EMT Practice Test

1. Question Content...


Question List

Question1: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps?

Question2: Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Question3: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

Question4: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443.

Question5: Which option is an IPv6 routing protocol?

Question6: In a virtual router, which object contains all potential routes?

Question7: Which feature prevents the submission of corporate login information into website forms?

Question8: A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny".
Which action will this cause configuration on the matched traffic?

Question9: Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Question10: A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping process The failure is caused because

Question11: Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

Question12: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

Question13: A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

Question14: The following objects and policies are defined in a device group hierarchy


A)

B)

C)
Address Objects
-Shared Address 1
-Branch Address2
Policies -Shared Polic1
l -Branch Policyl
D)
Address Objects -Shared Addressl -Shared Address2 -Branch Addressl Policies -Shared Policyl -Shared Policy2 -Branch Policyl

Question15: A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two)

Question16: A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?

Question17: Which CLI command can be used to export the tcpdump capture?

Question18: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question19: Which event will happen if an administrator uses an Application Override Policy?

Question20: Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

Question21: A
users traffic traversing a Palo Alto networks NGFW sometimes can reach http //www company com At other times the session times out. At other times the session times out The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com goes to http://www company com How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

Question22: In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

Question23: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x- enabled wireless network device that has no native integration with PAN-OS software?

Question24: An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs.
There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Question25: What are the differences between using a service versus using an application for Security Policy match?

Question26: When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

Question27: Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

Question28: An administrator needs to troubleshoot a User-ID deployment The administrator believes that there is an issue related to LDAP authentication The administrator wants to create a packet capture on the management plane
Which CLI command should the administrator use to obtain the packet capture for validating the configuration^

Question29: Which three authentication factors does PAN-OS® software support for MFA (Choose three.)

Question30: Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)

Question31: A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server?
(Choose two.)

Question32: A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy?
(Choose two)

Question33: Which method will dynamically register tags on the Palo Alto Networks NGFW?

Question34: An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

Question35: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach
http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to
http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question36: What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

Question37: What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Question38: Which statement accurately describes service routes and virtual systems?

Question39: If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

Question40: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps?

Question41: Given the following diagram:

A VPN connection has been created to allow traffic from the Trust-L3 zone of Site A to reach the Trust-L3 zone of Site B.
Each site is using tunnel.1 in the Untrust-L3 zone for the VPN connection. A static route needs to be added to the default virtual router in the Site A firewall to enable traffic from Site A to reach all workstations in Site B.
Which static route configuration will satisfy the requirement?

Question42: An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Question43: The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

Question44: A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

Question45: The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?

Question46: A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for
analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

Question47: Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

Question48: If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

Question49: A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
Public zone: Untrust-L3
Guest zone: Guest-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

Question50: What are two benefits of nested device groups in Panorama? (Choose two.)

Question51: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

Question52: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

Question53: Based on the image, what caused the commit warning?

Question54: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Question55: Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

Question56: Click the Exhibit button below,


A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

Question57: Which CLI command enables an administrator to view details about the firewall including uptime, PAN-
OS® version, and serial number?

Question58: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

Question59: Refer to Exhibit:


A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

Question60: What is exchanged through the HA2 link?

Question61: Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

Question62: A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

Question63: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

Question64: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question65: What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

Question66: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)

Question67: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

Question68: An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A:

B:

C:

D:

E:

Question69: The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

Question70: Refer to the exhibit.

An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A:

B:

C:

D:

Question71: As a best practice, which URL category should you target first for SSL decryption*?

Question72: When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

Question73: A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two )

Question74: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)

Question75: Which CLI command can be used to export the tcpdump capture?

Question76: If the firewall has the link monitoring configuration, what will cause a failover?

Question77: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) received HTTP traffic and host B(10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two)

Question78: An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?

Question79: Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

Question80: Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series
firewalls? (Choose two.)

Question81: A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

Question82: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the
Policies tab.
Which profile is the cause of the missing Policies tab?

Question83: Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

Question84: What is the purpose of the firewall decryption broker?

Question85: How does Panorama handle incoming logs when it reaches the maximum storage capacity?

Question86: How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

Question87: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

Question88: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

Question89: Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).

Question90: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question91: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question92: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

Question93: Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

Question94: If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

Question95: Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

Question96:

Question97: A customer is replacing its legacy remote-access VPN solution Prisma Access has been selected as the replacement During onboarding, the following options and licenses were selected and enabled:

The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users
Which two settings must the customer configure? (Choose two)

Question98: Based on the following image,

what is the correct path of root, intermediate, and end-user certificate?

Question99: Which processing order will be enabled when a Panorama administrator selects the setting "Objects
defined in ancestors will take higher precedence?"

Question100: Which three firewall states are valid? (Choose three.)

Question101: Which CLI command enables an administrator to check the CPU utilization of the dataplane?

Question102: The certificate information displayed in the following image is for which type of certificate?
Exhibit:

Question103: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question104: Which three options are supported in HA Lite? (Choose three.)

Question105: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

Question106: An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

Question107: A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

Question108: What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

Question109: An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

Question110: A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices.
To install the certificate and key for an endpoint, which three components are required? (Choose three.)

Question111: Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

Question112: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

Question113: A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?

Question114: Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

Question115: View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

Question116: N NO: 54
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Question117: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question118: If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

Question119: Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

Question120: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Question121: What are the differences between using a service versus using an application for Security Policy match?

Question122: Which feature prevents the submission of corporate login information into website forms?

Question123: What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

Question124: A customer wants to spin their session load equally across two SD-WAN-enabled interfaces.
Where would you configure this setting?

Question125: Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?

Question126: A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because

Question127: Given these tables:


SVR1 is a webserver hosted in the DMZ zone. The FQDN of www.myserver.com is registered to an external DNS provider and resolves to 203.1.200.123 in the Untrust-L3 zone. Users in the Trust-L3 zone use the external FQDN to access SVR1.
Which NAT rule will process traffic sourced from the Trust-L3 zone destined for SVR1?

Question128: What are three reasons why an installed session can be identified with the application

Question129: An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

Question130: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question131: What are the main benefits of WildFire? (Select the three correct answers.)

Question132: An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

Question133: Which feature prevents the submission of corporate login information into website forms?

Question134: To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves The wireless devices are from various manufacturers Given the scenario, choose the option for sending IP address-to-username mappings to the firewall

Question135: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question136: Which User-ID method maps IP address to usernames for users connecting through a web proxy that has already authenticated the user?

Question137: Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

Question138: What must be used in Security Policy Rule that contain addresses where NAT policy applies?

Question139: An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

Question140: PAN-OS 8.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives?

Question141: An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

Question142: A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)

Question143: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?

Question144: An administrator wants to upgrade an NGFW from PAN-OS® 8.0.2 to PAN-OS® 9.0. The firewall is not a part of an HA pair. What needs to be updated first?

Question145: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question146: An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)


Question147: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question148: in an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

Question149: Which three options are supported in HA Lite? (Choose three.)

Question150: The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

Question151: An administrator needs to implement an NGFW between their DMZ and Core network.
EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

Question152: Several offices are connected with VPNs using static IPV4 routes.
An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

Question153: What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )

Question154: An administrator creates an SSL decryption rule decrypting traffic on all ports.
The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs.
There are three entries. The first entry shows traffic dropped as application Unknown.
The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Question155: Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log?
(Choose two.)

Question156: Which two statements accurately describe how DoS Protection Profiles and Policies mitigate attacks? (Choose two.)

Question157: Which Panorama objects restrict administrative access to specific device-groups?

Question158: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panoram A.
Pre-existing logs from the firewalls are not appearing in PanoramA.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question159: Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack.

Question160: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question161: A users traffic traversing a Palo Alto networks NGFW sometimes can reach http //www company com At other times the session times out. At other times the session times out The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com
goes to http://www company com
How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

Question162: What file type upload is supported as part of the basic WildFire service?

Question163: Which two features does PAN-OS® software use to identify applications? (Choose two)

Question164: The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

Question165: Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?

Question166: Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

Question167: Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question168: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question169: What is the purpose of the firewall decryption broker?

Question170: An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

Question171: The certificate information displayed in the following image is for which type of certificate?
Exhibit:

Question172: Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

Question173: A company hosts a publicly accessible web server behind a Palo Alto Networks next- generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

Question174: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question175: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this case?

Question176: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question177: In High Availability, which information is transferred via the HA data link?

Question178: A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections.
Which two configuration options can be used to correctly categorize their custom database application?
(Choose two.)

Question179: Which three options are supported in HA Lite? (Choose three.)

Question180: Which statement accurately describes service routes and virtual systems?

Question181: The certificate information displayed in the following image is for which type of certificate?
Exhibit:

Question182: Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.

Question183: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps?

Question184: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question185: Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question186: What happens when en A P firewall cluster synchronies IPsec tunnel secunty associations (SAs)?

Question187: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Question188: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Question189: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question190: Panorama provides which two SD_WAN functions? (Choose two.)

Question191: Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question192: Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

Question193: Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)

Question194: What are the differences between using a service versus using an application for Security Policy match?

Question195: Which two features does PAN-OS software use to identify applications? (Choose two)

Question196: An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

Question197: An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A:

B:

C:

D:

Question198: During SSL decryption which three factors affect resource consumption1? (Choose three )

Question199: Given the following table. Which configuration change on the firewall would cause it to use
10.66.24.88 as the next hop for the 192.168.93.0/30 network?

Question200: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question201: An administrator just submitted a newly found piece of spyware for WildFire analysis.
The spyware monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?

Question202: An administrator wants to upgrade an NGFW from PAN-OS 7.1.2 to PAN-OS 8.1.0. The firewall is not a part of an HA pair.
What needs to be updated first?

Question203: A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

Question204: An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS® software can be upgraded?

Question205: A remote administrator needs access to the firewall on an untrust interlace. Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

Question206: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

Question207: Which three fields can be included in a pcap filter? (Choose three)

Question208: What is exchanged through the HA2 link?

Question209: Which protection feature is available only in a Zone Protection Profile?

Question210: A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

Question211: Wildfire may be used for identifying which of the following types of traffic?

Question212: A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

Question213: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

Question214: An administrator has users accessing network resources through Citrix XenApp 7 x.
Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

Question215: In the image, what caused the commit warning?

Question216: For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose
two.)

Question217: An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
Firewall has internet connectivity through e 1/1.

Default security rules and security rules allowing all SSL and web-browsing traffic to and from any

zone.
Service route is configured, sourcing update traffic from e1/1.

A communication error appears in the System logs when updates are performed.

Download does not complete.

What must be configured to enable the firewall to download the current version of PAN-OS software?

Question218: A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)

Question219: SD-WAN is designed to support which two network topology types? (Choose two.)

Question220: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Question221: An engineer must configure the Decryption Broker feature
Which Decryption Broker security chain supports bi-directional traffic flow?

Question222: When configuring the firewall for packet capture, what are the valid stage types?

Question223: When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

Question224: Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

Question225: A
user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question226: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

Question227: Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

Question228: Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)

B)

C)

D)

Question229: A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

Question230: If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

Question231: Support for which authentication method was added in PAN-OS 7.0?

Question232: Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question233: Which User-ID method should be configured to map IP addresses to username for users connected through a terminal server?

Question234: What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

Question235: Which Palo Alto Networks VM-Series firewall is valid?

Question236: Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

Question237: An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

Question238: Which Captive Portal mode must be configured to support MFA authentication?

Question239: An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

Question240: A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

Question241: When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

Question242: An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS® software can be upgraded?

Question243: Which operation will impact the performance of the management plane?

Question244: Which feature prevents the submission of corporate login information into website forms?

Question245: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question246: A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?

Question247: An administrator wants to upgrade an NGFW from PAN-OS 8.0.2 to PAN-OS 9.0. The firewall is not a part of an HA pair. What needs to be updated first?

Question248: How can a candidate or running configuration be copied to a host external from Panorama?

Question249: Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs?
(Choose two)

Question250: A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
* Users outside the company are in the "Untrust-L3" zone
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

Question251: Which feature prevents the submission of corporate login information into website forms?

Question252: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from
192.168.111.3 and to the destination 10.46.41.113?