EMT Practice Test

1. Question Content...


Question List

Question1: All of the interfaces on a Palo Alto Networks device must be of the same interface type.

Question2: Which statement accurately reflects the functionality of using regions as objects in Security policies?

Question3: What is the function of the GlobalProtect Portal?

Question4: When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?

Question5: An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?

Question6: What happens at the point of Threat Prevention license expiration?

Question7: How do you limit the amount of information recorded in the URL Content Filtering Logs?

Question8: An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.

Question9: Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User- ID?

Question10: What is the correct policy to most effectively block Skype?

Question11: When setting up GlobalProtect, what is the job of the GlobalProtect Portal?

Question12: Which of the following interfaces types will have a MAC address?

Question13: UserID is enabled in the configuration of:

Question14: As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?

Question15: Which of the following services are enabled on the MGT interface by default?

Question16: WildFire Analysis Reports are available for the following Operating Systems:

Question17: To create a custom signature object for an Application Override Policy, which of the following fields are mandatory?

Question18: With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.

Question19: When configuring Security rules based on FQDN objects, which of the following statements are true?

Question20: As the Palo Alto Networks Administrator responsible for UserID, you need to enable mapping of network users that do not sign in using LDAP. Which information source would allow for reliable UserID mapping while requiring the least effort to configure?

Question21: Which of the Dynamic Updates listed below are issued on a daily basis?

Question22: In PANOS 6.0 and later, which of these items may be used as match criterion in a PolicyBased Forwarding Rule? (Choose three.)

Question23: Which local interface cannot be assigned to the IKE gateway?

Question24: Which of the following is a routing protocol supported in a Palo Alto Networks firewall?

Question25: Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?

Question26: Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?

Question27: Select the implicit rules that are applied to traffic that fails to match any administrator defined Security Policies.

Question28: When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most informative logs?

Question29: When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS.

Question30: What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

Question31: Which of the following is True of an application filter?

Question32: Wildfire may be used for identifying which of the following types of traffic?

Question33: What is the name of the debug save file for IPSec VPN tunnels?

Question34: Which fields can be altered in the default Vulnerability profile?

Question35: Which of the following is NOT a valid option for builtin CLI Admin roles?

Question36: Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?

Question37: What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator?

Question38: What is the size limitation of files manually uploaded to WildFire?

Question39: Which mode will allow a user to choose when they wish to connect to the Global Protect Network?

Question40: For correct routing to SSL VPN clients to occur, the following must be configured:

Question41: Which of the following facts about dynamic updates is correct?

Question42: When configuring Admin Roles for Web UI access, what are the available access levels?

Question43: In PAN-OS 5.0, how is Wildfire enabled?

Question44:
Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?

Question45:
Taking into account only the information in the screenshot above, answer the following question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured?

Question46: Which of the following CANNOT use the source user as a match criterion?

Question47: What are two sources of information for determining whether the firewall has been successful in communicating with an external UserID Agent?

Question48: When Network Address Translation has been performed on traffic, Destination Zones in Security rules should be based on:

Question49: In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?

Question50: A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption capabilities.

Question51: Which option allows an administrator to segrate Panorama and Syslog traffic, so that the Management Interface is not employed when sending these types of traffic?

Question52: When adding an application in a Policy-based Forwarding rule, only a subset of the entire App-ID database is represented. Why would this be?

Question53: Will an exported configuration contain Management Interface settings?

Question54: Which of the following describes the sequence of the Global Protect agent connecting to a Gateway?

Question55: Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports?

Question56: In PANOS 6.0, rule numbers are:

Question57: After the installation of the Threat Prevention license, the firewall must be rebooted.

Question58: "What is the result of an Administrator submitting a WildFire report's verdict back to Palo Alto Networks as
"Incorrect"?

Question59: Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels?

Question60: The following can be configured as a next hop in a Static Route:

Question61: An interface in tap mode can transmit packets on the wire.

Question62: To properly configure DOS protection to limit the number of sessions individually from specific source IPs you would configure a DOS Protection rule with the following characteristics:

Question63: What needs to be done prior to committing a configuration in Panorama after making a change via the CLI or web interface on a device?

Question64: If the Forward Proxy Ready shows "no" when running the command show system setting ssl-decrypt setting, what is most likely the cause?

Question65: The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:

Question66: An interface in Virtual Wire mode must be assigned an IP address.

Question67: Can multiple administrator accounts be configured on a single firewall?

Question68: After the installation of a new Application and Threat database, the firewall must be rebooted.

Question69: Security policies specify a source interface and a destination interface.

Question70: A Config Lock may be removed by which of the following users?

Question71: In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.

Question72: Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

Question73: In which of the following can UserID be used to provide a match condition?

Question74: What is the default setting for 'Action' in a Decryption Policy's rule?

Question75: Which statement below is True?

Question76: Which of the following statements is NOT True regarding a Decryption Mirror interface?

Question77: When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:

Question78: When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other web-browsing traffic is permitted?

Question79: Wildfire may be used for identifying which of the following types of traffic?

Question80: When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSHtunnel AppID?

Question81: Configuring a pair of devices into an Active/Active HA pair provides support for:

Question82:
Taking into account only the information in the screenshot above, answer the following question:
A span port or a switch is connected to e1/4, but there are no traffic logs.
Which of the following conditions most likely explains this behavior?

Question83: What option should be configured when using User-ID?

Question84: Which of the following are necessary components of a GlobalProtect solution?

Question85: Subsequent to the installation of new licenses, the firewall must be rebooted

Question86: After the installation of a new version of PANOS, the firewall must be rebooted.

Question87: Color-coded tags can be used on all of the items listed below EXCEPT:

Question88: As the Palo Alto Networks administrator responsible for User Identification, you are looking for the simplest method of mapping network users that do not sign into LDAP. Which information source would allow reliable User ID mapping for these users, requiring the least amount of configuration?

Question89: When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web browsing traffic?

Question90: Which of the following are methods HA clusters use to identify network outages?

Question91: Enabling "Highlight Unused Rules" in the Security policy window will:

Question92: When configuring UserID on a Palo Alto Networks firewall, what is the proper procedure to limit User mappings to a particular DHCP scope?

Question93: When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

Question94: As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?

Question95: Which of the following can provide information to a Palo Alto Networks firewall for the purposes of UserID?

Question96: To allow the PAN device to resolve internal and external DNS host names for reporting and for security policies, an administrator can do the following:

Question97: When configuring a Decryption Policy, which of the following are available as matching criteria in a policy?
(Choose three.)

Question98: How do you reduce the amount of information recorded in the URL Content Filtering Logs?

Question99: What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off communication?

Question100: For non-Microsoft clients, what Captive Portal method is supported?

Question101: The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:

Question102: In PAN-OS 5.0, how is Wildfire enabled?

Question103: Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server's private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?

Question104: You can assign an IP address to an interface in Virtual Wire mode.

Question105: What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for the action setting?

Question106: Which routing protocol is supported on the Palo Alto Networks platform?

Question107: Which of the following must be enabled in order for UserID to function?

Question108: Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment?

Question109: A "Continue" action can be configured on the following Security Profiles:

Question110: In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.

Question111: Which one of the options describes the sequence of the GlobalProtect agent connecting to a Gateway?

Question112: Which of the following options may be enabled to reduce system overhead when using Content ID?

Question113: What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall?

Question114: Which of the following Global Protect features requires a separate license?

Question115: You have decided to implement a Virtual Wire Subinterface. Which options can be used to classify traffic?

Question116: Which of the following objects cannot use User-ID as a match criteria?

Question117: In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:

Question118: What are two sources of information for determining if the firewall has been successful in communicating with an external User-ID Agent?

Question119: Which of the following statements is NOT True about Palo Alto Networks firewalls?

Question120: Besides selecting the Heartbeat Backup option when creating an ActivePassive HA Pair, which of the following also prevents "SplitBrain"?

Question121: With PAN-OS 5.0, how can a common NTP value be pushed to a cluster of firewalls?

Question122: As the Palo Alto Networks administrator, you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied applications. Why would this be?

Question123: When configuring the firewall for UserID, what is the maximum number of Domain Controllers that can be configured?

Question124: Which type of license is required to perform Decryption Port Mirroring?

Question125: Which of the following interface types can have an IP address assigned to it?

Question126: Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they would like?

Question127: A "Continue" action can be configured on which of the following Security Profiles?

Question128: When employing the Brightcloud URL filtering database on the Palo Alto Networks firewalls, the order of checking within a profile is:

Question129: Which of the following is NOT a valid option for built-in CLI access roles?

Question130: Traffic going to a public IP address is being translated by your PANW firewall to your web server's private IP. Which IP should the Security Policy use as the "Destination IP" in order to allow traffic to the server.

Question131: As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>.... and then what operation?

Question132: In order to route traffic between layer 3 interfaces on the PAN firewall you need:

Question133: What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?

Question134:
Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are true?

Question135: After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving the Captive Portal authentication page when they launch their web browsers. How can this be corrected?

Question136: Which of the following types of protection are available in DoS policy?

Question137: In an Anti-Virus profile, changing the action to "Block" for IMAP or POP decoders will result in the following:

Question138: Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles).

Question139: With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of the device. In situations where the public ID is not static, this value can be replaced with a domain name or other text value

Question140: Administrative Alarms can be enabled for which of the following except?

Question141: What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?

Question142: Which of the following platforms supports the Decryption Port Mirror function?

Question143: Both SSL decryption and SSH decryption are disabled by default.

Question144: When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:

Question145: When using Config Audit, the color yellow indicates which of the following?

Question146: Which link is used by an Active-Passive cluster to synchronize session information?

Question147: Select the implicit rules enforced on traffic failing to match any user defined Security Policies:

Question148: Which of the following represents HTTP traffic events that can be used to identify potential Botnets?

Question149: You'd like to schedule a firewall policy to only allow a certain application during a particular time of day.
Where can this policy option be configured?

Question150: A user complains that they are no longer able to access a needed work application after you have implemented vulnerability and anti-spyware profiles. The user's application uses a unique port. What is the most efficient way to allow the user access to this application?

Question151: Users may be authenticated sequentially to multiple authentication servers by configuring:

Question152: Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

Question153: Which of the following must be configured when deploying User-ID to obtain information from an 802.1x authenticator?

Question154: Which fields can be altered in the default Vulnerability Protection Profile?

Question155: Users can be authenticated serially to multiple authentication servers by configuring:

Question156: When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2 mode, security policies can be set to match on multicast IP addresses.

Question157: Which of the Dynamic Updates listed below are issued on a daily basis?

Question158: What option should be configured when using User Identification?

Question159: What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering Database (PAN- DB)?

Question160:
Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of response?

Question161: Which of the following fields is not available in DoS policy?

Question162: When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset.

Question163: The "Disable Server Return Inspection" option on a security profile:

Question164: Which feature can be configured to block sessions that the firewall cannot decrypt?

Question165: In Active/Active HA environments, redundancy for the HA3 interface can be achieved by:

Question166: When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the rule? (Choose three.)

Question167: Which best describes how Palo Alto Networks firewall rules are applied to a session?

Question168: When creating an application filter, which of the following is true?

Question169: Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies.

Question170: In PAN-OS 5.0, which of the following features is supported with regards to IPv6?

Question171: When a user logs in via Captive Portal, their user information can be checked against: