
Question 296

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

Correct Answer: C,D
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisit
According to the Palo Alto Networks documentation [1], an active/active high availability pair requires four links to communicate and synchronize state information: HA1, HA2, HA3, and HSCI. HA1 and HA2 are the same as in active/passive mode, where HA1 is used for control plane synchronization and HA2 is used for data plane synchronization. However, in active/active mode, there are two additional links:
HA3: This link is used for session setup synchronization between the two firewalls. It allows the firewalls to share information about new sessions that they create, so that they can forward packets for the same session if needed.
HSCI: This link is used for session owner synchronization between the two firewalls. It allows the firewalls to determine which firewall is responsible for processing packets for a given session.
Both HA3 and HSCI links can use either a dedicated interface or a subinterface. Therefore, the correct answer is C and D.
The other options are not valid links for an active/active high availability pair:
HSCI-C: This option is not a valid link name. HSCI stands for High-Speed Chassis Interconnect, which is a physical cable that connects two firewalls in a chassis-based system. It is not related to active/active high availability.
Console Backup: This option is not a valid link name. Console backup is a feature that allows accessing the console port of a firewall remotely through another firewall in an HA pair. It is not related to active/active high availability.
References:
[1] https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/set-up-activeactive-ha/configure-ac

Question 297

When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

Correct Answer:

Explanation
IMAP, POP3, SMTP -> Alert
HTTP, FTP, SMB -> Reset-both

Question 298

Which two events trigger the operation of automatic commit recovery? (Choose two.)

Correct Answer: B,D
Automated commit recovery is enabled by default, allowing the managed firewalls to locally test the configuration pushed from Panorama to verify that the new changes do not break the connection between Panorama and the managed firewall. If the committed configuration breaks the connection between Panorama and a managed firewall, the firewall automatically fails the commit and reverts the configuration to the previous running configuration, and the Shared Policy or Template Status (Panorama Managed Devices Summary) gets out of sync depending on which configuration objects were pushed. Additionally, the managed firewalls test their connection to Panorama every 60 minutes, and if a managed firewall detects that it can no longer successfully connect to Panorama, it reverts its configuration to the previous running configuration.
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/administer-panorama/enable-automated-commit-recovery

Question 299

A Palo Alto Networks firewall is being targeted by an NTP amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?

Correct Answer: D
Step 1: Configure a DoS Protection profile for flood protection.
1. Select Objects > Security Profiles > DoS Protection and Add a profile Name.
2. Select Classified as the Type.
3. For Flood Protection, select the check boxes for all of the following types of flood protection:
   • SYN Flood
   • UDP Flood
   • ICMP Flood
   • ICMPv6 Flood
   • Other IP Flood
Step 2: Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
This step includes: (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/configure-dos-protection-against-flooding-of-new-sessions

Question 300

Match each GlobalProtect component to the purpose of that component

Correct Answer: