Question No : 1
DRAG DROP
Match each GlobalProtect component to the purpose of that component

Show Answers

Answer:


Explanation:
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure
The GlobalProtect gateways provide security enforcement for traffic from GlobalProtect apps
The GlobalProtect app software runs on endpoints and enables access to your network resources

Question No : 2
A network engineer is troubleshooting a VPN and wants to verify whether the decapsulation/encapsulation counters are increasing.
Which CLI command should the engineer run?

• A.Show vpn tunnel name | match encap
• B.Show vpn flow name <tunnel name>
• C.Show running tunnel flow lookup
• D.Show vpn ipsec-sa tunnel <tunnel name>

Show Answers

Answer:

Question No : 3
An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

• A.Panorama does not have valid licenses to push the dynamic updates.
• B.Panorama has no connection to Palo Alto Networks update servers.
• C.No service route is configured on the firewalls to Palo Alto Networks update servers.
• D.Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.

Show Answers

Answer:

Question No : 4
A company is using wireless controllers to authenticate users.
Which source should be used for User-ID mappings?

• A.Syslog
• B.XFF headers
• C.server monitoring
• D.client probing

Show Answers

Answer:

Question No : 5
After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit with the following details.



What are two explanations for this type of issue? (Choose two)

• A.The peer IP is not included in the permit list on Management Interface Settings
• B.The Backup Peer HA1 IP Address was not configured when the commit was issued
• C.Either management or a data-plane interface is used as HA1-backup
• D.One of the firewalls has gone into the suspended state

Show Answers

Answer:

Question No : 6
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization1?

• A.Protection against unknown malware can be provided in near real-time
• B.WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
• C.After 24 hours WildFire signatures are included in the antivirus update
• D.WildFire and Threat Prevention combine to minimize the attack surface

Show Answers

Answer:

Question No : 7
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action.
How can the administrator create an exception for this particular file?

• A.Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.
• B.Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
• C.Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
• D.Disable the WildFire profile on the related Security policy.

Show Answers

Answer:

Question No : 8
An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding defined bandwidth.
Which QoS setting should the engineer adjust?

• A.QoS profile: Egress Max
• B.QoS interface: Egress Guaranteed
• C.QoS profile: Egress Guaranteed
• D.QoS interface: Egress Max

Show Answers

Answer:
Explanation:
When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-bandwidth-management

Question No : 9
You need to allow users to access the office-suite applications of their choice.
How should you configure the firewall to allow access to any office-suite application?

• A.Create an Application Group and add Office 365, Evernote Google Docs and Libre Office
• B.Create an Application Group and add business-systems to it.
• C.Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.
• D.Create an Application Filter and name it Office Programs then filter on the business-systems category.

Show Answers

Answer:

Question No : 10
Refer to the image.



An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.
How can the issue be corrected?

• A.Override the value on the NYCFW template.
• B.Override a template value using a template stack variable.
• C.Override the value on the Global template.
• D.Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

Show Answers

Answer:
Explanation:
Both templates and template stacks support variables. Variables allow you to create placeholder objects with their value specified in the template or template stack based on your configuration needs. Create a template or template stack variable to replace IP addresses, Group IDs, and interfaces in your configurations. https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/override-a-template-setting.html