EMT Practice Test

1. Question Content...


Question List

Question1: Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity.
The administrator wants to determine where the traffic is going on the company.

What would be the administrator's next step?

Question2: What are three valid method of user mapping? (Choose three)

Question3: An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?

Question4: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question5: What are the differences between using a service versus using an application for Security Policy match?

Question6: Which field is optional when creating a new Security Police rule?

Question7: A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

Question8: TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation Firewalls) just to gain previously unavailable levels of visibility into their traffic flows.

Question9: Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

Question10: When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

Question11: Given these tables:


SVR1 is a webserver hosted in the DMZ zone. The FQDN of www.myserver.com is registered to an external DNS provider and resolves to 203.1.200.123 in the Untrust-L3 zone. Users in the Trust-L3 zone use the external FQDN to access SVR1.
Which NAT rule will process traffic sourced from the Trust-L3 zone destined for SVR1?

Question12: Which administrative authentication method supports authorization by an external service?

Question13: Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

Question14: The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two)

Question15: Which interface configuration will accept specific VLAN IDs?

Question16: Which three rule types are available when defining policies in Panorama? (Choose three.)

Question17: Which Palo Alto Networks VM-Series firewall is valid?

Question18: Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

Question19: An administrator has left a firewall to use the default port for all management services.
Which three functions are performed by the dataplane? (Choose three.)

Question20: When performing the "ping" test shown in this CLI output:

What will be the source address in the ICMP packet?

Question21: In which two types of deployment is active/active HA configuration supported? (Choose two.)

Question22: Which log file can be used to identify SSL decryption failures?

Question23: How can a candidate or running configuration be copied to a host external from Panorama?

Question24: A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

Question25: An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required.
Which interface type would support this business requirement?

Question26: Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

Question27: Which logs enable a firewall administrator to determine whether a session was decrypted?

Question28: A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and- control (C2) servers.
Which Security Profile type will prevent these behaviors?

Question29: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question30: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question31: Several offices are connected with VPNs using static IPV4 routes.
An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

Question32: How is the Forward Untrust Certificate used?

Question33: Which CLI command displays the current management plane memory utilization?

Question34: True or False: One of the advantages of Single Pass Parallel Processing (SP3) is that traffic can be scanned as it crosses the firewall with minimum amount of buffering, which in turn can allow advanced features like virus/malware scanning without effecting firewall performance

Question35: True or False: PAN-DB is a service that aligns URLs with category types and is fed to the WildFire threat cloud.

Question36: Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall.

Question37: Given the following table. Which configuration change on the firewall would cause it to use
10.66.24.88 as the next hop for the 192.168.93.0/30 network?

Question38: An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

Question39: A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

Question40: A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. The company's network engineers made configuration changes to the switches on both network segments, and connected them to the new firewall.
Soon after the cutover, however, users began to complain about latency and some servers stopped communicating. There are no security policies that deny traffic between the two network segments. You suspect that there is an interface misconfiguration on ethernet1/1.
Which two commands should be used to troubleshoot the issue? (Choose two.)

Question41: A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface Which interface type and configuration setting will support this design?

Question42: After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

Question43: An administrator needs to optimize traffic to prefer business-critical applications over non- critical applications.
QoS natively integrates with which feature to provide service quality?

Question44: A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
- Users outside the company are in the "Untrust-L3" zone
- The web server physically resides in the "Trust-L3" zone.
- Web server public IP address: 23.54.6.10
- Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

Question45: Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 7.0?
(Choose two.)

Question46: A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5- minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

Question47: Which method will dynamically register tags on the Palo Alto Networks NGFW?

Question48: Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.)

Question49: Which DoS protection mechanism detects and prevents session exhaustion attacks?

Question50: Which two features does PAN-OS software use to identify applications? (Choose two.)

Question51: Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

Question52: Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

Question53: An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

Question54: In order to route traffic between layer 3 interfaces on the PAN firewall you need:

Question55: Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

Question56: Which three fields can be included in a pcap filter? (Choose three)

Question57: Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

Question58: Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)

Question59: Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

Question60: Which three types of software will receive a Grayware verdict from WildFire? (Choose Three)

Question61: The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

Question62: Wildfire may be used for identifying which of the following types of traffic?

Question63: A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two.)

Question64: A distributed log collection deployment has dedicated Log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.
What should be done first?

Question65: Which three firewall states are valid? (Choose three.)

Question66: A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

Question67: For which two reasons would a firewall discard a packet as part of the packet flow sequence?
(Choose two.)

Question68: Which option describes the operation of the automatic commit recovery feature?

Question69: Which feature can provide NGFWs with User-ID mapping information?

Question70: A company has started utilizing WildFire in its network.
Which three file types are supported? (Choose three.)

Question71: During the packet flow process, which two processes are performed in application identification?
(Choose two.)

Question72: Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

Question73: Refer to Exhibit. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address.
He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

Question74: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

Question75: Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

Question76: An administrator just submitted a newly found piece of spyware for WildFire analysis.
The spyware monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?

Question77: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question78: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?

Question79: Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Question80: A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

Question81: Which Panorama administrator types require the configuration of at least one access domain?
(Choose two.)

Question82: How are IPV6 DNS queries configured to user interface ethernet1/3?

Question83: After Migrating from an ASA firewall to a Palo Alto Networks Firewall, the VPN connection between a remote network and the Palo Alto Networks Firewall is not establishing correctly.
The following entry is appearing in the logs:
Pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message?

Question84: A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?

Question85: A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. The company's engineers made configuration changes to the switches on both network segments, and connected them to the new firewall.
Soon after the cutover, however, users began to complain about latency and some servicers stopped communicating. There are no security policies that deny traffic between the two networks segments. You suspect that there is an interface misconfiguration on Ethernet 1/1.
Which two commands should be used to troubleshoot the issue? (Choose two)

Question86: Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

Question87: Which data flow describes redistribution of user mappings?

Question88: A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

Question89: Support for which authentication method was added in PAN-OS 7.0?

Question90: A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
Public zone: Untrust-L3
Guest zone: Guest-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

Question91: A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?

Question92: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS?software?

Question93: What are the main benefits of WildFire? (Select the three correct answers.)

Question94: An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

Question95: Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question96: Which two statements accurately describe how DoS Protection Profiles and Policies mitigate attacks? (Choose two.)

Question97: What are two benefits of nested device groups in Panorama? (Choose two.)

Question98: In an enterprise deployment, a network security engineer wants to assign rights to a group of administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?

Question99: Panorama provides which two SD-WAN functions? (Choose two.)

Question100: Which three rule types are available when defining polices in Panorama? (Choose three.)