
Item 94 of 139

A consultant advises a client on designing an explicit web proxy deployment on PAN-OS 11.0. The
client currently uses RADIUS authentication in their environment. Which two pieces of information
should the consultant provide the client regarding web proxy authentication? (Choose two)
A. RADIUS is not supported for explicit or transparent web proxy.
B. Kerberos or SAML Authentication need to be configured.
C. LDAP or TACACS+ authentication need to be configured.
D. RADIUS is only supported for transparent web proxy.

Answer: A B

Item 95 of 139
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN
configuration. What part of the configuration should the engineer verify?
A. PAN-OS version
B. IKE Crypto profile
C. Proxy-IDs
D. Security policy
Answer: C

Item 96 of 139
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule
allow an administrator to compare?
A. The running configuration with the candidate configuration of the firewall
B. Applications configured in the rule with their dependencies
C. Applications configured in the rule with applications seen from traffic matching the same rule
D. The security rule with any other security rule selected
Answer: C

Item 97 of 139

What can be used as an action when creating a policy-based forwarding (PBF) policy?

A. Discard

B. Deny

C. Allow

D. Next VR

Answer: A

Item 98 of 139
Which two factors should be considered when sizing a decryption firewall deployment? (Choose
two)
A. Number of blocked sessions
B. TLS protocol version
C. Encryption algorithm
D. Number of security zones in decryption policy

Answer: B C

Item 99 of 139
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID
agent? (Choose two)
A. LDAP
B. HTTP
C. Log forwarding
D. Log ingestion
Answer: B C

Item 100 of 139

An engineer is tasked with deploying SSL forward proxy decryption for their organisation. What
should they review with their leadership before implementation?
A. Cipher documentation supported by the endpoint operating system
B. Browser-supported cipher documentation
C. Legal compliance regulations and acceptable usage policies
D. URL risk-based category distinctions
Answer: C

Item 101 of 139

An engineer has been asked to limit which routes are shared by running two different areas within
an OSPF implementation. However, the devices share a common link for communication. Which
virtual router configuration supports running multiple instances of the OSPF protocol over a single
link?
A. OSPF
B. ECMP
C. OSPFv3
D. ASBR
Answer: C

Item 102 of 139

A network administrator wants to deploy SSL forward proxy decryption. What two attributes should a
forward trust certificate have? (Choose two)

A. A subject alternative name

B. A certificate authority (CA) certificate

C. A server certificate

D. A private key

Answer: B D

Item 103 of 139

An administrator needs to gather information about the CPU utilization on both the management
plane and the data plane. Where does the administrator view the desired data?
A. Resource widget on the dashboard
B. Support > Resources
C. Monitor > Utilization
D. Application command and control Centre
Answer: A

Item 104 of 139

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two)
A. GlobalProtect Quarantine Activity
B. Successful GlobalProtect Deployed Activity
C. GlobalProtect Deployment Activity
D. Successful GlobalProtect Connection Activity
Answer: C D

Item 105 of 139
Which link is responsible for synchronizing sessions between high availability (HA) peers?
A. HA1
B. HA2
C. HA4
D. HA3
Answer: B

Item 106 of 139

What are the three prerequisites for credential phishing prevention to function? (Choose three)
A. Enable Device-ID in the zone
B. In the URL filtering profile, use the drop-down list to enable user credential detection
C. Select the action for Site Access for each category
D. Add the URL filtering profile to one or more security policy rules
E. Set phishing category to block in the URL filtering profile
Answer: A B E

Item 107 of 139

An engineer is tasked with decrypting web traffic in an environment without an established PKI.
When using a self-signed certificate generated on the firewall, which type of certificate should be
installed on client devices to ensure there are no client browser warnings when decrypting
approved web traffic?
A. A public root CA certificate
B. An enterprise root CA certificate
C. The same certificate as the forward trust certificate
D. The same certificate at the forward and trust certificate
Answer: C

Item 108 of 139

An administrator notices that an interface configuration has been overridden locally on a
firewall. They require all configuration to be managed from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
A. Perform a commit force from the CLI of the firewall
B. Perform a device group commit push from Panorama using the "Include Device and Network
Templates" option
C. Reload the running configuration and perform a firewall local commit
D. Perform a template commit push from Panorama using the "Force Template Values" option
Answer: D

Item 109 of 139

In a template, which two objects can be configured? (Choose two)
A. Application group
B. Monitor profile
C. IPsec tunnel
D. SD-WAN path quality profile
Answer: B C

Item 110 of 139
To ensure that a security policy has the highest priority, how should an administrator configure a
security policy in the device group hierarchy?
A. Add the policy in the shared device group as a pre-rule
B. Add the policy to the target device group and apply a master device to the device group
C. Reference the target device's template in the target device group
D. Clone the security policy and add it to the other device group
Answer: A

Item 111 of 139

Which DoS protection profile detects and prevents session exhaustion attacks against specific
destinations?
A. Resource Protection
B. TCP port scan protection
C. Packet-based attack protection
D. Flood protection
Answer: A

Item 112 of 139

Which operation will impact the performance of the management plane?
A. DoS protection
B. Generating a SaaS application report
C. Decrypting SSL sessions
D. WildFire submission
Answer: B

Item 113 of 139
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This
Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and
template configuration is managed solely within Panorama. They noticed that commit times have
drastically increased for the PA-220s after the migration. What can they do to reduce commit
times?

A. Perform a device group push using the "merge with device candidate config" option
B. Disable Share Unused Address and Service Objects with Devices in Panorama Settings
C. Use export or push device config bundle to ensure that the firewall is integrated with the
Panorama config
D. Update the apps and threat version using device deployment
Answer: B

Item 114 of 139

An administrator receives the following error message:
IKE phase-2 negotiation failed when processing proxy ID. Received local ID 192.168.33.33/24 type
ipv4 address protocol 0 port 0, remote ID 172.16.33.33/24 ipv4 address protocol 0 port 0.
How should the administrator identify the root cause of this error message?
A. In the IPsec crypto profile configuration, verify that PFS is enabled on both VPN peers or
disabled on both VPN peers.
B. In the IKE gateway configuration, verify that the IP address for each VPN peer is accurate.
C. Check whether the VPN peer on one end is set up correctly using policy-based VPN.
D. Verify that the IP addresses can be pinged and that routing issues are not causing the
connection failure.
Answer: C

Item 115 of 139
An engineer is configuring a firewall with three interfaces:
1. MGT connects to a switch with internet access
2. Ethernet 1/1 connects to an edge router
3. Ethernet 1/2 connects to a virtualization network

The engineer needs to configure dynamic updates to use a data plane interface for internet traffic.
What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

A. Set DDNS and Palo Alto Networks services to use the MGT source interface
B. Set DNS and Palo Alto Networks services to use the Ethernet 1/2 source interface
C. Set DNS and Palo Alto Networks services to use the Ethernet 1/1 source interface
D. Set DNS and Palo Alto Networks services to use the MGT source interface

Answer: D

Item 116 of 139

A company has configured a URL filtering profile with the override action on their firewall. Which
two profiles are needed to complete the configuration? (Choose two)
A. Interface management
B. HTTP server
C. SSL/TLS service
D. Decryption
Answer: A C
