Corrected PCNSA Palo Alto


1. Which statement best describes the use of Policy Optimizer?

A. Policy Optimizer can display which Security policies have not been used in the last 90 days

B. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have
unused applications

C. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected

D. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID
Security policy for every Layer 4 policy that exists. Admins can then manually enable policies
they want to keep and delete ones they want to remove

Answer: B

5. An administrator would like to determine the default deny action for the application
dns-over-https. Which action would yield the information?

A. View the application details in beacon.paloaltonetworks.com

B. Check the action for the Security policy matching that traffic

C. Check the action for the decoder in the antivirus profile

D. View the application details in Objects > Applications

Answer: B

NEW QUESTION 9: Which two Palo Alto Networks security management tools provide a
consolidated creation of policies, centralized management and centralized threat
intelligence? (Choose two.)

A. GlobalProtect

B. Panorama

C. Aperture

D. AutoFocus

Answer: BD

QUESTION 3: A security administrator has configured App-ID updates to be automatically
downloaded and installed. The company is currently using an application identified by
App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled
SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

ANSWER:

A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer
matches the SuperApp-base application

QUESTION 8: Actions can be set for which two items in a URL filtering security profile? (Choose
two.)

ANSWER:

B. Custom URL Categories

C. PAN-DB URL Categories

QUESTION 10: Which two statements are correct about App-ID content updates? (Choose
two.)

ANSWER: 

A. Updated application content might change how Security policy rules are enforced.

D. After an application content update, new applications are automatically identified and
classified

QUESTION 15: Choose the option that correctly completes this statement. A Security Profile can
block or allow traffic ____________.

ANSWER:

B. after it is matched by a security policy rule that allows traffic.

QUESTION 39: Which user mapping method could be used to discover user IDs in an environment
with multiple Windows domain controllers?

ANSWER:

D. domain controller monitoring


QUESTION 40: Which three statements describe the operation of Security policy rules and
Security Profiles? (Choose three.)

ANSWER:

B. Security Profiles are attached to Security policy rules

C. Security Profiles should be used only on allowed traffic

E. Security policy rules can block or allow traffic

QUESTION 41: Given the image, which two options are true about the Security policy rules?
(Choose two.)

A. The Allow-Office-Programs rule is using an Application Filter

D. The Allow-Social-Media rule allows all of Facebook's functions.

QUESTION 53: An administrator receives a global notification for a new malware that infects
hosts. The infection will result in the infected host attempting to contact a
command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall's signature
database has been updated?

ANSWER:

A. antivirus profile applied to outbound security policies

QUESTION 66: Which path in PAN-OS 9.0 displays the list of port-based security policy rules?

ANSWER:

A. Policies > Security > Rule Usage > No App Specified

QUESTION 75: Four configuration choices are listed, and each could be used to block access to a
specific URL. If you configured each choice to block the same URL, then which choice would be the
last to block access to the URL?

ANSWER:

D. PAN-DB URL category in URL Filtering Profile

QUESTION 81: Which two statements are true for the DNS Security service introduced in PAN-OS
version 9.0? (Choose two.)

ANSWER:

B. It eliminates the need for dynamic DNS updates.

D. It removes the 100K limit for DNS entries for the downloaded DNS updates

QUESTION 82: Which two features can be used to tag a username so that it is included in a
dynamic user group? (Choose two.)

ANSWER:

B. XML API

C. User-ID Windows-based agent

QUESTION 83: The CFO found a malware-infected USB drive in the parking lot, which when
inserted infected their corporate laptop. The malware contacted a known command-and-control
server, which caused the infected laptop to begin exfiltrating corporate data.
Which security profile feature could have been used to prevent the communication with the
command-and-control server?

ANSWER:

A. Create an anti-spyware profile and enable DNS Sinkhole feature

QUESTION 84: You must configure which firewall feature to enable a data-plane interface to
submit DNS queries on behalf of the control plane?

ANSWER:

D. service route

QUESTION 85: Which component provides network security for mobile endpoints by inspecting
traffic routed through gateways?

ANSWER:

B. GlobalProtect

QUESTION 87: Which operations are allowed when working with App-ID application tags?

ANSWER:

B. Predefined tags may be augmented by custom tags

QUESTION 88: Your company occupies one floor in a single building. You have two Active Directory
domain controllers on a single network. The firewall's management plane is only slightly utilized.
Which User-ID agent is sufficient in your network?

ANSWER:

B. PAN-OS integrated agent deployed on the firewall


QUESTION 91: Based on the screenshot presented, which column contains the link that when
clicked, opens a window to display all applications matched to the policy rule?

ANSWER:

D. Apps Seen

QUESTION 94: Based on the graphic, which statement accurately describes the output shown in
the Server Monitoring panel?

ANSWER:

A. The User-ID agent is connected to a domain controller labeled lab-client

QUESTION 97: Which type of security policy rule will match traffic that flows between the Outside
zone and inside zone, but would not match traffic that flows within the zones?

ANSWER:

C. interzone

QUESTION 100: Which type of administrator account cannot be used to authenticate user traffic
flowing through the firewall's data plane?

ANSWER:

D. local user

QUESTION 115: You receive notification about new malware that is being used to attack hosts.
The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's
threat signature database?

ANSWER:

D. Vulnerability Protection Profile applied to inbound Security policy rules

QUESTION 111: Which method allows the employees to access the PowerBall Lottery
website but without unblocking access to the “gambling” URL category?

ANSWER:

D. Create a custom URL category, add *.powerball.com to it and allow it in the
Security Profile.

QUESTION 126: An administrator would like to see the traffic that matches the
interzone-default rule in the traffic logs.
What is the correct process to enable this logging?

ANSWER:

A. Select the interzone-default rule and click Override; on the Actions tab,
select Log at Session End and click OK.

QUESTION 152: An administrator wants to prevent access to media content websites
that are risky.
Which two URL categories should be combined in a custom URL category to
accomplish this goal? (Choose two.)

ANSWER:

B. streaming-media

C. known-risk

QUESTION 269

What are three valid ways to map an IP address to a username? (Choose three.)

A. using the XML API

B. DHCP Relay logs

C. a user connecting into a GlobalProtect gateway using a GlobalProtect Agent

D. usernames inserted inside HTTP Headers

E. WildFire verdict reports

Answer: ACD

QUESTION 270

Which object would an administrator create to enable access to all applications in the office-
programs subcategory?

A. application filter

B. URL category

C. HIP profile

D. application group

Answer: A

QUESTION 272

Which statement is true regarding NAT rules?

A. Static NAT rules have precedence over other forms of NAT.

B. Translation of the IP address and port occurs before security processing.

C. NAT rules are processed in order from top to bottom.

D. Firewall supports NAT on Layer 3 interfaces only.

Answer: A

QUESTION 274

An administrator is reviewing the Security policy rules shown in the screenshot below. Which
statement is correct about the information displayed?

A. Eleven rules use the "Infrastructure" tag.

B. The view Rulebase as Groups is checked.

C. There are seven Security policy rules on this firewall.

D. Highlight Unused Rules is checked.

Answer: B

QUESTION 276

What are two valid selections within an Antivirus profile? (Choose two.)

A. deny

B. drop

C. default

D. block-ip

Answer: BC

QUESTION 277

An administrator wants to create a NAT policy to allow multiple source IP addresses to be
translated to the same public IP address. What is the most appropriate NAT policy to achieve this?

A. Dynamic IP and Port

B. Dynamic IP

C. Static IP

D. Destination

Answer: A

QUESTION 279

What is a function of application tags?

A. creation of new zones

B. application prioritization

C. automated referenced applications in a policy

D. IP address allocations in DHCP

Answer: C

QUESTION 280

What are three Palo Alto Networks best practices when implementing the DNS Security Service?
(Choose three.)

A. Implement a threat intel program.

B. Configure a URL Filtering profile.

C. Train your staff to be security aware.

D. Rely on a DNS resolver.

E. Plan for mobile-employee risk

Answer: ABD

QUESTION 257

Which action would an administrator take to ensure that a service object will be available only to
the selected device group?

A. create the service object in the specific template

B. uncheck the shared option

C. ensure that disable override is selected

D. ensure that disable override is cleared

Answer: D
