Exam Flashcards
On the Next Generation firewall, DNS sinkhole allows administration to quickly identify infected host on the network using DNS traffic.
True
What two interface types on the Next Generation firewall provide support for Network Address Translation?
Layer 3 and Virtual Wire
Which URL filtering security profile action logs the category to the URL filtering log?
Alert
Which is the correct URL matching order on a Palo Alto Networks Next Generation Firewall?
Block, Allow, Custom URL, External
Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.
False
In which stage of the Cyber Attack Lifecycle model do attackers gain access “inside” an organization and activate attack code on the victim’s host and ultimately take control of the target machine?
Exploitation
What type of interface allows the Next Generation firewall to provide switching between two or more networks?
Layer 2
Which Next Generation FW configuration type has settings active on the firewall?
Running
In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for Wildfire updates?
5 Minutes
What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
Application-default
Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign on the network topology?
Virtual Wire
When creating an application filter, which of the following is true?
They are called dynamic because they will automatically include new applications from an application signature update if the new application’s type is included in the filter
On the Next Generation firewall, what type of security profile detects infected files being transferred with the application.
Anti-Virus
What should be configured as the destination zone on the original packet tab of the NAT Policy rule in the Next Generation firewall?
Untrust-L3
On the Next Generation firewall, If there is a NAT policy, there must also be a security policy.
True
Which Palo Alto Networks Next Generation Firewall URL Category Action sends a response page to the user’s browser that prompts the user for the administrator-defined override password, and logs the action to the URL Filtering log?
Override
A “continue” action can be configured on the following security profiles in the Next Generation firewalls
URL Filtering and File Blocking
What is the benefit of enabling the “passive DNS monitoring” checkbox on the Next Generation firewall?
- Improved malware detection in Wildfire
- Improved DNS based command and control
signatures - Improved PAN DB malware detection
Which Next Generation Firewall URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option.
Safe Search Enforcement
What action will show whether a downloaded PDF file from a user has been blocked by a security profile on the Next Generation firewall?
Filter the data filtering logs for the user’s traffic and the name of the PDF file.
Without a Wildfire subscription, which of the following les can be submitted by the Next Generation Firewall to the hosted Wild re virtualized sandbox?
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
Which of the following services are enabled on the
Next Generation firewall MGT interface by default
HTTPS, SSH, Telnet
Traffic protection from external locations where the egress point is the perimeter is commonly referred to as “North-South” traffic.
True
What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?
Application Command Center (ACC)
Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
deviceadmin
What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)?
Network Traffic,
Threat Activity,
Blocked Activity
What is the maximum size of .EXE files uploaded from the Next Generation firewall to Wildfire?
Configuration up to 10 megabytes
Which NGFW security policy rule applies to all
matching traffic within the specified source zones?
Intrazone
Which built-in role on the Next Generation firewall is the same as superuser except for creation of administration accounts?
deviceadmin
To properly configure DOS protection to limit the number of sessions individually from specific source IPS you would configure a DOS Protection rule with the following characteristics
Action: Protect, Classified
Profile with “Resources Protection” configured, and
Classified Address with “source-ip-only” configured
Which Next Generation VM Series Model requires a minimum of 16 GB of memory and 60 GB of dedicated disk drive capacity?
VM-500
Which of the following is a routing protocol supported in a Next Generation firewall
RIPV2
In a Next Generation firewall, how many packet does it take to identify the application in a TCP exchange?
Four or Five
Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall?
Application Identification (App-ID) Content Identification (Content-ID) User Identification (User-ID)
In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.
True
On the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.
True
When using config audit to compare configuration files on a Next Generation firewall, what does the yellow indication reveal?
Change
Security policy rules on the Next Generation Firewall specify a source and a destination interface
False
Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule?
Dynamic IP and Port
Which command will reset a next generation firewall to its factory default settings if you know the admin account password?
request system private-data-reset
All of the interfaces on a Next Generation Firewall must be of the same interface type.
False
In addition to routing to other network devices, virtual routers on the Next Generation Firewall can route to other virtual routers.
True
Which feature can be configured with an IPv6 address?
Static Route
Which Next Generation Firewall feature
protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information
Aperture
Traffic going to a public IP address is being translated by a Next Generation firewall to an Internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server.
The server public IP
What component of the Next Generation Firewall will protect from port scans?
Zone Protection
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption profile in decryption policy
What is default setting for “Action” in a decryption policy rule?
No-decrypt
Which type of Next Generation Firewall decryption
inspects SSL traffic between an internal host and
an external web server?
SSL Forward Proxy
When SSL encrypted traffic first arrives at the Next
Generation Firewall, which technology initially
identifies the application as web-browsing?
App-ID
On the Next Generation Firewall, which is the first configuration step for SSL Forward Proxy
decryption?
Forward Trust Certificate
Which type of Next Generation Firewall decryption inspects SSL traffic coming from external users to internal servers?
SSL Inbound Inspection
In the Next Generation Firewall, even if the Decryption policy rule action is “no-decrypt,” the Decryption Profile attached to the rule can still be configured to block sessions with expired or untrusted certificates.
True
What is the prerequisite for configuring a pair of Next Generation firewalls in an Active/Passive High Availability (HA) pair?
The firewalls must have the same set of licenses
The firewalls in an HA pair can be assigned a Device Priority value to indicate a preference for which firewall should assume the active role. If you need to designate a specific firewall in the HA pair as the active firewall, you must enable the preemptive behavior on both the firewalls and assign a Device Priority value for each firewall. The Firewall with which Device Priority value is designated as the higher priority and active firewall?
Lower
During which Palo Alto Networks Active/Passive Firewall Sate is normal traffic discarded?
Passive
During the Palo Alto Networks Active/Passive HA Pair Start-Up, the firewall remains in the INITIAL state after boot-up until it discovers a peer and negotiations begin. After how long of a timeout does the firewall become ACTIVE if HA negotiation has not started?
60-seconds
Which Palo Alto Networks High Availability configuration is not designed to increase throughput?
Active/Active
What mechanism on a Next Generation firewall is used to trigger a High Availability failover if the interface goes down?
Link monitoring
To enable High Availability on a Palo Alto Networks device, both firewalls must be the same model.
True
In which Palo Alto Networks GlobalProtect client connection method does the user explicitly initiate the connection?
On-demand
Which Palo Alto Networks GlobalProtect component is responsible for coordinating communications and interaction between all other GlobalProtect components?
Portal
Which Palo Alto Networks GlobalProtect deployment component provides security enforcement for traffic from GlobalProtect agents and applications?
Gateway
On a Palo Alto Networks Firewall, what is the maximum number of IPsec tunnels that can be associated with a tunnel interface?
10
What three basic requirements are necessary to create a VPN in the Next Generation firewall
Create the tunnel interface, Configure he IPSec tunnel, Add a static route
In the Palo Alto Networks GlobalProtect connection sequence, there is direct communication among gateways or between gateways and portals.
False
Virtual Private Networks (VPNs) allow systems to connect securely over public networks as if they were connecting over a Local Area Network (LAN).
True
In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display?
Global
What feature on the Next Generation firewall can be used to identify, in real time, the application staking up the most bandwidth?
Application Command Center (ACC)
What are the three pre-defined tabs in the Next Generation firewall Application Command Center(ACC)?
Network Traffic, Threat Activity, Blocked Activity
In the Palo Alto Networks Firewall WebUI, which type of report can be compiled into a single emailed PDF?
Group
On the Palo Alto Networks Next Generation Firewall, which is the default port for transporting Syslog traffic?
6514
What are two sources of information for determining whether the Next Generation firewall has been successful in communication with an external User-ID Agent?
System logs and the indicator light under the User-ID Agent settings in the firewall
For the Palo Alto Networks Next Generation Firewall to access a Global Catalog server, LDAP must be set to communicate with which port?
3268
Which Palo alto Networks User-ID component runs on Microsoft and Citrix terminal servers?
Palo Alto Networks Terminal Services agent
Which User-ID component and mapping method is recommended for web clients that do not use the domain server?
Captive Portal
Which port does the Palo Alto Networks Windows-based User-ID agent use by default?
TCP port 5007
What options are available for selecting users for a security policy on the Next Generation firewall?
Pre-logon, Known-user, Unknown-user
The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement.
True
On the Next Generation firewall, what type of security profile detects infected files being transferred with the application.
Anti-Virus
Which Wildfire verdict includes viruses, worms, trojans, remote access tools, rootkits, and botnets?
Malware
Which CLI command is used to verify successful file uploads to Wildfire?
debug wildfire upload-log show
Which WildFire verdict indicates no security threat but might display obtrusive behavior?
Grayware
If a file type is matched in the File Blocking Profile and Wildfire Analysis Profile, and if the File Blocking Profile action is set to “block,” then the file is not forwarded to WildFire.
True
Without a Wildfire subscription, which of the following files can be submitted by the Next Generation Firewall to the hosted Wildfire virtualized sandbox?
PE Files Only
What are two sources of information for determining whether the Next Generation firewall has been successful in communicating with an external User-ID Agent?
System Logs and the indicator light under the User-ID Agent settings in the firewall
Which Palo alto Networks User-ID component runs on Microsoft and Citrix terminal servers?
Palo Alto Networks Terminal Services agent
Which is the 3rd message used to acquire a certificate using the Public Key Infrastructure (PKI) Certificate Signing Request (CSR) process?
Applicant sends signed information and public key
What is default setting for “Action” in a decryption policy rule?
None
In the Public Key Infrastructure (PKI) hierarchy, what does the issuing Certificate Authority (CA) use to prevent tampering of the hash value and other critical information in the certificate?
Private Key Encryption
Which type of patch management technology has one or more servers that perform network scanning of each host to be patched and determine what patches each host needs?
Agentless Scanning
Which type of monitoring technologies for patch management monitor local network traffic to identify applications (and in some cases, operating systems) that are in need of patching?
Passive Network Monitoring
A security control assessment is the testing and/or evaluation of the management, operational, and technical security controls on a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
True