examen

Match the Palo Alto Networks Security Operating Platform architecture to its description. Select and Place: Threat Intelligence Cloud. Next-Generation Firewall. Advanced Endpoint Protection.

Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?. management. network processing. data. security processing.

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base. On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days. Based on the information, how is the SuperApp traffic affected after the 30 days have passed?. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application. No impact because the apps were automatically downloaded and installed. No impact because the firewall automatically adds the rules to the App-ID interface. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications.

How many zones can an interface be assigned with a Palo Alto Networks firewall?. two. three. four. one.

Which two configuration settings shown are not the default? (Choose two.). Enable Security Log. Server Log Monitor Frequency (sec). Enable Session. Enable Probing.

Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?. Signature Matching. Network Processing. Security Processing. Data Interfaces.

Which option shows the attributes that are selectable when setting up application filters?. Category, Subcategory, Technology, and Characteristic. Category, Subcategory, Technology, Risk, and Characteristic. Name, Category, Technology, Risk, and Characteristic. Category, Subcategory, Risk, Standard Ports, and Technology.

Actions can be set for which two items in a URL filtering security profile? (Choose two.). Block List. Custom URL Categories. PAN-DB URL Categories. Allow List.

DRAG DROP - Match the Cyber-Attack Lifecycle stage to its correct description. Select and Place: Reconnaissance. installation. Command and Control. Act on the Objective.

Actions can be set for which two items in a URL filtering security profile? (Choose two.). Updated application content might change how Security policy rules are enforced. After an application content update, new applications must be manually classified prior to use. Existing security policy rules are not affected by application content updates. After an application content update, new applications are automatically identified and classified.

Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?. Windows session monitoring. passive server monitoring using the Windows-based agent. Captive Portal. passive server monitoring using a PAN-OS integrated User-ID agent.

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory. Create an Application Group and add business-systems to it. Create an Application Filter and name it Office Programs, then filter it on the business-systems category. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office.

Which statement is true regarding a Best Practice Assessment?. The BPA tool can be run only on firewalls. It provides a percentage of adoption for each assessment area. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?. intrazone-default. Deny Google. allowed-security services. interzone-default.

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________. on either the data place or the management plane. after it is matched by a security policy rule that allows traffic. before it is matched to a Security policy rule. after it is matched by a security policy rule that allows or blocks traffic.

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?. Translation Type. Interface. Address Type. IP Address.

Which interface does not require a MAC or IP address?. Virtual Wire. Layer3. Layer2. Loopback.

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?. Rule Usage Filter > No App Specified. Rule Usage Filter >Hit Count > Unused in 30 days. Rule Usage Filter > Unused Apps. Rule Usage Filter > Hit Count > Unused in 90 days.

Order the steps needed to create a new security zone with a Palo Alto Networks firewall. Select and Place: Step 1. Step 2. Step 3. Step 4. Step 5. Step 6.

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.). An implicit dependency does not require the dependent application to be added in the security policy. An implicit dependency requires the dependent application to be added in the security policy. An explicit dependency does not require the dependent application to be added in the security policy. An explicit dependency requires the dependent application to be added in the security policy.

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping. What is the quickest way to reset the hit counter to zero in all the security policy rules?. At the CLI enter the command reset rules and press Enter. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule. Reboot the firewall. Use the Reset Rule Hit Counter > All Rules option.

Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.). facebook. facebook-chat. facebook-base. facebook-email.

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?. Windows-based agent deployed on the internal network. PAN-OS integrated agent deployed on the internal network. Citrix terminal server deployed on the internal network. Windows-based agent deployed on each of the WAN Links.

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP `"to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures. Given the scenario, choose the option for sending IP-to-user mappings to the NGFW. syslog. RADIUS. UID redistribution. XFF headers.

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command- and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.). vulnerability protection profile applied to outbound security policies. anti-spyware profile applied to outbound security policies. antivirus profile applied to outbound security policies. URL filtering profile applied to outbound security policies.

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?. Delivery. Reconnaissance. Command and Control. Exploitation.

Identify the correct order to configure the PAN-OS integrated USER-ID agent. 1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent 2. define the address of the servers to be monitored on the firewall 3. add the service account to monitor the server(s) 4. commit the configuration, and verify agent connection status. 2-3-4-1. 1-4-3-2. 3-1-2-4. 1-3-2-4.

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone. Complete the security policy to ensure only Telnet is allowed. Security Policy: Source Zone: Internal to DMZ Zone __________services `Application defaults`, and action = Allow. Destination IP: 192.168.1.123/24. Application = "Telnet". Log Forwarding. USER-ID = "Allow users in Trusted".

Based on the security policy rules shown, ssh will be allowed on which port?. 80. 53. 22. 23.

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?. Threat Prevention. WildFire. Antivirus. URL Filtering.

An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?. branch office traffic. north-south traffic. perimeter traffic. east-west traffic.

Given the topology, which zone type should zone A and zone B to be configured with?. Layer3. Tap. Layer2. Virtual Wire.

To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?. domain controller. TACACS+. LDAP. RADIUS.

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?. Layer 2. Tap. Layer 3. Virtual Wire.

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?. Root. Dynamic. Role-based. Superuser.

Which administrator type utilizes predefined roles for a local administrator account?. Superuser. Role-based. Dynamic. Device administrator.

Which two security profile types can be attached to a security policy? (Choose two.). antivirus. DDoS protection. threat. vulnerability.

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop. Which security profile feature could have been used to prevent the communication with the CnC server?. Create an anti-spyware profile and enable DNS Sinkhole. Create an antivirus profile and enable DNS Sinkhole. Create a URL filtering profile and block the DNS Sinkhole category. Create a security policy and enable DNS Sinkhole.

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?. Active Directory monitoring. Windows session monitoring. Windows client probing. domain controller monitoring.

Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.). Security policy rules are attached to Security Profiles. Security Profiles are attached to Security policy rules. Security Profiles should be used only on allowed traffic. Security policy rules inspect but do not block traffic. Security policy rules can block or allow traffic.

Given the image, which two options are true about the Security policy rules. (Choose two.). The Allow Office Programs rule is using an Application Filter. In the Allow FTP to web server rule, FTP is allowed using App-ID. The Allow Office Programs rule is using an Application Group. In the Allow Social Networking rule, allows all of Facebook's functions.

Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?. global. intrazone. interzone. universal.

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?. GlobalProtect. AutoFocus. Aperture. Panorama.

Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.). Path monitoring does not determine if route is useable. Route with highest metric is actively used. Path monitoring determines if route is useable. Route with lowest metric is actively used.

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine. Exploitation. Installation. Reconnaissance. Act on Objective.

Which file is used to save the running configuration with a Palo Alto Networks firewall?. running-config.xml. run-config.xml. running-configuration.xml. run-configuration.xml.

In the example security policy shown, which two websites would be blocked? (Choose two.). LinkedIn. Facebook. YouTube. Amazon.

Which Palo Alto Networks component provides consolidated policy creation and centralized management?. GlobalProtect. Panorama. Prisma SaaS. AutoFocus.

Which statement is true regarding a Prevention Posture Assessment?. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture. It provides a percentage of adoption for each assessment area. It performs over 200 security checks on Panorama/firewall for the assessment.

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.). User identification. Filtration protection. Vulnerability protection. Antivirus. Application identification. Anti-spyware.

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn't want to unblock the gambling URL category. Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.). Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow. Manually remove powerball.com from the gambling URL category. Add *.powerball.com to the allow list. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?. Aperture. AutoFocus. Panorama. GlobalProtect.

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server. Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?. antivirus profile applied to outbound security policies. data filtering profile applied to inbound security policies. data filtering profile applied to outbound security policies. vulnerability profile applied to inbound security policies.

Which update option is not available to administrators?. New Spyware Notifications. New URLs. New Application Signatures. New Malicious Domains. New Antivirus Signatures.

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin.

How often does WildFire release dynamic updates?. in realtime. every 5 minutes. every 15 minutes. every 30 minutes.

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?. every 30 minutes. every 5 minutes. every 24 hours. every 1 minute.

Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?. Windows-based agent on a domain controller. Captive Portal. Citrix terminal server agent with adequate data-plane resources. PAN-OS integrated agent.

DRAG DROP - Arrange the correct order that the URL classifications are processed within the system. Select and Place: first. second. third. fourth. fifth. sixth.

What must you configure to enable the firewall to access multiple Authentication Profiles to authenticate a non-local account?. authentication sequence. LDAP server profile. authentication server list. authentication list profile.

Which Security Profile mitigates attacks based on packet count?. zone protection profile. URL filtering profile. antivirus profile. vulnerability profile.

Which interface type uses virtual routers and routing protocols?. Tap. Layer3. Virtual Wire. Layer2.

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?. Override. Allow. Block. Continue.

An internal host needs to connect through the firewall using source NAT to servers of the internet. Which policy is required to enable source NAT on the firewall?. NAT policy with internal zone and internet zone specified. post-NAT policy with external source and any destination address. NAT policy with no internal or internet zone selected. pre-NAT policy with external source and any destination address.

Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP addresses?. DoS protection. URL filtering. packet buffering. anti-spyware.

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.). Layer-ID. User-ID. QoS-ID. App-ID.

Which path is used to save and load a configuration with a Palo Alto Networks firewall?. Device>Setup>Services. Device>Setup>Management. Device>Setup>Operations. Device>Setup>Interfaces.

DRAG DROP - Match the network device with the correct User-ID technology. Select and Place. Microsoft exchange. Linux authentication. Windows Clients. Citrix Clients.

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?. Review Policies. Review Apps. Pre-analyze. Review App Matches.

How do you reset the hit count on a Security policy rule?. Select a Security policy rule, and then select Hit Count > Reset. Reboot the data-plane. First disable and then re-enable the rule. Type the CLI command reset hitcount <POLICY-NAME>.

Given the topology, which zone type should you configure for firewall interface E1/1?. Tap. Tunnel. Virtual Wire. Layer3.

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?. Management. High Availability. Aggregate. Aggregation.

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?. intrazone. interzone. universal. global.

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL?. EDL in URL Filtering Profile. Custom URL category in URL Filtering Profile. Custom URL category in Security policy rule. PAN-DB URL category in URL Filtering Profile.

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL?. EDL in URL Filtering Profile. Custom URL category in URL Filtering Profile. Custom URL category in Security policy rule. PAN-DB URL category in URL Filtering Profile.

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?. north-south. inbound. outbound. east-west.

Which protocol is used to map usernames to user groups when User-ID is configured?. TACACS+. SAML. LDAP. RADIUS.

Which definition describes the guiding principle of the zero-trust architecture?. trust, but verify. always connect and verify. never trust, never connect. never trust, always verify.

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone. Complete the two empty fields in the Security policy rules that permits only this type of access. Source Zone: Internal - Destination Zone: DMZ Zone - Application: _________? Service: ____________?. Service = application-default. Service = service-telnet. Application = Telnet. Application = any.

In which profile should you configure the DNS Security feature?. Anti-Spyware Profile. Zone Protection Profile. Antivirus Profile. URL Filtering Profile.

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.). GlobalProtect agent. XML API. User-ID Windows-based agent. log forwarding auto-tagging.

The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate laptop. The malware contacted a known command- and-control server, which caused the infected laptop to begin exfiltrating corporate data. Which security profile feature could have been used to prevent the communication with the command-and-control server?. Create an anti-spyware profile and enable DNS Sinkhole feature. Create an antivirus profile and enable its DNS Sinkhole feature. Create a URL filtering profile and block the DNS Sinkhole URL category. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?. virtual router. Admin Role profile. DNS proxy. service route.

Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?. Prisma SaaS. GlobalProtect. AutoFocus. Panorama.

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?. TACACS+. RADIUS. LDAP. SAML.

Which operations are allowed when working with App-ID application tags?. Predefined tags may be deleted. Predefined tags may be augmented by custom tags. Predefined tags may be modified. Predefined tags may be updated by WildFire dynamic updates.

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized. Which User-ID agent is sufficient in your network?. Windows-based agent deployed on each domain controller. PAN-OS integrated agent deployed on the firewall. Citrix terminal server agent deployed on the network. Windows-based agent deployed on the internal network a domain member.

Which statement is true about a URL Filtering Profile’s continue password?. There is a password per session. There is a password per firewall administrator account. There is a single, per-firewall password. There is a password per website.

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?. Role-based. Multi-Factor Authentication. Dynamic. SAML.

Which statement is true regarding a Heatmap report?. When guided by authorized sales engineer, it helps determine the areas of greatest security risk. It runs only on firewalls. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture. It provides a percentage of adoption for each assessment area.

Based on the screenshot presented, which column contains the link that when clicked, opens a window to display all applications matched to the policy rule?. Apps Allowed. Service. Name. Apps Seen.

Access to which feature requires the PAN-OS Filtering license?. PAN-DB database. DNS Security. Custom URL categories. URL external dynamic lists.

Based on the screenshot, what is the purpose of the Included Groups?. They are groups that are imported from RADIUS authentication servers. They are the only groups visible based on the firewall's credentials. They contain only the users you allow to manage the firewall. They are used to map users to groups.

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?. The User-ID agent is connected to a domain controller labeled lab-client. The host lab-client has been found by the User-ID agent. The host lab-client has been found by a domain controller. The User-ID agent is connected to the firewall labeled lab-client.

Which action results in the firewall blocking network traffic without notifying the sender?. Drop. Deny. Reset Server. Reset Client.

What do Dynamic User Groups help you to do?. create a policy that provides auto-remediation for anomalous user behavior and malicious activity. create a dynamic list of firewall administrators. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity. create a policy that provides auto-sizing for anomalous user behavior and malicious activity.

Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures?. Review App Matches. Review Apps. Pre-analyze. Review Policies.

Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?. interzone-default. internal-inside-dmz. inside-portal. egress-outside.

Which type of firewall configuration contains in-progress configuration changes?. backup. candidate. running. committed.

Which three configuration settings are required on a Palo Alto Network firewall management interface? (Choose three.). hostname. netmask. default gateway. auto-negotiation. IP address.

What is an advantage for using application tags?. They are helpful during the creation of new zones. They help content updates automate policy updates. They help with the creation of interfaces. They help with the design of IP address allocations in DHCP.

At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?. after clicking Check Now in the Dynamic Update window. after committing the firewall configuration. after installing the update. after downloading the update.

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile detects and prevents this threat from establishing a command-and-control connection?. Vulnerability Protection Profile applied to outbound Security policy rules. Anti-Spyware Profile applied to outbound security policies. Antivirus Profile applied to outbound Security policy rules. Data Filtering Profile applied to outbound Security policy rules.

Which two statements are true regardi ng the candidate configuration? (Choose two.). It controls the current operation of the firewall. It contains possible change s to the current configuration. It can be reverted to the current configuration. It always contains the factory default configuration.

True or false? The running config uration consists of configuration ch anges in progress but not active on the firewall. true. false.

When committing changes to a firewall, what is the result of clicking the Preview Changes link?. shows any error messages that would appear during a commit. lists the individual settings for which you are committing changes. compares the candidate configuration to the running configuration. displays any unresolved application dependencies.

True or false? The Export operations transfer configurations as XML-formatted files from the firewall. true. false.

When creating a custom admin role, which four types of privileges can be defined? (Choose four.). WebUI. Panorama. REST API. Command Line. Java API. XML API.

True or false? Server Profiles de fine connections that the firewa ll can make to external servers. true. false.

Global user authentication is supported by which three authentication services? (Choose three.). SAML. LDAP. RADIUS. Certificate. TACACS +.

True or false? Certificate-based authentication replaces all other forms of either local or external authentication. true. false.

Which two items are supported routing protocols on a virtual router? (Choose two.). OSPF. IGRP. EGP. BGP.

Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.). FC. Layer3. FCoE. Tap. Virtual wire.

Which two firewall interface types can be adde d to a Layer3-type security zone? (Choose two.). Tunnel. Virtual wire. Tap. Loopback.

Which type of firewall interface enables passive monitoring of network traffic?. Virtual wire. Tap. Loopback. Tunnel.

True or false? A Layer 3 interface can be configured as a dual-stack with IPv4 and IPv6 addresses. true. false.

Which two items are required to match criteria in a Palo Alto Networks S ecurity policy rule? (Choose two.). source zone. destination zone. destination address. destination port.

Which type of Security policy rule is the default rule type?. intrazone. interzone. universal. default.

Which action in a Security policy rule results in traffic being silently rejected?. deny. drop. reset server. reset client.

True or false? Logging on intrazone-default and inte rzone-default Security polic y rules is enabled by default. true. false.

NAT oversubscription is used in conj unction with which NAT translation type?. static. dynamic IP. dynamic IP and port. dynamic IP with session distribution.

Which source NAT type changes the course IP address while leaving the source port unchanged?. Static IP. Dynamic IP. Dynamic IP and port.

When configuring a destination NAT Security policy, what destination address would you use?. address of the web server. address of the egress firewall interface. address of the ingress firewall interface.

True or false? Source NAT is commonly used fo r private users to access the public internet. true. false.

Which three methods does App-ID use to identify network traffic? (Choose three.). signatures. protocol decoders. heuristics. URL category. application filter match.

How would App-ID label TCP traffic when the thre e-way handshake completes but not enough data is sent to identify an application?. not-applicable. incomplete. insufficient-data. unknown-tcp.

True or false? When migration is done from another vendor’s firewall to a Palo Alto Networks firewall, a best practice is always to migrate the existing Security policy. true. false.

True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware. true. false.

When an Applications and Threats content update is performed, which is the earliest point you can review the impact of new application signatures on existing policies?. after clicking Check Now. after download. after install. after commit.

Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network?. data filtering log entry. continue response page. DNS sinkhole. CVE number.

True or false? A Security Profile a ttached to a Security policy rule is ev aluated only if the Security policy rule matches traffic and the rule action is set to “allow.”. true. false.

A Zone Protection Profile is applied to which item?. ingress ports. Security policy rules. egress ports. Address Groups.

Network traffic matches an “allow” rule in the Security policy, but the attached File Blocking Profile is configured with a “block” action. To which two locations will the traffic be logged? (Choose two.). Threat log. Traffic log. Data Filtering log. Alarms log.

Which profile type is designed to protect against reconnaissance attacks such as host sweeps and port scans?. Ant-Spyware. Data Filtering. Zone Protection. DoS Protection.

Which URL Filtering Profile action will result in a user being interactively prompted for a password?. alert. allow. continue. override.

According to best practices, which two URL filtering categories should be blocked in most URL Filtering Profiles? (Choose two.). high-risk. medium-risk. new-registered-domain. adult.

Which three statements are true regarding Safe Search Enforcement? (Choose three.). Safe search is a web server setting. Safe search is a web browser setting. Safe search is a best-effort setting. Safe search is designed to block violent web content. Safe search works only in conjunc tion with credential submission websites.

True or false? A URL Filtering license is not re quired to define and use custom URL categories. true. false.

Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?. PDF. JAR. APK. EXE.

Which WildFire verdict might indicate obtrusive behavior but not a security threat?. benign. grayware. malware. phishing.

True or false? When a malicious file or link is de tected in an email, WildFire can update antivirus signatures in the PAN-DB database. true. false.

Assume you have a WildFire subscription. Which file state or condition might result in a file not being analyzed by WildFire?. executable file signed by a trusted signer. file size limit exceeded. file already has WildFire hash. file located in a JAR or RAR archive.

Which two statements are true regarding User-ID and firewall configuration? (Choose two). Communications between the firewall and the User-ID agent are sent over an encrypted SSL Connection. The firewall needs to have information for every User-ID agent to which it will connect. NetBIOS is the only client probing method supported by the User-ID agent. The User-ID agent must be installed on the domain controller.

Which three items are valid choices when configuring the Source User field in a security policy rule (choose three.). all. known-user. any. unknown. none.

You must deploy the Windows-based User-ID agent to collect IP address-to-username mappings from a Windows AD domain controller. true. false.

Which statement is true regarding User-ID and Security Policy rules?. If the user associated with an IP address cannot be determined, all traffic from that address will be dropped. The Source User field can match only users, not groups. The Source IP and Sourch User fields cannot be used in the same policy. Users can be used in policy rules only if they are known by the firewall.

Which two types of activities does SSL/TLS decryp tion by the firewall helps to block? (Choose two.). malware introduction. denial-of-service attacks. sensitive data exfiltration. protocol-based attacks.

True or false? CRL is consulted first if OCSP and CRL are configured on a firewall. true. false.

Which type of firewall decryption requires the admin istrator to import a server certificate and a private key into the firewall?. SSH decryption. SSH tunnel decryption. SSL Forward Proxy decryption. SSL Inbound Inspection decryption.

True or false? The SSL forward untrust certificate shoul d not be trusted by the client but should still be a CA certificate. true. false.

True or false? The firewall can still check for expired or untrusted certificates even if the SSL traffic is not decrypted. true. false.

Which two actions affect all of the widgets in the Application Command Center? (Choose two.). setting a local filter. setting a global filter. setting a global search. selecting a time range.

Which two firewall features to display information using widgets? (Choose two.). ACC. Dashboard. Traffic log. botnet report.

True or false? You can customize the list of logs that are aggregated into the Unified log. true. false.

Which three statements about the automated co rrelation engine are co rrect? (Choose three.). It detects possible infected hosts. It is available only in Panorama. It uses correlation objects as input. It outputs correlation events. It requires Cortex Data Lake.

True or false? SNMP GET requests a firewall return operational statistics, and SNMP SET requests update the firewall configuration. true. false.

Which three statements about the predefined reports are correct? (Choose three. There are more than 40 predefined reports. They are generated daily by default. They are grouped into five categories. They are grouped into seven categories. There are minus than 40 predefined reports.

Which operation is used by a GlobalProtect client to determine whether it should connect to an internal or external gateway?. reverse DNS lookup. user selection during agent startup. IP address of the client system. GlobalProtect agent starting in online or offline mode.

The GlobalProtect agent is available in which two formats? (Choose two.). dmg. exe. msi. pkg.

True or false? If a GlobalProtect agent fails to establish an IPsec connection, the connection type will fall back to SSL-VPN. true. false.

Which GlobalProtect component provides the manageme nt functions for the GlobalProtect infrastructure?. agent. internal gateway. external gateway. portal.