To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.
The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Some new sample questions:
Question:
Users have reported an issue when they are trying to access a server on your network. The requests aren’t taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?
A. The first route installed
B. The route with the lowest administrative distance
C. Bidirectional Forwarding Detection
D. The route with the highest administrative distance
Question:
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)
A. Route added with next hop set to ‘none’ and using the interface of the virtual systems that need to communicate
B. External zones with the virtual systems added
C. Route added with next hop next-vr by using the VR configured in the virtual system
D. Layer 3 zones for the virtual systems that need to communicate
Question:
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two)
A. IKEv1 only to deactivate the use of public key encryption
B. IKEv2 with Hybrid Key exchange
C. IKEv2 with Post-Quantum Pre-shared Keys
D. IPsec with Hybrid ID exchange
……..
Some new sample questions:
Question:
A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?
A. Use the ‘import device configuration to Panorama’ operation, commit to Panorama, then ‘export or push device config bundle’ to push the configuration.
B. Use the ‘import Panorama configuration snapshot’ operation, commit to Panorama, then ‘export or push device config bundle’ to push the configuration.
C. Use the ‘import device configuration to Panorama’ operation, commit to Panorama, then perform a device-group commit push with ‘include device and network templates’.
D. Use the ‘import Panorama configuration snapshot’ operation, commit to Panorama, then perform a device-group commit push with ‘include device and network templates’.
Question:
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
A. Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.
B. Open a support case.
C. Review traffic logs to add the exception from there.
D. Select ‘Show all signatures’ within the Vulnerability Protection Profile under ‘Exceptions’.
Question:
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can provide a solution?
A. Application Groups
B. Policy Optimizer
C. Test Policy Match
D. Config Audit
Question:
Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)
A. Ps1
B. Perl
C. Python
D. VBS
……….
Some new questions:
Q
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
A. increase the frequency of the applications and threats dynamic updates.
B. Increase the frequency of the antivirus dynamic updates
C. Enable the ‘Hold Mode’ option in Objects > Security Profiles > Antivirus.
D. Enable the ‘Report Grayware Files’ option in Device > Setup > WildFire.
Q
Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)
A. Threat
B. HIP Match
C. Traffic
D. Configuration
Q
Which two are required by IPSec in transport mode? (Choose two.)
A. Auto generated key
B. NAT Traversal
C. IKEv1
D. DH-group 20 (ECP-384 bits)
Q
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three
A. Configure a URL profile to block the phishing category.
B. Create a URL filtering profile
C. Enable User-ID.
D. Create an anti-virus profile.
E. Create a decryption policy rule.
Answer: B, C, E
Q
A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns’? (Choose two.)
A. Traffic logs
B. Data filtering logs
C. Policy Optimizer
D. Wireshark
Q
A firewall administrator is configuring an IPSec tunnel between a company’s HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address.
Which two actions are required for this scenario to work? (Choose two.)
A. On the HQ firewall select peer IP address type FQDN
B. On the remote location firewall select peer IP address type Dynamic
C. On the HQ firewall enable DDNS under the interface used for the IPSec tunnel
D. On the remote location firewall enable DONS under the interface used for the IPSec tunnel
…………….