PCNSA
Network Activity tab displays an overview of traffic and user activity on your network including? (choose three.) Top applications in use Hosts Resolving Malicious Domains Top users who generate traffic Most used security rules against which traffic matches occur Applications Using Non Standard Ports
-Top applications in use -Top users who generate traffic -Most used security rules against which traffic matches occur
The GlobalProtect client software is available in which two formats? (Choose two.) .msi .pkg .exe .rar
.msi .pkg
When the firewall detects that a session has been broken as a result of the process of decryption, the session information is cached and the next session is not decrypted from that host to the same website. There is no further attempt to decrypt the website for __________ after the first occurrence? 5 minutes 24 hours 30 minutes 12 hours
12 hours
During the first _____________ days of the migration process, the firewall should log enough traffic and application data to allow you to move through Phase 1 of the migration process? 7 days 15 days 10 days 30 days
30 days
On the next generation firewall, which is the standard UDP port for the transport of Syslog traffic? 443 514 8080 6514
514
In HA configuration how long will the firewall wait before it will become ACTIVE if there is no peer to start the negotiation? 60-seconds 5-minutes 200 milliseconds 30-seconds
60-seconds
On the next generation firewall, which is the default port for the transport of Syslog traffic? 8080 6514 514 443
6514
On the next generation firewall, which is the standard SSL port for the transport of Syslog traffic? 6514 514 8080 443
6514
A Virtual Wire object is capable of blocking or allowing traffic based on? MAC Physical address 802.1Q VLAN tag values IPv4 logical addresses IPv6 logical addresses
802.1Q VLAN tag values
In Active/Passive HA deployment what is synchronized through Data Link (HA2)? (select three.) Licenses ARP tables Forward tables Sessions
ARP tables Forward tables Sessions
What action allows file transfer, and generates a log entry in the Data Filter Log? Continue Alert Block Sinkhole
Alert
What is the default action setting when configuring a Security Policy Rule? Reset client Deny Drop Allow
Allow
Facebook-base requires web-browsing. To make sure Facebook-base will communicate successfully, what do you have to do? Web-browsing is allowed by default in PAN firewall App-ID database implicitly allows the parent application Create Security Policy Rule to allow web-browsing App-ID database needs to be updated
App-ID database implicitly allows the parent application
Why would an administrator add audit comments to the Security Policy Rule? Audit history of a Security Policy Rule Future reference in Security Policy Rule Logs can be audited in Security Policy Rule Required field in Security Policy Rule
Audit history of a Security Policy Rule
Which Next Generation Firewall feature is part of the Threat Intelligence Cloud and gives security operations and analysis teams direct access to all of the threat intelligence Palo Alto Networks gathers from clients, open source feeds, and the Unit 42 threat research team? Aperture Panorama Autofocus Global protect
Autofocus
When configuring a File Blocking Profile, which actions can you set? (choose three.) Block Reset Both Reset Server Sinkhole Reset Client Alert Continue
Block Alert Continue
Which User-ID mapping is recommended for clients that do not use the domain server? Captive Portal User-ID agent: Client probing Syslog listener XML API Terminal Services agent GlobalProtect User-ID agent: Session monitoring
Captive Portal
Which Next Generation Firewall plane can be accessed from the console/mgt interface and provides configuration, logging, and reporting functions? Network Signature Data Security Control
Control
The standard service allows firewalls to automatically send unknown Windows Portable Executable (PE) files for analysis. On a Palo Alto Networks firewall with a Threat Prevention license, the four Windows PE file types include EXE, SCR, FON and? CLASS JAR PDF DLL
DLL
Antivirus updated content is made available by Palo Alto Networks on the following schedule? 5 min Monthly Daily Weekly
Daily
On a Palo Alto Networks firewall with a Threat Prevention license, signatures and protections are made available? within 5 minutes daily within 1 minutes weekly
Daily
Which pieces of information are NOT passed during IKE Phase 1? (Select all that apply.) Hashing algorithm Lifetime Symmetric Key Algorithm Diffie-Hellman key exchange Domain Name Authentication method
Domain Name
What is the maximum number of IPsec tunnels that each tunnel interface can have? Each tunnel interface can have a maximum of 10 IPsec tunnels Each tunnel interface can have a maximum of 100 IPsec tunnels Each tunnel interface can have a maximum of 2 IPsec tunnels Each tunnel interface can have a maximum of 1 IPsec tunnel
Each tunnel interface can have a maximum of 10 IPsec tunnels
What are two approaches to mitigate DoS attacks? (choose two) Security policy rules Protection End Host Protection Zone-Based Protection DNS Proxy protection
End Host Protection Zone-Based Protection
The WildFire Regional Clouds are in: (select all that apply). China Europe India Singapore Japan
Europe Singapore Japan
Which GlobalProtect gateway provides security enforcement and VPN access for remote users? External gateways Internal gateways Security policy GlobalProtect Portal
External gateways
True or False? The Palo Alto Networks firewall includes two predefined, read-only File Blocking Profiles.
False
True or False? Active/active configuration is specifically designed to serve environments that need symmetric routing.
False
True or False? Each WildFire cloud analyses samples and generates malware signatures and verdicts dependent on other WildFire clouds. False True
False
True or False? When you configure HA on your Palo Alto Networks firewalls, the firewalls can have different sets of licenses.
False
True or false? An application filter is an object that statically groups applications based on the attributes of the application that you pick from the App-ID database.
False
True or false? Data Filtering Profiles are used to prevent sensitive, confidential and proprietary information from entering your network.
False
True or false? File blocking activity is logged to the Threat log.
False
True or false? SSL/TLS (commonly referred to simply as SSL) uses asymmetric only encryption.
False
True or false? The Palo Alto Networks firewall includes a predefined, read/write default Antivirus Security Profile.
False
True or false? When new applications are added to the App-ID database, application groups are always automatically updated.
False
When a firewall encounters a file, it will verify if the file is signed by a trusted signer. If the answer is yes, what is the next step that firewall will take? Firewall creates a hash number and sends to Wildfire for further analysis Firewall does not trust the signer and file is dropped. Firewall trusts that the file does not have hidden malware and allows the file to be delivered. Firewall creates a hash number for the file to see if the file already has been sent to WildFire.
Firewall trusts that the file does not have hidden malware and allows the file to be delivered.
In a TCP exchange how many packets does it take to identify the application? Three One Two Four or Five
Four or five
In the Application Command Center (ACC), which filter allows you to restrict the display to the data you are interested in right now and to remove irrelevant information from the current display? Global filter Universal filter Group filter Local filter
Global filter
Which User-ID mapping is recommended for GlobalProtect VPN clients? User-ID agent: Session monitoring Terminal Services agent GlobalProtect Captive Portal XML API User-ID agent: Client probing Syslog listener
GlobalProtect
Connectivity in all parts of the GlobalProtect infrastructure is authenticated by using SSL certificates. Which two GlobalProtect Certificates are optional? GlobalProtect Gateway certificate GlobalProtect client certificate GlobalProtect Portal certificate Certificate authority (CA) certificate
GlobalProtect client certificate Certificate authority (CA) certificate
How do you know which Security policy is being used and how often? Rule monitor Action rule Hit count Rule usage
Hit count
In which phase of the IKE process would the data traffic be encapsulated? IKE Phase 1 IKE Phase 3 IKE Phase 2 Data is always sent in clear text
IKE Phase 2
On VM-Series firewalls starting with PAN-OS version 8.0, the MGT port is configured with?
IP address DHCP
You may use the Palo Alto Networks firewall to deploy two firewalls as a High Availability (HA) pair. When firewalls synchronize which of the following is NOT shared between peers? Share certificate IP address management interface Session information Policy configuration
IP address management interface
The PAN-OS DIPP NAT implementation supports oversubscription on some platforms. What is DIPP NAT Oversubscription?
Increase port numbers available for DIPP
To which item do you apply Zone Protection Profiles? Egress ports Ingress ports DNS Proxy protection Security policy rules
Ingress ports
The user-ID agent is available in two forms: an integrated agent resident on the firewall or a Windows-based agent. Which agent type uses network bandwidth more efficiently? Windows-based agent Integrated agent resident on the firewall Both use bandwidth efficiently No bandwidth is used by agents
Integrated agent resident on the firewall
The GlobalProtect portal includes an IP address and a DNS hostname as part of the information passed on to the client connection request. The agent performs a reverse lookup on the IP address. If the expected hostname is received as a response, to which GlobalProtect gateway will the client connect? External gateway Portal gateway Internal gateway None
Internal gateway
In which Security Policy rule type can you not define a destination zone? Intrazone rule Zone-to-zone rule Universal rule Interzone rule
Intrazone rule
In Active/Passive deployment HA Control link is? Layer 1 link Layer 2 link Layer 3 link Layer 4 link
Layer 3 link
When encryption of traffic is enabled, looking at the OSI Model 7 Layers, which layers are encrypted? Layer 6 Presentation Layer 7 Application Layer 5 Session (TLS/SSL) Layer 2 Data Link (MAC Addresses) Layer 1 Physical (Hardware) Layer 4 Transport (Ports) Layer 3 Network (IP Addresses)
Layer 6 Presentation Layer 7 Application
What pieces of information are passed during IKE Phase 1? (Select all that apply.) Lifetime Diffie-Hellman key exchange Symmetric Key Algorithm Hashing algorithm Authentication method MAC address Domain Name
Lifetime Diffie-Hellman key exchange Symmetric Key Algorithm Hashing algorithm Authentication method
Why must you set up server monitoring for all individual domain controllers to catch all user logon events? Logs are not replicated between Domain Controllers Windows-based agent requirement PAN-OS integrated agent requirement NAC systems requirement
Logs are not replicated between Domain Controllers
In User-ID, Windows-based agent uses? WinRM MS-RPC WMI SNMP
MS-RPC
Before you can configure HA on your Palo Alto Networks firewalls, both firewalls must have? (select three.) Identical management IP address Matching Threat databases Up-to-date application Matching URL database
Matching Threat databases Up-to-date application Matching URL database
In which Next Generation Firewall feature is metadata from all sources filtered, deduplicated, and unified, enabling security teams to determine a more actionable data set that has been enriched from multiple sources? Aperture Autofocus GlobalProtect MineMeld
MineMeld
If malware or phishing URLs are detected, WildFire can generate a new antivirus signature or add a URL to the PAN-DB Phishing URL category, how long before this update is available worldwide? 6 Hours 1 Week 24 Hours Minutes
Minutes
Which version of NetFlow records can the firewall generate and export to an outside NetFlow collector? Net flow ver 1 Net flow ver 3 Net flow ver 5 Net flow ver 9
Net flow ver 9
Where should you install Windows-based agent? Panorama Domain Controller PAN Firewall One or more domain member
One or more domain member
Initial firewall configuration is achieved by connecting to the MGT port or to the firewall serial console port. This type of connection is called? In-band Direct In-direct Out-of-band
Out-of-band
In a single physical Palo Alto Networks firewall, Virtual Systems, or vsys, are separate logical firewall instances. In which firewall series are virtual systems (vsys) NOT supported? PA-3x00 PA-5x00 PA-800 PA-7x00
PA-800
Logs can be forwarded to which four of the following Remote Logging Destinations? (Choose four.) Panorama DHCP Server Email SNMP manager Syslog/SIEM server
Panorama Email SNMP manager Syslog/SIEM server
Not all traffic should be decrypted. Depending on local rules and regulations, what traffic can not legally be decrypted? (select all that apply). Office records Privacy concerns Health records Financial records
Privacy concerns Health records Financial records
If WMI probing is enabled, what type of IP addresses will WMI probe? Private IP addresses APIPA addresses Loopback addresses Public IP addresses
Private IP addresses
If you know the admin account password, what command can be used to reset a firewall to its default factory settings?
Request system private-data-reset
What configuration is the actual configuration which controls the firewall operation? Service XML Candidate Running
Running
Which administrative management services and network services are enabled by default to access and manage the firewall through the MGT interface? SSH HTTP SNMP Ping Telnet HTTPS
SSH Ping HTTPS
GlobalProtect Clientless VPN offers secure remote access to popular enterprise web applications using HTML, HTML5, and JavaScript technologies. How will clients have access to the GlobalProtect client software? Http-enabled web browsers GlobalProtect Windows server software GlobalProtect Mac server software SSL-enabled web browsers
SSL-enabled web browsers
You may use the Palo Alto Networks firewall to deploy two firewalls as a High Availability (HA) pair. When firewalls synchronize which of the following is shared between peers? Application Command Center Session information Log data IP address management interface
Session information
DoS policy and DoS Profile protect: (choose two) Specific hosts Egress ports Destination zone Source zone
Specific hosts Destination zone
The Windows-based agent can be installed on 32-bit or 64-bit machines running Microsoft Windows Operating system XP SP3 or later. What TCP port will User-ID agent use to communicate with the firewall? UDP port 389 TCP port 389 UDP port 5007 TCP port 5007
TCP port 5007
What is Rule Shadowing? Bottom rule hides top rules Two rules are the same Default rules are applied The above rule hides rule beneath
The above rule hides rule beneath
The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. What four predefined tabs are included by default in the ACC? (Choose four.) Application Usage Threat Activity Blocked Activity Tunnel Activity Network Activity User Activity
Threat Activity Blocked Activity Tunnel Activity Network Activity
Application exceptions are usually configured when false positives occur. The configuration of specific application exemptions allows the firewall to pass on traffic that was previously blocked. What is used to identify specific application to be used as Application exceptions? IP address Threat ID Port Number Hint Count
Threat ID
Which are not Security Profiles Types? (Select two) Telemetry Antivirus Data Filtering File Blocking WildFire Analysis URL Filtering Anti-Spyware Vulnerability Protection Threat intelligence
Threat intelligence Telemetry
The default logging behavior is to log only at the end of the session. Why would an administrator enable logging at the start of the session? No login at the start of the session is possible Troubleshooting Disable logging at the end of session Required for SNMP logging
Troubleshooting
True or False? The integrated agent is more suited for reading remote logs and the Windows-based agent is more suited for reading local logs.
True
True or false? No URL filtering license is necessary to define and use custom URL categories.
True
Which model of the Palo Alto Next Generation VM series needs a minimum of 16 GB of memory and 60 GB of dedicated disk drive capacity? VM-700 VM-100 VM-50 VM-500
VM-500
Before you can configure HA on your VM-Series firewalls, you need to make sure that VM machines have? VM-Series firewalls have same IP address management interface VM-Series firewalls have same number of CPU cores assigned to each peer VM-Series firewalls have same Application Command Center VM-Series firewalls have same log data
VM-Series firewalls have same number of CPU cores assigned to each peer
A network engineer clicks "Save candidate configuration" to save the configuration to memory to finish the configuration later. After the engineer continues editing and clicks "Save candidate configuration" again, the configuration that is saved in memory is overwritten. What type of memory is this saved configuration stored in? Read only Non-volatile memory Volatile memory Flash memory
Volatile memory
In which zone type can the interface not be assigned?
Vwire Layer 3 Tunnel Tap Layer 2
Applications and Threats updated content is made available by Palo Alto Networks on the following schedule? Daily Monthly Weekly 5 min
Weekly
What license is required to have access to Antivirus Signatures content database available within 5 minutes? WildFire license No license is required Threat Prevention license URL Filtering license
WildFire license
A digital PKI certificate is a method of packaging and distributing public keys in a way that proves their owners' identity. Palo Alto Networks firewalls support __________ format certificates. X.507 X.508 X.506 X.509
X.509
Administrator plans to deploy GlobalProtect to its network using the latest Next Generation Palo Alto firewall. Will the administrator be successful in deploying GlobalProtect with only one firewall? GlobalProtect is compatible with Palo Alto. No. Because GlobalProtect is not supported on the latest Next Generation Palo Alto firewall. No. Because you need two firewalls GlobalProtect Portal firewall and GlobalProtect Gateway firewall. Yes. Because gateway and portal can be configured on the same firewall
Yes. Because gateway and portal can be configured on the same firewall
For file transfer applications, what six protocols are in default Antivirus Profile? (choose six). http/2 smtp ftp dhcp pop3 imap dns smb
http/2 smtp ftp pop3 smb
GlobalProtect does not include a host name and address pair in the response to the client. To which gateway will the client attempt to connect first? Portal gateway internal gateway none external gateway
internal gateway
When you select users for a Security policy, which option will you use if you want to match a specific user or group identified by User-ID? any unknown pre-logon select known-user
select
In a route-based site-to-site VPN, each tunnel is bound to a? physical interface serial interface tunnel interface loopback interface
tunnel interface
GlobalProtect supports three client connection methods? (choose three.) known user any users user-logon all users none pre-logon on-demand
user-logon pre-logon on-demand