Question 1 of 50.

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Password-protected access to specific file downloads for authorized users.
Increased speed on downloads of file types that are explicitly enabled.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to
be downloaded.
Mark for follow up

Question 2 of 50.
Which of the following statements is NOT True regarding a Decryption Mirror interface?
Supports SSL outbound
Requires superuser privilege
Supports SSL inbound
Can be a member of any VSYS
Mark for follow up

Question 3 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address
or an Address Object.
True

False

Mark for follow up

Question 4 of 50.
Enabling "Highlight Unused Rules" in the Security Policy window will:
Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the
firewall.
Display rules that caused a validation error to occur at the time a Commit was performed.
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the
firewall.
Highlight all rules that did not match traffic within an administrator-specified time period.

Mark for follow up

Question 5 of 50.
The "Disable Server Response Inspection" option on a Security Profile
Should only be selected on Security Policies that allow traffic to an internal trusted server.
Disables inspection of packets sent to external trusted servers.
Only performs inspection of traffic from the side that sends the TCP SYN-ACK packet.
Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet.
Mark for follow up

Question 6 of 50.
User-ID is enabled in the configuration of
A Zone.
A Security Profile.
An Interface.
A Security Policy.
Mark for follow up

Question 7 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True

False

Mark for follow up

Question 8 of 50.
Security policies specify a source interface and a destination interface.
True

False

Mark for follow up

Question 9 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True

False

Mark for follow up

Question 10 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate
configuration. These changes may be undone by Device > Setup > Operations > Configuration
Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot
Mark for follow up

Question 11 of 50.
When configuring User-ID on a Palo Alto Networks firewall, what is the proper procedure to limit User
mappings to a particular DHCP scope?
In the DHCP settings on the Palo Alto Networks firewall, point the DHCP Relay to the IP address of the User-ID
agent.
In the zone in which User Identification is enabled, create a User Identification ACL Include List using the same
IP ranges as those allocated in the DHCP scope.
In the zone in which User Identification is enabled, select the "Restrict Allocated IP" checkbox.
Under the User Identification settings, under the User Mapping tab, select the "Restrict Users to Allocated IP"
checkbox.
Mark for follow up

Question 12 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding
Rule? (Choose 3.)

Source Zone
Application
Destination Zone
Source User
Mark for follow up

Question 13 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
The MGT interface address.
The local loopback address.
Any layer 3 interface address specified by the firewall administrator.
The default gateway of the firewall.
Mark for follow up

Question 14 of 50.
Which of the following search engines are supported by the "Safe Search Enforcement" option? (Select all
correct answers.)
Bing
Google
Baidu
Yahoo
Mark for follow up

Question 15 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the
firewall has "Safe Search Enforcement" Enabled?
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
A block page will be presented with instructions on how to set the strict Safe Search option for the Google
search.
The user will be redirected to a different search site that is specified by the firewall administrator.

Mark for follow up

Question 16 of 50.
Which of the following describes the sequence of the GlobalProtect Agent connecting to a GlobalProtect
Gateway?
The Agent connects to the Portal and uses a round-robin rule to establish a connection to the next available
Gateway.
The Agent connects to the Portal, obtains a list of Gateways, and connects to the Gateway with the fastest
PING response time.
The Agent connects to the Portal, obtains a list of Gateways, and connects to the Gateway with the fastest SSL
response time.
The Agent connects to the closest Gateway and sends the HIP report to the Portal.
Mark for follow up

Question 17 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
devicereader
deviceadmin
read/write
superuser
Mark for follow up

Question 18 of 50.

The screenshot above shows part of a firewalls configuration. If ping traffic can traverse this device from
e1/2 to e1/1, which of the following statements must be True about this firewalls configuration? (Select all
correct answers.)
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and
e1/2.)
There must be a security policy from Internet zone to trust zone that allows ping.
There must be a security policy from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.

Mark for follow up

Question 19 of 50.
Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual
systems?
A custom admin role must be created for this specific combination of rights.
vsysadmin
Device Administrator
Superuser
Mark for follow up

Question 20 of 50.
What is the result of an Administrator submitting a WildFire reports verdict back to Palo Alto Networks as
Incorrect?
You will receive an update within 15 minutes.
The signature will be updated for False positive and False negative files in the next Application signature
update.
The signature will be updated for False positive and False negative files in the next AV signature update.
You will receive an email to disable the signature manually.
Mark for follow up

Question 21 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.
An Authentication Profile.
An Authentication Sequence.
Mark for follow up

Question 22 of 50.

Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To
enable this feature within the GUI go to
Network > Network Profiles > Zone Protection
Objects > Zone Protection
Interfaces > Interface Number > Zone Protection
Policies > Profile > Zone Protection
Mark for follow up

Question 23 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security
Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed
Mark for follow up

Question 24 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Anti-virus
Mark for follow up

Question 25 of 50.
How do you reduce the amount of information recorded in the URL Content Filtering Logs?
Enable "Log container page only".
Disable URL packet captures.
Enable URL log caching.

Enable DSRI.
Mark for follow up

Question 26 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in PBF
Decryption Profile in Security Profile
Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Mark for follow up

Question 27 of 50.
Which of the following CANNOT use the source user as a match criterion?
DoS Protection
Policy Based Forwarding
QoS
Secuirty Policies
Anti-virus Profile
Mark for follow up

Question 28 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True

False

Mark for follow up

Question 29 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)

Applications
Anti-virus
Applications and Threats
BrightCloud URL Filtering
Mark for follow up

Question 30 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
Last match applied.
First match applied.
The rule with the highest rule number is applied.
Most specific match applied.
Mark for follow up

Question 31 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the
following also prevents "Split-Brain"?
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2
link.
Configuring an independent backup HA1 link.
Under Packet Forwarding, selecting the VR Sync checkbox.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Mark for follow up

Question 32 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes

Mark for follow up

No

Question 33 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Heartbeat and Session Monitors
Path and Link Monitoring
Link and Session Monitors
VR and VSYS Monitors
Mark for follow up

Question 34 of 50.
Will an exported configuration contain Management Interface settings?
Yes

No

Mark for follow up

Question 35 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
System defaults may be restored by performing a factory reset in Maintenance Mode.
Initial configuration may be accomplished thru the MGT interface or the Console port.
The Admin account may not be disabled.
The Admin account may be disabled.
Mark for follow up

Question 36 of 50.
Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv1
ISIS
RSTP

Mark for follow up

Question 37 of 50.
Which of the following are necessary components of a GlobalProtect solution?
GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect Server
GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Server
GlobalProtect Gateway, GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect
Server
GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal
Mark for follow up

Question 38 of 50.
In an Anti-virus profile, setting the action to "Block" for IMAP and POP3 decoders will result in which of the
following actions?
The firewall with this Anti-virus profile will behave as if an "Alert" is the specified action, and the server sending
the email will attempt to re-send it.
The firewall will send an HTTP 404 error message back to the server that is attempting to send the email.
All email messages sent using the IMAP or POP3 protocols will be dropped by the firewall, even if they are not
infected with a virus.
Its not possible to set an Anti-virus profile action to Block IMAP and POP3 traffic.
Mark for follow up

Question 39 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
IGRP
EIGRP
ISIS
RIPv2
Mark for follow up

Question 40 of 50.

As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not
knowing they are attempting to access a blocked web-based application, users call the Help Desk to
complain about network connectivity issues. What is the cause of the increased number of help desk calls?
Some App-ID's are set with a Session Timeout value that is too low.
The File Blocking Block Page was disabled.
Application Block Pages will only be displayed when Captive Portal is configured.
The firewall admin did not create a custom response page to notify potential users that their attempt to access
the web-based application is being blocked due to policy.
Mark for follow up

Question 41 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000
Mark for follow up

Question 42 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Address Objects
Vulnerability Profiles
Zones
Service Groups
Mark for follow up

Question 43 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other
web-browsing traffic?
Create an additional rule that blocks all other traffic.
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.

When creating the policy, ensure that web-browsing is included in the same rule.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will
automatically include the implicit web-browsing application dependency.
Mark for follow up

Question 44 of 50.
What are two sources of information for determining whether the firewall has been successful in
communicating with an external User-ID Agent?
System Logs and Authentication Logs.
System Logs and the indicator light under the User-ID Agent settings in the firewall.
Traffic Logs and Authentication Logs.
System Logs and an indicator light on the chassis.
Mark for follow up

Question 45 of 50.
WildFire may be used for identifying which of the following types of traffic?
DHCP
Malware
RIPv2
OSPF
Mark for follow up

Question 46 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Configurable up to 10 megabytes.
Always 10 megabytes.
Configurable up to 2 megabytes.
Always 2 megabytes.
Mark for follow up

Question 47 of 50.
What is the function of the GlobalProtect Portal?
To maintain the list of Global Protect Gateways and specify HIP data that the agent should report.
To load-balance GlobalProtect client connections to GlobalProtect Gateways.
To maintain the list of remote GlobalProtect Portals and the list of categories for checking the client machine.
To provide redundancy for tunneled connections through the GlobalProtect Gateways.
Mark for follow up

Question 48 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True

False

Mark for follow up

Question 49 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span
port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most
likely explains this behavior?
There is no zone assigned to the interface.
The interface is not assigned an IP address.
The interface is not assigned a virtual router.
The interface is not up.
Mark for follow up

Question 50 of 50.
Which of the following facts about dynamic updates is correct?
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.

Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and Threat and URL Filtering updates are
released weekly.
Mark for follow up

Save / Return Later

Summary