EMT Practice Test

1. Question Content...


Question List

Question1: A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

Question2: An engineer is creating a security policy based on Dynamic User Groups (DUG) What benefit does this provide?

Question3: If the firewall has the link monitoring configuration, what will cause a failover?

Question4: Use the image below. If the firewall has the displayed link monitoring configuration what will cause a failover?

Question5: Which statement is true regarding a Best Practice Assessment?

Question6: An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed Which Panorama tool can help this organization?

Question7: A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny". Which action will this cause configuration on the matched traffic?

Question8: An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant Which two statements are correct regarding the bootstrap package contents? (Choose two )

Question9: Which two events trigger the operation of automatic commit recovery? (Choose two.)

Question10: What are two benefits of nested device groups in Panorama? (Choose two.)

Question11: Based on the image, what caused the commit warning?

Question12: A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software Why did the bootstrap process fail for the VM-Series firewall in Azure?

Question13: A firewall should be advertising the static route 10 2 0 0/24 into OSPF The configuration on the neighbor is correct but the route is not in the neighbor's routing table Which two configurations should you check on the firewall'? (Choose two )

Question14: Which data flow describes redistribution of user mappings?

Question15: An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

Question16: Which CLI command displays the current management plan memory utilization?

Question17: What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )

Question18: A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two )

Question19: Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two)

Question20: A customer is replacing its legacy remote-access VPN solution Prisma Access has been selected as the replacement During onboarding, the following options and licenses were selected and enabled:

The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users Which two settings must the customer configure? (Choose two)

Question21: An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

Question22: A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

Question23: An engineer must configure a new SSL decryption deployment
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Question24: A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?

Question25: Which three options does the WF-500 appliance support for local analysis? (Choose three)

Question26: After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

Question27: Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

Question28: An engineer is planning an SSL decryption implementation
Which of the following statements is a best practice for SSL decryption?

Question29: A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas) i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system ) ii. Enterpnse-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-lntermediate-CA iv. Enterprise-Root-CA which is verified only as Trusted Root CA An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

Question30: What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Question31: In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?

Question32: in a template you can configure which two objects? (Choose two.)

Question33: Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

Question34: You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?

Question35: Please match the terms to their corresponding definitions.

Question36: What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

Question37: A remote administrator needs access to the firewall on an untrust interlace. Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

Question38: Based on the following image,

what is the correct path of root, intermediate, and end-user certificate?

Question39: Which feature can provide NGFWs with User-ID mapping information?

Question40: Match each type of DoS attack to an example of that type of attack

Question41: An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

Question42: An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

Question43: A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

Question44: A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)

Question45: Which logs enable a firewall administrator to determine whether a session was decrypted?

Question46: A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

Question47: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

Question48: An administrator needs to troubleshoot a User-ID deployment The administrator believes that there is an issue related to LDAP authentication The administrator wants to create a packet capture on the management plane Which CLI command should the administrator use to obtain the packet capture for validating the configuration^

Question49: Which statement accurately describes service routes and virtual systems?

Question50: A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

Question51: Which three options are supported in HA Lite? (Choose three.)

Question52: A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured.
What can be the cause of this problem?

Question53: A users traffic traversing a Palo Alto networks NGFW sometimes can reach http //www company com At other times the session times out. At other times the session times out The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com goes to http://www company com How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

Question54: A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

Question55: Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

Question56: An administrator notices that an interlace configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Question57: An administrator has left a firewall to use the data of port for all management service which there functions are performed by the data face? (Choose three.)

Question58: Which two statements are true for the DNS Security service? (Choose two.)

Question59: When is the content inspection performed in the packet flow process?

Question60: An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?

Question61: Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

Question62: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panoram A.
Pre-existing logs from the firewalls are not appearing in PanoramA.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question63: Which three fields can be included in a pcap filter? (Choose three)

Question64: In a device group, which two configuration objects are defined? (Choose two )

Question65: Which CLI command displays the physical media that are connected to ethernetl/8?

Question66: Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.
Which method can capture IP-to-user mapping information for users on the Linux machines?

Question67: An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

Question68: When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

Question69: A superuser is tasked with creating administrator accounts for three contractors For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?

Question70: Which operation will impact performance of the management plane?

Question71: How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

Question72: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

Question73: Match each SD-WAN configuration element to the description of that element.

Question74: During SSL decryption which three factors affect resource consumption1? (Choose three )

Question75: Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

Question76: Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

Question77: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question78: A security engineer needs firewall management access on a Inside interface When three settings are required on an SSI/TVS Service Profile to provide secure Wet) Ui authentication? (Choose three.)

Question79: The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

Question80: Which command can be used to validate a Captive Portal policy?

Question81: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Question82: An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.
How should the administrator identify the configuration changes?

Question83: A standalone firewall with local objects and policies needs to be migrated into Panoram a. What procedure should you use so Panorama is fully managing the firewall?

Question84: What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

Question85: What happens when en A P firewall cluster synchronies IPsec tunnel secunty associations (SAs)?

Question86: What is the purpose of the firewall decryption broker?

Question87: Refer to the exhibit.

Which certificate can be used as the Forward Trust certificate?

Question88: Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)

Question89: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

Question90: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question91: When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

Question92: A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

Question93: A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.)

Question94: A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

Question95: What are two valid deployment options for Decryption Broker? (Choose two)

Question96: Which option describes the operation of the automatic commit recovery feature?

Question97: The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?

Question98: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

Question99: How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

Question100: An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW?

Question101: A customer wants to spin their session load equally across two SD-WAN-enabled interfaces.
Where would you configure this setting?

Question102: A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

Question103: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Question104: An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Question105: In the following image from Panorama, why are some values shown in red?

Question106: When configuring the firewall for packet capture, what are the valid stage types?

Question107: In a firewall, which three decryption methods are valid? (Choose three )

Question108: You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For Which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three)

Question109: An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

Question110: Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Question111: Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

Question112: Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panoram a. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)

B)

C)

D)

Question113: What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Question114: The following objects and policies are defined in a device group hierarchy


A)

B)

C)
Address Objects
-Shared Address 1
-Branch Address2
Policies -Shared Polic1
l -Branch Policyl
D)
Address Objects -Shared Addressl -Shared Address2 -Branch Addressl Policies -Shared Policyl -Shared Policy2 -Branch Policyl

Question115: Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.

Question116: What is a key step in implementing WildFire best practices?

Question117: What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

Question118: What will be the source address in the ICMP packet?

Question119: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Question120: Given the following configuration, which route is used for destination 10.10.0.4?

Question121: When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

Question122: In High Availability, which information is transferred via the HA data link?

Question123: A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?

Question124: Which feature prevents the submission of corporate login information into website forms?

Question125: Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?

Question126: On the NGFW. how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

Question127: Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

Question128: What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

Question129: An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD How can portaes based on group mapping be learned and enforced in Prisma Access?

Question130: Which Panorama objects restrict administrative access to specific device-groups?

Question131: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

Question132: Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Question133: People are having intermittent quality issues during a live meeting via web application.

Question134: If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?