Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exc65

examout.co

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

A.

Create a no-decrypt Decryption Policy rule.

B.

Configure an EDL to pull IP addresses of known sites resolved from a CRL.

C.

Create a Dynamic Address Group for untrusted sites

D.

Create a Security Policy rule with vulnerability Security Profile attached.

E.

Enable the “Block sessions with untrusted issuers” setting.

A customer wants to deploy User-ID on a Palo Alto Network NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. the customer uses Windows

A.

Deploy the GlobalProtect as a lee data hub.

B.

Deploy Window User 0 agents on each domain controller.

C.

Deploys AILS integrated Use 10 agent on each vsys.

D.

Deploy a M.200 as a Users-ID collector.

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

A.

A service route to the LDAP server

B.

A Master Device

C.

Authentication Portal

D.

A User-ID agent on the LDAP server

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

A.

TCP Fast Open in the Strip TCP options

B.

Ethernet SGT Protection

C.

Stream ID in the IP Option Drop options

D.

Record Route in IP Option Drop options

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

A.

Yes, because the action is set to alert

B.

No, because this is an example from a defeated phishing attack

C.

No, because the severity is high and the verdict is malicious.

D.

Yes, because the action is set to allow.

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems. Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

A.

Configure a Captive Portal authentication policy that uses an authentication sequence.

B.

Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

C.

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.

D.

Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?

A.

It allows for complete visibility into certificate data, ensuring secure connections to all websites.

B.

It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.

C.

It encrypts all certificate information to maintain privacy and compliance with local regulations.

D.

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)

A.

Firewalls which support policy-based VPNs.

B.

The remote device is a non-Palo Alto Networks firewall.

C.

Firewalls which support route-based VPNs.

D.

The remote device is a Palo Alto Networks firewall.