NEW QUESTION 1
An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

• A. Client Probing
• B. Terminal Services agent
• C. GlobalProtect
• D. Syslog Monitoring

Answer: C

NEW QUESTION 2
A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

• A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
• B. Traffic will be forced to operate over UDP Port 16384.
• C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
• D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: AC

NEW QUESTION 3
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

• A. Option A
• B. Option B
• C. Option C
• D. Option D
• E. Option E

Answer: B

NEW QUESTION 4
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software
would help in this case?

• A. Application override
• B. Redistribution of user mappings
• C. Virtual Wire mode
• D. Content inspection

Answer: B

NEW QUESTION 5
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

• A. Use the import option to pull logs into Panorama.
• B. A CLI command will forward the pre-existing logs to Panorama.
• C. Use the ACC to consolidate pre-existing logs.
• D. The log database will need to exported form the firewalls and manually imported intoPanorama.

Answer: B

NEW QUESTION 6
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

• A. Configure ECMP to handle matching NAT traffic
• B. Configure a NAT Policy rule with Dynamic IP and Port
• C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi- directional option
• D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option

Answer: C

Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples

NEW QUESTION 7
Which event will happen if an administrator uses an Application Override Policy?

• A. Threat-ID processing time is decreased.
• B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
• C. The application name assigned to the traffic by the security rule is written to the Traffic log.
• D. App-ID processing time is increased.

Answer: B

NEW QUESTION 8
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

• A. test panoramas-connect 10.10.10.5
• B. show panoramas-status
• C. show arp all I match 10.10.10.5
• D. topdump filter "host 10.10.10.5
• E. debug dataplane packet-diag set capture on

Answer: BD

NEW QUESTION 9
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

• A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application
• B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
• C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
• D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: BD

NEW QUESTION 10
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

• A. Security policy
• B. Decryption policy
• C. Authentication policy
• D. Application Override policy

Answer: C

NEW QUESTION 11
Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

• A. Set the type to Aggregate, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• B. Set the type to Classified, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000.
• D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000.

Answer: C

NEW QUESTION 12
A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

• A. A report can be created that identifies unclassified traffic on the network.
• B. Different security profiles can be applied to traffic matching rules 2 and 3.
• C. Rule 2 and 3 apply to traffic on different ports.
• D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

Answer: BD

NEW QUESTION 13
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

• A. Preconfigured GlobalProtect satellite
• B. Preconfigured GlobalProtect client
• C. Preconfigured PIsec tunnels
• D. Preconfigured PPTP Tunnels

Answer: A

NEW QUESTION 14
An administrator needs to optimize traffic to prefer business-critical applications over non- critical applications.
QoS natively integrates with which feature to provide service quality?

• A. Port Inspection
• B. Certificate revocation
• C. Content-ID
• D. App-ID

Answer: D

NEW QUESTION 15
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

• A. WildFire updates
• B. NAT
• C. NTP
• D. antivirus
• E. File blocking

Answer: ABC

NEW QUESTION 16
During the packet flow process, which two processes are performed in application identification? (Choose two.)

• A. Pattern based application identification
• B. Application override policy match
• C. Application changed from content inspection
• D. Session application identified.

Answer: BD