Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 26

To allow the firewall to communicate with the User-ID agent, you need to configure a custom service route for the UID Agent23. A custom service route allows you to specify which interface and source IP address the firewall uses to connect to a specific destination service. By default, the firewall uses its management interface for services such as User-ID, but you can override this behavior by creating a custom service route.

To configure a custom service route for the UID Agent, you need to do the following steps:

Go to Device > Setup > Services and click Service Route Configuration.

In the Service column, select User-ID Agent from the drop-down list.

In the Interface column, select an interface that can reach the User-ID agent server from the dropdown list.

In the Source Address column, select an IP address that belongs to that interface from the drop-down list.

Click OK and Commit your changes.

The correct answer is C. Create a custom service route for UID Agent

The log type that will help the engineer verify whether packet buffer protection was activated is Threat Logs. Threat Logs are logs generated by the Palo Alto Networks firewall when it detects a malicious activity on the network. These logs contain information about the source, destination, and type of threat detected. They also contain information about the packet buffer protection that was activated in response to the detected threat. This information can help the engineer verify that packet buffer protection was activated and determine which actions were taken in response to the detected threat. Packet buffer protection is a feature that prevents packet buffer exhaustion by dropping packets, discarding sessions, or blocking source IP addresses when the packet buffer utilization exceeds a certain threshold. The firewall records these events in the threat log with different threat IDs andnames1. The system log also records an alert event when the packet buffer congestion reaches thealert threshold2. The other types of logs do not show packet buffer protection events. Reference: 1:https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection 2: https://docs.paloaltonetworks.com/pan-os/10- 2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields

To enable split-tunneling by access route, destination domain, and application, you need to configure a split tunnel based on the domain and application on your GlobalProtect gateway2. This allows you to specify which domains and applications are included or excluded from the VPN tunnel.

These three methods are examples of multi-factor authentication that can be used to authenticate access to the firewall. A one-time password is a code that is generated by an authentication app or sent by email or SMS and expires after a single use. A user certificate is a digital credential that is issued by a trusted authority and stored on the user's device. SMS is a text message that is sent tothe user's phone number with a code or a link to verify their identity1. The other methods are notsupported by the firewall for multi-factor authentication. Voice and fingerprint are biometric factorsthat require special hardware and software to capture and analyze. Reference: 1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi- factor-authentication

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dosprotection/zone-defense/packet-buffer-protection

Example output:

> show system state filter-pretty sys.s1.p1.phy

sys.s1.p1.phy: {

link-partner: { },

media: CAT5,

type: Ethernet,

}

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha- timers

Decryption Broker is a feature that allows you to use a Palo Alto Networks firewall as a decryption broker for other security devices in your network1. It works by decrypting traffic on one interface and forwarding it to another interface where it can be inspected by other devices before being reencrypted and sent to its destination2. The firewall acts as a transparent bridge between the two interfaces and does not change the source or destination IP addresses of the traffic2.

To configure Decryption Broker, you need to assign decryption forwarding interfaces (DFIs) to the virtual router that routes the traffic that you want to inspect. The DFIs are used to forward decrypted traffic from one interface to another in a security chain3. A security chain is a set of devices that perform different security functions on the same traffic flow3. You can have multiple security chains for different types of traffic or different segments of your network3.

The reason why you need to assign DFIs to the virtual router that routes the traffic is because Decryption Broker uses routing tables to determine which DFI belongs to which security chain and how to forward traffic between them2. If you assign DFIs to a different virtual router than the one that routes the traffic, Decryption Broker will not be able to find them or forward traffic correctly2.