EMT Practice Test

1. Question Content...


Question List

Question1: Which option is part of the content inspection process?

Question2: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against
worms and trojans.
Which Security Profile type will protect against worms and trojans?

Question3: For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose
two.)

Question4: Which two actions would be part of an automatic solution that would block sites with untrusted certificates
without enabling SSL Forward Proxy? (Choose two.)

Question5: Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

Question6: Which CLI command can be used to export the tcpdump capture?

Question7: Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security
management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for
all the existing monitoring/security platforms?

Question8: Which log file can be used to identify SSL decryption failures?

Question9: When backing up and saving configuration files, what is achieved using only the firewall and is not
available in Panorama?

Question10: An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The
following is occurring:
Firewall has internet connectivity through e 1/1.

Default security rules and security rules allowing all SSL and web-browsing traffic to and from any

zone.
Service route is configured, sourcing update traffic from e1/1.

A communication error appears in the System logs when updates are performed.

Download does not complete.

What must be configured to enable the firewall to download the current version of PAN-OS software?

Question11: Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No
Decrypt" action? (Choose two.)

Question12: Which Captive Portal mode must be configured to support MFA authentication?

Question13: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch
port which it connects.
How would an administrator configure the interface to 1Gbps?

Question14: Which feature prevents the submission of corporate login information into website forms?

Question15: Which data flow describes redistribution of user mappings?

Question16: Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web
server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo
Alto Networks firewall.
A:

B:

C:

D:

Question17: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to
the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B
(10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two.)

Question18: In a virtual router, which object contains all potential routes?

Question19: An administrator accidentally closed the commit window/screen before the commit was finished. Which two
options could the administrator use to verify the progress or success of that commit task? (Choose two.)
A:

B:

C:

D:

Question20: A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL
database connections.
Which two configuration options can be used to correctly categorize their custom database application?
(Choose two.)

Question21: How does Panorama prompt VMWare NSX to quarantine an infected VM?

Question22: Which User-ID method should be configured to map IP addresses to usernames for users connected
through a terminal server?

Question23: Refer to the exhibit.

Which certificates can be used as a Forward Trust certificate?

Question24: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the
Policies tab.
Which profile is the cause of the missing Policies tab?

Question25: Decrypted packets from the website https://www.microsoft.com will appear as which application and
service within the Traffic log?

Question26: A company needs to preconfigure firewalls to be sent to remote sites with the least amount of
preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional
data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

Question27: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from
192.168.111.3 and to the destination 10.46.41.113?

Question28: Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

Question29: An administrator needs to determine why users on the trust zone cannot reach certain websites. The only
information available is shown on the following image.
Which configuration change should the administrator make?
A:

B:

C:

D:

E:

Question30: An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22
Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A:

B:

C:

D:

Question31: Which option would an administrator choose to define the certificate and protocol that Panorama and its
managed devices use for SSL/TLS services?

Question32: Which CLI command is used to simulate traffic going through the firewall and determine which Security
policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question33: What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

Question34: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the
internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question35: Which three settings are defined within the Templates object of Panorama? (Choose three.)

Question36: During the packet flow process, which two processes are performed in application identification? (Choose
two.)

Question37: Which feature can provide NGFWs with User-ID mapping information?

Question38: Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is
allowed to access an internal application that contains highly-sensitive business data?

Question39: An administrator has left a firewall to use the default port for all management services.
Which three functions are performed by the dataplane? (Choose three.)

Question40: An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a
third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

Question41: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question42: An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also
creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are
three entries. The first entry shows traffic dropped as application Unknown. The next two entries show
traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as
SSL?

Question43: Which feature can be configured on VM-Series firewalls?

Question44: Which version of GlobalProtect supports split tunneling based on destination domain, client process, and
HTTP/HTTPS video streaming application?

Question45: Which two settings can be configured only locally on the firewall and not pushed from a Panorama
template or template stack? (Choose two.)

Question46: What are two benefits of nested device groups in Panorama? (Choose two.)

Question47: Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

Question48: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method,
which login will be detected as credential theft?

Question49: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices
to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama.
Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question50: Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

Question51: A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link
aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)

Question52: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to
the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question53: An administrator has users accessing network resources through Citrix XenApp 7 x.
Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and
access resources?

Question54: Which three options are supported in HA Lite? (Choose three.)

Question55: An administrator creates a custom application containing Layer 7 signatures. The latest application and
threat dynamic update is downloaded to the same NGFW. The update contains an application that
matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?

Question56: To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

Question57: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The
administrator determines that these sessions are form external users accessing the company's proprietary
accounting application. The administrator wants to reliably identify this traffic as their accounting
application and to scan this traffic for threats.
Which option would achieve this result?

Question58: Which operation will impact performance of the management plane?

Question59: Which feature must you configure to prevent users form accidentally submitting their corporate credentials
to a phishing website?

Question60: Which event will happen if an administrator uses an Application Override Policy?

Question61: Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats
detected in the last 30 days?

Question62: If the firewall has the link monitoring configuration, what will cause a failover?

Question63: Which protection feature is available only in a Zone Protection Profile?

Question64: A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

Question65: What are the differences between using a service versus using an application for Security Policy match?

Question66: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At
other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic
matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question67: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against
external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

Question68: What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter
when a firewall is rebooted? (Choose two.)

Question69: An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not
in "the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

Question70: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo
Alto networks NGFW to inspect traffic when users browse to HTTP(S) websites?

Question71: Which CLI command enables an administrator to view details about the firewall including uptime, PAN-
OS® version, and serial number?

Question72: A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny".
Which action will this cause configuration on the matched traffic?

Question73: Which Panorama administrator types require the configuration of at least one access domain? (Choose
two.)

Question74: If a template stack is assigned to a device and the stack includes three templates with overlapping
settings, which settings are published to the device when the template stack is pushed?

Question75: A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)

Question76: Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

Question77: Which processing order will be enabled when a Panorama administrator selects the setting "Objects
defined in ancestors will take higher precedence?"

Question78: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not
participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS® software?

Question79: Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series
firewalls? (Choose two.)

Question80: A global corporate office has a large-scale network with only one User-ID agent, which creates a
bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

Question81: A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need
to assign each VLAN to its own zone and assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?

Question82: Which administrative authentication method supports authorization by an external service?

Question83: The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing
session using which kind of match?

Question84: A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for
analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

Question85: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled
wireless network device that has no native integration with PAN-OS® software?

Question86: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP
port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be
configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from
Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to
allow cleartext web-browsing traffic to this server on tcp/443?

Question87: When is the content inspection performed in the packet flow process?

Question88: The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is
wrong?

Question89: An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?

Question90: The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes
do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

Question91: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS
servers.
Which option will protect the individual servers?