Weekend Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

examout.co

What should an engineer consider when setting up the DNS proxy for web proxy?

A.

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

B.

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

C.

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

D.

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

A.

the 'Shared' device group

B.

template stacks

C.

a device group

D.

template variables

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?

A.

Configure a dynamic address group for the addresses to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these addresses when logs are generated in the threat log. Under Device > User Identification > Trusted Source Address, add the condition "NOT malicious."

B.

Configure a dynamic user group for the users to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group.

C.

Configure the appropriate security profiles for Antivirus, Anti-Spyware, and Vulnerability Prevention, create signature policies for the relevant signatures and/or severities. Under the "Actions" tab in "Signature Policies," select "block-user."

D.

N/A

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

A.

Ensure Force Template Values is checked when pushing configuration.

B.

Push the Template first, then push Device Group to the newly managed firewall.

C.

Perform the Export or push Device Config Bundle to the newly managed firewall.

D.

Push the Device Group first, then push Template to the newly managed firewall

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

A.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.3. Place (NAT-Rule-1) above (NAT-Rule-2).

B.

1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.2. Check the box for negate option to negate this IP subnet from NAT translation.

C.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.3. Place (NAT-Rule-2) above (NAT-Rule-1).

D.

1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.2. Check the box for negate option to negate this IP from the NAT translation.

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?

A.

certificates

B.

profiles

C.

link state

D.

stateful firewall connection

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

A.

Financial, health, and government traffic categories

B.

Known traffic categories

C.

Known malicious IP space

D.

Public-facing servers,

E.

Less-trusted internal IP subnets

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

A.

Lower the interface MTU value below 1500.

B.

Enable the Ignore IPv4 Don't Fragment (DF) setting.

C.

Change the subnet mask from /23 to /24.

D.

Adjust the TCP maximum segment size (MSS) value.

When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)

A.

Custom application

B.

Source interface

C.

Schedule

D.

Source device