Q1. Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they would like?
A. Single Sign-On Mode
B. On Demand Mode
C. Always On Mode
D. Optional Mode
Answer: B
Q2. What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?
A. A “Blocked” page response when the URL filtering policy to block is enforced.
B. A “Success” page response when the site is successfully translated.
C. The browser will be redirected to the original website address.
D. An "HTTP Error 503 Service unavailable" message.
Answer: A
Q3. HOTSPOT
Assuming that the default antivirus profile is installed, match each decoder with its default action.
Answer options may be used more than once or not at all.
Answer:
Q4. A hotel chain is using a system to centrally control a variety of items in guest rooms. The client devices in each guest room communicate to the central controller using TCP and frequently disconnect due to a premature timeouts when going through a Palo Alto Networks firewall.
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom application.
C. Create an application with a specified TCP timeout and assign traffic to it with an application override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom application.
Answer: C
Q5. Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to "pre-logon"?
A. Certificate Revocation List
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol
Answer: C
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/60/globalprotect/Global_Protect_6.0.pdf page 12.
Q6. When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
A. Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
B. Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
C. Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
D. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Answer: A
Q7. Which two steps are required to make Microsoft Active Directory users appear in the firewall’s traffic log? Choose 2 answers
A. Enable User-ID on the zone object for the source zone.
B. Enable User-ID on the zone object for the destination zone.
C. Configure a RADIUS server profile to point to a domain controller.
D. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions.
E. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions.
Answer: A,E
Q8. When employing the Brightcloud URL filtering database on the Palo Alto Networks firewalls, the order of checking within a profile is:
A. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic URL Filtering
B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic URL Filtering
C. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories, Predefined Categories
D. None of the above
Answer: A
Q9. What is the name of the debug save file for IPSec VPN tunnels?
A. set vpn all up
B. test vpn ike-sa
C. request vpn IPsec-sa test
D. Ikemgr.pcap
Answer: D
Q10. An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?
A. Virtual Wire
B. Tap
C. L3
D. L2
Answer: A