TEST A

Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?. management. network processing. data. security processing.

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base. On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days. Based on the information, how is the SuperApp traffic affected after the 30 days have passed?. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application. No impact because the apps were automatically downloaded and installed. No impact because the firewall automatically adds the rules to the App-ID interface. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications.

How many zones can an interface be assigned with a Palo Alto Networks firewall?. two. three. four. one.

Which two configuration settings shown are not the default? (Choose two.). Enable Security Log. Server Log Monitor Frequency (sec). Enable Session. Enable Probing.

Which data plane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?. Signature Matching. Network Processing. Security Processing. Data Interfaces.

Which option shows the attributes that are selectable when setting up application filters?. Category, Subcategory, Technology, and Characteristic. Category, Subcategory, Technology, Risk, and Characteristic. Name, Category, Technology, Risk, and Characteristic. Category, Subcategory, Risk, Standard Ports, and Technology.

Actions can be set for which two items in a URL filtering security profile? (Choose two.). Block List. Custom URL Categories. PAN-DB URL Categories. Allow List.

Which two statements are correct about App-ID content updates? (Choose two.). Updated application content might change how Security policy rules are enforced. After an application content update, new applications must be manually classified prior to use. Existing security policy rules are not affected by application content updates. After an application content update, new applications are automatically identified and classified.

Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?. Windows session monitoring. passive server monitoring using the Windows-based agent. Captive Portal. passive server monitoring using a PAN-OS integrated User-ID agent.

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory. Create an Application Group and add business-systems to it. Create an Application Filter and name it Office Programs, then filter it on the business-systems category. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office.

Which statement is true regarding a Best Practice Assessment?. The BPA tool can be run only on firewalls. It provides a percentage of adoption for each assessment data. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?. intrazone-default. Deny Google. allowed-security services. interzone-default.

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________. on either the data place or the management plane. after it is matched by a security policy rule that allows traffic. before it is matched to a Security policy rule. after it is matched by a security policy rule that allows or blocks traffic.

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?. Translation Type. Interface. Address Type. IP Address.

Which interface does not require a MAC or IP address?. Virtual Wire. Layer3. Layer2. Loopback.

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?. Rule Usage Filter > No App Specified. Rule Usage Filter >Hit Count > Unused in 30 days. Rule Usage Filter > Unused Apps. Rule Usage Filter > Hit Count > Unused in 90 days.

Order the steps needed to create a new security zone with a Palo Alto Networks firewall. Select Zones from the list of available items. Select Network tab. Specify Zone Name. Specify Zone Type. Assign interfaces as needed. Select Add.

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.). An implicit dependency does not require the dependent application to be added in the security policy. An implicit dependency requires the dependent application to be added in the security policy. An explicit dependency does not require the dependent application to be added in the security policy. An explicit dependency requires the dependent application to be added in the security policy.

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping. What is the quickest way to reset the hit counter to zero in all the security policy rules?. At the CLI enter the command reset rules and press Enter. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule. Reboot the firewall. Use the Reset Rule Hit Counter > All Rules option.

Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.). facebook. facebook-chat. facebook-base. facebook-email.

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?. Windows-based agent deployed on the internal network. PAN-OS integrated agent deployed on the internal network. Citrix terminal server deployed on the internal network. Windows-based agent deployed on each of the WAN Links.

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP `"to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures. Given the scenario, choose the option for sending IP-to-user mappings to the NGFW. syslog. RADIUS. UID redistribution. XFF headers.

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command- and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.). vulnerability protection profile applied to outbound security policies. anti-spyware profile applied to outbound security policies. antivirus profile applied to outbound security policies. URL filtering profile applied to outbound security policies.

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?. Delivery. Reconnaissance. Command and Control. Exploitation.

Identify the correct order to configure the PAN-OS integrated USER-ID agent. 3. add the service account to monitor the server(s) 2. define the address of the servers to be monitored on the firewall 4. commit the configuration, and verify agent connection status 1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent. 2-3-4-1. 1-4-3-2. 3-1-2-4. 1-3-2-4.

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone. Complete the security policy to ensure only Telnet is allowed. Security Policy: Source Zone: Internal to DMZ Zone __________services `Application defaults`, and action = Allow. Destination IP: 192.168.1.123/24. Application = "Telnet". Log Forwarding. USER-ID = "Allow users in Trusted".

Based on the security policy rules shown, ssh will be allowed on which port?. 80. 53. 22. 23.

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?. Threat Prevention. WildFire. Antivirus. URL Filtering.

An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?. branch office traffic. north-south traffic. perimeter traffic. east-west traffic.

Given the topology, which zone type should zone A and zone B to be configured with?. Layer3. Tap. Layer2. Virtual Wire.

To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?. domain controller. TACACS+. LDAP. RADIUS.

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?. Layer 2. Tap. Layer 3. Virtual Wire.

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?. Root. Dynamic. Role-based. Superuser.

Which administrator type utilizes predefined roles for a local administrator account?. Superuser. Role-based. Dynamic. Device administrator.

Which two security profile types can be attached to a security policy? (Choose two.). antivirus. DDoS protection. threat. vulnerability.

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop. Which security profile feature could have been used to prevent the communication with the CnC server?. Create an anti-spyware profile and enable DNS Sinkhole. Create an antivirus profile and enable DNS Sinkhole. Create a URL filtering profile and block the DNS Sinkhole category. Create a security policy and enable DNS Sinkhole.

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?. Active Directory monitoring. Windows session monitoring. Windows client probing. domain controller monitoring.

Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.). Security policy rules are attached to Security Profiles. Security Profiles are attached to Security policy rules. Security Profiles should be used only on allowed traffic. Security policy rules inspect but do not block traffic. Security policy rules can block or allow traffic.

Given the image, which two options are true about the Security policy rules. (Choose two.). The Allow-Office-Programs rule is using an Application Filter. In the Allow-FTP policy, FTP is allowed using App-ID. The Allow-Office-Programs rule is using an Application Group. The Allow-Social-Media rule allows all of Facebook's functions.

Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?. global. intrazone. interzone. universal.

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?. GlobalProtect. AutoFocus. Aperture. Panorama.

Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.). Path monitoring does not determine if route is useable. Route with highest metric is actively used. Path monitoring determines if route is useable. Route with lowest metric is actively used.

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine. Exploitation. Installation. Reconnaissance. Act on Objective.

Which file is used to save the running configuration with a Palo Alto Networks firewall?. running-config.xml. run-config.xm. running-configuration.xml. run-configuration.xml.

In the example security policy shown, which two websites would be blocked? (Choose two.). LinkedIn. Facebook. YouTube. Amazon.

Which Palo Alto Networks component provides consolidated policy creation and centralized management?. GlobalProtect. Panorama. Prisma SaaS. AutoFocus.

Which statement is true regarding a Prevention Posture Assessment?. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture. It provides a percentage of adoption for each assessment area. It performs over 200 security checks on Panorama/firewall for the assessment.

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.). User identification. Filtration protection. Vulnerability protection. Antivirus. Application identification. Anti-spyware.

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn't want to unblock the gambling URL category. Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.). Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow. Manually remove powerball.com from the gambling URL category. Add *.powerball.com to the allow list. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?. Aperture. AutoFocus. Panorama. GlobalProtect.

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server. Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?. antivirus profile applied to outbound security policies. data filtering profile applied to inbound security policies. data filtering profile applied to outbound security policies. vulnerability profile applied to inbound security policies.

Which update option is not available to administrators?. New Spyware Notifications. New URLs. New Application Signatures. New Malicious Domains. New Antivirus Signatures.

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin.

How often does WildFire release dynamic updates?. every 5 minutes. every 15 minutes. every 60 minutes. every 30 minutes.

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?. every 30 minutes. every 5 minutes. every 24 hours. every 1 minute.

Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?. Windows-based agent on a domain controller. Captive Portal. Citrix terminal server agent with adequate data-plane resources. PAN-OS integrated agent.

Arrange the correct order that the URL classifications are processed within the system. Select and Place: First. Second. Third. Fourth. Fifth. Sixth.

What must you configure to enable the firewall to access multiple Authentication Profiles to authenticate a non-local account?. authentication sequence. LDAP server profile. authentication server list. authentication list profile.

Which Security Profile mitigates attacks based on packet count?. zone protection profile. URL filtering profile. antivirus profile. vulnerability profile.

Which interface type uses virtual routers and routing protocols?. Tap. Layer3. Virtual Wire. Layer2.

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?. Override. Allow. Block. Continue.

An internal host needs to connect through the firewall using source NAT to servers of the internet. Which policy is required to enable source NAT on the firewall?. NAT policy with internal zone and internet zone specified. post-NAT policy with external source and any destination address. post-NAT policy with external source and any destination address. pre-NAT policy with external source and any destination address.

Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP addresses?. DoS protection. URL filtering. packet buffering. anti-spyware.

Which path in PAN-OS 9.0 displays the list of port-based security policy rules?. Policies> Security> Rule Usage> No App Specified. Policies> Security> Rule Usage> Port only specified. Policies> Security> Rule Usage> Port-based Rules. Policies> Security> Rule Usage> Unused Apps.

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.). Layer-ID. User-ID. QoS-ID. App-ID.

Which path is used to save and load a configuration with a Palo Alto Networks firewall?. Device>Setup>Services. Device>Setup>Management. Device>Setup>Operations. Device>Setup>Interfaces.

Match the network device with the correct User-ID technology. Select and Place: Microsoft Exchange. Linux authentication. Windows clients. Citrix client.

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?. Review Policies. Review Apps. Pre-analyze. Review App Matches.

Match the Cyber-Attack Lifecycle stage to its correct description. reconnaissance. installation. command and control. act on the objective.

An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ or Untrust zones. The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where the source and destination zones are VPN. Which Security policy rule type should they use?. Interzone. Universal. Intrazone. Default.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to `any`. There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to `all`. Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?. Active. Passive. Active-Secondary. Non-functional.

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized. Given the size of this environment, which User-ID collection method is sufficient?. Windows-based agent deployed on each domain controller. PAN-OS integrated agent deployed on the firewall. a syslog listener. Citrix terminal server agent deployed on the network.

Which statement best describes the Automated Commit Recovery feature?. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall if the check fails. It restores the running configuration on a firewall if the last configuration commit fails. It restores the running configuration on a firewall and Panorama if the last configuration commit fails. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?. There is insufficient application data after the TCP connection was established. The TCP connection was terminated without identifying any application data. The TCP connection did not fully establish. The client sent a TCP segment with the PUSH flag set.

Match the Palo Alto Networks Security Operating Platform architecture to its description. Select and Place: Threat Intelligence Cloud. Next-Generation Firewall. Advanced Endpoint Protection.

Which two Palo Alto Networks security management tools provide a consolidated creation of policies, centralized management and centralized threat intelligence. (Choose two.). GlobalProtect. Panorama. Aperture. AutoFocus.