Question No. 1

A firewall engineer needs to patch the company's Palo Alto Network firewalls to the latest version of PAN-OS. The company manages its firewalls by using panoram

a. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?

AOnly Panorama and Dedicated Log Collectorss must be patched to the target PAN-OS version before updating the firewalls

BPanorama, Dedicated Log Collectors and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.

CPanorama, Dedicated Log Collectors and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.

DOnly Panorama must be patched to the PAN-OS version before updating the firewalls

Show Answer

Correct Answer: B

Question No. 2

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?

ACommand line > debug dataplane packet-diag clear filter-marked-session all

BIn the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface

CCommand line> debug dataplane packet-diag clear filter all

DIn the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select 'exclude'

Show Answer

Correct Answer: C

Question No. 3

Refer to the exhibit.

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

AThe firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

BThe firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

CThe firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

DThe firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Show Answer

Correct Answer: A

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620 '- Force Template Value will as the name suggest remove any local configuratio and apply the value define the panorama template. But this is valid only for overlapping configuration' 'You need to be careful, what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the 'Enable HA' checkbox). This still will be part of the template, because now your template is explicitely defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value'

Question No. 4

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.