Please match the terms to their corresponding definitions.
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
A. Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.
B. Use the highest TLS protocol version to maximize security.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.
D. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.
Explanation: Decryption can be resource-intensive, and in scenarios where the firewall is
nearing its resource limits, optimizing decryption practices is crucial. One way to do this is
by choosing more efficient encryption algorithms that require less computational power.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller
key sizes compared to RSA for a comparable level of security. This translates to
less computational overhead during the encryption and decryption processes.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can
reduce the processing load associated with decryption on the firewall. This is
particularly beneficial in scenarios where resource optimization is necessary.
It's important to note that this approach does not compromise the security of
encrypted traffic. Instead, it offers a more resource-efficient way to manage
decryption, thus helping to maintain firewall performance even when system
resources are under significant demand.
By judiciously applying this strategy, administrators can manage the decryption workload
on the firewall, ensuring continued protection and inspection of encrypted traffic without
overburdening the firewall's resources.
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
A. Log Collector
B. Panorama
C. Legacy
D. Management Only
An engineer is troubleshooting a traffic-routing issue. What is the correct packet-flow sequence?
A. PBF > Zone Protection Profiles > Packet Buffer Protection
B. BGP > PBF > NAT
C. PBF > Static route > Security policy enforcement
D. NAT > Security policy enforcement > OSPF
Explanation: The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
A. Log Ingestion
B. HTTP
C. Log Forwarding
D. LDAP
Explanation: > Threat logs: create a log forwarding profile to define how you want the firewall or Panorama to handle logs. > Configure an HTTP server profile to forward logs to a remote User-ID agent. > Select the log forwarding profile you created, then select this server profile as the HTTP server profile. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions
Based on the screenshots above, and with no configuration inside the Template Stack
itself, what access will the device permit on its Management port?
A. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
B. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
C. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.
D. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.
Explanation: https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-valueoption/td-p/496620 "- Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration" "You need to be careful what is actually defined in the template. For example, if you decide to enable HA in the template, but after that you decide not to push it with the template and just disable it again (remove the check from the "Enable HA" checkbox), this will still be part of the template, because now your template is explicitly defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value"
Which CLI command displays the physical media that are connected to ethernet1/8?
A. > show system state filter-pretty sys.si.p8.stats
B. > show system state filter-pretty sys.sl.p8.phy
C. > show system state filter-pretty sys.sl.p8.med
D. > show interface ethernet1/8
Explanation: The CLI command "show system state filter-pretty sys.sl.p8.phy" is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8. This command is designed to filter the output to show relevant physical layer information for the specified interface. For more information on Palo Alto Networks CLI commands and their outputs, refer to the "PAN-OS® CLI Reference Guide".
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?
A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
A. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"
B. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)"
C. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"
D. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)"
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
A. SSH Service profile
B. SSL/TLS Service profile
C. Certificate profile
D. Decryption profile
Explanation: SSL/TLS profile is only the TLS versions, not ciphers. Decryption Profile is for SSL Inbound and Forward Proxy applications, not mgmt of the PANW Firewall. There are also KB articles to strengthen SSH, but I couldn't find any for HTTPS, on the mgmt interface:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2&lang=en_US