Exam Domain 1 - Plan Flashcards

1
Q
1. Which component of the integrated Palo Alto Networks security solution limits network attached workstation access to a corporate mainframe?
A. threat intelligence cloud
B. advanced endpoint protection
C. next-generation firewall
D. tunnel inspection
A

C. next-generation firewall

2
Q
2. Which Palo Alto Networks product is designed primarily to provide threat context with deeper information about attacks?
A. Prisma Cloud
B. WildFire
C. AutoFocus
D. Threat Prevention
A

C. AutoFocus

3
Q
3. Which Palo Alto Networks product is designed primarily to provide normalization of threat intelligence feeds with the potential for automated response?
A. MineMeld
B. WildFire
C. AutoFocus
D. Threat Prevention
A

A. MineMeld

4
Q
4. Which Palo Alto Networks product is designed primarily to prevent endpoints from successfully running malware programs?
A. GlobalProtect
B. Cortex XDR – Analytics
C. Cortex XDR
D. Prisma Cloud
A

C. Cortex XDR

5
Q
5. The Palo Alto Networks Cortex Data Lake can accept logging data from which two products?  (Choose two.)
A. Cortex XDR
B. next-generation firewalls
C. Prisma SaaS
D. MineMeld
E. AutoFocus
A

A. Cortex XDR

B. next-generation firewalls

6
Q
6. Which Palo Alto Networks product is a cloud-based storage service designed to hold log information?
A. Prisma Cloud
B. Cortex XDR
C. next-generation firewall
D. Cortex Data Lake
A

D. Cortex Data Lake

7
Q
7. Which product is an example of an application designed to analyze Cortex Data Lake information?
A. Cortex XDR – Analytics
B. Prisma Cloud
C. Cortex XDR – Automated Response
D. AutoFocus
A

A. Cortex XDR – Analytics

8
Q
8. A potential customer says it wants to maximize the threat detection capability of its next-generation firewall. Which three additional services should it consider implementing to enhance its firewall’s capability to detect threats? (Choose three.)
A. Cortex XDR
B. WildFire
C. URL Filtering
D. Expedition
E. DNS Security
A

B. WildFire
C. URL Filtering

E. DNS Security

9
Q
9. A VM-Series virtual firewall differs from a physical Palo Alto Networks firewall in which way?
A. A VM-Series firewall cannot be managed by Panorama.
B. A VM-Series firewall supports fewer traffic interface types.
C. A VM-Series firewall cannot terminate VPN site-to-site tunnels.
D. A VM-Series firewall cannot use dynamic routing protocols.
A

B. A VM-Series firewall supports fewer traffic interface types.

10
Q
10. Which product would best secure east-west traffic within a public cloud implementation?
A. Prisma Cloud
B. MineMeld
C. VM-Series firewall
D. Cortex
A

C. VM-Series firewall

11
Q
11. Why would you recommend an active/active firewall pair instead of an active/passive firewall pair?
A. Active/active is the preferred solution when the firewall pair is behind a load balancer that randomizes routing, thus requiring both firewalls to be active.
B. Active/active usually is the preferred solution because it allows for more bandwidth while both firewalls are up.
C. Active/active is the preferred solution when the PA-7000 Series is used. Use active/passive with the PA-5200 Series or smaller form factors.
D. Active/active is the preferred solution when the PA-5200 Series or smaller form factors are used. Use active/passive with the PA-7000 Series.
A

A. Active/active is the preferred solution when the firewall pair is behind a load balancer that randomizes routing, thus requiring both firewalls to be active.

12
Q
12. Which two events can trigger an HA pair failover event? (Choose two.)
A. An HA1 cable is disconnected from one of the firewalls.
B. A dynamic update fails to download and install.
C. The firewall fails to ping a path-monitored destination address successfully.
D. OSPF implemented on the firewall determines that an available route is now down.
E. RIP implemented on the firewall determines that an available route is now down.
A

A. An HA1 cable is disconnected from one of the firewalls.

C. The firewall fails to ping a path-monitored destination address successfully.

13
Q
13. Which two firewall features support floating IP addresses in an active/active HA pair? (Choose two.)
A. data-plane traffic interfaces
B. source NAT
C. VPN endpoints
D. loopback interfaces
E. management port
A

B. source NAT

C. VPN endpoints

14
Q
14. How are firewall configurations in an active/passive HA pair synchronized if the firewalls are not under Panorama control?
A. An administrator commits the changes to one, then commits them to the partner, at which time the changes are sent to the other.
B. An administrator pushes the configuration file to both firewalls, then commits them.
C. An administrator commits changes to one, which automatically synchronizes with the other.
D. An administrator schedules an automatic sync frequency in the firewall configurations.
A

C. An administrator commits changes to one, which automatically synchronizes with the other.

15
Q
15. In which two ways is an active/passive HA pair configured in virtual firewalls deployed in any public clouds? (Choose two.)
A. The virtual firewalls are deployed in a cloud “scale set” with a cloud-supplied load balancer in front to detect and manage failover.
B. The virtual firewalls rely on a VM-Series plugin to map appropriate cloud functions to the firewall’s HA settings.
C. Virtual firewalls use PAN-OS HA configuration combined with appropriate cloud deployments of interfaces for HA use.
D. The virtual firewalls use an HA Compatibility module for the appropriate cloud technology
A

A. The virtual firewalls are deployed in a cloud “scale set” with a cloud-supplied load balancer in front to detect and manage failover.
B. The virtual firewalls rely on a VM-Series plugin to map appropriate cloud functions to the firewall’s HA settings.

16
Q
16. Without having to make network address configuration changes, you would use which type of network interface to insert a Palo Alto Networks firewall in front of a legacy port-based firewall to collect application information from incoming network traffic?
A. VLAN
B. tunnel
C. tap
D. virtual wire
E. Layer 2
F. Layer 3
A

D. virtual wire

17
Q
17. Which type of interface do you use to connect Layer 2 and Layer 3 interfaces?
A. VLAN
B. tunnel
C. tap
D. virtual wire
E. Layer 2
F. Layer 3
A

A. VLAN

18
Q
18. Which three types of interfaces can the firewall’s management web interface be bound to? (Choose three.)
A. VLAN
B. tunnel
C. tap
D. virtual wire
E. Layer 2
F. Layer 3
A

A. VLAN
B. tunnel

F. Layer 3

19
Q
19. Which three types of interfaces connect to a virtual router? (Choose three.)
A. VLAN
B. tunnel
C. tap
D. virtual wire
E. Layer 2
F. Layer 3
A

A. VLAN
B. tunnel

F. Layer 3

20
Q
20. Which dynamic routing protocol is not supported by the Palo Alto Networks firewall?
A. RIP
B. OSPF
C. OSPFv3
D. IGRP
E. BGP
A

D. IGRP

21
Q
21. Which action is not compatible with aggregate interface configuration?
A. aggregating 18 Layer 3 interfaces
B. aggregating four virtual wire interfaces
C. aggregating interfaces in an HA pair
D. aggregating two 10Gbps optical and two 10Gbps copper Ethernet ports
A

A. aggregating 18 Layer 3 interfaces

22
Q
22. In a Panorama environment, how do you create and view enterprise-wide reports that include data from all managed firewalls?
A. Run Panorama reports normally. Firewall summary reporting information is gathered automatically once the firewalls are managed by Panorama.
B. Configure log forwarding on the managed firewalls to forward logs to Panorama using syslog formatting.
C. Run custom Panorama reports and select remote logs as the information source.
D. Run custom Panorama reports and select log collector as the information source.
A

A. Run Panorama reports normally. Firewall summary reporting information is gathered automatically once the firewalls are managed by Panorama.

23
Q
23. What must you configure to guarantee duplication of log data on Log Collectors?
A. Log Collector settings to include “Replicate Data”
B. Panorama HA settings to include “Duplicate Logs”
C. Log Collector settings to include “Enable log redundancy”
D. log forwarding settings of firewalls for two Log Collector destinations
A

C. Log Collector settings to include “Enable log redundancy”

24
Q
24. Which three devices can be used as Log Collectors? (Choose three.)
A. Virtual Panorama
B. PA-220R
C. M-600
D. M-200
E. VM-300LC
A

A. Virtual Panorama

C. M-600
D. M-200

25
25. Which statement is true regarding Log Collecting in a Panorama HA pair? A. Both Panoramas cannot be configured to collect logs. B. Log collecting is handled by the active HA Panorama until a failover occurs. C. Both Panoramas collect independent logging traffic and are not affected by failover. D. Both Panoramas receive the same logging traffic and synchronize in case of HA failover.
C. Both Panoramas collect independent logging traffic and are not affected by failover.
26
26. How are log retention periods on Palo Alto Networks firewalls increased? A. add storage to any firewall model B. increase the allocation for overall log storage within the firewall C. turn on log compression D. forward logs to external Log Collectors
D. forward logs to external Log Collectors
27
27. How do you access and view firewall log data sent to the Cortex Data Lake? A. direct viewing and searching with the Cortex gateway B. Panorama using a Log Collector configuration for access C. reporting in a firewall using a “remote data source” configuration D. reporting in a firewall equipped with a “Remote Logging” plugin
B. Panorama using a Log Collector configuration for access
28
28. Log retention is increased when a Dedicated Log Collector is used to collect logs from firewalls in which two ways? (Choose two.) A. turning on “Log Compression” in the Log Collector B. adding storage capacity to the Log Collector C. enabling “Log Storage Sharing” between the Log Collector and Panorama D. adding Log Collectors to the Log Collector Group
B. adding storage capacity to the Log Collector D. adding Log Collectors to the Log Collector Group
29
29. The Security policy for all of a customer’s remote offices is the same, but different offices have different firewall models. If the remote offices are managed by Panorama, how might the offices share device groups and templates? A. same device group and same template stack B. same device group, different template stacks C. different device groups, same template stack D. different device groups and different template stacks
B. same device group, different template stacks
30
30. A Panorama template stack contains two templates and one configuration setting has a different value in each template. When Panorama pushes the template stack to the managed firewalls, which setting value will the firewalls receive? A. value from the top template of the stack B. value from the bottom template in the stack C. value from the template designated as the parent D. value an administrator selects from the two available values
A. value from the top template of the stack
31
31. Which two firewall settings are stored in Panorama templates? (Choose two.) A. custom Application-ID signatures B. Server Profile for an external LDAP server C. services definitions D. DoS Protection Profiles E. data-plane interface configurations
B. Server Profile for an external LDAP server E. data-plane interface configurations
32
32. Where in Panorama do you enter Security policy rules to ensure that your new rules will take precedence over locally entered rules? A. Security policy rules with a targeted firewall B. default rules section of Security policy rules C. pre-rules section of Security policy rules D. post-rules section of Security policy rules
C. pre-rules section of Security policy rules
33
33. In Panorama, how would you make changes to a Security policy rule for a specific firewall? A. log in to Panorama, clone the rule, modify the clone, and add a target firewall to the new rule B. select the rule, click the override button, and enter the changes C. create a new locally defined Security policy rule that is placed higher in the rule list than the rule to be overridden D. log in to Panorama and modify the original rule
A. log in to Panorama, clone the rule, modify the clone, and add a target firewall to the new rule
34
34. Which three firewall settings are stored in Panorama device groups? (Choose three.) A. User Identification configuration B. custom Application-ID signatures C. services definitions D. DoS Protection Profiles E. data-plane interface configurations F. Zone Protection Profiles G. Server Profile for an external LDAP server
B. custom Application-ID signatures C. services definitions D. DoS Protection Profiles
35
35. Which part of a VM-Series firewall should be updated to provide maximum feature support for a public cloud? A. latest PAN-OS update B. latest VM-Series plugin C. capacity license for the target public cloud. D. latest dynamic updates appropriate for the implemented PAN-OS version
B. latest VM-Series plugin
36
36. Which two types of firewall interfaces are most likely to be supported in public cloud deployments? (Choose two.) A. tap B. virtual wire C. Layer 3 D. tunnel E. aggregate Ethernet
C. Layer 3 | D. tunnel
37
37. From where can you buy and download a VM-Series virtual firewall appliance for a public cloud deployment? A. Palo Alto Networks Support Portal B. cloud vendor’s “Solution Marketplace” C. Using the download link supplied on the same site as the license server D. Palo Alto Networks Product Download portal
B. cloud vendor’s “Solution Marketplace”
38
38. Which two conditions must be met to manage Palo Alto Networks firewalls deployed in multiple cloud environments from a central Panorama? (Choose two.) A. The Panorama and firewall must be able to communicate. B. The Panorama must be licensed for each cloud environment containing managed firewalls. C. The firewalls must have the latest VM-Series plugin installed. D. The firewalls and Panorama must be running the same version of PAN-OS software. E. Firewalls must be running a version of PAN-OS software equal to or less than that on Panorama.
A. The Panorama and firewall must be able to communicate. E. Firewalls must be running a version of PAN-OS software equal to or less than that on Panorama.
39
39. A private cloud has 20 VLANs spread over five ESXi hypervisors, managed by a single vCenter. How many firewall VMs are needed to implement micro-segmentation? A. one B. four C. five D. 20
C. five
40
40. When you deploy the Palo Alto Networks NGFW on NSX, packets coming to an application VM from VMs running on different hardware go through which modules? A. network, vSwitch, NSX firewall, Palo Alto Networks NGFW, application VM B. network, vSwitch, Palo Alto Networks NGFW, NSX firewall, application VM C. network, vSwitch, NSX firewall, Palo Alto Networks NGFW, NSX firewall, application VM D. vSwitch, network, Palo Alto Networks NGFW, NSX firewall, application VM
C. network, vSwitch, NSX firewall, Palo Alto Networks NGFW, NSX firewall, application VM
41
41. Which option shows the interface types that ESXi supports in the VM-Series firewalls? A. tap, Layer 2, Layer 3, virtual wire B. Layer 3 only C. tap, Layer 2, Layer 3 D. Layer 3, virtual wire
A. tap, Layer 2, Layer 3, virtual wire
42
42. To configure multi-factor authentication for users accessing services through the firewall, which three configuration pieces need to be addressed? (Choose three.) A. GlobalProtect Portal B. Captive Portal C. Authentication Enforcement Profile D. Authentication Profile E. Response pages
B. Captive Portal C. Authentication Enforcement Profile D. Authentication Profile
43
43. Which firewall configuration component is used to configure access to an external authentication service? A. Local User Database B. Server Profiles C. VM Information source D. admin roles E. Authentication policy rules
B. Server Profiles
44
44. Which two firewall functions are reserved only for administrators assigned the superuser dynamic role? (Choose two.) A. managing certificates B. managing firewall admin accounts C. editing the management interface settings D. creating virtual systems within a firewall E. accessing the configuration mode of the CLI
B. managing firewall admin accounts D. creating virtual systems within a firewall
45
45. A Palo Alto Networks firewall can obtain a certificate for its internal use through which three methods? (Choose three.) A. import a certificate file generated by an external CA B. reference an externally stored certificate by a URL configured in an SSL/TLS Service Profile C. generate a certificate directly by manually entering certificate data D. obtain a certificate from an SCEP server using an SCEP Profile E. importing a certificate from an external CA by using an Authentication Profile
A. import a certificate file generated by an external CA C. generate a certificate directly by manually entering certificate data D. obtain a certificate from an SCEP server using an SCEP Profile
46
46. Which two resources must be available to successfully run certificate validation tests on a certificate received from an external source? (Choose two.) A. Root Certificate of the issuing CA B. public key for the received certificate C. OCSP connection address D. existing Certificate Profile that matches the received certificate’s CA identity
A. Root Certificate of the issuing CA C. OCSP connection address
47
47. The firewall uses which information to determine which interface to use for a packet’s egress? A. manually configured static routes B. routing information base (RIB) C. appropriate Redistribution Profile D. ECMP destination monitoring results
B. routing information base (RIB)
48
48. A legacy virtual router can use a Redistribution Profile to share routes between which three routing protocols? (Choose three.) A. static routes B. IGRP C. RIP D. OSPF E. multicast
A. static routes C. RIP D. OSPF
49
49. How does a firewall determine which route to use when its RIB is populated with multiple routes to the same location, but the routes were added by different routing protocols? A. according to the following precedence of route type: static, RIP, OSPF, BGP B. using the virtual router’s FIB C. using the associated route’s metric and choosing the lowest value D. using the route’s administrative distance and choosing the lowest value
D. using the route’s administrative distance and choosing the lowest value
50
50. For which two reasons are denial-of-service protections applied by zone? (Choose two.) A. because denial-of-service protections are applied early in the processing, before much information is known about the connection but when the ingress interface already is known B. because denial-of-service protections are applied only when manually turned on to avoid quota overload (which would make denial of service easier) C. because denial-of-service protections can depend on only the zone, and never on port numbers or IP addresses D. because denial-of-service protections on a Layer 3 interface are different from the denial-of-service protections available on a Layer 2 interface and interfaces on virtual wires
A. because denial-of-service protections are applied early in the processing, before much information is known about the connection but when the ingress interface already is known B. because denial-of-service protections are applied only when manually turned on to avoid quota overload (which would make denial of service easier)
51
51. SYN flood protection provides flood protection from which protocol? A. UDP B. TCP C. ICMP D. GRE
B. TCP
52
52. To which two protocols does port scan reconnaissance protection apply? (Choose two.) A. UDP B. TCP C. GRE D. ICMP E. IPX
A. UDP | B. TCP
53
53. In which two places do you configure flood protection? (Choose two.) A. DoS Protection Profile B. QoS Profile C. Zone Protection Profile D. SYN Protection Profile E. XOFF Profile
A. DoS Protection Profile C. Zone Protection Profile
54
54. Which two firewall features should be used to provide tailored DoS protection to a specific address? (Choose two.) A. Zone Protection Profiles B. virtual routers C. Server Profiles D. DoS policy rules E. DoS Protection Profiles
D. DoS policy rules | E. DoS Protection Profiles
55
55. Which feature is not negatively affected by the lack of a Decryption policy? A. antivirus B. App-ID C. file blocking D. network address translation
D. network address translation
56
56. How can the next-generation firewall inform web browsers that a web server’s certificate is from an unknown CA? A. show a “the certificate is untrusted, are you SURE you want to go there” response page before accessing the website B. relay the untrusted certificate directly to the browser C. have two certificates in the firewall, one used for sites whose original certificate is trusted, and the other for sites whose original certificate is untrusted D. have two certificate authority certificates in the firewall, one used to produce certificates for sites whose original certificate is trusted and the other used for certificates for sites whose original certificate is untrusted
D. have two certificate authority certificates in the firewall, one used to produce certificates for sites whose original certificate is trusted and the other used for certificates for sites whose original certificate is untrusted
57
57. Which two firewall features can be used to support an organization’s requirement of decrypting and recording all encrypted traffic? (Choose two.) A. Decryption Broker B. Policy Based Forwarding C. Default Router setting of Forward Cleartext D. Interface setting of Decryption Port Mirroring E. Decryption policy rule action set to Forward Cleartext
A. Decryption Broker D. Interface setting of Decryption Port Mirroring
58
58. An App-ID used in an Application Override policy rule should have which characteristic? A. existing App-ID that uses the same decoder B. new App-ID with no signature information C. new App-ID with the “custom” property set to yes D. any existing App-ID with compatible characteristics
B. new App-ID with no signature information
59
59. Which type of identification is disabled by Application Override? A. Protocol-ID B. User-ID C. Content-ID D. URL Filtering
C. Content-ID
60
60. Application Override is triggered by which configuration setting? A. Custom App-ID B. Application Override policy rule C. Application Override definition in Custom Objects D. Application Filters
B. Application Override policy rule
61
61. Which configuration must be made on the firewall before it can read User-ID-to-IP-address mapping tables from an external source? A. Group Mapping Settings B. Server Monitoring C. Captive Portal D. User-ID Agents
D. User-ID Agents
62
62. For an external device to consume a local User-ID-to-IP-address mapping table, which data is used for authentication between the devices? A. the source device’s Data Redistribution Collector Name and Pre-Shared Key B. User-ID agent’s Server Monitor Account information C. administrators account information on the source device with the User-ID role set D. certificates added to the User-ID agent configuration
A. the source device’s Data Redistribution Collector Name and Pre-Shared Key
63
63. User-ID-to-IP-address mapping tables can be read by which product or service? A. Cortex XDR B. Panorama Log Collector C. AutoFocus D. Prisma Cloud
B. Panorama Log Collector
64
64. When will a firewall check for the presence of a bootstrap volume? A. each time it cold-boots B. each time it boots from a factory default state C. when a firewall is started in maintenance mode D. each time it warm-boots
B. each time it boots from a factory default state
65
65. Where in the bootstrap volume directories is a required dynamic update file? A. /config B. /license C. /software D. /content
D. /content
66
66. Can a firewall’s PAN-OS software be updated by the bootstrap process? A. Yes, by including a copy of the desired PAN-OS software in the /software folder of the bootstrap volume. B. Yes, by including a copy of the desired PAN-OS software in the /content folder of the bootstrap volume. C. No, it must be updated by an administrator after the firewall starts. D. No, the firewall must be licensed first.
A. Yes, by including a copy of the desired PAN-OS software in the /software folder of the bootstrap volume.