PCNSA Flashcards by pontus ekberg

Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?

A. management
B. network processing
C. data
D. security processing

How well did you know this?

Not at all

Perfectly

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified byApp-ID as SuperApp_base. On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

Chat & Download is denied because it doesn’t match the base application.

How well did you know this?

Not at all

Perfectly

How many zones can an interface be assigned with a Palo Alto Networks firewall?

A. two
B. three
C. four
D. one

How well did you know this?

Not at all

Perfectly

Which dataplane layer provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

A. Signature Matching
B. Network Processing
C. Security Processing
D. Data Interfaces

How well did you know this?

Not at all

Perfectly

Which option shows the attributes that are selectable when setting up application filters?

A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology

How well did you know this?

Not at all

Perfectly

Actions can be set for which two items in a URL filtering security profile? (Choose two.)

A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List

A D

How well did you know this?

Not at all

Perfectly

Which two statements are correct about App-ID content updates? (Choose two.)

A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.

A D

How well did you know this?

Not at all

Perfectly

Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?

A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent

How well did you know this?

Not at all

Perfectly

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

How well did you know this?

Not at all

Perfectly

Which statement is true regarding a Best Practice Assessment?

A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

How well did you know this?

Not at all

Perfectly

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A. on either the data plane or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic.

How well did you know this?

Not at all

Perfectly

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

A. Translation Type
B. Interface
C. Address Type
D. IP Address

How well did you know this?

Not at all

Perfectly

Which interface does not require a MAC or IP address?

A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback

How well did you know this?

Not at all

Perfectly

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?

A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days

How well did you know this?

Not at all

Perfectly

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
Select and Place:
* select zones form the list of available items
* assign interfaces as needed
* select network tab
* specify zone name
* select add
* specify zone type

Select network tab
Select zones from the list of available items
Select add
Specify zone name
specify zone type
Assign interfaces as needed

How well did you know this?

Not at all

Perfectly

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy

A D

How well did you know this?

Not at all

Perfectly

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?

A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
D. Use the Reset Rule Hit Counter > All Rules option

How well did you know this?

Not at all

Perfectly

Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.)

A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email

B C

How well did you know this?

Not at all

Perfectly

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

A. Windows-based agent deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links

How well did you know this?

Not at all

Perfectly

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect “IP to-user” mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A. syslog
B. RADIUS
C. UID redistribution
D. XFF header

How well did you know this?

Not at all

Perfectly

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command- and-control (C2) server.
Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)

A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies

B C

Key words “detect” and “prevent”

How well did you know this?

Not at all

Perfectly

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

A. Delivery
B. Reconnaissance
C. Command and Control
D. Exploitation

How well did you know this?

Not at all

Perfectly

Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

A. 2-3-4-1
B. 1-4-3-2
C. 3-1-2-4
D. 1-3-2-4

How well did you know this?

Not at all

Perfectly

On which port will SSH be allowed if nothing is specified in the security policy?

A. 80
B. 53
C. 22
D. 23

How well did you know this?

Not at all

Perfectly

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone. Complete the security policy to ensure only Telnet is allowed. Security Policy: Source Zone: Internal to DMZ Zone ____________ services "Application defaults", and action = Allow **A**. Destination IP: 192.168.1.123/24 **B**. Application = "Telnet" **C**. Log Forwarding **D**. USER-ID = "Allow users in Trusted"

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall? **A**. Threat Prevention **B**. WildFire **C**. Antivirus **D**. URL Filtering

To use Active Directory to authenticate administrators, which server profile is required in the authentication profile? **A**. domain controller **B**. TACACS+ **C**. LDAP **D**. RADIUS

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping? **A**. Layer 2 **B**. Tap **C**. Layer 3 **D**. Virtual Wire

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account? **A**. Root **B**. Dynamic **C**. Role-based **D**. Superuser

Which administrator type utilizes predefined roles for a local administrator account? **A**. Superuser **B**. Role-based **C**. Dynamic **D**. Device administrator

Which two security profile types can be attached to a security policy? (Choose two.) **A**. antivirus **B**. DDoS protection **C**. threat **D**. vulnerability

A D

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop. Which security profile feature could have been used to prevent the communication with the CnC server? **A**. Create an anti-spyware profile and enable DNS Sinkhole **B**. Create an antivirus profile and enable DNS Sinkhole **C**. Create a URL filtering profile and block the DNS Sinkhole category **D**. Create a security policy and enable DNS Sinkhole

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers? **A**. Active Directory monitoring **B**. Windows session monitoring **C**. Windows client probing **D**. domain controller monitoring

Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.) **A**. Security policy rules are attached to Security Profiles. **B**. Security Profiles are attached to Security policy rules. **C**. Security Profiles should be used only on allowed traffic. **D**. Security policy rules inspect but do not block traffic. **E**. Security policy rules can block or allow traffic.

B C E

Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone? **A**. global **B**. intrazone **C**. interzone **D**. universal

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways? **A**. GlobalProtect **B**. AutoFocus **C**. Aperture **D**. Panorama

Which two statements are correct regarding multiple static default routes when they are configured to a firewall (Choose two.) **A**. Path monitoring does not determine if route is useable. **B**. Route with highest metric is actively used. **C**. Path monitoring determines if route is useable. **D**. Route with lowest metric is actively used.

C D

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine. **A**. Exploitation **B**. Installation **C**. Reconnaissance **D**. Act on Objective

Which file is used to save the running configuration with a Palo Alto Networks firewall? **A**. running-config.xml **B**. run-config.xml **C**. running-configuration.xml **D**. run-configuration.xml

Which Palo Alto Networks component provides consolidated policy creation and centralized management? **A**. GlobalProtect **B**. Panorama **C**. Prisma SaaS **D**. AutoFocus

Which statement is true regarding a Prevention Posture Assessment? **A**. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories **B**. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture **C**. It provides a percentage of adoption for each assessment area **D**. It performs over 200 security checks on Panorama/firewall for the assessment

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.) **A**. User identification **B**. Filtration protection **C**. Vulnerability protection **D**. Antivirus **E**. Application identification **F**. Anti-spyware

A C D E F

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn't want to unblock the gambling URL category. Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.) **A**. Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow. **B**. Manually remove powerball.com from the gambling URL category. **C**. Add * .powerball.com to the allow list **D**. Create a custom URL category called PowerBall and add * .powerball.com to the category and set the action to allow.

C D

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information? **A**. Aperture **B**. AutoFocus **C**. Panorama **D**. GlobalProtect

A - finns ej kvar

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server. Which security profile components will detect and prevent this threat after the firewall's signature database has been updated? **A**. antivirus profile applied to outbound security policies **B**. data filtering profile applied to inbound security policies **C**. data filtering profile applied to outbound security policies **D**. vulnerability profile applied to inbound security policies

Which update option is not available to administrators? **A**. New Spyware Notifications **B**. New URLs **C**. New Application Signatures **D**. New Malicious Domains **E**. New Antivirus Signatures

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make? **A**. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH **B**. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH **C**. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address **D**. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

How often does WildFire release dynamic updates? **A**. every 5 minutes **B**. every 15 minutes **C**. every 60 minutes **D**. every 30 minutes

A | Kräver WildFire Subscription. Utan är det en gång per 24 timmar.

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures? **A**. every 30 minutes **B**. every 5 minutes **C**. every 24 hours **D**. every 1 minute

Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks? **A**. Windows-based agent on a domain controller **B**. Captive Portal **C**. Citrix terminal server agent with adequate data-plane resources **D**. PAN-OS integrated agent

Arrange the correct order that the URL classifications are processed within the system. * PAN-DB cloud * External Dynamic Lists * Custom URL Categories * Block List * Downloaded PAN-DB file * Allow Lists

1. Block List 2. Allow Lists 3. Custom URL categories 4. External Dynamic Lists 5. Downloaded PAN-DB fil 6. PAN-DB cloud

What must you configure to enable the firewall to access multiple Authentication Profiles to authenticate a non-local account? **A**. authentication sequence **B**. LDAP server profile **C**. authentication server list **D**. authentication list profile

Which Security Profile mitigates attacks based on packet count? **A**. zone protection profile **B**. URL filtering profile **C**. antivirus profile **D**. vulnerability profile

Which interface type uses virtual routers and routing protocols? **A**. Tap **B**. Layer3 **C**. Virtual Wire **D**. Layer2

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL? **A**. Override **B**. Allow **C**. Block **D**. Continue

An internal host needs to connect through the firewall using source NAT to servers of the internet. Which policy is required to enable source NAT on the firewall? **A**. NAT policy with internal zone and internet zone specified **B**. post-NAT policy with external source and any destination address **C**. NAT policy with no internal or internet zone selected **D**. pre-NAT policy with external source and any destination address

Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP addresses? **A**. DoS protection **B**. URL filtering **C**. packet buffering **D**. anti-spyware

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.) **A**. Layer-ID **B**. User-ID **C**. QoS-ID **D**. App-ID

B D

Which path is used to save and load a configuration with a Palo Alto Networks firewall? **A**. Device>Setup>Services **B**. Device>Setup>Management **C**. Device>Setup>Operations **D**. Device>Setup>Interfaces

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures? **A**. Review Policies **B**. Review Apps **C**. Pre-analyze **D**. Review App Matches

How do you reset the hit count on a Security policy rule? **A**. Select a Security policy rule, and then select Hit Count > Reset. **B**. Reboot the data-plane. **C**. First disable and then re-enable the rule. **D**. Type the CLI command reset hitcount .

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall? **A**. Management **B**. High Availability **C**. Aggregate **D**. Aggregation

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones? **A**. intrazone **B**. interzone **C**. universal **D**. global

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL? **A**. EDL in URL Filtering Profile **B**. Custom URL category in URL Filtering Profile **C**. Custom URL category in Security policy rule **D**. PAN-DB URL category in URL Filtering Profile

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment? **A**. north-south **B**. inbound **C**. outbound **D**. east-west

D | Zero trust focus on internal traffic, particularly east-west.

Which protocol is used to map usernames to user groups when User-ID is configured? **A**. TACACS+ **B**. SAML **C**. LDAP **D**. RADIUS

Which definition describes the guiding principle of the zero-trust architecture? **A**. trust, but verify **B**. always connect and verify **C**. never trust, never connect **D**. never trust, always verify

In which profile should you configure the DNS Security feature? **A**. Anti-Spyware Profile **B**. Zone Protection Profile **C**. Antivirus Profile **D**. URL Filtering Profile

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.) **A**. GlobalProtect agent **B**. XML API **C**. User-ID Windows-based agent **D**. log forwarding auto-tagging

B D

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane? **A**. virtual router **B**. Admin Role profile **C**. DNS proxy **D**. service route

C or D

Which component provides network security for mobile endpoints by inspecting traffic routed through gateways? **A**. Prisma SaaS **B**. GlobalProtect **C**. AutoFocus **D**. Panorama

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile? **A**. TACACS+ **B**. RADIUS **C**. LDAP **D**. SAML

Which operations are allowed when working with App-ID application tags? Choose two **A**. Predefined tags may be deleted. **B**. Predefined tags may be augmented by custom tags. **C**. Predefined tags may be modified. **D**. Predefined tags may be updated by WildFire dynamic updates.

B D

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized. Which User-ID agent is sufficient in your network? **A**. Windows-based agent deployed on each domain controller **B**. PAN-OS integrated agent deployed on the firewall **C**. Citrix terminal server agent deployed on the network **D**. Windows-based agent deployed on the internal network a domain member

B While A could work it is unnecessary in this case since B is more efficient for a single-floor setup.

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions? **A**. Role-based **B**. Multi-Factor Authentication **C**. Dynamic **D**. SAML

Which statement is true regarding a Heatmap report? **A**. When guided by authorized sales engineer, it helps determine the areas of greatest security risk **B**. It runs only on firewalls. **C**. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture. **D**. It provides a percentage of adoption for each assessment area.

Access to which feature requires the PAN-OS Filtering license? **A**. PAN-DB database **B**. DNS Security **C**. Custom URL categories **D**. URL external dynamic lists

Which action results in the firewall blocking network traffic without notifying the sender? **A**. Drop **B**. Deny **C**. Reset Server **D**. Reset Client

What do Dynamic User Groups help you to do? **A**. create a policy that provides auto-remediation for anomalous user behavior and malicious activity **B**. create a dynamic list of firewall administrators **C**. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity **D**. create a policy that provides auto-sizing for anomalous user behavior and malicious activity

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones? **A**. global **B**. intrazone **C**. interzone **D**. universal

Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane? **A**. Kerberos user **B**. SAML user **C**. local database user **D**. local user

D | "local user" is not one of the authentication profiles

Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures? **A**. Review App Matches **B**. Review Apps **C**. Pre-analyze **D**. Review Policies

Which type of firewall configuration contains in-progress configuration changes? **A**. backup **B**. candidate **C**. running **D**. committed

Which three configuration settings are required on a Palo Alto Network firewall management interface? (Choose three.) **A**. hostname **B**. netmask **C**. default gateway **D**. auto-negotiation **E**. IP address

B C E

What is an advantage for using application tags? **A**. They are helpful during the creation of new zones. **B**. They help content updates automate policy updates. **C**. They help with the creation of interfaces. **D**. They help with the design of IP address allocations in DHCP.

At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update? **A**. after clicking Check Now in the Dynamic Update window **B**. after committing the firewall configuration **C**. after installing the update **D**. after downloading the update

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile detects and prevents this threat from establishing a command-and-control connection? **A**. Vulnerability Protection Profile applied to outbound Security policy rules. **B**. Anti-Spyware Profile applied to outbound security policies. **C**. Antivirus Profile applied to outbound Security policy rules **D**. Data Filtering Profile applied to outbound Security policy rules.

B | Specifically designed to detect and block spyware including C2C

Which statement is true regarding a Best Practice Assessment? **A**. It runs only on firewalls. **B**. It shows how current configuration compares to Palo Alto Networks recommendations. **C**. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities. **D**. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

B | BPA asses the current setup and compares it to recommended best practice

Which Palo Alto Networks service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and scanning files for sensitive information? **A**. Prisma SaaS **B**. AutoFocus **C**. Panorama **D**. GlobalProtect

In a Security policy, what is the quickest way to reset all policy rule hit counters to zero? **A**. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules **B**. Reboot the firewall **C**. Use the Reset Rule Hit Counter > All Rules option **D**. Use the CLI enter the command reset rules all

You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in common application. Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database? **A**. Data Filtering Profile applied to outbound Security policy rules **B**. Antivirus Profile applied to outbound Security policy rules **C**. Data Filtering Profile applied to inbound Security policy rules **D**. Vulnerability Protection Profile applied to inbound Security policy rules

Palo Alto Networks firewall architecture accelerates content inspection performance while minimizing latency using which two components? (Choose two.) **A**. Network Processing Engine **B**. Policy Engine **C**. Parallel Processing Hardware **D**. Single Stream-based Engine

C D

An administrator is reviewing another administrator's Security policy log settings. Which log setting configuration is consistent with best practices for normal traffic? **A**. Log at Session Start and Log at Session End both enabled **B**. Log at Session Start enabled, Log at Session End disabled **C**. Log at Session Start disabled, Log at Session End enabled **D**. Log at Session Start and Log at Session End both disabled

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic? **A**. URL filtering **B**. vulnerability protection **C**. anti-spyware **D**. antivirus

Assume a custom URL Category Object of `NO-FILES` has been created to identify a specific website. How can file uploading/downloading be restricted for the website while permitting general browsing access to that website? **A**. Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES. **B**. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate File Blocking profile. **C**. Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES. **D**. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate Data Filtering profile.

Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password? **A**. authorization **B**. continue **C**. authentication **D**. override

D | Override allows users to access a blocked site after entering credent...

How are Application Filters or Application Groups used in firewall policy? **A**. An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group. **B**. An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group. **C**. An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group. **D**. An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.

Which tab would an administrator click to create an address object? **A**. Objects **B**. Monitor **C**. Device **D**. Policies

An administrator wishes to follow best practices for logging traffic that traverses the firewall. Which log setting is correct? **A**. Enable Log at Session Start **B**. Disable all logging **C**. Enable Log at both Session Start and End **D**. Enable Log at Session End

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.) **A**. QoS profile **B**. DoS Protection profile **C**. Zone Protection profile **D**. DoS Protection policy

B C

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs. What is the correct process to enable this logging? **A**. Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK. **B**. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK. **C**. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK. **D**. This rule has traffic logging enabled by default; no further action is required.

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1. What changes are required on VR-1 to route traffic between two interfaces on the NGFW? **A**. Add static routes to route between the two interfaces **B**. Add interfaces to the virtual router **C**. Add zones attached to interfaces to the virtual router **D**. Enable the redistribution profile to redistribute connected routes

An administrator wants to prevent users from submitting corporate credentials in a phishing attack. Which Security profile should be applied? **A**. antivirus **B**. anti-spyware **C**. URL-filtering **D**. vulnerability protection

Which two rule types allow the administrator to modify the destination zone? (Choose two.) **A**. interzone **B**. shadowed **C**. intrazone **D**. universal

A D | Interzone and universal both matches traffic between zones

What is the main function of Policy Optimizer? **A**. reduce load on the management plane by highlighting combinable security rules **B**. migrate other firewall vendors security rules to Palo Alto Networks configuration **C**. eliminate Log at Session Start security rules **D**. convert port-based security rules to application-based security rules

Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic. Which statement accurately describes how the firewall will apply an action to matching traffic? **A**. If it is a block rule, then Security Profile action is applied last. **B**. If it is an allow rule, then the Security policy rule is applied last. **C**. If it is a block rule, then the Security policy rule action is applied last. **D**. If it is an allowed rule, then the Security Profile action is applied last.

Which Security profile can you apply to protect against malware such as worms and Trojans? **A**. antivirus **B**. data filtering **C**. vulnerability protection **D**. anti-spyware

Which license is required to use the Palo Alto Networks built-in IP address EDLs? **A**. DNS Security **B**. Threat Prevention **C**. WildFire **D**. SD-Wan

Which statement is true about Panorama managed devices? **A**. Panorama automatically removes local configuration locks after a commit from Panorama. **B**. Local configuration locks prohibit Security policy changes for a Panorama managed device. **C**. Security policy rules configured on local firewalls always take precedence. **D**. Local configuration locks can be manually unlocked from Panorama.

A Security Profile can block or allow traffic at which point? **A**. on either the data plane or the management plane **B**. after it is matched to a Security policy rule that allows or blocks traffic **C**. after it is matched to a Security policy rule that allows traffic **D**. before it is matched to a Security policy rule

Place the following steps in the packet processing order of operations from first to last. * Content inspection * QOS shaping applied * Security policy lookup * DoS protection

1. DoS protection 2. Security policy lookup 3. content inspection 4. QOS shaping applied

Which type of address object is "10.5.1.1/0.127.248.2"? **A**. IP netmask **B**. IP subnet **C**. IP wildcard mask **D**. IP range

Which component is a building block in a Security policy rule? **A**. decryption profile **B**. destination interface **C**. timeout (min) **D**. application

An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available. Which security policy action causes this? **A**. Reset server **B**. Reset both **C**. Deny **D**. Drop

Selecting the option to revert firewall changes will replace what settings? **A**. the candidate configuration with settings from the running configuration **B**. dynamic update scheduler settings **C**. the running configuration with settings from the candidate configuration **D**. the device state with settings from another configuration

An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop. If the application's default deny action is reset-both, what action does the firewall take? **A**. It silently drops the traffic. **B**. It silently drops the traffic and sends an ICMP unreachable code. **C**. It sends a TCP reset to the server-side device. **D**. It sends a TCP reset to the client-side and server-side devices.

A | The rule states that it will not process the profile since action is dro

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.) **A**. SAML 2.0 **B**. Kerberos **C**. TACACS **D**. TACACS+ **E**. SAML 1.0

A B D

Which objects would be useful for combining several services that are often defined together? **A**. application filters **B**. service groups **C**. shared service objects **D**. application groups

Which rule type is appropriate for matching traffic both within and between the source and destination zones? **A**. interzone **B**. shadowed **C**. intrazone **D**. universal

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the ICMP code "communication with the destination is administratively prohibited". Which security policy action causes this? **A**. Drop **B**. Drop, send ICMP Unreachable **C**. Reset both **D**. Reset server

You receive notification about new malware that infects hosts through malicious files transferred by FTP. Which Security profile detects and protects your internal networks from this threat after you update your firewall's threat signature database? **A**. URL Filtering profile applied to inbound Security policy rules. **B**. Data Filtering profile applied to outbound Security policy rules. **C**. Antivirus profile applied to inbound Security policy rules. **D**. Vulnerability Protection profile applied to outbound Security policy rules.

An administrator wants to prevent access to media content websites that are risky. Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.) **A**. recreation-and-hobbies **B**. streaming-media **C**. known-risk **D**. high-risk

B D

Which dynamic update type includes updated anti-spyware signatures? **A**. PAN-DB **B**. Applications and Threats **C**. GlobalProtect Data File **D**. Antivirus

An administrator would like to silently drop traffic from the internet to a ftp server. Which Security policy action should the administrator select? **A**. Drop **B**. Deny **C**. Block **D**. Reset-server

Which object would an administrator create to block access to all high-risk applications? **A**. HIP profile **B**. Vulnerability Protection profile **C**. application group **D**. application filter

D | Can dynamically block all applications that are classified as high-risk

Which option is part of the content inspection process? **A**. Packet forwarding process **B**. IPsec tunnel encryption **C**. SSL Proxy re-encrypt **D**. Packet egress process

C | part of the overall content inspection process for secure traffic

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time? **A**. Disable automatic updates during weekdays **B**. Automatically download and install but with the disable new applications option used **C**. Automatically download only and then install Applications and Threats later, after the administrator approves the update **D**. Configure the option for Threshold

D | Mest för att det ska hända av sig själv (Schedule)

What must be considered with regards to content updates deployed from Panorama? **A**. Content update schedulers need to be configured separately per device group. **B**. Panorama can only install up to five content versions of the same type for potential rollback scenarios. **C**. A PAN-OS upgrade resets all scheduler configurations for content updates. **D**. Panorama can only download one content update at a time for content updates of the same type.

During the packet flow process, which two processes are performed in application identification? (Choose two.) **A**. pattern based application identification **B**. application override policy match **C**. session application identified **D**. application changed from content inspection

A B

What does an administrator use to validate whether a session is matching an expected NAT policy? **A**. system log **B**. test command **C**. threat log **D**. config audit

What is the purpose of the automated commit recovery feature? **A**. It reverts the Panorama configuration. **B**. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama. **C**. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change. **D**. It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates? **A**. by minute **B**. hourly **C**. daily **D**. weekly

Place the steps in the correct order of operations: * Security profile enforcement * decryption * zone protection * App-ID

1. zone protection 2. decryption 3. security profile enforcement 4. App-ID

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP addresses list? **A**. destination address **B**. source address **C**. destination zone **D**. source zone

B | "block traffic FROM IP addresses"

URL categories can be used as match criteria on which two policy types? (Choose two.) **A**. authentication **B**. decryption **C**. application override **D**. NAT

A B

Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to exploit system flaws? **A**. URL filtering **B**. vulnerability protection **C**. file blocking **D**. anti-spyware

What action will inform end users when their access to Internet content is being restricted? **A**. Create a custom URL Category object with notifications enabled. **B**. Publish monitoring data for Security policy deny logs. **C**. Ensure that the site access setting for all URL sites is set to alert. **D**. Enable Response Pages on the interface providing Internet access.

What is a recommended consideration when deploying content updates to the firewall from Panorama? **A**. Before deploying content updates, always check content release version compatibility. **B**. Content updates for firewall A/P HA pairs can only be pushed to the active firewall. **C**. Content updates for firewall A/A HA pairs need a defined master device. **D**. After deploying content updates, perform a commit and push to Panorama.

Which information is included in device state other than the local configuration? **A**. uncommitted changes **B**. audit logs to provide information of administrative account changes **C**. system logs to provide information of PAN-OS changes **D**. device group and template settings pushed from Panorama

What is the difference between: * interzone * intrazone * universal

* **interzone** is for traffic between zones * **intrazone** is for traffic within zones * **universal** is for both traffic within and between zones

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration. What should the administrator do? **A**. change the logging action on the rule **B**. review the System Log **C**. refresh the Traffic Log **D**. tune your Traffic Log filter to include the dates

A | Typically is not configured to log this traffic as default

When is the content inspection performed in the packet flow process? **A**. after the application has been identified **B**. after the SSL Proxy re-encrypts the packet **C**. before the packet forwarding process **D**. before session lookup

A | content inspection happens after the application has been identified

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update? **A**. check now **B**. review policies **C**. test policy match **D**. download

When creating a custom URL category object, which is a valid type? **A**. domain match **B**. host names **C**. wildcard **D**. category match

D | The valid types are Category match and URL List

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access? **A**. 80 **B**. 8443 **C**. 4443 **D**. 443

**C** The GlobalProtect Portal can be accessed by going to the IP address of the designated interface using https on port 443. The WebUI on the same interface can be accessed by going to the interface's IP address using https on port 4443. The port for WebUI management is changed because the tcp/443 socket used by GlobalProtect takes precedence

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control (RBAC)? (Choose two.) **A**. SAML **B**. TACACS+ **C**. LDAP **D**. Kerberos

A B | C & D does not support authorization, only authentication.

Which administrative management services can be configured to access a management interface? **A**. HTTPS, HTTP, CLI, API **B**. HTTPS, SSH, telnet, SNMP **C**. SSH, telnet, HTTP, HTTPS **D**. HTTP, CLI, SNMP, HTTPS

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently used by attackers to distribute illegal or unethical material? **A**. Palo Alto Networks C&G IP Addresses **B**. Palo Alto Networks High Risk IP Addresses **C**. Palo Alto Networks Known Malicious IP Addresses **D**. Palo Alto Networks Bulletproof IP Addresses

Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP Addresses list? **A**. source address **B**. destination address **C**. source zone **D**. destination zone

Which three filter columns are available when setting up an Application Filter? (Choose three.) **A**. Parent App **B**. Category **C**. Risk **D**. Standard Ports **E**. Subcategory

B C E

Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites? **A**. reconnaissance **B**. delivery **C**. installation **D**. exploitation

A coworker found a USB labeled "confidential in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware. The malware caused the laptop to begin infiltrating corporate data. Which Security Profile feature could have been used to detect the malware on the laptop? **A**. DNS Sinkhole **B**. WildFire Analysis **C**. Antivirus **D**. DoS Protection

B | Key word is "unknown malware", AV detects known malware.

What must be configured before setting up Credential Phishing Prevention? **A**. Threat Prevention **B**. Anti Phishing Block Page **C**. User-ID **D**. Anti Phishing profiles

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures? **A**. block **B**. sinkhole **C**. allow **D**. alert

Which statement best describes a common use of Policy Optimizer? **A**. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App ID Security policy for every Layer 4 policy that exist. Admins can then manually enable policies they want to keep and delete ones they want to remove. **B**. Policy Optimizer can display which Security policies have not been used in the last 90 days. **C**. Policy Optimizer on aVM-50 firewall can display which Layer 7 App-ID Security policies have unused applications. **D**. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

An address object of type IP Wildcard Mask can be referenced in which part of the configuration? **A**. Security policy rule **B**. ACC global fitter **C**. NAT address pool **D**. external dynamic list

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact command-and-control server. Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection? **A**. Anti-Spyware Profile **B**. Data Filtering Profile **C**. Antivirus Profile **D**. Vulnerability Protection Profile

Which Palo Alto Networks component provides consolidated policy creation? **A**. Policy Optimizer **B**. Prisma SaaS **C**. GlobalProtect **D**. Panorama

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone. The administrator does not want to allow traffic between the DMZ and LAN zones. Which Security policy rule type should they use? **A**. interzone **B**. intrazone **C**. default **D**. universal

According to best practices, how frequently should WildFire updates he made to perimeter firewalls? **A**. every 10 minutes **B**. every minute **C**. every 5 minutes **D**. in real time

Which solution is a viable option to capture user identification when Active Directory is not in use? **A**. Cloud identity Engine **B**. Directory Sync Service **C**. group mapping **D**. Authentication Portal

D | ABC has to do with active directory

What allows a security administrator to preview the Security policy rules that match new application signatures? **A**. Policy Optimizer--New App Viewer **B**. Dynamic Updates--Review App **C**. Review Release Notes **D**. Dynamic Updates--Review Policies

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID? **A**. Configure a Primary Employee ID number for user-based Security policies. **B**. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389. **C**. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL. **D**. Configure a frequency schedule to clear group mapping cache.

An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains. Which type of single, unified engine will get this result? **A**. Content ID **B**. App-ID **C**. Security Processing Engine **D**. User-ID

Which action would an administrator take to ensure that a service object will be available only to the selected device group? **A**. ensure that disable override is selected **B**. uncheck the shared option **C**. ensure that disable override is cleared **D**. create the service object in the specific template

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit 42 research, and data gathered from telemetry? **A**. Palo Alto Networks High-Risk IP Addresses **B**. Palo Alto Networks Known Malicious IP Addresses **C**. Palo Alto Networks C&C IP Addresses **D**. Palo Alto Networks Bulletproof IP Addresses

An administrator would like to determine the default deny action for the application dns-over-https. Which action would yield the information? **A**. View the application details in beacon.paloaltonetworks.com **B**. Check the action for the Security policy matching that traffic **C**. Check the action for the decoder in the antivirus profile **D**. View the application details in Objects > Applications

Access to which feature requires a URL Filtering license? **A**. PAN-DB database **B**. External dynamic lists **C**. DNS Security **D**. Custom URL categories

What is the main function of the Test Policy Match function? **A**. ensure that policy rules are not shadowing other policy rules **B**. confirm that rules meet or exceed the Best Practice Assessment recommendations **C**. confirm that policy rules in the configuration are allowing donning the correct traffic **D**. verify that policy rules from Expedition are valid

Which attribute can a dynamic address group use as a filtering condition to determine its membership? **A**. subnet mask **B**. tag **C**. IP address **D**. wildcard mask

What are the three DNS Security categories available to control DNS traffic? (Choose three.) **A**. Parked Domains **B**. Spyware Domains **C**. Vulnerability Domains **D**. Phishing Domains **E**. Malware Domains

B D E

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.) **A**. firewall logs **B**. custom API scripts **C**. Security Information and Event Management Systems (SIEMS), such as Splunk **D**. biometric scanning results from iOS devices **E**. DNS Security service

A B C | Also Cortex XSOAR

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones: 1. trust for internal networks 2. untrust to the internet Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.) **A**. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic **B**. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application **C**. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application **D**. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

A D

What are the four methods used to access the NGFW

* web interface * CLI * Panorama * XML API

To gain access to the firewall for the first time, what are the four required information you must provide?

* IP address * Netmask * Default gateway * Domain Name System | DHCP will provide this information automatically

What is the route to configure DNS or NTP in the web interface?

Device > Setup > Services > Services gear icon

What is a service route?

It's an alternative to access external services as DNS via the MGT interface. Instead you configure a regular data plane interface to route the traffic to said service.

What is a "role based" administrator

Custom rules (admins) you can configure for more granular access controll over the functional areas of the web interface, CLI and XML API.

What is a "dynamic role" administrator

Built in roles that provide access to the firewall.

Name the 6 differenta dynamic role types

* Superuser * Superuser (read only) * Device admin * Device admin (read only) * Virtual system admin * Virtual system admin (read only)

Which dynamic admin type has the most access to the firewall

Superuser

What is the path to manage configurations?

Device > Setup > Operations

What are the 5 different configuration states?

* Revert * Save * Load * Export * Import

What option restores the last saved candidate configuration?

Revert

Which option creates a candidate configuration snapshot that **does not** overwrite the default snapshot?

Save named configuration snapshot

Which option creates a candidate configuration snapshot that **does** overwrite the default snapshot?

Save candidate configuration

What option overwrites the current candidate configuration with one of the following: * Custom-named candidate configuarion snapshot * Custom-named running configuration (imported) * Current running configuration

Load named configuration snapshot

What does "Load configuration version" do?

Overwrites the current candidate configuration with a previous version of the running configuration.

What does the "Export named configuration snapshot" do?

Exports the current running configuration, a candidate configuration snapshot or a previously imported configuration.

What option exports more then just the running configuration?

Export device state, it includes: * Device group * Template settings pushed from Panorama if applicable. * Certificate information * List of sattelites and authentication information | Last 2 only if it's set up as a GlobalProtect portal.

What does "Import named configurations snapshot" do?

Imports a running or candidate configuration as an XML file from any network location such as a host computer.

What does "Import device state" do?

Imports the state information file exported from a firewall.

What is the evaluation order of policies?

1. Shared pre-rules 2. Device group pre-rules 3. Local firewall rules 4. Device group post-rules 5. Shared post-rules 6. Default rules

What is a common pre-rule?

Block specific URL categories or allow DNS traffic for all the users.

What is a common post-rule?

Deny access to traffic based on the App-ID signatures, User-ID information or service.

What does the default rules handle?

They specify how PAN-OS handles traffic that doesn't match any other rule. | For example the Intrazone and Interzone default rule.

How often are Antivirus signatures updated?

Daily

How often are new and modified applications updated?

New every month Modified every week

How often are Applications and Threats updated?

New every month Modified every week

How often are PAN-DB updated?

Every 5-10 minutes

How often is WildFire updated?

Every minute |24-48 hours without subscription.

True or false, and interface can belong to multiple zones.

False

True or false, a zone can have multiple interfaces of the same type assigned to it.

True

How many external zones can a virtual system have?

one

What are the four types of address objects?

* IP Netmask * IP Range * IP Wildcard Mask * FQDN

What does the EDL file contain?

* IP addresses * URLs * Domains

Which license is required to obtain the built-in EDLs of Palo Alto Networks?

Threat Prevention

What rule only allows traffic between two different zones?

Interzone

What rule only allows traffic within the same zone?

Intrazone

What is Universal traffic rule?

A rule that applies to all the matching interzone and intrazone traffic.

Which two planes are found in the Palo Alto Networks single-pass platform architecture? (Choose two.) **A.** Parallel processing **B.** Application **C.** Data **D.** Control

C D

Which object cannot be segmented using virtual systems on a firewall? **A**. Administrative access **B**. MGT interface **C**. Network security zone **D**. Data plane interface

Which series of firewalls is a high-performance physical appliance solution? **A**. ION-Series **B**. PA-Series **C**. CN-Series **D**. VM-Series

Which Strata product provides centralized firewall management and logging? **A**. Panorama **B**. GlobalProtect **C**. WildFire **D**. Prisma Access

True or false? The CN-Series firewalls deliver the same capabilities as the PA-Series and VM-Series firewalls.

True

What is the factory default IP address for PA-Series Firewalls?

192.168.1.1/24

What are the two attributes of the dedicated out-of-band network management port in Palo Alto Networks firewalls? (Choose two.) **A**. Requires a static, non-DHCP network configuration **B**. Labeled MGT by default **C**. Supports only SSH connections **D**. Cannot be configured as a standard traffic port

B D

True or false? To register a hardware firewall, you will need the firewall’s serial number.

True

In the web interface, what is signified when a text box is highlighted in red? **A**. The value in the text box is controlled by Panorama **B**. The value in the text box is required **C**. The value in the text box is optional **D**. The value in the text box is an error

True or false? Service routes can be used to configure an in-band port to access external services.

True

Which two statements are true regarding the candidate configuration? (Choose two.) **A**. It contains possible changes to the current configuration. **B**. It controls the current operation of the firewall. **C**. It can be reverted to the current configuration. **D**. It always contains the factory default configuration.

A C

When changes to a firewall are committed, what is the result of clicking the Preview Changes link? **A**. Lists the individual settings for which you are committing changes **B**. Compares the candidate configuration to the running configuration **C**. Shows any error messages that would appear during a commit **D**. Displays any unresolved application dependencies

True or false? The running configuration consists of configuration changes in progress but not active on the firewall.

False

Which three types of privileges can be defined when a custom admin role is created? (Choose three.) **A**. Java API **B**. WebUI **C**. REST API **D**. XML API **E**. Panorama

B C D

Global user authentication is supported by which three authentication services? (Choose three.) **A**. SAML **B**. TACACS+ **C**. RADIUS **D**. LDAP **E**. Certificate

A B C

True or false? Server Profiles define connections that the firewall can make to external servers.

True

True or false? Certificate-based authentication replaces all other forms of either local or external authentication.

True

Which feature allows an administrator to configure a firewall to authenticate a user by checking TACACS+ and then LDAP? A. Authentication sequence B. Admin role C. Authentication profile D. Multi-Factor authentication

What feature allows an administrator to access a firewall without providing a password? **A**. Multi-Factor authentication **B**. Certificate-based authentication **C**. Authentication profile **D**. Authentication sequence

Which two activities are part of the cyberattack lifecycle reconnaissance stage? (Choose two.) **A**. establish C2 **B**. social engineering **C**. RAT installation **D**. port scans

B D

Which two characteristics are common among commodity threats? (Choose two.) **A**. They often are used as part of an APT. **B**. They are pervasive. **C**. They pose little risk. **D**. They are easy to detect.

A B

At which packet flow stage does the firewall detect and block pre-session reconnaissance and DoS attacks? **A**. slowpath **B**. content inspection **C**. application identification **D**. ingress

Which two routing protocols are supported on a virtual router? (Choose two.) **A**. IGRP **B**. OSPF **C**. EGP **D**. BGP

B D

Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.) **A**. tap **B**. FC **C**. Layer 3 **D**. FCoE **E**. virtual wire

A C E

Which two firewall interface types can be added to a Layer 3-type security zone? (Choose two.) **A**. tunnel **B**. virtual wire **C**. tap **D**. loopback

A D

Which type of firewall interface enables passive monitoring of network traffic? **A**. virtual wire **B**. tap **C**. loopback **D**. tunnel

True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.

True

When a virtual system is used on a firewall, which object cannot be segmented? **A**. data plane interface **B**. MGT interface **C**. network security zone **D**. administrative access

Which two planes are found in the Palo Alto Networks single-pass platform architecture? (Choose two.) **A**. application **B**. control **C**. data **D**. parallel processing

B C

What is the result of clicking the Preview Changes link when committing changes to a firewall? **A**. shows any error messages that would appear during a commit **B**. lists the individual settings for which you are committing changes **C**. compares the candidate configuration to the running configuration **D**. displays any unresolved application dependencies

Regarding the candidate configuration, which two statements are true? (Choose two.) **A**. It can be reverted to the current configuration. **B**. It controls the current operation of the firewall. **C**. It contains possible changes to the current configuration. **D**. It always contains the factory default configuration.

A C

Before a firewall can connect to Panorama, which piece of information do you need to enter in the firewall? **A**. serial number of the firewall **B**. serial number of Panorama **C**. IP address of Panorama **D**. authorization number of Panorama

Before Panorama can connect and manage a firewall, which piece of information about the firewall do you need to enter into Panorama? **A**. IP address **B**. serial number **C**. login credentials **D**. authorization number

Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.) **A**. FC **B**. Layer3 **C**. FCoE **D**. Tap **E**. Virtual wire

B D E

Which two statements are true regarding the candidate configuration? (Choose two.) **A**. It controls the current operation of the firewall. **B**. It can be reverted to the current configuration. **C**. It contains possible changes to the current configuration. **D**. It always contains the factory default configuration.

B C

Which two configuration elements can be configured for managed firewalls by using templates in Panorama? (Choose two.) **A**. Network **B**. Device **C**. Objects **D**. Policies

A B

In Panorama, can you use the same template in different template stacks? **A**. no **B**. yes, if there are no other templates in the stack **C**. yes, regardless of other templates in the stack **D**. yes, if no conflicting values are in other templates within the stack

What will Panorama do if two templates in the same template stack have different values for the same setting? **A**. generate an error at commit **B**. ignore the value in both templates **C**. use the value from the lowest template in the stack **D**. use the value from the highest template in the stack

Which device group in Panorama is automatically created and cannot be deleted? **A**. Default Group **B**. Shared Group **C**. Inheritance Group **D**. Template Group

When you create the first device group in Panorama, which two tabs are added to the user interface? (Choose two.) **A**. Policies **B**. Network **C**. Device **D**. Objects

A D

Which option should you select to prevent modifications to an object within descendant device groups? **A**. Disable Shared Group **B**. Disable inheritance **C**. Disable override **D**. Disable virtual systems

Which information is needed to register a Panorama Physical appliance in the Customer Support Portal? **A**. management IP address **B**. FQDN logical name **C**. serial number of Panorama **D**. customer ID and Panorama name

Which type of Security policy rule is the default rule type? **A**. default **B**. universal **C**. intrazone **D**. interzone

Which action in a Security policy rule results in traffic being silently rejected? **A**. deny **B**. drop **C**. reset server **D**. reset client

In a Palo Alto Networks Security policy rule, which two items are required match criteria? (Choose two.) **A**. destination address **B**. destination zone **C**. source zone **D**. destination port

B C

Which NAT translation type uses NAT oversubscription? **A**. static **B**. dynamic IP **C**. dynamic IP and port **D**. dynamic IP with session distribution

At which stage in the flow logic is NAT applied to packets traversing the data plane? **A**. Ingress **B**. Security Processing (fastpath) **C**. App-ID Engine **D**. Egress

At which stage in the flow logic does the firewall attempt to match a packet to an existing flow? **A**. Ingress **B**. Security Processing (fastpath) **C**. App-ID Engine **D**. Egress

As recorded in the session tables, which three state are considered to be “stable” session states (Choose three.) **A**. Opening **B**. Active **C**. Free **D**. Init **E**. Discard

B D E

Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which two applications? (Choose two.) A. unknown-tcp B. unknown-udp C. ssl D. web-browsing

C D

How often are new application signatures released by Palo Alto Networks? **A**. as soon as possible **B**. once per week **C**. once per month **D**. with each PAN-OS software update

C | Updated App-IDs is every week

Based on application attributes that you define (Category, Subcategory, Technology, Risk, and Characteristic), which item is the name of an object that dynamically identifies and associates applications? **A**. application **B**. application filter **C**. application group **D**. application profile

What triggers a Security policy rule match in the Policy Optimizer’s No App Specified window? **A**. “any” in the Application column **B**. “Allow” in the Action column **C**. “application-default” in the Service column **D**. “unknown” in the Application column

Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network? **A**. continue response page **B**. CVE number **C**. Data Filtering log entry **D**. DNS Sinkhole

To which item are Zone Protection Profiles applied? **A**. egress ports **B**. ingress ports **C**. Address Groups **D**. Security policy rules

What is required for a Security Profile attached to a Security policy rule to be successfully evaluated? **A**. the Security policy rule matches, and the traffic is set to “allow” **B**. the Security policy rule matches, and the traffic is set to “deny” **C**. the App-ID signature matches, and the traffic is set to “allow” **D**. the App-ID signature matches, and the traffic is set to “deny”

Which statement is true regarding Safe Search Enforcement? **A**. Safe search is a web server setting. **B**. Safe search is a web browser setting. **C**. Safe search is a desktop setting. **D**. Safe search is a laptop setting.

Which action would not be recorded in a URL Filtering log? A. alert B. allow C. continue D. override

Which Security Profile is designed to help mitigate unknown threats? **A**. Antivirus **B**. Anti-Spyware **C**. Vulnerability Protection **D**. WildFire Analysis

Sinkhole events are recorded in which log? **A**. Threat **B**. URL Filtering **C**. WildFire Submissions **D**. Data Filtering