Palo Alto
What are the 6 Available actions for traffic that matches an Antivirus Profile?
allow: Permits the traffic without logging
alert: Generates a log entry and allows the traffic
drop: Discards the traffic and generates a log entry
reset-client: For TCP, resets the client-side connection. For UDP, drops the connection.
reset-server: For TCP, resets the server-side connection. For UDP, drops the connection.
reset-both: For TCP, resets the connection on the client and server. For UDP, drops the connection.
Which two firewall objects can be configured to forward firewall logs to external destinations? (Choose two.)
Security zone
Network interface
Security Policy Rule
Application Override rule
The correct answer was “Security zone, Security Policy Rule”.
True or False: If the Application Block Page is enabled and a Security policy rule denies a web-based application, then a browser-based response page is displayed.
True
Which two items describe configuration conditions that enable the firewall to generate Traffic log entries? (Choose two.)
Traffic must be decrypted by the firewall.
Traffic is allowed by a Security policy rule.
The matching Security policy rule must enable logging.
The matching Security policy rule must have an attached Security Profile.
The correct answer was “Traffic is allowed by a Security policy rule; The matching Security policy rule must enable logging.”
Which two log types require a configured Security Profile to generate log entries? (Choose two.)
Traffic
Threat
System
Data Filtering
Threat, Data Filtering
Which three firewall web interface tools enable you to specify a time period for the displayed application and threat data? (Choose three.)
ACC
logs
Dashboard
predefined reports
Security policy
ACC, logs, predefined reports
What is Panorama?
This provides centralized monitoring and management of multiple Palo Alto Networks next-generation firewalls.
Explain Basic deployment.
This includes direct log collection to the platform, and also provides configuration management in Panorama mode. In this deployment, Panorama performs device management and log collection.
Explain Distributed deployment.
In this deployment, log collection is directed to dedicated Panorama management appliance platforms, called Log Collectors.
M-600 appliance
This appliance is suitable for large scale FW deployments and can manage up to 5000 FWs in management only mode.
M-500 appliance
This appliance is suitable for data center deployments. It supports 10GB/sec throughput on ethernet 4 and ethernet 5 interfaces.
The physical Panorama appliance (such as an M-500) can operate in what three modes?
1) Panorama mode
2) Log Collector mode
3) Management Only mode
What is Panorama mode?
In this mode the appliance can manage devices and collect logs from managed devices.
True or False: On a fresh install of 8.1, Legacy mode is no longer available.
True
What is the default mode for a Panorama virtual appliance?
Panorama mode is the default.
True or False: Serial numbers, initially, are not provided on virtual Panorama platforms.
True
How do you generate a serial number?
These should be generated using the Palo Alto Networks Customer Support Portal.
What is the function of the serial number?
This acts as a unique ID for the Panorama platform and enables automatic license and software updates from Palo Alto Networks.
What does the Cloud Services plugin enable?
This enables the use of Cortex Data Lake and GlobalProtect cloud service.
What does the Interconnect plugin enable?
This plugin enables you to manage large-scale FW deployments. It can be used to set up a two-tier Panorama deployment for a horizontal scale-out architecture.
How does Network segmentation improve security of MGT?
This is improved by off-loading services to other interfaces.
What is shown in the Commit Scope pane?
This pane provides a summary of the changes queued in the candidate configuration.
What does “Validate to Commit” perform?
This commit performs a trial commit. This means that you do a complete validation process while not merging any live data with the running configuration.
True or False: All commits are recorded in a config log, and the description entered during a commit is included in this log.
True
What must happen to change the configurations on the managed firewalls of a Panorama Appliance?
Any changes committed to the Panorama appliance must then be “Pushed to Devices” to have any changes committed to those devices.
What is the function of the “Validate Device Group Push” and “Validate Template Push” commands?
These functions are used to execute a commit process on templates or device groups without actually pushing data to devices. They do a full validation of the data intended for the push to identify any potential configuration issues.
What are the two Last commit states?
1) Out of Sync - new configuration data for this managed device is queued in Panorama for this push.
2) In Sync
True or False: Panorama can execute only one commit at a given time.
True: However, administrators can queue multiple commits that are executed one after the other on a first-come, first-served basis.
Define Running Configuration.
This is the current state of the committed configuration.
Define Candidate configuration.
This is a copy of the running configuration plus any changes you have made since the last commit.
Define version.
This is a specific configuration that has been stored on the firewall or Panorama.
Define Snapshot.
This is a copy of the configuration (candidate or running) at a particular point in time. The FW or Panorama exports the configuration as an XML file with a specified name.
Define Bundle.
This consists of the latest versions of the running configuration of Panorama and all managed devices.
What happens after you commit on a local firewall?
After this, the local firewall sends a backup of its running configuration to Panorama.
True or False: A Panorama virtual appliance in the cloud can manage only firewalls in the cloud.
False
True or False: To register a Panorama physical appliance in the Customer Support Portal, you need the serial number of Panorama.
True
True or False: If you have multiple Ethernet interfaces on a Panorama physical appliance, typically eth1 and eth2 interfaces are used to connect Log Collectors to Panorama.
False
What are the three steps in adding managed devices to Panorama?
1) Configure the new firewall to connect to Panorama.
2) Add the firewall’s serial number to Panorama.
3) Commit all changes.
What function in Panorama alleviates the pressure of having to create a new Master Key before the current Master Key expires?
Panorama allows you to configure the master key to auto renew with the same master key for a specified number of days.
What are the migration phases of an existing firewall migrating into Panorama? (Not sure about this flashcard)
1) Determine the versions of PAN-OS software on Panorama and the candidate firewall.
2) Panorama must be running the same or later version software as that of the firewall.
3) Plan the device group hierarchy and template deployment.
4) Identify any configuration that needs to be managed locally.
5) Normalize zone names.
What two steps are necessary in migrating HA peers to Panorama management?
1) Disable the automatic configuration synchronization between the HA partners.
2) Add each firewall to Panorama as a managed device.
What information is needed to configure a new firewall to connect to a Panorama appliance?
The IP address of the Panorama appliance is needed for this.
True or False: From Panorama, you can deactivate the license on one device so that it can be used on another device.
True
What are templates?
These are data objects created deliberately by a Panorama administrator to hold the settings for managed devices that are found under the “Network” and “Device” tabs of a firewall’s web interface.
How many layers can a template stack hold?
8 layers
Name 6 characteristics of a Template Stack
1) It is an ordered list of templates.
2) Settings are pushed to the managed device.
3) Templates can be reused in multiple stacks.
4) A firewall is assigned to one template stack.
5) It can contain a maximum of eight templates.
6) Panorama can support up to 1024 template stacks.
True or False: A template cannot be pushed to a device: it must be part of a template stack to be pushed to a device.
True
What are the most common template stack design strategies?
1) By firewall functionality
2) Geographic location
3) Other Political Boundaries within your organization
What does the template variable, $Inside_IP, store?
This variable stores the IP addresses of the firewalls
What salient features are included in Template variables?
1) For reusability, to minimize configuration duplication, and to reduce inconsistencies across devices.
2) To replace device-specific information such as IPs, IP ranges, FQDNs, and interfaces in IKE and HA.
3) They may be defined in templates or stacks.
4) Stacks can reference template variables.
5) The value can be different in two template stacks.
6) A mapping between the variables and the values for each device is maintained in Panorama.
7) Max variables per template is 4096.
8) Max variables per stack is 8192.
True or False: If all the template variables in a template stack are not resolved to their values, the Panorama commit operation fails.
True
What are Device groups?
These are data objects created manually by a Panorama administrator to hold the settings for managed devices that are found under the Policies and Objects tabs of a firewall’s web interface.
How are device groups similar to templates?
These are similar in that, once created, they also are assigned to firewalls.
True or False: Firewalls belong to one device group or to a device group hierarchy.
What is the maximum number of device group levels that can be created?
Four levels is the max
What are higher level device groups called?
These device groups are called Ancestors
To what does the device group descendants refer?
Device groups at lower levels are called this.
True or False: Lower-level device groups do not, as with templates, inherit the settings of higher-level groups.
False: Lower levels do inherit the settings of the higher group.
Device groups provide what?
These provide a centralized configuration and control over policies and objects.
Which level prevails in a conflict between levels?
The lower level definition prevails.
True or False: Panorama still manages each firewall in an HA pair as an independent firewall, and Panorama sends settings to each firewall.
True
Explain the structure of Policies.
Policies provided by Panorama assume the top and the bottom of the overall policy list, with any local firewall policies inserted in the middle. The first and last policies have the most power during evaluations.
How are policies evaluated?
These are evaluated from the top down. Thus, the Panorama policies will get the first and last view of the traffic.
What tools are available to a superuser to require a description, audit comment, or tag when a rule in the policy rule base is created or edited?
The Rule Tag and Description Enforcement tools or features enable a superuser to require these.
True or False: If a duplicated object is in device groups, the lower-level device group in the inheritance tree will override the higher-level device group object.
True
What is the max number of device groups?
1024 is the max number of these.
When you create the first device group in Panorama, which two tabs are added to the user interface?
Policies and Objects
In the policy rule hierarchy, what is the order of execution for the first three policy rules?
Shared Pre-Policies
Device Group Hierarchy Pre-Policies
Local Firewall Policies
True or False: Before you can archive rule changes, you need to configure policy rule-base settings to require audit comment on policies.
True
What is the function of the Access domain?
This restricts what the administrator can do, and where. They are the specification of which device groups, templates, and managed firewalls an administrative account can access.
Access domains are relevant to what only?
These are relevant to device group and template admin accounts only
What do Change control locks allow?
These allow administrators to lock specific configuration sections for their exclusive use, which avoids any potential collision with other administrators’ edits.
True or False: Panorama allows two administrators to simultaneously edit the same candidate configuration.
True
True or False: Administrators can have two different admin roles and they can be used to log in to two different domains.
True
True or False: The commit lock is available to gain exclusive access to the Panorama commit operation.
True
True or False: Creation of a Password Profile is a mandatory step when an administrator account is created.
False
What are some design considerations for log storage?
1) Ingestion - How many logs per second are you forwarding to the Panorama appliance? This is the aggregate log forwarding rate for all managed devices.
2) Storage - How much do you need?
3) Retention - How long do you need them?
4) Tolerance for loss of logs - Do you need redundancy? How much log loss can you tolerate?
5) Deployment considerations - Do you want to own and manage your log storage on-premises?
What does Cortex Data Lake provide?
This provides cloud-based, centralized log storage and aggregation for your on-premises and virtual (private cloud and public cloud) firewalls.
What functionality does the Cortex Data Lake provide?
1) Isolation - Data is isolated to avoid any cross-contamination with the data of other customers.
2) Redundancy - Multiple copies of your log database are stored. Each log is stored in two databases and replicated three times, giving you 6 copies of your logs.
3) Regionalization - Logging facilities are in the Americas and Europe. You choose where to forward your data.
4) Scalability
True or False: To enable redundancy in log collector groups, physical log collectors must be able to communicate with less than 25ms of latency.
True
What are the three methods to determine the log rate?
1) If you have a third-party logging solution, get the log count for a full day and divide it by 86,400 (the number of seconds in a day). Repeat for several days, including non-business days.
2) Use data from an evaluation device.
3) Use the Device Log Forwarding table.
What is the equation for log storage capacity?
Storage (TB) = [(logs/sec x 86,400 sec) x number of days] x avg log size in bytes / 1,099,511,627,776 bytes per TB
How many log collectors can be in each collector group?
16 Log Collectors are allowed.
What is the only external service to which Cortex Data Lake can forward logs?
The Syslog external service is the only service to which this can forward logs.
At what rate does high-speed log forwarding need to be enabled?
High-speed log forwarding needs to be enabled at a rate of 120,000 logs per second (LPS).
True or False: You can export Panorama logs to a CSV file, but you cannot import the CSV file back into Panorama.
True
By what two sources can reports and displays on Panorama be populated?
1) Panorama local data
2) Remote device data
What is Panorama local data?
Data forwarded from the firewalls.
Data received after querying dedicated Log Collectors or Cortex Data Lake.
This source is recommended for faster performance.
What is Remote device data?
Data that is stored on a firewall but that can be accessed through remote query from Panorama.
Explain a Summary database
These databases are available for Application Statistics, Threat, Traffic, Tunnel Inspection, and URL Filtering logs. The firewall aggregates the detailed logs every 15 minutes.
How can detailed Traffic log data from managed firewalls be displayed on a Panorama appliance?
Configure firewalls to forward detailed traffic events to Panorama.
What configuration activity allows summary log data to flow to Panorama?
Configure a firewall to be managed by Panorama.
Application Command Center data is updated at which frequency?
Every 15 minutes
Panorama Interconnect
This is a new Interconnect plugin that enables a central Panorama controller instance to manage multiple Panorama nodes. A maximum of 64 nodes can be managed, so this configuration can support 64,000 firewalls centrally managed by Panorama.
True or False: You cannot migrate the logs because the log format on the Pano virtual appliance is incompatible with that on M-Series appliances.
True
True or False: HA pairs do not need to be identical Panorama platforms with identical licensing and capacities.
False: They do need to be identical.
If the individual appliances of an HA pair are in physically different locations, what is recommended for the transfer of information between them?
It is recommended you enable encryption.
What is the Monitor Hold Time in reference to HA pairs?
This is the number of milliseconds that a Panorama primary appliance can be in a nonfunctional state before becoming passive. This value is applied when heartbeat or hello messages are missed.
What interface encrypts communication between HA peers?
The MGT interface is responsible for this.
What ports are utilized in HA connectivity with and without encryption enabled?
Encryption enabled = port 28
Encryption not enabled = port 28769 or 28260