Topic 1 : Main Questions pool
Which CLI command can be used to export the tcpdump capture?
A.
scp export tcpdump from mgmt.pcap to <username@host:path>
B.
scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
C.
scp export mgmt-pcap from mgmt.pcap to <username@host:path>
D.
download mgmt.-pcap
scp export mgmt-pcap from mgmt.pcap to <username@host:path>
Reference:
https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/55415
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual
authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?
A.
Use custom certificates
B.
Enable LDAP or RADIUS integration
C.
Set up multi-factor authentication
D.
Configure strong password authentication
Use custom certificates
Reference:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/plan-your
Which CLI command is used to simulate traffic going through the firewall and determine which Security
policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A.
check
B.
find
C.
test
D.
sim
test
http://www.shanekillen.com/2014/02/palo-alto-useful-cli-commands.html
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?
A.
Enable packet buffer protection on the Zone Protection Profile.
B.
Apply an Anti-Spyware Profile with DNS sinkholing.
C.
Use the DNS App-ID with application-default.
D.
Apply a classified DoS Protection Profile.
Enable packet buffer protection on the Zone Protection Profile.
Which feature can provide NGFWs with User-ID mapping information?
A.
GlobalProtect
B.
WebCaptcha
C.
Native 802.1q authentication
D.
Native 802.1x authentication
GlobalProtect
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security
management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/security platforms?
A.
Forward logs from firewalls only to Panorama and have Panorama forward logs to other external
services.
B.
Forward logs from external sources to Panorama for correlation, and from Panorama send them to the
NGFW.
C.
Configure log compression and optimization features on all remote firewalls.
D.
Any configuration on an M-500 would address the insufficient bandwidth concerns
Forward logs from firewalls only to Panorama and have Panorama forward logs to other external
services.
Refer to the exhibit.
A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
A.
Untrust (any) to Untrust (10.1.1.100), web browsing – Allow
B.
Untrust (any) to Untrust (1.1.1.100), web browsing – Allow
C.
Untrust (any) to DMZ (1.1.1.100), web browsing – Allow
D.
Untrust (any) to DMZ (10.1.1.100), web browsing – Allow
Untrust (any) to Untrust (1.1.1.100), web browsing – Allow
QUESTION NO: 85
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP
port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be
configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust
to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to
allow cleartext web-browsing traffic to this server on tcp/443?
A. Rule #1: application: web-browsing; service: application-default; action: allow
Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-https; action: allow
Rule #2: application: ssl; service: application-default; action: allow
C. Rule #1: application: ssl; service: application-default; action: allow
Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-http; action: allow
Rule #2: application: ssl; service: application-default; action: allow
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
A.
port mapping
B.
server monitoring
C.
client probing
D.
XFF headers
port mapping
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-for-terminal-serverusers
When is the content inspection performed in the packet flow process?
A.
after the application has been identified
B.
before session lookup
C.
before the packet forwarding process
D.
after the SSL Proxy re-encrypts the packet
after the application has been identified
Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?
A.
Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for
every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface
to a unique zone.
B.
Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag
Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for
untagged traffic. Assign each interface/subinterface to a unique zone.
C.
Create V-Wire objects with two V-Wire interfaces and define a range "0-4096" in the "Tag Allowed"
field of the V-Wire object.
D.
Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router.
The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a
unique zone. Do not assign any interface an IP address.
Create V-Wire objects with two V-Wire interfaces and define a range "0-4096" in the "Tag Allowed"
field of the V-Wire object.