EXAM

Question 1

What is the LAST step of packet processing in the firewall?

Answer 1

checking Security Profiles

Question 2

Which interface type requires you to configure where the next hop is for various addresses?

Answer 2

Layer 3

Question 3

How do you enable the firewall to be managed through a data-plane interface?

Answer 3

You specify HTTPS in the Interface Management Profile, and then specify in the interface properties to use that profile

Question 4

Some devices managed by Panorama have their external interface on ethernet1/1, some on ethernet1/2. However, the zone definitions for the external zone are identical. What is the recommended solution in this case?

Answer 4

Create two templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices. Use the same external zone definitions in both. Apply those two templates to the appropriate devices.

Question 5

In a Panorama managed environment, which two options show the correct order of policy evaluation? (Choose two.)

Answer 5

1. ) device group pre-rules, local firewall rules, device group post-rules,shared post-rules, intrazone-default, interzone-default
2. ). shared pre-rules, device group pre-rules, local firewall rules, intrazone-default, interzone-default

Question 6

When you deploy the Palo Alto Networks NGFW on NSX, how many virtual network interfaces does a VM-Series firewall need?

Answer 6

. three, one for traffic input, one for traffic output, and one for management traffic

Question 7

Which source of user information is NOT supported by the NGFW?

Answer 7

RACF

Question 8

What is the main mechanism of packet-based vulnerability attacks?

Answer 8

malformed packets that trigger software bugs when they are received

Question 9

Which method is not a PAN-OS software decryption method?

Answer 9

SSL Proxy

Question 10

What type of identification does an Application Override policy override?

Answer 10

App-ID

Question 11

Which two types of protocols can cause an insufficient data value in the Application field in the Traffic log? (Choose two.)

Answer 11

UDP & TCP

Question 12

Which three profile types are used to prevent malware executables from entering the network?

Answer 12

Anti-virus
WildFire Analysis
File Blocking

Question 13

Which user credential detection method does not require access to an external directory?

Answer 13

Certificate

Question 14

When destination NAT rules are configured, the associated security rule is matched using which parameters?

Answer 14

pre-NAT source zone and post-NAT destination zone

Question 15

What is the initial IP address for the management interface?

Answer 15

192.168.1.1

Question 16

In a new firewall, which port provides web interface access by default?

Answer 16

management port

Question 17

Which application requires you to import private keys?

Answer 17

SSL Inbound Inspection

Question 18

Under which conditions can two Layer 3 interfaces have the same IP address?

Answer 18

This feature is not supported.

Question 19

Which two protocols are supported for site-to-site VPNs? (Choose two.)

Answer 19

(AH) - Authentication Header

(ESP) - Encapsulating Security Payload

Question 20

GlobalProtect Portal is responsible for which two functions? (Choose two.)

Answer 20

1. ) authenticating (GP) GlobalProtect users

2. ) managing and updating (GP) GlobalProtect client configurations

Question 21

What is the preferred SYN flood defense action type?

Answer 21

SYN Cookies

Question 22

What would be a valid reason to allow non-SYN TCP packets at the start of a connection?

Answer 22

Load-balancing

Question 23

Where do you configure protection from malformed IP and TCP headers?

Answer 23

Zone Protection Profile

Question 24

Which parameter is not a valid criterion for the original packet in address translation?

Answer 24

application

Question 25

Which parameter in a Security policy rule do you use to apply a rule to traffic coming in from a specific interface?

Answer 25

source zone

Question 26

Where do you specify that certain URL categories are not to be decrypted?

Answer 26

Decryption policy

Question 27

Which two public cloud environments support pay-as-you-go (PAYG) firewall licensing? (Choose two.)

Answer 27

1. ) Microsoft Azure

2. ) Amazon AWS

Question 28

Which log type gets redirected in Device > Log Settings?

Answer 28

Config

Question 29

Which tab of the firewall web interface gives you a consolidated picture of the security situation and the top-level threats?

Answer 29

ACC

Question 30

A customer’s custom application uses SMTP (email) to transfer directory information, which needs to be filtered in a different manner from normal SMTP. How do you configure this filtering?

Answer 30

Create a custom signature and specify the SMTP fields that are different from normal SMTP use and patterns to identify when it is the custom application.

Question 31

Which kind of update requires a disruption in connectivity?

Answer 31

PAN-OS software

Question 32

Which dedicated High Availability port is used for which plane?

Answer 32

HA1 for the management plane, HA2 for the data plane

Question 33

Which two protocols can AutoFocus use to retrieve log information from an NGFW? (Choose two.)

Answer 33

1. ) HTTP

2. ) HTTPS

Question 34

. Palo Alto Networks publishes new applications at which approximate interval?

Answer 34

weekly

Question 35

Which type of device can receive the GlobalProtect data files content update?

Answer 35

firewall

Question 36

. In which log will you see evidence that an administrator cannot log in to the firewall?

Answer 36

system

Question 37

How do you reboot the firewall from the command line?

Answer 37

request restart system

Question 38

Where in the user interface do you configure how many packets to capture when the extended-capture option is selected in an Anti-Spyware Profile or Vulnerability Profile?

Answer 38

Capturing options for each capture file

Question 39

You are preparing a bootstrap template for use with a VM-Series firewall hosted in a public cloud. You don’t need to include the Content-ID files because the firewall will download the latest version when it is booted anyway. How do you configure the bootstrap’s content directory?

Answer 39

add an empty file to it named no-download

Question 40

Which format do you use for an AWS CloudFormation Template?

Answer 40

JSON

Question 41

In which order are Security policy rules from Panorama processed relative to local firewall policy rules?

Answer 41

Some rules are processed before the firewall’s local rules, some are processed after the local rules.

Question 42

Which statement is true about Security Profiles?

Answer 42

. They enable a specific type of threat scanning (e.g., Virus, Spyware).

Question 43

Which Captive Portal authentication method can be handled by the browser without affecting the user experience?

Answer 43

browser-challenge

Question 44

The firewall of a defense contractor is not connected to the internet. However, it is connected to the classified SIPRNet. The contractor is concerned about getting malware files through that network. Can this defense contractor use the WildFire service for protection?

Answer 44

. Yes, it can use a WF-500 appliance.

Question 45

How does the NGFW handle excess packets when there are QoS constraints?

Answer 45

It drops a percentage of them randomly

Question 46

Which function is performed by the management plane?

Answer 46

User-ID group lookups

Question 47

Which feature of the NGFW enables you to identify attempts to tunnel SSH over other ports?

Answer 47

App-ID

Question 48

What is the correct order of operations?

Answer 48

check allowed ports, decrypt (if traffic is encrypted and the policy specifies to decrypt it), check Security policy, check Security Profiles, re-encrypt traffic