1. How can a candidate or running configuration be copied to a host external from Panorama?

2. Which log file can be used to identify SSL decryption failures?

3. A customer wants to set up a site-to-site VPN using tunnel interfaces?

Which two formats are correct for naming tunnel interfaces? (Choose two.)

4. If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

5. A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections.

Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

6. Which operation will impact the performance of the management plane?

7. Which protection feature is available only in a Zone Protection Profile?

8. Which two features does PAN-OS® software use to identify applications? (Choose two)

9. Which method will dynamically register tags on the Palo Alto Networks NGFW?

10. To more easily reuse templates and template slacks, you can create term plate variables in place of firewall-specific and appliance-specific IP literals in your configurations

Which one is the correct configuration?

11. When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

12. An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.

What must the administrator configure so that the PAN-OS® software can be upgraded?

13. An administrator needs to upgrade an NGFW to the most current version of PAN-OS®

software.

The following is occurring:

• Firewall has Internet connectivity through e1/1.

• Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.

• Service route is configured, sourcing update traffic from e1/1.

• A communication error appears in the System logs when updates are performed.

• Download does not complete.

What must be configured to enable the firewall to download the current version of PAN-OS software?

14. Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?

15. Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

16. A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.

How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

17. A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.

How quickly will the firewall receive back a verdict?

18. Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

19. Which three authentication factors does PAN-OS® software support for MFA (Choose three.)

20. An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.

What is the expected verdict from WildFire?

21. In the following image from Panorama, why are some values shown in red?

22. Exhibit:

What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

23. A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config.

The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because

24. An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.

Which option would achieve this result?

25. Which CLI command can be used to export the tcpdump capture?

26. A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

27. A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?

28. Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

29. Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

30. Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

31. An administrator has left a firewall to use the default port for all management services.

Which three functions are performed by the dataplane? (Choose three.)

32. An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?

33. Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

34. Which option is part of the content inspection process?

35. Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

36. Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

37. Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

38. An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion.

When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

39. Which three options are supported in HA Lite? (Choose three.)

40. An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications.

QoS natively integrates with which feature to provide service quality?

41. How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

42. Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)

43. Which event will happen if an administrator uses an Application Override Policy?

44. Which logs enable a firewall administrator to determine whether a session was decrypted?

45. A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.

Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

46. SAML SLO is supported for which two firewall features? (Choose two.)

47. During the packet flow process, which two processes are performed in application identification? (Choose two.)

48. An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.

Which Security Profile type will prevent this attack?

49. An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?

50. In a virtual router, which object contains all potential routes?

51. When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

52. Which administrative authentication method supports authorization by an external service?

53. To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure.

54. The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

55. A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.

Which solution in PAN-OS® software would help in this case?

56. Which is not a valid reason for receiving a decrypt-cert-validation error?

57. A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.

Which option will protect the individual servers?

58. Which feature prevents the submission of corporate login information into website forms?

59. What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

60. Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

61. A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.

How would an administrator configure the interface to 1Gbps?

62. Starling with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?

63. If the firewall has the link monitoring configuration, what will cause a failover?

64. Which virtual router feature determines if a specific destination IP address is reachable?

65. An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab.

Which profile is the cause of the missing Policies tab?

66. When configuring the firewall for packet capture, what are the valid stage types?

67. Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

68. Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

69. An administrator has users accessing network resources through Citrix XenApp 7 x.

Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

70. An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panoram A. Pre-existing logs from the firewalls are not appearing in Panoram A.

Which action would enable the firewalls to send their pre-existing logs to Panorama?

71. A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial of-service attacks.

How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

72. What is the purpose of the firewall decryption broker?

73. If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?

74. When is the content inspection performed in the packet flow process?

75. Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

76. Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

77. If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

78. An administrator accidentally closed the commit window/screen before the commit was finished.

Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

79. Which feature can provide NGFWs with User-ID mapping information?

80. Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

81. How does Panorama prompt VMWare NSX to quarantine an infected VM?

82. Which DoS protection mechanism detects and prevents session exhaustion attacks?

83. Import the certificate.

3 Select Import Private Key

4 Click Generate to generate the new certificate

B. 1 Select Device > Certificates

2 Select Certificate Profile

3 Generate the certificate

4 Select Block Private Key Export.

C. 1 Select Device > Certificates

2 Select Certificate Profile.

3 Generate the certificate

4 Select Block Private Key Export

D. 1 Select Device > Certificate Management > Certificates > Device > Certificates

2 Generate the certificate

3 Select Block Private Key Export

4 Click Genet ale to generate the new certificate.

84. Which three settings are defined within the Templates object of Panorama? (Choose three.)

85. To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

86. Which feature can provide NGFWs with User-ID mapping information?

87. A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)

88. An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.

Which two options enable the administrator to troubleshoot this issue? (Choose two.)

89. Refer to the exhibit.

Which will be the egress interface if the traffic’s ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

90. Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

91. What file type upload is supported as part of the basic WildFire service?

92. Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best

place on the Palo Alto Networks NGFW to check whether the configuration is correct?

A)

B)

C)

D)

93. The firewall identifies a popular application as an unknown-tcp.

Which two options are available to identify the application? (Choose two.)

94. An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.

Which configuration setting or step will allow the firewall to get automatic application signature updates?

95. View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

96. Which three firewall states are valid? (Choose three.)

97. Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.

98. Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?

99. Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?