Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Flashy Certs > PCNSA > Flashcards

PCNSA Flashcards

1
Q

Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?

A. management
B. network processing
C. data
D. security processing

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified byApp-ID as SuperApp_base. On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

A

A

Chat & Download is denied because it doesn’t match the base application.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How many zones can an interface be assigned with a Palo Alto Networks firewall?

A. two
B. three
C. four
D. one

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which dataplane layer provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

A. Signature Matching
B. Network Processing
C. Security Processing
D. Data Interfaces

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which option shows the attributes that are selectable when setting up application filters?

A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Actions can be set for which two items in a URL filtering security profile? (Choose two.)

A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List

A

A D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which two statements are correct about App-ID content updates? (Choose two.)

A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.

A

A D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?

A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which statement is true regarding a Best Practice Assessment?

A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A. on either the data plane or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic.

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

A. Translation Type
B. Interface
C. Address Type
D. IP Address

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which interface does not require a MAC or IP address?

A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?

A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
Select and Place:
* select zones form the list of available items
* assign interfaces as needed
* select network tab
* specify zone name
* select add
* specify zone type

A
  1. Select network tab
  2. Select zones from the list of available items
  3. Select add
  4. Specify zone name
  5. specify zone type
  6. Assign interfaces as needed
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy

A

A D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?

A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
D. Use the Reset Rule Hit Counter > All Rules option

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.)

A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email

A

B C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

A. Windows-based agent deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect “IP to-user” mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A. syslog
B. RADIUS
C. UID redistribution
D. XFF header

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command- and-control (C2) server.
Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)

A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies

A

B C

Key words “detect” and “prevent”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

A. Delivery
B. Reconnaissance
C. Command and Control
D. Exploitation

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

A. 2-3-4-1
B. 1-4-3-2
C. 3-1-2-4
D. 1-3-2-4

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

On which port will SSH be allowed if nothing is specified in the security policy?

A. 80
B. 53
C. 22
D. 23

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone ____________ services “Application defaults”, and action = Allow

A. Destination IP: 192.168.1.123/24
B. Application = “Telnet”
C. Log Forwarding
D. USER-ID = “Allow users in Trusted”

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

A. Threat Prevention
B. WildFire
C. Antivirus
D. URL Filtering

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?

A. domain controller
B. TACACS+
C. LDAP
D. RADIUS

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

A. Layer 2
B. Tap
C. Layer 3
D. Virtual Wire

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

A. Root
B. Dynamic
C. Role-based
D. Superuser

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Which administrator type utilizes predefined roles for a local administrator account?

A. Superuser
B. Role-based
C. Dynamic
D. Device administrator

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Which two security profile types can be attached to a security policy? (Choose two.)

A. antivirus
B. DDoS protection
C. threat
D. vulnerability

A

A D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop.
Which security profile feature could have been used to prevent the communication with the CnC server?

A. Create an anti-spyware profile and enable DNS Sinkhole
B. Create an antivirus profile and enable DNS Sinkhole
C. Create a URL filtering profile and block the DNS Sinkhole category
D. Create a security policy and enable DNS Sinkhole

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

A. Active Directory monitoring
B. Windows session monitoring
C. Windows client probing
D. domain controller monitoring

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.)

A. Security policy rules are attached to Security Profiles.
B. Security Profiles are attached to Security policy rules.
C. Security Profiles should be used only on allowed traffic.
D. Security policy rules inspect but do not block traffic.
E. Security policy rules can block or allow traffic.

A

B C E

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?

A. global
B. intrazone
C. interzone
D. universal

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?

A. GlobalProtect
B. AutoFocus
C. Aperture
D. Panorama

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Which two statements are correct regarding multiple static default routes when they are configured to a firewall (Choose two.)

A. Path monitoring does not determine if route is useable.
B. Route with highest metric is actively used.
C. Path monitoring determines if route is useable.
D. Route with lowest metric is actively used.

A

C D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine.

A. Exploitation
B. Installation
C. Reconnaissance
D. Act on Objective

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

Which file is used to save the running configuration with a Palo Alto Networks firewall?

A. running-config.xml
B. run-config.xml
C. running-configuration.xml
D. run-configuration.xml

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Which Palo Alto Networks component provides consolidated policy creation and centralized management?

A. GlobalProtect
B. Panorama
C. Prisma SaaS
D. AutoFocus

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Which statement is true regarding a Prevention Posture Assessment?

A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
C. It provides a percentage of adoption for each assessment area
D. It performs over 200 security checks on Panorama/firewall for the assessment

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

A. User identification
B. Filtration protection
C. Vulnerability protection
D. Antivirus
E. Application identification
F. Anti-spyware

A

A C D E F

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.
Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

A. Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow.
B. Manually remove powerball.com from the gambling URL category.
C. Add * .powerball.com to the allow list
D. Create a custom URL category called PowerBall and add * .powerball.com to the category and set the action to allow.

A

C D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

A. Aperture
B. AutoFocus
C. Panorama
D. GlobalProtect

A

A - finns ej kvar

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall’s signature database has been updated?

A. antivirus profile applied to outbound security policies
B. data filtering profile applied to inbound security policies
C. data filtering profile applied to outbound security policies
D. vulnerability profile applied to inbound security policies

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

Which update option is not available to administrators?

A. New Spyware Notifications
B. New URLs
C. New Application Signatures
D. New Malicious Domains
E. New Antivirus Signatures

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH

B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH

C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address

D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

How often does WildFire release dynamic updates?

A. every 5 minutes
B. every 15 minutes
C. every 60 minutes
D. every 30 minutes

A

A

Kräver WildFire Subscription. Utan är det en gång per 24 timmar.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?

A. every 30 minutes
B. every 5 minutes
C. every 24 hours
D. every 1 minute

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall’s management plane is highly utilized.
Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

A. Windows-based agent on a domain controller
B. Captive Portal
C. Citrix terminal server agent with adequate data-plane resources
D. PAN-OS integrated agent

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

Arrange the correct order that the URL classifications are processed within the system.
* PAN-DB cloud
* External Dynamic Lists
* Custom URL Categories
* Block List
* Downloaded PAN-DB file
* Allow Lists

A
  1. Block List
  2. Allow Lists
  3. Custom URL categories
  4. External Dynamic Lists
  5. Downloaded PAN-DB fil
  6. PAN-DB cloud
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

What must you configure to enable the firewall to access multiple Authentication Profiles to authenticate a non-local account?

A. authentication sequence
B. LDAP server profile
C. authentication server list
D. authentication list profile

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

Which Security Profile mitigates attacks based on packet count?

A. zone protection profile
B. URL filtering profile
C. antivirus profile
D. vulnerability profile

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

Which interface type uses virtual routers and routing protocols?

A. Tap
B. Layer3
C. Virtual Wire
D. Layer2

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

A. Override
B. Allow
C. Block
D. Continue

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

An internal host needs to connect through the firewall using source NAT to servers of the internet.
Which policy is required to enable source NAT on the firewall?

A. NAT policy with internal zone and internet zone specified
B. post-NAT policy with external source and any destination address
C. NAT policy with no internal or internet zone selected
D. pre-NAT policy with external source and any destination address

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet’s source and destination IP addresses?

A. DoS protection
B. URL filtering
C. packet buffering
D. anti-spyware

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

A. Layer-ID
B. User-ID
C. QoS-ID
D. App-ID

A

B D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

Which path is used to save and load a configuration with a Palo Alto Networks firewall?

A. Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

How do you reset the hit count on a Security policy rule?

A. Select a Security policy rule, and then select Hit Count > Reset.
B. Reboot the data-plane.
C. First disable and then re-enable the rule.
D. Type the CLI command reset hitcount <POLICY-NAME>.</POLICY-NAME>

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
62
Q

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

A. Management
B. High Availability
C. Aggregate
D. Aggregation

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
63
Q

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

A. intrazone
B. interzone
C. universal
D. global

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
64
Q

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL?

A. EDL in URL Filtering Profile
B. Custom URL category in URL Filtering Profile
C. Custom URL category in Security policy rule
D. PAN-DB URL category in URL Filtering Profile

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
65
Q

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?

A. north-south
B. inbound
C. outbound
D. east-west

A

D

Zero trust focus on internal traffic, particularly east-west.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
66
Q

Which protocol is used to map usernames to user groups when User-ID is configured?

A. TACACS+
B. SAML
C. LDAP
D. RADIUS

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
67
Q

Which definition describes the guiding principle of the zero-trust architecture?

A. trust, but verify
B. always connect and verify
C. never trust, never connect
D. never trust, always verify

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
68
Q

In which profile should you configure the DNS Security feature?

A. Anti-Spyware Profile
B. Zone Protection Profile
C. Antivirus Profile
D. URL Filtering Profile

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
69
Q

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A. GlobalProtect agent
B. XML API
C. User-ID Windows-based agent
D. log forwarding auto-tagging

A

B D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
70
Q

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?

A. virtual router
B. Admin Role profile
C. DNS proxy
D. service route

A

C or D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
71
Q

Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?

A. Prisma SaaS
B. GlobalProtect
C. AutoFocus
D. Panorama

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
72
Q

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?

A. TACACS+
B. RADIUS
C. LDAP
D. SAML

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
73
Q

Which operations are allowed when working with App-ID application tags? Choose two

A. Predefined tags may be deleted.
B. Predefined tags may be augmented by custom tags.
C. Predefined tags may be modified.
D. Predefined tags may be updated by WildFire dynamic updates.

A

B D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
74
Q

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall’s management plane is only slightly utilized.
Which User-ID agent is sufficient in your network?

A. Windows-based agent deployed on each domain controller
B. PAN-OS integrated agent deployed on the firewall
C. Citrix terminal server agent deployed on the network
D. Windows-based agent deployed on the internal network a domain member

A

B

While A could work it is unnecessary in this case since B is more efficient for a single-floor setup.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
75
Q

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?

A. Role-based
B. Multi-Factor Authentication
C. Dynamic
D. SAML

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
76
Q

Which statement is true regarding a Heatmap report?

A. When guided by authorized sales engineer, it helps determine the areas of greatest security risk
B. It runs only on firewalls.
C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
D. It provides a percentage of adoption for each assessment area.

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
77
Q

Access to which feature requires the PAN-OS Filtering license?

A. PAN-DB database
B. DNS Security
C. Custom URL categories
D. URL external dynamic lists

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
78
Q

Which action results in the firewall blocking network traffic without notifying the sender?

A. Drop
B. Deny
C. Reset Server
D. Reset Client

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
79
Q

What do Dynamic User Groups help you to do?

A. create a policy that provides auto-remediation for anomalous user behavior and malicious activity
B. create a dynamic list of firewall administrators
C. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity
D. create a policy that provides auto-sizing for anomalous user behavior and malicious activity

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
80
Q

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?

A. global
B. intrazone
C. interzone
D. universal

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
81
Q

Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall’s data plane?

A. Kerberos user
B. SAML user
C. local database user
D. local user

A

D

“local user” is not one of the authentication profiles

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
82
Q

Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures?

A. Review App Matches
B. Review Apps
C. Pre-analyze
D. Review Policies

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
83
Q

Which type of firewall configuration contains in-progress configuration changes?

A. backup
B. candidate
C. running
D. committed

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
84
Q

Which three configuration settings are required on a Palo Alto Network firewall management interface? (Choose three.)

A. hostname
B. netmask
C. default gateway
D. auto-negotiation
E. IP address

A

B C E

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
85
Q

What is an advantage for using application tags?

A. They are helpful during the creation of new zones.
B. They help content updates automate policy updates.
C. They help with the creation of interfaces.
D. They help with the design of IP address allocations in DHCP.

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
86
Q

At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?

A. after clicking Check Now in the Dynamic Update window
B. after committing the firewall configuration
C. after installing the update
D. after downloading the update

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
87
Q

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server.
Which Security Profile detects and prevents this threat from establishing a command-and-control connection?

A. Vulnerability Protection Profile applied to outbound Security policy rules.
B. Anti-Spyware Profile applied to outbound security policies.
C. Antivirus Profile applied to outbound Security policy rules
D. Data Filtering Profile applied to outbound Security policy rules.

A

B

Specifically designed to detect and block spyware including C2C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
88
Q

Which statement is true regarding a Best Practice Assessment?

A. It runs only on firewalls.
B. It shows how current configuration compares to Palo Alto Networks recommendations.
C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

A

B

BPA asses the current setup and compares it to recommended best practice

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
89
Q

Which Palo Alto Networks service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and scanning files for sensitive information?

A. Prisma SaaS
B. AutoFocus
C. Panorama
D. GlobalProtect

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
90
Q

In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?

A. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules
B. Reboot the firewall
C. Use the Reset Rule Hit Counter > All Rules option
D. Use the CLI enter the command reset rules all

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
91
Q

You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in common application.
Which Security Profile detects and blocks access to this threat after you update the firewall’s threat signature database?

A. Data Filtering Profile applied to outbound Security policy rules
B. Antivirus Profile applied to outbound Security policy rules
C. Data Filtering Profile applied to inbound Security policy rules
D. Vulnerability Protection Profile applied to inbound Security policy rules

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
92
Q

Palo Alto Networks firewall architecture accelerates content inspection performance while minimizing latency using which two components? (Choose two.)

A. Network Processing Engine
B. Policy Engine
C. Parallel Processing Hardware
D. Single Stream-based Engine

A

C D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
93
Q
A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
94
Q

An administrator is reviewing another administrator’s Security policy log settings.
Which log setting configuration is consistent with best practices for normal traffic?

A. Log at Session Start and Log at Session End both enabled
B. Log at Session Start enabled, Log at Session End disabled
C. Log at Session Start disabled, Log at Session End enabled
D. Log at Session Start and Log at Session End both disabled

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
95
Q

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

A. URL filtering
B. vulnerability protection
C. anti-spyware
D. antivirus

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
96
Q

Assume a custom URL Category Object of NO-FILES has been created to identify a specific website.
How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

A. Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES.
B. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate File Blocking profile.
C. Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES.
D. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate Data Filtering profile.

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
97
Q

Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

A. authorization
B. continue
C. authentication
D. override

A

D

Override allows users to access a blocked site after entering credent…

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
98
Q

How are Application Filters or Application Groups used in firewall policy?

A. An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.
B. An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.
C. An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.
D. An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
99
Q

Which tab would an administrator click to create an address object?

A. Objects
B. Monitor
C. Device
D. Policies

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
100
Q

An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?

A. Enable Log at Session Start
B. Disable all logging
C. Enable Log at both Session Start and End
D. Enable Log at Session End

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
101
Q

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)

A. QoS profile
B. DoS Protection profile
C. Zone Protection profile
D. DoS Protection policy

A

B C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
102
Q

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.
What is the correct process to enable this logging?

A. Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.
B. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.
C. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.
D. This rule has traffic logging enabled by default; no further action is required.

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
103
Q

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.
What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

A. Add static routes to route between the two interfaces
B. Add interfaces to the virtual router
C. Add zones attached to interfaces to the virtual router
D. Enable the redistribution profile to redistribute connected routes

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
104
Q

An administrator wants to prevent users from submitting corporate credentials in a phishing attack.
Which Security profile should be applied?

A. antivirus
B. anti-spyware
C. URL-filtering
D. vulnerability protection

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
105
Q

Which two rule types allow the administrator to modify the destination zone? (Choose two.)

A. interzone
B. shadowed
C. intrazone
D. universal

A

A D

Interzone and universal both matches traffic between zones

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
106
Q

What is the main function of Policy Optimizer?

A. reduce load on the management plane by highlighting combinable security rules
B. migrate other firewall vendors security rules to Palo Alto Networks configuration
C. eliminate Log at Session Start security rules
D. convert port-based security rules to application-based security rules

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
107
Q

Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic.
Which statement accurately describes how the firewall will apply an action to matching traffic?

A. If it is a block rule, then Security Profile action is applied last.
B. If it is an allow rule, then the Security policy rule is applied last.
C. If it is a block rule, then the Security policy rule action is applied last.
D. If it is an allowed rule, then the Security Profile action is applied last.

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
108
Q

Which Security profile can you apply to protect against malware such as worms and Trojans?

A. antivirus
B. data filtering
C. vulnerability protection
D. anti-spyware

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
109
Q

Which license is required to use the Palo Alto Networks built-in IP address EDLs?

A. DNS Security
B. Threat Prevention
C. WildFire
D. SD-Wan

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
110
Q

Which statement is true about Panorama managed devices?

A. Panorama automatically removes local configuration locks after a commit from Panorama.
B. Local configuration locks prohibit Security policy changes for a Panorama managed device.
C. Security policy rules configured on local firewalls always take precedence.
D. Local configuration locks can be manually unlocked from Panorama.

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
111
Q

A Security Profile can block or allow traffic at which point?

A. on either the data plane or the management plane
B. after it is matched to a Security policy rule that allows or blocks traffic
C. after it is matched to a Security policy rule that allows traffic
D. before it is matched to a Security policy rule

A

C

112
Q

Place the following steps in the packet processing order of operations from first to last.

  • Content inspection
  • QOS shaping applied
  • Security policy lookup
  • DoS protection
A
  1. DoS protection
  2. Security policy lookup
  3. content inspection
  4. QOS shaping applied
113
Q

Which type of address object is “10.5.1.1/0.127.248.2”?

A. IP netmask
B. IP subnet
C. IP wildcard mask
D. IP range

A

C

114
Q

Which component is a building block in a Security policy rule?

A. decryption profile
B. destination interface
C. timeout (min)
D. application

A

D

115
Q

An administrator would like to use App-ID’s deny action for an application and would like that action updated with dynamic updates as new content becomes available.
Which security policy action causes this?

A. Reset server
B. Reset both
C. Deny
D. Drop

A

C

116
Q

Selecting the option to revert firewall changes will replace what settings?

A. the candidate configuration with settings from the running configuration
B. dynamic update scheduler settings
C. the running configuration with settings from the candidate configuration
D. the device state with settings from another configuration

A

D

117
Q

An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop.
If the application’s default deny action is reset-both, what action does the firewall take?

A. It silently drops the traffic.
B. It silently drops the traffic and sends an ICMP unreachable code.
C. It sends a TCP reset to the server-side device.
D. It sends a TCP reset to the client-side and server-side devices.

A

A

The rule states that it will not process the profile since action is dro

118
Q

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall’s data plane? (Choose three.)

A. SAML 2.0
B. Kerberos
C. TACACS
D. TACACS+
E. SAML 1.0

A

A B D

119
Q

Which objects would be useful for combining several services that are often defined together?

A. application filters
B. service groups
C. shared service objects
D. application groups

A

B

120
Q

Which rule type is appropriate for matching traffic both within and between the source and destination zones?

A. interzone
B. shadowed
C. intrazone
D. universal

A

D

121
Q

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the ICMP code
“communication with the destination is administratively prohibited”.
Which security policy action causes this?

A. Drop
B. Drop, send ICMP Unreachable
C. Reset both
D. Reset server

A

B

122
Q

You receive notification about new malware that infects hosts through malicious files transferred by FTP.
Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

A. URL Filtering profile applied to inbound Security policy rules.
B. Data Filtering profile applied to outbound Security policy rules.
C. Antivirus profile applied to inbound Security policy rules.
D. Vulnerability Protection profile applied to outbound Security policy rules.

A

C

123
Q

An administrator wants to prevent access to media content websites that are risky.
Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

A. recreation-and-hobbies
B. streaming-media
C. known-risk
D. high-risk

A

B D

124
Q

Which dynamic update type includes updated anti-spyware signatures?

A. PAN-DB
B. Applications and Threats
C. GlobalProtect Data File
D. Antivirus

A

B

125
Q

An administrator would like to silently drop traffic from the internet to a ftp server.
Which Security policy action should the administrator select?

A. Drop
B. Deny
C. Block
D. Reset-server

A

A

126
Q

Which object would an administrator create to block access to all high-risk applications?

A. HIP profile
B. Vulnerability Protection profile
C. application group
D. application filter

A

D

Can dynamically block all applications that are classified as high-risk

127
Q

Which option is part of the content inspection process?

A. Packet forwarding process
B. IPsec tunnel encryption
C. SSL Proxy re-encrypt
D. Packet egress process

A

C

part of the overall content inspection process for secure traffic

128
Q

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

A. Disable automatic updates during weekdays
B. Automatically download and install but with the disable new applications option used
C. Automatically download only and then install Applications and Threats later, after the administrator approves the update
D. Configure the option for Threshold

A

D

Mest för att det ska hända av sig själv (Schedule)

129
Q

What must be considered with regards to content updates deployed from Panorama?

A. Content update schedulers need to be configured separately per device group.
B. Panorama can only install up to five content versions of the same type for potential rollback scenarios.
C. A PAN-OS upgrade resets all scheduler configurations for content updates.
D. Panorama can only download one content update at a time for content updates of the same type.

A

D

130
Q

During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. pattern based application identification
B. application override policy match
C. session application identified
D. application changed from content inspection

A

A B

131
Q

What does an administrator use to validate whether a session is matching an expected NAT policy?

A. system log
B. test command
C. threat log
D. config audit

A

B

132
Q

What is the purpose of the automated commit recovery feature?

A. It reverts the Panorama configuration.
B. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.
C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.
D. It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

A

C

133
Q

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

A. by minute
B. hourly
C. daily
D. weekly

A

C

134
Q

Place the steps in the correct order of operations:
* Security profile enforcement
* decryption
* zone protection
* App-ID

A
  1. zone protection
  2. decryption
  3. security profile enforcement
  4. App-ID
135
Q

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP addresses list?

A. destination address
B. source address
C. destination zone
D. source zone

A

B

“block traffic FROM IP addresses”

136
Q

URL categories can be used as match criteria on which two policy types? (Choose two.)

A. authentication
B. decryption
C. application override
D. NAT

A

A B

137
Q

Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to exploit system flaws?

A. URL filtering
B. vulnerability protection
C. file blocking
D. anti-spyware

A

B

138
Q

What action will inform end users when their access to Internet content is being restricted?

A. Create a custom URL Category object with notifications enabled.
B. Publish monitoring data for Security policy deny logs.
C. Ensure that the site access setting for all URL sites is set to alert.
D. Enable Response Pages on the interface providing Internet access.

A

D

139
Q

What is a recommended consideration when deploying content updates to the firewall from Panorama?

A. Before deploying content updates, always check content release version compatibility.
B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.
C. Content updates for firewall A/A HA pairs need a defined master device.
D. After deploying content updates, perform a commit and push to Panorama.

A

A

140
Q

Which information is included in device state other than the local configuration?

A. uncommitted changes
B. audit logs to provide information of administrative account changes
C. system logs to provide information of PAN-OS changes
D. device group and template settings pushed from Panorama

A

D

141
Q

What is the difference between:
* interzone
* intrazone
* universal

A
  • interzone is for traffic between zones
  • intrazone is for traffic within zones
  • universal is for both traffic within and between zones
142
Q

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.
What should the administrator do?

A. change the logging action on the rule
B. review the System Log
C. refresh the Traffic Log
D. tune your Traffic Log filter to include the dates

A

A

Typically is not configured to log this traffic as default

143
Q

When is the content inspection performed in the packet flow process?

A. after the application has been identified
B. after the SSL Proxy re-encrypts the packet
C. before the packet forwarding process
D. before session lookup

A

A

content inspection happens after the application has been identified

144
Q

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?

A. check now
B. review policies
C. test policy match
D. download

A

B

145
Q

When creating a custom URL category object, which is a valid type?

A. domain match
B. host names
C. wildcard
D. category match

A

D

The valid types are Category match and URL List

146
Q

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?

A. 80
B. 8443
C. 4443
D. 443

A

C

The GlobalProtect Portal can be accessed by going to the IP address of the designated interface using https on port 443.

The WebUI on the same interface can be accessed by going to the interface’s IP address using https on port 4443. The port for WebUI management is changed because the tcp/443 socket used by GlobalProtect takes precedence

147
Q

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control (RBAC)? (Choose two.)

A. SAML
B. TACACS+
C. LDAP
D. Kerberos

A

A B

C & D does not support authorization, only authentication.

148
Q

Which administrative management services can be configured to access a management interface?

A. HTTPS, HTTP, CLI, API
B. HTTPS, SSH, telnet, SNMP
C. SSH, telnet, HTTP, HTTPS
D. HTTP, CLI, SNMP, HTTPS

A

C

149
Q

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently used by attackers to distribute illegal or unethical material?

A. Palo Alto Networks C&G IP Addresses
B. Palo Alto Networks High Risk IP Addresses
C. Palo Alto Networks Known Malicious IP Addresses
D. Palo Alto Networks Bulletproof IP Addresses

A

D

150
Q

Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP Addresses list?

A. source address
B. destination address
C. source zone
D. destination zone

A

B

151
Q

Which three filter columns are available when setting up an Application Filter? (Choose three.)

A. Parent App
B. Category
C. Risk
D. Standard Ports
E. Subcategory

A

B C E

152
Q

Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?

A. reconnaissance
B. delivery
C. installation
D. exploitation

A

B

153
Q

A coworker found a USB labeled “confidential in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware. The malware caused the laptop to begin infiltrating corporate data.
Which Security Profile feature could have been used to detect the malware on the laptop?

A. DNS Sinkhole
B. WildFire Analysis
C. Antivirus
D. DoS Protection

A

B

Key word is “unknown malware”, AV detects known malware.

154
Q

What must be configured before setting up Credential Phishing Prevention?

A. Threat Prevention
B. Anti Phishing Block Page
C. User-ID
D. Anti Phishing profiles

A

C

155
Q

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

A. block
B. sinkhole
C. allow
D. alert

A

B

156
Q

Which statement best describes a common use of Policy Optimizer?

A. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App ID Security policy for every Layer 4 policy that exist. Admins can then manually enable policies they want to keep and delete ones they want to remove.
B. Policy Optimizer can display which Security policies have not been used in the last 90 days.
C. Policy Optimizer on aVM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.
D. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

A

B

157
Q

An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

A. Security policy rule
B. ACC global fitter
C. NAT address pool
D. external dynamic list

A

A

158
Q

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact command-and-control server.
Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection?

A. Anti-Spyware Profile
B. Data Filtering Profile
C. Antivirus Profile
D. Vulnerability Protection Profile

A

A

159
Q

Which Palo Alto Networks component provides consolidated policy creation?

A. Policy Optimizer
B. Prisma SaaS
C. GlobalProtect
D. Panorama

A

D

160
Q

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone.
The administrator does not want to allow traffic between the DMZ and LAN zones.
Which Security policy rule type should they use?

A. interzone
B. intrazone
C. default
D. universal

A

B

161
Q

According to best practices, how frequently should WildFire updates he made to perimeter firewalls?

A. every 10 minutes
B. every minute
C. every 5 minutes
D. in real time

A

D

162
Q

Which solution is a viable option to capture user identification when Active Directory is not in use?

A. Cloud identity Engine
B. Directory Sync Service
C. group mapping
D. Authentication Portal

A

D

ABC has to do with active directory

163
Q

What allows a security administrator to preview the Security policy rules that match new application signatures?

A. Policy Optimizer–New App Viewer
B. Dynamic Updates–Review App
C. Review Release Notes
D. Dynamic Updates–Review Policies

A

D

164
Q

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID?

A. Configure a Primary Employee ID number for user-based Security policies.
B. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389.
C. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL.
D. Configure a frequency schedule to clear group mapping cache.

A

C

165
Q

An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains.
Which type of single, unified engine will get this result?

A. Content ID
B. App-ID
C. Security Processing Engine
D. User-ID

A

A

166
Q

An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains.
Which type of single, unified engine will get this result?

A. Content ID
B. App-ID
C. Security Processing Engine
D. User-ID

A

A

167
Q

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

A. ensure that disable override is selected
B. uncheck the shared option
C. ensure that disable override is cleared
D. create the service object in the specific template

A

B

168
Q

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit 42 research, and data gathered from telemetry?

A. Palo Alto Networks High-Risk IP Addresses
B. Palo Alto Networks Known Malicious IP Addresses
C. Palo Alto Networks C&C IP Addresses
D. Palo Alto Networks Bulletproof IP Addresses

A

B

169
Q

An administrator would like to determine the default deny action for the application dns-over-https.
Which action would yield the information?

A. View the application details in beacon.paloaltonetworks.com
B. Check the action for the Security policy matching that traffic
C. Check the action for the decoder in the antivirus profile
D. View the application details in Objects > Applications

A

D

170
Q

Access to which feature requires a URL Filtering license?

A. PAN-DB database
B. External dynamic lists
C. DNS Security
D. Custom URL categories

A

A

171
Q

What is the main function of the Test Policy Match function?

A. ensure that policy rules are not shadowing other policy rules
B. confirm that rules meet or exceed the Best Practice Assessment recommendations
C. confirm that policy rules in the configuration are allowing donning the correct traffic
D. verify that policy rules from Expedition are valid

A

C

172
Q

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

A. subnet mask
B. tag
C. IP address
D. wildcard mask

A

B

173
Q

What are the three DNS Security categories available to control DNS traffic? (Choose three.)

A. Parked Domains
B. Spyware Domains
C. Vulnerability Domains
D. Phishing Domains
E. Malware Domains

A

B D E

174
Q

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

A. firewall logs
B. custom API scripts
C. Security Information and Event Management Systems (SIEMS), such as Splunk
D. biometric scanning results from iOS devices
E. DNS Security service

A

A B C

Also Cortex XSOAR

175
Q

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)

A. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic
B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application
C. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application
D. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

A

A D

176
Q

What are the four methods used to access the NGFW

A
  • web interface
  • CLI
  • Panorama
  • XML API
177
Q

To gain access to the firewall for the first time, what are the four required information you must provide?

A
  • IP address
  • Netmask
  • Default gateway
  • Domain Name System

DHCP will provide this information automatically

178
Q

What is the route to configure DNS or NTP in the web interface?

A

Device > Setup > Services > Services gear icon

179
Q

What is a service route?

A

It’s an alternative to access external services as DNS via the MGT interface. Instead you configure a regular data plane interface to route the traffic to said service.

180
Q

What is a “role based” administrator

A

Custom rules (admins) you can configure for more granular access controll over the functional areas of the web interface, CLI and XML API.

181
Q

What is a “dynamic role” administrator

A

Built in roles that provide access to the firewall.

182
Q

Name the 6 differenta dynamic role types

A
  • Superuser
  • Superuser (read only)
  • Device admin
  • Device admin (read only)
  • Virtual system admin
  • Virtual system admin (read only)
183
Q

Which dynamic admin type has the most access to the firewall

A

Superuser

184
Q

What is the path to manage configurations?

A

Device >
Setup > Operations

185
Q

What are the 5 different configuration states?

A
  • Revert
  • Save
  • Load
  • Export
  • Import
186
Q

What option restores the last saved candidate configuration?

A

Revert

187
Q

Which option creates a candidate configuration snapshot that does not overwrite the default snapshot?

A

Save named configuration snapshot

188
Q

Which option creates a candidate configuration snapshot that does overwrite the default snapshot?

A

Save candidate configuration

189
Q

What option overwrites the current candidate configuration with one of the following:

  • Custom-named candidate configuarion snapshot
  • Custom-named running configuration (imported)
  • Current running configuration
A

Load named configuration snapshot

190
Q

What does “Load configuration version” do?

A

Overwrites the current candidate configuration with a previous version of the running configuration.

191
Q

What does the “Export named configuration snapshot” do?

A

Exports the current running configuration, a candidate configuration snapshot or a previously imported configuration.

192
Q

What option exports more then just the running configuration?

A

Export device state, it includes:
* Device group
* Template settings pushed from Panorama if applicable.
* Certificate information
* List of sattelites and authentication information

Last 2 only if it’s set up as a GlobalProtect portal.

193
Q
A
194
Q

What does “Import named configurations snapshot” do?

A

Imports a running or candidate configuration as an XML file from any network location such as a host computer.

195
Q

What does “Import device state” do?

A

Imports the state information file exported from a firewall.

196
Q

What is the evaluation order of policies?

A
  1. Shared pre-rules
  2. Device group pre-rules
  3. Local firewall rules
  4. Device group post-rules
  5. Shared post-rules
  6. Default rules
197
Q

What is a common pre-rule?

A

Block specific URL categories or allow DNS traffic for all the users.

198
Q

What is a common post-rule?

A

Deny access to traffic based on the App-ID signatures, User-ID information or service.

199
Q

What does the default rules handle?

A

They specify how PAN-OS handles traffic that doesn’t match any other rule.

For example the Intrazone and Interzone default rule.

200
Q

How often are Antivirus signatures updated?

A

Daily

201
Q

How often are new and modified applications updated?

A

New every month
Modified every week

202
Q

How often are Applications and Threats updated?

A

New every month
Modified every week

203
Q

How often are PAN-DB updated?

A

Every 5-10 minutes

204
Q

How often is WildFire updated?

A

Every minute

|24-48 hours without subscription.

205
Q
A
206
Q

True or false, and interface can belong to multiple zones.

A

False

207
Q

True or false, a zone can have multiple interfaces of the same type assigned to it.

A

True

208
Q

How many external zones can a virtual system have?

A

one

209
Q

What are the four types of address objects?

A
  • IP Netmask
  • IP Range
  • IP Wildcard Mask
  • FQDN
210
Q

What does the EDL file contain?

A
  • IP addresses
  • URLs
  • Domains
211
Q

Which license is required to obtain the built-in EDLs of Palo Alto Networks?

A

Threat Prevention

212
Q

What rule only allows traffic between two different zones?

A

Interzone

213
Q

What rule only allows traffic within the same zone?

A

Intrazone

214
Q

What is Universal traffic rule?

A

A rule that applies to all the matching interzone and intrazone traffic.

215
Q

Which two planes are found in the Palo Alto Networks single-pass platform architecture? (Choose two.)

A. Parallel processing
B. Application
C. Data
D. Control

A

C D

216
Q

Which object cannot be segmented using virtual systems on a firewall?

A. Administrative access
B. MGT interface
C. Network security zone
D. Data plane interface

A

B

217
Q

Which series of firewalls is a high-performance physical appliance solution?

A. ION-Series
B. PA-Series
C. CN-Series
D. VM-Series

A

B

218
Q

Which Strata product provides centralized firewall management and logging?

A. Panorama
B. GlobalProtect
C. WildFire
D. Prisma Access

A

A

219
Q
A
220
Q

True or false? The CN-Series firewalls deliver the same capabilities as the PA-Series and VM-Series firewalls.

A

True

221
Q

What is the factory default IP address for PA-Series Firewalls?

A

192.168.1.1/24

222
Q

What are the two attributes of the dedicated out-of-band network management port in Palo Alto Networks firewalls? (Choose two.)

A. Requires a static, non-DHCP network configuration
B. Labeled MGT by default
C. Supports only SSH connections
D. Cannot be configured as a standard traffic port

A

B D

223
Q

True or false? To register a hardware firewall, you will need the firewall’s serial number.

A

True

224
Q

In the web interface, what is signified when a text box is highlighted in red?

A. The value in the text box is controlled by Panorama
B. The value in the text box is required
C. The value in the text box is optional
D. The value in the text box is an error

A

B

225
Q

True or false? Service routes can be used to configure an in-band port to access external services.

A

True

226
Q

Which two statements are true regarding the candidate configuration? (Choose two.)

A. It contains possible changes to the current configuration.
B. It controls the current operation of the firewall.
C. It can be reverted to the current configuration.
D. It always contains the factory default configuration.

A

A C

227
Q

When changes to a firewall are committed, what is the result of clicking the Preview Changes link?

A. Lists the individual settings for which you are committing changes
B. Compares the candidate configuration to the running configuration
C. Shows any error messages that would appear during a commit
D. Displays any unresolved application dependencies

A

B

228
Q

True or false? The running configuration consists of configuration changes in progress but not active on the firewall.

A

False

229
Q

Which three types of privileges can be defined when a custom admin role is created? (Choose three.)

A. Java API
B. WebUI
C. REST API
D. XML API
E. Panorama

A

B C D

230
Q

Global user authentication is supported by which three authentication services? (Choose three.)

A. SAML
B. TACACS+
C. RADIUS
D. LDAP
E. Certificate

A

A B C

231
Q

True or false? Server Profiles define connections that the firewall can make to external servers.

A

True

232
Q

True or false? Certificate-based authentication replaces all other forms of either local or external authentication.

A

True

233
Q

Which feature allows an administrator to configure a firewall to authenticate a user by checking TACACS+ and then LDAP?

A. Authentication sequence
B. Admin role
C. Authentication profile
D. Multi-Factor authentication

A

A

234
Q

What feature allows an administrator to access a firewall without providing a password?

A. Multi-Factor authentication
B. Certificate-based authentication
C. Authentication profile
D. Authentication sequence

A

B

235
Q

Which two activities are part of the cyberattack lifecycle reconnaissance stage? (Choose two.)

A. establish C2
B. social engineering
C. RAT installation
D. port scans

A

B D

236
Q

Which two characteristics are common among commodity threats? (Choose two.)

A. They often are used as part of an APT.
B. They are pervasive.
C. They pose little risk.
D. They are easy to detect.

A

A B

237
Q

At which packet flow stage does the firewall detect and block pre-session reconnaissance and DoS attacks?

A. slowpath
B. content inspection
C. application identification
D. ingress

A

D

238
Q

Which two routing protocols are supported on a virtual router? (Choose two.)

A. IGRP
B. OSPF
C. EGP
D. BGP

A

B D

239
Q

Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.)

A. tap
B. FC
C. Layer 3
D. FCoE
E. virtual wire

A

A C E

240
Q

Which two firewall interface types can be added to a Layer 3-type security zone? (Choose two.)

A. tunnel
B. virtual wire
C. tap
D. loopback

A

A D

241
Q

Which type of firewall interface enables passive monitoring of network traffic?

A. virtual wire
B. tap
C. loopback
D. tunnel

A

B

242
Q

True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.

A

True

243
Q

When a virtual system is used on a firewall, which object cannot be segmented?

A. data plane interface
B. MGT interface
C. network security zone
D. administrative access

A

B

244
Q

Which two planes are found in the Palo Alto Networks single-pass platform architecture? (Choose two.)

A. application
B. control
C. data
D. parallel processing

A

B C

245
Q

What is the result of clicking the Preview Changes link when committing changes to a firewall?

A. shows any error messages that would appear during a commit
B. lists the individual settings for which you are committing changes
C. compares the candidate configuration to the running configuration
D. displays any unresolved application dependencies

A

C

246
Q

Regarding the candidate configuration, which two statements are true? (Choose two.)

A. It can be reverted to the current configuration.
B. It controls the current operation of the firewall.
C. It contains possible changes to the current configuration.
D. It always contains the factory default configuration.

A

A C

247
Q

Before a firewall can connect to Panorama, which piece of information do you need to enter in the firewall?

A. serial number of the firewall
B. serial number of Panorama
C. IP address of Panorama
D. authorization number of Panorama

A

C

248
Q

Before Panorama can connect and manage a firewall, which piece of information about the firewall do you need to enter into Panorama?

A. IP address
B. serial number
C. login credentials
D. authorization number

A

B

249
Q

Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.)

A. FC
B. Layer3
C. FCoE
D. Tap
E. Virtual wire

A

B D E

250
Q

Which two statements are true regarding the candidate configuration? (Choose two.)

A. It controls the current operation of the firewall.
B. It can be reverted to the current configuration.
C. It contains possible changes to the current configuration.
D. It always contains the factory default configuration.

A

B C

251
Q

Which two configuration elements can be configured for managed firewalls by using templates in Panorama? (Choose two.)

A. Network
B. Device
C. Objects
D. Policies

A

A B

252
Q

In Panorama, can you use the same template in different template stacks?

A. no
B. yes, if there are no other templates in the stack
C. yes, regardless of other templates in the stack
D. yes, if no conflicting values are in other templates within the stack

A

C

253
Q

What will Panorama do if two templates in the same template stack have different values for the same setting?

A. generate an error at commit
B. ignore the value in both templates
C. use the value from the lowest template in the stack
D. use the value from the highest template in the stack

A

D

254
Q

Which device group in Panorama is automatically created and cannot be deleted?

A. Default Group
B. Shared Group
C. Inheritance Group
D. Template Group

A

B

255
Q

When you create the first device group in Panorama, which two tabs are added to the user interface? (Choose two.)

A. Policies
B. Network
C. Device
D. Objects

A

A D

256
Q

Which option should you select to prevent modifications to an object within descendant device groups?

A. Disable Shared Group
B. Disable inheritance
C. Disable override
D. Disable virtual systems

A

B

257
Q

Which information is needed to register a Panorama Physical appliance in the Customer Support Portal?

A. management IP address
B. FQDN logical name
C. serial number of Panorama
D. customer ID and Panorama name

A

C

258
Q

Which type of Security policy rule is the default rule type?

A. default
B. universal
C. intrazone
D. interzone

A

B

259
Q

Which action in a Security policy rule results in traffic being silently rejected?

A. deny
B. drop
C. reset server
D. reset client

A

B

260
Q

In a Palo Alto Networks Security policy rule, which two items are required match criteria? (Choose two.)

A. destination address
B. destination zone
C. source zone
D. destination port

A

B C

261
Q

Which NAT translation type uses NAT oversubscription?

A. static
B. dynamic IP
C. dynamic IP and port
D. dynamic IP with session distribution

A

C

262
Q

At which stage in the flow logic is NAT applied to packets traversing the data plane?

A. Ingress
B. Security Processing (fastpath)
C. App-ID Engine
D. Egress

A

D

263
Q

At which stage in the flow logic does the firewall attempt to match a packet to an existing flow?

A. Ingress
B. Security Processing (fastpath)
C. App-ID Engine
D. Egress

A

B

264
Q

As recorded in the session tables, which three state are considered to be “stable” session states (Choose three.)

A. Opening
B. Active
C. Free
D. Init
E. Discard

A

B D E

265
Q

Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which two applications? (Choose two.)

A. unknown-tcp
B. unknown-udp
C. ssl
D. web-browsing

A

C D

266
Q

How often are new application signatures released by Palo Alto Networks?

A. as soon as possible
B. once per week
C. once per month
D. with each PAN-OS software update

A

C

Updated App-IDs is every week

267
Q

Based on application attributes that you define (Category, Subcategory, Technology, Risk, and Characteristic), which item is the name of an object that dynamically identifies and associates applications?

A. application
B. application filter
C. application group
D. application profile

A

B

268
Q

What triggers a Security policy rule match in the Policy Optimizer’s No App Specified window?

A. “any” in the Application column
B. “Allow” in the Action column
C. “application-default” in the Service column
D. “unknown” in the Application column

A

A

269
Q

Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network?

A. continue response page
B. CVE number
C. Data Filtering log entry
D. DNS Sinkhole

A

D

270
Q

To which item are Zone Protection Profiles applied?

A. egress ports
B. ingress ports
C. Address Groups
D. Security policy rules

A

D

271
Q

What is required for a Security Profile attached to a Security policy rule to be successfully evaluated?

A. the Security policy rule matches, and the traffic is set to “allow”
B. the Security policy rule matches, and the traffic is set to “deny”
C. the App-ID signature matches, and the traffic is set to “allow”
D. the App-ID signature matches, and the traffic is set to “deny”

A

A

272
Q

Which statement is true regarding Safe Search Enforcement?

A. Safe search is a web server setting.
B. Safe search is a web browser setting.
C. Safe search is a desktop setting.
D. Safe search is a laptop setting.

A

B

272
Q

Which action would not be recorded in a URL Filtering log?

A. alert
B. allow
C. continue
D. override

A

B

273
Q

Which Security Profile is designed to help mitigate unknown threats?

A. Antivirus
B. Anti-Spyware
C. Vulnerability Protection
D. WildFire Analysis

A

D

274
Q

Sinkhole events are recorded in which log?

A. Threat
B. URL Filtering
C. WildFire Submissions
D. Data Filtering

A

A

Flashy Certs (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions