Question 1 of 60.
A company is deploying a pair of PA-5060 firewalls in an environment requiring support for asymmetric routing.
Which High Availability (HA) mode best supports this design requirement?
HA-Lite Active-Passive mode
Active-Passive mode
Active-Active mode
Question 2 of 60.
A company uses Active Directory and RADIUS to capture User-ID information and implement user-based
policies to control web access. Many Linux and Mac computers in the environment do not have
IP-address-to-user mappings. What is the best way to collect user information for those systems?
Load the GlobalProtect client and connect to the company GlobalProtect environment
Question 3 of 60.
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks security
services? (Choose two.)
Threat Prevention
URL Filtering
PAN-OS
App-ID
Question 4 of 60.
A company has a pair of PA-3050s running PAN-OS 6.0.4. Antivirus, Threat Prevention, and URL Filtering
Profiles are in place and properly configured on both inbound and outbound policies. A Security Operation
Center (SOC) engineer starts his shift and faces the traffic logs presented in the screenshot shown above. He
notices that the traffic is being allowed outbound. Which actions should the SOC engineer take to safely allow
known but not yet qualified applications, without disrupting the remaining traffic policies?
Create Application Override policies after a packet capture to identify the applications that are triggering
the "unknown-tcp". Then create new custom applications for those policies, and add these new policies above
the current policy that allows the traffic.
Create an Application Override policy after a packet capture to identify the applications that are triggering
the "unknown-tcp". Then create a new custom application, and add this new policy below the current policy
that is blocking the traffic.
Create a policy to deny only the inbound traffic because "unknown-tcp" happens when a TCP handshake
hasn't occurred properly. Then add this new policy above the current policy that allows the traffic.
Create a policy to deny all traffic inbound or outbound with the application "unknown-tcp". Then place the
new policy above the current policy that allows the traffic.
Question 5 of 60.
Which three engines are built into the Single-Pass Parallel Processing Architecture? (Choose three.)
Question 6 of 60.
A US-CERT notification is published regarding a newly-discovered piece of malware. The infection is spread
using spear phishing e-mails that prompt users to click an HTTP hyperlink, which then downloads the malware.
Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall
is configured to dynamically update to the latest databases automatically. Which component and
implementation will detect and prevent this threat?
Zone Protection profiles applied to the external zone with Packet Based Attack Protection with action set
to block high severity threats
Vulnerability Protection profiles applied to inbound and outbound security policies with action set to block
high severity threats
Antivirus profiles applied to outbound security policy rules with action set to block high severity threats
Antivirus profiles applied to inbound security policies with action set to block high severity threats
Question 7 of 60.
A Security policy accepts new FTP traffic sessions between 8:00 a.m. and 5:00 p.m. What happens to an
already-accepted and running FTP session at 5:01 p.m.?
The session is terminated, and the initiator must establish a new session.
The session is re-evaluated if the default configuration setting “Rematch all sessions on config policy
change” is enabled.
The session is re-evaluated to determine whether it is allowed under a different policy rule.
The session continues to run, because already-accepted sessions are not re-evaluated.
Question 8 of 60.
Which component must be configured before a User Activity report can be generated?
GlobalProtect
User Identification
SSL Decryption
Log Forwarding
Question 9 of 60.
When would there be a benefit from the creation of a custom application signature?
When a company wants to know who is watching World Cup soccer matches during work hours
When the risk level of a Palo Alto Networks-provided application signature needs to be changed
Question 10 of 60.
Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred
in the last day?
ACC->Application
Objects->Applications->web-browsing
Monitor->App Scope->Summary
Monitor->Session Browser
Question 11 of 60.
Which feature will control how the firewall handles web servers with expired certificates when decrypting SSL?
Certificate Profile
Decryption Profile
Question 12 of 60.
Which GlobalProtect deployment strategy could be leveraged to expand a company's global VPN footprint
without incurring hosting fees for physical equipment?
GlobalProtect Satellite
Question 13 of 60.
Which statement is true of an OSPFv3 configuration on the Palo Alto Networks firewall?
Question 14 of 60.
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by
the firewall to the client be when doing SSL Decryption?
512 bits
4096 bits
2048 bits
1024 bits
Question 15 of 60.
Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall?
(Choose three.)
Removing from the session table any TCP session without traffic for 3600 seconds
Validating that UDP port 53 packets are not being used to tunnel data for another protocol
Allowing a packet through from an external DNS server only if an internal host recently queried that DNS
server
Question 16 of 60.
Which Virtual Wire Tag Allowed value(s) will allow only untagged traffic to traverse a virtual wire?
"any"
0-4094
1-4094
Question 17 of 60.
Which CLI command would allow an administrator to assess CPU usage by process on the management
plane?
Question 18 of 60.
A company has a Palo Alto Networks firewall configured with the following three zones: Internet, DMZ, Inside.
All users are located on the Inside zone and are using public DNS servers for name resolution. The company
hosts a publicly accessible web application on a server in the DMZ zone. Which NAT rule configuration will
allow users on the Inside zone to access the web application using its public IP address?
Bi-directional NAT
Question 19 of 60.
Each week, a company wants to know the list of employees in the "mgt" group who are the biggest users of
network bandwidth. Assume that the "mgt" group is properly configured on the company's Domain Controller,
and that User-ID also is configured correctly. The firewall administrator starts to create the Custom report
shown above: What must the administrator do or change to complete this Custom report?
Question 20 of 60.
What statement is true about the Highlight Unused Rules option for a Security Policy?
A management plane restart will clear the counters for used/unused rules.
The counters for used/unused rules can be cleared using the "reset counter global name rule-use" CLI
command.
The counters for used/unused rules can be cleared using the reset counter global name rule-use CLI
command.
Question 21 of 60.
Which action will display the NAT policies that are being enforced by the firewall?
From the command line, check the status of the NAT pool on the data plane using the command
"nat-rule-ippool".
View the NAT policies currently displayed by the management plane in the GUI.
Navigate to the Policies tab in the GUI, select NAT from the configuration tree and check the box marked
"Highlight Unused Rules".
From the command line, check the NAT policies loaded on the data plane using the command "show
running nat-policy".
Question 22 of 60.
Which two techniques become available only after upgrading from a legacy firewall to a Palo Alto Networks
next-generation firewall? (Choose two.)
Differentiating between traffic for the base Facebook application and traffic using Facebook Chat
Limiting applications to using only their standard port numbers
Dynamically opening small holes in the firewall to permit FTP data transfers, instead of being required to
open all high port numbers
Question 23 of 60.
What is the proper method to determine which active sessions on the firewall matched a security rule named
"ftp-out"?
Apply the filter "(rule eq ftp-out) and (subtype eq start)" to the traffic logs.
In the CLI, run the command "show session all filter rule ftp-out".
In the CLI, run the command "show session all filter application ftp".
Apply the filter "(application eq ftp) and (subtype eq end)" to the traffic logs.
Question 24 of 60.
A workstation at a company was infected with malware on September 18, 2014. Palo Alto Networks released
an antivirus signature for that malware on September 17, 2014. The company's firewall is licensed with Threat
Prevention and URL Filtering. The Threat log in the Monitor tab of the firewall shows no indications of traffic
related to the infection. However, the Traffic log shows traffic between the workstation and the
command-and-control server. Given the company's Dynamic Updates configuration: What is the cause of traffic not matching
a malware signature?
The update schedule is set to "download only" and not to "download and install".
The most recent updates were incremental and not full updates.
The infection occurred during the hourly update window when the malware was identified.
Question 25 of 60.
A network administrator needs to view the default action for a specific spyware signature. The administrator
follows the tabs and menus through Objects > Security Profiles > Anti-Spyware, and selects the default Profile.
What should be done next?
Click the Rules tab and then look for rules with "default" in the Action column.
The default actions will be displayed in the Action column.
Click the Exceptions tab and then click Show all signatures.
Nothing more is necessary. The actions already will be displayed with their default values.
Question 26 of 60.
WebandNetTrends Unlimited's new web server software is discovered to produce traffic that the Palo Alto
Networks firewall sees as "unknown-tcp" traffic. Which two configurations would identify the application while
preserving the ability of the firewall to perform content and threat detection on the traffic? (Choose two.)
A custom application with content and threat detection enabled, which includes a signature, identifying
the new web server's traffic
A custom application, with a name properly describing the new web server's purpose
An Application Override policy that assigns the new web server traffic to the built-in application
"web-browsing"
A custom application and an Application Override policy that assigns traffic going to and from the web
server to the custom application
Question 27 of 60.
Which statement is true if a Security policy contains two rules that would both match a proposed new session?
The first rule that matches while evaluating the rules from top to bottom is the one that will be applied.
Question 28 of 60.
Which mechanism is used to trigger a High Availability (HA) failover in the event the management plane
becomes unresponsive in the active firewall?
Heartbeat Polling
Path Monitoring
Link Monitoring
SNMP Polling
Question 29 of 60.
Which statement is true about how Palo Alto Networks firewalls monitor traffic on the network?
Unlike traditional firewalls that use port or protocol to identify applications, the Palo Alto Networks
firewalls use the application signature (the App-ID technology) to identify applications.
Unlike traditional firewalls that use port or protocol to identify applications, the Palo Alto Networks
firewalls use the Application Override rules to identify and monitor applications.
Traffic logs are generated by policies that have "deny" defined as their action, and will not log any traffic
that matches policies configured to "allow".
Palo Alto Networks firewalls use Content-ID to examine the content of traffic to identify applications in
logs and reports.
Question 30 of 60.
A US-CERT notification is published regarding a newly discovered piece of malware. The infection is spread
using spear phishing emails that prompt users to click an HTTP hyperlink, which then downloads the malware.
Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall
is configured to dynamically update to the latest databases automatically. Which component and
implementation will detect and prevent this threat?
Zone Protection Profiles applied to the external zone with Packet Based Attack Protection with action set
to block high-severity threats
Vulnerability Protection Profiles applied to inbound and outbound Security policies with action set to block
high-severity threats
Antivirus Profiles applied to outbound Security policy rules with action set to block high-severity threats
Antivirus Profiles applied to inbound Security policies with action set to block high-severity threats
Question 31 of 60.
A client downloads a malicious file from the internet. The Palo Alto firewall has a valid WildFire subscription.
The Security policy rule shown above matches the client HTTP session: Which three actions take place when
the firewall's Content-ID engine detects a virus in the file and the decoder action is set to “block”? (Choose
three.)
Question 32 of 60.
Which action will allow a firewall administrator to determine which NAT rules have NOT been matched since
the last reboot?
From the CLI, issue the command test nat-policy-match against each configured rule.
In the GUI, select the Highlight Unused Rules option under Policies -> NAT.
From the CLI, issue the command show session all filter nat-rule command.
From the CLI, issue the command show running nat-policy command.
Question 33 of 60.
Which interface type provides support for point-to-point protocol over Ethernet (PPPoE)?
Virtual wire
Layer3
Layer2
PPP
Question 34 of 60.
A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They were asked not
to share this list outside of the organization. The Chief Information Security Officer has requested that all user
access to these URLs be filtered and blocked immediately to prevent potential breaches. However, the inline
Palo Alto Networks firewall is NOT licensed for URL Filtering. What is an efficient method for blocking access
to these URLs?
Use a script to automatically import each URL domain as an FQDN address object.
Import the URLs to a Custom URL Category and reference the URL Category in a Security policy rule set
to deny.
Import the URLs to a Dynamic Block List and reference the Dynamic Block List in a Security policy rule
set to deny.
Submit a Bulk Change Request via the Palo Alto Networks Support Portal containing the list of the URLs,
request that the URLs be categorized as “Malware,” and set the action to "block" for the Malware category in a
URL Filtering profile.
Question 35 of 60.
A company policy dictates that logs must be retained in their original format for a period of time that would
exceed the space limitations of the Palo Alto Networks firewall’s internal storage. Which two options will allow
the company to meet this requirement? (Choose two.)
Question 36 of 60.
Where can the oversubscription rate be adjusted on platforms that support NAT oversubscription?
In the GUI, under Device -> Setup -> Session -> Session Settings
In CLI configuration mode, by issuing the command set deviceconfig setting nat reserve-ip with the
appropriate argument
In the GUI, by selecting the individual rule name and making the adjustment under the Translated
Address tab
Question 37 of 60.
Application ID
System logging
Question 38 of 60.
A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog
messages are forwarded to a syslog receiver. There are currently 20 PA-5060 firewalls, each of which is
configured to forward syslogs individually. The security engineer wants to leverage their two M-100 appliances
to send syslog messages from a single source and already has deployed one in Panorama mode and the other
as a Log Collector. What is the remaining step in this solution?
Enable Syslog Aggregation
Question 39 of 60.
Description
HIP Profiles
Application Default
Question 40 of 60.
A Management Profile to allow SSH access has been created and applied to interface ethernet1/1. A security
rule with the action "deny" is applied to packets from "any" source zone to "any" destination zone. What will
happen when someone attempts to initiate an SSH connection to ethernet1/1?
SSH access to the interface will be denied because intra-zone traffic is denied.
SSH access to the interface will be allowed because inter-zone traffic is allowed.
SSH access to the interface will be allowed because intra-zone traffic is allowed by default.
SSH access to the interface will be allowed because the Management Profile is applied before the
Security policy.
Question 41 of 60.
A user is reporting that they cannot download a PDF file from the internet. Which option will show whether the
downloaded file has been blocked by a Security Profile?
Filter the Data Filtering logs for the user's traffic and the name of the PDF file.
Filter the Traffic logs for all traffic from the user that resulted in a deny action.
Filter the Session Browser for all sessions from the user with the application "adobe".
Question 42 of 60.
Company employees have been given access to the GlobalProtect Portal at https://portal.company.com:
Assume the following: The URL portal.company.com resolves to the external interface of the firewall on the
company's external DNS server and to the internal interface of the firewall on the company's internal DNS
server. The URL gateway1.company.com resolves to the external interface of the firewall on the company's
external DNS server and to the internal interface of the firewall on the company's internal DNS server. The
DNS entry for gateway1 resolves to the internal interface of the firewall on the company's internal DNS server.
The URL resolves both inside and outside the network. This Gateway configuration will have which two
outcomes? (Choose two.)
Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Clients outside the network will be able to connect to the external gateway Gateway1.
Clients outside the network will NOT be able to connect to the external gateway Gateway1.
Clients inside the network will be able to connect to the internal gateway Gateway1.
Question 43 of 60.
Consider this graphic representation of the Threat Monitor report: What does this report display?
Question 44 of 60.
Which public key infrastructure component is required to implement SSL Forward Proxy?
Certificate Authority certificate
Machine certificate
Question 45 of 60.
Given the following Security Policy and information about traffic traversing the firewall: Source Address:
192.168.64.10; Source Zone: Trust-L3; Destination Address: 199.167.55.50; Destination Zone: Untrust-L3;
Destination port: 85; Application: web-browsing. Which rule will match the specified traffic?
Rule number 4
Rule number 3
Rule number 6
Rule number 2
Question 46 of 60.
Which Panorama feature allows for aggregated device logs to be forwarded to an external security information
and event management (SIEM) system?
Question 47 of 60.
IP domains are frequently used by command-and-control servers that have been blocked from becoming
part of either a DNS domain or a Windows domain.
Web browsing to an IP address instead of a URL may indicate an attempt to avoid proper categorization
when traffic passes through a URL Filtering system.
Only a newly-created website could have an IP address but not a URL, and newly-created websites are
statistically more likely to provide command-and-control services that connect to malware.
Web browsing to an IP address is not possible and is an indicator of a possible attempt to tunnel other
applications through TCP port 80.
Question 48 of 60.
Which two functions can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose
two.)
Temporarily allowing an external web server to send inbound packets after an outbound request for a
web page
Question 49 of 60.
Which item can be configured with IPv6 addresses on a Palo Alto Networks firewall?
OSPFv3
RIPv2
DHCP Server
BGP
Question 50 of 60.
Which two external authentication methods can be used with Authentication Profiles in PAN-OS? (Choose
two.)
NTLM
LDAP
RSH
RADIUS
Question 51 of 60.
A company has a Palo Alto Networks firewall configured with the following three zones: Untrust-L3, DMZ,
Trust-L3. The company hosts a publicly accessible web application on a server that resides in the Trust-L3 zone.
The web server is associated with the following IP addresses: Web Server Public IP: 2.2.2.1/24, Web Server
Private IP: 192.168.1.10/24. The security administrator configures the following two-zone U-Turn NAT rule to
allow users using 10.10.1.0/24 on the "Trust-L3" zone to access the web server using its public IP address in
the Untrust-L3 zone: Which statement is true in this situation?
The traffic will be considered intra-zone based on the translated destination zone.
Source translation is required because the destination address is in the same zone as the source.
Question 52 of 60.
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
Alert
Allow
Log
Default
Question 53 of 60.
Certificate Authority
Subject Alternate Name
Question 54 of 60.
Which technique can be performed by a next-generation firewall, but NOT by a legacy firewall?
Allowing some ICMP echo-reply packets by matching them to ICMP echo-request packets
Question 55 of 60.
Given the following routing table: Which nexthop(s) would be added to the forwarding information base (FIB)
for the 192.168.93.0/30 network?
10.66.24.88
10.66.24.93
0.0.0.0
10.66.24.88, 10.66.24.93
Question 56 of 60.
Which two authentication methods are supported in PAN-OS software when using SSH to manage a device?
(Choose two.)
RADIUS
Public Key Authentication
NTLM
Certificate-based Authentication
Question 57 of 60.
American Textile Corporation has acquired Fab Fabric Limited. American Textile uses a SIP-based VoIP
phone system, which has been working well through a Palo Alto Networks firewall. However, integrating Fab
Fabric's SIP phone system into American Textile's network has not been successful. The network security
administrator for the combined company determines that the firewall is the cause of the failed phone system
integration. Which action will disable the Application Level Gateway (ALG) firewall feature for the Fab Fabric
phones while not affecting the American Textile Corporation phone system?
Disable ALG in the Security policy that matches the traffic to and from the Fab Fabric phones
Disable ALG for the "sip" application in the Applications sub-menu of the Objects tab.
Create an Application Override policy that assigns traffic to and from the Fab Fabric phones to a custom
application
Create an application override policy that assigns SIP traffic to a custom application.
Question 58 of 60.
A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating a flood of
bogus TCP connections to internal servers behind the firewall. This traffic is allowed by security policies, and
other than creating half-open TCP connections, it is indistinguishable from legitimate inbound traffic. Which
Zone Protection Profile with SYN Flood Protection action, when enabled with the correct threshold, would
mitigate this attack without dropping legitimate traffic?
Question 59 of 60.
In which scenario would an active/active High Availability (HA) deployment be recommended instead of an
active/passive HA pair?
There is a need for the firewalls to load balance the traffic on the network.
Question 60 of 60.
A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode and will be
using HA-Lite. Which capability can be used in this situation?
Link Aggregation
Session Sync
Configuration Sync
Jumbo Frames