end entity certificate that is signed by the Forward
Trust Certificate or Forward Untrust Certificate?

 A. show system setting ssl-decrypt certs

 B. show system setting ssl-decrypt certificate

 C. debug dataplane show ssl-decrypt ssl-stats

 D. show system setting ssl-decrypt certificate-cache


Question #249
Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during
the onboarding process?

 A. removing the Panorama serial number from the ZTP service

 B. performing a factory reset of the firewall


 C. performing a local firewall commit

 D. removing the firewall as a managed device in Panorama

Question #250
In URL filtering, which component matches URL patterns?

 A. live URL feeds on the management plane

 B. security processing on the data plane

 C. single-pass pattern matching on the data plane

 D. signature matching on the data plane


Question #251
In a template, you can configure which two objects? (Choose two.)

 A. Monitor profile

 B. application group

 C. SD-WAN path quality profile

 D. IPsec tunnel
Question #252
An organization's administrator has the funds available to purchase more firewalls to
increase the organization's security posture. The partner SE recommends placing the
firewalls as close as possible to the resources that they protect.

Is the SE's advice correct, and why or why not?

 A. No. Firewalls provide new defense and resilience to prevent attackers at every
stage of the cyberattack lifecycle, independent of placement.

 B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.

 C. No. Placing firewalls in front of perimeter DDoS devices provides greater
protection for sensitive devices inside the network.

 D. Yes. Zone Protection profiles can be tailored to the resources that they protect via
the configuration of specific device types and operating systems.
Question #253
An administrator needs to validate that policies that will be deployed will match the
appropriate rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that
unwanted traffic is not allowed?
 A. Preview Changes

 B. Policy Optimizer

 C. Managed Devices Health

 D. Test Policy Match

Question #254
DRAG DROP -
Match each GlobalProtect component to the purpose of that component.

Question #255
What is a key step in implementing WildFire best practices?

 A. Configure the firewall to retrieve content updates every minute.

 B. Ensure that a Threat Prevention subscription is active.

 C. In a mission-critical network, increase the WildFire size limits to the maximum
value.

 D. In a security-first network, set the WildFire size limits to the minimum value.
Question #256
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations
(SAs)?

 A. Phase 2 SAs are synchronized over HA2 links.


 B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.

 C. Phase 1 SAs are synchronized over HA1 links.

 D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.


Question #257
A security engineer needs to mitigate packet floods that occur on a set of servers behind the
internet facing interface of the firewall.
Which Security Profile should be applied to a policy to prevent these packet floods?

 A. Vulnerability Protection profile

 B. DoS Protection profile

 C. Data Filtering profile

 D. URL Filtering profile


Question #258
What are three reasons why an installed session can be identified with the "application
incomplete" tag? (Choose three.)

 A. There was no application data after the TCP connection was established.

 B. The client sent a TCP segment with the PUSH flag set.

 C. The TCP connection was terminated without identifying any application data.

 D. There is not enough application data after the TCP connection was established.

 E. The TCP connection did not fully establish.


Question #259
Which three statements correctly describe Session 380280? (Choose three.)

 A. The application was initially identified as "ssl."

 B. The session has ended with the end-reason "unknown."

 C. The session did not go through SSL decryption processing.

 D. The application shifted to "web-browsing."

 E. The session went through SSL decryption processing.


Question #260
An administrator's device-group commit push is failing due to a new URL category.
How should the administrator correct this issue?

 A. update the Firewall Apps and Threat version to match the version of Panorama

 B. change the new category action to "alert" and push the configuration again
 C. ensure that the firewall can communicate with the URL cloud

 D. verify that the URL seed file has been downloaded and activated on the firewall
Question #261
A security engineer needs firewall management access on a trusted interface. Which three
settings are required on an SSL/TLS Service Profile to provide secure
web UI authentication? (Choose three.)

 A. Authentication Algorithm

 B. Encryption Algorithm

 C. Certificate

 D. Maximum TLS version

 E. Minimum TLS version


Question #262
Which type of interface does a firewall use to forward decrypted traffic to a security chain
for inspection?

 A. Layer 3

 B. Layer 2

 C. Tap

 D. Decryption Mirror
Question #263
Which configuration task is best for reducing load on the management plane?

 A. Enable session logging at start

 B. Disable logging on the default deny rule

 C. Set the URL filtering action to send alerts

 D. Disable pre-defined reports


Question #264
An engineer is in the planning stages of deploying User-ID in a diverse directory services
environment. Which server OS platforms can be used for server monitoring with User-ID?

 A. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange

 B. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory

 C. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory


 D. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
Question #265
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in
Panorama reports. The configuration problem seems to be on the firewall.
Which settings, if configured incorrectly, most likely would stop only Traffic logs from being
sent from the NGFW to Panorama?
A.

B.
C.

D.

Question #266
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries
about grayware in any of the logs of the corresponding firewall.

Which setting can the administrator configure on the firewall to log grayware verdicts?

 A. in Threat General Settings, select "Report Grayware Files"

 B. within the log settings option in the Device tab

 C. in WildFire General Settings, select "Report Grayware Files"


 D. within the log forwarding profile attached to the Security policy rule

Question #267
Your company has 10 Active Directory domain controllers spread across multiple WAN links.
All users authenticate to Active Directory. Each link has substantial network bandwidth to
support all mission-critical applications.

The firewall's management plane is highly utilized. Given this scenario, which type of User-
ID agent is considered a best practice by Palo Alto Networks?

 A. PAN-OS integrated agent

 B. Citrix terminal server agent with adequate data-plane resources

 C. Captive Portal

 D. Windows-based User-ID agent on a standalone server

Question #268
Which component enables you to configure firewall resource protection settings?

 A. DoS Protection Profile

 B. QoS Profile

 C. Zone Protection Profile

 D. DoS Protection policy

Question #269
How can an administrator use the Panorama device-deployment option to update the apps
and threat version of an HA pair of managed firewalls?

 A. Choose the download and install action for both members of the HA pair in the
Schedule object

 B. Switch context to the firewalls to start the download and install process

 C. Download the apps to the primary; no further action is required

 D. Configure the firewall's assigned template to download the content updates

Question #270
A Panorama administrator configures a new zone and uses the zone in a new Security policy.
After the administrator commits the configuration to Panorama, which device-group
commit push operation should the administrator use to ensure that the push is successful?

 A. merge with candidate config

 B. include device and network templates

 C. specify the template as a reference template

 D. force template values


Question #271
What would allow a network security administrator to authenticate and identify a user with
a new BYOD-type device that is not joined to the corporate domain?

 A. a Security policy with 'known-user' selected in the Source User field

 B. a Security policy with 'unknown' selected in the Source User field

 C. an Authentication policy with 'known-user' selected in the Source User field

 D. an Authentication policy with 'unknown' selected in the Source User field


Question #272
An administrator needs firewall access on a trusted interface.

Which two components are required to configure certificate-based, secure authentication
to the web UI? (Choose two.)

 A. server certificate

 B. SSL/TLS Service Profile

 C. certificate profile

 D. SSH Service Profile


Question #273
An administrator is building Security rules within a device group to block traffic to and from
malicious locations. How should those rules be configured to ensure that they are evaluated
with a high priority?

 A. Create the appropriate rules with a Block action and apply them at the top of the
local firewall Security rules

 B. Create the appropriate rules with a Block action and apply them at the top of the
Security Pre-Rules
 C. Create the appropriate rules with a Block action and apply them at the top of the
Security Post-Rules

 D. Create the appropriate rules with a Block action and apply them at the top of the
Default Rules
Question #274
When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL
decryption can be implemented using a phased approach in alignment with
Palo Alto Networks best practices. What should you recommend?

 A. Enable SSL decryption for known malicious source IP addresses

 B. Enable SSL decryption for malicious source users

 C. Enable SSL decryption for source users and known malicious URL categories

 D. Enable SSL decryption for known malicious destination IP addresses

Question #275
What are two valid deployment options for Decryption Broker? (Choose two.)

 A. Transparent Bridge Security Chain

 B. Transparent Mirror Security Chain

 C. Layer 2 Security Chain

 D. Layer 3 Security Chain


Question #276
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with
an external router using the BGP protocol. The peer relationship is not establishing.

What command could the engineer run to see the current BGP state between the two
devices?

 A. show routing protocol bgp rib-out

 B. show routing protocol bgp peer

 C. show routing protocol bgp summary

 D. show routing protocol bgp state


Question #277
What is the best description of the HA4 Keep-alive Threshold (ms)?
 A. the timeframe that the local firewall waits before going to Active state when
another cluster member is preventing the cluster from fully synchronizing

 B. the timeframe within which the firewall must receive keepalives from a cluster
member to know that the cluster member is functional

 C. the maximum interval between hello packets that are sent to verify that the HA
functionality on the other firewall is operational

 D. the time that a passive or active-secondary firewall will wait before taking over as
the active or active-primary firewall
Question #278
An engineer is tasked with enabling SSL decryption across the environment.

What are three valid parameters of an SSL Decryption policy? (Choose three.)

 A. GlobalProtect HIP

 B. source users

 C. App-ID

 D. URL categories

 E. source and destination IP addresses

Question #279
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-
session DoS attacks. Which sessions does Packet Buffer Protection apply to?

 A. It applies to existing sessions and is not global

 B. It applies to existing sessions and is global

 C. It applies to new sessions and is global

 D. It applies to new sessions and is not global


Question #280
What are two best practices for incorporating new and modified App-IDs? (Choose two.)

 A. Run the latest PAN-OS version in a supported release tree to have the best
performance for the new App-IDs

 B. Study the release notes and install new App-IDs if they are determined to have
low impact
 C. Configure a security policy rule to allow new App-IDs that might have network-
wide impact

 D. Perform a Best Practice Assessment to evaluate the impact of the new or
modified App-IDs
Question #281
The manager of the network security team has asked you to help configure the company's
Security Profiles according to Palo Alto Networks best practice. As part of that effort, the
manager has assigned you the Vulnerability Protection profile for the Internet gateway
firewall.

Which action and packet-capture setting for items of high severity and critical severity best
matches Palo Alto Networks best practice?

 A. action 'reset-server' and packet capture 'disable'

 B. action 'default' and packet capture 'single-packet'

 C. action 'reset-both' and packet capture 'extended-capture'

 D. action 'reset-both' and packet capture 'single-packet'


Question #282
An engineer needs to redistribute User-ID mappings from multiple data centers. Which data
flow best describes redistribution of user mappings?

 A. User-ID agent to firewall

 B. firewall to firewall

 C. Domain Controller to User-ID agent

 D. User-ID agent to Panorama

Question #283
An administrator is attempting to create policies for deployment of a device group and
template stack. When creating the policies, the zone drop-down list does not include the
required zone. What must the administrator do to correct this issue?

 A. Add a firewall to both the device group and the template

 B. Add the template as a reference template in the device group

 C. Enable "Share Unused Address and Service Objects with Devices" in Panorama
settings

 D. Specify the target device as the master device in the device group
Question #284
What best describes the HA Promotion Hold Time?

 A. the time that the passive firewall will wait before taking over as the active firewall
after communications with the HA peer have been lost

 B. the time that is recommended to avoid a failover when both firewalls experience
the same link/path monitor failure simultaneously

 C. the time that is recommended to avoid an HA failover due to the occasional
flapping of neighboring devices

 D. the time that a passive firewall with a low device priority will wait before taking
over as the active firewall if the firewall is operational again
Question #285
What is considered the best practice with regards to zone protection?

 A. Use separate log-forwarding profiles to forward DoS and zone threshold event
logs separately from other threat logs

 B. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse

 C. Set the Alarm Rate threshold for event-log messages to high severity or critical
severity

 D. If the levels of zone and DoS protection consume too many firewall resources,
disable zone protection
Question #286
An administrator allocates bandwidth to a Prisma Access Remote Networks compute
location with three remote networks. What is the minimum amount of bandwidth the
administrator could configure at the compute location?

 A. 90Mbps

 B. 75Mbps

 C. 50Mbps

D. 300Mbps

Question #287
A user at an internal system queries the DNS server for their web server with a private IP of
10.250.241.131 in the DMZ. The DNS server returns the web server's public
address, 200.1.1.10. In order to reach the web server, which security rule and U-Turn NAT
rule must be configured on the firewall?

 A. NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: DMZ
Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security
Rule: Source IP: Any Destination Zone: DMZ Destination IP: 10.250.241.131

 B. NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: DMZ
Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security
Rule: Source Zone: Untrust-L3 Source IP: Any Destination Zone: DMZ Destination IP:
10.250.241.131

 C. NAT Rule: Source Zone: Untrust_L3 Source IP: Any Destination Zone: Untrust_L3
Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security
Rule: Source Zone: Untrust-L3 Source IP: Any Destination Zone: DMZ Destination IP:
10.250.241.131

 D. NAT Rule: Source Zone: Trust_L3 Source IP: Any Destination Zone: Untrust_L3
Destination IP: 200.1.1.10 Destination Translation address: 10.250.241.131 Security
Rule: Source Zone: Trust-L3 Source IP: Any Destination Zone: DMZ Destination IP:
200.1.1.10
Question #288
An engineer must configure the Decryption Broker feature. Which Decryption Broker
security chain supports bi-directional traffic flow?

 A. Layer 2 security chain

 B. Layer 3 security chain

 C. Transparent Bridge security chain

 D. Transparent Proxy security chain


Question #289
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices
to the latest PAN-OS software, the administrator enables log forwarding from the firewalls
to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to
Panorama?

 A. Use the import option to pull logs.

 B. Use the scp logdb export command.

 C. Export the log database.

 D. Use the ACC to consolidate the logs.


Question #290
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto
Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from
the network in a way that is minimally invasive?

 A. Layer 2

 B. Virtual Wire

 C. Tap

 D. Layer 3
Question #291
A network-security engineer attempted to configure a bootstrap package on Microsoft
Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap
package, the engineer only had the following directories: /config, /license and /software.
Why did the bootstrap process fail for the VM-Series firewall in
Azure?

 A. All public cloud deployments require the /plugins folder to support proper firewall
native integrations
 B. The VM-Series firewall was not pre-registered in Panorama and prevented the
bootstrap process from successfully completing

 C. The /config or /software folders were missing mandatory files to successfully
bootstrap

 D. The /content folder is missing from the bootstrap package
Question #292
Which GlobalProtect component must be configured to enable Clientless VPN?

 A. GlobalProtect satellite

 B. GlobalProtect app

 C. GlobalProtect portal

 D. GlobalProtect gateway
Question #293
Which statement regarding HA timer settings is true?

 A. Use the Moderate profile for typical failover timer settings

 B. Use the Critical profile for faster failover timer settings

 C. Use the Aggressive profile for slower failover timer settings

 D. Use the Recommended profile for typical failover timer settings


Question #294
You need to allow users to access the office-suite applications of their choice. How should
you configure the firewall to allow access to any office-suite application?

 A. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre
Office

 B. Create an Application Group and add business-systems to it

 C. Create an Application Filter and name it Office Programs, then filter it on the
office-programs subcategory

 D. Create an Application Filter and name it Office Programs, then filter it on the
business-systems category
Question #295
Which statement is correct given the following message from the PanGPA.log on the
GlobalProtect app?
Failed to connect to server at port:4767
 A. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port
4767

 B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

 C. The PanGPS process failed to connect to the PanGPA process on port 4767

 D. The PanGPA process failed to connect to the PanGPS process on port 4767

Question #296
A customer is replacing their legacy remote access VPN solution. The current solution is in
place to secure only Internet egress for the connected clients. Prisma
Access has been selected to replace the current remote access VPN solution. During
onboarding the following options and licenses were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
How can you configure Prisma Access to provide the same level of access as the current VPN
solution?

 A. Configure mobile users with trust-to-untrust Security policy rules to allow the
desired traffic outbound to the Internet

 B. Configure remote networks with a service connection and trust-to-untrust
Security policy rules to allow the desired traffic outbound to the Internet

 C. Configure remote networks with trust-to-trust Security policy rules to allow the
desired traffic outbound to the Internet

 D. Configure mobile users with a service connection and trust-to-trust Security policy
rules to allow the desired traffic outbound to the Internet

Question #297
An administrator analyzes the following portion of a VPN system log and notices the
following issue:
`Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id
10.1.10.4/24 type IPv4 address protocol 0 port 0.`
What is the cause of the issue?
 A. bad local and peer identification IP addresses in the IKE gateway

 B. IPSec crypto profile mismatch

 C. mismatched Proxy-IDs

 D. IPSec protocol mismatch


Question #298
A network security engineer must implement Quality of Service policies to ensure specific
levels of delivery guarantees for various applications in the environment.
They want to ensure that they know as much as they can about QoS before deploying.
Which statement about the QoS feature is correct?

 A. QoS can be used in conjunction with SSL decryption

 B. QoS is only supported on hardware firewalls

 C. QoS is only supported on firewalls that have a single virtual system configured

 D. QoS can be used on firewalls with multiple virtual systems configured


Question #299
What type of address object would be useful for internal devices where the addressing
structure assigns meaning to certain bits in the address, as illustrated in the diagram?

 A. IP Netmask

 B. IP Range

 C. IP Address

 D. IP Wildcard Mask
Question #300
Given the following snippet of a WildFire submission log, did the end-user get access to the
requested information and why or why not?

 A. No, because WildFire classified the severity as "high"

 B. Yes, because the action is set to "allow"

 C. No, because WildFire categorized a file with the verdict "malicious"

 D. Yes, because the action is set to "alert"


Question #301
Which statement is true regarding a Best Practice Assessment?

 A. It runs only on firewalls

 B. It provides a set of questionnaires that help uncover security risk prevention gaps
across all areas of network and security architecture

 C. It shows how your current configuration compares to Palo Alto Networks
recommendations

 D. When guided by an authorized sales engineer, it helps determine the areas of
greatest risk where you should focus prevention activities
Question #302
What are three important considerations during SD-WAN configuration planning? (Choose
three.)

 A. link requirements

 B. IP Addresses

 C. connection throughput

 D. dynamic routing

 E. branch and hub locations


Question #303
A standalone firewall with local objects and policies needs to be migrated into Panorama.
What procedure should you use so Panorama is fully managing the firewall?

 A. Use the "import device configuration to Panorama" operation, then "export or
push device config bundle" to push the configuration

 B. Use the "import Panorama configuration snapshot" operation, then perform a
device-group commit push with "include device and network templates"

 C. Use the "import Panorama configuration snapshot" operation, then "export or
push device config bundle" to push the configuration

 D. Use the "import device configuration to Panorama" operation, then perform a
device-group commit push with "include device and network templates"
Question #304
When you navigate to Network > GlobalProtect > Portals > Agent > (config) > App and look
in the Connect Method section, which three options are available? (Choose three.)

 A. user-logon (always on)

 B. certificate-logon

 C. pre-logon then on-demand

 D. on-demand (manual user initiated connection)

 E. post-logon (always on)


Question #305
An administrator has configured PAN-OS SD-WAN and has received a request to find out the
reason for a session failover for a session that has already ended.

Where would you find this in Panorama or firewall logs?

 A. System Logs

 B. Session Browser

 C. You cannot find failover details on closed sessions

 D. Traffic Logs

Question #306
Where is information about packet buffer protection logged?
 A. All entries are in the System log

 B. All entries are in the Alarms log

 C. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions,
and blocked IP address are in the Threat log

 D. Alert entries are in the System log. Entries for dropped traffic, discarded sessions,
and blocked IP addresses are in the Threat log
Question #307
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the
website https://www.important-website.com certificate. End-users are receiving the
"security certificate is not trusted" warning. Without SSL decryption, the web browser
shows that the website certificate is trusted and signed by a well-known certificate chain:
Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two
behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/
website
2. End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?

 A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate
and commit the configuration

 B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on
all end-user systems in the user and local computer stores

 C. Navigate to Device > Certificate Management > Certificates > Device Certificates,
import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root
CA check box, and commit the configuration

 D. Navigate to Device > Certificate Management > Certificates > Default Trusted
Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA,
select the Trusted Root CA check box, and commit the configuration
Question #308
An administrator needs to evaluate a recent policy change that was committed and pushed
to a firewall device group. How should the administrator identify the configuration changes?

 A. review the configuration logs on the Monitor tab

 B. use Test Policy Match to review the policies in Panorama

 C. context-switch to the affected firewall and use the configuration audit tool
 D. click Preview Changes under Push Scope
Question #309
The administrator for a small company has recently enabled decryption on their Palo Alto
Networks firewall using a self-signed root certificate. They have also created a Forward Trust
and Forward Untrust certificate and set them as such.
The admin has not yet installed the root certificate onto client systems.
What effect would this have on decryption functionality?

 A. Decryption will not function because self-signed root certificates are not
supported

 B. Decryption will function, but users will see certificate warnings for each SSL site
they visit

 C. Decryption will not function until the certificate is installed on client systems

 D. Decryption will function, and there will be no effect to end users


Question #310
A network administrator plans a Prisma Access deployment with three service connections,
each with a BGP peering to a CPE. The administrator needs to minimize the BGP
configuration and management overhead on on-prem network devices.
What should the administrator implement?

 A. hot potato routing

 B. summarized BGP routes before advertising

 C. default routing

 D. target service connection for traffic steering


Question #311
During the process of developing a decryption strategy and evaluating which websites are
required for corporate users to access, several sites have been identified that cannot be
decrypted due to technical reasons. In this case, the technical reason is unsupported
ciphers. Traffic to these sites will therefore be blocked if decrypted.
How should the engineer proceed?

 A. Create a Security policy to allow access to those sites

 B. Install the unsupported cipher into the firewall to allow the sites to be decrypted

 C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
 D. Allow the firewall to block the sites to improve the security posture
Question #312
A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent
performance?

 A. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that
are less processor-intensive

 B. Use Decryption profiles to drop traffic that uses processor-intensive ciphers

 C. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use
less processor-intensive decryption methods for lower-risk traffic

 D. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use
less processor-intensive decryption methods for lower-risk traffic
Question #313
With the default TCP and UDP settings on the firewall, what will be the identified application
in the following session?

 A. unknown-udp

 B. not-applicable

 C. insufficient-data
 D. incomplete
Question #314
A remote administrator needs firewall access on an untrusted interface. Which two
components are required on the firewall to configure certificate-based administrator
authentication to the web UI? (Choose two.)

 A. client certificate

 B. certificate profile

 C. certificate authority (CA) certificate

 D. server certificate
Question #315
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator
would turn on the feature inside which type of SD-WAN profile?

 A. Traffic Distribution profile

 B. Path Quality profile

 C. Certificate profile

 D. SD-WAN interface profile


Question #316
DRAG DROP -
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses
multiple routing protocols, and the engineer is trying to determine routing priority.
Match the default Administrative Distances for each routing protocol.
Select and Place:

Question #317
Which feature of Panorama allows an administrator to create a single network configuration
that can be reused repeatedly for large-scale deployments even if values of configured
objects, such as routes and interface addresses, change?

 A. template variables

 B. the 'Shared' device group

 C. template stacks

 D. a device group
Question #318
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the
internet gateway and wants to be sure of the functions that are supported on the vwire
interface.
What are three supported functions on the VWire interface? (Choose three.)

 A. IPSec

 B. OSPF

 C. SSL Decryption

 D. QoS

 E. NAT
Question #319
A firewall has been assigned to a new template stack that contains both "Global" and
"Local" templates in Panorama, and a successful commit and push has been performed.
While validating the configuration on the local firewall, the engineer discovers that some
settings are not being applied as intended.
The setting values from the "Global" template are applied to the firewall instead of the
"Local" template that has different values for the same settings.
What should be done to ensure that the settings in the "Local" template are applied while
maintaining settings from both templates?

 A. Move the "Local" template above the "Global" template in the template stack.

 B. Perform a commit and push with the "Force Template Values" option selected.

 C. Override the values on the local firewall and apply the correct settings for each
value.

 D. Move the "Global" template above the "Local" template in the template stack.
Question #320
A network administrator wants to deploy SSL Inbound Inspection. What two attributes
should the required certificate have? (Choose two.)

 A. a client certificate

 B. a private key

 C. a server certificate

 D. a subject alternative name


Question #321
When using certificate authentication for firewall administration, which method is used for
authorization?

 A. LDAP

 B. Radius

 C. Local

 D. Kerberos
Question #322
Which three use cases are valid reasons for requiring an Active/Active high availability
deployment? (Choose three.)

 A. The environment requires real full-time redundancy from both firewalls at all
times.

 B. The environment requires that traffic be load-balanced across both firewalls to
handle peak traffic spikes.

 C. The environment requires Layer 2 interfaces in the deployment.

 D. The environment requires that all configuration must be fully synchronized
between both members of the HA pair.

 E. The environment requires that both firewalls maintain their own routing tables for
faster dynamic routing protocol convergence.
Question #323
An organization wishes to roll out decryption but gets some resistance from engineering
leadership regarding the guest network.
What is a common obstacle for decrypting traffic from guest devices?

 A. Guest devices may not trust the CA certificate used for the forward trust
certificate

 B. Guests may use operating systems that can't be decrypted

 C. The organization has no legal authority to decrypt their traffic

 D. Guest devices may not trust the CA certificate used for the forward untrust
certificate
Question #324
An administrator needs to build Security rules in a Device Group that allow traffic to specific
users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from
Panorama?

 A. The Security rules must be targeted to a firewall in the device group and have
Group Mapping configured.

 B. User-ID Redistribution must be configured on Panorama to ensure that all
firewalls have the same mappings.

 C. A master device with Group Mapping configured must be set in the device group
where the Security rules are configured.
 D. A User-ID Certificate profile must be configured on Panorama.
Question #325
Which feature of PAN-OS SD-WAN allows you to configure a bandwidth-intensive
application to go directly to the internet through the branch's ISP link instead of going back
to the data-center hub through the VPN tunnel, thus saving WAN bandwidth costs?

 A. SD-WAN Full Mesh with branches only

 B. SD-WAN direct internet access (DIA) links

 C. SD-WAN Interface profile

 D. VPN Cluster
Question #326
What can you use with GlobalProtect to assign user-specific client certificates to each
GlobalProtect user?

 A. CSP Responder

 B. Certificate profile

 C. SCEP

 D. SSL/TLS Service profile


Question #327
A user at an external system with the IP address 65.124.57.5 queries the DNS server at
4.2.2.2 for the IP address of the web server, www.xyz.com. The DNS server returns an
address of 172.16.15.1.
In order to reach the web server, which Security rule and NAT rule must be configured on
the firewall?
 A. NAT Rule: Untrust-L3 (any) - Untrust-L3 (172.16.15.1) Destination Translation:
192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application:
Web-browsing

 B. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation:
192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (192.168.15.47) - Application:
Web-browsing

 C. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation:
192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application:
Web-browsing

 D. NAT Rule: Untrust-L3 (any) - Untrust-L3 (any) Destination Translation:
192.168.15.1 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application:
Web-browsing
Question #328
A network administrator is trying to prevent domain username and password submissions
to phishing sites on some allowed URL categories.
Which set of steps does the administrator need to take in the URL Filtering profile to
prevent credential phishing on the firewall?

 A. Choose the URL categories in the User Credential Submission column and set
action to block Select the User credential Detection tab and select Use Domain
Credential Filter Commit

 B. Choose the URL categories in the User Credential Submission column and set
action to block Select the User credential Detection tab and select use IP User Mapping
Commit

 C. Choose the URL categories on Site Access column and set action to block Click the
User credential Detection tab and select IP User Mapping Commit

 D. Choose the URL categories in the User Credential Submission column and set
action to block Select the URL filtering settings and enable Domain Credential Filter
Commit
Question #329
WildFire will submit for analysis blocked files that match which profile settings?

 A. files matching Anti-Spyware signatures

 B. files matching Anti-Virus signatures

 C. files that are blocked by a File Blocking profile

 D. files that are blocked by URL filtering


Question #330
A firewall has Security policies from three sources:
1. locally created policies
2. shared device group policies as pre-rules
3. the firewall's device group as post-rules
How will the rule order populate once pushed to the firewall?

 A. shared device group policies, local policies, firewall device group policies

 B. firewall device group policies, local policies, shared device group policies

 C. local policies, firewall device group policies, shared device group policies

 D. shared device group policies, firewall device group policies, local policies
Question #331
Which function is handled by the management plane (control plane) of a Palo Alto Networks
firewall?

 A. logging

 B. signature matching for content inspection

 C. Quality of Service

 D. IPSec tunnel standup


Question #332
An administrator wants to enable WildFire inline machine learning.
Which three file types does WildFire inline ML analyze? (Choose three.)

 A. APK

 B. VBscripts

 C. Powershell scripts

 D. ELF

 E. MS Office
Question #333
An administrator needs to assign a specific DNS server to one firewall within a device group.
Where would the administrator go to edit a template variable at the device level?
 A. PDF Export under Panorama > templates

 B. Variable CSV export under Panorama > templates

 C. Managed Devices > Device Association

 D. Manage variables under Panorama > templates


Question #334
What is a feature of the PA-440 hardware platform?

 A. It supports Zero Touch Provisioning to assist in automated deployments.

 B. It supports 10GbE SFP+ modules.

 C. It has twelve 1GbE Copper ports.

 D. It has dedicated interfaces for high availability.


Question #335
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy
between the firewall and switch.
Which statement is correct about the configuration of the interfaces assigned to an
aggregated interface group?

 A. They can have different hardware media such as the ability to mix fiber optic and
copper.

 B. They can have a different interface type such as Layer 3 or Layer 2.

 C. They can have a different interface type from an aggregate interface group.

 D. They can have a different bandwidth.


Question #336
A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to
use features like App-ID and SSL decryption.
Which order of steps is best to complete this migration?

 A. First migrate SSH rules to App-ID; then implement SSL decryption.

 B. Configure SSL decryption without migrating port-based security rules to App-ID
rules.

 C. First implement SSL decryption; then migrate port-based rules to App-ID rules.
 D. First migrate port-based rules to App-ID rules; then implement SSL decryption.
Question #337
A security engineer received multiple reports of an IPSec VPN tunnel going down the night
before. The engineer couldn't find any events related to VPN under system logs.
What is the likely cause?

 A. Tunnel Inspection settings are misconfigured.

 B. The log quota for GTP and Tunnel needs to be adjusted.

 C. The Tunnel Monitor is not configured.

 D. Dead Peer Detection is not enabled.


Question #338
A firewall administrator notices that many Host Sweep scan attacks are being allowed
through the firewall sourced from the outside zone.
What should the firewall administrator do to mitigate this type of attack?

 A. Create a Zone Protection profile, enable reconnaissance protection, set action to
Block, and apply it to the outside zone.

 B. Create a DOS Protection profile with SYN Flood protection enabled and apply it to
all rules allowing traffic from the outside zone.

 C. Enable packet buffer protection in the outside zone.

 D. Create a Security rule to deny all ICMP traffic from the outside zone.
Question #339
The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an
active/passive HA pair. The HA Passive Link State is set to "Auto" under
Device > High Availability > General > Active/Passive Settings. The AE interface is configured
with LACP enabled and is up only on the active firewall.
Why is the AE interface showing down on the passive firewall?

 A. It does not participate in LACP negotiation unless Fast Failover is selected under
the Enable LACP selection on the LACP tab of the AE Interface.

 B. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is
selected under the High Availability Options on the LACP tab of the AE Interface.

 C. It performs pre-negotiation of LACP when the mode Passive is selected under the
Enable LACP selection on the LACP tab of the AE Interface.
 D. It participates in LACP negotiation when Fast is selected for Transmission Rate
under the Enable LACP selection on the LACP tab of the AE Interface.
Question #340
A company requires that a specific set of ciphers be used when remotely managing their
Palo Alto Networks appliances.
Which profile should be configured in order to achieve this?

 A. Certificate profile

 B. SSL/TLS Service profile

 C. SSH Service profile

 D. Decryption profile
Question #341
An engineer needs to permit XML API access to a firewall for automation on a network
segment that is routed through a Layer 3 subinterface on a Palo Alto
Networks firewall. However, this network segment cannot access the dedicated
management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer
fulfill this request?

 A. Specify the subinterface as a management interface in Setup > Device >
Interfaces.

 B. Add the network segment's IP range to the Permitted IP Addresses list.

 C. Enable HTTPS in an Interface Management profile on the subinterface.

 D. Configure a service route for HTTP to use the subinterface.


Question #342
A client wants to detect the use of weak and manufacturer-default passwords for IoT
devices.
Which option will help the customer?

 A. Configure a Data Filtering profile with alert mode.

 B. Configure an Antivirus profile with alert mode.

 C. Configure an Anti-Spyware profile with alert mode.

 D. Configure a Vulnerability Protection profile with alert mode.


Question #343
When using SSH keys for CLI authentication for firewall administration, which method is
used for authorization?

 A. Radius

 B. Kerberos

 C. LDAP

 D. Local
Question #344
An engineer needs to see how many existing SSL decryption sessions are traversing a
firewall.
What command should be used?

 A. debug sessions | match proxy

 B. debug dataplane pool statistics | match proxy

 C. show dataplane pool statistics | match proxy

 D. show sessions all


Question #345
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks
firewall to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently?
(Choose two.)

 A. #set deviceconfig setting session tcp-reject-non-syn no

 B. Navigate to Network > Zone Protection Click Add Select Packet Based Attack
Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path"
to Global

 C. Navigate to Network > Zone Protection Click Add Select Packet Based Attack
Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to
Bypass

 D. > set session tcp-reject-non-syn no


Question #346
A company is using wireless controllers to authenticate users.
Which source should be used for User-ID mappings?

 A. server monitoring

 B. XFF headers

 C. Syslog

 D. client probing
Question #347
A network security administrator has an environment with multiple forms of authentication.
There is a network access control system in place that authenticates and restricts access for
wireless users, multiple Windows domain controllers, and an MDM solution for company-
provided smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum
coverage?

 A. agentless User-ID with redistribution

 B. Syslog listener

 C. captive portal

 D. standalone User-ID agent


Question #348
You have upgraded your Panorama and Log Collectors to 10.2.x.
Before upgrading your firewalls using Panorama, what do you need to do?

 A. Commit and Push the configurations to the firewalls.

 B. Refresh your licenses with Palo Alto Network Support -
Panorama/Licenses/Retrieve License Keys from License Server.

 C. Refresh the Master Key in Panorama/Master Key and Diagnostic.

 D. Re-associate the firewalls in Panorama/Managed Devices/Summary.


Question #349
Which steps should an engineer take to forward system logs to email?

 A. Create a new email profile under Device > server profiles; then navigate to Device
> Log Settings > System and add the email profile under email.
 B. Enable log forwarding under the email profile in the Objects tab.

 C. Create a new email profile under Device > server profiles; then navigate to Objects
> Log Forwarding profile > set log type to system and then add the email profile.

 D. Enable log forwarding under the email profile in the Device tab.
Question #350
An administrator discovers that a file blocked by the WildFire inline ML feature on the
firewall is a false-positive action.
How can the administrator create an exception for this particular file?

 A. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.

 B. Disable the WildFire profile on the related Security policy.

 C. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.

 D. Add partial hash and filename in the file section of the WildFire inline ML tab of
the Antivirus profile.
Question #351
What can be used to create dynamic address groups?

 A. tags

 B. FQDN addresses

 C. dynamic address

 D. region objects
Question #352
A firewall administrator wants to avoid overflowing the company syslog server with traffic
logs.
What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?

 A. Disable logging on security rules allowing DNS.

 B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then,
under traffic logs match list, create a new filter with application not equal to DNS.

 C. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then,
under traffic logs match list, create a new filter with application equal to DNS.

 D. Create a security rule to deny DNS traffic with the syslog server in the destination.
Question #353
An administrator has configured a pair of firewalls using high availability in Active/Passive
mode.
Path Monitoring has been enabled with a Failure Condition of "any."
A path group is configured with Failure Condition of "all" and contains a destination IP of
8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.
Which scenario will cause the Active firewall to fail over?

 A. IP address 8.8.8.8 is unreachable for 1 second.

 B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds.

 C. IP address 4.2.2.2 is unreachable for 2 seconds.

 D. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.


Question #354
A firewall administrator has been tasked with ensuring that all Panorama configuration is
committed and pushed to the devices at the end of the day at a certain time.
How can they achieve this?

 A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push
to Devices.

 B. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to
Devices.

 C. Use the Scheduled Config Push to schedule Push to Devices and separately
schedule an API call to commit all Panorama changes.

 D. Use the Scheduled Config Export to schedule Push to Devices and separately
schedule an API call to commit all Panorama changes.
Question #355
Which configuration is backed up using the Scheduled Config Export feature in Panorama?

 A. Panorama running configuration and running configuration of all managed devices

 B. Panorama candidate configuration

 C. Panorama candidate configuration and candidate configuration of all managed
devices.

 D. Panorama running configuration


Question #356
While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the
Application column.
What best explains these occurrences?

 A. A handshake did take place, but the application could not be identified.

 B. A handshake took place, but no data packets were sent prior to the timeout.

 C. A handshake did not take place, and the application could not be identified.

 D. A handshake took place; however, there were not enough packets to identify the
application.
Question #357
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors.
When upgrading Log Collectors to 10.2, you must do what?

 A. Upgrade the Log Collectors one at a time.

 B. Add Panorama Administrators to each Managed Collector.

 C. Upgrade all the Log Collectors at the same time.

 D. Add a Global Authentication Profile to each Managed Collector.


Question #358
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls
forward traffic logs to Panorama.
In which section is this configured?

 A. Templates > Device > Log Settings

 B. Device Groups > Objects > Log Forwarding

 C. Monitor > Logs > Traffic

 D. Panorama > Managed Devices


Question #359
An engineer is pushing configuration from Panorama to a managed firewall.
What happens when the pushed Panorama configuration has Address Object names that
duplicate the Address Objects already configured on the firewall?

 A. The firewall ignores only the pushed objects that have the same name as the
locally configured objects, and it will commit the rest of the pushed configuration.
 B. The firewall rejects the pushed configuration, and the commit fails.

 C. The firewall fully commits all of the pushed configuration and overwrites its locally
configured objects.

 D. The firewall renames the duplicate local objects with "-1" at the end signifying
they are clones; it will update the references to the objects accordingly and fully
commit the pushed configuration.
Question #360
Which Panorama feature protects logs against data loss if a Panorama server fails?

 A. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a
server fails inside the Collector Group.

 B. Panorama Collector Group automatically ensures that no logs are lost if a server
fails inside the Collector Group.

 C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails
inside the HA Cluster.

 D. Panorama HA automatically ensures that no logs are lost if a server fails inside the
HA Cluster.
Question #361
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch
between peers.
Where can the administrator find the corresponding logs after running a test command to
initiate the VPN?

 A. Traffic logs

 B. System logs

 C. Tunnel Inspection logs

 D. Configuration logs
Question #362
An administrator is required to create an application-based Security policy rule to allow
Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only
Evernote?

 A. Create an Application Override using TCP ports 443 and 80.


 B. Add the HTTP, SSL, and Evernote applications to the same Security policy.

 C. Add the Evernote application to the Security policy rule, then add a second
Security policy rule containing both HTTP and SSL.

 D. Add only the Evernote application to the Security policy rule.


Question #363
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex
Data Lake?

 A. Legacy

 B. Management Only

 C. Log Collector

 D. Panorama
Question #364
A network administrator configured a site-to-site VPN tunnel where the peer device will act
as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?

 A. Use the Dynamic IP address type.

 B. Enable Passive Mode.

 C. Set up certificate authentication.

 D. Configure the peer address as an FQDN.


Question #365
An administrator is seeing one of the firewalls in a HA active/passive pair moved to
"suspended" state due to Non-functional loop.
Which three actions will help the administrator resolve this issue? (Choose three.)

 A. Check the HA Link Monitoring interface cables.

 B. Check High Availability > Active/Passive Settings > Passive Link State

 C. Check the High Availability > Link and Path Monitoring settings.

 D. Check the High Availability > HA Communications > Packet Forwarding settings.

 E. Use the CLI command show high-availability flap-statistics


Question #366
Which CLI command is used to determine how much disk space is allocated to logs?

 A. debug log-receiver show

 B. show system info

 C. show system logdb-quota

 D. show logging-status
Question #367
An administrator has configured a pair of firewalls using high availability in Active/Passive
mode.
Link and Path Monitoring is enabled with the Failure Condition set to `any`.
There is one link group configured containing member interfaces ethernet1/1 and
ethernet1/2 with a Group Failure Condition set to `all`.
Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a
failure?

 A. Active

 B. Passive

 C. Active-Secondary

 D. Non-functional
Question #368
Your company occupies one floor in a single building. You have two Active Directory domain
controllers on a single network. The firewall's management-plane resources are lightly
utilized.
Given the size of this environment, which User-ID collection method is sufficient?

 A. Windows-based agent deployed on each domain controller

 B. PAN-OS integrated agent deployed on the firewall

 C. a syslog listener

 D. Citrix terminal server agent deployed on the network


Question #369
Which statement best describes the Automated Commit Recovery feature?
 A. It performs a connectivity check between the firewall and Panorama after every
configuration commit on the firewall. It reverts the configuration changes on the
firewall if the check fails.

 B. It restores the running configuration on a firewall if the last configuration commit
fails.

 C. It restores the running configuration on a firewall and Panorama if the last
configuration commit fails.

 D. It performs a connectivity check between the firewall and Panorama after every
configuration commit on the firewall. It reverts the configuration changes on the
firewall and on Panorama if the check fails.
Question #370
An engineer has been tasked with reviewing traffic logs to find applications the firewall is
unable to identify with App-ID.
Why would the application field display as incomplete?

 A. There is insufficient application data after the TCP connection was established.

 B. The TCP connection was terminated without identifying any application data.

 C. The TCP connection did not fully establish.

 D. The client sent a TCP segment with the PUSH flag set.
Question #371
Which Security profile generates a packet threat type found in threat logs?

 A. WildFire

 B. Zone Protection

 C. Anti-Spyware

 D. Antivirus
Question #372
What can an engineer use with GlobalProtect to assign user-specific client certificates to
each GlobalProtect user?

 A. SCEP

 B. SSL/TLS Service profile


 C. OCSP Responder

 D. Certificate profile
Question #373
An engineer was tasked to simplify configuration of multiple firewalls with a specific set of
configurations shared across all devices.
Which two advantages would be gained by using multiple templates in a stack? (Choose
two.)

 A. standardizes log-forwarding profiles for security policies across all stacks

 B. defines a common standard template configuration for firewalls

 C. inherits address-objects from the templates

 D. standardizes server profiles and authentication configuration across all stacks


Question #374
A network engineer is troubleshooting a VPN and wants to verify whether the
decapsulation/encapsulation counters are increasing.
Which CLI command should the engineer run?

 A. Show running tunnel flow lookup

 B. Show vpn flow name <tunnel name>

 C. Show vpn ipsec-sa tunnel <tunnel name>

 D. Show vpn tunnel name | match encap


Question #375
How would an administrator configure a Bidirectional Forwarding Detection profile for BGP
after enabling the Advanced Routing Engine on PAN-OS 10.2?

 A. create a BFD profile under Network > Routing > Routing Profiles > BFD and then
select the BFD profile under Network > Virtual Router > BGP > General > Global BFD
Profile

 B. create a BFD profile under Network > Routing > Routing Profiles > BFD and then
select the BFD profile under Network > Routing > Logical Routers > BGP > General >
Global BFD Profile

 C. create a BFD profile under Network > Network Profiles > BFD Profile and then
select the BFD profile under Network > Virtual Router > BGP > BFD
 D. create a BFD profile under Network > Network Profiles > BFD Profile and then
select the BFD profile under Network > Routing > Logical Routers > BGP > BFD
Question #376
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?

 A. PBF > Static route > Security policy enforcement

 B. BGP < PBF > NAT

 C. PBF > Zone Protection Profiles > Packet Buffer Protection

 D. NAT > Security policy enforcement > OSPF


Question #377
While investigating a SYN flood attack, the firewall administrator discovers that legitimate
traffic is also being dropped by the DoS profile.
If the DoS profile action is set to Random Early Drop, what should the administrator do to
limit the drop to only the attacking sessions?

 A. Enable resources protection under the DoS Protection profile.

 B. Change the SYN flood action from Random Early Drop to SYN cookies.

 C. Increase the activate rate for the SYN flood protection.

 D. Change the DoS Protection profile type from aggregate to classified.


Question #378
A firewall administrator wants to have visibility on one segment of the company network.
The traffic on the segment is routed on the Backbone switch. The administrator is planning
to apply Security rules on segment X after getting the visibility.
There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are
enough system resources to get extra traffic on the firewall. The administrator needs to
complete this operation with minimum service interruptions and without making any IP
changes.
What is the best option for the administrator to take?

 A. Configure the TAP interface for segment X on the firewall

 B. Configure a Layer 3 interface for segment X on the firewall.

 C. Configure vwire interfaces for segment X on the firewall.


 D. Configure a new vsys for segment X on the firewall.
Question #379
A company is deploying User-ID in their network. The firewall team needs to have the ability
to see and choose from a list of usernames and user groups directly inside the Panorama
policies when creating new security rules.
How can this be achieved?

 A. by configuring User-ID group mapping in Panorama > User Identification

 B. by configuring Master Device in Panorama > Device Groups

 C. by configuring User-ID source device in Panorama > Managed Devices

 D. by configuring Data Redistribution Client in Panorama > Data Redistribution


Question #380
After some firewall configuration changes, an administrator discovers that application
identification has started failing. The administrator investigates further and notices that a
high number of sessions were going to a discard state with the application showing as
unknown-tcp.
Which possible firewall change could have caused this issue?

 A. enabling Forward segments that exceed the TCP App-ID inspection queue in
Device > Setup > Content-ID > Content-ID Settings

 B. enabling Forward segments that exceed the TCP content inspection queue in
Device > Setup > Content-ID > Content-ID Settings

 C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size
and the number of available packet buffers.

 D. Jumbo frames were disabled on the firewall, which reduced the queue sizes
dedicated for out-of-order and application identification.
Question #381
Which three actions can Panorama perform when deploying PAN-OS images to its managed
devices? (Choose three.)

 A. upload-only

 B. install and reboot

 C. upload and install


 D. upload and install and reboot

 E. verify and install


Question #382
A firewall administrator is investigating high packet buffer utilization in the company
firewall. After looking at the threat logs and seeing many flood attacks coming from a single
source that are dropped by the firewall, the administrator decides to enable packet buffer
protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a
high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?

 A. Apply a DoS profile to the Security rules that allow traffic from outside.

 B. Enable packet buffer protection for the affected zones.

 C. Add the default Vulnerability Protection profile to all security rules that allow
traffic from outside.

 D. Add a Zone Protection profile to the affected zones


Question #383
A firewall administrator is investigating high packet buffer utilization in the company
firewall. After looking at the threat logs and seeing many flood attacks coming from a single
source that are dropped by the firewall, the administrator decides to enable packet buffer
protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a
high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?

 A. Apply a DoS profile to the Security rules that allow traffic from outside.

 B. Enable packet buffer protection for the affected zones.

 C. Add the default Vulnerability Protection profile to all security rules that allow
traffic from outside.

 D. Add a Zone Protection profile to the affected zones.


Question #384
What is a correct statement regarding administrative authentication using external services
with a local authorization method?

 A. The administrative accounts you define on an external authentication server serve
as references to the accounts defined locally on the firewall.

 B. Prior to PAN-OS 10.2, an administrator used the firewall to manage role
assignments, but access domains have not been supported by this method.

 C. Starting with PAN-OS 10.2, an administrator needs to configure Cloud Identity
Engine to use external authentication services for administrative authentication.

 D. The administrative accounts you define locally on the firewall serve as references
to the accounts defined on an external authentication server.
Question #385
A network administrator notices there is a false-positive situation after enabling Security
profiles. When the administrator checks the threat prevention logs, the related signature
displays: threat type: spyware, category: dns-c2, threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this
signature?

 A. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select
the signature exceptions tab and then click show all signatures; Search related threat ID
and click enable; Change the default action; Commit

 B. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select
the Exceptions tab and then click show all signatures; Search related threat ID and click
enable; Commit

 C. Navigate to Objects > Security Profiles > Vulnerability Protection; Select related
profile; Select the Exceptions tab and then click show all signatures; Search related
threat ID and click enable; Commit

 D. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select
DNS exceptions tabs; Search related threat ID and click enable; Commit
Question #386
In the screenshot above, which two pieces of information can be determined from the ACC
configuration shown? (Choose two.)

 A. Insecure-credentials, brute-force, and protocol-anomaly are all a part of the
vulnerability Threat Type.

 B. The Network Activity tab will display all applications, including FTP.

 C. Threats with a severity of "high" are always listed at the top of the Threat Name
list.

 D. The ACC has been filtered to only show the FTP application.
Question #387

Given the screenshot, how did the firewall handle the traffic?

 A. Traffic was allowed by policy but denied by profile as encrypted.

 B. Traffic was allowed by policy but denied by profile as a threat.

 C. Traffic was allowed by profile but denied by policy as a threat.

 D. Traffic was allowed by policy but denied by profile as a nonstandard port.


Question #388
Your company wants greater visibility into their traffic and has asked you to start planning
an SSL Decryption project. The company does not have a PKI infrastructure, and multiple
certificates would be needed for this project. Which type of certificate can you use to
generate other certificates?

 A. self-signed root CA

 B. external CA certificate

 C. server certificate

 D. device certificate
Question #389

Refer to the screenshots. Without the ability to use Context Switch, where do admin
accounts need to be configured in order to provide admin access to Panorama and to the
managed devices?

 A. The Panorama section overrides the Device section. The accounts need to be
configured only in the Panorama section.

 B. The sections are independent. The accounts need to be configured in both the
Device and Panorama sections.

 C. The Device section overrides Panorama section. The accounts need to be
configured only in the Device section.

 D. Configuration in the sections is merged together. The accounts need to be
configured in either section.
Question #390
A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted
in their DMZ to prevent the hosted service from being exploited.
Which combination of features can allow PAN-OS to detect exploit traffic in a session with
TLS encapsulation?

 A. a WildFire profile and a File Blocking profile

 B. a Vulnerability Protection profile and a Decryption policy

 C. a Vulnerability Protection profile and a QoS policy

 D. a Decryption policy and a Data Filtering profile


Question #391
An engineer was tasked to simplify configuration of multiple firewalls with a specific set of
configurations shared across all devices.
Which two advantages would be gained by using multiple templates in a stack? (Choose
two.)

 A. inherits address-objects from the templates

 B. standardizes server profiles and authentication configuration across all stacks

 C. standardizes log-forwarding profiles for security policies across all stacks

 D. defines a common standard template configuration for firewalls


Question #392
Which protocol is supported by GlobalProtect Clientless VPN?

 A. FTP

 B. HTTPS

 C. SSH

 D. RDP
Question #393
During the implementation of SSL Forward Proxy decryption, an administrator imports the
company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The
company’s Root and Intermediate CA certificates are also distributed to trusted devices
using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate
certificates requiring an Enterprise CA chain of trust are signed by the company’s
Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward
Untrust certificates on the firewall for use with decryption?

 A. Generate two subordinate CA certificates, one for Forward Trust and one for
Forward Untrust.

 B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward
Untrust.

 C. Generate a single subordinate CA certificate for both Forward Trust and Forward
Untrust.

 D. Generate a single self-signed CA certificate for Forward Trust and another for
Forward Untrust.
Question #394
A firewall administrator needs to check which egress interface the firewall will use to route
the IP 10.2.5.3.

Which command should they use?

 A. test routing fib-lookup ip 10.2.5.0/24 virtual-router default

 B. test routing route ip 10.2.5.3

 C. test routing route ip 10.2.5.3 virtual-router default

 D. test routing fib-lookup ip 10.2.5.3 virtual-router default


Question #395
A client is concerned about web shell attacks against their servers.

Which profile will protect the individual servers?

 A. Anti-Spyware profile

 B. Zone Protection profile

 C. DoS Protection profile

 D. Antivirus profile
Question #396
Which firewall feature do you need to configure to query Palo Alto Networks service
updates over a data-plane interface instead of the management interface?

 A. service route

 B. data redistribution

 C. SNMP setup

 D. dynamic updates
Question #397
How is an address object of type IP range correctly defined?

 A. 192.168.40.1-192.168.40.255

 B. 192.168.40.1/24

 C. 192.168.40.1, 192.168.40.255

 D. 192.168.40.1-255


Question #398
An administrator wants to prevent users from unintentionally accessing malicious domains
where data can be exfiltrated through established connections to remote systems. From the
Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to
prevent such connections?

 A. Set the malware category to block

 B. Set the Command and Control category to block

 C. Set the phishing category to override

 D. Set the hacking category to continue


Question #399
In order to fulfill the corporate requirement to back up the configuration of Panorama and
the Panorama-managed firewalls securely, which protocol should you select when adding a
new scheduled config export?

 A. HTTPS

 B. FTP
 C. SMB v3

 D. SCP
Question #400
A network administrator created an intrazone Security policy rule on the firewall. The
source zones were set to IT, Finance, and HR. Which two types of traffic will the rule apply
to? (Choose two.)

 A. traffic between zone Finance and zone HR

 B. traffic between zone IT and zone Finance

 C. traffic within zone HR

 D. traffic within zone IT


Question #401
An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a
Palo Alto Networks firewall. However, the link does not seem to be coming up.

If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-
power, rx-power, vendor name, and part number via the CLI?

 A. show system state filter sw.dev.interface.config

 B. show chassis status slot s1

 C. show system state filter-pretty sys.s1.*

 D. show system state filter ethernet1/1


Question #402
An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool
with a decrypt mirror interface.

Which statement is true regarding the configuration of the Decryption Port Mirroring
feature?

 A. The engineer should install the Decryption Port Mirror license and reboot the
firewall.

 B. The PA-850 firewall does not support decrypt mirror interface, so the engineer
needs to upgrade the firewall to PA-3200 series.

 C. The engineer must assign an IP from the same subnet with the forensic tool to the
decrypt mirror interface.
 D. The engineer must assign the related virtual-router to the decrypt mirror
interface.
Question #403
Which statement is true regarding a heatmap in a BPA report?

 A. When guided by an authorized sales engineer, it helps determine the areas of the
greatest security risk.

 B. It runs only on firewalls.

 C. It provides a percentage of adoption for each assessment area.

 D. It provides a set of questionnaires that help uncover security risk prevention gaps
across all areas of network and security architecture.
Question #404
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for
management.

Which profile should be configured to ensure that management access via web browsers is
encrypted with a trusted certificate?

 A. A Certificate profile should be configured with a trusted root CA.

 B. An SSL/TLS Service profile should be configured with a certificate assigned.

 C. An Interface Management profile with HTTP and HTTPS enabled should be
configured.

 D. An Authentication profile with the allow list of users should be configured.


Question #405
In an existing deployment, an administrator with numerous firewalls and Panorama does
not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On
each firewall, WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to
Panorama is missing?

 A. System logs

 B. WildFire logs

 C. Threat logs
 D. Traffic logs
Question #406
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map
IP addresses to usernames.

The company uses four Microsoft Active Directory servers and two Microsoft Exchange
servers, which can provide logs for login events.

All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27.
The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft
Exchange servers reside in 192.168.28.48/28.

What information does the administrator need to provide in the User Identification >
Discovery section?

 A. the IP-address and corresponding server type (Microsoft Active Directory or
Microsoft Exchange) for each of the six servers

 B. network 192.168.28.32/28 with server type Microsoft Active Directory and
network 192.168.28.48/28 with server type Microsoft Exchange

 C. one IP address of a Microsoft Active Directory server and “Auto Discover” enabled
to automatically obtain all five of the other servers

 D. network 192.168.28.32/27 with server type Microsoft


Question #407
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server
is configured to respond only to the ssh requests coming from IP 172.16.15.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule
must be configured on the firewall?

 A. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Source Translation: Static IP / 172.16.15.1
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Trust
Destination IP: 172.16.15.10
Application: ssh

 B. NAT Rule:
Source Zone: Trust
Source IP: 192.168.15.0/24
Destination Zone: Trust
Destination IP: 192.168.15.1
Destination Translation: Static IP / 172.16.15.10
Security Rule:
Source Zone: Trust
Source IP: 192.168.15.0/24
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh

 C. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Trust
Destination IP: 192.168.15.1
Destination Translation: Static IP / 172.16.15.10
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh

 D. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Source Translation: dynamic-ip-and-port / ethernet1/4
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh
Question #408
What is the best definition of the Heartbeat Interval?

 A. the interval during which the firewall will remain active following a link monitor
failure

 B. the frequency at which the HA peers exchange ping

 C. the interval in milliseconds between hello packets

 D. the frequency at which the HA peers check link or path availability


Question #409
A QoS profile is configured as shown in the image. The following throughput is realized:

Class 3 traffic: 325Mbps
Class 5 traffic: 470Mbps
Class 7 traffic: 330Mbps

What happens as a result?

 A. Available bandwidth from the unused classes will be used to maintain the Egress
Guaranteed throughput for each.

 B. Class 7 traffic will have the most packets dropped in favor of Classes 3 and 5
maintaining their Egress Guaranteed throughput.
 C. All traffic continues to flow based on the overhead in each class’s Egress Max
settings.

 D. Classes 3, 5, and 7 will each have round-robin packet drops as needed against the
profile Egress Max.
Question #410
Which three options does Panorama offer for deploying dynamic updates to its managed
devices? (Choose three.)

 A. Check dependencies

 B. Schedules

 C. Verify

 D. Revert content

 E. Install
Question #411
A network security engineer configured IP multicast in the virtual router to support a new
application. Users in different network segments are reporting that they are unable to
access the application.

What must be enabled to allow an interface to forward multicast traffic?

 A. IGMP

 B. SSM

 C. BFD

 D. PIM
Question #412
Review the screenshots and consider the following information:

• FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG
• There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

 A. Server-1 on FW-1 will have IP 2.2.2.2
Server-1 will not be pushed to FW-2

 B. Server-1 on FW-1 will have IP 3.3.3.3
Server-1 will not be pushed to FW-2

 C. Server-1 on FW-1 will have IP 1.1.1.1
Server-1 will not be pushed to FW-2

 D. Server-1 on FW-1 will have IP 4.4.4.4
Server-1 on FW-2 will have IP 1.1.1.1
Question #413
Given the Sample Log Forwarding Profile shown, which two statements are true? (Choose
two.)

 A. All traffic from source network 192.168.100.0/24 is sent to an external syslog
target.

 B. All threats are logged to Panorama.

 C. All traffic logs from RFC 1918 subnets are logged to Panorama / Cortex Data Lake.

 D. All traffic from source network 172.12.0.0/24 is sent to Panorama / Cortex Data
Lake.
Question #414
Which benefit do policy rule UUIDs provide?

 A. Functionality for scheduling policy actions

 B. The use of user IP mapping and groups in policies

 C. An audit trail across a policy’s lifespan

 D. Cloning of policies between device-groups


Question #415
A system administrator runs a port scan using the company tool as part of a vulnerability
check. The administrator finds that the scan is identified as a threat and is dropped by the
firewall. After further investigating the logs, the administrator finds that the scan is dropped
in the Threat Logs.

What should the administrator do to allow the tool to scan through the firewall?

 A. Add the tool IP address to the reconnaissance protection source address exclusion
in the DoS Protection profile.

 B. Add the tool IP address to the reconnaissance protection source address exclusion
in the Zone Protection profile.

 C. Remove the Zone Protection profile from the zone setting.

 D. Change the TCP port scan action from Block to Alert in the Zone Protection profile.
Question #416
A customer wants to combine multiple Ethernet interfaces into a single virtual interface
using link aggregation.
What is the valid naming convention for aggregate interfaces?

 A. po1/250

 B. aggregate.1

 C. ae.1

 D. lag.100
Question #417
A company with already deployed Palo Alto firewalls has purchased their first Panorama
server. The security team has already configured all firewalls with the Panorama IP address
and added all the firewall serial numbers in Panorama.

What are the next steps to migrate configuration from the firewalls to Panorama?

 A. Export Named Configuration Snapshot on each firewall, followed by Import
Named Configuration Snapshot in Panorama.

 B. Use the Firewall Migration plugin to retrieve the configuration directly from the
managed devices.

 C. Import Device Configuration to Panorama, followed by Export or Push Device
Config Bundle.

 D. Use API calls to retrieve the configuration directly from the managed devices.
Question #418
Based on the screenshots above, and with no configuration inside the Template Stack itself,
what access will the device permit on its Management port?

 A. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses
defined as $permitted-subnet-1.

 B. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses
defined as $permitted-subnet-2.

 C. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses
defined as $permitted-subnet-1 and $permitted-subnet-2.

 D. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses
defined as $permitted-subnet-1 and $permitted-subnet-2.
Question #419
View the screenshots. A QoS profile and policy rules are configured as shown.

Based on this information, which two statements are correct? (Choose two.)

 A. SMTP has a higher priority but lower bandwidth than Zoom.

 B. Facetime has a higher priority but lower bandwidth than Zoom.

 C. google-video has a higher priority and more bandwidth than WebEx.

 D. DNS has a higher priority and more bandwidth than SSH.


Question #420
An engineer is attempting to resolve an issue with slow traffic.

Which PAN-OS feature can be used to prioritize certain network traffic?

 A. Prisma Access for Mobile Users

 B. Forward Error Correction (FEC)

 C. SaaS Quality Profile

 D. Quality of Service (QoS)


Question #421
An auditor is evaluating the configuration of Panorama and notices a discrepancy between
the Panorama template and the local firewall configuration.
When overriding the firewall configuration pushed from Panorama, what should you
consider?

 A. Only Panorama can revert the override.

 B. The modification will not be visible in Panorama.

 C. Panorama will update the template with the overridden value.

 D. The firewall template will show that it is out of sync within Panorama.
Question #422
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to
the GlobalProtect gateway?

 A. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

 B. It stops the tunnel-establishment processing to the GlobalProtect gateway
immediately.

 C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

 D. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.


Question #423
Review the images. A firewall policy that permits web traffic includes the global-logs policy
as depicted.

What is the result of traffic that matches the “Alert -Threats” Profile Match List?

 A. The source address of SMTP traffic that matches a threat is automatically blocked
as BadGuys for 180 minutes.

 B. The source address of traffic that matches a threat is automatically blocked as
BadGuys for 180 minutes.

 C. The source address of traffic that matches a threat is automatically tagged as
BadGuys for 180 minutes.

 D. The source address of SMTP traffic that matches a threat is automatically tagged
as BadGuys for 180 minutes.
Question #424
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the
CLI.

Which CLI command can the engineer use?

 A. test vpn flow

 B. test vpn tunnel

 C. test vpn gateway

 D. test vpn ike-sa


Question #425
What is the dependency for users to access services that require authentication?

 A. An authentication profile that includes those services

 B. An authentication sequence that includes those services

 C. Disabling the authentication timeout

 D. A Security policy allowing users to access those services


Question #426
An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

 A. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys
firewall can have each vsys in a different device group.

 B. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys
firewall can have each vsys in a different device group.

 C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys
firewall must have all its vsys in a single device group.

 D. Only one vsys or one firewall can be assigned to a device group, except for a
multi-vsys firewall, which must have all its vsys in a single device group.
Question #427
An engineer needs to collect User-ID mappings from the company’s existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)

 A. Client probing

 B. XFF Headers

 C. Syslog

 D. Server Monitoring
Question #428
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The
engineer uses a forward trust certificate from the enterprise PKI that expires December 31,
2025.

The validity date on the PA-generated certificate is taken from what?

 A. The root CA

 B. The untrusted certificate

 C. The server certificate

 D. The trusted certificate


Question #429
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel.
The administrator determines that the lifetime needs to be changed to match the peer.

Where should this change be made?

 A. IKE Gateway profile


 B. IPSec Crypto profile

 C. IKE Crypto profile

 D. IPSec Tunnel settings


Question #430
Which statement about High Availability timer settings is true?

 A. Use the Moderate timer for typical failover timer settings.

 B. Use the Critical timer for faster failover timer settings.

 C. Use the Aggressive timer for faster failover timer settings.

 D. Use the Recommended timer for faster failover timer settings.


Question #431
A firewall administrator is trying to identify active routes learned via BGP in the virtual
router runtime stats within the GUI.

Where can they find this information?

 A. Routes listed in the routing table with flags Oi

 B. Routes listed in the routing table with flags A/B

 C. Under the BGP Summary tab

 D. Routes listed in the forwarding table with BGP in the Protocol column
Question #432
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)

 A. PA-220

 B. PA-800 Series

 C. PA-5000 Series

 D. PA-500

 E. PA-3400 Series
Question #433
As a best practice, logging at session start should be used in which case?

 A. While troubleshooting

 B. Only on Deny rules

 C. Only when log at session end is enabled

 D. On all Allow rules


Question #434
What must be configured to apply tags automatically to User-ID logs?

 A. User mapping

 B. Log Forwarding profile

 C. Log settings

 D. Group mapping
Question #435
The profile is configured to provide granular defense against targeted flood attacks for
specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

 A. Vulnerability Protection

 B. DoS Protection

 C. Packet Buffer Protection

 D. Zone Protection
Question #436
Which states will a pair of firewalls be in if their HA Group ID is mismatched?

 A. Active/Non-functional

 B. Active/Passive

 C. Init/Init

 D. Active/Active
Question #437
An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s
IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.

How can the engineer remediate this issue?

 A. Add a Security policy to allow UDP/500.

 B. Add a Security policy to allow the IKE application.

 C. Add a Security policy to allow the IPSec application.

 D. Add a Security policy to allow UDP/4501.


Question #438
An administrator wants to grant read-only access to all firewall settings, except
administrator accounts, to a new-hire colleague in the IT department.

Which dynamic role does the administrator assign to the new-hire colleague?

 A. Superuser (read-only)

 B. Device administrator (read-only)

 C. Firewall administrator (read-only)

 D. System administrator (read-only)


Question #439
An engineer has been given approval to upgrade their environment to PAN-OS 10.2.

The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair,
and virtual log collectors.

What is the recommended order when upgrading to PAN-OS 10.2?

 A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama

 B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

 C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

 D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls


Question #440
Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a
planned Decryption roll out. The administrator has also installed the self-signed root
certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received
unsecured website warnings.

What is the cause of the unsecured website warnings?

 A. The forward trust certificate has not been signed by the self-signed root CA
certificate.

 B. The forward trust certificate has not been installed in client systems.

 C. The forward untrust certificate has not been signed by the self-signed root CA
certificate.

 D. The self-signed CA certificate has the same CN as the forward trust and untrust
certificates.
Question #441
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.

What should they review with their leadership before implementation?

 A. Browser-supported cipher documentation

 B. Cipher documentation supported by the endpoint operating system

 C. URL risk-based category distinctions

 D. Legal compliance regulations and acceptable usage policies


Question #442
Four configuration choices are listed, and each could be used to block access to a specific
URL.
If you configured each choice to block the same URL, then which choice would be evaluated
last in the processing order to block access to the URL?

 A. Custom URL category in URL Filtering profile

 B. PAN-DB URL category in URL Filtering profile

 C. EDL in URL Filtering profile

 D. Custom URL category in Security policy rule


Question #443
A network security engineer needs to enable Zone Protection in an environment that makes
use of Cisco TrustSec Layer 2 protections.

What should the engineer configure within a Zone Protection profile to ensure that the
TrustSec packets are identified and actions are taken upon them?

 A. Stream ID in the IP Option Drop options

 B. Record Route in IP Option Drop options

 C. Ethernet SGT Protection

 D. TCP Fast Open in the Strip TCP options


Question #444
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks
firewall?

 A. Enable Advanced Routing in General Settings of Device > Setup > Management,
then commit and reboot.

 B. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings,
then commit and reboot.

 C. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles
and then commit.

 D. Enable Advanced Routing in Network > Virtual Routers > Router Settings >
General, then commit and reboot.
Question #445
An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry
and IoT.
Which type of certificate must be installed?

 A. External CA certificate

 B. Server certificate

 C. Device certificate

 D. Self-signed root CA certificate


Question #446
Which Palo Alto Networks tool provides configuration heat map displays for security
controls?

 A. Expedition

 B. Security Life Cycle Review

 C. Prevention Posture Assessment

 D. Best Practice Assessment


Question #447
An engineer is configuring SSL Inbound Inspection for public access to a company’s
application.

Which certificate(s) need to be installed on the firewall to ensure that inspection is
performed successfully?

 A. Intermediate CA(s) and End-entity certificate

 B. Root CA and Intermediate CA(s)

 C. Self-signed certificate with exportable private key

 D. Self-signed CA and End-entity certificate


Question #448
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows
egressing out of the internet edge firewall.

Which certificate is the best choice to configure as an SSL Forward Trust certificate?

 A. A Machine Certificate for the firewall signed by the organization’s PKI


 B. A web server certificate signed by the organization’s PKI

 C. A subordinate Certificate Authority certificate signed by the organization’s PKI

 D. A self-signed Certificate Authority certificate generated by the firewall


Question #449
A company has configured a URL Filtering profile with override action on their firewall.

Which two profiles are needed to complete the configuration? (Choose two.)

 A. Decryption

 B. HTTP Server

 C. SSL/TLS Service

 D. Interface Management
Question #450
Which three authentication types can be used to authenticate users? (Choose three.)

 A. Local database authentication

 B. PingID

 C. Kerberos single sign-on

 D. GlobalProtect client

 E. Cloud authentication service


Question #451
Which feature checks Panorama connectivity status after a commit?

 A. HTTP Server profiles

 B. Device monitoring data under Panorama settings

 C. Automated commit recovery

 D. Scheduled config export


Question #452
What are two explanations for this type of issue? (Choose two.)

 A. Either management or a data-plane interface is used as HA1-backup.

 B. One of the firewalls has gone into the suspected state.

 C. The peer IP is not included in the permit list on Management Interface Settings.

 D. The Backup Peer HA1 IP Address was not configured when the commit was issued.
Question #453
A network administrator wants to deploy SSL Forward Proxy decryption. What two
attributes should a forward trust certificate have? (Choose two.)

 A. A certificate authority (CA) certificate

 B. A private key

 C. A server certificate

 D. A subject alternative name


Question #454
An administrator is assisting a security engineering team with a decryption rollout for
inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from
decrypting all of the traffic they want to decrypt.

Which three items should be prioritized for decryption? (Choose three.)

 A. Financial, health, and government traffic categories

 B. Less-trusted internal IP subnets

 C. Known malicious IP space


 D. High-risk traffic categories

 E. Public-facing servers
Question #455
During a laptop-replacement project, remote users must be able to establish a
GlobalProtect VPN connection to the corporate network before logging in to their new
Windows 10 endpoints.

The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator
chooses to use the Connect Before Logon feature to solve this issue.

What must be configured to enable the Connect Before Logon feature?

 A. The Certificate profile in the GlobalProtect Portal Authentication Settings.

 B. Registry keys on the Windows system.

 C. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then
On-demand.

 D. X-Auth Support in the GlobalProtect Gateway Tunnel Settings.


Question #456

Using the above screenshot of the ACC, what is the best method to set a global filter,
narrow down Blocked User Activity, and locate the user(s) that could be compromised by a
botnet?

 A. Click the hyperlink for the ZeroAccess.Gen threat.

 B. Click the source user with the highest threat count.

 C. Click the left arrow beside the ZeroAccess.Gen threat.

 D. Click the hyperlink for the botnet Threat Category.


Question #457
What is the best description of the Cluster Synchronization Timeout (min)?

 A. The maximum interval between hello packets that are sent to verify that the HA
functionality on the other firewall is operational

 B. The maximum time that the local firewall waits before going to Active state when
another cluster member is preventing the cluster from fully synchronizing

 C. The timeframe within which the firewall must receive keepalives from a cluster
member to know that the cluster member is functional

 D. The time that a passive or active-secondary firewall will wait before taking over as
the active or active-primary firewall
Question #458
Which two policy components are required to block traffic in real time using a dynamic user
group (DUG)? (Choose two.)

 A. A Decryption policy to decrypt the traffic and see the tag

 B. A Deny policy with the “tag” App-ID to block the tagged traffic

 C. An Allow policy for the initial traffic

 D. A Deny policy for the tagged traffic


Question #459
An administrator is receiving complaints about application performance degradation. After
checking the ACC, the administrator observes that there is an excessive amount of SSL
traffic.

Which three elements should the administrator configure to address this issue? (Choose
three.)

 A. QoS on the egress interface for the traffic flows

 B. QoS on the ingress interface for the traffic flows

 C. A QoS profile defining traffic classes

 D. A QoS policy for each application ID

 E. An Application Override policy for the SSL traffic


Question #460
An administrator creates a custom application containing Layer 7 signatures. The latest
application and threat dynamic update is downloaded to the same firewall. The update
contains an application that matches the same traffic signatures as the custom application.

Which application will be used to identify traffic traversing the firewall?

 A. Custom application

 B. Unknown application

 C. Downloaded application

 D. Incomplete application
Question #461
An administrator creates an application-based security policy rule and commits the change
to the firewall.

Which two methods should be used to identify the dependent applications for the
respective rule? (Choose two.)

 A. Review the App Dependency application list from the Commit Status view.

 B. Open the security policy rule and review the Depends On application list.

 C. Reference another application group containing similar applications.

 D. Use the show predefined xpath command and review the output.
Question #462
An engineer is creating a template and wants to use variables to standardize the
configuration across a large number of devices.

Which two variable types can be defined? (Choose two.)

 A. IP netmask

 B. Zone

 C. Path group

 D. FQDN
Question #463
Users have reported an issue when they are trying to access a server on your network. The
requests aren't taking the expected route. You discover that there are two different static
routes on the firewall for the server.

What is used to determine which route has priority?

 A. The first route installed

 B. Bidirectional Forwarding Detection

 C. The route with the lowest administrative distance

 D. The route with the highest administrative distance


Question #464
A company has configured GlobalProtect to allow their users to work from home. A
decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)

 A. Enable decryption

 B. Exclude video traffic

 C. Create a Tunnel Inspection policy

 D. Block traffic that is not work-related


Question #465
Which log type would provide information about traffic blocked by a Zone Protection
profile?

 A. Data Filtering

 B. IP-Tag

 C. Threat

 D. Traffic
Question #466
Where can an administrator see both the management-plane and data-plane CPU utilization
in the WebUI?

 A. Session Browser

 B. System Logs widget

 C. System Resources widget

 D. General Information widget


Question #467
An administrator wants to perform HIP checks on the endpoints to ensure their security
posture.

Which license is required on all Palo Alto Networks next-generation firewalls that will be
performing the HIP checks?

 A. GlobalProtect Gateway

 B. Current and Active Support License

 C. Threat Prevention

 D. GlobalProtect Portal
Question #468
A network security administrator wants to configure SSL inbound inspection.

Which three components are necessary for inspecting the HTTPS traffic as it enters the
firewall? (Choose three.)

 A. An SSL/TLS Service profile

 B. The web server's security certificate with the private key

 C. A Decryption profile

 D. A Decryption policy

 E. The client's security certificate with the private key


Question #469
You have been asked to implement GlobalProtect for your organization. You have decided
on https://gp.mycompany.com for your Portal, and have received the certificate and key.

Where would you navigate to on the firewall UI to import the certificate?

 A. Device > Certificate Management > Device Certificates > Certificates

 B. Device Certificates > Certificate Management > Certificates > Device


 C. Device > Device Certificates > Certificate Management > Certificates

 D. Device > Certificate Management > Certificates > Device Certificates


Question #470
An engineer has been asked to limit which routes are shared by running two different areas
within an OSPF implementation. However, the devices share a common link for
communication.

Which virtual router configuration supports running multiple instances of the OSPF protocol
over a single link?

 A. ASBR

 B. OSPFv3

 C. ECMP

 D. OSPF
Question #471
An administrator is configuring a Panorama device group.

Which two objects are configurable? (Choose two.)

 A. URL Filtering profiles

 B. SSL/TLS profiles

 C. Address groups

 D. DNS Proxy
Question #472
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication
services for authenticating users.

What should the administrator be aware of regarding the authentication sequence, based
on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?

 A. The priority assigned to the Authentication profile defines the order of the
sequence.

 B. The firewall evaluates the profiles in the alphabetical order the Authentication
profiles have been named until one profile successfully authenticates the user.

 C. If the authentication times out for the first Authentication profile in the
authentication sequence, no further authentication attempts will be made.

 D. The firewall evaluates the profiles in top-to-bottom order until one Authentication
profile successfully authenticates the user.
Question #473
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls
have been configured to use High Availability mode with Active/Passive. The ARP tables for
upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no
longer in conflict?

 A. Change the interface type on the interfaces that have conflicting MAC addresses
from L3 to VLAN.

 B. On one pair of firewalls, run the CLI command: set network interface vlan arp.

 C. Change the Group IDs in the High Availability settings to be different from the
other firewall pair on the same subnet.

 D. Configure a floating IP between the firewall pairs.


Question #474
The same route appears in the routing table three times using three different protocols.

Which mechanism determines how the firewall chooses which route to use?

 A. Administrative distance

 B. Metric

 C. Order in the routing table

 D. Round Robin load balancing


Question #475
An engineer has discovered that certain real-time traffic is being treated as best effort due
to it exceeding defined bandwidth.

Which QoS setting should the engineer adjust?

 A. QoS interface: Egress Guaranteed


 B. QoS profile: Egress Max

 C. QoS profile: Egress Guaranteed

 D. QoS interface: Egress Max


Question #476
A Security policy rule is configured with a Vulnerability Protection Profile and an action of
“Deny”.

Which action will this configuration cause on the matched traffic?

 A. It will cause the firewall to deny the matched sessions. Any configured Security
Profiles have no effect if the Security policy rule action is set to “Deny”.

 B. The configuration will allow the matched session unless a vulnerability signature is
detected. The “Deny” action will supersede the per-severity defined actions defined in
the associated Vulnerability Protection Profile.

 C. It will cause the firewall to skip this Security policy rule. A warning will be
displayed during a commit.

 D. The Profile Settings section will be grayed out when the Action is set to “Deny”.
Question #477
Which feature detects the submission of corporate login information into website forms?

 A. App-ID

 B. File Blocking profile

 C. Data Filtering profile

 D. Credential Phishing
Question #478
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose
three.)

 A. Short message service

 B. Push

 C. User logon

 D. One-Time Password

 E. SSH key
Question #479
An administrator needs to identify which NAT policy is being used for internet traffic.

From the GUI of the firewall, how can the administrator identify which NAT policy is in use
for a traffic flow?

 A. From the Monitor tab, click Traffic view and review the information in the detailed
log view.

 B. From the Monitor tab, click Traffic view, ensure that the Source or Destination
NAT columns are included and review the information in the detailed log view.

 C. From the Monitor tab, click App Scope > Network Monitor and filter the report for
NAT rules.

 D. From the Monitor tab, click Session Browser and review the session details.
Question #480
Which three external services perform both authentication and authorization for
administration of firewalls? (Choose three.)

 A. Kerberos

 B. TACACS+

 C. SAML

 D. RADIUS

 E. LDAP
Question #481
A firewall administrator has been tasked with ensuring that all firewalls forward System logs
to Panorama.

In which section is this configured?

 A. Monitor > Logs > System

 B. Objects > Log Forwarding

 C. Device > Log Settings

 D. Panorama > Managed Devices


Question #482
A customer would like to support Apple Bonjour in their environment for ease of
configuration.

Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour
Reflector in a segmented network?

 A. Virtual Wire interface

 B. Layer 3 interface

 C. Layer 2 interface

 D. Loopback interface
Question #483
An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which
three directories are mandatory as part of the bootstrap package directory structure?
(Choose three.)

 A. /plugins

 B. /license

 C. /opt

 D. /content

 E. /software
Question #484
A company requires the firewall to block expired certificates issued by internet-hosted
websites. The company plans to implement decryption in the future, but it does not
perform SSL Forward Proxy decryption at this time.

Without the use of SSL Forward Proxy decryption, how is the firewall still able to identify
and block expired certificates issued by internet-hosted websites?

 A. By having a Certificate profile that contains the website's Root CA assigned to the
respective Security policy rule

 B. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication and
the server/client session keys in order to validate a certificate's authenticity and
expiration

 C. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication in
order to validate a certificate's authenticity and expiration

 D. By having a Decryption profile that blocks sessions with expired certificates in the
No Decryption section and assigning it to a No Decrypt policy rule
Question #485
A company is looking to increase redundancy in their network.

Which interface type could help accomplish this?

 A. Tap

 B. Layer 2

 C. Virtual wire

 D. Aggregate ethernet
Question #486
An auditor has requested that roles and responsibilities be split inside the security team.
Group A will manage templates, and Group B will manage device groups inside Panorama.

Which two specific firewall configurations will Group B manage? (Choose two.)

 A. Routing

 B. Security rules

 C. Interfaces

 D. Address objects
Question #487
An engineer is deploying VoIP and needs to ensure that voice traffic is treated with the
highest priority on the network.

Which QoS priority should be assigned to such an application?

 A. Medium

 B. Low

 C. High

 D. Real-time
Question #488
A network security administrator wants to enable Packet-Based Attack Protection in a Zone
Protection profile.

What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)

 A. TCP Drop

 B. ICMP Drop

 C. SYN Random Early Drop

 D. TCP Port Scan Block


Question #489
Given the following snippet of a WildFire submission log, did the end-user get access to the
requested information and why or why not?

 A. No, because this is an example from a defeated phishing attack.

 B. Yes, because the action is set to “allow”

 C. No, because the severity is “high” and the verdict “malicious”

 D. Yes, because the action is set to “alert”


Question #490
The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the
process by upgrading the Panorama servers, but gets an error when trying to install.

When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a
failed install?

 A. GlobalProtect agent version

 B. Outdated plugins

 C. Management only mode


 D. Expired certificates
Question #491
How can Panorama help with troubleshooting problems such as high CPU or resource
exhaustion on a managed firewall?

 A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected.
Panorama generates a system log and can send email alerts.

 B. Panorama provides visibility into all the system and traffic logs received from
firewalls. It does not offer any ability to see or monitor resource utilization on managed
firewalls.

 C. Panorama provides information about system resources of the managed devices
in the Managed Devices > Health menu.

 D. Panorama monitors all firewalls using SNMP. It generates a system log and can
send email alerts when resource exhaustion is detected on a managed firewall.
Question #492
An administrator is configuring SSL decryption and needs to ensure that all certificates for
both SSL Inbound inspection and SSL Forward Proxy are installed properly on the firewall.

When certificates are being imported to the firewall for these purposes, which three
certificates require a private key? (Choose three.)

 A. Forward Untrust certificate

 B. Enterprise Root CA certificate

 C. Forward Trust certificate

 D. End-entity (leaf) certificate

 E. Intermediate certificate(s)
Question #493
An administrator would like to determine which action the firewall will take for a specific
CVE.

Given the screenshot below, where should the administrator navigate to view this
information?

 A. The profile rule action

 B. CVE column

 C. The profile rule threat name

 D. Exceptions tab
Question #494
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto
Networks firewall running PAN-OS 10.2. After OSPF was configured the administrator
noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

 A. Run the CLI command show advanced-routing ospf neighbor

 B. In the WebUI, view the Runtime Stats in the virtual router

 C. Look for configuration problems in Network > virtual router > OSPF

 D. In the WebUI, view Runtime Stats in the logical router


Question #495
In an HA failover scenario, what happens with sessions decrypted by an SSL Forward Proxy
Decryption policy?

 A. The existing session is transferred to the active firewall.

 B. The firewall drops the session.

 C. The session is sent to fastpath.

 D. The firewall allows the session but does not decrypt the session.
Question #496
An administrator just enabled HA Heartbeat Backup on two devices. However, the status on
the firewall's dashboard is showing as down.

What could an administrator do to troubleshoot the issue?

 A. Go to Device > High Availability > General > HA Pair Settings > Setup and
configure the peer IP for heartbeat backup

 B. Go to Device > High Availability > HA Communications > General > and check the
Heartbeat Backup under Election Settings

 C. Check peer IP address for heartbeat backup to Device > High Availability > HA
Communications > Packet Forwarding settings

 D. Check peer IP address in the permit list in Device > Setup > Management >
Interfaces > Management Interface Settings
Question #497
An engineer troubleshoots an issue that causes packet drops.

Which command should the engineer run in the CLI to see if packet buffer protection is
enabled and activated?

 A. show session id

 B. show system state | match packet-buffer-protection

 C. show session packet-buffer-protection

 D. show running resource-monitor


Question #498
An engineer configures SSL decryption in order to have more visibility to the internal users’
traffic when it is egressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

 A. High availability (HA)

 B. Layer 3

 C. Layer 2

 D. Tap

 E. Virtual Wire
Question #499
If an administrator wants to apply QoS to traffic based on source, what must be specified in
a QoS policy rule?

 A. Post-NAT destination address

 B. Pre-NAT destination address

 C. Pre-NAT source address

 D. Post-NAT source address


Question #500
An engineer reviews high availability (HA) settings to understand a recent HA failover event.
Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the
active firewall after losing communications with the HA peer?

 A. Heartbeat Interval

 B. Promotion Hold Time

 C. Additional Master Hold Up Time

 D. Monitor Fail Hold Up Time

Question #501
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to
a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is
153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and
interfaces information below.
What should the NAT rule destination zone be set to?

 A. None

 B. Inside

 C. DMZ

 D. Outside
Question #502
A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in
Transparent Proxy mode.

Which three elements must be in place before a transparent web proxy can function?
(Choose three.)

 A. User-ID for the proxy zone

 B. DNS Security license

 C. Prisma Access explicit proxy license

 D. Cortex Data Lake license

 E. Authentication Policy Rule set to default-web-form


Question #503
Which source is the most reliable for collecting User-ID user mapping?

 A. Microsoft Active Directory

 B. Microsoft Exchange

 C. GlobalProtect

 D. Syslog Listener
Question #504
Which type of zone will allow different virtual systems to communicate with each other?

 A. Tap

 B. Tunnel

 C. Virtual Wire

 D. External
Question #505
An organization is interested in migrating from their existing web proxy architecture to the
Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain
the destination IP address of the web server and the client browser is redirected to the
proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

 A. SSL forward proxy

 B. Explicit proxy

 C. Transparent proxy

 D. DNS proxy
Question #506
An engineer discovers the management interface is not routable to the User-ID agent.

What configuration is needed to allow the firewall to communicate to the User-ID agent?

 A. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP

 B. Create a NAT policy for the User-ID agent server

 C. Create a custom service route for the UID Agent

 D. Add a static route to the virtual router


Question #507
An engineer receives reports from users that applications are not working and that websites
are only partially loading in an asymmetric environment. After investigating, the engineer
observes the flow_tcp_non_syn_drop counter increasing in the show counters global
output.

Which troubleshooting command should the engineer use to work around this issue?

 A. set deviceconfig setting tcp asymmetric-path drop

 B. set session tcp-reject-non-syn yes

 C. set deviceconfig setting tcp asymmetric-path bypass

 D. set deviceconfig setting session tcp-reject-non-syn no


Question #508
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device
certificate installed?

 A. Panorama

 B. M600 Log Collectors

 C. Cortex Data Lake

 D. On Palo Alto Networks Update Servers


Question #509
Which GlobalProtect gateway setting is required to enable split-tunneling by access route,
destination domain, and application?

 A. Satellite mode

 B. Tunnel mode

 C. No Direct Access to local networks


 D. IPSec mode
Question #510
A superuser is tasked with creating administrator accounts for three contractors. For
compliance purposes, all three contractors will be working with different device-groups in
their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

 A. Create a Dynamic Admin with the Panorama Administrator role.

 B. Create a Dynamic Read only superuser.

 C. Create a Device Group and Template Admin.

 D. Create a Custom Panorama Admin.


Question #511
An administrator connects four new remote offices to the corporate data center. The
administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks
next-generation firewall.

What should the administrator configure in order to connect the sites?

 A. Generic Routing Encapsulation (GRE) Tunnels

 B. GlobalProtect Satellite

 C. SD-WAN

 D. IKE Gateways
Question #512
A customer wants to set up a site-to-site VPN using tunnel interfaces.

What format is the correct naming convention for tunnel interfaces?

 A. tun.1025

 B. tunnel.50

 C. vpn.1024

 D. gre1/2
Question #513
An engineer notices that the tunnel monitoring has been failing for a day and the VPN
should have failed over to a backup path.

What part of the network profile configuration should the engineer verify?

 A. Destination IP

 B. Threshold

 C. Action

 D. Interval
Question #514
Which three multi-factor authentication methods can be used to authenticate access to the
firewall? (Choose three.)

 A. One-time password

 B. User certificate

 C. SMS

 D. Voice

 E. Fingerprint
Question #515
Which two profiles should be configured when sharing tags from threat logs with a remote
User-ID agent? (Choose two.)

 A. LDAP

 B. Log Ingestion

 C. HTTP

 D. Log Forwarding
Question #516
What is the PAN-OS NPTv6 feature based on RFC 6296 used for?

 A. Application port number translation


 B. IPv6-to-IPv6 network prefix translation

 C. Stateful translation to provide better security

 D. IPv6-to-IPv6 host portion translation


Question #517
An administrator has been tasked with deploying SSL Forward Proxy.

Which two types of certificates are used to decrypt the traffic? (Choose two.)

 A. Device certificate

 B. Subordinate CA from the administrator’s own PKI infrastructure

 C. Self-signed root CA

 D. External CA certificate
Question #518
An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

 A. Inherit all Security policy rules and objects

 B. Inherit settings from the Shared group

 C. Inherit IPSec crypto profiles

 D. Inherit parent Security policy rules and objects


Question #519
A network security administrator wants to inspect HTTPS traffic from users as it egresses
through a firewall to the Internet/Untrust zone from trusted network zones. The security
admin wishes to ensure that if users are presented with invalid or untrusted security
certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

 A. A self-signed certificate generated on the firewall

 B. A web server certificate signed by the organization’s PKI

 C. A web server certificate signed by an external Certificate Authority


 D. A subordinate Certificate Authority certificate signed by the organization’s PKI
Question #520
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through
the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the
voice packets payload and opens dynamic pinholes for media ports.

What can the engineer do to solve the VoIP traffic issue?

 A. Disable ALG under H.323 application

 B. Increase the TCP timeout under H.323 application

 C. Increase the TCP timeout under SIP application

 D. Disable ALG under SIP application


Question #521
After importing a pre-configured firewall configuration to Panorama, what step is required
to ensure a commit/push is successful without duplicating local configurations?

 A. Ensure Force Template Values is checked when pushing configuration.

 B. Push the Template first, then push Device Group to the newly managed firewall.

 C. Push the Device Group first, then push Template to the newly managed firewall.

 D. Perform the Export or push Device Config Bundle to the newly managed firewall.
Question #522
Which new PAN-OS 11.0 feature supports IPv6 traffic?

 A. OSPF

 B. IKEv1

 C. DHCP Server

 D. DHCPv6 Client with Prefix Delegation


Question #523
If a URL is in multiple custom URL categories with different actions, which action will take
priority?

 A. Block

 B. Allow

 C. Alert

 D. Override
Question #524
An engineer is reviewing the following high availability (HA) settings to understand a recent
HA failover event.

Which timer determines the frequency between packets sent to verify that the HA
functionality on the other HA firewall is operational?

 A. Hello Interval

 B. Monitor Fail Hold Up Time

 C. Heartbeat Interval

 D. Promotion Hold Time


Question #525
Which three items must be configured to implement application override? (Choose three.)

 A. Application filter

 B. Application override policy rule

 C. Custom app

 D. Decryption policy rule

 E. Security policy rule


Question #526
An engineer is configuring a firewall with three interfaces:

• MGT connects to a switch with internet access.
• Ethernet1/1 connects to an edge router.
• Ethernet1/2 connects to a virtualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet
traffic.
What should be configured in Setup > Services > Service Route Configuration to allow this
traffic?

 A. Set DNS and Palo Alto Networks Services to use the MGT source interface.

 B. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

 C. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

 D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.
Question #527
An organization conducts research on the benefits of leveraging the Web Proxy feature of
PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy
method? (Choose two.)

 A. No client configuration is required for explicit proxy, which simplifies the
deployment complexity.

 B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.

 C. It supports the X-Authenticated-User (XAU) header, which contains the
authenticated username in the outgoing request.

 D. Explicit proxy allows for easier troubleshooting, since the client browser is aware
of the existence of the proxy.
Question #528
Which three external authentication services can the firewall use to authenticate admins
into the Palo Alto Networks NGFW without creating an administrator account on the local
firewall? (Choose three.)

 A. TACACS+

 B. Kerberos

 C. SAML

 D. RADIUS

 E. LDAP
Question #529
With the default TCP and UDP settings on the firewall, what will be the identified application
in the following session?

 A. insufficient-data

 B. incomplete

 C. not-applicable

 D. unknown-tcp
Question #530
To ensure that a Security policy has the highest priority, how should an administrator
configure a Security policy in the device group hierarchy?

 A. Clone the security policy and add it to the other device groups.

 B. Add the policy to the target device group and apply a master device to the device
group.

 C. Reference the targeted device’s templates in the target device group.

 D. Add the policy in the shared device group as a pre-rule.


Question #531
Based on the graphic, which statement accurately describes the output shown in the Server
Monitoring panel?

 A. The User-ID agent is connected to a domain controller labeled lab-client.

 B. The host lab-client has been found by the User-ID agent.

 C. The host lab-client has been found by a domain controller.

 D. The User-ID agent is connected to the firewall labeled lab-client.


Question #532
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

 A. Deny

 B. Allow

 C. Discard

 D. Next VR
Question #533
An engineer manages a high availability network and requires fast failover of the routing
protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

 A. OSPF

 B. IGRP

 C. OSPFv3 virtual link

 D. BGP

 E. RIP
Question #534
A company has recently migrated their branch office’s PA-220s to a centralized Panorama.
This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device
group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the
migration.

What can they do to reduce commit times?

 A. Disable “Share Unused Address and Service Objects with Devices” in Panorama
Settings.

 B. Perform a device group push using the “merge with device candidate config”
option.

 C. Update the apps and threat version using device-deployment.

 D. Use “export or push device config bundle” to ensure that the firewall is integrated
with the Panorama config.
Question #535
An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

 A. 1

 B. 2

 C. 3

 D. 4
Question #536
An administrator notices that an interface configuration has been overridden locally on a
firewall. They require all configuration to be managed from Panorama and overrides are not
allowed.

What is one way the administrator can meet this requirement?

 A. Reload the running configuration and perform a Firewall local commit.

 B. Perform a commit force from the CLI of the firewall.

 C. Perform a template commit push from Panorama using the “Force Template
Values” option.

 D. Perform a device-group commit push from Panorama using the “Include Device
and Network Templates” option.
Question #537
Where can a service route be configured for a specific destination IP?

 A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4

 B. Use Device > Setup > Services > Services

 C. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

 D. Use Device > Setup > Services > Service Route Configuration > Customize >
Destination
Question #538
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN
configuration.

What part of the configuration should the engineer verify?

 A. IKE Crypto Profile

 B. Security policy

 C. Proxy-IDs

 D. PAN-OS versions
Question #539
Information Security is enforcing group-based policies by using security-event monitoring on
Windows User-ID agents for IP-to-User mapping in the network. During the rollout,
Information Security identified a gap for users authenticating to their VPN and wireless
networks.

Root cause analysis showed that users were authenticating via RADIUS and that
authentication events were not captured on the domain controllers that were being
monitored. Information Security found that authentication events existed on the Identity
Management solution (IDM).
There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from
authentication events for VPN and wireless users?

 A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over
TLS.

 B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication
events directly from the IDM solution.

 C. Add domain controllers that might be missing to perform security-event
monitoring for VPN and wireless users.

 D. Configure the Windows User-ID agents to monitor the VPN concentrators and
wireless controllers for IP-to-User mapping.
Question #540
An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was
activated?
 A. Configuration

 B. Data Filtering

 C. Traffic

 D. Threat
Question #541
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various
services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information
for use in these rules?

 A. A service route to the LDAP server

 B. A User-ID agent on the LDAP server

 C. A Master Device

 D. Authentication Portal
Question #542
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the
trust zone access to a server in the same zone by using an external, public NAT IP for that
server.

Given the rule below, what change should be made to make sure the NAT works as
expected?
 A. Change destination NAT zone to Trust_L3.

 B. Change destination translation to Dynamic IP (with session distribution) using
firewall eth1/2 address.

 C. Change Source NAT zone to Untrust_L3.

 D. Add source Translation to translate original source IP to the firewall eth1/2
interface translation.
Question #543
An engineer is configuring a template in Panorama which will contain settings that need to
be applied to all firewalls in production.

Which three parts of a template can an engineer configure? (Choose three.)

 A. Service Route Configuration

 B. Dynamic Address Groups

 C. NTP Server Address


 D. Antivirus Profile

 E. Authentication Profile
Question #544
A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly
uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

 A. Add SSL application to the same rule.

 B. SSL and web-browsing must both be explicitly allowed.

 C. Add SSL and web-browsing applications to the same rule.

 D. Add web-browsing application to the same rule.


Question #545
In a security-first network, what is the recommended threshold value for apps and threats
to be dynamically updated?

 A. 1 to 4 hours

 B. 6 to 12 hours

 C. 24 hours

 D. 36 hours
Question #546
An engineer configures a specific service route in an environment with multiple virtual
systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

 A. Destination-Based Service Route

 B. Inherit Global Setting

 C. IPv6 Source or Destination Address

 D. IPv4 Source Interface


Question #547
An administrator is receiving complaints about application performance degradation. After
checking the ACC, the administrator observes that there is an excessive amount of VoIP
traffic.

Which three elements should the administrator configure to address this issue? (Choose
three.)

 A. A QoS policy for each application

 B. An Application Override policy for the SIP traffic

 C. A QoS profile defining traffic classes

 D. QoS on the ingress interface for the traffic flows

 E. QoS on the egress interface for the traffic flows


Question #548
What are three tasks that cannot be configured from Panorama by using a template stack?
(Choose three.)

 A. Rename a vsys on a multi-vsys firewall

 B. Change the firewall management IP address

 C. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC
mode

 D. Add administrator accounts

 E. Configure a device block list


Question #549

Based on the screenshots above, what is the correct order in which the various rules are
deployed to firewalls inside the DATACENTER_DG device group?

 A. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
DATACENTER_DG post-rules
shared post-rules
shared default rules

 B. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
shared post-rules
DATACENTER_DG post-rules
DATACENTER_DG default rules

 C. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
shared post-rules
DATACENTER_DG post-rules
shared default rules

 D. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
DATACENTER_DG post-rules
shared post-rules
DATACENTER_DG default rules
Question #550
A company wants to implement threat prevention to take action without redesigning the
network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

 A. Virtual Wire

 B. Layer 2

 C. Layer 3

 D. TAP
Question #551
Which operation will impact the performance of the management plane?

 A. Enabling DoS protection

 B. Enabling packet buffer protection

 C. Decrypting SSL sessions

 D. Generating a SaaS Application report


Question #552
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

 A. Tunnel inspection

 B. NAT

 C. QoS

 D. DoS Protection
Question #553
Why would a traffic log list an application as "not-applicable"?

 A. There was not enough application data after the TCP connection was established.

 B. The TCP connection terminated without identifying any application data.

 C. The firewall denied the traffic before the application match could be performed.

 D. The application is not a known Palo Alto Networks App-ID.


Question #554
What must be configured to apply tags automatically based on User-ID logs?

 A. Device ID

 B. Log settings

 C. Group mapping

 D. Log Forwarding profile


Question #555
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The
engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a
DNS response based on the original destination IP address and translated destination IP
address configured for the rule. The engineer wants the firewall to rewrite a DNS response
of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

 A. Enable DNS rewrite under the destination address translation in the Translated
Packet section of the NAT rule with the direction Forward.

 B. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to
192.168.1.10 with the destination port equal to UDP/53.

 C. Enable DNS rewrite under the destination address translation in the Translated
Packet section of the NAT rule with the direction Reverse.

 D. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to
1.1.1.10 with the destination port equal to UDP/53.
Question #556
An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored
path?

 A. Initial

 B. Passive

 C. Active-secondary

 D. Tentative
Question #557
You are auditing the work of a co-worker and need to verify that they have matched the
Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best
Practice standard? (Choose three.)

 A. Critical

 B. High

 C. Medium
 D. Informational

 E. Low
Question #558
In the New App Viewer under Policy Optimizer, what does the compare option for a specific
rule allow an administrator to compare?

 A. Applications configured in the rule with their dependencies

 B. The security rule with any other security rule selected

 C. Applications configured in the rule with applications seen from traffic matching
the same rule

 D. The running configuration with the candidate configuration of the firewall


Question #559
Given the following snippet of a WildFire submission log, did the end user successfully
download a file?

 A. Yes, because the final action is set to "allow."

 B. No, because the action for the wildfire-virus is "reset-both."

 C. No, because the URL generated an alert.

 D. Yes, because both the web-browsing application and the flash file have the "alert"
action.
Question #560
Which two factors should be considered when sizing a decryption firewall deployment?
(Choose two.)
 A. Number of security zones in decryption policies

 B. Encryption algorithm

 C. TLS protocol version

 D. Number of blocked sessions


Question #561
After switching to a different WAN connection, users have reported that various websites
will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not
reaching the users behind the firewall. The engineer later concludes that the maximum
transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

 A. Change the subnet mask from /23 to /24.

 B. Lower the interface MTU value below 1500.

 C. Adjust the TCP maximum segment size (MSS) value.

 D. Enable the Ignore IPv4 Don't Fragment (DF) setting.


Question #562
An engineer configures a new template stack for a firewall that needs to be deployed. The
template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS
Service profile configured named Management?

 A. Values in Global Settings

 B. Values in Datacenter

 C. Values in efw01ab.chi

 D. Values in Chicago
Question #563
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN
service.

What should an administrator configure to enable automatic failover to the backup tunnel?

 A. Replay Protection

 B. Zone Protection

 C. Tunnel Monitor

 D. Passive Mode
Question #564
An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an
external customer on their policy-based VPN devices.
What should an administrator configure to route interesting traffic through the VPN tunnel?

 A. Proxy IDs

 B. ToS Header

 C. GRE Encapsulation

 D. Tunnel Monitor
Question #565
A firewall engineer creates a new App-ID report under Monitor > Reports > Application
Reports > New Applications to monitor new applications on the network and better assess
any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

 A. It matches to the New App-IDs downloaded in the last 90 days.

 B. It matches to the New App-IDs in the most recently installed content releases.

 C. It matches to the New App-IDs downloaded in the last 30 days.

 D. It matches to the New App-IDs installed since the last time the firewall was
rebooted.
Question #566
An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?

 A. Passive

 B. Initial

 C. Active

 D. Active-primary
Question #567
An engineer needs to configure a standardized template for all Panorama-managed
firewalls. These settings will be configured on a template named "Global" and will be
included in all template stacks.
Which three settings can be configured in this template? (Choose three.)

 A. Log Forwarding profile

 B. SSL decryption exclusion

 C. Email scheduler

 D. Login banner

 E. Dynamic updates
Question #568
An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to
download and install the CA certificate, and clearly notify them that their traffic will be
decrypted?

 A. Authentication Portal

 B. SSL Decryption profile

 C. SSL decryption policy

 D. comfort pages
Question #569
Which two key exchange algorithms consume the most resources when decrypting SSL
traffic? (Choose two.)

 A. ECDSA

 B. ECDHE

 C. RSA

 D. DHE
Question #570
An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS
servers configured via a global template. As a troubleshooting step, the engineer needs to
configure a local DNS server in place of the template value.
Which two actions can be taken to ensure that only the specific firewall is affected during
this process? (Choose two.)

 A. Override the DNS server on the template stack.

 B. Configure the DNS server locally on the firewall.

 C. Change the DNS server on the global template.

 D. Configure a service route for DNS on a different interface.


Question #571
An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?

 A. Monitor > Logs > Traffic

 B. Device > High Availability > Active/Passive Settings

 C. Monitor > Logs > System

 D. Dashboard > Widgets > High Availability


Question #572
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS
11.0. The client currently uses RADIUS authentication in their environment.

Which two pieces of information should the consultant provide regarding Web Proxy
authentication? (Choose two.)

 A. Kerberos or SAML authentication need to be configured.

 B. RADIUS is only supported for a transparent Web Proxy.

 C. RADIUS is not supported for explicit or transparent Web Proxy.

 D. LDAP or TACACS+ authentication need to be configured.


Question #573
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One
of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
Active Directory for authentication.
What is the most operationally efficient way to redistribute the most accurate IP addresses
to username mappings?

 A. Deploy a PAN-OS integrated User-ID agent on each vsys

 B. Deploy the GlobalProtect vsys as a User-ID data hub

 C. Deploy an M-200 as a User-ID collector

 D. Deploy Windows User-ID agents on each domain controller


Question #574
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1
to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

 A. Required: Download and install the latest preferred PAN-OS 10.1 maintenance
release and reboot.
Required: Download PAN-OS 10.2.0.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.

 B. Optional: Download and install the latest preferred PAN-OS 10.1 release.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.

 C. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release
and reboot.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.

 D. Required: Download and install the latest preferred PAN-OS 10.1 maintenance
release and reboot.
Required: Download PAN-OS 10.2.0.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release
and reboot.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
Question #575
Which two actions must an engineer take to configure SSL Forward Proxy decryption?
(Choose two.)
 A. Configure the decryption profile.

 B. Configure SSL decryption rules.

 C. Define a Forward Trust Certificate.

 D. Configure an SSL/TLS service profile.


Question #576
A firewall engineer supports a mission-critical network that has zero tolerance for
application downtime. A best-practice action taken by the engineer is to configure an
Applications and Threats update schedule with a new App-ID threshold of 48 hours.

Which two additional best-practice guideline actions should be taken with regard to
dynamic updates? (Choose two.)

 A. Configure an Applications and Threats update schedule with a threshold of 24 to
48 hours.

 B. Click "Review Apps" after application updates are installed in order to assess how
the changes might impact Security policy.

 C. Create a Security policy rule with an application filter to always allow certain
categories of new App-IDs.

 D. Select the action "download-only" when configuring an Applications and Threats
update schedule.
Question #577
When a new firewall joins a high availability (HA) cluster, the cluster members will
synchronize all existing sessions over which HA port?

 A. HA1

 B. HA2

 C. HA3

 D. HA4
Question #578
What can the Log Forwarding built-in action with tagging be used to accomplish?

 A. Forward selected logs to the Azure Security Center.

 B. Block the destination zones of selected unwanted traffic.

 C. Block the source zones of selected unwanted traffic.


 D. Block the destination IP addresses of selected unwanted traffic.
Question #579
An administrator notices interface ethernet1/2 failed on the active firewall in an
active/passive firewall high availability (HA) pair.

Based on the image below, what - if any - action was taken by the active firewall when the
link failed?

 A. No action was taken because interface ethernet1/1 did not fail.

 B. The active firewall failed over to the passive HA member due to an AE1 Link Group
failure.

 C. No action was taken because Path Monitoring is disabled.

 D. The active firewall failed over to the passive HA member because "any" is selected
for the Link Monitoring "Failure Condition".
Question #580
A firewall administrator wants to be able to see all NAT sessions that are going through a
firewall with source NAT.

Which CLI command can the administrator use?

 A. show session all filter nat source


 B. show running nat-rule-ippool rule “rule_name”

 C. show running nat-policy

 D. show session all filter nat-rule-source


Question #581
An engineer needs to configure a standardized template for all Panorama-managed
firewalls. These settings will be configured on a template named "Global" and will be
included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

 A. Log Forwarding profile

 B. SSL decryption exclusion

 C. Tags

 D. Login banner

 E. Dynamic updates
Question #582
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors.
The company also wants to deploy a syslog server and forward all firewall logs to the syslog
server and to the log collectors. There is a known logging peak time during the day and the
security team has asked the firewall engineer to determine how many logs per second the
current Palo Alto Networks log collectors are processing at that particular time.

Which method is the most time-efficient to complete this task?

 A. Navigate to Panorama > Managed Collectors, and open the Statistics window for
each Log Collector during the peak time

 B. Navigate to ACC > Network Activity, and determine the total number of sessions
and threats during the peak time

 C. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to
the last page to find out how many logs have been received

 D. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each
managed firewall and check the log rates during the peak time
Question #583
A firewall engineer is configuring quality of service (QoS) policy for the IP address of a
specific server in an effort to limit the bandwidth consumed by frequent downloads of large
files from the internet.

Which combination of pre-NAT and/or post-NAT information should be used in the QoS
rule?

 A. Pre-NAT source IP address
Pre-NAT source zone

 B. Post-NAT source IP address
Pre-NAT source zone

 C. Pre-NAT source IP address
Post-NAT source zone

 D. Post-NAT source IP address
Post-NAT source zone
Question #584
The decision to upgrade PAN-OS has been approved. The engineer begins the process by
upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a
failed install?

 A. GlobalProtect agent version

 B. Outdated plugins

 C. Management only mode

 D. Expired certificates
Question #585
Following a review of firewall logs for traffic generated by malicious activity, how can an
administrator confirm that WildFire has identified a virus?

 A. By navigating to Monitor > Logs > Traffic, applying filter “(subtype eq virus)”

 B. By navigating to Monitor > Logs > Threat, applying filter “(subtype eq virus)”

 C. By navigating to Monitor > Logs > Threat, applying filter “(subtype eq wildfire-virus)”
 D. By navigating to Monitor > Logs > WildFire Submissions, applying filter “(subtype
eq wildfire-virus)”
Question #586
A firewall engineer is managing a Palo Alto Networks NGFW which is not in line of any DHCP
traffic.

Which interface mode can the engineer use to generate Enhanced Application logs (EALs)
for classifying IoT devices while receiving broadcast DHCP traffic?

 A. Virtual wire

 B. Layer 3

 C. Layer 2

 D. Tap
Question #587
An administrator is considering deploying WildFire globally.

What should the administrator consider with regards to the WildFire infrastructure?

 A. To comply with data privacy regulations, WildFire signatures and verdicts are not
shared globally.

 B. Palo Alto Networks owns and maintains one global cloud and four WildFire
regional clouds.

 C. Each WildFire cloud analyzes samples independently of the other WildFire clouds.

 D. The WildFire Global Cloud only provides bare metal analysis.


Question #588
Which log type is supported in the Log Forwarding profile?

 A. User-ID

 B. GlobalProtect

 C. Configuration

 D. Tunnel
Question #589
A firewall engineer needs to update a company’s Panorama-managed firewalls to the latest
version of PAN-OS. Strict security requirements are blocking internet access to Panorama
and to the firewalls. The PAN-OS images have previously been downloaded to a secure host
on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

 A. Upload the image to Panorama > Device Deployment > Software menu, and
deploy it to the firewalls.

 B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu,
and deploy it to the firewalls.

 C. Upload the image to Panorama > Software menu, and deploy it to the firewalls.

 D. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the
firewalls.
Question #590
Which conditions must be met when provisioning a high availability (HA) cluster? (Choose
two.)

 A. HA cluster members must be the same firewall model and run the same PAN-OS
version.

 B. HA cluster members must share the same zone names.

 C. Panorama must be used to manage HA cluster members.

 D. Dedicated HA communication interfaces for the cluster must be used over HSCI
interfaces.
Question #591
Why are external zones required to be configured on a Palo Alto Networks NGFW in an
environment with multiple virtual systems?

 A. To allow traffic between zones in different virtual systems while the traffic is
leaving the appliance

 B. External zones are required because the same external zone can be used on
different virtual systems

 C. To allow traffic between zones in different virtual systems without the traffic
leaving the appliance
 D. Multiple external zones are required in each virtual system to allow the
communications between virtual systems
Question #592
Which two are required by IPSec in transport mode? (Choose two.)

 A. Auto generated key

 B. NAT Traversal

 C. IKEv1

 D. DH-group 20 (ECP-384 bits)


Question #593
A firewall engineer needs to patch the company’s Palo Alto Networks firewalls to the latest
version of PAN-OS. The company manages its firewalls by using Panorama. Logs are
forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire
appliances for analysis.

What must the engineer consider when planning deployment?

 A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS
version before updating the firewalls.

 B. Panorama, Dedicated Log Collectors, and WildFire appliances must have the target
PAN-OS version downloaded, after which the order of patching does not matter.

 C. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to
the target PAN-OS version before updating the firewalls.

 D. Only Panorama must be patched to the target PAN-OS version before updating
the firewalls.
Question #594
Which rule type controls end user SSL traffic to external websites?

 A. SSL Inbound Inspection

 B. SSH Proxy

 C. SSL Forward Proxy

 D. SSL Outbound Proxyless Inspection


Question #595
An internal audit team has requested additional information to be included inside traffic
logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?

 A. Custom Log Format within Device > Server Profiles > Syslog

 B. Built-in Actions within Objects > Log Forwarding Profile

 C. Logging and Reporting Settings within Device > Setup > Management

 D. Data Patterns within Objects > Custom Objects


Question #596
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to
check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL
Inbound Inspection certificate?

 A. show system setting ssl-decrypt certs

 B. show system setting ssl-decrypt certificate

 C. debug dataplane show ssl-decrypt ssl-stats

 D. show system setting ssl-decrypt certificate-cache


Question #597
Which two items must be configured when implementing application override and allowing
traffic through the firewall? (Choose two.)

 A. Application filter

 B. Application override policy rule

 C. Security policy rule

 D. Custom app
Question #598
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A
firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B
firewall uses a static IP address assigned to the outside interface of the firewall. However,
the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the
configurations to work? (Choose two.)

Site A configuration:

Site B configuration:

 A. Match IKE version on both firewalls.

 B. Configure Local Identification on Site B firewall.

 C. Enable NAT Traversal on Site B firewall.

 D. Disable passive mode on Site A firewall.


Question #599
Which server platforms can be monitored when a company is deploying User-ID through
server monitoring in an environment with diverse directory services?
 A. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

 B. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server

 C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory

 D. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange


Question #600
An engineer is monitoring an active/passive high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?

 A. Active-primary

 B. Active

 C. Active-secondary

 D. Initial

Question #601
A root cause analysis investigation into a recent security incident reveals that several
decryption rules have been disabled. The security team wants to generate email alerts when
decryption rules are changed.

How should email log forwarding be configured to achieve this goal?

 A. With the relevant system log filter inside Device > Log Settings

 B. With the relevant configuration log filter inside Device > Log Settings

 C. With the relevant configuration log filter inside Objects > Log Forwarding

 D. With the relevant system log filter inside Objects > Log Forwarding
Question #602
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.

The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair,
and virtual log collectors.

What is the recommended order of operational steps when upgrading?

 A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama


 B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

 C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

 D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls


Question #603
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption
are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce
the load on the firewall?

 A. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

 B. Use RSA instead of ECDSA for traffic that isn’t sensitive or high-priority.

 C. Use the highest TLS protocol version to maximize security.

 D. Use ECDSA instead of RSA for traffic that isn’t sensitive or high-priority.
Question #604
A firewall engineer has determined that, in an application developed by the company’s
internal team, sessions often remain idle for hours before the client and server exchange
any data. The application is also currently identified as unknown-tcp by the firewalls. It is
determined that because of a high level of trust, the application does not need to be
scanned for threats, but it needs to be properly identified in Traffic logs for reporting
purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is
used to identify the application?

 A. Create a custom application with specific timeouts and signatures based on
patterns discovered in packet captures.

 B. Access the Palo Alto Networks website and complete the online form to request
that a new application be added to App-ID.

 C. Create a custom application with specific timeouts, then create an application
override rule and reference the custom application.

 D. Access the Palo Alto Networks website and raise a support request through the
Customer Support Portal.
Question #605
What happens when the log forwarding built-in action with tagging is used?
 A. Selected logs are forwarded to the Azure Security Center.

 B. Destination zones of selected unwanted traffic are blocked.

 C. Destination IP addresses of selected unwanted traffic are blocked.

 D. Selected unwanted traffic source zones are blocked.


Question #606
A firewall engineer creates a source NAT rule to allow the company’s internal private
network 10.0.0.0/23 to access the internet. However, for security reasons, one server in
that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore
should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

 A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet
to 10.0.0.10/32.
2. Check the box for negate option to negate this IP from the NAT translation.

 B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet
to 10.0.0.0/23.
2. Check the box for negate option to negate this IP subnet from NAT translation.

 C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source
address translation set to dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet
set to 10.0.0.10/32 and source translation set to none.
3. Place (NAT-Rule-2) above (NAT-Rule-1).

 D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source
address translation set to dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet
set to 10.0.0.10/32 and source translation set to none.
3. Place (NAT-Rule-1) above (NAT-Rule-2).
Question #607
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose
three.)

 A. Create a URL filtering profile.

 B. Create an anti-virus profile.

 C. Enable User-ID.

 D. Configure a URL profile to block the phishing category.


 E. Create a decryption policy rule.
Question #608
A company is expanding its existing log storage and alerting solutions. All company Palo Alto
Networks firewalls currently forward logs to Panorama.

Which two additional log forwarding methods will PAN-OS support? (Choose two.)

 A. HTTP

 B. SSL

 C. Email

 D. TLS
Question #609
A firewall administrator has confirmed reports that a website is not displaying as expected,
and wants to ensure that decryption is not causing the issue.

Which three methods can the administrator use to determine if decryption is causing the
website to fail? (Choose three.)

 A. Move the policy with action decrypt to the top of the decryption policy rulebase.

 B. Investigate decryption logs of the specific traffic to determine reasons for failure.

 C. Temporarily disable SSL decryption for all websites to troubleshoot the issue.

 D. Disable SSL handshake logging.

 E. Create a policy-based "No Decrypt" rule in the decryption policy to exclude
specific traffic from decryption.
Question #610
After implementing a new NGFW, a firewall engineer is alerted to a VoIP traffic issue. After
troubleshooting, the engineer confirms that the firewall is altering the voice packets
payload.

What can the engineer do to solve the VoIP traffic issue?

 A. Increase the TCP timeout under SIP application

 B. Disable ALG under SIP application


 C. Disable ALG under H.323 application

 D. Increase the TCP timeout under H.323 application


Question #611
An administrator is considering deploying WildFire globally.

What should the administrator consider with regard to the WildFire analysis process?

 A. Each WildFire cloud analyzes samples independently of the other WildFire clouds.

 B. To comply with data privacy regulations, WildFire signatures and verdicts are not
shared globally.

 C. Palo Alto Networks owns and maintains one global cloud and four WildFire
regional clouds.

 D. The WildFire Global Cloud only provides bare metal analysis.


Question #612
Which two components are required to configure certificate-based authentication to the
web UI when an administrator needs firewall access on a trusted interface? (Choose two.)

 A. Server certificate

 B. CA certificate

 C. SSL/TLS Service Profile

 D. Certificate Profile
Question #613
What happens when an A/P firewall pair synchronizes IPsec tunnel security associations
(SAs)?

 A. Phase 2 SAs are synchronized over HA2 links.

 B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.

 C. Phase 1 SAs are synchronized over HA1 links.

 D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.


Question #614
Which function does the HA4 interface provide when implementing a firewall cluster which
contains firewalls configured as active-passive pairs?

 A. Perform session cache synchronization for all HA cluster members with the same
cluster ID.
 B. Perform synchronization of sessions, forwarding tables, and IPSec security
associations between firewalls in an HA pair.

 C. Perform packet forwarding to the active-passive peer during session setup and
asymmetric traffic flow.

 D. Perform synchronization of routes, IPSec security associations, and User-ID
information.
Question #615
A security engineer has configured a GlobalProtect portal agent with four gateways.

Which GlobalProtect Gateway will users connect to based on the chart provided?

 A. East

 B. South

 C. West

 D. Central
Question #616
A network security engineer needs to ensure that virtual systems can communicate with
one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created
for each virtual system.

In addition to confirming security policies, which three configuration details should the
engineer focus on to ensure communication between virtual systems? (Choose three.)

 A. Add a route with next hop next-vr by using the VR configured in the virtual
system.

 B. Layer 3 zones for the virtual systems that need to communicate.

 C. Add a route with next hop set to none, and use the interface of the virtual systems
that need to communicate.
 D. Ensure the virtual systems are visible to one another.

 E. External zones with the virtual systems added.


Question #617
A new application server 192.168.197.40 has been deployed in the DMZ. There are no public
IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another
DMZ server that uses IP address 192.168.197.60. Firewall security and NAT rules have been
configured. The application team has confirmed that the new server is able to establish a
secure connection to an external database with IP address 203.0.113.40.

The database team reports that they are unable to establish a secure connection to
198.51.100.88 from 203.0.113.40. However, it confirms a successful ping test to
198.51.100.88.

Referring to the NAT configuration and traffic logs provided, how can the firewall engineer
resolve the situation and ensure inbound and outbound connections work concurrently for
both DMZ servers?

 A. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.

 B. Replace the two NAT rules with a single rule that has both DMZ servers as "Source
Address," both external servers as "Destination Address," and Source Translation
remaining as is with bidirectional option enabled.

 C. Configure separate source NAT and destination NAT rules for the two DMZ servers
without using the bidirectional option.

 D. Sharing a single NAT IP is possible for outbound connectivity, not for inbound;
therefore, a new public IP address must be obtained for the new DMZ server and used
in the NAT rule 6 DMZ server 2.
Question #618
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which
additional action will further reduce the likelihood of newly discovered malware being
allowed through the firewalls?
 A. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus

 B. Increase the frequency of the applications and threats dynamic updates

 C. Increase the frequency of the antivirus dynamic updates

 D. Enable the "Report Grayware Files" option in Device > Setup > WildFire
Question #619
A company configures its WildFire analysis profile to forward any file type to the WildFire
public cloud. A company employee receives an email containing an unknown link that
downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?

 A. Performs malicious content analysis on the linked page, but not the corresponding
PE file

 B. Performs malicious content analysis on the linked page and the corresponding PE
file

 C. Does not perform malicious content analysis on the linked page but performs it on
the corresponding PE file

 D. Does not perform malicious content analysis on either the linked page or the
corresponding PE file
