Palo Alto Panorama Questions
At which stage in the flow logic is NAT applied to packets traversing the data plane? A. Ingress B. Security Processing (fastpath) C. App-ID Engine D. Content-ID Engine
B
At which stage in the flow logic is NAT applied to packets traversing the data plane? A. Ingress B. Security Processing (fastpath) C. App-ID Engine D. Egress
B
Based on application attributes that you define (Category, Subcategory, Technology, Risk, and Characteristic), which item is the name of an object that dynamically identifies and associates applications? A. application B. application filter C. application group D. application profile
B
Before Panorama can connect and manage a firewall, which piece of information about the firewall do you need to enter into Panorama? A. IP address B. serial number C. login credentials D. authorization number
B
Before a firewall can connect to Panorama, which piece of information do you need to enter in the firewall? A. serial number of the firewall B. IP address of Panorama C. serial number of Panorama D. authorization number of Panorama
B
To which item are Zone Protection Profiles applied? A. egress ports B. ingress ports C. Address Groups D. Security policy rules
B
True or False. URLs always are matched to a PAN-DB URL category before they match a custom URL category. A. true B. false
B
True or False? A Panorama virtual appliance in the cloud can manage only firewalls in the cloud. A. true B. false
B
True or False? Each Anti-Spyware Security Profile contains one master rule to handle all types of threats. A. true B. false
B
True or False? Logging on intrazone-default and interzone-default Security policy rules is enabled by default. A. true B. false
B
True or False? The firewall mode (Virtual System/VPN/FIPS/CC) can be set by a template in Panorama and pushed to the firewall. A. true B. false
B
True or False? The intrazone-default and interzone-default rules cannot be modified. A. true B. false
B
What is the maximum number of device groups in Panorama? A. 4,096 B. 1,024 C. 512 D. no limit
B
When a VM-Series firewall is deployed in the cloud, which traffic characteristics is the firewall designed to protect? A. north-south and east-west B. east-west C. north-south D. data center traffic
B
When a virtual system is used on a firewall, which object cannot be segmented? A. data plane interface B. MGT interface C. network security zone D. administrative access
B
Which action in a Security policy rule results in traffic being silently rejected? A. deny B. drop C. reset server D. reset client
B
Which action would not be recorded in a URL Filtering log? A. alert B. allow C. continue D. override
B
Which device group in Panorama is automatically created and cannot be deleted? A. Default Group B. Shared Group C. Inheritance Group D. Template Group
B
Which of the three types of Security policy rules, that can be created, is the default rule type? A. common B. universal C. interzone D. interchange E. intrazone
B
Which statement is true regarding Safe Search Enforcement? A. Safe search is a web server setting. B. Safe search is a web browser setting. C. Safe search is a desktop setting. D. Safe search is a laptop setting.
B
Which type of Security policy rule is the default rule type? A. default B. universal C. intrazone D. interzone
B
In a Palo Alto Networks Security policy rule, which two items are required match criteria? (Choose two.) A. destination address B. destination zone C. source zone D. destination port
BC
Palo Alto Networks firewalls are built with a dedicated out-of-band management port that has which two attributes? (Choose two.) A. can be configured for SD-WAN B. passes only management traffic C. labeled MGT by default D. cannot be configured to use DHCP
BC
Which two planes are found in the Palo Alto Networks single-pass platform architecture? (Choose two.) A. application B. control C. data D. parallel processing
BC
Which two statements are true regarding the candidate configuration? (Choose two.) A. It controls the current operation of the firewall. B. It can be reverted to the current configuration. C. It contains possible changes to the current configuration. D. It always contains the factory default configuration.
BC
Which three items are names of valid source NAT translation types? (Choose three.) A. port linking B. dynamic IP C. static D. DHCP E. dynamic IP/port
BCE
Which two actions results in a URL Filtering log entry? (Choose two.) A. resume B. alert C. enhance D. block
BD
As recorded in the session tables, which three state are considered to be "stable" session states (Choose three.) A. Opening B. Active C. Free D. Init E. Discard
BDE
Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.) A. FC B. Layer 3 C. FCoE D. Tap E. Virtual wire
BDE
How often are new application signatures released by Palo Alto Networks? A. as soon as possible B. once per week C. once per month D. with each PAN-OS software update
C
In Panorama, can you use the same template in different template stacks? A. no B. yes, if there are no other templates in the stack C. yes, regardless of other templates in the stack D. yes, if no conflicting values are in other templates within the stack
C
In the policy rule hierarchy, what is the order of execution for the first three policy rules? A. Local Firewall Policies, Device Group Hierarchy Post-Policies, and then Shared Post-Policies. B. There is no set order. C. Shared Pre-Policies, Device Group Hierarchy Pre-Policies, and then Local Firewall Policies. D. Device Group Hierarchy Post-Policies, Shared Post-Policies, and then Default Rules.
C
What is the result of clicking the Preview Changes link when committing changes to a firewall? A. shows any error messages that would appear during a commit B. lists the individual settings for which you are committing changes C. compares the candidate configuration to the running configuration D. displays any unresolved application dependencies
C
When you create the first device group in Panorama, which option shows the two tabs that are added to the user interface? A. Device and Objects B. Network and Device C. Policies and Objects D. Policies and Network
C
Which NAT translation type uses NAT oversubscription? A. static B. dynamic IP C. dynamic IP and port D. dynamic IP with session distribution
C
Which information is needed to register a Panorama Physical appliance in the Customer Support Portal? A. management IP address B. FQDN logical name C. serial number of Panorama D. customer ID and Panorama name
C
Which item is the name of an object that dynamically groups applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic? A. application B. application group C. application filter D. application profile
C
Which option should you select to prevent modifications to an object within descendant device groups? A. Disable Shared Group B. Disable inheritance C. Disable override D. Disable virtual systems
C
Zone Protection Profiles are applied to which item? A. Address Groups B. Security policy rules C. ingress ports D. egress ports
C
Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which two applications? (Choose two.) A. unknown-tcp B. unknown-udp C. ssl D. web-browsing
CD
Which two attributes are true regarding a Virtual Wire interface? (Choose two.) A. supports SSL Decrypt Inbound traffic only B. sometimes called a glitch in the Wire C. supports NAT, Content-ID, and User-ID D. no support for routing or device management
CD
Which two planes are found in Palo Alto Networks single-pass platform architecture? (Choose two.) A. parallel processing B. single pass C. data D. control
CD
Which two statements are true regarding the candidate configuration? (Choose two.) A. click revert now to modify candidate configuration to the running configuration. B. Roll back the candidate configuration by pressing the Undo button. C. Click Save creates a copy of the current candidate configuration. D. Choose Commit updates the running configuration with the E. contents of the candidate configuration.
CD
Which three states are considered to be "stable" session states as recorded in the session tables? (Choose three.) A. Free B. Opening C. Discard D. Init E. Active
CDE
A URL Filtering license is not required to define and use custom URL categories. A. true B. false
A
At which stage in the flow logic does the firewall attempt to match a packet to an existing flow? A. Ingress B. App-ID Engine C. Content-ID Engine D. Egress
A
At which stage in the flow logic does the firewall attempt to match a packet to an existing flow? A. Ingress B. Security Processing (fastpath) C. App-ID Engine D. Egress
A
Service routes can be used to configure an in-band port to access external services. A. true B. false
A
Sinkhole events are recorded in which log? A. Threat B. URL Filtering C. WildFire Submissions D. Data Filtering
A
The User Credential Detection tab can be used to block traffic when users submit their corporate credentials to a website. A. true B. false
A
True or False? A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to "Allow." A. true B. false
A
True or False? Application groups can contain applications, filters, or other application groups. A. true B. false
A
True or False? Before you can archive rule changes, you need to configure policy rulebase settings to require audit comment on policies. A. true B. false
A
True or False? Firewall administrator accounts can be individualized for user needs, granting or restricting permissions as appropriate. A. true B. false
A
True or False? If a duplicated object is in device groups, the lower-level device group in the inheritance tree will override the higher-level device group object. A. true B. false
A
True or False? In Palo Alto Networks terms, an application is a specific program or feature that can be detected, monitored, and blocked if necessary. A. true B. false
A
True or False? Panorama maintains configurations of all managed firewalls and a configuration of itself. A. true B. false
A
True or False? The strength of the Palo Alto Networks firewall is its Single-Pass Parallel Processing (SP3) engine. A. true B. false
A
True or False? To register a Panorama physical appliance in the Customer Support Portal, you need the serial number of Panorama. A. true B. false
A
True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses. A. true B. false
A
True or false? Intrazone traffic is allowed by default but interzone traffic is blocked by default. A. true B. false
A
What is required for a Security Profile attached to a Security policy rule to be successfully evaluated? A. the Security policy rule matches, and the traffic is set to "allow" B. the Security policy rule matches, and the traffic is set to "deny" C. the App-ID signature matches, and the traffic is set to "allow" D. the App-ID signature matches, and the traffic is set to "deny"
A
What triggers a Security policy rule match in the Policy Optimizer's No App Specified window? A. "any" in the Application column B. "Allow" in the Action column C. "application-default" in the Service column D. "unknown" in the Application column
A
Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network? A. DNS sinkhole B. Data Filtering log entry C. CVE number D. Continuous response page
A
Which two configuration elements can be configured for managed firewalls by using templates in Panorama? (Choose two.) A. Network B. Device C. Objects D. Policies
AB
Firewall administration can be done using which three interfaces? (Choose three.) A. command line interface B. web interface C. XML files D. Panorama E. Java API
ABD
Regarding the candidate configuration, which two statements are true? (Choose two.) A. It can be reverted to the current configuration. B. It controls the current operation of the firewall. C. It contains possible changes to the current configuration. D. It always contains the factory default configuration.
AC
Virtual routers provide support for static routing and dynamic routing using which two protocols? (Choose two.) A. BGP B. EGP C. OSPF D. RIPv1
AC
Which two statements are true regarding Safe Search Enforcement? (Choose two.) A. Safe search is a best-effort setting. B. Safe search is a policy setting. C. Safe search blocks sexually explicit content. D. Safe search is a web server setting.
AC
Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.) A. Tap B. FC C. Layer 3 D. Virtual Wire E. FCoE
ACD
Which three statements are true regarding App-ID? (Choose three.) A. It is the Palo Alto Networks traffic classification mechanism. B. It still is in the developmental stage and is not yet released. C. It addresses the traffic classification limitations of traditional firewalls. D. It uses multiple identification mechanisms to determine the exact identity of applications traversing the network.
ACD
Re-order the steps so that they could be used to create and use a custom application with a custom signature. A. Capture application network traffic. B. Add the custom application to policy rules. C. Identify unique bit patterns in the traffic. D. Create the custom application with a signature.
ACDB
When you create the first device group in Panorama, which two tabs are added to the user interface? (Choose two.) A. Policies B. Network C. Device D. Objects
AD
Which three items are possible network traffic match criteria in a Security policy on a Palo Alto Networks firewall? (Choose three.) A. Username B. DMZ C. DNS Domain D. Source Zone E. Application
ADE
What are the three Palo Alto Networks Next-Generation Firewall models? (Choose three.) A. PA-5000 Series B. PA-250 Series C. PA-400 Series D. PA-7000 Series E. PA-300 Series F. PA-3200 Series
ADF
Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which application? A. unknown-udp B. none of these C. unknown-tcp D. web-browsing
D
What is the maximum number of templates in a template stack? A. 4 B. 16 C. no limit D. 8
D
What will Panorama do if two templates in the same template stack have different values for the same setting? A. generate an error at commit B. ignore the value in both template C. use the value from the lowest template in the stack D. use the value from the highest template in the stack
D
What will Panorama do if two templates in the same template stack have different values for the same setting? A. generate an error at commit B. ignore the value in both templates C. use the value from the lowest template in the stack D. use the value from the highest template in the stack
D
Which Security Profile is designed to help mitigate unknown threats? A. Antivirus B. Anti-Spyware C. Vulnerability Protection D. WildFire Analysis
D
Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network? A. continue response page B. CVE number C. Data Filtering log entry D. DNS Sinkhole
D
