Configuring a pair of devices into an Active/Active HA pair provides support for:
- A . Higher session count
- B . Redundant Virtual Routers
- C . Asymmetric routing environments
- D . Lower fail-over times
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration.
These changes may be undone by Device > Setup > Operations > Configuration Management > … and then what operation?
- A . Revert to Running Configuration
- B . Revert to last Saved Configuration
- C . Load Configuration Version
- D . Import Named Configuration Snapshot
A company has a Palo Alto Networks firewall with a single VSYS that has both locally defined rules as well as shared and device-group rules pushed from Panorama.
In what order are the policies evaluated?
A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall, with this configuration information:
Users outside the company are in the "Untrust-L3" zone. The web server physically resides in the "Trust-L3" zone. Web server public IP address: 1.1.1.1
Web server private IP address: 192.168.1.10
Which NAT Policy rule will allow users outside the company to access the web server?
- A . Option A
- B . Option B
- C . Option C
- D . Option D
Wildfire may be used for identifying which of the following types of traffic?
- A . URL content
- B . DHCP
- C . DNS
- D . Viruses
In PAN-OS 5.0, how is Wildfire enabled?
- A . Via the "Forward" and "Continue and Forward" File-Blocking actions
- B . A custom file blocking action must be enabled for all PDF and PE type files
- C . Wildfire is automatically enabled with a valid URL-Filtering license
- D . Via the URL-Filtering "Continue" Action.
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real-time, the applications taking up the most bandwidth?
- A . Application Command Center (ACC)
- B . QoS Statistics
- C . QoS Log
- D . Applications Report
A
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
Which two steps are required to make Microsoft Active Directory users appear in the firewall’s traffic log? Choose 2 answers
- A . Enable User-ID on the zone object for the source zone.
- B . Enable User-ID on the zone object for the destination zone.
- C . Configure a RADIUS server profile to point to a domain controller.
- D . Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions.
- E . Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions.
Administrative Alarms can be enabled for all of the following except:
- A . Certificate Expirations
- B . Security Violation Thresholds
- C . Security Policy Tags
- D . Traffic Log capacity
Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred in the last day?
- A . Monitor->Session Browser
- B . Monitor->App Scope->Summary
- C . Objects->Applications->web-browsing
- D . ACC->Application
D
Explanation:
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment?
- A . HA3 is used for session synchronization
- B . The HA3 link is used to transfer Layer 7 information
- C . HA3 is used to handle asymmetric routing
- D . HA3 is the control link
Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?
- A . So that information can be pulled from other network resources for User-ID
- B . To allow the firewall to push UserID information to a Network Access Control (NAC) device.
- C . To permit sys logging of User Identification events
When Network Address Translation has been performed on traffic, Destination Zones in Security rules should be based on:
- A . Post-NAT addresses
- B . The same zones used in the NAT rules
- C . Pre-NAT addresses
- D . None of the above
Two firewalls are configured in an Active/Passive High Availability (HA) pair with the following election settings:
Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive" state. Firewall 5050-B reboots, causing 5050-A to become Active.
Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and is back online?
- A . Both firewalls are active (split brain)
- B . Firewall 5050-B
- C . Firewall 5050-A
- D . It could be either firewall
B
Explanation:
Reference: https://live.paloaltonetworks.com/docs/DOC-2926
Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3 answers
- A . Application Identification (App-ID)
- B . Group Identification (Group-ID)
- C . User Identification (User-ID)
- D . Threat Identification (Threat-ID)
- E . Content Identification (Content-ID)
A, C, E
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/whitepapers/single-pass-parallel-processing-architecture.pdf page 5
In an Anti-Virus profile, changing the action to “Block” for IMAP or POP decoders will result in the following:
- A . The connection from the server will be reset
- B . The Anti-virus profile will behave as if “Alert” had been specified for the action
- C . The traffic will be dropped by the firewall
- D . Error 541 being sent back to the server
Subsequent to the installation of new licenses, the firewall must be rebooted
- A . True
- B . False
When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best answer
- A . To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine
- B . To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine
- C . To load balance GlobalProtect client connections to GlobalProtect Gateways
- D . None of the above
Can multiple administrator accounts be configured on a single firewall?
- A . Yes
- B . No
Taking into account only the information in the screenshot above, answer the following question.
In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply.
- A . Security policy from trust zone to Internet zone that allows ping
- B . Create the appropriate routes in the default virtual router
- C . Security policy from Internet zone to trust zone that allows ping
- D . Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall.
Which method will show the global counters associated with the traffic after configuring the appropriate packet filters?
- A . From the CLI, issue the show counter interface command for the egress interface.
- B . From the GUI, select "Show global counters" under the Monitor tab.
- C . From the CLI, issue the show counter global filter packet-filter yes command.
- D . From the CLI, issue the show counter interface command for the ingress interface.
C
Explanation:
Reference: https://live.paloaltonetworks.com/docs/DOC-7971
Which feature can be configured with an IPv6 address?
- A . Static Route
- B . RIPv2
- C . DHCP Server
- D . BGP
A
Explanation:
Reference: https://live.paloaltonetworks.com/docs/DOC-5493
When creating an application filter, which of the following is true?
- A . They are used by malware
- B . Excessive bandwidth may be used as a filter match criteria
- C . They are called dynamic because they automatically adapt to new IP addresses
- D . They are called dynamic because they will automatically include new applications from an application signature update if the new application’s type is included in the filter
Which statement accurately reflects the functionality of using regions as objects in Security policies?
- A . Predefined regions are provided for countries, but not for cities. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region.
- B . The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. These custom regions can be used in the "Source User" field of the Security Policies.
- C . Regions cannot be used in the "Source User" field of the Security Policies, unless the administrator has set up custom regions.
- D . The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. Both predefined regions and custom regions can be used in the "Source User" field.
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by
- A . Configuring a corresponding HA4 interface
- B . Configuring HA3 as an Aggregate Ethernet bundle
- C . Configuring multiple HA3 interfaces
- D . Configuring HA3 in a redundant group
A Palo Alto Networks firewall has the following interface configuration:
Hosts are directly connected on the following interfaces:
Ethernet 1/6 – Host IP 192.168.62.2
Ethernet 1/3 – Host IP 10.46.40.63
The security administrator is investigating why ICMP traffic between the hosts is not working.
She first ensures that all traffic is allowed between zones based on the following security policy rule:
The routing table of the firewall shows the following output:
Which interface configuration change should be applied to ethernet1/6 to allow the two hosts to communicate based on this information?
- A . Change the Management Profile.
- B . Change the security policy to explicitly allow ICMP on this interface.
- C . Change the configured zone to DMZ.
- D . Change the Virtual Router setting to VR1.
What can cause missing SSL packets when performing a packet capture on data plane interfaces?
- A . There is a hardware problem with the offloading FPGA on the management plane.
- B . The missing packets are offloaded to the management plane CPU.
- C . The packets are hardware offloaded to the offload processor on the data plane.
- D . The packets are not captured because they are encrypted.
C
Explanation:
Reference: https://live.paloaltonetworks.com/docs/DOC-8621
Which three processor types are found on the data plane of a PA-5050? Choose 3 answers
- A . Multi-Core Security Processor
- B . Signature Match Processor
- C . Network Processor
- D . Protocol Decoder Processor
- E . Management Processor
A, B, C
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/whitepapers/single-pass-parallel-processing-architecture.pdf page 8
What happens at the point of Threat Prevention license expiration?
- A . Threat Prevention no longer updated; existing database still effective
- B . Threat Prevention is no longer used; applicable traffic is allowed
- C . Threat Prevention no longer used; applicable traffic is blocked
- D . Threat Prevention no longer used; traffic is allowed or blocked by configuration per Security Rule
Wildfire may be used for identifying which of the following types of traffic?
- A . Malware
- B . DNS
- C . DHCP
- D . URL Content
A company has purchased a WildFire subscription and would like to implement dynamic updates to download the most recent content as often as possible.
What is the shortest time interval the company can configure their firewall to check for WildFire updates?
- A . Every 24 hours
- B . Every 30 minutes
- C . Every 15 minutes
- D . Every 1 hour
- E . Every 5 minutes
C
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/60/wildfire/WF_Admin/section_1.pdf page 11
After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving the Captive Portal authentication page when they launch their web browsers.
How can this be corrected?
- A . Ensure that all users in the Trust Zone are using NTLM-capable browsers
- B . Enable "Response Pages" in the Interface Management Profile that is applied to the L3 Interface in the Trust Zone.
- C . Confirm that Captive Portal Timeout value is not set below 2 seconds
- D . Enable "Redirect " as the Mode type in the Captive Portal Settings
As the Palo Alto Networks administrator responsible for User Identification, you are looking for the simplest method of mapping network users that do not sign into LDAP.
Which information source would allow reliable User ID mapping for these users, requiring the least amount of configuration?
- A . WMI Query
- B . Exchange CAS Security Logs
- C . Captive Portal
- D . Active Directory Security Logs
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other web-browsing traffic is permitted?
- A . Ensure that the Service column is defined as "application-default" for this security rule. This will automatically include the implicit web-browsing application dependency.
- B . Create a subsequent rule which blocks all other traffic
- C . When creating the rule, ensure that web-browsing is added to the same rule. Both applications will be processed by the Security policy, allowing only Facebook to be accessed. Any other applications can be permitted in subsequent rules.
- D . No other configuration is required on the part of the administrator, since implicit application dependencies will be added automatically.
After migrating from an ASA firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly. The following entry is appearing in the logs: pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Firewall to resolve this error message?
- A . Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
- B . Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
- C . Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
- D . Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
C
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/vpns/interpret-vpn-error-messages.html
Which best describes how Palo Alto Networks firewall rules are applied to a session?
- A . last match applied
- B . first match applied
- C . all matches applied
- D . most specific match applied
It is discovered that WebandNetTrends Unlimited’s new web server software produces traffic that the Palo Alto Networks firewall sees as "unknown-tcp" traffic.
Which two configurations would identify the application while preserving the ability of the firewall to perform content and threat detection on the traffic? Choose 2 answers
- A . A custom application, with a name properly describing the new web server's purpose
- B . A custom application and an application override policy that assigns traffic going to and from the web server to the custom application
- C . An application override policy that assigns the new web server traffic to the built-in application "web-browsing"
- D . A custom application with content and threat detection enabled, which includes a signature identifying the new web server's traffic
Which of the following must be configured when deploying User-ID to obtain information from an 802.1x authenticator?
- A . Terminal Server Agent
- B . An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
- C . A User-ID agent, with the "Use for NTLM Authentication" option enabled.
- D . XML API for User-ID Agent
Users can be authenticated serially to multiple authentication servers by configuring:
- A . Multiple RADIUS Servers sharing a VSA configuration
- B . Authentication Sequence
- C . Authentication Profile
- D . A custom Administrator Profile
Enabling "Highlight Unused Rules" in the Security policy window will:
- A . Highlight all rules that did not immediately match traffic.
- B . Highlight all rules that did not match traffic since the rule was created or since the last reboot of the firewall
- C . Allow the administrator to troubleshoot rules when a validation error occurs at the time of commit.
- D . Allow the administrator to temporarily disable rules that do not match traffic, for testing purposes
Which of the following must be enabled in order for UserID to function?
- A . Captive Portal Policies must be enabled.
- B . UserID must be enabled for the source zone of the traffic that is to be identified.
- C . Captive Portal must be enabled.
- D . Security Policies must have the UserID option enabled.
What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering Database (PAN-DB)?
- A . The "Log Container Page Only" option can be employed in a URL-Filtering policy to reduce the number of logging events.
- B . URL-Filtering can now be employed as a match condition in Security policy
- C . IP-Based Threat Exceptions can now be driven by custom URL categories
- D . Daily database downloads for updates are no longer required as devices stay in-sync with the cloud.
How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with nonstandard syslog servers?
- A . Enable support for non-standard syslog messages under device management.
- B . Select a non-standard syslog server profile.
- C . Create a custom log format under the syslog server profile.
- D . Check the custom-format checkbox in the syslog server profile.
C
Explanation:
Reference: https://live.paloaltonetworks.com/docs/DOC-2021 (page 16 of the PDF available there)
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
- A . Security, NAT, Policy-Based Forwarding
- B . Intrazone, Interzone, Global
- C . Intrazone, Interzone, Universal
- D . Application, User, Content
C
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf pages 18-19
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs.
What could be the problem?
- A . The firewall is not licensed for logging to this Panorama device.
- B . Panorama is not licensed to receive logs from this particular firewall.
- C . None of the firewall’s policies have been assigned a Log Forwarding profile.
- D . A Server Profile has not been configured for logging to this Panorama device.
WildFire Analysis Reports are available for the following Operating Systems (select all that apply)
- A . Windows XP
- B . Windows 7
- C . Windows 8
- D . Mac OS-X
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?
- A . Zone Protection Policy with UDP Flood Protection
- B . Classified DoS Protection Policy using destination IP only with a Protect action
- C . QoS Policy to throttle traffic below maximum limit
- D . Security Policy rule to deny traffic to the IP address and port that is under attack
B
Reference: https://live.paloaltonetworks.com/docs/DOC-1746
The URL gateway1.company.com resolves to the external interface of the firewall on the company's external DNS server and to the internal interface of the firewall on the company's internal DNS server. This Gateway configuration will have which two outcomes? Choose 2 answers
- A . Clients outside the network will be able to connect to the external gateway Gateway1.
- B . Clients inside the network will be able to connect to the internal gateway Gateway1.
- C . Clients outside the network will NOT be able to connect to the external gateway Gateway1.
- D . Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Which of the following describes the sequence of the GlobalProtect agent connecting to a Gateway?
- A . The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest SSL response time
- B . The agent connects to the closest Gateway and sends the HIP report to the portal
- C . The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest PING response time
- D . The agent connects to the portal and randomly establishes a connection to the first available gateway
A network administrator uses Panorama to push security policies to managed firewalls at branch offices.
Which policy type should be configured on Panorama if the administrator wishes to allow local administrators at the branch office sites to override these policies?
- A . Implicit Rules
- B . Post Rules
- C . Default Rules
- D . Pre Rules
The "Disable Server Return Inspection" option on a security profile:
- A . Can only be configured in Tap Mode
- B . Should only be enabled on security policies allowing traffic to a trusted server.
- C . Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet
- D . Only performs inspection of traffic from the side that originated the TCP SYN-ACK packet
What is the default setting for ‘Action’ in a Decryption Policy’s rule?
- A . No-decrypt
- B . Decrypt
- C . Any
- D . None
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers
- A . Virtual Wire
- B . Loopback
- C . Tunnel
- D . Layer3
B, D
Explanation:
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf page 10
The following can be configured as a next hop in a Static Route:
- A . A Policy-Based Forwarding Rule
- B . Virtual System
- C . A Dynamic Routing Protocol
- D . Virtual Router
In order to route traffic between layer 3 interfaces on the PAN firewall you need:
- A . VLAN
- B . Vwire
- C . Security Profile
- D . Virtual Router
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
- A . Allow
- B . Alert
- C . Log
- D . Default
B
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/configure-url-filtering.html
When a user logs in via Captive Portal, their user information can be checked against:
- A . Terminal Server Agent
- B . Security Logs
- C . XML API
- D . RADIUS
When configuring Admin Roles for Web UI access, what are the available access levels?
- A . Enable and Disable only
- B . None, Superuser, Device Administrator
- C . Allow and Deny only
- D . Enable, Read-Only and Disable
Which of the following objects cannot use User-ID as a match criteria?
- A . Security Policies
- B . QoS
- C . Policy Based Forwarding
- D . DoS Protection
- E . None of the above
A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security Profile?
- A . Filter the Session Browser for all sessions from the user with the application "adobe".
- B . Filter the System log for "Download Failed" messages.
- C . Filter the Traffic logs for all traffic from the user that resulted in a Deny action.
- D . Filter the Data Filtering logs for the user’s traffic and the name of the PDF file.
The WildFire Cloud or WF-500 appliance provides information to which two Palo Alto Networks security services? Choose 2 answers
- A . Threat Prevention
- B . App-ID
- C . URL Filtering
- D . PAN-OS
- E . GlobalProtect Data File
A, E
Explanation:
Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html