In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True
False

Question 19 of 50.

When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?

Responding side, Traffic log
Responding side, System Log
Initiating side, System log
Initiating side, Traffic log

Question 20 of 50.

When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:

The Pre-NAT destination zone and Post-NAT IP addresses. 
The Post-NAT destination zone and Post-NAT IP addresses. 
The Pre-NAT destination zone and Pre-NAT IP addresses. 
The Post-NAT destination zone and Pre-NAT IP addresses.

Destination NAT Example—One-to-One Mapping
The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).

The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.

Question 21 of 50.

Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
  HTTPS
SSH
Telnet
HTTP

By default, HTTP and telnet are disabled on the MGT interface but HTTPS, SSH, Ping , and SNMP are allowed.

Question 22 of 50.

When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type—and all users must use this method. 
This cannot be done. A single user can only use one authentication type. 
Create multiple authentication profiles for the same user. 
Create an Authentication Sequence, dictating the order of authentication profiles.

An authentication profile defines the authentication service that validates the login credentials of firewall or Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).

Some networks have multiple databases for different users and user groups (for example, TACACS+ and LDAP). To authenticate users in such cases, configure an authentication sequence, which is a ranked order of authentication profiles that the firewall or Panorama matches a user against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the user (the firewall always checks the local database first if the sequence includes one). A user is denied access only if authentication fails for all the profiles in the authentication sequence.

Question 23 of 50.

Which of the following statements is NOT True about Palo Alto Networks firewalls?

Initial configuration may be accomplished thru the MGT interface or the Console port. 
By default the MGT Port’s IP Address is 192.168.1.1/24. 
System defaults may be restored by performing a factory reset in Maintenance Mode. 
The default Admin account may be disabled or deleted.

Which of the following is a routing protocol supported in a Palo Alto Networks firewall?

IGRP
RIPv2
ISIS
EIGRP

Question 25 of 50.

The “Drive-By Download” protection feature, under File Blocking profiles in Content-ID, provides:

The ability to use Authentication Profiles, in order to protect against unwanted downloads. 
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded. 
Increased speed on downloads of file types that are explicitly enabled. 
Password-protected access to specific file downloads for authorized users. 

Known as a phishing attack. Once the user visits such a website, the website would start downloading exploits to user’s computer without user’s intervention. Such downloads are also referred to as drive-by-downloads in the sense that the user didn’t have to explicitly download the exploits; just by the virtue of visiting the website would cause the download to happen.

Such attacks can be usually nipped in the bud by a URL filtering solution that would detect user’s traffic going to a pre-categorized malware website. Our next-generation firewalls provide URL filtering solution that can help in detecting such traffic and thereby preventing the attack.

To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download a .exe file from a website in the untrust zone. A response page should display. Click Continue to download the file. You can also set other actions, such as alert only, forward (which will forward to WildFire), or block, which will not provide a continue page to the user. The following shows the default response page for File Blocking:

Question 26 of 50.

In which of the following can User-ID be used to provide a match condition?

Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Question 27 of 50.

Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?

A custom admin role must be created for this specific combination of rights. 
Device Administrator
Superuser
vsysadmin

Question 28 of 50.

As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?

Some App-ID’s are set with a Session Timeout value that is too low. 
The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy. 
Application Block Pages will only be displayed when Captive Portal is configured. 
The File Blocking Block Page was disabled. 

You can perform any of the following functions for Response Pages.
To import a custom HTML response page, click the link of the page type you would like to change and then click import/export. Browse to locate the page. A message is displayed to indicate whether the import succeeded. For the import to be successful, the file must be in HTML format.
To export a custom HTML response page, click Export for the type of page. Select whether to open the file or save it to disk and, if appropriate, select Always use the same option.
To enable or disable the Application Block page or SSL Decryption Opt-out pages, click Enable for the type of page. Select or deselect Enable, as appropriate.
To use the default response page instead of a previously uploaded custom page, delete the custom block page and commit. This will set the default block page as the new active page.

Question 29 of 50.

PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile type?

Threat Analysis
File Analysis
Malware Analysis
WildFire Analysis

A new WildFire Analysis profile is introduced with PAN-OS 7.0 in order to forward files and email links for WildFire analysis, replacing the need to use File Blocking profile rules to forward files for WildFire analysis.

Question 30 of 50.

Which of the following facts about dynamic updates is correct?

Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly. 
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly. 
Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly. 
Anti-virus updates are released daily. Application and Threat updates are released weekly. 

Antivirus—Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
Applications—Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly.
Applications and Threats —Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly.
GlobalProtect Data File —Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect portal and GlobalProtect gateway license in order to receive these updates. In addition, you must create a schedule for these updates before GlobalProtect will function.
BrightCloud URL Filtering —Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as devices remain in-sync with the servers automatically.
WildFire—Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threat update.

Question 31 of 50.

Both SSL decryption and SSH decryption are disabled by default.
True
False

Question 32 of 50.

Which statement below is True?

PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB. 
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB. 
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud. 
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud. 

URL Filtering Vendors

Palo Alto Networks firewalls support two vendors for URL filtering purposes:

PAN-DB—A Palo Alto Networks developed URL filtering database that is tightly integrated into PAN-OS by utilizing high-performance local caching to perform maximum inline performance for URL lookups while a distributed cloud architecture provides coverage for the latest websites. In addition, PAN-DB is tightly integrated with WildFire such that whenever WildFire deems a site malicious, it updates the corresponding PAN-DB URL category to malware, immediately blocking any future access to the site as long as you have a URL Filtering profile attached to the security policy rule. To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.

BrightCloud—A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.

Question 33 of 50.

WildFire may be used for identifying which of the following types of traffic?

OSPF
DHCP
RIPv2
Malware

Question 34 of 50.

When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will send a TCP reset.
True
False

Question 35 of 50.

In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:

Virtual Router
VLAN
Virtual Wire
Security Profile

Question 36 of 50.

In Palo Alto Networks terms, an application is:

A specific program detected within an identified stream that can be detected, monitored, and/or blocked. 
A combination of port and protocol that can be detected, monitored, and/or blocked. 
A file installed on a local machine that can be detected, monitored, and/or blocked. 
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked. 

Question 37 of 50.

Which of the following is True of an application filter?

An application filter automatically includes a new application when one of the new application’s characteristics are included in the filter. 
An application filter is used by malware to evade detection by firewalls and anti-virus software. 
An application filter automatically adapts when an application moves from one IP address to another. 
An application filter specifies the users allowed to access an application. 

An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access…As new applications office programs emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.

Question 38 of 50.

Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?

1000
50
500
10

WildFire API —The WildFire subscription provides access to the WildFire API, which enables direct programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud or a WildFire appliance. You can use the WildFire API to submit files and to retrieve reports for the submitted files. The WildFire API supports up to 1,000 file submissions per day and up to 10,000 queries per day.

Question 39 of 50.

The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall’s configuration? (Select all correct answers.)
  There must be a security policy rule from Internet zone to trust zone that allows ping. 
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.) 
There must be a security policy rule from trust zone to Internet zone that allows ping. 
There must be appropriate routes in the default virtual router.

Question 40 of 50.

When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?

When creating the policy, ensure that web-browsing is included in the same rule. 
Ensure that the Service column is defined as “application-default” for this Security policy. Doing this will automatically include the implicit web-browsing application dependency. 
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use. 
Create an additional rule that blocks all other traffic.

Question 41 of 50.

Users may be authenticated sequentially to multiple authentication servers by configuring:

An Authentication Profile. 
Multiple RADIUS servers sharing a VSA configuration. 
An Authentication Sequence. 
A custom Administrator Profile.

Configure an authentication sequence.
Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user. Select Device > Authentication Sequence and click Add….

Question 42 of 50.

An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True
False

Question 43 of 50.

Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in Security Policy
Decryption Profile in Security Profile
Decryption Profile in Decryption Policy
Decryption Profile in PBF

A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
Block sessions using unsupported protocols, cipher suits, or sessions that require client authentication.
Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can’t be retrieved during a configured timeout period.
Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.

Question 44 of 50.

Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
  Network Access Control (NAC) device
Domain Controller
SSL Certificates
RIPv2

Question 45 of 50.

Which of the following is NOT a valid option for built-in CLI Admin roles?

read/write
superuser
deviceadmin
devicereader

The Role scope controls the available options:
Device role— superuser, superreader, deviceadmin, devicereader, or None
Virtual System role— vsysadmin, vsysreader, or None

Question 46 of 50.

User-ID is enabled in the configuration of …

A Zone. 
An Interface. 
A Security Policy. 
A Security Profile.

Question 47 of 50.

Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server’s private IP address. Which IP address should the Security Policy use as the “Destination IP” in order to allow traffic to the server?

The server’s public IP
The firewall’s gateway IP
The firewall’s MGT IP
The server’s private IP

Question 48 of 50.

What is the default setting for ‘Action’ in a Decryption Policy’s rule?

No-Decrypt
Decrypt
Any
None

Question 49 of 50.

You can assign an IP address to an interface in Virtual Wire mode.
True
False

Question 50 of 50.

Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

To permit syslogging of User Identification events. 
To pull information from other network resources for User-ID. 
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.

Although the User-ID functionality provides many out-of-the box methods for obtaining user mapping information, you may have some applications or devices that capture user information that cannot be natively integrated with User-ID. In this case you can use the User-ID XML API to create custom scripts that allow you to leverage existing user data and send it to the User-ID agent or directly to the firewall.