NEW QUESTION 1
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

• A. Zone Protection Policy with UDP Flood Protection
• B. QoS Policy to throttle traffic below maximum limit
• C. Security Policy rule to deny trafic to the IP address and port that is under attack
• D. Classified DoS Protection Policy using destination IP only with a Protect action

Answer: D

NEW QUESTION 2
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)
Which two security policy rules will accomplish this configuration? (Choose two.)

• A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
• B. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
• C. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
• D. Untrust (Any) to DMZ (10.1.1.1), ssh –Allow
• E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow

Answer: CD

NEW QUESTION 3
What are two benefits of nested device groups in Panorama? (Choose two.)

• A. Reuse of the existing Security policy rules and objects
• B. Requires configuring both function and location for every device
• C. All device groups inherit settings form the Shared group
• D. Overwrites local firewall configuration

Answer: BC

NEW QUESTION 4
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?

• A. Use config-drive on a USB stick.
• B. Use an S3 bucket with an ISO.
• C. Create and attach a virtual hard disk (VHD).
• D. Use a virtual CD-ROM with an ISO.

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/management-features/bootstrapping-firewalls-for-rapid-deployment.html

NEW QUESTION 5
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

• A. Decryption Mirror interface with the Threat Analysis license
• B. Virtual Wire interface with the Decryption Port Export license
• C. Tap interface with the Decryption Port Mirror license
• D. Decryption Mirror interface with the associated Decryption Port Mirror license

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/decryption-mirroring

NEW QUESTION 6
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

• A. The firewall is in multi-vsys mode.
• B. The traffic is offloaded.
• C. The traffic does not match the packet capture filter.
• D. The firewall’s DP CPU is higher than 50%.

Answer: BC

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload

NEW QUESTION 7
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

• A. The devices are pre-configured with a virtual wire pair out the first two interfaces.
• B. The devices are licensed and ready for deployment.
• C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
• D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
• E. The interface are pingable.

Answer: BC

NEW QUESTION 8
Which CLI command can be used to export the tcpdump capture?

• A. scp export tcpdump from mgmt.pcap to <username@host:path>
• B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
• C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
• D. download mgmt.-pcapExplanation:

Answer: C

Explanation: Reference: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/ta-p/55415

NEW QUESTION 9
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?

• A. test security -policy- match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number
• B. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
• C. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
• D. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>test security-policy-match source

Answer: A

Explanation: test security-policy-match source <source IP> destination <destination IP> protocol <protocol number>
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy- Applies-to-a-Traffic-Flow/ta-p/53693

NEW QUESTION 10
Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

• A. Log
• B. Alert
• C. Allow
• D. Default

Answer: B

NEW QUESTION 11
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)

• A. Panorama virtual appliance on ESX(i) only
• B. M-500
• C. M-100 with Panorama installed
• D. M-100

Answer: BC

Explanation: (httpHYPERLINK "https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and- Design-Guide/ta-p/72181"s://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing- and-Design-Guide/ta-p/72181)

NEW QUESTION 12
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose
two)

• A. Vulnerability Object
• B. DoS Protection Profile
• C. Data Filtering Profile
• D. Zone Protection Profile

Answer: BD

NEW QUESTION 13
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

• A. application: web-browsing; service: application-default
• B. application: web-browsing; service: service-https
• C. application: ssl; service: any
• D. application: web-browsing; service: (custom with destination TCP port 8080)

Answer: A

NEW QUESTION 14
What is the purpose of the firewall decryption broker?

• A. Decrypt SSL traffic a then send it as cleartext to a security chain of inspection tools
• B. Force decryption of previously unknown cipher suites
• C. Inspection traffic within IPsec tunnel
• D. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools

Answer: A

NEW QUESTION 15
Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?

• A. Untrust (any) to Untrust (10. 1.1. 100), web browsing – Allow
• B. Untrust (any) to Untrust (1. 1. 1. 100), web browsing – Allow
• C. Untrust (any) to DMZ (1. 1. 1. 100), web browsing – Allow
• D. Untrust (any) to DMZ (10. 1. 1. 100), web browsing – Allow

Answer: B

NEW QUESTION 16
Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

• A. Set the type to Aggregate, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• B. Set the type to Classified, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000.
• D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000.

Answer: C