CCNA Manage Monitor Operate Questions

6 of 81 questions · Page 2/2 · Manage Monitor Operate topic · Answers revealed

76
MCQ · easy

An administrator wants to generate a report that shows the top applications by bandwidth usage over the last week. Which report type should be used to accomplish this?

A. URL Filtering Report
B. Application Report
C. Traffic Report
D. Threat Report
Answer: B

Application Report provides top applications by bandwidth.

Why this answer

The Application Report is designed to provide visibility into application usage, including bandwidth consumption, top applications, and application-level trends over a specified time period. This report type leverages the App-ID engine to classify traffic by application, regardless of port or protocol, making it the correct choice for identifying top applications by bandwidth usage.

Exam trap

The trap here is that candidates often confuse the Traffic Report (which shows raw byte counts) with application-level reporting, failing to realize that only the Application Report uses App-ID to break down bandwidth by application identity rather than by IP or port.

How to eliminate wrong answers

Option A is wrong because the URL Filtering Report focuses on web browsing activity based on URL categories and does not provide application-level bandwidth breakdowns. Option C is wrong because the Traffic Report shows raw traffic volume (bytes, packets, sessions) by source/destination or zone, but it does not natively aggregate or rank by application identity. Option D is wrong because the Threat Report is dedicated to security threats such as intrusions, malware, and vulnerabilities, not application bandwidth usage.

77
Matching · medium

Match each Palo Alto Networks feature to its primary function.

Concepts
Matches

Application identification and control

User and group mapping for policies

Threat prevention including IPS and antivirus

Cloud-based malware analysis

Remote access VPN and mobile security

Why these pairings

These are core features of Palo Alto Networks firewalls.

78
MCQ · hard

A firewall is configured with User-ID using the 'Server Monitoring' method via LDAP. The administrator notices that user-to-IP mappings are only being updated every 60 minutes instead of the configured 15-minute polling interval. The LDAP server is reachable and responds quickly. What configuration parameter is most likely causing the delayed update?

A. The firewall's 'Log Forwarding' profile is slowing down the User-ID process.
B. The 'User-ID' mapping aging time is set to 60 minutes.
C. The 'User-ID Agent' is configured with a 'Timeout' of 60 minutes.
D. The 'Server Monitoring' profile has a 'Retry Interval' set to 60 minutes.
Answer: B

The mapping aging time determines how often the mapping is refreshed; if longer than polling interval, it can override the polling interval.

Why this answer

The User-ID mapping aging time controls how long a user-to-IP mapping remains valid before it is considered stale and must be refreshed. If the aging time is set to 60 minutes, the firewall will not query the LDAP server for a new mapping until that timer expires, regardless of a shorter polling interval. This causes updates to appear only every 60 minutes, matching the symptom described.

Exam trap

The trap here is that candidates confuse the polling interval (how often the firewall checks LDAP) with the aging time (how long a mapping is kept before it must be refreshed), assuming a shorter polling interval always results in faster updates.

How to eliminate wrong answers

Option A is wrong because the Log Forwarding profile is used to send logs to external collectors and has no impact on the User-ID polling or mapping update frequency. Option C is wrong because the User-ID Agent timeout refers to how long the agent waits for a response from the firewall or domain controller, not the interval at which mappings are aged or refreshed. Option D is wrong because the Retry Interval in Server Monitoring defines how long to wait before retrying a failed LDAP query, not the period between successful polls or the aging of existing mappings.

79
Multi-Select · medium

Which THREE of the following are valid actions that can be taken on a dynamic block list entry? (Choose three.)

Select 3 answers
A. Remove an IP address
B. Add an IP address
C. View the list of blocked IPs
D. Add a username to block
E. Convert a dynamic entry to a static entry
Answers: A, B, C

Entries can be removed manually.

Why this answer

Option A is correct because the dynamic block list in PAN-OS allows administrators to remove an IP address from the list using the 'delete' action via the CLI or API. This is a standard operation for managing entries that were automatically added by automated threat prevention features like WildFire or AutoFocus.

Exam trap

Palo Alto Networks often tests the misconception that the dynamic block list supports usernames or can convert entries to static, but the list is strictly IP-based and temporary by design.

80
Multi-Select · easy

A systems administrator needs to configure log forwarding to an external syslog server for Security policies. Which two actions are required to achieve this? (Choose two.)

Select 2 answers
A. Create a syslog server profile under Device > Server Profiles > Syslog.
B. Create an SNMP trap profile under Device > Server Profiles > SNMP Trap.
C. Directly apply the syslog server profile to each Security policy rule.
D. Enable log forwarding under the firewall's Device > Setup > Logging and Reporting settings.
E. Create a Log Forwarding profile that references the syslog server profile and apply it to Security policy rules.
Answers: A, E

A syslog server profile is required to define the destination syslog server.

Why this answer

To forward logs to an external syslog server, you must first create a syslog server profile under Device > Server Profiles > Syslog (option A). Then, you need to create a Log Forwarding profile that references that server profile and apply it to the Security policy rules (option E). Options B, C, and D are incorrect because SNMP traps are for different purposes, you cannot apply a server profile directly to a rule, and there is no global log forwarding setting.

81
MCQ · easy

The traffic log shows a threat severity 'medium' and the threat log shows action 'allow' for the same session. What is the most likely reason that the threat was allowed?

A. The security policy rule that matched this traffic is configured to allow the threat.
B. The action 'allow' in the threat log is misleading; the traffic was actually blocked.
C. The threat was not detected by the firewall.
D. The threat log does not record blocked threats.
Answer: A

The profile for that rule likely has an 'allow' action for this threat.

Why this answer

The threat log shows action 'allow' because the security policy rule that matched the session is configured with an action of 'allow'. When a threat is detected but the security rule permits the traffic, the firewall still allows the session to pass, and the threat is logged with the action taken by the rule. This is a common scenario where the firewall's threat prevention profile is set to 'alert' rather than 'block', or the rule's action overrides the threat action.

Exam trap

The trap here is that candidates assume the threat log action reflects the threat prevention profile's action (e.g., block), but it actually reflects the security policy rule's action, leading them to incorrectly think the threat was not detected or that the log is misleading.

How to eliminate wrong answers

Option B is wrong because the threat log action 'allow' accurately reflects that the firewall permitted the traffic; it is not misleading, as the firewall logs the actual action taken. Option C is wrong because the threat log entry itself confirms that the threat was detected (severity 'medium' is recorded), so the threat was indeed detected. Option D is wrong because the threat log does record blocked threats; if a threat were blocked, the action would show 'block' or 'reset-both', not 'allow'.
