PCNSE7 Exam Questions - Online Test



"Palo Alto Networks Certified Network Security Engineer", also known as the PCNSE7 exam, is a Palo Alto Networks certification.

NEW QUESTION 1
Refer to the exhibit.
PCNSE7 dumps exhibit
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
PCNSE7 dumps exhibit
B)
PCNSE7 dumps exhibit
C)
PCNSE7 dumps exhibit
D)
PCNSE7 dumps exhibit

  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D

Answer: D

NEW QUESTION 2
In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?

  • A. LDAP
  • B. Kerberos
  • C. Certification based authentication
  • D. RADIUS with Vendor-Specific Attributes

Answer: D

NEW QUESTION 3
Which option is an IPv6 routing protocol?

  • A. RIPv3
  • B. OSPFv3
  • C. OSPv3
  • D. BGP NG

Answer: B

NEW QUESTION 4
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?

  • A. Zone Protection Policy with UDP Flood Protection
  • B. QoS Policy to throttle traffic below maximum limit
  • C. Security Policy rule to deny traffic to the IP address and port that is under attack
  • D. Classified DoS Protection Policy using destination IP only with a Protect action

Answer: D

NEW QUESTION 5
Refer to the exhibit.
PCNSE7 dumps exhibit
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
  • B. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
  • C. Untrust (Any) to DMZ (10.1.1.1), web-browsing - Allow
  • D. Untrust (Any) to DMZ (10.1.1.1), ssh - Allow
  • E. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow

Answer: CD

NEW QUESTION 6
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the enterprise? (Choose three.)

  • A. Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually uploading.
  • B. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
  • C. Push the PAN-OS 7.0.4 updates from the support site to install on each firewall.
  • D. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining firewalls after updating one firewall.
  • E. Download and install PAN-OS 7.0.4 directly on each firewall.
  • F. Download and push PAN-OS 7.0.4 from Panorama to each firewall.

Answer: ACF

NEW QUESTION 7
Which Captive Portal mode must be configured to support MFA authentication?

  • A. NTLM
  • B. Redirect
  • C. Single Sign-On
  • D. Transparent

Answer: B

NEW QUESTION 8
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.
PCNSE7 dumps exhibit
Which Link Type setting will correct the error?

  • A. Set tunnel.1 to p2p
  • B. Set tunnel.1 to p2mp
  • C. Set Ethernet 1/1 to p2mp
  • D. Set Ethernet 1/1 to p2p

Answer: A

NEW QUESTION 9
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

  • A. Virtual router
  • B. Security zone
  • C. ARP entries
  • D. Netflow Profile

Answer: BD

NEW QUESTION 10
Only two Trust to Untrust allow rules have been created in the Security policy.
Rule1 allows google-base.
Rule2 allows youtube-base.
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found.
Which action will allow youtube.com to display in the browser correctly?

  • A. Add SSL App-ID to Rule1
  • B. Create an additional Trust to Untrust Rule, and add the web-browsing and SSL App-IDs to it
  • C. Add the DNS App-ID to Rule2
  • D. Add the Web-browsing App-ID to Rule2

Answer: C

NEW QUESTION 11
A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?

  • A. The three-way TCP handshake was observed, but the application could not be identified.
  • B. The three-way TCP handshake did not complete.
  • C. The traffic is coming across UDP, and the application could not be identified.
  • D. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied.

Answer: C

NEW QUESTION 12
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

  • A. Master
  • B. Universal
  • C. Shared
  • D. Global

Answer: C

NEW QUESTION 13
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

  • A. XML API
  • B. Port Mapping
  • C. Client Probing
  • D. Server Monitoring

Answer: A

Explanation: Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent.

NEW QUESTION 14
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?

  • A. A Server Profile has not been configured for logging to this Panorama device.
  • B. Panorama is not licensed to receive logs from this particular firewall.
  • C. The firewall is not licensed for logging to this Panorama device.
  • D. None of the firewall's policies have been assigned a Log Forwarding profile.

Answer: D

NEW QUESTION 15
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

  • A. Enable on Site-A only
  • B. Enable on Site-B only
  • C. Enable on Site-B only with passive mode
  • D. Enable on Site-A and Site-B

Answer: D

NEW QUESTION 16
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is the output from the command:
less mp-log ikemgr.log:
PCNSE7 dumps exhibit
What could be the cause of this problem?

  • A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
  • B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
  • C. The shared secrets do not match between the Palo Alto firewall and the ASA.
  • D. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.

Answer: B
