1. Which two actions affect all of the widgets in the Application Command Center?
If you choose an incorrect choice your question score will be deducted.
setting a global filter
setting a time range
setting a local filter
setting a global search
2. What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
deviceadmin
vsysadmin
superuser
Custom role
3. Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network?
data filtering log entry
DNS Sinkhole
continue response page
CVE Number
4. How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?
unknown-tcp
insufficient-data
incomplete
not-applicable
5. When creating an application filter, which of the following is true?
They are called dynamic because they will automatically include new applications from an application signature update if the new application’s type is included in the filter
Excessive bandwidth may be used as a filter match criteria
They are used by malware
They are called dynamic because they automatically adapt to new IP addresses
6. What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
Application-custom
Application-implicit
Application-dependent
Application-default
7. Which type of attack promises an item or goods that hackers use to entice victims for login credentials to a particular site?
Baiting
Pretexting
Tailgating
Phishing
8. What is the default setting for "Action" in a decryption policy rule?
None
Decrypt
No-decrypt
Any
9. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
Two
Three
One
Four or five
10. In the Palo Alto Networks Application Command Centre (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display?
Local
Universal
Global
Group
11. Which feature can be configured with an IPv6 address?
a. Static Route
DHCP Server
BGP
RIPv2
12. What type of interface allows the Next Generation firewall to provide switching between two or more networks?
Tap
Layer3
Virtual Wire
Layer2
13. What two interface types on the Next Generation firewall provide support for Network Address Translation?
a. Layer 3
HA
Layer2
Tap
e. Virtual Wire
14. What should be configured as the destination zone on the original packet tab of the NAT Policy rule in the Next Generation firewall?
a. Untrust-L3
Trust-L3
Any
DMZ-L3
15. Which routing protocol is supported in the Next Generation firewall platform?
ISIS
RSTP
BGP
RIPV1
16. Which statement is not true regarding Safe Search Enforcement?
Safe search is a best effort setting
Safe search is a web browser setting
Safe search is a web server setting
Safe search works only in conjunction with credential submission websites
17. Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?
The server private IP
The firewall Management port IP
c. The server public IP
The firewall gateway IP
18. Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule on the Next Generation firewall?
Static IP
Dynamic IP and Port
Bi-Directional
Dynamic IP
19. What are two sources of information for determining whether the Next Generation firewall has been successful in communication with an external User-ID Agent?
System and authentication logs
Traffic and Authentication Logs
System logs and the indicator light under the User-ID Agent settings in the firewall
System logs and authentication lights on the chassis
20. What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
superuser
Custom role
deviceadmin
vsysadmin
21. Which CLI command is used to verify successful file uploads to WildFire?
debug wildfire upload-log
debug wildfire download-log show
debug wildfire upload-log show
debug wildfire upload-threat show
22. Which is the URL matching order on a Palo Alto Networks Next Generation Firewall?
Allow, Block, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
Block, Allow, Custom URL, External Dynamic, PAN-DB Download, PAN-DB Cloud, PAN-DB Cache
Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
Block, Allow, External Dynamic, Custom URL, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
23. Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information?
Aperture
GlobalProtect
Panorama
AutoFocus
24. Which Next Generation Firewall URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option?
HTTP Header Logging
User Credential Detection
Safe Search Enforcement
Log Container Page Only
25. Which Next Generation FW configuration type has settings active on the firewall?
Candidate
Running
Legacy
Startup
26. Which of the following is not a zone type on the Next Generation firewall?
Layer3
Virtual Wire
Internal
Layer2
e. Tap
27. Which Palo Alto Networks Cortex technology prevents malware, blocks exploits, and analyzes suspicious patterns through behavioral threat protection?
XDR
AutoFocus
XSOAR
Data Lake
28. Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule on the Next Generation firewall?
Static IP
Bi-Directional
Dynamic IP
Dynamic IP and Port
29. Which type of attack can be mitigated by deploying strong encryption services on your network?
Denial of Service
Spoofing
Eavesdropping
Sniffer
30. Which type of IDPS technique includes agents that often include a host-based firewall that can restrict incoming and outgoing traffic for each application on the system, preventing unauthorized access and acceptable use policy violations (e.g., use of inappropriate external services)?
Filesystem Monitoring
Code Analysis
Network Traffic Analysis
Network Traffic Filtering
31. Which URL filtering security profile action logs the category to the URL filtering log?
Default
Allow
Log
Alert
32. Which User-ID component and mapping method is recommended for web clients that do not use the domain server?
XML API
GlobalProtect
Terminal Services agent
Captive Portal
33. Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?
EXE
APK
JAR
34. Which WildFire verdict might indicate obtrusive behavior but not a security threat?
grayware
benign
malware
phishing
35. A Zone Protection Profile is applied to which item?
Egress Ports
Security Policy Rules
Address Groups
Ingress Ports
36. Which of the following is not a zone type on the Next Generation firewall?
Virtual Wire
Internal
Layer2
Layer3
e. Tap
37. On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.
False
38. On the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.
True
39. Destination NAT changes a private address/port into a public address/port for packets leaving your network.
False
40. On the Next Generation firewall, DNS sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic.
True
41. True or false? The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted.
True
42. All of the interfaces on a Next Generation firewall must be of the same interface type.
False
43. In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.
True
44. On the Next Generation firewall, if there is a NAT policy, there must also be a security policy.
True
45. The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement.
True
46. In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers.
True
47. An interface in Virtual Wire mode on a Next Generation firewall does not require an IP address.
True
1. A "continue" action can be configured on the following security profiles in the Next Generation firewall:
Select one:
a. URL Filtering
b. URL Filtering, File Blocking, and Data Filtering
c. URL Filtering and File Blocking
d. URL Filtering and Antivirus
2. Which three methods does App-ID use to identify network traffic?
Choose the 3 correct choices.
If you choose an incorrect choice your question score will be deducted.
Select one or more:
heuristics
application filter match
URL category
signatures
protocol decoders
3. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
Select one:
a. One
b. Four or five
c. Two
d. Three
4. Which type of audit trail may not be able to track and log events within applications, or may not be able to provide the level of detail needed by application or data owners, the system administrator, or the computer security manager?
Select one:
a. Application-Level
b. User-Level
c. System-Level
d. Device-Level
5. What are two sources of information for determining whether the Next Generation firewall has been successful in communication with an external User-ID Agent?
Select one:
a. System logs and the indicator light under the User-ID Agent settings in the firewall
b. Traffic and Authentication Logs
c. System logs and authentication lights on the chassis
d. System and authentication logs
6. Network traffic matches an “allow” rule in the Security policy, but the attached File Blocking Profile is configured with a “block” action. To which two locations will the traffic be logged?
Choose the 2 correct choices.
If you choose an incorrect choice your question score will be deducted.
Select one or more:
Alarms Log
Data Filtering Log
Traffic Log
Threat Log
7. Which two statements are true regarding User-ID and firewall configuration?
Choose the 2 correct choices.
If you choose an incorrect choice your question score will be deducted
Select one or more:
The USER-ID agent must be installed on the domain controller
Communication between the firewall and the USER-ID agent is sent over an encrypted SSL connection
NETBIOS is the only client-probing method supported by the USER-ID agent
The firewall needs to have information for every USER-ID agent to which it will connect
8. For the Palo Alto Networks Next Generation Firewall to access a Global Catalog server, LDAP must be set to communicate with which port?
Select one:
a. 3268
b. 636
c. 443
d. 389
9. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
Select one:
a. One
b. Three
c. Two
d. Four or five
10. In a Next Generation Firewall, what is not considered part of the 6 flow lookup tuples performed on a packet?
Select one:
a. Source and destination IP addresses
b. Layer2 and loopback address
c. Protocol and security zone
d. Source and destination ports
11. In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?
Select one:
a. 30 Minutes
b. 5 Minutes
c. 1 Hour
d. 15 Minutes
12. In the Palo Alto Networks Firewall WebUI, which type of report can be compiled into a single emailed PDF?
Select one:
a. Botnet
b. Predefined
c. Group
d. PDF Summary
13. Through which type of attack does a hacker assume your identity to intercept and read messages?
Select one:
a. Compromised Key
b. Application Layer
c. Man-In-The-Middle
d. Data Modification
14. Which of the following services are enabled on the Next Generation firewall MGT interface by default?
Select one or more:
a. Telnet
b. HTTPS
c. HTTP
d. SSH
15. On a Palo Alto Networks Firewall, what is the maximum number of IPsec tunnels that can be associated with a tunnel interface?
Select one:
a. 5
b. 10
c. 7
d. 2
16. On the Next Generation firewall, what type of security profile detects infected files being transferred with the application?
Select one:
a. URL Filtering
b. Anti-Virus
c. WildFire Analysis
d. File Blocking
e. Vulnerability Protection
17. In a Next Generation Firewall, what is not considered part of the 6 flow lookup tuples performed on a packet?
Select one:
a. Source and destination ports
b. Protocol and security zone
c. Source and destination IP addresses
d. Layer2 and loopback address
18. Which statement about the predefined reports is not correct?
Select one:
a. They are grouped in 5 categories
b. They are emailed daily to users
c. There are more than 40 predefined reports
d. They are generated daily by default
19. What action will show whether a downloaded PDF file from a user has been blocked by a security profile on the Next Generation firewall?
Select one:
a. Filter the data filtering logs for the user's traffic and the name of the PDF file
b. Filter the traffic logs for all traffic from the user that resulted in a deny action
c. Filter the session browser for all sessions from a user with the application adobe
d. Filter the system log for failed download messages
20. Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall?
Select one or more:
a. User Identification (User-ID)
b. Threat Identification (Threat-ID)
c. Group Identification (Group-ID)
d. Content Identification (Content-ID)
e. Application Identification (App-ID)
21. Which item is not a valid choice when the Source User field is configured in a Security policy rule?
Select one:
a. any
b. unknown
c. known-user
d. all
22. Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?
Select one:
a. The server public IP
b. The firewall gateway IP
c. The firewall Management port IP
d. The server private IP
23. A "continue" action can be configured on the following security profiles in the Next Generation firewall:
Select one:
a. URL Filtering and File Blocking
b. URL Filtering
c. URL Filtering and Antivirus
d. URL Filtering, File Blocking, and Data Filtering
24. What options are available for selecting users for a security policy on the Next Generation firewall?
Select one or more:
a. Known-user
b. Unknown-user
c. Pre-logon
d. Unselect-user
25. What component of the Next Generation Firewall will protect from port scans?
Select one:
a. DOS Protection
b. Zone protection
c. Vulnerability protection
d. Anti-Virus Protection
26. What mechanism on a Next Generation firewall is used to trigger a High Availability failover if the interface goes down?
Select one:
a. Heartbeat polling
b. Preemption
c. Link monitoring
d. SNMP polling
27. What mechanism on a Next Generation firewall is used to trigger a High Availability failover if the interface goes down?
Select one:
a. Preemption
b. Heartbeat polling
c. SNMP polling
d. Link monitoring
28. What Next Generation firewall virtual platform is specifically meant for use with VMware NSX?
Select one:
a. VM-200
b. VM-1000
c. VM-100
d. VM-300
29. What type of interface allows the Next Generation firewall to provide switching between two or more networks?
Select one:
a. Layer2
b. Tap
c. Virtual Wire
d. Layer3
30. Which command will reset a next generation firewall to its factory default settings if you know the admin account password?
Select one:
a. reset system settings
b. request system private-data-reset
c. reset startup-config
d. reload
31. Which Palo Alto Networks Next Generation Firewall URL Category Action sends a response page to the user’s browser that prompts the user for the administrator-defined override password, and logs the action to the URL Filtering log?
Select one:
a. block
b. override
c. alert
d. continue
32. Which phase of the Internet Key Exchange (IKE) is concerned with authenticating the endpoints?
Select one:
a. Phase 1
b. Phase 4
c. Phase 3
d. Phase 2
33. Which routing protocol is supported in the Next Generation firewall platform?
Select one:
a. RSTP
b. BGP
c. RIPV1
d. ISIS
34. Which type of social engineering attack involves hackers who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find? These attackers offer IT assistance to each and every one of their victims.
Select one:
a. Phishing
b. Quid Pro Quo
c. Baiting
d. Pretexting
35. Which URL filtering security profile action logs the category to the URL filtering log?
Select one:
a. Log
b. Default
c. Alert
d. Allow
36. Which WildFire verdict indicates no security threat but might display obtrusive behavior?
Select one:
a. Phishing
b. Malware
c. Benign
d. Grayware
37. Which two firewall features display information using widgets?
Choose the 2 correct choices.
If you choose an incorrect choice your question score will be deducted
Select one or more:
a. ACC
b. Botnet report
c. Dashboard
d. Traffic log
38. True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.
39. True or false? A URL Filtering license is not required to define and use custom URL categories.
40. True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.
41. The Office of Management and Budget (OMB) defines Personally Identifiable Information (PII) as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
True
The correct answer is 'True'.
42. True or false? A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to “allow.”