PCNSE Exam Questions

Total 321 Questions

Last Updated Exam : 16-Jul-2025

An organization has recently migrated its infrastructure and configuration to NGFWs that are managed by Panorama. The organization is coming from an L2-L4 firewall vendor but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can provide a solution?


A. Application Groups
B. Policy Optimizer
C. Test Policy Match
D. Config Audit

Answer: B. Policy Optimizer

The server team is concerned about the high volume of logs forwarded to their syslog server. It is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS Traffic logs can be excluded from syslog forwarding. How should syslog log forwarding be configured?


A. With ‘(port,dst neq 53)’ Traffic log filter Object > Log Forwarding.
B. With ‘(port dst neq 53)’ Traffic log filter inside Device > Log Settings.
C. With ‘(app neq dns-base)’ Traffic log filter inside Device > Log Settings.
D. With ‘(app neq dns-base)’ Traffic log filter inside Objects > Log Forwarding.

Answer: B. With ‘(port dst neq 53)’ Traffic log filter inside Device > Log Settings.

Which protocol is natively supported by GlobalProtect Clientless VPN?


A. HTTP
B. SSH
C. HTTPS
D. RDP

Answer: C. HTTPS

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?


A. Data Patterns within Objects > Custom Objects
B. Custom Log Format within Device > Server Profiles > Syslog
C. Built-in Actions within Objects > Log Forwarding Profile
D. Logging and Reporting Settings within Device > Setup > Management

Answer: B. Custom Log Format within Device > Server Profiles > Syslog

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?


A. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
B. Phase 2 SAs are synchronized over HA2 links.
C. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
D. Phase 1 SAs are synchronized over HA1 links.

Answer: B. Phase 2 SAs are synchronized over HA2 links.

Explanation: In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel Security Associations (SAs) is an important aspect of ensuring seamless failover and continued secure communication. Specifically, Phase 2 SAs are synchronized over the HA2 link. The HA2 link is dedicated to synchronizing sessions, forwarding tables, IPsec SAs, ARP tables, and other critical information between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately take over if the active unit fails, without the need to re-establish IPsec tunnels, thereby maintaining secure communications without interruption. It is important to note that Phase 1 SAs, which are responsible for establishing the secure tunnel itself, are not synchronized between the HA pair; these need to be re-established upon failover to ensure a secure key exchange.

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP peering between the two devices?


A. show routing protocol bgp summary
B. show routing protocol bgp rib-out
C. show routing protocol bgp state
D. show routing protocol bgp peer

Answer: D. show routing protocol bgp peer

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.
The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors.
What is the recommended order of operational steps when upgrading?


A. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
B. Upgrade the firewalls, upgrade log collectors, upgrade Panorama
C. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls
D. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

Answer: C. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

Explanation: When planning an upgrade in an environment that includes Panorama, firewalls, and log collectors, it is crucial to follow the recommended sequence to ensure compatibility and minimize disruptions. Palo Alto Networks recommends the following order:
Upgrade Panorama: Start with Panorama because it is the central management platform. Upgrading Panorama first ensures that it is compatible with the new PAN-OS versions that the managed devices (firewalls and log collectors) will be upgraded to. Panorama must be able to support the new versions in order to manage and monitor the devices effectively.
Upgrade the log collectors: Next, upgrade the log collectors. Since log collectors work closely with Panorama to aggregate and store logs from the firewalls, they should be upgraded after Panorama to ensure compatibility. Upgrading the log collectors ensures they can handle the log formats and features introduced in the new PAN-OS version.
Upgrade the firewalls: Finally, upgrade the firewalls. The firewalls are the last components to be upgraded so that they remain compatible with the management and log collection infrastructure. Upgrading the firewalls last minimizes the risk of compatibility issues with Panorama and the log collectors.
This sequence ensures that all components are compatible and that the management and logging infrastructure can fully support the firewalls running the latest PAN-OS version.

An administrator needs to identify which NAT policy is being used for internet traffic. From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?


A. Click Session Browser and review the session details.
B. Click Traffic view and review the information in the detailed log view.
C. Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
D. Click App Scope > Network Monitor and filter the report for NAT rules.

Answer: A. Click Session Browser and review the session details.

Explanation: Traffic view in the Monitor tab of the firewall GUI can display information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.

An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.

What could an administrator do to troubleshoot the issue?


A. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup
B. Check the peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings
C. Go to Device > High Availability > HA Communications > General and check the Heartbeat Backup under Election Settings
D. Check the peer IP address for heartbeat backup in Device > High Availability > HA Communications > Packet Forwarding settings.

Answer: B. Check the peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90. When firewall-01 is rebooted, is there any action taken by the firewalls?


A. No - Neither firewall takes any action because firewall-01 cannot be rebooted when configured with device priority of 90.
B. No - Neither firewall takes any action because firewall-02 is already the active-primary member.
C. Yes - Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional.
D. Yes - Firewall-02 takes over as the active-primary firewall; firewall-02 remains the active-primary member after firewall-01 becomes functional.

Answer: C. Yes - Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional.
