An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

• A.A Certificate profile with a trusted root CA.
• B.An Authentication profile with the allow list of users.
• C.An Interface Management profile with HTTP and HTTPS enabled.
• D.An SSL/TLS Service profile with a certificate assigned.

Comment: *

Name: *

Email: *

Verification: *

Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

• A.XML API
• B.Port Mapping
• C.Client Probing
• D.Server Monitoring

Comment: *

Name: *

Email: *

Verification: *

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?

• A.It matches to the New App-IDs downloaded in the last 90 days.
• B.It matches to the New App-IDs in the most recently installed content releases.
• C.It matches to the New App-IDs downloaded in the last 30 days.
• D.It matches to the New App-IDs installed since the last time the firewall was rebooted.

Correct Answer: B

Explanation
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches to only the new App-IDs in the most recently installed content releases. When a new content release is installed, the New App-ID characteristic automatically begins to match only to the new App-IDs in that content release version. This way, the engineer can see how the newly-categorized applications might impact security policy enforcement and make any necessary adjustments. References: Monitor New App-IDs

Comment: *

Name: *

Email: *

Verification: *

Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

• A.App Scope
• B.ACC
• C.Session Browser
• D.System Logs

Comment: *

Name: *

Email: *

Verification: *

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.15.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

• A.NAT Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Source Translation: Static IP / 172.16.15.1
  Security Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Trust
  Destination IP: 172.16.15.10
  Application: ssh
• B.NAT Rule:
  Source Zone: Trust
  Source IP: 192.168.15.0/24
  Destination Zone: Trust
  Destination IP: 192.168.15.1
  Destination Translation: Static IP / 172.16.15.10
  Security Rule:
  Source Zone: Trust
  Source IP: 192.168.15.0/24
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Application: ssh
• C.NAT Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Trust
  Destination IP: 192.168.15.1
  Destination Translation: Static IP /172.16.15.10
  Security Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Application: ssh
• D.NAT Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Source Translation: dynamic-ip-and-port / ethernet1/4
  Security Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Application: ssh

Comment: *

Name: *

Email: *

Verification: *