Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?

• A.Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
• B.Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
• C.Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
• D.Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

Comment: *

Name: *

Email: *

Verification: *

Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

• A.Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow
• B.Untrust (Any) to DMZ (1.1.1.100), web-browsing -Allow
• C.Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
• D.Untrust (Any) to Untrust (10.1.1.1), SSH -Allow
• E.Untrust (Any) to DMZ (1.1.1.100), SSH -Allow

Comment: *

Name: *

Email: *

Verification: *

Based on the following image,

what is the correct path of root, intermediate, and end-user certificate?

• A.VeriSign > Palo Alto Networks > Symantec
• B.Symantec > VeriSign > Palo Alto Networks
• C.Palo Alto Networks > Symantec > VeriSign
• D.VeriSign > Symantec > Palo Alto Networks

Comment: *

Name: *

Email: *

Verification: *

What are three types of Decryption Policy rules? (Choose three.)

• A.SSL Inbound Inspection
• B.SSH Proxy
• C.SSL Forward Proxy
• D.Decryption Broker
• E.Decryption Mirror

Comment: *

Name: *

Email: *

Verification: *

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?

• A.1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
  2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to
  10.0.0.10/32 and source translation set to none.
  3. Place (NAT-Rule-1) above (NAT-Rule-2).
• B.1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.
  2. Check the box for negate option to negate this IP subnet from NAT translation.
• C.1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
  2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to
  10.0.0.10/32 and source translation set to none.
  3. Place (NAT-Rule-2) above (NAT-Rule-1).
• D.1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.
  2. Check the box for negate option to negate this IP from the NAT translation.

Comment: *

Name: *

Email: *

Verification: *