EMT Practice Test

1. Question Content...


Question List

Question1: What is considered the best practice with regards to zone protection?

Question2: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question3: An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory What must be configured in order to select users and groups for those rules from Panorama?

Question4: What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Question5: A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?

Question6: What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

Question7: A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent performance?

Question8: Which statement is true regarding a Best Practice Assessment?

Question9: Before you upgrade a Palo Alto Networks NGFW, what must you do?

Question10: When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )

Question11: An administrator analyzes the following portion of a VPN system log and notices the following issue
"Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?

Question12: Which data flow describes redistribution of user mappings?

Question13: An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A)


C)

D)

Question14: An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.
What are two reasons why the firewall might not use a static route? (Choose two.)

Question15: What is the best description of the HA4 Keep-Alive Threshold (ms)?

Question16: In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

Question17: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Question18: What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

Question19: What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

Question20: SAML SLO is supported for which two firewall features? (Choose two.)

Question21: An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks Which sessions does Packet Buffer Protection apply to?

Question22: WildFire will submit for analysis blocked files that match which profile settings?

Question23: A customer is replacing their legacy remote access VPN solution The current solution is in place to secure only internet egress for the connected clients Prisma Access has been selected to replace the current remote access VPN solution During onboarding the following options and licenses were selected and enabled
- Prisma Access for Remote Networks 300Mbps
- Prisma Access for Mobile Users 1500 Users
- Cortex Data Lake 2TB
- Trusted Zones trust
- Untrusted Zones untrust
- Parent Device Group shared
How can you configure Prisma Access to provide the same level of access as the current VPN solution?

Question24: An engineer must configure the Decryption Broker feature
Which Decryption Broker security chain supports bi-directional traffic flow?

Question25: SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https //www important-website com certificate End-users are receiving me "security certificate is not trusted is warning Without SSL decryption the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root- CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1 End-users must not get the warning for the https://www.very-important-website.com website.
2 End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?

Question26: During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

Question27: Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three )

Question28: A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software Why did the bootstrap process fail for the VM-Series firewall in Azure?

Question29: A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

Question30: A network administrator wants to use a certificate for the SSL/TLS Service Profile.
Which type of certificate should the administrator use?

Question31: A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want to ensure that they know as much as they can about QoS before deploying.
Which statement about the QoS feature is correct?

Question32: Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Question33: What is the function of a service route?

Question34: When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

Question35: Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Question36: A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

Question37: An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization1?