EMT Practice Test

1. Question Content...


Question List

Question1: Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

Question2: What is exchanged through the HA2 link?

Question3: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

Question4: An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?

Question5: A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny".
Which action will this cause configuration on the matched traffic?

Question6: Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

Question7: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama.
Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question8: The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

Question9: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

Question10: When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Question11: A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

Question12: An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

Question13: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

Question14: Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

Question15: Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question16: Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

Question17: Which data flow describes redistribution of user mappings?

Question18: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

Question19: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Question20: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question21: An administrator wants to upgrade an NGFW from PAN-OS® 7.1.2 to PAN-OS® 8.0.2. The firewall is not a part of an HA pair.
What needs to be updated first?

Question22: A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)

Question23: An administrator has users accessing network resources through Citrix XenApp 7 x.
Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

Question24: A customer wants to set up a site-to-site VPN using tunnel interfaces?
Which two formats are correct for naming tunnel interfaces? (Choose two.)

Question25: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question26: When is the content inspection performed in the packet flow process?

Question27: In High Availability, which information is transferred via the HA data link?

Question28: Which CLI command enables an administrator to check the CPU utilization of the dataplane?

Question29: An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?

Question30: A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

Question31: Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Question32: An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications.
QoS natively integrates with which feature to provide service quality?

Question33: Which two settings can be configured only locally on the firewall and not pushed from a Panorama template stack? (Choose two.)

Question34: Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

Question35: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question36: An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?

Question37: Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall.
A:

B:

C:

D:

Question38: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080?

Question39: Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

Question40: An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates automatically?

Question41: Which log file can be used to identify SSL decryption failures?

Question42: What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

Question43: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from
192.168.111.3 and to the destination 10.46.41.113?

Question44: An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A:

B:

C:

D:

Question45: A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

Question46: Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)

Question47: Which two features does PAN-OS® software use to identify applications? (Choose two.)

Question48: Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"

Question49: Which three firewall states are valid? (Choose three.)

Question50: Which Palo Alto Networks VM-Series firewall is valid?

Question51: Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

Question52: Which virtual router feature determines if a specific destination IP address is reachable?

Question53: If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

Question54: The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

Question55: Which event will happen if an administrator uses an Application Override Policy?

Question56: Which Captive Portal mode must be configured to support MFA authentication?

Question57: What are the differences between using a service versus using an application for Security Policy match?

Question58: An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

Question59: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

Question60: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

Question61: Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

Question62: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question63: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question64: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

Question65: Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

Question66: What are two benefits of nested device groups in Panorama? (Choose two.)

Question67: A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?

Question68: An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

Question69: An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

Question70: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

Question71: Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

Question72: An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required.
Which interface type would support this business requirement?

Question73: Which DoS protection mechanism detects and prevents session exhaustion attacks?

Question74: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

Question75: Based on the following image, what is the correct path of root, intermediate, and end-user certificate?