Study Guide PDF Q-Answers Flashcards

1
Q
1. What is the last step of packet processing in the firewall?
A. check allowed ports
B. check Security Profiles
C. check Security policy
D. forwarding lookup
A

B. check Security Profiles

2
Q
2. Which interface type requires you to configure where the next hop is for various addresses?
A. tap
B. virtual wire
C. Layer 2
D. Layer 3
A

D. Layer 3

3
Q
3. How do you enable the firewall to be managed through a data-plane interface?
A. You specify Web UI in the interface properties.
B. You specify Management in the interface properties.
C. You specify HTTPS in the Interface Management Profile, and then specify in the interface properties to use that profile.
D. You specify Management in the Interface Management Profile, and then specify in the interface properties to use that profile.
A

C. You specify HTTPS in the Interface Management Profile, and then specify in the interface properties to use that profile.

4
Q
4. Some devices managed by Panorama have their external interface on ethernet1/1, some on ethernet1/2. However, the zone definitions for the external zone are identical. What is the recommended solution in this case?
A. Create two templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices. Use the same external zone definitions in both. Apply those two templates to the appropriate devices.
B. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices, and one with the external zone definitions. Use those templates to create two template stacks, one with the ethernet1/1 and external zone, another with the ethernet1/2 and external zone. Apply those two template stacks to the appropriate devices.
C. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices, and one with the external zone definitions. Apply the external zone template to all devices, and the ethernet1/1 and ethernet1/2 as appropriate (you can apply up to five templates per device).
D. Create three template stacks: one for the ethernet1/1 devices, one for the ethernet1/2 devices, and one with the external zone definitions. Apply the external zone template to all devices, and the ethernet1/1 and ethernet1/2 as appropriate (you can apply up to five templates per device).
A

A. Create two templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices. Use the same external zone definitions in both. Apply those two templates to the appropriate devices.

5
Q
5. In a Panorama managed environment, which two options show the correct order of policy evaluation? (Choose two.)
A. device group pre-rules, shared pre-rules, local firewall rules, intrazone-default, interzone-default
B. device group pre-rules, local firewall rules, shared post-rules, device group post-rules, intrazone-default, interzone-default
C. device group pre-rules, local firewall rules, device group post-rules, shared post-rules, intrazone-default, interzone-default
D. device group pre-rules, local firewall rules, intrazone-default, interzone-default, device group post-rules, shared post-rules
E. shared pre-rules, device group pre-rules, local firewall rules, intrazone-default, interzone-default
A

C. device group pre-rules, local firewall rules, device group post-rules, shared post-rules, intrazone-default, interzone-default

E. shared pre-rules, device group pre-rules, local firewall rules, intrazone-default, interzone-default

6
Q
6. When you deploy the Palo Alto Networks NGFW on NSX, how many virtual network interfaces does a VM-Series firewall need?
A. two, one for traffic input and output and one for management traffic
B. four, two for traffic input and output and two for management traffic (for High Availability)
C. three, one for traffic input, one for traffic output, and one for management traffic
D. six, two for traffic input, two for traffic output, and two for management traffic (for High Availability)
A

C. three, one for traffic input, one for traffic output, and one for management traffic

7
Q
7. Which source of user information is not supported by the NGFW?
A. RACF
B. LDAP
C. Active Directory
D. SAML
A

A. RACF

8
Q
8. What is the main mechanism of packet-based vulnerability attacks?
A. malformed packets that trigger software bugs when they are received
B. excess packets that fill up buffers, thus preventing legitimate traffic from being processed
C. packets that get responses that leak information about the system
D. packets that either fill up buffers or get responses that leak information
A

A. malformed packets that trigger software bugs when they are received

9
Q
9. Which method is not a PAN-OS software decryption method?
A. SSH Proxy
B. SSL Proxy
C. SSL Forward Proxy
D. SSL Inbound Inspection
A

B. SSL Proxy

10
Q
10. What type of identification does an Application Override policy override?
A. App-ID
B. User-ID
C. Content-ID
D. Service
A

A. App-ID

11
Q
11. Which two types of protocols can cause an insufficient data value in the Application field in the Traffic log? (Choose two.)
A. UDP
B. TCP
C. ICMP
D. GRE
E. IGP
A

A. UDP

B. TCP

12
Q
12. Which three profile types are used to prevent malware executables from entering the network? (Choose three.)
A. Antivirus
B. Anti-Spyware
C. WildFire Analysis
D. File Blocking
E. Vulnerability Protection
F. Zone Protection
A

A. Antivirus

C. WildFire Analysis
D. File Blocking

13
Q
13. Which user credential detection method does not require access to an external directory?
A. group mapping
B. domain credential filter
C. LDAP
D. Certificate
A

D. Certificate

14
Q
14. Which object type has a property to specify whether it can transfer files?
A. Application
B. Service
C. User
D. User group
A

A. Application

15
Q
15. When destination NAT rules are configured, the associated security rule is matched using which parameters?
A. pre-NAT source zone and post-NAT destination zone
B. post-NAT source zone and pre-NAT destination zone
C. pre-NAT source zone and post-NAT destination IP address
D. post-NAT source zone and post-NAT destination zone
A

A. pre-NAT source zone and post-NAT destination zone

16
Q
16. What is the initial IP address for the management interface?
A. 10.0.0.1
B. 172.16.0.1
C. 192.168.1.1
D. 192.168.255.254
A

C. 192.168.1.1

17
Q
17. In a new firewall, which port provides web interface access by default?
A. data port #1
B. any data port
C. management port
D. console port
A

C. management port

18
Q
18. Which application requires you to import private keys?
A. Captive Portal
B. Forward Trust
C. SSL Inbound Inspection
D. SSL Exclude Certificate
A

C. SSL Inbound Inspection

19
Q
19. Under which conditions can two Layer 3 interfaces have the same IP address?
A. They must be connected to a common VLAN object interface.
B. They must be connected to the same Ethernet network through a switch. This configuration can be used only for High Availability.
C. They must be connected to different virtual routers.
D. They must be subinterfaces of the same physical interface.
E. This feature is not supported.
A

E. This feature is not supported.

20
Q
20. Which two protocols are supported for site-to-site VPNs? (Choose two.)
A. Authentication Header (AH)
B. Secure Socket Layer (SSL)
C. Encapsulating Security Payload (ESP)
D. Transport Layer Security (TLS)
E. Secure Shell (SSH)
A

A. Authentication Header (AH)

C. Encapsulating Security Payload (ESP)

21
Q
21. GlobalProtect Portal is responsible for which two functions? (Choose two.)
A. terminating SSL tunnels
B. authenticating GlobalProtect users
C. creating on-demand certificates to encrypt SSL
D. managing and updating GlobalProtect client configurations
E. managing GlobalProtect Gateway configurations
A

B. authenticating GlobalProtect users

D. managing and updating GlobalProtect client configurations

22
Q
22. What is the preferred SYN flood defense action type?
A. Random Drop
B. Random Early Drop
C. SYN Proxy
D. SYN Cookies
A

D. SYN Cookies

23
Q
23. What would be a valid reason to allow non-SYN TCP packets at the start of a connection?
A. Such packets could happen legitimately in the case of asymmetric routing.
B. Such packets could happen legitimately if there is load balancing across firewalls.
C. Such packets could happen legitimately because of either asymmetric routing or load balancing across firewalls.
D. Such packets could happen because of router bugs.
A

B. Such packets could happen legitimately if there is load balancing across firewalls.

24
Q
24. Where do you configure protection from malformed IP and TCP headers?
A. DoS Profile
B. QoS Profile
C. Zone Protection Profile
D. Application Profile
A

C. Zone Protection Profile

25
Q
25. Which parameter is "not" a valid criterion for the original packet in address translation?
A. source zone
B. application
C. service
D. destination address
A

B. application

26
Q
26. Which parameter in a Security policy rule do you use to apply a rule to traffic coming in from a specific interface?
A. source zone
B. source address
C. user
D. source interface
A

A. source zone

27
Q
27. Where do you specify that certain URL categories are not to be decrypted?
A. certificate properties
B. Decryption Profile
C. Decryption policy
D. Security policy
A

C. Decryption policy

28
Q
28. Where do you specify how the firewall should treat invalid certificates?
A. certificate properties
B. Decryption Profile
C. Decryption policy
D. Security policy
A

B. Decryption Profile

29
Q
29. Which two public cloud environments support pay-as-you-go (PAYG) firewall licensing? (Choose two.)
A. Microsoft Azure
B. Microsoft Hyper-V
C. Amazon AWS
D. VMware NSX
E. VMware ESXi
A

A. Microsoft Azure

C. Amazon AWS

“a” holes charge

30
Q
30. Which log type gets redirected in Device > Log Settings?
A. Config
B. Traffic
C. Threat
D. WildFire Submission
A

A. Config

31
Q
31. Which tab of the firewall web interface gives you a consolidated picture of the security situation and the top-level threats?
A. Dashboard
B. ACC
C. Monitor
D. Devices
A

B. ACC

32
Q
32. A customer's custom application uses SMTP (email) to transfer directory information, which needs to be filtered in a different manner from normal SMTP. How do you configure this filtering?
A. You cannot do it with the NGFW. You need to manually configure a proxy.
B. Create specific rules for the sources and destinations that run this application.
C. Create a custom signature and specify the SMTP fields that are different from normal SMTP use and patterns to identify when it is the custom application.
D. Create an Application Override policy and specify the sources and destinations that run this application.
A

C. Create a custom signature and specify the SMTP fields that are different from normal SMTP use and patterns to identify when it is the custom application.

33
Q
33. Which kind of update requires a disruption in connectivity?
A. downloading the PAN-DB seed file
B. dynamic content
C. PAN-OS software
D. WildFire subscription antivirus signatures
A

C. PAN-OS software

34
Q
34. Which dedicated High Availability port is used for which plane?
A. HA1 for the data plane, HA2 for the management plane
B. HA1 for the management plane, HA2 for the data plane
C. MGT for the management plane; HA2 as a backup
D. HA1 for the management plane, HA2 for the data plane in the 7000 Series
A

B. HA1 for the management plane, HA2 for the data plane

35
Q
35. Which two protocols can AutoFocus use to retrieve log information from an NGFW? (Choose two.)
A. syslog
B. Log transfer protocol, a Palo Alto Networks proprietary protocol
C. HTTP
D. HTTPS
E. SNMP
A

C. HTTP

D. HTTPS

36
Q
36. Palo Alto Networks publishes new applications at which approximate interval?
A. every 30 minutes
B. hourly
C. daily
D. weekly
A

D. weekly

37
Q
37. Which type of device can receive the GlobalProtect data files content update?
A. Log Collector
B. firewall
C. WildFire
D. Antivirus
A

B. firewall

38
Q
38. In which log will you see evidence that an administrator cannot log in to the firewall?
A. Traffic
B. System
C. Configuration
D. Authentication
A

B. System

39
Q
39. How do you reboot the firewall from the command line?
A. restart system
B. reboot
C. request restart system
D. request reboot
A

C. request restart system

40
Q
40. Where in the user interface do you configure how many packets to capture when the extended-capture option is selected in an Anti-Spyware Profile or Vulnerability Profile?
A. Device tab, as part of the Setup node
B. Security Profiles, because the desired number of captured packets can vary between profiles
C. as a default in the Device tab, as part of the Capture node. Then, exceptions can be configured in the Security Profiles
D. Configure Capturing options for each defined capture file
A

D. Configure Capturing options for each defined capture file

!!!! located in device/setup Content-ID

41
Q
41. You are preparing a bootstrap template for use with a VM-Series firewall hosted in a public cloud. You don't need to include the Content-ID files because the firewall will download the latest version when it is booted anyway. How do you configure the bootstrap's content directory?
A. leave it empty
B. delete it
C. rename it to content-null
D. add an empty file to it named no-download
A

A. leave it empty

42
Q
42. Which format do you use for an AWS CloudFormation Template?
A. XML
B. CSV
C. JSON
D. JSON or XML
A

C. JSON

43
Q
43. In which order are Security policy rules from Panorama processed relative to local firewall policy rules?
A. Local firewall policy rules are processed only during loss of Panorama connectivity.
B. All Panorama rules are processed first.
C. All local firewall policy rules are processed first.
D. Some Panorama rules are processed before the firewall's local rules, and some are processed after the local rules.
A

D. Some Panorama rules are processed before the firewall’s local rules, and some are processed after the local rules.

44
Q
44. Which statement is true about Security Profiles?
A. They are evaluated from top down, with the first match processing the traffic.
B. They are applied to all inbound traffic when they are enabled.
C. They enable a specific type of threat scanning (e.g., Virus, Spyware).
D. They can specify actions based on the username.
A

C. They enable a specific type of threat scanning (e.g., Virus, Spyware).

45
Q
45. Which Captive Portal authentication method can be handled by the browser without affecting the user experience?
A. web-challenge
B. browser-challenge
C. web-form
D. browser-form
A

B. browser-challenge

46
Q
46. The firewall of a defense contractor is not connected to the internet. However, it is connected to the classified SIPRNet. The contractor is concerned about getting malware files through that network. Can this defense contractor use the WildFire service for protection?
A. No, because there is no network path to the WildFire cloud.
B. No, because all SIPRNet files are encrypted.
C. Yes, but only for PE-type file analysis.
D. Yes, it can use a WF-500 appliance.
A

D. Yes, it can use a WF-500 appliance.

47
Q
47. How does the NGFW handle excess packets when there are QoS constraints?
A. It buffers them until there is bandwidth to send them.
B. It drops a percentage of them randomly.
C. It replaces them with packets that tell the computer on the other side to slow down.
D. It sends a portion instead of the whole packet.
A

B. It drops a percentage of them randomly.

48
Q
48. Which function is performed by the management plane?
A. signature matching
B. VPN encryption
C. policy matching
D. User-ID group lookups
A

D. User-ID group lookups

49
Q
49. Which User-ID IP address-to-username mapping method can be visible to users?
A. Captive Portal
B. monitoring Active Directory event logs
C. monitoring print server event logs
D. monitoring a Cisco WLAN controller
A

A. Captive Portal

50
Q
50. Which feature of the NGFW enables you to identify attempts to tunnel SSH over other ports?
A. App-ID
B. Content-ID
C. User-ID
D. SSH Forward Proxy
A

A. App-ID

db note- set service to “any”

51
Q
51. What is the correct order of operations?
A. check allowed ports, decrypt (if traffic is encrypted and the policy specifies to decrypt it), check Security policy, check Security Profiles, re-encrypt traffic
B. check allowed ports, decrypt (if traffic is encrypted and the policy specifies to decrypt it), check Security Profiles, check Security policy, re-encrypt traffic
C. decrypt (if traffic is encrypted and the policy specifies to decrypt it), check allowed ports, check Security policy, re-encrypt traffic
D. decrypt (if traffic is encrypted and the policy specifies to decrypt it), check allowed ports, check Security Profiles, check Security policy, re-encrypt traffic
A

A. check allowed ports, decrypt (if traffic is encrypted and the policy specifies to decrypt it), check Security policy, check Security Profiles, re-encrypt traffic