Q1. In order to route traffic between layer 3 interfaces on the PAN firewall you need:
A. VLAN
B. Vwire
C. Security Profile
D. Virtual Router
Answer: A
Q2. When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset.
A. True
B. False
Answer: B
Q3. A company has a web server behind their Palo Alto Networks firewall that they would like to make accessible to the public. They have decided to configure a destination NAT Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
Public zone: Untrust-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?
A. DMZ-L3
B. Any
C. Untrust-L3
D. Trust-L3
Answer: C
Q4. What is the default setting for 'Action' in a Decryption Policy's rule?
A. No-decrypt
B. Decrypt
C. Any
D. None
Answer: D
Q5. Traffic going to a public IP address is being translated by your PANW firewall to your web server's private IP. Which IP should the Security Policy use as the "Destination IP" in order to allow traffic to the server?
A. The server’s public IP
B. The firewall’s gateway IP
C. The server’s private IP
D. The firewall’s MGT IP
Answer: A
Q6. WildFire may be used for identifying which of the following types of traffic?
A. URL content
B. DHCP
C. DNS
D. Viruses
Answer: D
Q7. Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3 answers
A. Application Identification (App-ID)
B. Group Identification (Group-ID)
C. User Identification (User-ID)
D. Threat Identification (Threat-ID)
E. Content Identification (Content-ID)
Answer: A,C,E
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 5
Q8. Company employees have been given access to the GlobalProtect Portal at https://portal.company.com:
Assume the following:
1. The firewall is configured to resolve DNS names using the internal DNS server.
2. The URL portal.company.com resolves to the external interface of the firewall on the company’s external DNS server and to the internal interface of the firewall on the company’s internal DNS server.
3. The URL gatewayl.company.com resolves to the external interface of the firewall on the company’s external DNS server and to the internal interface of the firewall on the company’s internal DNS server.
This Gateway configuration will have which two outcomes? Choose 2 answers
A. Clients outside the network will be able to connect to the external gateway Gateway1.
B. Clients inside the network will be able to connect to the internal gateway Gateway1.
C. Clients outside the network will NOT be able to connect to the external gateway Gateway1.
D. Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Answer: A,B
Q9. A company has a policy that denies all applications they classify as bad and permits only applications they classify as good. The firewall administrator created the following security policy on the company’s firewall:
Which two benefits are gained from having both rule 2 and rule 3 present? Choose 2 answers
A. Different security profiles can be applied to traffic matching rules 2 and 3.
B. Separate Log Forwarding profiles can be applied to rules 2 and 3.
C. Rule 2 denies traffic flowing across different TCP and UDP ports than rule 3.
D. A report can be created that identifies unclassified traffic on the network.
Answer: A,D
Q10. What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering Database (PAN-DB)?
A. The "Log Container Page Only" option can be employed in a URL-Filtering policy to reduce the number of logging events.
B. URL-Filtering can now be employed as a match condition in Security policy
C. IP-Based Threat Exceptions can now be driven by custom URL categories
D. Daily database downloads for updates are no longer required as devices stay in-sync with the cloud.
Answer: D