EMT Practice Test

1. Question Content...


Question List

Question1: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

Question2: A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software Why did the bootstrap process fail for the VM-Series firewall in Azure?

Question3: An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

Question4: Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Question5: Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

Question6: Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

Question7: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question8: As a best practice, which URL category should you target first for SSL decryption*?

Question9: When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

Question10: A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

Question11: An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

Question12: Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two)

Question13: An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface What are three supported functions on the VWire interface? (Choose three )

Question14: What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Question15: A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti-Spyware and select default profile.
What should be done next?

Question16: Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"

Question17: Which logs enable a firewall administrator to determine whether a session was decrypted?

Question18: Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

Question19: To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves The wireless devices are from various manufacturers Given the scenario, choose the option for sending IP address-to-username mappings to the firewall

Question20: A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

Question21: Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

Question22: An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

Question23: Which GlobalProtect component must be configured to enable Clientless VPN?

Question24: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

Question25: Given the following configuration, which route is used for destination 10.10.0.4?

Question26: Which feature prevents the submission of corporate login information into website forms?

Question27: A network engineer has revived a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue?

Question28: Which command can be used to validate a Captive Portal policy?

Question29: Which Captive Portal mode must be configured to support MFA authentication?

Question30: Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)

Question31: Which operation will impact performance of the management plane?

Question32: If the firewall has the link monitoring configuration, what will cause a failover?

Question33: To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure.

Question34: Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

Question35: To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Question36: A remote administrator needs access to the firewall on an untrust interlace. Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

Question37: Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

Question38: Which option is part of the content inspection process?

Question39: An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.
All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

Question40: An engineer must configure a new SSL decryption deployment
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Question41: Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

Question42: An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed Which Panorama tool can help this organization?

Question43: When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

Question44: Which three options are supported in HA Lite? (Choose three.)

Question45: Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

Question46: A customer is replacing their legacy remote access VPN solution The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients.
Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled

What must be configured on Prisma Access to provide connectivity to the resources in the datacenter?

Question47: Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log?
(Choose two.)

Question48: Which log file can be used to identify SSL decryption failures?

Question49: When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

Question50: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question51: In the following image from Panorama, why are some values shown in red?

Question52: A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

Question53: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

Question54: Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

Question55: A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface Which interface type and configuration setting will support this design?

Question56: Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

Question57: Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

Question58: Which CLI command enables an administrator to check the CPU utilization of the dataplane?

Question59: Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?

Question60: Which option is an IPv6 routing protocol?

Question61: A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

Question62: Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

Question63: An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.
What is the minimum amount of bandwidth the administrator could configure at the compute location?

Question64: An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

Question65: Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.

Question66: Which protocol is supported by GlobalProtect Clientless VPN?

Question67: Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)

B)

C)

D)

Question68: Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the
192.168.93.0/30 network?

Question69: Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)

Question70: Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

Question71: The UDP-4501 protocol-port is used between which two GlobalProtect components?

Question72: A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall Which part of files needs to be imported back into the replacement firewall that is using Panorama?

Question73: An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

Question74: An administrator wants to enable zone protection
Before doing so, what must the administrator consider?

Question75: Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

Question76: An administrator needs to upgrade an NGFW to the most current version of PAN-OS software. The following is occurring:
*Firewall has Internet connectivity through e1/1.
*Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
*Service route is configured, sourcing update traffic from e1/1.
*A communication error appears in the System logs when updates are performed.
*Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

Question77: Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

Question78: An administrator receives the following error message:
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
How should the administrator identify the root cause of this error message?

Question79: An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?

Question80: Refer to the exhibit.

Which certificate can be used as the Forward Trust certificate?

Question81: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps?

Question82: An engines must configure the Decryption Broker feature To which router must the engineer assign the decryption forwarding interfaces that are used m the Decryption Broker security Chain?

Question83: Which interface configuration will accept specific VLAN IDs?

Question84: Please match the terms to their corresponding definitions.

Question85: To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

Question86: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Question87: A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

Question88: An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant Which two statements are correct regarding the bootstrap package contents? (Choose two )

Question89: Which three options does the WF-500 appliance support for local analysis? (Choose three)

Question90: Which method will dynamically register tags on the Palo Alto Networks NGFW?

Question91: What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

Question92: What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

Question93: What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

Question94: A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

Question95: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

Question96: A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

Question97: In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

Question98: SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https
//www important-website com certificate End-users are receiving me "security certificate is not trusted is warning Without SSL decryption the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root- CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1 End-users must not get the warning for the https://www.very-important-website.com website.
2 End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?

Question99: An engineer is in the planning stages of deploying User-ID in a diverse directory services environment.
Which server OS platforms can be used for server monitoring with User-ID?

Question100: During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons.
In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

Question101: An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks Which sessions does Packet Buffer Protection apply to?

Question102: An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.
How should the administrator identify the configuration changes?

Question103: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question104: Which User-ID method maps IP address to usernames for users connecting through a web proxy that has already authenticated the user?

Question105: Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

Question106: Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three )

Question107:
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?

Question108: A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

Question109: A variable name must start with which symbol?

Question110: Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Question111: How does Panorama handle incoming logs when it reaches the maximum storage capacity?

Question112: Which two features require another license on the NGFW? (Choose two.)

Question113: An administrator is building Security rules within a device group to block traffic to and from malicious locations How should those rules be configured to ensure that they are evaluated with a high priority?

Question114: A customer wants to spin their session load equally across two SD-WAN-enabled interfaces.
Where would you configure this setting?

Question115: An administrator needs to gather information about the CPU utilization on both the management plane and the data plane Where does the administrator view the desired data?

Question116: Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

Question117: In a Panorama template which three types of objects are configurable? (Choose three)

Question118: What are two benefits of nested device groups in Panorama? (Choose two.)

Question119: An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

Question120: Which three rule types are available when defining policies in Panorama? (Choose three.)

Question121: An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However , YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

Question122: VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Question123: Which Panorama objects restrict administrative access to specific device-groups?

Question124: How can packet butter protection be configured?

Question125: An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Question126: The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

Question127: A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.
Which security Profile type will prevent these behaviors?

Question128: in URL filtering, which component matches URL patterns?

Question129: An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS software can be upgraded?

Question130: Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Question131: An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

Question132: What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?

Question133: A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.
What is the correct setting?

Question134: A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices.
To install the certificate and key for an endpoint, which three components are required? (Choose three.)

Question135: A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

Question136: With the default TCP and UDP settings on the firewall what will be me identified application in the following session?

Question137: A network security engineer has a requirement to allow an external server to access an internal web server.
The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?