CertsOut Paloalto Networks-PCNSE Dumps



IMPORTANT NOTICE

Feedback

We have developed a quality product and state-of-the-art service to protect our customers' interests. If you have any suggestions, please feel free to contact us at feedback@certsout.com

Support

If you have any questions about our product, please contact us at support@certsout.com and provide the following items:

exam code

screenshot of the question

login id/email

Our technical experts will provide support within 24 hours.

Copyright

The product of each order has its own encryption code, so you should use it independently. Any unauthorized changes will incur legal penalties. We reserve the right of final interpretation of this statement.

Question #:1

Which statement regarding HA timer settings is true?

A. Use the Recommended profile for typical failover timer settings.

B. Use the Moderate profile for typical failover timer settings.

C. Use the Aggressive profile for slower failover timer settings.

D. Use the Critical profile for faster failover timer settings.

Answer: A

Explanation

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

Question #:2

What are three prerequisites for credential phishing prevention to function? (Choose three.)

A. In the URL filtering profile, use the drop-down list to enable user credential detection.

B. Enable Device-ID in the zone.

C. Select the action for Site Access for each category.

D. Add the URL filtering profile to one or more Security policy rules.

E. Set the phishing category to block in the URL Filtering profile.

Answer: A D E

Question #:3

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

A. Custom URL category in URL Filtering profile

B. EDL in URL Filtering profile

C. PAN-DB URL category in URL Filtering profile

D. Custom URL category in Security policy rule

Answer: C

Question #:4

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

A. Windows User-ID agent

B. GlobalProtect

C. XMLAPI

D. External dynamic list

E. Dynamic user groups

Answer: A B C

Explanation

User-ID is a feature that allows the firewall to identify and classify users and groups on the network based on their usernames, IP addresses, and other attributes. User-ID information can be collected from various sources, such as:

A: Windows User-ID agent: A software agent that runs on a Windows server and collects user information from Active Directory domain controllers, Exchange servers, or eDirectory servers. The agent then sends the user information to the firewall or Panorama for user mapping.

B: GlobalProtect: A software agent that runs on the endpoints and provides secure VPN access to the network. GlobalProtect also collects user information from the endpoints and sends it to the firewall or Panorama for user mapping.

C: XMLAPI: An application programming interface that allows external systems or scripts to send user information to the firewall or Panorama in XML format. The XMLAPI can be used to integrate with third-party systems, such as identity providers, captive portals, or custom applications.

Question #:5

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

A. /content

B. /software

C. /plugins

D. /license

Answer: A B D

Question #:6

Where can a service route be configured for a specific destination IP?

A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4

B. Use Device > Setup > Services > Services

C. Use Device > Setup > Services > Service Route Configuration > Customize > Destination

D. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

Answer: C

Explanation

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

Question #:7

A new application server, 192.168.197.40, has been deployed in the DMZ. No public IP addresses are available, so the server shares NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40; however, they confirm a successful ping test to 198.51.100.88. Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

A. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address," both external servers as "Destination Address," and Source Translation remaining as is with the bidirectional option enabled.

B. Sharing a single NAT IP is possible for outbound connectivity but not for inbound; therefore, a new public IP address must be obtained for the new DMZ server and used in NAT rule 6 (DMZ server 2).

C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.

D. Move NAT rule 6 (DMZ server 2) above NAT rule 5 (DMZ server 1).

Answer: C

Explanation

The table displays the NAT rules configured on the firewall. The key points are:

Source Zone and Destination Zone define the traffic flow.

Source Address and Destination Address specify the IP addresses involved.

Service indicates the type of traffic (e.g., any, ping).

Source Translation and Destination Translation show the translated IP addresses for NAT.

Issue and Resolution Options

The application server at 192.168.197.40 can establish outbound connections but faces issues with inbound connections due to the shared NAT IP 198.51.100.88. The external database server cannot establish a secure connection back to 192.168.197.40.

Options to Resolve the Issue:

Replace the Two NAT Rules with a Single Rule:

Combining both DMZ servers into one NAT rule might simplify configuration but could cause issues in distinguishing inbound traffic for each server.

Pros: Simplifies rule management.

Cons: Might not address the inbound traffic issue properly.

New Public IP Address:

Obtaining a new public IP address for the new server (192.168.197.40) ensures dedicated inbound and outbound NAT.

Pros: Clear separation of traffic, resolves inbound connectivity issues.

Cons: Requires additional public IP.

Separate Source NAT and Destination NAT Rules:

Configuring distinct NAT rules for source and destination addresses without using the bidirectional option.

Pros: Clear and distinct rules for each direction of traffic.

Cons: More complex to manage, might require more firewall resources.

Move the NAT Rule:

Adjusting the order of NAT rules to prioritize the new server's rule.

Pros: Simple reordering might resolve prioritization conflicts.

Cons: Might not fully resolve the inbound connection issue.

Question #:8

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

A. Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.

B. Use the highest TLS protocol version to maximize security.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

D. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

Answer: C

Explanation

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.

Question #:9

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

A. Proxy IDs

B. GRE Encapsulation

C. Tunnel Monitor

D. ToS Header

Answer: A

Question #:10

If a URL is in multiple custom URL categories with different actions, which action will take priority?

A. Allow

B. Override

C. Block

D. Alert

Answer: C

Explanation

When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).

4 alert

5 allow

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC

About certsout.com

certsout.com was founded in 2007. We provide the latest, high-quality IT / Business Certification Training Exam Questions, Study Guides, and Practice Tests.

We help you pass any IT / Business Certification Exam with a 100% Pass Guarantee or Full Refund, especially for Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and others.


We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed below.

Sales: sales@certsout.com

Feedback: feedback@certsout.com

Support: support@certsout.com

For any problems with IT certification or our products, you can write to us and we will get back to you within 24 hours.
