EMT Practice Test

1. Question Content...


Question List

Question1: Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

Question2: An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

Question3: When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

Question4: Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

Question5: Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Question6: An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS software can be upgraded?

Question7: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question8: Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

Question9: An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

Question10: A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

Question11: An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

Question12: The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed.
The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

Question13: An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

Question14: For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two )

Question15: A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
* Users outside the company are in the "Untrust-L3" zone
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server?
(Choose two)

Question16: Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

Question17: Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question18: Which CLI command displays the current management plan memory utilization?

Question19: A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

Question20: An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)


Question21: Which three firewall states are valid? (Choose three)

Question22: Which event will happen if an administrator uses an Application Override Policy?

Question23: A network security engineer has a requirement to allow an external server to access an internal web server.
The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

Question24: The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

Question25: How is the Forward Untrust Certificate used?

Question26: Which CLI command can be used to export the tcpdump capture?

Question27: In a virtual router, which object contains all potential routes?

Question28: The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

Question29: Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

Question30: Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"

Question31: A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?

Question32: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question33: To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

Question34: A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy?
(Choose two)

Question35: Which two features does PAN-OS software use to identify applications? (Choose two)

Question36: When configuring the firewall for packet capture, what are the valid stage types?

Question37: The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalPortect Portal?

Question38: How does Panorama handle incoming logs when it reaches the maximum storage capacity?

Question39: When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

Question40: Which three firewall states are valid? (Choose three.)

Question41: Which is not a valid reason for receiving a decrypt-cert-validation error?

Question42: What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

Question43: A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface Which interface type and configuration setting will support this design?

Question44: YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic.
The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

Question45: An administrator wants to upgrade an NGFW from PAN-OS 8.0.2 to PAN-OS 9.0. The firewall is not a part of an HA pair. What needs to be updated first?

Question46: The certificate information displayed in the following image is for which type of certificate?
Exhibit:

Question47: Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

Question48: Which log file can be used to identify SSL decryption failures?

Question49: Which feature can be configured on VM-Series firewalls?

Question50: Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

Question51: Which three options are supported in HA Lite? (Choose three.)

Question52: Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

Question53: Which data flow describes redistribution of user mappings?

Question54: A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

Question55: Which three function are found on the dataplane of a PA-5050? (Choose three)

Question56: An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

Question57: Which DoS protection mechanism detects and prevents session exhaustion attacks?

Question58: Which PAN-OS policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question59: A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
*DMZ zone: DMZ-L3
*Public zone: Untrust-L3
*Guest zone: Guest-L3
*Web server zone: Trust-L3
*Public IP address (Untrust-L3): 1.1.1.1
*Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

Question60: A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

Question61: Which Captive Portal mode must be configured to support MFA authentication?

Question62: O: 49
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

Question63: Which Palo Alto Networks VM-Series firewall is valid?

Question64: Refer to Exhibit:


A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

Question65: Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

Question66: Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

Question67: A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)

Question68: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question69: What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

Question70: A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

Question71: An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However , YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

Question72: An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

Question73: Exhibit:

What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

Question74: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question75: An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs.
The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

Question76: An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?

Question77: The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

Question78: A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti-Spyware and select default profile.
What should be done next?

Question79: When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

Question80: Which operation will impact performance of the management plane?

Question81: Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

Question82: A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

Question83: An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:
less mp-log ikemgr.log:

What could be the cause of this problem?

Question84: Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Question85: Which feature can provide NGFWs with User-ID mapping information?

Question86: A customer wants to set up a site-to-site VPN using tunnel interfaces?
Which two formats are correct for naming tunnel interfaces? (Choose two.)

Question87: Which administrative authentication method supports authorization by an external service?

Question88: Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

Question89: An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

Question90: Which interface configuration will accept specific VLAN IDs?

Question91: When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

Question92: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Question93: Which User-ID method maps IP address to usernames for users connecting through a web proxy that has already authenticated the user?

Question94: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Question95: Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?

Question96: When is the content inspection performed in the packet flow process?

Question97: Which protection feature is available only in a Zone Protection Profile?

Question98: Which Panorama administrator types require the configuration of at least one access domain? (Choose two)

Question99: What are two benefits of nested device groups in Panorama? (Choose two.)

Question100: In the following image from Panorama, why are some values shown in red?

Question101:
What will be the source address in the ICMP packet?

Question102: Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

Question103: Which option is part of the content inspection process?

Question104: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

Question105: An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

Question106: How can a candidate or running configuration be copied to a host external from Panorama?

Question107: Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

Question108: Which command can be used to validate a Captive Portal policy?

Question109: An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

Question110: A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two)

Question111: Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

Question112: Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

Question113: Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)

B)

C)

D)

Question114: People are having intermittent quality issues during a live meeting via web application.

Question115: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

Question116: Which field is optional when creating a new Security Policy rule?

Question117: Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?

Question118: The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?

Question119: When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Question120: Based on the following image,

what is the correct path of root, intermediate, and end-user certificate?

Question121: Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription?

Question122: A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

Question123: How are IPV6 DNS queries configured to user interface ethernet1/3?

Question124: What is exchanged through the HA2 link?

Question125: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question126: Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

Question127: An administrator needs to upgrade an NGFW to the most current version of PAN-OS software. The following is occurring:
*Firewall has Internet connectivity through e1/1.
*Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
*Service route is configured, sourcing update traffic from e1/1.
*A communication error appears in the System logs when updates are performed.
*Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

Question128: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

Question129: ON NO: 80
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

Question130: Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS version, and serial number?

Question131: Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

Question132: Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

Question133: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Question134: What are three valid method of user mapping? (Choose three)

Question135: During the packet flow process, which two processes are performed in application identification? (Choose two.)

Question136: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

Question137: View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

Question138: Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

Question139: A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny". Which action will this cause configuration on the matched traffic?

Question140: Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

Question141: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question142: An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A)

B)

C)

D)

Question143: Support for which authentication method was added in PAN-OS 8.0?