Palo Alto

The Gartner Magic Quadrant for Network Firewalls rates a company's: Select one: a. Regulatory Compliance / Intellectual Properties b. Growth Potential / Profitability c. Ability to Execute / Completeness of Vision

Ability to Execute / Completeness of Vision

To properly configure DOS protection to limit the number of sessions individually from specific source IPs, you would configure a DOS Protection rule with the following characteristics:

Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured

Which URL filtering security profile action logs the category to the URL filtering log? Select one: a. Alert b. Allow c. Log d. Default

Alert

When SSL encrypted traffic first arrives at the Next Generation Firewall, which technology initially identifies the application as web-browsing? Select one: a. User-ID b. App-ID c. Encryption-ID d. Content-ID

App-ID

What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth? Select one: a. Quality of Service Log b. Quality of Service Statistics c. Application Command Center (ACC) d. Applications Report

Application Command Center (ACC)

What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth? Select one: a. Quality of Service Statistics b. Application Command Center (ACC) c. Applications Report d. Quality of Service Log

Application Command Center (ACC)

What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth? Select one: a. Quality of Service Statistics b. Quality of Service Log c. Application Command Center (ACC) d. Applications Report

Application Command Center (ACC)

What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application? Select one: a. Application-default b. Application-implicit c. Application-dependent d. Application-custom

Application-default

When creating PAN-OS firewall administrator accounts, which configuration step is required for Non-Local Administrators, but not for Local Administrators? Select one: a. Directory Services Replication b. Authentication Sequence c. Authentication Profile d. API Interface

Authentication Profile

Which type of firewall license or subscription provides a graphical analysis of firewall traffic logs and identifies potential risks to your network by using threat intelligence from a portal? Select one: a. GlobalProtect b. AutoFocus c. WildFire d. Threat Prevention

AutoFocus

What is the recommended maximum default size of PE - executable - files forwarded from the Next Generation firewall to Wildfire? Select one: a. 16 megabytes b. Configurable up to 2 megabytes c. Always 2 megabytes d. Configurable up to 10 megabytes

16 megabytes

On the Palo Alto Networks Next Generation Firewall, which is the default port for transporting Syslog traffic? Select one: a. 6514 b. 443 c. 8080 d. 514

514

Select the answer that completes this sentence. DIPP source NAT will support a maximum of about ______________ concurrent sessions on each IP address configured within the NAT pool. Select one: a. 64,000 b. 250 c. 16,300 d. 8100

64,000

For guidance on continuing to deploy the security platform features to address your network security needs, review the PAN-OS Administrator's Guide section titled ______________________________________________. Select one: a. Set Up a Basic Security Policy b. Best Practices for Completing the Firewall Deployment c. Register the Firewall d. Best Practices for Securing Administrative Access

Best Practices for Completing the Firewall Deployment

Which is the correct URL matching order on a Palo Alto Networks Next Generation Firewall?

Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud

What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)? Choose the 3 correct choices. If you choose an incorrect choice your question score will be deducted. Select one or more: a. Application Traffic b. Blocked Activity c. Network Traffic d. Threat Activity

Blocked Activity, Network Traffic, Threat Activity

Which attribute is associated with the dedicated out-of-band network management port in Palo Alto Networks firewalls? Select one: a. Supports DHCP only b. Cannot be configured as a standard traffic port c. Supports only SSH connections d. Requires a static, non-DHCP network configuration

Cannot be configured as a standard traffic port

Which User-ID component and mapping method is recommended for web clients that do not use the domain server? Select one: a. XML API b. Captive Portal c. Terminal Services agent d. GlobalProtect

Captive Portal

When using config audit to compare configuration files on a Next Generation firewall, what does the yellow indication reveal? Select one: a. Change b. Addition c. None d. Deletion

Change

When making changes to configuration settings on the PAN-OS firewall, which of the following options lists the individual changes for which you are committing changes: Select one: a. Preview Changes for all b. Change Summary c. Validate Commit d. Preview Changes for selected administrators.

Change Summary

Which Palo Alto Networks Prisma technology provides continuous security monitoring, compliance validation, and cloud storage security capabilities across multi-cloud environments. In addition, you can simplify security operations through effective threat protections enhanced with comprehensive cloud context? Select one: a. Compliance b. Cloud c. Access d. SaaS

Cloud

Which two statements are true regarding User-ID and firewall configuration?

Communication between the firewall and USER-ID agent is sent over an encrypted SSL connection; the firewall needs to have information for every USER-ID agent for which it will connect

When committing changes to a firewall, what is the result of clicking the Preview Changes link? Select one: a. Compares the candidate configuration to the running configuration b. Lists the individual settings for which you are committing changes c. Displays any unresolved application dependencies d. Shows any error messages that would appear during a commit

Compares the candidate configuration to the running configuration

Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network? Select one: a. DNS Sinkhole b. CVE Number c. continue response page d. data filtering log entry

DNS Sinkhole

Which two firewall features display information using widgets? Choose the 2 correct choices. Select one or more: a. ACC b. Traffic log c. Dashboard d. Botnet report

Dashboard, ACC

Network traffic matches an "allow" rule in the Security policy, but the attached File Blocking Profile is configured with a "block" action. To which two locations will the traffic be logged? Choose the 2 correct choices.

Data Filtering Log, Traffic Log

Which feature can be configured to block sessions that the firewall cannot decrypt? Select one: a. Decryption profile in PBF b. Decryption profile in decryption policy c. Decryption profile in security profile d. Decryption profile in security policy

Decryption profile in decryption policy

Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?

EXE

Select True or False. Logging on intrazone-default and interzone-default Security policy rules is enabled by default.

False

Select True or False. On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.

False

Select True or False. The running configuration consists of configuration changes in progress but not active on the firewall.

False

Select True or false. Service routes can be used to configure an in-band port to access external services.

False

True or false? SNMP GET requests to a firewall return operational statistics, and SNMP SET requests update the firewall configuration.

False

What action will show whether a downloaded PDF file from a user has been blocked by a security profile on the Next Generation firewall? Select one: a. Filter the data filtering logs for the user's traffic and the name of the PDF file b. Filter the traffic logs for all traffic from the user that resulted in a deny action c. Filter the session browser for all sessions from a user with the application adobe d. Filter the system log for failed download messages

Filter the data filtering logs for the user's traffic and the name of the PDF file

In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange? Select one: a. Three b. Two c. One d. Four or five

Four or five

In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display? Select one: a. Global b. Group c. Local d. Universal

Global

In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display? Select one: a. Global b. Universal c. Group d. Local

Global

Which Palo Alto Networks product for securing the enterprise extends the enterprise perimeter to remote offices and mobile users? Select one: a. GlobalProtect b. VM-Series c. WildFire d. Panorama

GlobalProtect

In the Palo Alto Networks Firewall WebUI, which type of report can be compiled into a single emailed PDF? Select one: a. Predefined b. PDF Summary c. Group d. Botnet

Group

A Zone Protection Profile is applied to which item? Select one: a. Security Policy Rules b. Address Groups c. Ingress Ports d. Egress Ports

Ingress Ports

Which type of Security policy rule is the default rule type? Select one: a. Interzone b. Intrazone c. Universal d. Default

Interzone

Which NGFW security policy rule applies to all matching traffic within the specified source zones? Select one: a. Default b. Interzone c. Intrazone d. Universal

Intrazone

Which statement is true regarding the Palo Alto Networks Firewall candidate configuration? Select one: a. It can be reverted to the current configuration. b. It controls the current operation of the firewall. c. It always contains the factory default configuration. d. It does not control changes to the current configuration.

It can be reverted to the current configuration.

Which statement about the automated correlation engine is not correct? Select one: a. It outputs correlation events. b. It uses correlation objects as input. c. It is available only in Panorama d. It detects possible infected hosts.

It is available only in Panorama

Which series of Palo Alto Networks Next Generation Firewall offers two modes, Secure Mode, and Express Mode? Select one: a. K2 b. CN c. VS d. VM

K2

What is the method used to create a Zero Trust policy that answers the 'who, what, when, where, why and how' definition? a. Logging b. Never Trust - Always Verify c. Full Authentication d. Kipling

Kipling, Never Trust - Always Verify

Global user authentication is not supported by which authentication service? Select one: a. SAML b. LDAP c. RADIUS d. TACACS +

LDAP

What type of interface allows the Next Generation firewall to provide switching between two or more networks? Select one: a. Layer2 b. Virtual Wire c. Layer3 d. T

Layer2

Which of the following is NOT a PAN-OS Firewall Administrator Dynamic Role? Select one: a. Superuser b. Device administrator (read-only) c. Virtual system administrator d. Local only administrator

Local only administrator

Which object cannot be segmented using virtual systems on a firewall? Select one: a. Data Plane Interface b. Administrative Access c. MGT interface d. Network Security Zone

MGT interface

Which one of the following statements is true about NAT rules? Select one: a. The destination zone in the security rule is determined before the route lookup of the post-NAT destination IP address. b. NAT rules are applied after security policy rules. c. The addresses used in source NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). d. NAT rules provide address translation, while security policy rules allow or deny packets.

NAT rules provide address translation, while security policy rules allow or deny packets.

What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)? Choose the 3 correct choices. If you choose an incorrect choice your question score will be deducted. Select one or more: a. Network Traffic b. Blocked Activity c. Application Traffic d. Threat Activity

Network Traffic, Threat Activity, Blocked Activity

What is the default setting for "Action" in a decryption policy rule? Select one: a. None b. No-decrypt c. Any d. Decrypt

None

When resetting the PAN-OS firewall to factory defaults, you can save all configuration settings and logs by performing the following: Select one: a. Selecting 'yes' when prompted b. Executing the CLI command when in maintenance mode: rebuild/FactoryReset c. Pressing Shift-C when prompted d. None of the above

None of the above

Which routing protocol is supported on a virtual router? Select one: a. OSPF b. EGP c. PPP d. IGRP

OSPF

Which series of firewall is a high-performance physical appliance solution? Select one: a. CN b. PA c. VM d. HA

PA

Without a Wildfire licensed subscription, which of the following files can be submitted by the Next Generation Firewall to the hosted Wildfire virtualized sandbox? Select one: a. PE files only b. MS Office doc/docx, xls/xlsx, and ppt/pptx files only c. PE and Java Applet only d. PDF files only

PE files only

When creating a custom admin role, which type of privileges cannot be defined? Select one: a. REST API b. WebUI c. Panorama d. Command Line e. XML API

Panorama

Which Strata product provides centralized firewall management and logging? Select one: a. GlobalProtect b. WildFire c. Prisma Access d. Panorama

Panorama

Which of the following is a routing protocol supported in a Next Generation firewall? Select one: a. EIGRP b. IGRP c. ISIS d. RIPV2

RIPV2

In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for Wildfire updates? Select one: a. 15 Minutes b. 5 Minutes c. Real Time d. 1 Hour

Real Time

Which action in a Security policy rule results in traffic being silently rejected? Select one: a. Deny b. Drop c. Reset Server d. Reset Client

Reset Server

Which Next Generation FW configuration type has settings active on the firewall? Select one: a. Legacy b. Startup c. Running d. Candidate

Running

Which type of Next Generation Firewall decryption inspects SSL traffic between an internal host and an external web server? Select one: a. SSL Forward Proxy b. SSL Inbound Inspection c. SSL Outbound Inspection d. SSH

SSL Forward Proxy

Which type of Next Generation Firewall decryption inspects SSL traffic coming from external users to internal servers? Select one: a. SSL Inbound Inspection b. SSH c. SSL Forward Proxy d. SSL Outbound Inspection

SSL Inbound Inspection

Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall? Select one: a. SSH Decryption b. SSL Forward Proxy Decryption c. SSL Inbound Inspection Decryption d. SSH Tunnel Decryption

SSL Inbound Inspection Decryption

Which Next Generation Firewall URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option? Select one: a. Log Container Page Only b. HTTP Header Logging c. Safe Search Enforcement d. User Credential Detection

Safe Search Enforcement

Which statement is not true regarding Safe Search Enforcement? Select one: a. Safe search works only in conjunction with credential submission websites b. Safe search is a web browser setting c. Safe search is a best effort setting d. Safe search is a web server setting

Safe search works only in conjunction with credential submission websites

Which feature can be configured with an IPv6 address? Select one: a. BGP b. Static Route c. RIPv2 d. DHCP Server

Static Route

Which port does the Palo Alto Networks Windows-based User-ID agent use by default? Select one: a. TCP port 4125 b. TCP port 443 c. TCP port 80 d. TCP port 5007

TCP port 5007

Which type of firewall interface enables passive monitoring of network traffic? Select one: a. Tap b. Loopback c. Virtual wire d. Tunnel

Tap

When defining Security policy rules, why should you consider only the c2s flow direction, and define policy rules that allow or deny traffic from the source zone to the destination zone, that is, in the c2s direction?

The return s2c flow does not require a separate rule because the return traffic automatically is allowed

Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server? Select one: a. The firewall Management port IP b. The firewall gateway IP c. The server private IP d. The server public IP

The server public IP

In the web interface, what is signified when a text box is highlighted in red? Select one: a. The value in the text box is an error b. The value in the text box is optional c. The value in the text box is controlled by Panorama d. The value in the text box is required

The value in the text box is required

When creating an application filter, which of the following is true?

They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter

Which statement about the predefined reports is not correct? Select one: a. They are emailed daily to users b. They are generated daily by default c. There are more than 40 predefined reports d. They are grouped in 5 categories

They are emailed daily to users

Which of the following are NOT traffic attributes or criteria that can be defined in a Security policy rule? Select one: a. Source / Destination zones b. Source user c. Traffic that does not pass through the firewall data plane d. URL Category

Traffic that does not pass through the firewall data plane

Select True or False. A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.

True

Select True or False. All of the interfaces on a Next Generation firewall must be the same interface type.

True

Select True or False. By default, the firewall uses the management (MGT) interface to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses and AutoFocus.

True

Select True or False. In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.

True

Select True or False. In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers.

True

Select True or False. On the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.

True

Select True or False. Security policy rules on the Next Generation firewall specify a source and a destination interface.

True

Select True or False. Server Profiles define connections that the firewall can make to external servers.

True

Select True or False. Traffic protection from external locations where the egress point is the perimeter is commonly referred to as "North-South" traffic.

True

The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement.

True

True or False. In the Next Generation Firewall, even if the Decryption policy rule action is "no-decrypt," the Decryption Profile attached to the rule can still be configured to block sessions with expired or untrusted certificates.

True

True or false? A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to "allow."

True

True or false? Certificate-based authentication replaces all other forms of either local or external authentication.

True

True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.

True

True or false? The SSL forward untrusted certificate should not be trusted by the client but should still be a CA certificate.

True

True or false? The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted.

True

True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.

True

True or false? You can customize the list of logs that are aggregated into the Unified log.

True

True or False. If a file type is matched in the File Blocking Profile and WildFire Analysis Profile, and if the File Blocking Profile action is set to "block," then the file is not forwarded to WildFire.

True

A "continue" action can be configured on the following security profiles in the Next Generation firewall: Select one: a. URL Filtering and File Blocking b. URL Filtering, File Blocking, and Data Filtering c. URL Filtering and Antivirus d. URL Filtering

URL Filtering and File Blocking

Which statement is true regarding User-ID and Security policy rules? Select one: a. Users can be used in policy rules only if they are known by the firewall b. The Source IP and Source User fields cannot be used in the same policy. c. If the user associated with an IP address cannot be determined, all traffic from that address will be dropped. d. The Source User field can match only users, not groups.

Users can be used in policy rules only if they are known by the firewall

Which Palo Alto Networks Next Generation VM Series Model requires a minimum of 16 GB of memory and 60 GB of dedicated disk drive capacity? a. VM-700 b. VM-50 c. VM-100 d. VM-500

VM-500

Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign on the network topology? Select one: a. Layer 3 b. Virtual Wire c. Layer 2 d. Tap

Virtual Wire

Which Palo Alto Networks Cortex technology prevents malware, blocks exploits, and analyzes suspicious patterns through behavioral threat protection? Select one: a. AutoFocus b. XDR c. Data Lake d. XSOAR

XDR

Which profile type is designed to protect against reconnaissance attacks such as host sweeps and port scans? Select one: a. DOS Protection b. Anti-Spyware c. Zone Protection d. Data Filtering

Zone Protection

What component of the Next Generation Firewall will protect from port scans? Select one: a. Anti-Virus Protection b. DOS Protection c. Zone protection d. Vulnerability protection

Zone protection

What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)? Select one or more: a. Threat Activity b. Network Traffic c. Blocked Activity d. Application Traffic

a. Threat Activity b. Network Traffic c. Blocked Activity

When an Applications and Threats content update is performed, which is the earliest point where you can review the impact of new application signatures on existing policies? Select one: a. after download b. after commit c. after install d. after clicking Check Now

after download

Which item is not a valid choice when the Source User field is configured in a Security policy rule? Select one: a. all b. unknown c. any d. known-user

all

According to best practices, which two URL filtering categories should be blocked in most URL Filtering Profiles? Choose the 2 correct choices. If you choose an incorrect choice your question score will be deducted. Select one or more: a. adult b. high-risk c. new-registered-domain d. medium-risk

b. high-risk c. new-registered-domain

Which CLI command is used to verify successful file uploads to WildFire? Select one: a. debug wildfire upload-threat show b. debug wildfire upload-log show c. debug wildfire upload-log d. debug wildfire download-log show

debug wildfire upload-log show

Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems? Select one: a. deviceadmin b. vsysadmin c. superuser d. Custom role

deviceadmin

NGFW QoS policies can be configured to apply: Select one: a. data encryption b. forwarding for anti-virus screening c. either preferential treatment or bandwidth-limiting traffic rules d. third party authentication

either preferential treatment or bandwidth-limiting traffic rules

True or false? If OCSP and CRL are configured on a firewall, CRL is consulted first.

false

True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.

false

Assume you have a WildFire subscription. Which file state or condition would trigger a Wildfire file analysis? Select one: a. file already has WildFire hash b. file size limit exceeded c. executable file signed by trusted signer d. file located in a JAR or RAR archive

file located in a JAR or RAR archive

Which WildFire verdict might indicate obtrusive behavior but not a security threat? Select one: a. phishing b. benign c. grayware d. malware

grayware

How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application? Select one: a. unknown-tcp b. incomplete c. not-applicable d. insufficient-data

insufficient-data

A strength of the Palo Alto Networks firewall is: a. hardware consolidation - data and control plane processing is improved and performed in successive linear fashion b. increased buffering capability. c. its single-pass parallel processing (SP3) engine and software performs operations once per packet

its single-pass parallel processing (SP3) engine and software performs operations once per packet

Which two types of activities does SSL/TLS decryption on the firewall help to block? Choose the 2 correct choices. Select one or more: a. protocol-based attacks b. malware introduction c. denial-or-service attacks d. sensitive data exfiltration

malware introduction, sensitive data exfiltration

Which Palo Alto Networks Next Generation Firewall URL Category Action sends a response page to the user's browser that prompts the user for the administrator-defined override password, and logs the action to the URL Filtering log? Select one: a. block b. continue c. alert d. override

override

Which URL Filtering Profile action will result in a user being interactively prompted for a password? Select one: a. allow b. alert c. continue d. override

override

Select the answer that best completes this sentence. Source NAT commonly is used for _________ users to access the ________ internet.

private, public

Which command will reset a next generation firewall to its factory default settings if you know the admin account password? Select one: a. request system private-data-reset b. reset startup-config c. reload d. reset system settings

request system private-data-reset

Which two actions affect all of the widgets in the Application Command Center? Choose the 2 correct choices. Select one or more: a. setting a global search b. setting a time range c. setting a local filter d. setting a global filter

setting a global filter, setting a time range

Which three methods does App-ID use to identify network traffic?

signatures, protocol decoders, URL category

Which role-based privilege allows full access to the Palo Alto Networks firewall, including defining new administrator accounts and virtual systems? Select one: a. devicereader b. deviceadmin c. superuser d. superreader

superuser

The first important task of building a Zero Trust Architecture is to identify __________________. a. the protect surface b. traffic c. interdependencies d. microperimeter

the protect surface

Select True or false. The CN-Series firewalls deliver the same capabilities as the PA-Series and VM-Series firewalls

true

True or false? A URL Filtering license is not required to define and use custom URL categories.

true
