- Email support@dumps4free.com
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
A. A self-signed Certificate Authority certificate generated by the firewall
B. A Machine Certificate for the firewall signed by the organization's PKI
C. A web server certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI
Explanation: Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
A. Financial, health, and government traffic categories
B. Known traffic categories
C. Known malicious IP space
D. Public-facing servers,
E. Less-trusted internal IP subnets
An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user. What configuration change is necessary to implement this troubleshooting solution for the user?
A. Enable SSL tunnel within the GlobalProtect gateway remote user's settings.
B. Modify the user's client to prioritize UDP traffic for GlobalProtect.
C. Enable SSL tunnel over TCP in a new agent configuration for the specific user.
D. Increase the user's VPN bandwidth allocation in the GlobalProtect settings.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
A. Set the passive link state to shutdown".
B. Disable config sync.
C. Disable the HA2 link.
D. Disable HA.
Explanation:
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a
feature that enables the firewalls in an HA pair to synchronize their configurations and
maintain consistency. However, when you import the configuration of an HA pair into
Panorama, you want to avoid any changes to the firewall configuration until you verify and
commit the imported configuration on Panorama. Therefore, you should disable config sync
before importing the configuration, and re-enable it after committing the changes on
Panorama12.
References: Migrate a Firewall HA Pair to Panorama Management, PCNSE
Study Guide (page 50)
An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?
A. Proxy IDs
B. GRE Encapsulation
C. Tunnel Monitor
D. ToS Header
| Page 14 out of 59 Pages |
| Previous |