Palo Alto PCNSE NGFW Questions

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Sharing of on-prem Active Directory (AD) groups to other branches via the Cloud offers which two benefits? (Choose two.) A. Enables customers to download groups and users from their on-prem AD to other branches via cloud. B. Removes the complexity of managing multiple connections to AD. C. Allows for setup and configuration to be done in hours. D. Allows other vendors write access into AD via the Cloud Identity Engine.

AB

The components of the Cloud Identity Engine deployment vary based on which two of the following factors? (Choose two.) A. whether the Cloud Identity Engine is accessing an on-premises directory (Active Directory) B. whether the Cloud Identity Engine is accessing a cloud-based directory (Azure Active Directory) C. whether the number of IdPs exceeds 100 D. whether the number of user groups exceeds 10,000

AB

To set up the Cloud Identity Engine, which two required tasks will you need to perform? (Choose two.) A. Log in to the Cloud Identity Engine app on the hub to generate a certificate to authenticate the agent and the Cloud Identity Engine. B. Associate the Cloud Identity Engine with Palo Alto Networks apps to select which apps can use your directory information. C. Restart PAN-OS to force a reboot. D. Register your cloud-identity security service with the technical assistance center (TAC).

AB

What are two benefits of tagging? (Choose two.) A. filtering views B. grouping rules C. filtering actions D. report grouping

AB

What are two challenges that administrators commonly run into during the upgrade process? A. too many steps B. not enough time C. too many active users D. not enough administrators

AB

Which two actions do you need to perform to use the Cloud Identity Engine with an on-premises Active Directory? (Choose two.) A. Install the Cloud Identity agent on a Windows server (the agent host) and configure it to connect to your Active Directory and the Cloud Identity Engine. B. Access the Cloud Identity Engine app on the hub so you can manage your Cloud Identity Engine instances and Cloud Identity agents. C. Map your user IP addresses to user groups. D. Set your system clock to the GMT time zone.

AB

Which two activities are part of the cyberattack lifecycle reconnaissance stage? (Choose two.) A. port scans B. social engineering C. RAT installation D. establish C2

AB

Which two firewall features display information using widgets? (Choose two.) A. Dashboard B. ACC C. botnet report D. Traffic log

AB

Which two of the following statements about the Cloud Identity Engine are true? (Choose two.) A. It simplifies Zero Trust with easy-to-deploy user identity and access across all locations. B. It is a cloud-native identity synchronization and authentication service—providing a single secure user identity across Palo Alto Networks on-prem and cloud product lines. C. It authenticates and authorizes all users and computers in a Windows domain type network. D. It is a secure identity cloud that links all your apps, logins, and devices into a unified digital fabric.

AB

Logs can be forwarded to which three external storage locations? (Choose three.) A. Panorama B. syslog C. email server D. SFTP server E. cloud server

ABC

The Palo Alto Networks Cybersecurity Portfolio focuses on which three principle technologies? (Choose three.) A. securing the cloud B. securing operations response C. securing third-party application access D. securing the enterprise E. securing the internet of things

ABD

What are three available options in the AAC by default to enable administrators to perform deep traffic and network analysis? (Choose three.) A. Networks B. Threat C. Restricted D. Tunnel E. IPsec VPN

ABD

What are three benefits of Aggregate Ethernet? (Choose three.) A. redundancy B. increased bandwidth C. reduced packet loss D. load balancing E. mixing of interface types

ABD

Which three of the following are challenges enterprises face in verifying users and enforcing identity-based security? (Choose three.) A. Fragmentation of identities, and difficulty in ensuring consistent application of identity-based security controls, has created a significant barrier to adopting Zero Trust. B. Setting up on-prem IdPs provides the necessary network security capabilities to achieve Zero Trust. C. Integration of APIs for end-user authentication through authentication policies. D. Configuring, maintaining, and synchronizing network security with multiple IdPs can be time-consuming and resource-intensive. E. Adding administrative users and configuring network access lists.

ABD

In IKE Phase 1, which three mode settings are available? (Choose three.) A. auto B. main C. passive D. network E. aggressive

ABE

Which two items are encrypted using the firewall master key? (Choose two.) A. local user passwords B. public key C. private key D. digital certificates

AC

Dynamic Address Group and dynamic user group creation involves which three common steps? (Choose three.) A. creation of a tag B. assignment of a tag in the Log Forwarding Profile C. use of the User-ID feature D. application on Security policies E. assignment of a Security Profile

ACD

Security Profiles and Content-ID offer protection from which three threat categories? (Choose three.) A. Payload B. Sinkhole C. IP-based D. DNS-based E. URL

ACD

Which three new PA-Series platforms are designed for the branch office? (Choose three.) A. PA-440 B. PA-4550 C. PA-460 D. PA-450 E. PA-5450

ACD

Which three statements about the automated correlation engine are correct? (Choose three.) A. It uses correlation objects as input. B. It is available only in Panorama. C. It detects possible infected hosts. D. It outputs correlation events. E. It requires Cortex Data Lake.

ACD

What are three benefits that customers receive with the Cloud Identity Engine? (Choose three.) A. Enable identity across the infrastructure. Configure once and CIE pulls incremental directory information automatically on consistent intervals. No additional changes required for additional IdPs (authentication). B. Guarantee compliance to all legal and regulatory requirements, thus reducing the auditing strain incurred on other departments within the organization. C. It is maintenance-free - No need to make changes on your infrastructure as identity providers make changes. All changes by identity providers, e.g., any updates by identity providers or changes in authentication protocols of directories do not require additional configuration on each firewall, management, endpoints. D. Easily identify and verify all IP addresses across the infrastructure and achieve Zero Trust. E. With minimal effort, enable and secure identity irrespective of whether they are using on-prem, cloud hybrid, or multicloud identity sources (IdPs).

ACE

Which three items are valid choices when the Source User field is configured in a Security policy rule? (Choose three.) A. unknown B. none C. known-user D. all E. any

ACE

When creating a custom admin role, which four types of privileges can be defined? (Choose four.) A. Command Line B. Panorama C. XML API D. Java API E. REST API F. WebUI

ACEF

Which two Palo Alto Networks subscriptions services are required for IoT security? (Choose two.) A. Cortex Data Lake B. Cortex XDR C. Device Security D. IoT Security

AD

Which three statements about the predefined reports are correct? (Choose three.) A. They are generated daily by default. B. They are emailed daily to users. C. They are customizable. D. There are more than 40 predefined reports. E. They are grouped in five categories.

ADE

All firewall platforms running PAN-OS 10.0 support enforcement of IoT Security policy. A. true B. false

B

At which location do you access the online BPA tool? A. Palo Alto Networks homepage B. Customer Support Portal C. LIVEcommunity D. Tech Support

B

From which device should you begin to troubleshoot IPsec VPN connection issues? A. initiator B. responder C. network sniffer D. router

B

Palo Alto Networks was the first next-generation firewall vendor to enable identity-based security by A. referencing users' IP addresses. B. leveraging user-based policies. C. blocking abnormal user behavior. D. using group information to grant individual permissions.

B

True or False? The predefined log format cannot be changed for both syslog and email server forwarding. A. true B. false

B

True or false? DoS Protection policy is applied to session traffic before a Zone Protection Profile. A. true B. false

B

True or false? Palo Alto Networks recommends the software to be upgraded to the latest release. A. True B. False

B

What is the application database that Palo Alto Networks uses along with App-ID to identify applications? A. appid.com B. applipedia.com C. cyberpedia.com D. SaaS-apps.com

B

What is the authentication component of the Cloud Identity Engine? A. OKTA B. SAML C. Azure D. Active Directory

B

What is the name of a tool that creates highly available and customizable attacks? A. Cobalt Attack B. Cobalt Strike C. Cobalt Threats D. Cobalt C2 Toolkit

B

What is used on each side of a tunnel to identify the traffic that will be sent across the tunnel? A. peer list B. proxy ID C. tunnel ID D. tunnel interface

B

What percentage of malware campaigns are expected to use some type of encryption? A. 60 percent B. 70 percent C. 85 percent D. 95 percent

B

When were dependency checks performed in previous versions of PAN-OS? A. before installation B. after installation C. during installation D. beginning of installation

B

Which IPsec protocol negotiates the password algorithm? A. Authentication Header B. Internet Key Exchange C. Diffie-Hellman Exchange D. Encapsulation Security Payload

B

Which ML-Powered NGFW is optimized to meet the requirements for distributed enterprise branch offices? A. PA-220 B. PA-400 C. PA-3200 D. PA-5450

B

Which phase of the migration process would you use to add application-based rules above the corresponding port-based rules? A. Phase 1 B. Phase 2 C. Phase 3 D. Phase 4

B

Which profile specifies protocols and algorithms for identification, authentication, and encryption for Phase 2? A. IKE Crypto B. IPsec Crypto C. IKE Gateway D. IPsec Tunnel

B

Which protection method can be used to mitigate single-session DoS attacks? A. DoS Protection policy B. packet buffer protection C. Zone Protection Profile D. DoS Protection Profile

B

Which protocol offers improved security, performance, and privacy benefits over the previous versions? A. TLS 1.2 B. TLS 1.3 C. SSL 3.0 D. PCT 1.0

B

Which tool enables you to migrate existing rules from a legacy firewall to a Palo Alto Networks Next-Generation Firewall? A. Policy Optimizer B. Expedition C. Best Practice Assessment D. IronSkillet

B

A policy rule recommendation first must be activated in the IoT Security app before it can be imported into the firewall. A. true B. false

A

Advanced URL Filtering uses which existing configuration setting? A. URL filtering B. Malicious DB C. WildFire D. URL-ID

A

The Cloud Identity Engine allows you to write Security policy based on which two things? A. users and groups B. users and privileges C. domain and access D. priority and level

A

To authenticate users, what do Google, Azure and Okta need configured in the Cloud Identity Engine? A. a SAML 2.0-based identity provider (IdP) B. an on-prem Active Directory C. Security policies D. user-to-IP mappings

A

True or False: Extra consideration should be given when determining whether to enable logging. A. True B. False

A

True or False: The Best Practice Assessment Tool output sometimes will suggest actions that are irrelevant or may prove to have detrimental consequences. A. True B. False

A

True or false: IKE Phase 1 is concerned with authenticating the endpoints; IKE Phase 2 is concerned with data traffic that crosses the tunnel. A. True B. False

A

True or false: The Palo Alto Networks firewall sets up a route-based VPN for which the firewall makes a routing decision based on the destination IP address. A. True B. False

A

True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses. A. true B. false

A

True or false? Authentication policy enables you to authenticate end users before they can access services and applications. A. true B. false

A

True or false? Identity providers (IdPs) are typically cloud-hosted services and often operate with single sign-on (SSO) providers to authenticate users. A. true B. false

A

True or false? When you create a static route for the VPN, no next hop IP address is required. A. true B. false

A

True or false? You do not need to install or configure a Cloud Identity agent to collect attributes from a cloud-based directory. A. True B. False

A

What is required to enable Network Packet Broker? A. SSL Forward Proxy decryption B. WildFire subscription C. proxy disabled D. forward encryption enabled

A

What triggers Security policy rule match in the Policy Optimizer's No App Specified window? A. "any" in the Application column B. "Allow" in the Action column C. "unknown" in the Application column D. "application-default" in the Service column

A

When are brand-new application signatures released by Palo Alto Networks? A. once per month B. as soon as possible C. with each PAN-OS software update D. once per week

A

Which IPsec protocol provides data integrity but not encryption? A. Authentication Header B. Internet Key Exchange C. Diffie-Hellman Exchange D. Encapsulation Security Payload

A

Which Level of Device Classification identifies the industry in which the device operates? A. First Level B. Second Level C. Third Level D. Fourth Level

A

Which VM-Series firewall does NOT currently support Device-ID? A. VM-50 B. VM-100 C. VM-300 D. VM-500

A

Which is not a valid URL filtering action? A. deny B. allow C. continue D. override

A

Which method is available to perform a BPA? A. Expedition Tool B. Customer Support Portal C. Create Support Ticket D. NGFW

A

Which option is a valid URL filtering action? A. allow B. deny C. stop D. forward

A

Which option is a valid Vulnerability action? A. alert B. deny C. return D. inform

A

Which profile specifies protocols and algorithms for identification, authentication, and encryption for Phase 1 negotiations? A. IKE Crypto B. IPsec Crypto C. IKE Gateway D. IPsec Tunnel

A

Which step of the cyberattack lifecycle is used by an attacker to carefully plan their attacks? A. reconnaissance B. weaponization C. delivery D. exploitation

A

Which type of interface is a subinterface? A. logical Layer 3 B. logical Layer 2 C. tap D. VWire

A

Which user mapping method is recommended for a high-security environment? A. GlobalProtect B. Client Probing C. Server Monitoring D. Session Monitoring

A

You should activate your Cortex Data Lake subscription before you activate your IoT subscription. A. true B. false

A

The Cloud Identity Engine allows you to write security policy based on which two of the following? (Choose two.) A. IP addresses B. users C. groups D. IP/port pairs

BC

Which two actions affect all of the widgets in the Application Command Center? (Choose two.) A. setting a local filter B. setting a global filter C. selecting a time range D. setting a global search

BC

Which two protocols does Advanced Threat Prevention use to prevent unknown C2 traffic? (Choose two.) A. known tcp B. SSL C. HTTP D. known udp

BC

Which two types of activities does SSL/TLS decryption by the firewall help to block? (Choose two.) A. protocol-based attacks B. sensitive data exfiltration C. malware introduction D. denial-of-service attacks

BC

Which three of the following are Zero Touch approaches? (Choose three.) A. Microsoft Azure B. Google BeyondCorp C. Gartner CARTA D. Amazon Web Services E. Forrester Zero Trust

BCE

The Cloud Identity Engine empowers organizations to move toward Zero Trust by enabling them to do which two of the following? (Choose two.) A. Consistently authenticate and authorize their users when in central locations. B. Accurately enforce security decisions for all their users at all times, with assured synchronization of all identity-related data in the cloud. C. Accelerate their transition to cloud-based identity, knowing that their network security infrastructure never needs to be updated. D. Save time in deployment and management of identity-based controls on their network security infrastructure.

BD

What are two available methods in which to perform a BPA? (Choose two.) A. Next-Generation Firewall B. online via a web interface portal C. create support ticket D. Expedition tool

BD

Which two protections for DNS Record Attacks were added in Nebula? (Choose two.) A. Domain Squatting B. Wildcard DNS C. Dangling DNS D. CNAME Cloaking

BD

Which two statements are true about tags? (Choose two.) A. Can be used only on Security policies. B. Can be used to filter the ruleset. C. A single tag cannot be used on multiple policies. D. Tag enforcement for the rules can be made mandatory.

BD

At which packet flow stage does the firewall detect and block pre-session reconnaissance and DoS attacks? A. application identification B. content inspection C. ingress D. slowpath

C

At which step of the User-ID roadmap would you employ a IP-to-user mapping strategy? A. Understand your environment B. Identify IP-user mapping strategies for visibility C. Implement user visibility D. Implement identity-based policies

C

Each tunnel interface can support a maximum of how many IPsec tunnels? A. 1 B. 5 C. 10 D. 20

C

Firewall evaluation of the configuration of which object is optional during the external authentication process? A. Authentication Profile B. authentication enforcement object C. Authentication Sequence D. Authentication policy

C

In which firewall configuration component can you use an EDL of type Domain List? A. Antivirus Profile B. Security policy C. Anti-Spyware Profile D. URL Filtering Profile

C

Organizations that have not enabled User-ID for visibility create Security policies based on which of the following? A. port B. protocol C. IP address D. MAC address

C

Palo Alto Networks recommends the default-paloalto-dns signature action be set to: A. alert B. block C. sinkhole D. allow

C

Palo Alto Networks suggests keeping your PAN-OS version within how many minor versions of the major lines? A. one B. two C. three D. four

C

Sinkhole events are recorded in which log? A. URL Filtering B. Data Filtering C. Threat D. WildFire Submissions

C

Traditional App-ID only delivers new applications once per ___________? A. day B. week C. month D. year

C

What could a SOC analyst use to trigger selective actions on the firewall that will be enforced immediately? A. Zero Trust B. identity-based policies C. dynamic user groups D. multi-factor authentication

C

What do phishing sites often rely on before phishing content is served? A. Web crawlers B. URL databases C. user interaction D. evasive techniques

C

What is the maximum character length for gateway and tunnel names? A. 31 B. 52 C. 63 D. 100

C

What is the maximum number of agents that you can add for data redistribution? A. 10 B. 50 C. 100 D. 250

C

What is the maximum number of data processor cards that can be installed in the PA-5450 firewall? A. 2 B. 3 C. 5 D. 6

C

What is the result of performing a firewall Commit operation? A. The saved configuration becomes the loaded configuration. B. The loaded configuration becomes the candidate configuration. C. The candidate configuration becomes the running configuration. D. The candidate configuration becomes the saved configuration.

C

When committing changes to a firewall, what is the result of clicking the Preview Changes link? A. shows any error messages that would appear during a commit B. lists the individual settings for which you are committing changes C. compares the candidate configuration to the running configuration D. displays any unresolved application dependencies

C

When you are configuring domain credential filtering, the User-ID agent should be installed on which type of Active Directory server? A. Global Catalog Server B. PDC Emulator C. read-only domain controller D. Member Server

C

Which categorization takes precedence if there is a verdict mismatch in Advanced URL Filtering? A. first match B. last match C. most severe D. least severe

C

Which feature does not require a valid threat subscription license? A. Anti-Spyware B. Vulnerability Protection C. DoS Protection Profile D. Antivirus

C

Which of the following were authentication challenges faced by customers before the Cloud Identity Engine solution? A. Ping, Okta, AuthO, and SAML were not supported in most environments. B. There was significantly less configuration to firewalls, management, and endpoints. C. Every identity provider had to be added to all firewalls, management, and endpoints. D. Any changes by identity providers needed to be configured on the firewalls.

C

Which option helps the firewall admin to track all rule changes? A. Tag B. Description C. Audit Comment D. Rule Name

C

Which protocol is used by the OpenConfig plugin for configuration management? A. gCON B. gNOI C. gNMI D. gPAN

C

Which protocol is used by the OpenConfig plugin for operational services? A. gPAN B. gNMI C. gNOI D. gRCP

C

Which subscription is required to enable the App-ID Cloud Engine? A. Global Protect gateway B. WildFire C. SaaS Security Inline D. Threat Prevention

C

The Network Packet Broker is supported on which two Palo Alto Networks firewalls? (Choose two.) A. PA-800 B. VM-100 C. VM-300 D. PA-5200

CD

Which two options are true regarding a VPN tunnel interface? (Choose two.) A. The tunnel interface always requires an IP address. B. The interface name "tunnel" can be renamed to anything you want, up to 20 characters in length. C. A tunnel interface is a logical Layer 3 interface. D. The tunnel interface must be added to a Layer 3 security zone.

CD

Which two options can be applied to a Security policy? (Choose two.) A. Zone Protection Profile B. DoS Protection Profile C. Security Profile Group D. Antivirus Profile

CD

How are Security policies defined in the Cloud Identity Engine? A. based on IP addresses​ B. based on mail addresses C. based on MAC addresses​ D. based on users and groups​

D

The Cloud Identity Engine provides Palo Alto Networks apps and services with which type of access to your directory information for user visibility and policy enforcement? A. write B. edit-only C. administrative D. read-only

D

Which ID is the subinterface number analagous to? A. Ethernet ID B. SD-WAN Interface ID C. Ethernet Aggregate ID D. VLAN ID

D

Which IPsec protocol provides both data integrity and encryption? A. Authentication Header B. Internet Key Exchange C. Diffie-Hellman Exchange D. Encapsulation Security Payload

D

Which authentication method is not a local authentication method? A. local user database authentication B. local authentication without a database C. local certificate authority D. local domain authentication

D

True or false? Data Filtering profile packet captures are prohibited unless you configure a data protection password. A. true B. false

A

True or false? Data Loss and Compliance checks stop the loss of sensitive data such as personally identifiable information (PII) and intellectual property (IP). A. True B. False

A

True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware. A. true B. false

A

True or false? Server Profiles define connections that the firewall can make to external servers. A. true B. false

A

True or false? Service routes can be used to configure an in-band port to access external services. A. true B. false

A

True or false? The Antivirus, Anti-Spyware, and Vulnerability Protection profiles use signatures received in content updates to detect malware in allowed traffic. A. true B. false

A

True or false? The IoT Security app approach starts by identifying and classifying the devices in your network. A. True B. False

A

True or false? The SSL forward untrust certificate should not be trusted by the client but should still be a CA certificate. A. true B. false

A

True or false? The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted. A. true B. false

A

True or false? To register a hardware firewall, you will need the firewall's serial number. A. true B. false

A

You can customize the list of logs that are aggregated into the Unified log. A. true B. false

A

True or false? User-ID enables security teams to define policy rules on firewalls to safely enable applications and control access based on users or groups of users. A. True B. False

A

True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy. A. true B. false

A

Which time frame within the decryption rollout is considered the most critical and is the time when you eliminate most problems and move to your user base? A. days 0-30 B. days 30-90 C. days 90-180 D. days 180-240

A

Which tool provides a simple workflow to migrate your legacy or port-based Security policy rulebase to an App-ID-based rulebase? A. Policy Optimizer B. Expedition C. Best Practice Assessment D. IronSkillet

A

n the web interface, what is signified when a text box is highlighted in red? A. The value in the text box is required. B. The value in the text box is controlled by Panorama. C. The value in the text box is optional. D. The value in the text box is an error.

A

True or false? Content-ID inspection is possible for custom application traffic that is identified by an Application Override rule, but only if the custom application's Parent App is based on a non-custom application. A. true B. false

A

True or false? Content-ID inspection is possible for a custom application only if you define a Parent App for the custom application and the Parent App is a non-custom App-ID application. A. true B. false

A

True or false? A best practice is to enable the "sinkhole" action in an Anti-Spyware Profile. A. true B. false

A

True or false? Certificate-based authentication replaces all other forms of either local or external authentication. A. true B. false

A

When you configure to activate Cloud Identity Engine, what required information do you need to provide? (Choose three.) A. Company account B. Name C. Description D. Region E. Zone

ABD

Which three MGT port configuration settings must be configured before you can remotely access the web interface? (Choose three.) A. netmask B. default gateway C. hostname D. DNS server E. IP address

ABE

Which two firewall objects can be configured to forward firewall logs to external destinations? (Choose two.) A. security zone B. network interface C. Security policy rule D. Application Override rule

AC

Which three log files can you add columns to view the metadata for source and destination devices? (Choose three.) A. Traffic B. GlobalProtect C. URL Filtering D. User-ID E. Decryption

ACE

Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which application? A. web-browsing B. ssl C. unknown-udp D. unknown-tcp

B

SNMP GET requests to a firewall return operational statistics, and SNMP SET requests update the firewall configuration. A. true B. false

B

True or false? If OCSP and CRL are configured on a firewall, CRL is consulted first. A. true B. false

B

True or false? The running configuration consists of configuration changes in progress but not active on the firewall. A. true B. false

B

True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database. A. true B. false

B

True or false? You must define a custom signature for a custom application that is identified by an Application Override rule. A. true B. false

B

True or false? You must deploy the Windows-based User-ID agent to collect IP address-to-username mappings from a Windows AD domain controller. A. true B. false

B

Which WildFire verdict might indicate obtrusive behavior but not a security threat? A. Phishing B. Grayware C. Benign D. Malware

B

Which statement is true regarding User-ID and Security policy rules? A. The Source IP and Source User fields cannot be used in the same policy. B. Users can be used in policy rules only if they are known by the firewall. C. The Source User field can match only users, not groups. D. If the user associated with an IP address cannot be determined, all traffic from that address will be dropped.

B

Which typical application use can be a gray area on whether the application should be enabled or blocked? A. sanctioned B. tolerated C. unsanctioned

B

What are the two attributes of the dedicated out-of-band network management port in Palo Alto Networks firewalls? (Choose two.) A. supports only SSH connections B. labeled MGT by default C. requires a static, non-DHCP network configuration D. cannot be configured as a standard traffic port

BD

In which three locations can you configure the firewall to use an EDL? (Choose three.) A. DoS Protection Profile B. URL Filtering Profile C. Antivirus Profile D. Anti-Spyware Profile E. Security policy

BDE

Which item is the name of an object that dynamically identifies and associates applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic? A. application B. application profile C. application filter D. application group

C

Which of the following identifies and prevents corporate computer and internet usage policy violations? A. Threat B. Inside Behavior C. Phishing and Credential Attacks D. Data Loss and Compliance Check

C

Which Level of Device Classification classifies the device based on the vendor and model? A. First Level B. Second Level C. Third Level D. Fourth Level

C

Which firewall configuration component is used to block access to known-bad IP addresses? A. NAT policy B. IP Security Profile C. Security policy D. Vulnerability Protection Profile

C

Which two port numbers would be used when an LDAP Server Profile is configured? (Choose two.) A. 49 B. 1812 C. 636 D. 389

CD

Which two separate firewall planes comprise the PAN-OS architecture? (Choose two.) A. HA plane B. signature processing plane C. data plane D. management (control) plane E. routing plane

CD

Which two statements are true regarding the candidate configuration? (Choose two.) A. It controls the current operation of the firewall. B. It always contains the factory default configuration. C. It contains possible changes to the current configuration. D. It can be reverted to the current configuration.

CD

In a Data Filtering profile, which three types of numbers are included in the predefined patterns? (Choose three.) A. driver's license B. passport C. bank routing D. Social Security E. credit card

CDE

Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription? A. JAR B. APK C. PDF D. EXE

D

Which object cannot be segmented using virtual systems on a firewall? A. network security zone B. data plane interface C. administrative access D. MGT interface

D

Which policy configuration can an administrator enable to allow Cisco VoIP devices to access only the required applications? A. Control the attack surface B. Decrypt based on device C. Track a device across the network D. Allow access based on device identity

D

Which type of protection is provided by both a Zone Protection Profile and a DoS Protection Profile? A. packet-based and protocol-based B. session limits C. reconnaissance D. flood

D

Which two statements are true regarding User-ID and firewall configuration? (Choose two.) A. The User-ID agent must be installed on the domain controller. B. Communications between the firewall and the User-ID agent are sent over an encrypted SSL connection. C. The firewall needs to have information for every User-ID agent to which it will connect. D. NetBIOS is the only client probing method supported by the User-ID agent.

BC

To collect attributes from your Active Directory and synchronize them with the Cloud Identity Engine, which three versions of TLS encryption is supported? (Choose three.) A. TLS 1.0 B. TLS 1.1 C. TLS 1.2 D. TLS 1.3 E. TLS 1.4

BCD

Which three configuration tasks for Device-ID are performed at the firewall? (Choose three.) A. Activate the Cortex Data Lake instance. B. Enable Device-ID per zone. C. Configure a Log Forwarding Profile. D. Enable EALs. E. Activate the IoT Security app.

BCD

Which four secondary authentication vendors are supported by the firewall? (Choose four.) A. Vasco Identikey B. Duo v2 C. Okta Adaptive D. PingID E. RSA SecurID Access

BCDE

Global user authentication is supported by which three authentication services? (Choose three.) A. Certificate B. RADIUS C. SAML D. LDAP E. TACACS+

BCE


Ensembles d'études connexes

Study Questions for Maternal Health Final Exam

View Set

2. Upper Cross Syndrome and Postural Distortions

View Set

Examples of Conduction, Convection, and Radiation

View Set