EMT Practice Test

1. Question Content...


Question List

Question1: An administrator wants to enable zone protection
Before doing so, what must the administrator consider?

Question2: Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

Question3: When overriding a template configuration locally on a firewall, what should you consider?

Question4: Which field is optional when creating a new Security Policy rule?

Question5: What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

Question6: Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Question7: Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

Question8: A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

Question9: How does Panorama handle incoming logs when it reaches the maximum storage capacity?

Question10: Refer to the exhibit.

Which certificate can be used as the Forward Trust certificate?

Question11: A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

Question12: When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

Question13: A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti-Spyware and select default profile.
What should be done next?

Question14: Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Question15: Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?

Question16: Which DoS protection mechanism detects and prevents session exhaustion attacks?

Question17: Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

Question18: An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

Question19: What are two benefits of nested device groups in Panorama? (Choose two.)

Question20: Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"

Question21: An administrator wants to upgrade an NGFW from PAN-OS® 9.0 to PAN-OS® 10.0. The firewall is not a part of an HA pair. What needs to be updated first?

Question22: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

Question23: Which feature can provide NGFWs with User-ID mapping information?

Question24: Which event will happen if an administrator uses an Application Override Policy?

Question25: A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping process The failure is caused because

Question26: Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question27: An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A)

B)

C)

Question28: An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

Question29: YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

Question30: An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

Question31: Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

Question32: Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question33: An engineer is planning an SSL decryption implementation
Which of the following statements is a best practice for SSL decryption?

Question34: What are two characteristic types that can be defined for a variable? (Choose two )

Question35: Which operation will impact performance of the management plane?

Question36: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

Question37: Place the steps in the WildFire process workflow in their correct order.

Question38: In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

Question39: Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two)

Question40: Click the Exhibit button below,


A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

Question41: Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

Question42: When configuring the firewall for packet capture, what are the valid stage types?

Question43: At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?

Question44: The certificate information displayed in the following image is for which type of certificate?
Exhibit:

Question45: Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

Question46: Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

Question47: Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

Question48: In High Availability, which information is transferred via the HA data link?

Question49: How can a candidate or running configuration be copied to a host external from Panorama?

Question50: A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

Question51: Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

Question52: In a Panorama template which three types of objects are configurable? (Choose three)

Question53: Which is not a valid reason for receiving a decrypt-cert-validation error?

Question54: What must be used in Security Policy Rule that contain addresses where NAT policy applies?

Question55: When you configure a Layer 3 interface what is one mandatory step?

Question56: In which two types of deployment is active/active HA configuration supported? (Choose two.)

Question57: Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Question58: An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

Question59: An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

Question60: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

Question61: The following objects and policies are defined in a device group hierarchy


A)

B)

C)
Address Objects
-Shared Address 1
-Branch Address2
Policies -Shared Polic1
l -Branch Policyl
D)
Address Objects -Shared Addressl -Shared Address2 -Branch Addressl Policies -Shared Policyl -Shared Policy2 -Branch Policyl

Question62: An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However , YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

Question63: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

Question64: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question65: An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

Question66: Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

Question67: Which three function are found on the dataplane of a PA-5050? (Choose three)

Question68: Starting with PAN-OS version 9.1, Global logging information is now recoded in which firewall log?

Question69: A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
* DMZ zone: DMZ-L3
* Public zone: Untrust-L3
* Guest zone: Guest-L3
* Web server zone: Trust-L3
* Public IP address (Untrust-L3): 1.1.1.1
* Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

Question70: How are IPV6 DNS queries configured to user interface ethernet1/3?

Question71: Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

Question72: Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

Question73: Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

Question74: Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

Question75: What file type upload is supported as part of the basic WildFire service?

Question76: View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

Question77: Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

Question78: An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

Question79: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question80: PBF can address which two scenarios? (Select Two)

Question81: A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

Question82: A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

Question83: A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

Question84: Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

Question85: A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

Question86: A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

Question87: The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

Question88: What is the purpose of the firewall decryption broker?

Question89: Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

Question90: A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

Question91: Which data flow describes redistribution of user mappings?

Question92: Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

Question93: Which administrative authentication method supports authorization by an external service?

Question94: Which Panorama administrator types require the configuration of at least one access domain? (Choose two)

Question95: Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Question96: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Question97: An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
* Firewall has Internet connectivity through e1/1.
* Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
* Service route is configured, sourcing update traffic from e1/1.
* A communication error appears in the System logs when updates are performed.
* Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

Question98: Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?

Question99: Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panoram a. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)

B)

C)

D)

Question100: An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

Question101: A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)

Question102: Which protection feature is available only in a Zone Protection Profile?

Question103: Which statement accurately describes service routes and virtual systems?

Question104: If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

Question105: Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

Question106: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

Question107: Match each SD-WAN configuration element to the description of that element.

Question108: A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two)

Question109: Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

Question110: Starling with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?

Question111: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Question112: An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?

Question113: When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

Question114: An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)