Knowledge Quiz 8b - Initial Firewall and Basic Interface Configurations
True or False. Traffic protection from external locations where the egress point is the perimeter is commonly referred to as "North-South" traffic. Select one: True False
True
When you change a configuration setting and click OK, the current or "candidate" configuration is updated, not the active or "running" configuration.
True
Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information. Select one: a. Aperture b. GlobalProtect c. Panorama d. AutoFocus
a. Aperture
Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information. a. Aperture b. GlobalProtect c. Panorama d. AutoFocus
a. Aperture****
What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth? Select one: a. Application Command Center (ACC) b. Quality of Service Statistics c. Applications Report d. Quality of Service Log
a. Application Command Center (ACC)
What is the maximum size of .EXE files uploaded from the Next Generation firewall to WIldfire? Select one: a. Configurable up to 10 megabytes b. Always 2 megabytes c. Configurable up to 2 megabytes d. Always 10 megabytes
a. Configurable up to 10 megabytes ****
In a Next Generation firewall, how many packet does it take to identify the application in a TCP exchange? Select one: a. Four or five b. Three c. Two d. One
a. Four or five
What is the benefit of enabling the "passive DNS monitoring" checkbox on the Next Generation firewall? Select one or more: a. Improved malware detection in Wildfire b. Improved PAN DB malware detection c. Improved anti-virus detection d. Improved DNS based command and control signatures
a. Improved malware detection in Wildfire b. Improved PAN DB malware detection d. Improved DNS based command and control signatures
Which of the following is a routing protocol supported in a Next Generation firewall? Select one: a. RIPV2 b. EIGRP c. ISIS d. IGRP
a. RIPV2
Which Next Generation FW configuration type has settings active on the firewall? Select one: a. Running b. Candidate c. Legacy d. Startup
a. Running
When creating an application filter, which of the following is true? Select one: a. They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter b. They are used by malware c. Excessive bandwidth may be used as a filter match criteria d. They are called dynamic because they automatically adapt to new IP addresses
a. They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter
Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall? Select one or more: a. User Identification (User-ID) b. Content Identification (Content-ID) c. Threat Identification (Threat-ID) d. Application Identification (App-ID) e. Group Identification (Group-ID)
a. User Identification (User-ID) b. Content Identification (Content-ID) d. Application Identification (App-ID)
What component of the Next Generation Firewall will protect from port scans? Select one: a. Zone protection b. DOS Protection c. Anti-Virus Protection d. Vulnerability protection
a. Zone protection
Which built-in role on the Next Generation firewall is the same as superuser except for creation of administrative accounts? Select one: a. deviceadmin b. vsysadmin c. sysadmin d. devicereader
a. deviceadmin
which built in role on the next generation firewall is the same as superuser except for creation of administrative accounts? a. deviceadmin b. vsysadmin c. sysadmin d. devicereader
a. deviceadmin****
To properly configure DOS protection to limit the number of sessions individually from specific source IPS you would configure a DOS Protection rule with the following characteristics: Select one: a. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured b. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured c. Action: Deny, Aggregate Profile with "Resources Protection" configured d. Action: Protect, Aggregate Profile with "Resources Protection" configured
b. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured****
Without a Wildfire subscription, which of the following files can be submitted by the Next Generation FIrewall to the hosted Wildfire virtualized sandbox? Select one: a. PDF files only b. PE and Java Applet only c. MS Office doc/docx, xls/xlsx, and ppt/pptx files only d. PE files only
c. MS Office doc/docx, xls/xlsx, and ppt/pptx files only ****
Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems? Select one: a. superuser b. Custom role c. deviceadmin d. vsysadmin
c. deviceadmin
Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems? a. superuser b. custom role c. deviceadmin d. vsysadmin
c. deviceadmin****
Which command will reset a next generation firewall to its factory default settings if you know the admin account password? Select one: a. reset system settings b. reload c. request system private-data-reset d. reset startup-config
c. request system private-data-reset
In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for Wildfire updates? Select one: a. 30 Minutes b. 15 Minutes c. 1 Hour d. 5 Minutes
d. 5 Minutes ****
What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application? Select one: a. Application-dependent b. Application-implicit c. Application-custom d. Application-default
d. Application-default
What type of interface allows the Next Generation firewall to provide switching between two or more networks? Select one: a. Tap b. Layer3 c. Virtual Wire d. Layer2
d. Layer2
Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign on the network topology? Select one: a. Layer 3 b. Tap c. Layer 2 d. Virtual Wire
d. Virtual Wire
What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
deviceadmin
What built-in role on the Next Generation firewall is the same as superuser except for creation of administrative accounts?
deviceadmin
To configure an interface, access the ______ tab and then Interfaces within the WebUI.
*** NOT Objects*** *** NOT Device***
Which routing protocol is supported in the Next Generation firewall platform?
*** not RIPV1*** *** not ISIS***
What action will show whether a downloaded PDF file from a user has been blocked by a security profile on the Next Generation firewall? Select one: a. Filter the traffic logs for all traffic from the user that resulted in a deny action b. Filter the data filtering logs for the user's traffic and the name of the PDF file c. Filter the session browser for all sessions from a user with the application adobe d. Filter the system log for failed download messages
b. Filter the data filtering logs for the user's traffic and the name of the PDF file ****
Which feature can be configured with an IPv6 address? Select one: a. BGP b. Static Route c. DHCP Server d. RIPv2
b. Static Route
Which Next Generation VM Series Model requires a minimum of 16 GB of memory and 60 GB of dedicated disk drive capacity? Select one: a. VM-700 b. VM-500 c. VM-100 d. VM-50
b. VM-500
On the Next Generation firewall, what type of security profile detects infected files being transferred with the application? Select one: a. Vulnerability Protection b. WildFire Analysis c. Anti-Virus d. URL Filtering e. File Blocking
c. Anti-Virus
On the Next Generation firewall, what type of security profile detects infected files being transferred with the application? a. Vulnerability Protection b. WildFire Analysis c. Anti-Virus d. URL Filtering e. File Blocking
c. Anti-Virus****
The PAN-OS DHCP server supports the following DHCP client options.
4/8 Option 135 (DNS Suffix) Dynamic updates to DNS server Option 70 (POP3 Server)
All of the interfaces on a Next Generation firewall must be of the same interface type. Select one: True False
False
Combines up to eight Ethernet interfaces using link aggregation.
Aggregate Interfaces
Dynamic Updates for Application and Threats, Antivirus, and URL filtering are issued on a Daily basis.
False
Activates a VM-Series Firewall.
Authorization Code
If an interface on the firewall is a client of an external DHCP server, the DHCP server configured on the Palo Alto Networks firewall cannot inherit information from the external DHCP server and send that DHCP information to its own clients.
False
Interzone traffic is allowed by default
False
When using config audit to compare configuration files on a Next Generation firewall, what does the yellow indication reveal?
Change
Applies candidate configuration to running configuration.
Commit
On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database. Select one: True False
False
Blocks others from making changes to the firewall settings.
Config lock
The built-in sysadmin role allows all rights except for the creation of administrative accounts and virtual systems.
False
All of the interfaces on a Next Generation firewall must be of the same interface type.
False
Which of the following services are enabled on the Next Generation firewall MGT interface by default?
HTTPS SSH
Provide Layer 3 services like in-band management, GlobalProtect portal, and IPSec.
Loopback Interface
Dedicated out-of-band management Ethernet interface.
MGT Interface
Which of the following is a routing protocol supported in a Next Generation firewall?
RIPV2
Used to administer firewall through SSH, Telnet, or direct console access.
PAN-OS CLI
Supersedes forwarding information in a virtual router.
Policy-Based Forwarding
Virtual routers provide support for dynamic routing using the following routing protocols.
Routing Information Protocol (RIP) Open Shortest Path First (OSPF) Border Gateway Protocol (BGP)
What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)? Select one or more: a. Network Traffic b. Threat Activity c. Blocked Activity d. Application Traffic
Select one or more: a. Network Traffic b. Threat Activity c. Blocked Activity
Upgrades PAN-OS software to a new release.
Software Updates
Which Ethernet interface type allows traffic flows to be passively monitored across a network by way of a switch SPAN or mirror port?
TAP
An interface in Virtual Wire mode on a Next Generation firewall does not require an IP address.
True
In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.
True
In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic. Select one: True False
True
In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers.
True
In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers. Select one: True False
True
Layer 3 interfaces, including the MGT interface, can be configured as dual stack with IPv4 and IPv6 addresses.
True
Multiple administrator accounts can be configured on a single Next Generation firewall.
True
On the Next Generation firewall, DNS sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic. True False
True
On the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released. Select one: True False
True
Used to administer firewall from a web browser.
WebUI