EMT Practice Test

1. Question Content...


Question List

Question1: Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Question2: A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

Question3: Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

Question4: Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

Question5: An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD How can portaes based on group mapping be learned and enforced in Prisma Access?

Question6: Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?

Question7:
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?

Question8: Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two)

Question9: In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

Question10: After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

Question11: A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

Question12: A remote administrator needs firewall access on an untrusted interface Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

Question13: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Question14: A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

Question15: What is exchanged through the HA2 link?

Question16: Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

Question17: Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

Question18: An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A)

B)

C)

D)

Question19: An administrator device-group commit push is tailing due to a new URL category How should the administrator correct this issue?

Question20: Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

Question21: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question22: Based on the following image,

what is the correct path of root, intermediate, and end-user certificate?

Question23: An engineer is planning an SSL decryption implementation
Which of the following statements is a best practice for SSL decryption?

Question24: The following objects and policies are defined in a device group hierarchy


A)

B)

C)
Address Objects
-Shared Address 1
-Branch Address2
Policies -Shared Polic1
l -Branch Policyl
D)
Address Objects -Shared Addressl -Shared Address2 -Branch Addressl Policies -Shared Policyl -Shared Policy2 -Branch Policyl

Question25: A remote administrator needs access to the firewall on an untrust interlace. Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

Question26: When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

Question27: Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

Question28: Which Captive Portal mode must be configured to support MFA authentication?

Question29: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question30: SAML SLO is supported for which two firewall features? (Choose two.)

Question31: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

Question32: Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

Question33: What are three valid method of user mapping? (Choose three)

Question34: If the firewall has the link monitoring configuration, what will cause a failover?

Question35: What are two characteristic types that can be defined for a variable? (Choose two )

Question36: A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

Question37: Which three authentication factors does PAN-OS software support for MFA (Choose three.)

Question38: Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

Question39: Match each SD-WAN configuration element to the description of that element.

Question40: Which field is optional when creating a new Security Policy rule?

Question41: An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant Which two statements are correct regarding the bootstrap package contents? (Choose two )

Question42: An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in
"the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

Question43: During the packet flow process, which two processes are performed in application identification? (Choose two.)

Question44: Which command can be used to validate a Captive Portal policy?

Question45: A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode.
Which statement is true about this deployment?

Question46: A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny". Which action will this cause configuration on the matched traffic?

Question47: Which configuration task is best for reducing load on the management plane?

Question48: Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

Question49: A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?

Question50: A firewall should be advertising the static route 10 2 0 0/24 into OSPF The configuration on the neighbor is correct but the route is not in the neighbor's routing table Which two configurations should you check on the firewall'? (Choose two )

Question51: Which three rule types are available when defining policies in Panorama? (Choose three.)

Question52: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

Question53: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Question54: An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization1?

Question55: Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)

Question56: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

Question57: Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?

Question58: In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?

Question59: Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

Question60: When you configure an active/active high availability pair which two links can you use? (Choose two)

Question61: Refer to the exhibit.

Which certificate can be used as the Forward Trust certificate?

Question62: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

Question63: On the NGFW. how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

Question64: An engineer must configure a new SSL decryption deployment
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Question65: in URL filtering, which component matches URL patterns?

Question66: A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

Question67: When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Question68: Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)

Question69: Which User-ID method maps IP address to usernames for users connecting through a web proxy that has already authenticated the user?

Question70: An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

Question71: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question72: An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA1?

Question73: When overriding a template configuration locally on a firewall, what should you consider?

Question74: Which option describes the operation of the automatic commit recovery feature?

Question75: The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

Question76: Which log file can be used to identify SSL decryption failures?

Question77: An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A)

B)

C)

D)

Question78: An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However , YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

Question79: When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

Question80: A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

Question81: Which CLI command displays the physical media that are connected to ethernetl/8?

Question82: When setting up a security profile which three items can you use? (Choose three )

Question83: An administrator notices that an interlace configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Question84: Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?

Question85: Panorama provides which two SD_WAN functions? (Choose two.)

Question86: A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

Question87: How are IPV6 DNS queries configured to user interface ethernet1/3?

Question88: People are having intermittent quality issues during a live meeting via web application.

Question89: Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Question90: Which Panorama objects restrict administrative access to specific device-groups?

Question91: When configuring the firewall for packet capture, what are the valid stage types?

Question92: A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?

Question93: Refer to Exhibit:


A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

Question94: What are the differences between using a service versus using an application for Security Policy match?

Question95: Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

Question96: An engineer must configure the Decryption Broker feature
Which Decryption Broker security chain supports bi-directional traffic flow?

Question97: Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

Question98: Which CLI command displays the current management plan memory utilization?

Question99: An engines must configure the Decryption Broker feature To which router must the engineer assign the decryption forwarding interfaces that are used m the Decryption Broker security Chain?

Question100: Which CLI command can be used to export the tcpdump capture?

Question101: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Question102: How does Panorama handle incoming logs when it reaches the maximum storage capacity?

Question103: An administrator wants to enable zone protection
Before doing so, what must the administrator consider?

Question104: Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

Question105: Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

Question106: An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed Which Panorama tool can help this organization?

Question107: Which logs enable a firewall administrator to determine whether a session was decrypted?

Question108: Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

Question109: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS software would help in this case?

Question110: An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration Which two solutions can the administrator use to scale this configuration? (Choose two.)

Question111: When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

Question112: When you configure a Layer 3 interface what is one mandatory step?

Question113: Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Question114: Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

Question115: For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two )

Question116: Which three fields can be included in a pcap filter? (Choose three)

Question117: Which CLI command enables an administrator to check the CPU utilization of the dataplane?

Question118: An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

Question119: How can packet butter protection be configured?

Question120: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to PanoramA.
Pre-existing logs from the firewalls are not appearing in PanoramA.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question121: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question122: Match each type of DoS attack to an example of that type of attack

Question123: Which administrative authentication method supports authorization by an external service?