NEW QUESTION 1
During the packet flow process, which two processes are performed in application identification? (Choose two.)

• A. Pattern based application identification
• B. Application override policy match
• C. Application changed from content inspection
• D. Session application identified.

Answer: BD

NEW QUESTION 2
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured.
What can be the cause of this problem?

• A. No Zone has been configured on Ethernet 1/4.
• B. Interface Ethernet 1/1 is in Virtual Wire Mode.
• C. DNS has not been properly configured on the firewall.
• D. DNS has not been properly configured on the host.

Answer: A

NEW QUESTION 3
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

• A. View the System logs and look for the error messages about BGP.
• B. Perform a traffic pcap on the NGFW to see any BGP problems.
• C. View the Runtime Stats and look for problems with BGP configuration.
• D. View the ACC tab to isolate routing issues.

Answer: CD

NEW QUESTION 4
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

• A. View Runtime Stats in the virtual router.
• B. View System logs.
• C. Add a redistribution profile to forward as BGP updates.
• D. Perform a traffic pcap at the routing stage.

Answer: AC

NEW QUESTION 5
What must be used in Security Policy Rule that contain addresses where NAT policy applies?

• A. Pre-NAT addresse and Pre-NAT zones
• B. Post-NAT addresse and Post-Nat zones
• C. Pre-NAT addresse and Post-Nat zones
• D. Post-Nat addresses and Pre-NAT zones

Answer: C

NEW QUESTION 6
A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
✑ Users outside the company are in the "Untrust-L3" zone
✑ The web server physically resides in the "Trust-L3" zone.
✑ Web server public IP address: 23.54.6.10
✑ Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

• A. Untrust-L3 for both Source and Destination zone
• B. Destination IP of 192.168.1.10
• C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
• D. Destination IP of 23.54.6.10

Answer: CD

NEW QUESTION 7
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

• A. Configure ECMP to handle matching NAT traffic
• B. Configure a NAT Policy rule with Dynamic IP and Port
• C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi- directional option
• D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option

Answer: C

Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples

NEW QUESTION 8
A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?

• A. The three-way TCP handshake was observed, but the application could not be identified.
• B. The three-way TCP handshake did not complete.
• C. The traffic is coming across USP, and the application could not be identified.
• D. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.

Answer: C

NEW QUESTION 9
Which three options are available when creating a security profile? (Choose three)

• A. Anti-Malware
• B. File Blocking
• C. Url Filtering
• D. IDS/ISP
• E. Threat Prevention
• F. Antivirus

Answer: ABF

NEW QUESTION 10
Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

• A. Virtual Wire
• B. Loopback
• C. Layer 3
• D. Tunnel

Answer: BC

NEW QUESTION 11
A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

• A. The firewall does not have an active WildFire subscription.
• B. The engineer's account does not have permission to view WildFire Submissions.
• C. A policy is blocking WildFire Submission traffic.
• D. Though WildFire is working, there are currently no WildFire Submissions log entries.

Answer: B

NEW QUESTION 12
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
•DMZ zone: DMZ-L3
•Public zone: Untrust-L3
•Guest zone: Guest-L3
•Web server zone: Trust-L3
•Public IP address (Untrust-L3): 1.1.1.1
•Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

• A. Untrust-L3
• B. DMZ-L3
• C. Guest-L3
• D. Trust-L3

Answer: A

NEW QUESTION 13
Which three options are supported in HA Lite? (Choose three.)

• A. Virtual link
• B. Active/passive deployment
• C. Synchronization of IPsec security associations
• D. Configuration synchronization
• E. Session synchronization

Answer: BCD

NEW QUESTION 14
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

• A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
• B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
• C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
• D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Answer: B

NEW QUESTION 15
A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

• A. Application Override policy.
• B. Security policy to identify the custom application.
• C. Custom application.
• D. Custom Service object.

Answer: BC

NEW QUESTION 16
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

• A. When configuring Certificate Profiles
• B. When configuring GlobalProtect portal
• C. When configuring User Activity Reports
• D. When configuring Antivirus Dynamic Updates

Answer: D

NEW QUESTION 17
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

• A. Disable SNMP on the management interface.
• B. Application override of SSL application.
• C. Disable logging at session start in Security policies.
• D. Disable predefined reports.
• E. Reduce the traffic being decrypted by the firewall.

Answer: CDE

NEW QUESTION 18
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

• A. VM-100
• B. VM-200
• C. VM-1000-HV
• D. VM-300

Answer: C

NEW QUESTION 19
Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

• A. ms log
• B. authd log
• C. System log
• D. Traffic log
• E. dp-monitor .log

Answer: BC