Palo Alto Questions + Answers

Business, Finance, Economics, Accounting, Operations Management, Computer Science, Electrical Engineering, Mechanical Engineering, Civil Engineering, Chemical Engineering, Algebra, Precalculus, Statistics and Probabilty, Advanced Math, Physics, Chemistry, Biology, Nursing, Psychology, Certifications, Tests, Prep, and more.
Post Reply
answerhappygod
Site Admin
Posts: 899603
Joined: Mon Aug 02, 2021 8:13 am

Palo Alto Questions + Answers

Post by answerhappygod »

Question 1 ( Topic 1 )
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
A. True
B. False


Answer : A

Question 2 ( Topic 1 )
Color-coded tags can be used on all of the items listed below EXCEPT:
A. Address Objects
B. Zones
C. Service Groups
D. Vulnerability Profiles


Answer : D

Question 3 ( Topic 1 )
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of UserID?
A. Domain Controller
B. SSL Certificates
C. RIPv2
D. Network Access Control (NAC) device


Answer : ABD

Question 4 ( Topic 1 )
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web browsing traffic?
A. Create an additional rule that blocks all other traffic.
B. When creating the policy, ensure that webbrowsing is included in the same rule.
C. Ensure that the Service column is defined as "applicationdefault" for this Security policy. Doing this will automatically include the implicit webbrowsing application dependency.
D. Nothing. You can depend on PANOS to block the webbrowsing traffic that is not needed for Facebook use.


Answer : D

Question 5 ( Topic 1 )
As the Palo Alto Networks Administrator responsible for UserID, you need to enable mapping of network users that do not sign in using LDAP. Which information source would allow for reliable UserID mapping while requiring the least effort to configure?
A. Active Directory Security Logs
B. WMI Query
C. Captive Portal
D. Exchange CAS Security logs


Answer : A


Question 6 ( Topic 1 )
Which of the following CANNOT use the source user as a match criterion?
A. Policy Based Forwarding
B. Secuirty Policies
C. QoS
D. DoS Protection
E. Antivirus Profile


Answer : E

Question 7 ( Topic 1 )
Which statement below is True?
A. PANOS uses BrightCloud as its default URL Filtering database, but also supports PANDB.
B. PANOS uses PANDB for URL Filtering, replacing BrightCloud.
C. PANOS uses BrightCloud for URL Filtering, replacing PANDB.
D. PANOS uses PANDB as the default URL Filtering database, but also supports BrightCloud.


Answer : D

Question 8 ( Topic 1 )
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSHtunnel AppID?
A. SSH Proxy
B. SSL Forward Proxy
C. SSL Inbound Inspection
D. SSL Reverse Proxy


Answer : A

Question 9 ( Topic 1 )
What are two sources of information for determining whether the firewall has been successful in communicating with an external UserID Agent?
A. System Logs and the indicator light under the UserID Agent settings in the firewall.
B. Traffic Logs and Authentication Logs.
C. System Logs and an indicator light on the chassis.
D. System Logs and Authentication Logs.


Answer : A

Question 10 ( Topic 1 )
What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for the action setting?
A. A File Blocking profile with possible actions of "Forward" or "Continue and Forward".
B. A Data Filtering profile with possible actions of "Forward" or "Continue and Forward".
C. A Vulnerability Protection profile with the possible action of "Forward".
D. A URL Filtering profile with the possible action of "Forward".


Answer : A

Question 11 ( Topic 1 )
When configuring UserID on a Palo Alto Networks firewall, what is the proper procedure to limit User mappings to a particular DHCP scope?
A. In the zone in which User Identification is enabled, create a User Identification ACL Include List using the same IP ranges as those allocated in the DHCP scope.
B. Under the User Identification settings, under the User Mapping tab, select the "Restrict Users to Allocated IP" checkbox.
C. In the zone in which User Identification is enabled, select the "Restrict Allocated IP" checkbox.
D. In the DHCP settings on the Palo Alto Networks firewall, point the DHCP Relay to the IP address of the UserID agent.


Answer : A

Question 12 ( Topic 1 )
A Config Lock may be removed by which of the following users?
A. The administrator who set it
B. Device administrators
C. Any administrator
D. Superusers


Answer : AD

Question 13 ( Topic 1 )
After the installation of a new version of PANOS, the firewall must be rebooted.
A. True
B. False


Answer : A

Question 14 ( Topic 1 )
When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the rule? (Choose three.)
A. Source Zone
B. URL Category
C. Application
D. Service
E. Source User


Answer : ABE

Question 15 ( Topic 1 )
After the installation of the Threat Prevention license, the firewall must be rebooted.
A. True
B. False


Answer : B


Question 16 ( Topic 1 )
What is the function of the GlobalProtect Portal?
A. To maintain the list of Global Protect Gateways and specify HIP data that the agent should report.
B. To loadbalance
C. GlobalProtect client connections to GlobalProtect Gateways.
D. To maintain the list of remote GlobalProtect Portals and the list of categories for checking the client machine.
E. To provide redundancy for tunneled connections through the GlobalProtect Gateways.


Answer : D

Question 17 ( Topic 1 )
Which mode will allow a user to choose when they wish to connect to the Global Protect Network?
A. Always On mode
B. Optional mode
C. Single SignOn mode
D. On Demand mode


Answer : D

Question 18 ( Topic 1 )
After the installation of a new Application and Threat database, the firewall must be rebooted.
A. True
B. False


Answer : B

Question 19 ( Topic 1 )


Taking into account only the information in the screenshot above, answer the following question:
A span port or a switch is connected to e1/4, but there are no traffic logs.
Which of the following conditions most likely explains this behavior?
A. The interface is not assigned a virtual router.
B. The interface is not assigned an IP address.
C. The interface is not up.
D. There is no zone assigned to the interface.


Answer : D

Question 20 ( Topic 1 )
Which of the following platforms supports the Decryption Port Mirror function?
A. PA3000
B. VMSeries 100
C. PA2000
D. PA4000


Answer : A

Question 21 ( Topic 1 )
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
A. True
B. False


Answer : B

Question 22 ( Topic 1 )
UserID is enabled in the configuration of:
A. a Security Profile.
B. an Interface.
C. a Security Policy.
D. a Zone.


Answer : D

Question 23 ( Topic 1 )
Which of the following interface types can have an IP address assigned to it?
A. Layer 3
B. Layer 2
C. Tap
D. Virtual Wire


Answer : A

Question 24 ( Topic 1 )
As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web based application, users call the Help Desk to complain about network connectivity issues.
What is the cause of the increased number of help desk calls?
A. The File Blocking Block Page was disabled.
B. Some AppID's are set with a Session Timeout value that is too low.
C. The firewall admin did not create a custom response page to notify potential users that their attempt to access the web based application is being blocked due to policy.
D. Application Block Pages will only be displayed when Captive Portal is configured.


Answer : B

Question 25 ( Topic 1 )
Security policies specify a source interface and a destination interface.
A. True
B. False


Answer : B

Question 26 ( Topic 1 )
Select the implicit rules that are applied to traffic that fails to match any administrator defined Security Policies.
A. Intrazone traffic is allowed
B. Interzone traffic is denied
C. Intrazone traffic is denied
D. Interzone traffic is allowed


Answer : AB

Question 27 ( Topic 1 )
Besides selecting the Heartbeat Backup option when creating an ActivePassive HA Pair, which of the following also prevents "SplitBrain"?
A. Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
B. Under "Packet Forwarding", selecting the VR Sync checkbox.
C. Configuring an independent backup HA1 link.
D. Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.


Answer : D

Question 28 ( Topic 1 )
Which of the following statements is NOT True regarding a Decryption Mirror interface?
A. Requires superuser privilege
B. Supports SSL outbound
C. Can be a member of any VSYS
D. Supports SSL inbound


Answer : C

Question 29 ( Topic 1 )


Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?
A. URL Categories (BrightCloud or PANDB),
B. Custom Categories, Block List, Allow List.
C. Block List, Allow List, URL Categories (BrightCloud or PANDB), Custom Categories.
D. Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PANDB).
E. Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PANDB).


Answer : B

Question 30 ( Topic 1 )
An interface in tap mode can transmit packets on the wire.
A. True
B. False


Answer : B

Question 31 ( Topic 1 )
Which of the following is NOT a valid option for builtin CLI Admin roles?
A. deviceadmin
B. superuser
C. devicereader
D. read/write


Answer : D

Question 32 ( Topic 1 )
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Applications
B. BrightCloud URL Filtering
C. Applications and Threats
D. Antivirus


Answer : BD

Question 33 ( Topic 1 )
In PANOS 6.0 and later, which of these items may be used as match criterion in a PolicyBased Forwarding Rule? (Choose three.)
A. Source User
B. Source Zone
C. Destination Zone
D. Application


Answer : ABD

Question 34 ( Topic 1 )
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
A. Always 2 megabytes.
B. Always 10 megabytes.
C. Configurable up to 2 megabytes.
D. Configurable up to 10 megabytes.


Answer : D

Question 35 ( Topic 1 )
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
A. The next available address in the configured pool is used, and the source port number is changed.
B. A single IP address is used, and the source port number is unchanged.
C. A single IP address is used, and the source port number is changed.
D. The next available IP address in the configured pool is used, but the source port number is unchanged.


Answer : A
Join a community of subject matter experts. Register for FREE to view solutions, replies, and use search function. Request answer by replying!
Top
Post Reply

Return to “Archived Questions & Answers”