Palo Alto Modules 8-14
Which User-ID component and mapping method is recommended for web clients that do not use the domain server?
Captive Portal
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption profile in decryption policy
Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?
EXE
Select True or False. On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.
False
True or false? If OCSP and CRL are configured on a firewall, CRL is consulted first.
False
True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.
False
What action will show whether a downloaded PDF file from a user has been blocked by a security profile on the Next Generation firewall?
Filter the data filtering logs for the user's traffic and the name of the PDF file
In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
Four or five
In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display?
Global
Which statement about the automated correlation engine is not correct?
It is available only in Panorama
What is the default setting for "Action" in a decryption policy rule?
None
In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?
Real Time
Which type of Next Generation Firewall decryption inspects SSL traffic between an internal host and an external web server?
SSL Forward Proxy
Which type of Next Generation Firewall decryption inspects SSL traffic coming from external users to internal servers?
SSL Inbound Inspection
Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall?
SSL Inbound Inspection Decryption
Which Next Generation Firewall URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option?
Safe Search Enforcement
Which statement is not true regarding Safe Search Enforcement?
Safe search works only in conjunction with credential submission websites
Which port does the Palo Alto Networks Windows-based User-ID agent use by default?
TCP port 5007
When creating an application filter, which of the following is true?
They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter
The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement.
True
True or False. If a file type is matched in the File Blocking Profile and WildFire Analysis Profile, and if the File Blocking Profile action is set to "block," then the file is not forwarded to WildFire.
True
True or False. In the Next Generation Firewall, even if the Decryption policy rule action is "no-decrypt," the Decryption Profile attached to the rule can still be configured to block sessions with expired or untrusted certificates.
True
True or false? A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to "allow."
True
True or false? A URL Filtering license is not required to define and use custom URL categories.
True
True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.
True
True or false? The SSL forward untrusted certificate should not be trusted by the client but should still be a CA certificate.
True
True or false? The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted.
True
True or false? You can customize the list of logs that are aggregated into the Unified log.
True
A "continue" action can be configured on the following security profiles in the Next Generation firewall:
URL Filtering and File Blocking
Which statement is true regarding User-ID and Security policy rules?
Users can be used in policy rules only if they are known by the firewall
Without a WildFire licensed subscription, which of the following files can be submitted by the Next Generation Firewall to the hosted WildFire virtualized sandbox?
PE files only
What component of the Next Generation Firewall will protect from port scans?
Zone protection
Network traffic matches an "allow" rule in the Security policy, but the attached File Blocking Profile is configured with a "block" action. To which two locations will the traffic be logged? Choose the 2 correct choices.
a. Data Filtering Log b. Traffic Log
Which statement about the predefined reports is not correct?
a. They are emailed daily to users
Which item is not a valid choice when the Source User field is configured in a Security policy rule?
all
Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network?
b. DNS Sinkhole
A Zone Protection Profile is applied to which item?
a. Ingress Ports
Which profile type is designed to protect against reconnaissance attacks such as host sweeps and port scans?
a. Zone Protection
According to best practices, which two URL filtering categories should be blocked in most URL Filtering Profiles? Choose the 2 correct choices.
a. new-registered-domain c. high-risk
Which three methods does App-ID use to identify network traffic? Choose the 3 correct choices.
a. protocol decoders c. heuristics d. signatures
What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)? Choose the 3 correct choices.
a. Threat Activity b. Blocked Activity c. Network Traffic
Which two types of activities does SSL/TLS decryption on the firewall help to block? Choose the 2 correct choices.
a. sensitive data exfiltration c. malware introduction
When an Applications and Threats content update is performed, which is the earliest point where you can review the impact of new application signatures on existing policies?
after download
Which two firewall features display information using widgets? Choose the 2 correct choices.
c. ACC d. Dashboard
Which two statements are true regarding User-ID and firewall configuration? Choose the 2 correct choices.
c. The firewall needs to have information for every User-ID agent to which it will connect d. Communication between the firewall and User-ID agent is sent over an encrypted SSL connection
Which two actions affect all of the widgets in the Application Command Center? Choose the 2 correct choices.
c. setting a time range d. setting a global filter
Which URL filtering security profile action logs the category to the URL filtering log?
d. Alert
Which URL Filtering Profile action will result in a user being interactively prompted for a password?
d. override
Which is the correct URL matching order on a Palo Alto Networks Next Generation Firewall?
d. Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
Which CLI command is used to verify successful file uploads to WildFire?
debug wildfire upload-log show
Assume you have a WildFire subscription. Which file state or condition would trigger a WildFire file analysis?
file located in a JAR or RAR archive
Which WildFire verdict might indicate obtrusive behavior but not a security threat?
grayware
How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?
insufficient-data
Which Palo Alto Networks Next Generation Firewall URL Category Action sends a response page to the user's browser that prompts the user for the administrator-defined override password, and logs the action to the URL Filtering log?
override
On the Palo Alto Networks Next Generation Firewall, which is the default port for transporting Syslog traffic?
514
True or false? SNMP GET requests to a firewall return operational statistics, and SNMP SET requests update the firewall configuration.
False
True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.
True
When SSL encrypted traffic first arrives at the Next Generation Firewall, which technology initially identifies the application as web-browsing?
App-ID
What is the recommended maximum default size of PE (executable) files forwarded from the Next Generation firewall to WildFire?
16 megabytes
To properly configure DoS protection to limit the number of sessions individually from specific source IPs, you would configure a DoS Protection rule with the following characteristics:
Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured
What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?
Application Command Center (ACC)
What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
Application-default