Palo Alto Networks Academy Questions and Answers

1. Which two actions affect all of the widgets in the Application Command Center?

If you choose an incorrect choice your question score will be deducted

setting a global filter 

setting a time range 

setting a local filter

setting a global search

2. What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?

deviceadmin

 

vsysadmin

superuser

Custom role

3. Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network?

data filtering log entry

DNS Sinkhole

continue response page

CVE Number

4. How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?

unknown-tcp

insufficient-data 

incomplete

not-applicable

5. When creating an application filter, which of the following is true?

They are called dynamic because they will automatically include new applications from an application signature update if the new application’s type is included in the filter

Excessive bandwidth may be used as a filter match criteria

They are used by malware

They are called dynamic because they automatically adapt to new IP addresses

6. What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?

Application-custom

Application-implicit

Application-dependent

Application-default

7. Which type of attack promises an item or goods that hackers use to entice victims for login credentials to a particular site?

Baiting

 

Pretexting

Tailgating

Phishing

8. What is the default setting for "Action" in a decryption policy rule?

None

 

Decrypt

No-decrypt

Any

9. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?

Two 

Three 

One 

Four or five

10. In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display?

Local

Universal

Global

Group

11. Which feature can be configured with an IPv6 address?

a. Static Route

DHCP Server

BGP

RIPv2

12. What type of interface allows the Next Generation firewall to provide switching between two or more networks?

Tap

Layer3

Virtual Wire

Layer2

13. What two interface types on the Next Generation firewall provide support for Network Address Translation?

a. Layer 3

HA

Layer2

Tap

e. Virtual Wire

14. What should be configured as the destination zone on the original packet tab of the NAT Policy rule in the Next Generation firewall?

a. Untrust-L3

Trust-L3

Any

DMZ-L3

15. Which routing protocol is supported in the Next Generation firewall platform?

ISIS

RSTP

BGP

RIPV1

16. Which statement is not true regarding Safe Search Enforcement?

Safe search is a best effort setting 

Safe search is a web browser setting

Safe search is a web server setting

Safe search works only in conjunction with credential submission websites

17. Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?

The server private IP

The firewall Management port IP

c. The server public IP

The firewall gateway IP

18. Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule on the Next Generation firewall?

Static IP

 

Dynamic IP and Port

Bi-Directional

Dynamic IP

19. What are two sources of information for determining whether the Next Generation firewall has been successful in communication with an external User-ID Agent?

System and authentication logs

Traffic and Authentication Logs

System logs and the indicator light under the User-ID Agent settings in the firewall

System logs and authentication lights on the chassis

20. What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?

superuser

Custom role

deviceadmin

vsysadmin

21. Which CLI command is used to verify successful file uploads to WildFire?

debug wildfire upload-log

debug wildfire download-log show

debug wildfire upload-log show

debug wildfire upload-threat show

22. Which is the URL matching order on a Palo Alto Networks Next Generation Firewall?

Allow, Block, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud

Block, Allow, Custom URL, External Dynamic, PAN-DB Download, PAN-DB Cloud, PAN-DB Cache

Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud

Block, Allow, External Dynamic, Custom URL, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud

23. Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information?

Aperture

GlobalProtect

Panorama

AutoFocus

24. Which Next Generation Firewall URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option?

HTTP Header Logging

User Credential Detection

Safe Search Enforcement

Log Container Page Only

25. Which Next Generation FW configuration type has settings active on the firewall?

Candidate 

Running 

Legacy 

Startup 

26. Which of the following is not a zone type on the Next Generation firewall?

Layer3

Virtual Wire

Internal

Layer2

e. Tap

27. Which Palo Alto Networks Cortex technology prevents malware, blocks exploits, and analyzes suspicious patterns through behavioral threat protection?

XDR

AutoFocus

XSOAR

Data Lake

28. Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule on the Next Generation firewall?

Static IP

Bi-Directional

Dynamic IP

Dynamic IP and Port

29. Which type of attack can be mitigated by deploying strong encryption services on your network?

Denial of Service

Spoofing

Eavesdropping

Sniffer

30. Which type of IDPS technique includes agents that often include a host-based firewall that can restrict incoming and outgoing traffic for each application on the system, preventing unauthorized access and acceptable use policy violations (e.g., use of inappropriate external services)?

Filesystem Monitoring

Code Analysis

Network Traffic Analysis

Network Traffic Filtering

31. Which URL filtering security profile action logs the category to the URL filtering log?

Default

Allow

Log

Alert

32. Which User-ID component and mapping method is recommended for web clients that do not use the domain server?

XML API

GlobalProtect

Terminal Services agent

Captive Portal

33. Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?

EXE

APK

JAR 

PDF

34. Which WildFire verdict might indicate obtrusive behavior but not a security threat?

grayware 

benign

malware

phishing

35. A Zone Protection Profile is applied to which item?

Egress Ports

Security Policy Rules 

Address Groups

Ingress Ports

36. Which of the following is not a zone type on the Next Generation firewall?

Virtual Wire

Internal

Layer2

Layer3

e. Tap

37. On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.

False

38. On the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.

True

39. Destination NAT changes a private address/port into a public address/port for packets leaving your network.

False

40. On the Next Generation firewall, DNS sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic.

True

41. True or false? The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted.

True

42. All of the interfaces on a Next Generation firewall must be of the same interface type.

False

43. In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.

True

44. On the Next Generation firewall, if there is a NAT policy, there must also be a security policy.

True 

45. The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement.

True 

46. In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers.

True

47. An interface in Virtual Wire mode on a Next Generation firewall does not require an IP address.

True

1. A "continue" action can be configured on the following security profiles in the Next Generation firewall:

Select one:

a. URL Filtering

b. URL Filtering, File Blocking, and Data Filtering

c. URL Filtering and File Blocking

d. URL Filtering and Antivirus

2. Which three methods does App-ID use to identify network traffic?

Choose the 3 correct choices.

If you choose an incorrect choice your question score will be deducted.

Select one or more:

heuristics

application filter match

URL category

signatures

protocol decoders

 

3. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?

Select one:

a. One 

b. Four or five

c. Two 

d. Three 

4. Which type of audit trail may not be able to track and log events within applications, or may not be able to provide the level of detail needed by application or data owners, the system administrator, or the computer security manager?

Select one:

a. Application-Level

b. User-Level

c. System-Level

d. Device-Level

5. What are two sources of information for determining whether the Next Generation firewall has been successful in communication with an external User-ID Agent?

Select one:

a. System logs and the indicator light under the User-ID Agent settings in the firewall

b. Traffic and Authentication Logs

c. System logs and authentication lights on the chassis

d. System and authentication logs

6. Network traffic matches an “allow” rule in the Security policy, but the attached File Blocking Profile is configured with a “block” action. To which two locations will the traffic be logged? 

Choose the 2 correct choices.

If you choose an incorrect choice your question score will be deducted.

Select one or more:

Alarms Log

Data Filtering Log 

Traffic Log 

Threat Log

7. Which two statements are true regarding User-ID and firewall configuration?

Choose the 2 correct choices.

If you choose an incorrect choice your question score will be deducted

Select one or more:

The USER-ID agent must be installed on the domain controller

Communication between the firewall and USER-ID agent is sent over an encrypted SSL connection

NETBIOS is the only client-probing method supported by the USER-ID agent

The firewall needs to have information for every USER-ID agent to which it will connect

8. For the Palo Alto Networks Next Generation Firewall to access a Global Catalog server, LDAP must be set to communicate with which port?

Select one:

a. 3268

b. 636

c. 443

d. 389

9. In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?

Select one:

a. One 

b. Three 

c. Two 

d. Four or five

10. In a Next Generation Firewall, what is not considered part of the 6 flow lookup tuples performed on a packet?

Select one:

a. Source and destination IP addresses

b. Layer2 and loopback address

c. Protocol and security zone

d. Source and destination ports

11. In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?

Select one:

a. 30 Minutes

b. 5 Minutes

c. 1 Hour

d. 15 Minutes

12. In the Palo Alto Networks Firewall WebUI, which type of report can be compiled into a single emailed PDF?

Select one:

a. Botnet

b. Predefined

c. Group

d. PDF Summary

13. Through which type of attack does a hacker assume your identity to intercept and read messages?

Select one:

a. Compromised Key

b. Application Layer

c. Man-In-The-Middle

d. Data Modification

14. Which of the following services are enabled on the Next Generation firewall MGT interface by default?

Select one or more:

a. Telnet

b. HTTPS

c. HTTP

d. SSH

15. On a Palo Alto Networks Firewall, what is the maximum number of IPsec tunnels that can be associated with a tunnel interface?

Select one:

a. 5

b. 10

c. 7

d. 2

16. On the Next Generation firewall, what type of security profile detects infected files being transferred with the application?

Select one:

a. URL Filtering

b. Anti-Virus

c. WildFire Analysis

d. File Blocking

e. Vulnerability Protection

17. In a Next Generation Firewall, what is not considered part of the 6 flow lookup tuples performed on a packet?

Select one:

a. Source and destination ports

b. Protocol and security zone

c. Source and destination IP addresses

d. Layer2 and loopback address

18. Which statement about the predefined reports is not correct?

Select one:

a. They are grouped in 5 categories

b. They are emailed daily to users

c. There are more than 40 predefined reports

d. They are generated daily by default

19. What action will show whether a downloaded PDF file from a user has been blocked by a security profile on the Next Generation firewall?

Select one:

a. Filter the data filtering logs for the user's traffic and the name of the PDF file

b. Filter the traffic logs for all traffic from the user that resulted in a deny action

c. Filter the session browser for all sessions from a user with the application adobe

d. Filter the system log for failed download messages

20. Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall?

Select one or more:

a. User Identification (User-ID)

b. Threat Identification (Threat-ID)

c. Group Identification (Group-ID)

d. Content Identification (Content-ID)

e. Application Identification (App-ID)

21. Which item is not a valid choice when the Source User field is configured in a Security policy rule?

Select one:

a. any

b. unknown

c. known-user

d. all

22. Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?

Select one:

a. The server public IP

b. The firewall gateway IP

c. The firewall Management port IP

d. The server private IP

23. A "continue" action can be configured on the following security profiles in the Next Generation firewall:

Select one:

a. URL Filtering and File Blocking

b. URL Filtering

c. URL Filtering and Antivirus

d. URL Filtering, File Blocking, and Data Filtering

24. What options are available for selecting users for a security policy on the Next Generation firewall?

Select one or more:

a. Known-user

b. Unknown-user

c. Pre-logon

d. Unselect-user

25. What component of the Next Generation Firewall will protect from port scans?

Select one:

a. DOS Protection

b. Zone protection

c. Vulnerability protection

d. Anti-Virus Protection

26. What mechanism on a Next Generation firewall is used to trigger a High Availability failover if the interface goes down?

Select one:

a. Heartbeat polling

b. Preemption

c. Link monitoring

d. SNMP polling

27. What mechanism on a Next Generation firewall is used to trigger a High Availability failover if the interface goes down?

Select one:

a. Preemption

b. Heartbeat polling

c. SNMP polling

d. Link monitoring

28. What Next Generation firewall virtual platform is specifically meant for use with VMware NSX?

Select one:

a. VM-200

b. VM-1000

c. VM-100

d. VM-300

29. What type of interface allows the Next Generation firewall to provide switching between two or more networks?

Select one:

a. Layer2

b. Tap

c. Virtual Wire

d. Layer3

30. Which command will reset a next generation firewall to its factory default settings if you know the admin account password?

Select one:

a. reset system settings

b. request system private-data-reset

c. reset startup-config 

d. reload

31. Which Palo Alto Networks Next Generation Firewall URL Category Action sends a response page to the user’s browser that prompts the user for the administrator-defined override password, and logs the action to the URL Filtering log?

Select one:

a. block

b. override

c. alert

d. continue

32. Which phase of the Internet Key Exchange (IKE) is concerned with authenticating the endpoints?

Select one:

a. Phase 1

b. Phase 4

c. Phase 3

d. Phase 2

33. Which routing protocol is supported in the Next Generation firewall platform?

Select one:

a. RSTP

b. BGP

c. RIPV1

d. ISIS

34. Which type of social engineering attack involves hackers who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find? These attackers offer IT assistance to each and every one of their victims. 

Select one:

a. Phishing

b. Quid Pro Quo

c. Baiting

d. Pretexting

35. Which URL filtering security profile action logs the category to the URL filtering log?

Select one:

a. Log

b. Default

c. Alert

d. Allow

36. Which WildFire verdict indicates no security threat but might display obtrusive behavior?

Select one:

a. Phishing

b. Malware

c. Benign

d. Grayware

37. Which two firewall features display information using widgets? 

Choose the 2 correct choices.

If you choose an incorrect choice your question score will be deducted

Select one or more:

a. ACC

b. Botnet report

c. Dashboard

d. Traffic log

 

38. True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.

39. True or false? A URL Filtering license is not required to define and use custom URL categories.

 

40. True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.

41. The Office of Management and Budget (OMB) defines Personally Identifiable Information (PII) as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

 

True 

The correct answer is 'True'.

42. True or false? A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to “allow.”

 

 
