1Which of the following would be a reason to use the PAN-OS XML API to communica

te with a Palo Alto

Networks firewall?
To pull info from other NW resources for USER-ID
2After the installation of a new version of PAN-OS, the firewall must be reboote
d.
True
3The "Disable Server Response Inspection" option on a Security Profile
Internal Trusted Server
4Which pre-defined Admin Role has all rights except the rights to create adminis
trative accounts and
virtual systems?
Device Admin
5Which of the following statements is NOT True about Palo Alto Networks firewall
s?
The Admin account may be disabled
6In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, mo
nitored and/or blocked
7Palo Alto Networks firewalls support the use of both Dynamic (built-in user rol
es) and Role-Based
(customized user roles) for Administrator Accounts.
True

8When employing the BrightCloud URL filtering database in a Palo Alto Networks f
irewall, the order of
evaluation within a profile is:
Block list, Allow list, Custom Cat, Cache files, Loc URL DB
9When configuring Admin Roles for Web UI access, what are the available access l
evels?
Enable, RO & Disable
10What general practice best describes how Palo Alto Networks firewall policies
are applied to a session?
First match applied
11Which of the following is NOT a valid option for built-in CLI Admin roles?
Read/Write
12Can multiple administrator accounts be configured on a single firewall?
Yes
13Which of the following CANNOT use the source user as a match criterion?
AV profile
14When configuring the firewall for User-ID, what is the maximum number of Domai
n Controllers that can
be configured?
100

15After the installation of the Threat Prevention license, the firewall must be
rebooted.
False
16In which of the following can User-ID be used to provide a match condition? (S
elect all correct answers.)
Sec Policies
17What is the function of the GlobalProtect Portal?
To maintain list of Glob Prot GWs & specify HIP data that the agent should repor
t
18When configuring User-ID on a Palo Alto Networks firewall, what is the proper
procedure to limit User
mappings to a particular DHCP scope?
In the Zone in which UID is enabled, create a UID ACL Include list using same IP
ranges as allocated in
DHCP scope
19A "Continue" action can be configured on which of the following Security Profi
les?
URL filtering & File Blocking
20What will the user experience when attempting to access a blocked hacking webs
ite through a
translation service such as Google Translate or Bing Translator?
A Blocked page response when the URL filt policy to block is enf
21Traffic going to a public IP address is being translated by a Palo Alto Networ
ks firewall to an internal
server s private IP address. Which IP address should the Security Policy use as the
"Destination IP" in
order to allow traffic to the server?
The Server's Pub IP

22Which of the following facts about dynamic updates is correct?

AV daily. App & Threat updates weekly
23What is the default DNS sinkhole address used by the Palo Alto Networks Firewa
ll to cut off
communication?
Local Loop add
24When you have created a Security Policy Rule that allows Facebook, what must y
ou do to block all other
web-browsing traffic?
Nothing
25Which of the following are necessary components of a GlobalProtect solution?
GP GW , GP Agent, GP Portal
26Taking into account only the information in the screenshot above, answer the fol
lowing question. Which
applications will be allowed on their standard ports? (Select all correct answer
s.)
SSH & BitTorrent
27Which of the following platforms supports the Decryption Port Mirror function?
PA-3000

28When Destination Network Address Translation is being performed, the destinati

on in the corresponding
Security Policy Rule should use:
Post-NAT Dest zone & Post-NAT IP
29In PAN-OS 6.0 and later, which of these items may be used as match criterion i
n a Policy-Based Forwarding
Rule? (Choose 3.)
Source User, Source Zone, App
30Which type of license is required to perform Decryption Port Mirroring?
Free PAN-PA decrypt
31An interface in tap mode can transmit packets on the wire.
False
32Which of the following interface types can have an IP address assigned to it?
(Select all correct answers.)
L3
33Which statement about config locks is True?
Admin who set it OR SuperUser
34Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv2
35Which link is used by an Active/Passive cluster to synchronize session informa
tion?
Data Link
36Which of the following must be enabled in order for User-ID to function?
UID must be enabled for Src zone of the traffic that is to be identified
37Which of the following most accurately describes Dynamic IP in a Source NAT co
nfiguration?
Next available IP in the configured pool is used but Src port unchanged

38A Config Lock may be removed by which of the following users? (Select all corr
ect answers.)
The Admin who set it & SuperUser
39Select the implicit rules that are applied to traffic that fails to match any
administrator-defined Security
Policies. (Choose all rules that are correct.)
Intra-zone allowed
Inter-zone denied
40Enabling "Highlight Unused Rules" in the Security Policy window will:
High all rules that have not matched traffic since Rule was created or last Rebo
ot of FW
41Which statement below is True?
PAN-OS uses PAN-DB as Def URL filt DB but supports BrightCloud
42Both SSL decryption and SSH decryption are disabled by default.
True
43When configuring a Security Policy Rule based on FQDN Address Objects, which o
f the following statements
is True?
The FW resolves FQDN when the policy is committed & resolves the FQDN again each
time again at DNS TTL
expiration
44In a Destination NAT configuration, the Translated Address field may be popula
ted with either an IP address
or an Address Object.
True
45Security policies specify a source interface and a destination interface.
False
46When configuring a Decryption Policy Rule, which of the following are availabl
e as matching criteria in the
rule? (Choose 3 answers.)
Source User
Source Zone
URL cat

47When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log wi
ll be most informative?
Responding side System log
48 What is the result of an Administrator submitting a WildFire report s verdict back to
Palo Alto Networks as
Incorrect ?
The sig will be updated for False + & F- files in next AV sig update
49An enterprise PKI system is required to deploy SSL Forward Proxy decryption ca
pabilities.
False
50Without a WildFire subscription, which of the following files can be submitted
by the Firewall to the hosted
WildFire virtualized sandbox?
PE files only
51Which of the following statements is NOT True about Palo Alto Networks firewal
ls?
The Admin account may be disabled
52In PAN-OS 6.0, rule numbers are:
Numbers that specify the order in which sec pol are evaluated
53In a Palo Alto Networks firewall, every interface in use must be assigned to a
zone in order to process traffic.
True
54Reconnaissance Protection is a feature used to protect the Palo Alto Networks
firewall from port scans. To
enable this feature within the GUI go to
Nw-NW prof-Zone protection
55Using the API in PAN-OS 6.0, WildFire subscribers can upload up to how many sa
mples per day?
100
56All of the interfaces on a Palo Alto Networks device must be of the same inter
face type.
False

57The "Drive-By Download" protection feature, under File Blocking profiles in Co

ntent-ID, provides:
Protection against unwanted dnlds by showing user response pg indic file is dnld
ing
58Color-coded tags can be used on all of the items listed below EXCEPT:
Vulnerability profs
59Will an exported configuration contain Management Interface settings?
Yes
60Taking into account only the information in the screenshot above, answer the fol
lowing question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which state
ments are True?
SSH denied
BitTorrent allowed
61When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between 2 config files
62As the Palo Alto Networks Administrator responsible for User-ID, you need to ena
ble mapping of
network users that do not sign-in using LDAP. Which information source would all
ow for reliable User-ID
mapping while requiring the least effort to configure?
Exchange CAS sec logs

63The following can be configured as a next hop in a static route:

Virtual Router
64Which of the following options may be enabled to reduce heavy server load cond
itions when using ContentID?
DSRI
65What are two sources of information for determining whether the firewall has b
een successful in
communicating with an external User-ID Agent?
Sys Logs & Indicator light under UID agent settings in the FW
66As the Palo Alto Networks Administrator you have enabled Application Block pag
es. Afterwards, not
knowing they are attempting to access a blocked web-based application, users cal
l the Help Desk to
complain about network connectivity issues. What is the cause of the increased n
umber of help desk calls?
The FW admin didn t create custom response pg to notify potential users that their a
ttempt to access the
Web based app is blocked due to policy
67After the installation of a new Application and Threat database, the firewall
must be rebooted.
False
68Taking into account only the information in the screenshot above, answer the fol
lowing question. Which
applications will be allowed on their standard ports? (Select all correct answer
s.)
SSH & BitTorrent

69An interface in Virtual Wire mode must be assigned an IP address.

False
70What is the maximum file size of .EXE files uploaded from the firewall to Wild
Fire?
Configurable upto 10 MB
71Which feature can be configured to block sessions that the firewall cannot dec
rypt?
Decryp Prof in Decryp Pol
72Which of the following search engines are supported by the "Safe Search Enforc
ement" option? (Select all
correct answers.)
Yahoo Google Bing
73Which of the following statements is NOT True regarding a Decryption Mirror in
terface?
Can be a member of any Vsys
74Which mode will allow a user to choose when they wish to connect to the Global
Protect Network?
On demand mode
75Which of the following describes the sequence of the GlobalProtect Agent connect
ing to a GlobalProtect
Gateway?
Fastest SSL response time
76Which of the following are methods that HA clusters use to identify network ou
tages?
Path & Link monitoring
77Which of the following is True of an application filter?
An application filter automatically includes a new application when one of the n
ew application s characteristics are
included in the filter.

78When configuring a Decryption Policy rule, which option allows a firewall admi
nistrator to control SSHv2
tunneling in policies by specifying the SSH-tunnel App-ID?
SSH proxy
79In order to route traffic between Layer 3 interfaces on the Palo Alto Networks
firewall, you need a:
Virtual Router
80What will be the user experience when the safe search option is NOT enabled fo
r Google search but the
firewall has "Safe Search Enforcement" Enabled?
A block page will be presented with instructions on how to set strict Safe Searc
h for Google.
81User-ID is enabled in the configuration of
A Zone