NEW QUESTION 1
If the firewall has the link monitoring configuration, what will cause a failover?

• A. ethernet1/3 and ethernet1/6 going down
• B. ethernet1/3 going down
• C. ethernet1/3 or Ethernet1/6 going down
• D. ethernet1/6 going down

Answer: A

NEW QUESTION 2
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

• A. Set tunne
• B. 1 to p2p
• C. Set tunne
• D. 1 to p2mp
• E. Set Ethernet 1/1 to p2mp
• F. Set Ethernet 1/1 to p2p

Answer: A

NEW QUESTION 3
A company hosts a publicly accessible web server behind a Palo Alto Networks next- generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

• A. Destination IPof 23.54.6.10
• B. UntrustL3 for both Source and Destination Zone
• C. Destination IP of 192.168.1.10
• D. UntrustL3 for Source Zone and Trust-L3 for Destination Zone

Answer: AB

NEW QUESTION 4
Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

• A. Brute-force signatures
• B. BrightCloud Url Filtering
• C. PAN-DB URL Filtering
• D. DNS-based command-and-control signatures

Answer: CD

NEW QUESTION 5
The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

• A. QoS Statistics
• B. Applications Report
• C. Application Command Center (ACC)
• D. QoS Log

Answer: A

NEW QUESTION 6
Which three log-forwarding destinations require a server profile to be configured? (Choose three)

• A. SNMP Trap
• B. Email
• C. RADIUS
• D. Kerberos
• E. Panorama
• F. Syslog

Answer: ABF

NEW QUESTION 7
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

• A. web-browsing and 443
• B. SSL and 80
• C. SSL and 443
• D. web-browsing and 80

Answer: B

NEW QUESTION 8
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?

• A. Anti-Spyware
• B. Instruction Prevention
• C. File Blocking
• D. Antivirus

Answer: D

NEW QUESTION 9
A user’s traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been
configured with a PBF rule that the user’s traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

• A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
• B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
• C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
• D. Configure path monitoring for the next hop gateway on the default route in the virtual router.

Answer: D

NEW QUESTION 10
Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms?

• A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
• B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
• C. Configure log compression and optimization features on all remote firewalls.
• D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Answer: C

NEW QUESTION 11
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

• A. A scheduler will need to be configured for application signatures.
• B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
• C. A Threat Prevention license will need to be installed.
• D. A service route will need to be configured.

Answer: D

Explanation: The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list.

NEW QUESTION 12
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?

• A. test security -policy- match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number
• B. show security rule source <ip_address> destination <IP_address> destination port <portnumber> protocol <protocol number>
• C. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
• D. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>test security-policy-match source

Answer: A

Explanation: test security-policy-match source <source IP> destination <destination IP> protocol <protocol number>
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security- Policy-Applies-to-a-Traffic-Flow/ta-p/53693

NEW QUESTION 13
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

• A. To enable Gateway authentication to the Portal
• B. To enable Portal authentication to the Gateway
• C. To enable user authentication to the Portal
• D. To enable client machine authentication to the Portal

Answer: C

Explanation: The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite. Referencehttps://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals

NEW QUESTION 14
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

• A. The devices are pre-configured with a virtual wire pair out the first two interfaces.
• B. The devices are licensed and ready for deployment.
• C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
• D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
• E. The interface are pingable.

Answer: BC

NEW QUESTION 15
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)

• A. Panorama virtual appliance on ESX(i) only
• B. M-500
• C. M-100 with Panorama installed
• D. M-100

Answer: BC

Explanation: (https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181)

NEW QUESTION 16
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

• A. XML API
• B. Port Mapping
• C. Client Probing
• D. Server Monitoring

Answer: A

Explanation: Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent

NEW QUESTION 17
In a virtual router, which object contains all potential routes?

• A. MIB
• B. RIB
• C. SIP
• D. FIB

Answer: B

NEW QUESTION 18
A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti- Spyware and select default profile.
What should be done next?

• A. Click the simple-critical rule and then click the Action drop-down list.
• B. Click the Exceptions tab and then click show all signatures.
• C. View the default actions displayed in the Action column.
• D. Click the Rules tab and then look for rules with "default" in the Action column.

Answer: B

NEW QUESTION 19
Refer to Exhibit:


A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

• A. 172.20.30.1
• B. 172.20.20.1
• C. 172.20.10.1
• D. 172.20.40.1

Answer: B