CISA4370 PALO ALTO

2. Which four options are possible WildFire analysis verdicts? (Choose four.) a. Benign b. Grayware c. Malware d. Phishing e. Spyware

2. a, b, c, d

2. Which two planes are found in Palo Alto Networks single-pass platform architecture? (Choose two.) a. control b. single pass c. data d. parallel processing

2. a, c

2. Which three types of traffic flow across the HA Control link? (Choose three.) a. configuration synchronization b. session synchronization c. heartbeats d. hellos

2. a, c, d

2. True or false? When the firewall is configured to inspect SSL traffic going to an internal server for which the firewall has the private key, it functions as a forward proxy. a. true b. false

2. b (false)

2. Which three statements are true regarding the candidate configuration? (Choose three.) a. You can roll back the candidate configuration by pressing the Undo button. b. You can revert the candidate configuration to the running configuration. c. Clicking Save creates a copy of the current candidate configuration. d. Choosing Commit updates the running configuration with the contents of the candidate configuration.

2. b, c, d

2. The GlobalProtect client is available in which two formats? (Choose two.) a. dmg b. exe c. msi d. pkg

2. b, d

2. Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.) a. FC b. Layer 3 c. FCoE d. Tap e. Virtual Wire

2. b, d, e

2. Which of the three types of Security policy rules that can be created is the default rule type? a. intrazone b. interzone c. universal

2. c

3. Zone Protection Profiles are applied to which item? a. ingress ports b. Security policy rules c. egress ports d. Address Groups

3. a

3. True or false? A Report Group must be sent as a scheduled email. It cannot be downloaded directly. a. true b. false

3. a (true)

3. True or false? Firewall administrator accounts can be individualized for user needs, granting or restricting permissions as appropriate. a. true b. false

3. a (true)

3. True or false? If a GlobalProtect agent fails to establish an IPsec connection, the connection type will fall back to SSL-VPN. a. true b. false

3. a (true)

3. True or false? Intrazone traffic is allowed by default but interzone traffic is blocked by default. a. true b. false

3. a (true)

3. True or false? The strength of the Palo Alto Networks firewall is its Single-Pass Parallel Processing (SP3) engine. a. true b. false

3. a (true)

3. True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures and the PAN-DB database. a. true b. false

3. a (true)

3. What are two methods of certificate revocation? (Choose two.) a. CRL b. OCSP c. IKE d. SSH

3. a, b

3. On a firewall with dedicated HA ports, which option describes the function of the HA2 port? a. Control link b. Data link c. Heartbeat link d. Management link

3. b

3. True or false? The intrazone-default and interzone-default rules cannot be modified. a. true b. false

3. b (false)

3. Which two options are true regarding a VPN tunnel interface? (Choose two.) a. The tunnel interface always requires an IP address. b. A tunnel interface is a logical Layer 3 interface. c. The tunnel interface must be added to a Layer 3 security zone. d. The interface name "tunnel" can be renamed to anything you want, up to 20 characters in length.

3. b, c

3. Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which application? a. unknown-tcp b. unknown-udp c. web-browsing

3. c

4. A SaaS application that you formally approve for use on your network is which type of application? a. sanctioned b. production c. unsanctioned d. service

4. a

4. True or false? A Backup Control link helps prevent split-brain operation in a firewall HA cluster. a. true b. false

4. a (true)

4. True or false? IPsec is a set of protocols used to set up a secure tunnel for the VPN traffic. a. true b. false

4. a (true)

4. True or false? The Antivirus Security Profile defines actions to be taken if an infected file is detected as part of an application. a. true b. false

4. a (true)

4. True or false? When the firewall is configured to decrypt SSL traffic going to external sites, it functions as a forward proxy. a. true b. false

4. a (true)

4. Which three attributes are true regarding a Virtual Wire (vwire) interface? (Choose three.) a. sometimes called a Bump in the Wire or Transparent In-Line b. no support for routing or device management c. supports NAT, Content-ID, and User-ID d. supports SSL Decrypt Inbound traffic only

4. a, b, c

4. Which three statements are true regarding App-ID? (Choose three.) a. It addresses the traffic classification limitations of traditional firewalls. b. It is the Palo Alto Networks traffic classification mechanism. c. It uses multiple identification mechanisms to determine the exact identity of applications traversing the network. d. It still is in the developmental stage and is not yet released.

4. a, b, c

4. Which three statements are true regarding a GlobalProtect Gateway? (Choose three.) a. Provides security enforcement for traffic from GlobalProtect clients. b. Requires a tunnel interface for external clients. c. Tunnel interfaces are optional for internal gateways. d. Authenticates users against a Server Profile.

4. a, b, c

4. Firewall administration can be done using which four interfaces? (Choose four.) a. web interface b. Panorama c. command line interface d. Java API e. XML API

4. a, b, c, e

4. Which three file types can be sent to WildFire without a WildFire license? (Choose three.) a. dll b. exe c. pdf d. scr e. xml

4. a, b, d

4. Which three items are names of valid source NAT translation types? (Choose three.) a. dynamic IP b. dynamic IP/Port c. port forwarding d. static

4. a, b, d

4. Which new firewall model was introduced with PAN-OS 8.1 with double the data-plane memory? a. PA-5260 b. PA-5270 c. PA-5280 d. PA-5290

4. c

5. True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses. a. true b. false

5. a (true)

5. True or false? Application groups can contain applications, filters, or other application groups. a. true b. false

5. a (true)

5. True or false? Service routes can be used to configure an in-band port to access external services. a. true b. false

5. a (true)

5. Which are four failure detection methods in a firewall HA cluster? (Choose four.) a. heartbeats and hellos b. internal health checks c. link groups d. path groups e. polling

5. a, b, c, d

5. When the firewall detects that a session has been broken as a result of the decryption process, it will cache the session information and will not attempt to decrypt the next session to the same server. How many hours does this cache entry persist? a. 8 b. 12 c. 18 d. 24

5. b

5. True or false? Each Anti-Spyware Security Profile contains one master rule to handle all types of threats. a. true b. false

5. b (false)

5. True or false? Logging on intrazone-default and interzone-default Security policy rules is enabled by default. a. true b. false

5. b (false)

5. For which type of functionality can a GlobalProtect Gateway map IP addresses to the user? a. App-ID b. Content-ID c. User-ID

5. c

1. Which item is the name of an object that dynamically groups applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic? a. application b. application filter c. application group d. Application Profile

1. b

1. Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network? a. Data Filtering log entry b. continue response page c. DNS sinkhole d. CVE number

1. c

2. A log can be exported to which format? a. CSV b. PDF c. PPT d. XLS

2. a

2. True or false? A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to "Allow." a. true b. false

2. a (true)

2. True or false? In Palo Alto Networks terms, an application is a specific program or feature that can be detected, monitored, and blocked if necessary. a. true b. false

2. a (true)

2. True or false? When you create a static route for the VPN, no next hop IP address is required. a. true b. false

2. a (true)

1. Which four items are possible network traffic match criteria in a Security policy on a Palo Alto Networks firewall? (Choose four.) a. Source Zone b. Username c. DNS Domain d. URL e. Application

1. a, b, d, e

1. Which four attributes describe an active/passive HA firewall configuration? (Choose four.) a. only one firewall actively processes traffic b. primarily designed to support asymmetric routing c. no increase in session capacity d. no increase in throughput e. supports Virtual Wire, Layer 2, and Layer 3 deployments

1. a, c, d, e

1. Which four models are the Palo Alto Networks next-generation firewall models? (Choose four.) a. PA-200 Series b. PA-2000 Series c. PA-300 Series d. PA-3200 Series e. PA-400 Series f. PA-5000 Series g. PA-7000 Series

1. a, d, f, g

1. The GlobalProtect client will connect to either an internal gateway or an external gateway based on its location (inside or outside of the corporate network). This location determination is based on the result of which option? a. reverse DNS lookup b. user selection during agent startup c. IP address of the client system d. whether the user starts the client in online or offline mode

1. a

1. Palo Alto Networks firewalls are built with a dedicated out-of-band management port that has which three attributes? (Choose three.) a. Labeled MGT by default. b. Passes only management traffic for the device and cannot be configured as a standard traffic port. c. Administrators use the out-of-band management port for direct connectivity to the management plane of the firewall. d. Cannot be configured to use DHCP.

1. a, b, c

1. Which three options are aspects of the basic requirements to create a VPN in a PAN-OS release? (Choose three.) a. add a static route to the virtual router b. create the tunnel interface c. configure the IPsec tunnel d. identify proxy ID errors

1. a, b, c

1. Virtual routers provide support for static routing and dynamic routing using which three protocols? (Choose three.) a. OSPF b. RIPv2 c. EGP d. BGP

1. a, b, d

1. Which three attributes are true regarding WildFire? (Choose three.) a. Identifies threats by signatures, which are available for download by Palo Alto Networks firewalls in as little as 5 minutes. b. Provides the ability to identify malicious behaviors in executable files by running them in a virtual environment and observing their behaviors. c. Triggered by "block" or "forward" actions in a File Blocking Security Profile d. Uploads files for analysis to a WildFire solution maintained in the

1. a, b, d

1. Which three statements are true regarding a public key infrastructure? (Choose three.) a. solves the problem of secure identification of public keys b. uses digital certificates to verify key owners c. relies on the manual distribution of shared keys d. has root and intermediate certificate authorities

1. a, b, d

1. Logs can be forwarded to which four of the following Remote Logging Destinations? (Choose four.) a. Email b. Syslog c. Common access log d. Panorama e. SNMP

1. a, b, d, e

