Palo Alto

A ______ ____ blocks other admins from committing the candidate configuration, whereas a _________ ____ blocks other admins from changing the candidate configuration.

A [Commit Lock] blocks other admins from committing the candidate configuration, whereas a [Config Lock] blocks other admins from changing the candidate configuration.

Configuration changes made but not committed are stored in the: Select one: a. Candidate Config b. Snapshot Config c. Running Config d. Version config

Candidate Config

A Zone Protection Profile is applied to egress traffic. Select one: True False

False

A session can consist of only 1 flow, either Client to Server or Server to Client but not both. Select one: True False

False

Administrator created rules must be placed between the Intrazone-Default rule and the Interzone-Default rule. Select one: True False

False

All of the interfaces on a Next Generation firewall must be of the same interface type. Select one: True False

False

By default, for blocked web-based applications a response page is displayed in the user's browser.

False

Destination NAT changes a private address and its source port into a public address and new source port for packets leaving your network. Select one: True False

False

For security purposes, Palo Alto Networks firewalls must have logging turned on for all security rules. Select one: True False

False

On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.

False

The strength of the Palo Alto Networks firewall is its Multi-Pass Parallel Processing (MP3) engine.

False

Traditional firewalls identify applications using packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. Select one: True False

False

True or False, An interface can be assigned to multiple zones. Select one: True False

False

True or False, Tap interfaces do not need to be assigned to a zone. Select one: True False

False

Which of the following is not a zone type on the Next Generation firewall? Select one: a. Tap b. Virtual Wire c. Internal d. Layer3 e. Layer2

Internal

Which NGFW security policy rule applies to all matching traffic within the specified source zones? Select one: a. Intrazone b. Universal c. Default d. Interzone

Intra-zone

Match each rule type with the appropriate definition (Intrazone, Interzone, Universal) This type of rule applies to all matching traffic only if the traffic is going from and to the same zone. This type of rule applies to all matching traffic only if the traffic is going between two different zones. This type of rule applies to all matching traffic going to and from either the same zone or different zone.

Intra-zone Inter-zone Universal

Select the implicit rules on the Next Generation firewall that are applied to traffic that fails to match any administrator defined security policies. Select one or more: a. Inter-zone traffic is allowed b. Inter-zone traffic is denied c. Intra-zone traffic is denied d. Intra-zone traffic is allowed

Intra-zone traffic is allowed Inter-zone traffic is denied

Which interface is used to access external services (such as the update servers) by default? Select one: a. MGMT b. None, one must be assigned during the initial setup c. Ethernet1/1 d. Console

MGMT

Match the definition with the appropriate security policy rule Action: Sends TCP reset to the traffic initiator device Blocks traffic and does not send a TCP reset The default action Blocks traffic, and usually sends a TCP reset

Reset Client Drop Allow Deny

Match the definition with the appropriate security policy rule Action: (Reset Client, Reset Server, Drop, Deny, Allow) Sends TCP reset to the traffic initiator device Blocks traffic and does not send a TCP reset Blocks traffic, and usually sends a TCP reset The default action.

Reset Client Drop Deny Allow

Match the statement with the appropriate NAT type. Commonly used for private (internal) users to access the public internet (outbound traffic). Used to provide hosts on the public (external) network access to private (internal) servers.

Source NAT Destination NAT

Which three statements are true regarding the candidate configuration? (Choose three.) Select one or more: a. Choosing Commit updates the running configuration with the contents of the candidate configuration. b. You can revert the candidate configuration to the running configuration c. You can roll back the candidate configuration by pressing the Undo button d. Clicking Save creates a copy of the current candidate configuration

The correct answers are: You can revert the candidate configuration to the running configuration, Clicking Save creates a copy of the current candidate configuration, Choosing Commit updates the running configuration with the contents of the candidate configuration.

A major issue with perimeter security at both the ingress and egress points on the network is the false assumption that the internal network traffic taking place within the internal network can be trusted. Select one: True False

True

During the lifetime of a session the application can change. Select one: True False

True

In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic. Select one: True False

True

In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers. Select one: True False

True

Multiple administrator accounts can be configured on a single Next Generation firewall. Select one: True False

True

On the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released. Select one: True False

True

On the Next Generation firewall, if there is a NAT policy - there must also be a security policy. Select one: True False

True

Palo Alto Networks next generation firewalls detect known and unknown threats, including those within encrypted traffic, using intelligence generated across many thousands of customer deployments.

True

Policy rules may be enforced on only specific days and time periods. Select one: True False

True

Service objects are used to limit ports that applications can use. Select one: True False

True

The Interzone-default and the Intrazone-default rules can be modified. Select one: True False

True

The Revert command overwrites the current candidate configuration file with a copy of the running config file. Select one: True False

True

Traffic matching against the Security policy does not include traffic originating from the management interface of the firewall. Select one: True False

True

True or False, multiple interfaces on the firewall can be assigned to the same zone. Select one: True False

True

True or False. Traffic from external networks (such as the internet) flowing to an internal host (such as a web server) is commonly referred to as "North-South" traffic.

True

Which of the following apply to virtual systems (vsys)? Select one or more: a. A vsys consists of a set of physical and logical interfaces and subinterfaces, virtual routers, and security zones b. Vsys are supported on both physical and virtual appliances c. A vsys allows multiple customers or departments to share a physical firewall as though they each had their own private firewall. d. a virtual system (vsys) is typically used to divide a physical firewall into multiple virtual firewalls.

a. A vsys consists of a set of physical and logical interfaces and subinterfaces, virtual routers, and security zones c. A vsys allows multiple customers or departments to share a physical firewall as though they each had their own private firewall. d. a virtual system (vsys) is typically used to divide a physical firewall into multiple virtual firewalls.

Which four items are possible network traffic match criteria in a Security policy on a Palo Alto Networks firewall? Select one or more: a. Application b. Destination Zone c. Port Number d. Source Zone e. Destination User

a. Application b. Destination Zone c. Port Number d. Source Zone

Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall? Select one or more: a. Application Identification (App-ID) b. Group Identification (Group-ID) c. Threat Identification (Threat-ID) d. Content Identification (Content-ID) e. User Identification (User-ID)

a. Application Identification (App-ID) d. Content Identification (Content-ID) e. User Identification (User-ID)

What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application? Select one: a. Application-default b. Application-custom c. Application-dependent d. Application-implicit

a. Application-default

What is the minimum information that has to be provided when creating a new security policy rule? (Select all that apply) Select one or more: a. Destination Zone b. Rule Name c. Source Zone d. App-ID e. Source IP Address f. User Name g. Destination IP Address

a. Destination Zone b. Rule Name c. Source Zone

In which stage of the Cyber Attack Lifecycle model do attackers gain access "inside" an organization and activate attack code on the victim's host and ultimately take control of the target machine? Select one: a. Exploitation b. Command and Control c. Weaponization and Delivery d. Reconnaissance

a. Exploitation

Which of the following statements regarding Address objects that use FQDNs are true? Select one or more: a. FQDNs are ideal when wanting to reference a public server on the internet whose IP address may change over time. b. Resolved FQDNs are refreshed after their DNS time-to-live value has expired. c. FQDNs must be manually resolved by the administrator prior to committing the candidate config file. d. The FQDNs are resolved by the firewall

a. FQDNs are ideal when wanting to reference a public server on the internet whose IP address may change over time. b. Resolved FQDNs are refreshed after their DNS time-to-live value has expired. d. The FQDNs are resolved by the firewall

What two interface types on the Next Generation firewall provide support for Network Address Translation? Select one or more: a. Layer 3 b. Virtual Wire c. Tap d. Layer2 e. HA

a. Layer 3 b. Virtual Wire

What are two options for resetting a Palo Alto Networks firewall to factory configuration? Select one or more: a. Logged in as admin, at the CLI prompt enter: request system private-data-reset b. From WebUI, navigate to device->setup, click on commands tab, click on: Perform Factory Reset, Accept warning. c. From the console port, type maint during bootup, choose: Reset to Factory Default d. Logged in as admin, at the CLI prompt enter: request system factory-default-reset

a. Logged in as admin, at the CLI prompt enter: request system private-data-reset c. From the console port, type maint during bootup, choose: Reset to Factory Default

Which of the following are true of security policy rules? Select one or more: a. Rules in the policy are evaluated from top to bottom b. Rules in the policy are evaluated from bottom to top c. Further rules are not evaluated after a rule match d. Further rules are evaluated after a rule match in case a better match is found

a. Rules in the policy are evaluated from top to bottom c. Further rules are not evaluated after a rule match

Which of the following processes are performed on the Data Plane? (Choose 3) Select one or more: a. Security Processing b. Signature Matching c. Network Processing d. Log and Report Processing

a. Security Processing b. Signature Matching c. Network Processing

What are some of the major differences between a VM-50 firewall and a VM-700 firewall? Select one or more: a. The VM-700 offers approximately 80 times the firewall throughput as the VM-50 b. The VM-50 offers double the amount of sessions per second as the VM-700 c. The Threat prevention throughput of the VM-700 is approximately 80 times the firewall throughput as the VM-50 d. The physical size of the VM-50 firewall is less than 1/2 that of the VM-700

a. The VM-700 offers approximately 80 times the firewall throughput as the VM-50 c. The Threat prevention throughput of the VM-700 is approximately 80 times the firewall throughput as the VM-50

Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign on the network topology? Select one: a. Virtual Wire b. Layer 3 c. Layer 2 d. Tap

a. Virtual Wire

Which of the following are ways of accessing firewall management? Select one or more: a. Web Interface b. SSH/Console CLI c. Rest XML API d. GlobalProtect Client Application e. Panorama

a. Web Interface b. SSH/Console CLI c. Rest XML API e. Panorama

Which of the following offers protection against most common floods, reconnaissance attacks, other packet-based attacks, and the use of non-IP protocols? Select one: a. Zone Protection Profiles b. GlobalProtect Policies c. Wildfire Profiles d. App-ID Profiles

a. Zone Protection Profiles

What is the name of the file that is created when an administrator uses the Save Candidate Configuration option? Select one: a. .savefile.xml b. .snapshot.xml c. .candidate.xml d. Whatever the administrator wants as long as there are no spaces in the name.

b. .snapshot.xml

What is the default IP address for the Management interface on a new Palo Alto Networks physical firewall appliance? Select one: a. 172.16.0.1/28 b. 192.168.1.1/24 c. There isn't one since the IP address is assigned by DHCP d. 10.1.1.1/16

b. 192.168.1.1/24

Which of the following are key components of App-ID? Select one or more: a. Requires a subscription b. Always On c. Enables organizations to establish policies to manage application usage based on users and devices d. NGFW Foundational Element e. Identifies application traffic, regardless of port number

b. Always On c. Enables organizations to establish policies to manage application usage based on users and devices d. NGFW Foundational Element e. Identifies application traffic, regardless of port number

What Palo Alto Networks technology makes it difficult for evasive applications (such as bittorrent) to pass through the firewall using the ports intended for applications that are allowed to pass through the firewall? Select one: a. Content-ID b. App-ID c. IPS d. Anti-Spyware

b. App-ID

Which of the following is an object that dynamically groups applications based on application attributes that you select from the App-ID database? Select one: a. Custom Application b. Application Filter c. Application Dependency d. Application Group

b. Application Filter

Configuration, Logging, and report functions are performed on the: Select one: a. Signature Plane b. Control Plane (Management) c. Network Plane d. Data Plane

b. Control Plane (Management)

Which of the following is not a zone type on the Next Generation firewall? Select one: a. Layer2 b. Internal c. Layer3 d. Tap e. Virtual Wire

b. Internal

Which of the following are true of security policy rules? Select one or more: a. Rules in the policy are evaluated from bottom to top b. Rules in the policy are evaluated from top to bottom c. Further rules are not evaluated after a rule match d. Further rules are evaluated after a rule match in case a better match is found

b. Rules in the policy are evaluated from top to bottom c. Further rules are not evaluated after a rule match

When setting up a NAT rule that will allow internal clients access to the internet, what should be configured as the Destination Zone on the Original Packet tab of the NAT Policy rule? Select one: a. The Internal Zone b. The Internet Zone c. None d. Any

b. The Internet Zone

What are the four major technologies Palo Alto Networks App-ID uses to help identify applications? Select one or more: a. Content-ID Signature Match b. Unknown protocol decoder c. Known protocol decoders d. Application signatures e. Protocol decryption

b. Unknown protocol decoder c. Known protocol decoders d. Application signatures e. Protocol decryption

Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems? Select one: a. Custom role b. deviceadmin c. superuser d. vsysadmin

b. deviceadmin

Which built-in role on the Next Generation firewall is the same as superuser except for creation of administrative accounts? Select one: a. vsysadmin b. deviceadmin c. devicereader d. sysadmin

b. deviceadmin

What is the minimum number of physical interfaces that Tap mode uses? Select one: a. 5 b. 3 c. 1 d. 2 e. 4

c. 1

The export command allows you to save which of the following files off of the firewall? Select one: a. Running configuration b. Candidate configuration c. A saved configuration snapshot d. Log Files

c. A saved configuration snapshot

Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule on the Next Generation firewall? Select one: a. Static IP b. Dynamic IP c. Dynamic IP and Port d. Bi-Directional

c. Dynamic IP and Port

Using the PAN-OS WebUI Annette has made substantial changes but is not ready to commit them. How can she prevent those changes from being lost if the firewall is shut down? Select one: a. She does not need to do anything. Her changes are written to the Running configuration file and will survive reboot. b. She needs to use the "Export Configuration Version" c. She should use the "Save Named Configuration Snapshot" option d. She does not need to do anything. Her changes are written to the Candidate configuration file and will survive reboot.

c. She should use the "Save Named Configuration Snapshot" option

While creating a new security rule you notice that the Usage tab does not appear. Why not? Select one: a. You need to turn on the Usage option by selecting: view menu->options->Enable Usage b. The usage tab will not appear unless the full management license has been purchased c. The Usage tab will not be available until after the rule has been created. d. You need to turn on the Usage option by selecting: Options->View Menu->Enable Usage

c. The Usage tab will not be available until after the rule has been created.

Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the Security policy use as the destination IP in order to allow traffic to the server? Select one: a. The firewall Management port IP b. The server private IP c. The server public IP d. The firewall gateway IP

c. The server public IP

These are created and assigned to a Security policy rule when the rule is created. They help to provide a complete audit trail that captures the entire operational history of a rule. Select one: a. CPUIDs b. Rule Names c. UUIDs d. Descriptive IDs e. Rule Numbers

c. UUIDs

Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall? Select one or more: a. Threat Identification (Threat-ID) b. Group Identification (Group-ID) c. User Identification (User-ID) d. Application Identification (App-ID) e. Content Identification (Content-ID)

c. User Identification (User-ID) d. Application Identification (App-ID) e. Content Identification (Content-ID)

Palo Alto Networks next generation firewalls are available as cloud delivered services and in which two other formats? Select one or more: a. Wildfire Appliances b. Container Appliances c. Virtual Appliances d. Physical Appliances

c. Virtual Appliances d. Physical Appliances

Which of the following statements are true regarding tags? Select one or more: a. Tags are used to determine membership in a Static Address Group. b. You can only assign one tag per object. c. With PAN-OS 9.0 (and above) you can require that all policy rules have tags assigned to them. d. Tags are used to determine membership in a Dynamic Address Group.

c. With PAN-OS 9.0 (and above) you can require that all policy rules have tags assigned to them. d. Tags are used to determine membership in a Dynamic Address Group.

Configuration, Logging, and report functions are performed on the: Select one: a. Network Plane b. Data Plane c. Signature Plane d. Control Plane (Management)

d. Control Plane (Management)

What would be required to update PAN-OS from version 9.0.0 to 9.1.6? Select one: a. Download and install all of the following: PAN-OS 9.0.0, 9.1.0, 9.1.6 b. Download all versions found between Pan-OS 9.0.0 and Pan-OS 9.1.6 and install only PAN-OS 9.1.6 c. Download and install version 9.1.6 only d. Download both base version 9.1.0 and version 9.1.6 to the firewall but only install version 9.1.6

d. Download both base version 9.1.0 and version 9.1.6 to the firewall but only install version 9.1.6

Which of the following statements are true regarding Interzone traffic processing on the firewall? Select one: a. If you don't make a rule to Allow the traffic, the firewall by default will deny it. b. Interzone Traffic is never processed by the firewall. c. If you don't make a rule to block the traffic, the firewall by default will allow it. d. If you don't make a rule to Allow the traffic, the firewall by default will drop it.

d. If you don't make a rule to Allow the traffic, the firewall by default will drop it.

Which of the following statements are true regarding Intrazone Traffic attempting to pass through the firewall? Select one: a. If you don't make a rule to Allow the traffic, the firewall by default will deny it. b. If you don't make a rule to Allow the traffic, the firewall by default will drop it. c. Intrazone Traffic is never processed by the firewall. d. If you don't make a rule to block the traffic, the firewall by default will allow it.

d. If you don't make a rule to block the traffic, the firewall by default will allow it.

On the application detail page, what shows additional applications that an application requires, although the firewall will support these applications without the need for a policy created to allow them? Select one: a. Explicitly Uses b. Characteristics c. Container d. Implicitly Uses

d. Implicitly Uses

Which of the following is a routing protocol supported in a Next Generation firewall? Select one: a. IGRP b. ISIS c. EIGRP d. RIPV2

d. RIPV2

Which of the following is a routing protocol supported in a Next Generation firewall? Select one: a. ISIS b. IGRP c. EIGRP d. RIPV2

d. RIPV2

Using the scheduling option a security policy rule has been created to allow FTP file transfers between the hours of 1:00 pm and 4:00 pm. A large file download via FTP is initiated at 3:59pm and does not complete before 4:00 pm. What is the result? Select one: a. The existing FTP session would be paused and the transfer would be allowed to complete at 1:00pm the next day. b. The original transfer would not be allowed to begin since the file size would make completion before the 4:00 pm deadline not possible. c. The existing FTP session would be blocked and the transfer would not be allowed to complete. d. The existing FTP session would not be blocked and the transfer would be allowed to complete.

d. The existing FTP session would not be blocked and the transfer would be allowed to complete.

When creating an application filter, which of the following is true? Select one: a. Future applications that meet the match criteria of the filter will have to be manually added b. They are called dynamic because they automatically adapt to new IP addresses c. Individual viruses may be used as a filter match criteria d. They are dynamic because they will automatically include new applications from an application signature update if the new application's type matches the filter

d. They are dynamic because they will automatically include new applications from an application signature update if the new application's type matches the filter

Which command will reset a next generation firewall to its factory default settings if you know the admin account password? Select one: a. reload b. reset system settings c. reset startup-config d. request system private-data-reset

d. request system private-data-reset

How many physical interfaces does an active vWire require? Select one: a. 5 b. 4 c. 3 d. 1 e. 2

e. 2

Which of the following Palo Alto Networks Security Operating Platform components provides centralized management and reporting? Select one: a. Aperture b. GlobalProtect c. AutoFocus d. MineMeld e. Panorama

e. Panorama

