EMT Practice Test

1. Question Content...


Question List

Question1: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?

Question2: A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

Question3: What are two benefits of nested device groups in Panorama? (Choose two.)

Question4: To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

Question5: Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question6: An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Question7: An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

Question8: Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

Question9: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

Question10: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this case?

Question11: When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

Question12: Which method will dynamically register tags on the Palo Alto Networks NGFW?

Question13: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Question14: If the firewall has the link monitoring configuration, what will cause a failover?

Question15: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question16: Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

Question17: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question18: Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Question19: Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

Question20: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

Question21: Which three options are supported in HA Lite? (Choose three.)

Question22: During the packet flow process, which two processes are performed in application identification? (Choose two.)

Question23: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from
192.168.111.3 and to the destination 10.46.41.113?

Question24: An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

Question25: Which event will happen if an administrator uses an Application Override Policy?

Question26: A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny".
Which action will this cause configuration on the matched traffic?

Question27: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question28: Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms?

Question29: Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

Question30: A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

Question31: Which option is part of the content inspection process?

Question32: An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A:

B:

C:

D:

E:

Question33: Which Captive Portal mode must be configured to support MFA authentication?

Question34: An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

Question35: An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications.
QoS natively integrates with which feature to provide service quality?

Question36: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

Question37: Which CLI command enables an administrator to view details about the firewall including uptime, PAN- OS® version, and serial number?

Question38: Which feature prevents the submission of corporate login information into website forms?

Question39: In a virtual router, which object contains all potential routes?

Question40: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question41: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

Question42: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama.
Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question43: Which CLI command can be used to export the tcpdump capture?

Question44: Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

Question45: How can a candidate or running configuration be copied to a host external from Panorama?

Question46: Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

Question47: Which three settings are defined within the Templates object of Panorama? (Choose three.)

Question48: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question49: The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

Question50: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question51: Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question52: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

Question53: An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs.
The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

Question54: Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

Question55: An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

Question56: Refer to the exhibit.

An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A:

B:

C:

D:

Question57: An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A:

B:

C:

D:

Question58: Which three firewall states are valid? (Choose three.)

Question59: An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS® software can be upgraded?

Question60: Which Palo Alto Networks VM-Series firewall is valid?

Question61: A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

Question62: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question63: Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

Question64: A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

Question65: A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

Question66: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

Question67: Which protection feature is available only in a Zone Protection Profile?

Question68: If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

Question69: An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?

Question70: An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

Question71: The certificate information displayed in the following image is for which type of certificate?

Question72: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

Question73: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?