NEW QUESTION 1
Which three types of software will receive a Grayware verdict from WildFire? (Choose Three)

• A. Browser Toolbar
• B. Trojans
• C. Ransomeware
• D. Potentially unwanted programs
• E. Adware.

Answer: ADE

Explanation: https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/wildfire-features/wildfire-grayware-verdict

NEW QUESTION 2
How are IPV6 DNS queries configured to user interface ethernet1/3?

• A. Network > Virtual Router > DNS Interface
• B. Objects > CustomerObjects > DNS
• C. Network > Interface Mgrnt
• D. Device > Setup > Services > Service Route Configuration

Answer: D

NEW QUESTION 3
Which three rule types are available when defining policies in Panorama? (Choose three.)

• A. Pre Rules
• B. Post Rules
• C. Default Rules
• D. Stealth Rules
• E. Clean Up Rules

Answer: ABC

Explanation: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/panorama-web-interface/defining-policies-on-panorama

NEW QUESTION 4
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

• A. Configure the management interface as HA3 Backup
• B. Configure Ethernet 1/1 as HA1 Backup CConfigure Ethernet 1/1 as HA2 Backup
• C. Configure the management interface as HA2 Backup
• D. Configure the management interface as HA1 Backup
• E. Configure ethernet1/1 as HA3 Backup

Answer: BE

NEW QUESTION 5
If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

• A. SSL Forward Proxy
• B. SSL Inbound Inspection
• C. TLS Bidirectional proxy
• D. SSL Outbound Inspection

Answer: B

NEW QUESTION 6
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?

• A. Create a Template with the appropriate IKE Gateway settings
• B. Create a Template with the appropriate IPSec tunnel settings
• C. Create a Device Group with the appropriate IKE Gateway settings
• D. Create a Device Group with the appropriate IPSec tunnel settings

Answer: B

NEW QUESTION 7
VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

• A. Zone Protection
• B. DoS Protection
• C. Web Application
• D. Replay

Answer: A

NEW QUESTION 8
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

• A. Use the debug dataplane packet-diag set capture stage firewall file command.
• B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
• C. Use the debug dataplane packet-diag set capture stage management file command.
• D. Use the topdump command.

Answer: A

NEW QUESTION 9
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

• A. application: web-browsing; service: application-default
• B. application: web-browsing; service: service-https
• C. application: ssl; service: any
• D. application: web-browsing; service: (custom with destination TCP port 8080)

Answer: A

NEW QUESTION 10
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

• A. Panorama Log Settings
• B. Panorama Log Templates
• C. Panorama Device Group Log Forwarding
• D. Collector Log Forwarding for Collector Groups

Answer: A

Explanation: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage-log-collection/enable-log-forwarding-from-panorama-to-external-destinations

NEW QUESTION 11
Which interface configuration will accept specific VLAN IDs?

• A. Tab Mode
• B. Subinterface
• C. Access Interface
• D. Trunk Interface

Answer: B

NEW QUESTION 12
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

• A. web-browsing and 443
• B. SSL and 80
• C. SSL and 443
• D. web-browsing and 80

Answer: B

NEW QUESTION 13
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

• A. Disable Server Response Inspection
• B. Apply an Application Override
• C. Disable HIP Profile
• D. Add server IP Security Policy exception

Answer: A

NEW QUESTION 14
Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

• A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes
• B. Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode.
• C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.
• D. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector mode.
• E. Log in the Panorama CLI of the dedicated Log Collector

Answer: BE

Explanation: (https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-panorama/set-up-the-m-100-appliance)

NEW QUESTION 15
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface
Which interface type and configuration setting will support this design?

• A. Trunk interface type with specified tag
• B. Layer 3 interface type with specified tag
• C. Layer 2 interface type with a VLAN assigned
• D. Layer 3 subinterface type with specified tag

Answer: D

NEW QUESTION 16
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

• A. Security policy rule allowing SSL to the target server
• B. Firewall connectivity to a CRL
• C. Root certificate imported into the firewall with “Trust” enabled
• D. Importation of a certificate from an HSM

Answer: A