EMT Practice Test

1. Question Content...


Question List

Question1: Given the following table. Which configuration change on the firewall would cause it to use
10.66.24.88 as the next hop for the 192.168.93.0/30 network?

Question2: What is the function of a service route?

Question3: In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

Question4: A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?

Question5: Your company has to Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized.
Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

Question6: Which feature prevents the submission of corporate login information into website forms?

Question7: An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at
10.1.1.22.
Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

Question8: You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For Which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three)

Question9: What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Question10: An administrator is attempting to create policies tor deployment of a device group and template stack.
When creating the policies, the zone drop down list does not include the required zone.
What must the administrator do to correct this issue?

Question11: On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

Question12: Which three rule types are available when defining policies in Panorama? (Choose three.)

Question13: Several offices are connected with VPNs using static IPv4 routes.
An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

Question14: An engineer needs to configure a standardized template for all Panorama-managed firewalls.
These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)

Question15: An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?

Question16: How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

Question17: Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Question18: When configuring the firewall for packet capture, what are the valid stage types?

Question19: When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

Question20: The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?

Question21: An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users.
What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?

Question22: An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.
What should an administrator configure to route interesting traffic through the VPN tunnel?

Question23: What are two valid deployment options for Decryption Broker? (Choose two)

Question24: An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

Question25: A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

Question26: Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

Question27: How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

Question28: An engineer discovers the management interface is not routable to the User-ID agent.
What configuration is needed to allow the firewall to communicate to the User-ID agent?

Question29: What is the maximum number of samples that can be submitted to WildFire manually per day?

Question30: After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit with the following details.

What are two s for this type of issue? (Choose two)

Question31: An administrator has configured a pair of firewalls using high availability in Active/Passive mode.
Path Monitoring has been enabled with a Failure Condition of "any."
A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.
Which scenario will cause the Active firewall to fail over?

Question32: How can a candidate or running configuration be copied to a host external from Panorama?

Question33: What is exchanged through the HA2 link?

Question34: An engineer must configure the Decryption Broker feature.
Which Decryption Broker security chain supports bi-directional traffic flow?

Question35: A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed.
While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.
The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.
What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

Question36: Which event will happen if an administrator uses an Application Override Policy?

Question37: When you configure an active/active high availability pair, which two links can you use? (Choose two.)

Question38: Which statement is true regarding a Best Practice Assessment?

Question39: A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

Question40: After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

Question41: Which hardware firewall platforms include both built-in front-to-back airflow and redundant power supplies?

Question42: Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?

Question43: How can packet buffer protection be configured?

Question44: Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

Question45: Refer to the diagram. An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups.
Where will the object need to be created within the device-group hierarchy?

Question46: What is the purpose of the firewall decryption broker?

Question47: Which log type would provide information about traffic blocked by a Zone Protection profile?

Question48: Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

Question49: An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS® software can be upgraded?

Question50: Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

Question51: A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access?
(Choose three.)

Question52: A company has configured a URL Filtering profile with override action on their firewall.
Which two profiles are needed to complete the configuration? (Choose two.)

Question53: What is the URL for the full list of applications recognized by Palo Alto Networks?

Question54: When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

Question55: An administrator troubleshoots an issue that causes packet drops.
Which log type will help the engineer verify whether packet buffer protection was activated?

Question56: Drag and Drop Question
Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack.

Question57: The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install.
When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

Question58: An engineer troubleshoots an issue that causes packet drops.
Which command should the engineer run in the CLI to see if packet buffer protection is enabled and activated?

Question59: An engineer is pushing configuration from Panorama lo a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

Question60: Which option is part of the content inspection process?

Question61: Only two Trust to Untrust allow rules have been created in the Security policy
- Rule1 allows google-base
- Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

Question62: Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

Question63: When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay?

Question64: Which statement is true regarding a heatmap in a BPA report?

Question65: Which two events trigger the operation of automatic commit recovery? (Choose two.)

Question66: What steps should a user take to increase the NAT oversubscription rate from the default platform setting?

Question67: An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?

Question68: Before you upgrade a Palo Alto Networks NGFW what must you do?

Question69: Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

Question70: Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the local firewall? (Choose three.)

Question71: Which statement about High Availability timer settings is true?

Question72: A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface.
Which interface type and configuration setting will support this design?

Question73: An engineer is configuring a firewall with three interfaces:
- MGT connects to a switch with internet access.
- Ethernet1/1 connects to an edge router.
- Ethernet1/2 connects to a virtualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic.
What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

Question74: What is considered the best practice with regards to zone protection?

Question75: The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?

Question76: Which of the following are critical features of a Next Generation Firewall that provide Breach prevention? Choose two.

Question77: Which CLI command is used to determine how much disk space is allocated to logs?

Question78: What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

Question79: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach
http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question80: An administrator receives the following error message:
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?

Question81: In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

Question82: The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

Question83: What happens when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address?

Question84: View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?

Question85: A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?

Question86: What are three tasks that cannot be configured from Panorama by using a template stack?
(Choose three)

Question87: What are two characteristic types that can be defined for a variable? (Choose two)

Question88: In order to route traffic between layer 3 interfaces on the PAN firewall you need:

Question89: Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

Question90: Which processing order will be enabled when a Panorama administrator selects the setting
"Objects defined in ancestors will take higher precedence?"

Question91: An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN- OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method?
(Choose two.)

Question92: An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.
When overriding the firewall configuration pushed from Panorama, what should you consider?

Question93: A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.
Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

Question94: Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

Question95: What are the main benefits of WildFire? (Select the three correct answers.)

Question96: A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?

Question97: The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.
Why is the AE interface showing down on the passive firewall?

Question98: Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).

Question99: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

Question100: An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)

Question101: Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

Question102: How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?

Question103: When setting up a security profile, which three items can you use? (Choose three.)

Question104: Which protection feature is available only in a Zone Protection Profile?

Question105: An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)

Question106: A customer wants to set up a site-to-site VPN using tunnel interfaces.
What format is the correct naming convention for tunnel interfaces?

Question107: During SSL decryption which three factors affect resource consumption1? (Choose three )

Question108: When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Question109: Which Palo Alto Networks VM-Series firewall is valid?

Question110: Which CLI command displays the current management plane memory utilization?

Question111: During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

Question112: Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

Question113: Which CLI command displays the physical media that are connected to ethernetl/8?

Question114: An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?

Question115: A client wants to detect the use of weak and manufacturer-default passwords for loT devices.
Which option will help the customer?

Question116: Refer to the exhibit. Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

Question117: A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

Question118: A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.
Which configuration is necessary to retrieve groups from Panorama?

Question119: The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two)

Question120: In URL filtering, which component matches URL patterns?

Question121: To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices. You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP address-to-username mappings to the firewall

Question122: A network administrator wants to use a certificate for the SSL/TLS Service Profile.
Which type of certificate should the administrator use?

Question123: Which DoS protection mechanism detects and prevents session exhaustion attacks?

Question124: Refer to the screenshots. Without the ability to use Context Switch, where do admin accounts need to be configured in order to provide admin access to Panorama and to the managed devices?

Question125: Which device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Question126: A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.
What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

Question127: What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from
192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

Question128: An auditor has requested that roles and responsibilities be split inside the security team. Group A will manage templates, and Group B will manage device groups inside Panorama.
Which two specific firewall configurations will Group B manage? (Choose two.)

Question129: A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti- Spyware and select default profile.
What should be done next?

Question130: Refer to Exhibit. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address.
He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

Question131: An engineer must configure the Decryption Broker feature. To which router must the engineer assign the decryption forwarding interfaces that are used in Decryption Broker security chain?

Question132: An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)

Question133: An engineer is configuring Packet Buffer Protection on ingress zones to protect from single- session DoS attacks.
Which sessions does Packet Buffer Protection apply to?

Question134: The same route appears in the routing table three times using three different protocols.
Which mechanism determines how the firewall chooses which route to use?

Question135: Your company wants greater visibility into their traffic and has asked you to start planning an SSL Decryption project. The company does not have a PKI infrastructure, and multiple certificates would be needed for this project. Which type of certificate can you use to generate other certificates?

Question136: Which statement accurately describes service routes and virtual systems?

Question137: A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair.
What allows the firewall administrator to determine the last date a failover event occurred?

Question138: Which protocol is supported by GlobalProtect Clientless VPN?

Question139: A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

Question140: People are having intermittent quality issues during a live meeting via a web application.
How can the performance of this application be improved?

Question141: An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)

Question142: An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of SSL traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)

Question143: An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

Question144: An administrator needs to assign a specific DNS server to one firewall within a device group.
Where would the administrator go to edit a template variable at the device level?

Question145: Given the screenshot, how did the firewall handle the traffic?

Question146: An administrator has configured a pair of firewalls using high availability in Active/Passive mode.
Link and Path Monitoring is enabled with the Failure Condition set to `any`.
There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to `all`.
Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

Question147: An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:

What could be the cause of this problem?

Question148: A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. The company's engineers made configuration changes to the switches on both network segments, and connected them to the new firewall.
Soon after the cutover, however, users began to complain about latency and some servicers stopped communicating. There are no security policies that deny traffic between the two networks segments. You suspect that there is an interface misconfiguration on Ethernet 1/1.
Which two commands should be used to troubleshoot the issue? (Choose two)

Question149: How quickly are Wildfire updates about previously unknown files now being delivered from the cloud to customers with a WildFire subscription (as of version 6.1)?

Question150: An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used.
After looking at the configuration, the administrator believes that the firewall is not using a static route.
What are two reasons why the firewall might not use a static route? (Choose two.)

Question151: A network security engineer has a requirement to allow an external server to access an internal web server.
The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

Question152: Which is not a valid reason for receiving a decrypt-cert-validation error?

Question153: Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

Question154: An administrator would like to determine which action the firewall will take for a specific CVE.

Given the screenshot below, where should the administrator navigate to view this information?

Question155: Which Panorama administrator types require the configuration of at least one access domain?
(Choose two.)

Question156: True or False: One of the advantages of Single Pass Parallel Processing (SP3) is that traffic can be scanned as it crosses the firewall with minimum amount of buffering, which in turn can allow advanced features like virus/malware scanning without effecting firewall performance

Question157: An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?

Question158: In an enterprise deployment, a network security engineer wants to assign rights to a group of administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?

Question159: Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

Question160: What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

Question161: A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

Question162: While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column What best explains these occurrences?

Question163: As a best practice, logging at session start should be used in which case?

Question164: A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing.
What command could the engineer run to see the current state of the BGP state between the two devices?

Question165: On March 10, 2016, between 11:00 am and 11:30 am, users reported that web-browsing traffic to the IP address 1.1.1.1 failed.
Which filter can be applied to the traffic logs to show how many users were affected during this time frame?

Question166: An administrator notices interface ethernet1/2 failed on the active firewall in an active I passive firewall high availability(HA) pair.

Based on the image below, what - if any - action was taken by the active firewall when the link failed?

Question167: Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Question168: In a Panorama template, which three types of objects are configurable? (Choose three.)

Question169: TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation Firewalls) just to gain previously unavailable levels of visibility into their traffic flows.

Question170: In a firewall, which three decryption methods are valid? (Choose three )

Question171: An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.
What is the minimum amount of bandwidth the administrator could configure at the compute location?

Question172: A network administrator notices there is a false-positive situation after enabling Security profiles.
When the administrator checks the threat prevention logs, the related signature displays:
threat type: spyware category: dns-c2 threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?

Question173: An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Question174: Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question175: Which feature can be configured on VM-Series firewalls?

Question176: An administrator wants to enable zone protection.
Before doing so, what must the administrator consider?

Question177: An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.
Which three parts of a template an engineer can configure? (Choose three.)

Question178: An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

Question179: An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls.
The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

Question180: Refer to exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms?

Question181: Which three authentication factors does PAN-OS@software support for MFA? (Choose three.)

Question182: Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

Question183: A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.
When creating a new rule, what is needed to allow the application to resolve dependencies?

Question184: Which states will a pair of firewalls be in if their HA Group ID is mismatched?

Question185: An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up.
If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?

Question186: An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

Question187: A firewall administrator wants to avoid overflowing the company syslog server with traffic logs.
What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?

Question188: Which two statements accurately describe how DoS Protection Profiles and Policies mitigate attacks? (Choose two.)

Question189: An engineer is configuring SSL Inbound Inspection for public access to a company's application.
Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Question190: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS?software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question191: What are the three key components of a successful Three Tab Demo? (Select the three correct answers.)

Question192: How does Panorama handle incoming logs when it reaches the maximum storage capacity?

Question193: Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

Question194: An engineer needs to see how many existing SSL decryption sessions are traversing a firewall What command should be used?

Question195: A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server, www.xyz.com. The DNS server returns an address of
172.16.15.1.
In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?

Question196: Which new PAN-OS 11.0 feature supports IPv6 traffic?

Question197: Which CLI command can be used to export the tcpdump capture?

Question198: An engineer is creating a security policy based on Dynamic User Groups (DUG) What benefit does this provide?

Question199: An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

Question200: An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool with a decrypt mirror interface.
Which statement is true regarding the configuration of the Decryption Port Mirroring feature?

Question201: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question202: YouTube videos are consuming too much bandwidth on the network, causing delays in mission- critical traffic. The administrator wants to throttle YouTube traffic.
The following interfaces and zones are in use on the firewall:
- ethernet 1/1, Zone: Untrust (Internet-facing)
- ethernet 1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet 1/1 has a QoS profile called Outbound, and interface Ethernet 1/21 has a QoS profile called Inbound.
Which setting for Class 6 will throttle YouTube traffic?

Question203: Which log file can be used to identify SSL decryption failures?

Question204: A traffic log might list an application as "not-applicable" for which two reasons? (Choose two )

Question205: A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

Question206: What is the dependency for users to access services that require authentication?

Question207: What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

Question208: At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?

Question209: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question210: A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?

Question211: Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces? (Choose two)

Question212: Which benefit do policy rule UUlDs provide?

Question213: Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

Question214: What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )

Question215: A security engineer received multiple reports of an IPSec VPN tunnel going down the night before. The engineer couldn't find any events related to VPN under system logs.
What is the likely cause?

Question216: Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

Question217: An administrator needs to identify which NAT policy is being used for internet traffic.
From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?

Question218: Which Panorama mode should be used so that all logs are sent to, and only stored in. Cortex Data Lake?

Question219: An administrator has users accessing network resources through Citrix XenApp 7 x.
Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

Question220: Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

Question221: What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Question222: Which three external services perform both authentication and authorization for administration of firewalls? (Choose three.)

Question223: After Migrating from an ASA firewall to a Palo Alto Networks Firewall, the VPN connection between a remote network and the Palo Alto Networks Firewall is not establishing correctly.
The following entry is appearing in the logs:
Pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message?

Question224: A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?

Question225: Which Captive Portal mode must be configured to support MFA authentication?

Question226: An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS® software?

Question227: A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.


What should the NAT rule destination zone be set to?

Question228: An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.
What part of the network profile configuration should the engineer verify?

Question229: Drag and Drop Question
Please match the terms to their corresponding definitions.

Question230: Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Question231: When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

Question232: Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

Question233: A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

Question234: The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.
Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

Question235: Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Question236: Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity.
The administrator wants to determine where the traffic is going on the company.

What would be the administrator's next step?

Question237: Which virtual router feature determines if a specific destination IP address is reachable?

Question238: A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perimeter firewall will allow the identification of existing infected hosts in an environment?

Question239: What are the differences between using a service versus using an application for Security Policy match?

Question240: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question241: With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

Question242: A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?

Question243: Which two features require another license on the NGFW? (Choose two.)

Question244: PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives?

Question245: An administrator wants to upgrade an NGFW from PAN-OS® 7.1.2 to PAN-OS® 8.0.2. The firewall is not a part of an HA pair.
What needs to be updated first?

Question246: What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

Question247: An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

Question248: You need to allow users to access the office-suite applications of their choice.
How should you configure the firewall to allow access to any office-suite application?

Question249: An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

Question250: Which method will dynamically register tags on the Palo Alto Networks NGFW?

Question251: Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?

Question252: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

Question253: Which command can be used to validate a Captive Portal policy?

Question254: An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)

Question255: Which three firewall states are valid? (Choose three.)

Question256: A network engineer is troubleshooting a VPN and wants to verify whether the decapsulation/encapsulation counters are increasing.
Which CLI command should the engineer run?

Question257: An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

Question258: Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)

Question259: A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

Question260: An administrator needs to determine why users on the trust zone cannot reach certain websites.
The only information available is shown on the following image.
Which configuration change should the administrator make?

Question261: A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment.
]They want to ensure that they know as much as they can about QoS before deploying.
Which statement about the QoS feature is correct?

Question262: An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT.
Which type of certificate must be installed?

Question263: An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

Question264: To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Question265: An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?

Question266: Which field is optional when creating a new Security Police rule?

Question267: Which hardware platform should I consider if the customer needs at least 1 Gbps of Threat Prevention throughput and the ability to handle at least 250K sessions?

Question268: Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

Question269: During the packet flow process, which two processes are performed in application identification?
(Choose two.)

Question270: True or False: PAN-DB is a service that aligns URLs with category types and is fed to the WildFire threat cloud.

Question271: The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

Question272: Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

Question273: Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?

Question274: Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

Question275: Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

Question276: A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to
11.0.x to take advantage of the newTLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

Question277: An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

Question278: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Question279: In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

Question280: Wildfire may be used for identifying which of the following types of traffic?

Question281: Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

Question282: When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log.
What will be the destination IP address in that log entry?

Question283: What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator?

Question284: An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane.
Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

Question285: The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall?
(Choose two)

Question286: An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

Question287: A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

Question288: Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.
Which method can capture IP-to-user mapping information for users on the Linux machines?

Question289: An administrator analyzes the following portion of a VPN system log and notices the following issue:
`Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id
10.1.10.4/24 type IPv4 address protocol 0 port 0.`
What is the cause of the issue?

Question290: An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended" state due to Non-functional loop.
Which three actions will help the administrator resolve this issue? (Choose three.)

Question291: The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

Question292: A firewall has Security policies from three sources:
1. locally created policies
2. shared device group policies as pre-rules
3. the firewall's device group as post-rules
How will the rule order populate once pushed to the firewall?

Question293: A variable name must start with which symbol?

Question294: How are IPV6 DNS queries configured to user interface ethernet1/3?

Question295: The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalPortect Portal?

Question296: A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama.
In which section is this configured?

Question297: Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Question298: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

Question299: Which source is the most reliable for collecting User-ID user mapping?

Question300: Which benefit do policy rule UUIDs provide?

Question301: An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Question302: Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?

Question303: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in PanoramA.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question304: An engineer is tasked with configuring SSL forward proxy for traffic going to external sites. Which of the following statements is consistent with SSL decryption best practices?

Question305: An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing as down.

What could an administrator do to troubleshoot the issue?

Question306: In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely which protocol should you select when adding a new scheduled config export?

Question307: An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?

Question308: An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?

Question309: An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.
How should the administrator identify the configuration changes?

Question310: Refer to the exhibit.

An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama.
The configuration problem seems to be on the firewall side.
Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

Question311: An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?

Question312: A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny".
Which action will this configuration cause on the matched traffic?

Question313: An administrator needs to gather information about the CPU utilization on both the management plane and the data plane.
Where does the administrator view the desired data?

Question314: Ethernet1/1 has been configured with the following subinterfaces:

The following security policy rule is applied:

The Interface Management Profile permits the following:

A customer is trying to ping 10.10.10.1 from VLAN 799 IP 10.10.10.2/24.
What will be the result of this ping?