Palo Alto Networks - PCNSE Practice Questions
Question 1 of 60.
Why is “Browsing to IP domains” an event that appears in the Botnet report?
- Only a newly-created website could have an IP address but not a URL, and newly-created websites are statistically more likely to provide command-and-control services that connect to malware.
- IP domains are frequently used by command-and-control servers that have been blocked from becoming part of either a DNS domain or a Windows domain.
- Web browsing to an IP address instead of a URL may indicate an attempt to avoid proper categorization when traffic passes through a URL Filtering system.
- Web browsing to an IP address is not possible and is an indicator of a possible attempt to tunnel other applications through TCP port 80.

Question 2 of 60.
A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware, and selects the default Profile. What should be done next?
- Nothing more is necessary. The actions already will be displayed with their default values.
- Click the Rules tab and then look for rules with "default" in the Action column.
- Click the Exceptions tab and then click Show all signatures.
- The default actions will be displayed in the Action column.

Question 3 of 60.
Which feature of the Palo Alto Networks firewall was designed to minimize network latency on the data plane?
- Multi-Pass Packet Stream Processing Engine
- Single-Pass Parallel Processing Architecture
- Automated Dynamic Content Update Scheduler
- Standard XML-formatted configuration file

Question 4 of 60.
A company uses Active Directory and RADIUS to capture User-ID information and implement user-based policies to control web access. Many Linux and Mac computers in the environment do not have IP-address-to-user mappings. What is the best way to collect user information for those systems?
- Install the User-ID agent on the systems to collect user information
- Install a Terminal Services agent in the environment
- Load the GlobalProtect client and connect to the company GlobalProtect environment
- Use Captive Portal to capture user information

Question 5 of 60.
Each week, a company wants to know the list of employees in the "mgt" group who are the biggest users of network bandwidth. Assume that the "mgt" group is properly configured on the company's Domain Controller, and that User-ID also is configured correctly. The firewall administrator starts to create the Custom report shown above: What must the administrator do or change to complete this Custom report?
- 'Application Statistics' must be selected from the 'Database' option.
- 'Last 24 Hrs' must be selected from the 'Time Frame' option.
- 'Source User' must be selected from the 'Available Columns' option.
- Explicitly set the 'Sort By' option.

Question 6 of 60.
Which two authentication methods are supported in PAN-OS software when using SSH to manage a device? (Choose two.)
- Public Key Authentication
- RADIUS
- Certificate-based Authentication
- NTLM

Question 7 of 60.
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the firewall to the client be when doing SSL Decryption?
- 2048 bits
- 1024 bits
- 4096 bits
- 512 bits

Question 8 of 60.
A Palo Alto Networks firewall has been configured with multiple virtual systems and is administered by multiple personnel. Several administrators are logged into the firewall and are making configuration changes to separate virtual systems at the same time. Which option will ensure that no single administrator's changes are interrupted or undone by another administrator while still allowing all administrators to complete their changes prior to issuing a commit?
- One administrator sets a shared configuration lock and each administrator sets a commit lock.
- Each administrator sets a shared configuration lock.
- Each administrator sets a configuration and commit lock for the vsys to which they are making changes.
- Each administrator sets a shared commit lock.

Question 9 of 60.
The WildFire Cloud or WF-500 appliance provides information to which two Palo Alto Networks security services? (Choose two.)
- URL Filtering
- GlobalProtect Data File
- PAN-OS
- Threat Prevention
- App-ID
Question 10 of 60.
Which Panorama feature allows for aggregated device logs to be forwarded to an external security information and event management (SIEM) system?
- Scheduled Log Aggregation and Forwarding
- Device Group Log Forwarding Profiles
- Collector Log Forwarding for Collector Groups
- Log Forwarding Profile

Question 11 of 60.
American Textile Corporation has acquired Fab Fabric Limited. American Textile uses a SIP-based VoIP phone system, which has been working well through a Palo Alto Networks firewall. However, integrating Fab Fabric's SIP phone system into American Textile's network has not been successful. The network security administrator for the combined company determines that the firewall is the cause of the failed phone system integration. Which action will disable the Application Level Gateway (ALG) firewall feature for the Fab Fabric phones while not affecting the American Textile Corporation phone system?
- Disable ALG in the Security policy that matches the traffic to and from the Fab Fabric phones
- Create an application override policy that assigns SIP traffic to a custom application.
- Create an Application Override policy that assigns traffic to and from the Fab Fabric phones to a custom application
- Disable ALG for the "sip" application in the Applications sub-menu of the Objects tab.

Question 12 of 60.
What is the proper method to determine which active sessions on the firewall matched a security rule named "ftp-out"?
- Apply the filter "(rule eq ftp-out) and (subtype eq start)" to the traffic logs.
- In the CLI, run the command "show session all filter application ftp".
- Apply the filter "(application eq ftp) and (subtype eq end)" to the traffic logs.
- In the CLI, run the command "show session all filter rule ftp-out".

Question 13 of 60.
Which statement is true of an OSPFv3 configuration on the Palo Alto Networks firewall?
- It supports dynamic interfaces such as DHCP.
- It uses IPv4 addresses for the area ID.
- It is enabled per-subnet instead of per-link.
- It requires MD5 authentication.

Question 14 of 60.
A US-CERT notification is published regarding a newly-discovered piece of malware. The infection is spread using spear phishing e-mails that prompt users to click an HTTP hyperlink, which then downloads the malware. Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall is configured to dynamically update to the latest databases automatically. Which component and implementation will detect and prevent this threat?
- Zone Protection profiles applied to the external zone with Packet Based Attack Protection with action set to block high severity threats
- Antivirus profiles applied to outbound security policy rules with action set to block high severity threats
- Vulnerability Protection profiles applied to inbound and outbound security policies with action set to block high severity threats
- Antivirus profiles applied to inbound security policies with action set to block high severity threats

Question 15 of 60.
Which method can be used to verify that the firewall is transmitting packets to the correct destination?
- Compare the routing table to the FIB table to ensure there are no discrepancies.
- Verify the contents of the ARP table for the egress interface.
- Collect packet captures from the transmit stage on the firewall.
- Capture packets in the receive stage on the firewall.

Question 16 of 60.
Which CLI command would allow an administrator to assess CPU usage by process on the management plane?
- show running resource monitor
- show system resources
- show system statistics
- show process list

Question 17 of 60.
Which action will display the NAT policies that are being enforced by the firewall?
- View the NAT policies currently displayed by the management plane in the GUI.
- Navigate to the Policies tab in the GUI, select NAT from the configuration tree and check the box marked "Highlight Unused Rules".
- From the command line, check the status of the NAT pool on the data plane using the command "nat-rule-ippool".
- From the command line, check the NAT policies loaded on the data plane using the command "show running nat-policy".

Question 18 of 60.
In which scenario would an active/active High Availability (HA) deployment be recommended instead of an active/passive HA pair?
- There is a potential for asymmetric routing to occur.
- There is a need to double the net throughput capacity of the HA pair.
- There is a need to load balance the traffic on the network.
- There is a need for the firewalls to load balance the traffic on the network.

Question 19 of 60.
Where can the oversubscription rate be adjusted on platforms that support NAT oversubscription?
- In the CLI, by using the command set session offload
- In the GUI, under Device -> Setup -> Session -> Session Settings
- In the GUI, by selecting the individual rule name and making the adjustment under the Translated Address tab
- In CLI configuration mode, by issuing the command set deviceconfig setting nat reserve-ip with the appropriate argument
Question 20 of 60.
Which X.509 attribute is required for "Forward Trust Certificate" to be enabled?
- OCSP Location
- Subject Alternate Name
- Certificate Authority
- CRL Distribution Point

Question 21 of 60.
Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred in the last day?
- ACC -> Application
- Objects -> Applications -> web-browsing
- Monitor -> Session Browser
- Monitor -> App Scope -> Summary

Question 22 of 60.
Which public key infrastructure component is required to implement SSL Forward Proxy?
- Certificate Authority certificate
- Machine certificate
- Certificate signing request
- Online Certificate Status Protocol

Question 23 of 60.
Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose three.)
- Identifying unauthorized applications that attempt to connect over non-standard ports
- Recognizing when SSH sessions are using SSH v1 instead of SSH v2
- Removing from the session table any TCP session without traffic for 3600 seconds
- Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server
- Validating that UDP port 53 packets are not being used to tunnel data for another protocol

Question 24 of 60.
Which component must be configured before a User Activity report can be generated?
- SSL Decryption
- GlobalProtect
- Log Forwarding
- User Identification

Question 25 of 60.
What can be used to push network and device configurations from Panorama to firewalls running PAN-OS software?
- Service Profiles
- Templates
- Device groups
- Management groups

Question 26 of 60.
Which technique can be performed by a next-generation firewall, but NOT by a legacy firewall?
- Inspecting HTTP data streams to detect instances of the POST method
- Detecting a spoofed IP address
- Detecting a mismatched overlapping TCP segment
- Allowing some ICMP echo-reply packets by matching them to ICMP echo-request packets

Question 27 of 60.
Given the following routing table: Which nexthop(s) would be added to the forwarding information base (FIB) for the 192.168.93.0/30 network?
- 10.66.24.88, 10.66.24.93
- 0.0.0.0
- 10.66.24.93
- 10.66.24.88

Question 28 of 60.
Which feature will control how the firewall handles web servers with expired certificates when decrypting SSL?
- Default Trusted Certification Authorities
- Certificate Profile
- Data Filtering Profile
- Decryption Profile

Question 29 of 60.
Which three engines are built into the Single-Pass Parallel Processing Architecture? (Choose three.)
- Application Identification (App-ID)
- User Identification (User-ID)
- Threat Identification (Threat-ID)
- Content Identification (Content-ID)
- Group Identification (Group-ID)

Question 30 of 60.
A Palo Alto Networks firewall is configured with a NAT policy rule that performs the following source translation: Which filters need to be configured to match traffic originating from 192.168.1.10 in the "Trust-L3" zone to 2.2.2.2 in the "Untrust-L3" zone in the Transmit stage?
- Filter 1: source 192.168.1.10, destination 2.2.2.2; Filter 2: source 1.1.1.1, destination 2.2.2.2
- Filter 1: source 1.1.1.1, destination 192.168.1.10; Filter 2: source 192.168.1.10, destination 1.1.1.1
- Filter 1: source 1.1.1.1, destination 2.2.2.2; Filter 2: source 2.2.2.2, destination 1.1.1.1
- Filter 1: source 192.168.1.10, destination 2.2.2.2; Filter 2: source 2.2.2.2, destination 192.168.1.10
Question 31 of 60.
Which two techniques become available only after upgrading from a legacy firewall to a Palo Alto Networks next-generation firewall? (Choose two.)
- Dynamically opening small holes in the firewall to permit FTP data transfers, instead of being required to open all high port numbers
- Distinguishing between SSH v1 and SSH v2 in a traffic stream
- Limiting applications to using only their standard port numbers
- Differentiating between traffic for the base Facebook application and traffic using Facebook Chat

Question 32 of 60.
Which function resides on the management plane?
- Content inspection performed in software
- System logging
- Application ID
- Server response inspection

Question 33 of 60.
Given the following Security Policy and information about traffic traversing the firewall: Source Address: 192.168.64.10; Source Zone: Trust-L3; Destination Address: 199.167.55.50; Destination Zone: Untrust-L3; Destination port: 85; Application: web-browsing. Which rule will match the specified traffic?
- Rule number 6
- Rule number 3
- Rule number 2
- Rule number 4

Question 34 of 60.
The network is experiencing routing problems and the firewall administrator needs to determine the root cause. Which CLI command should the administrator use to verify routing behavior while watching the current flow of routed logs?
- less follow yes mp-log routed.log
- show routing fib virtual-router vr1
- less mp-log routed.log
- show routing summary virtual-router vr1

Question 35 of 60.
You are the network security engineer for a large corporation. On the same night you finished a successful migration, you receive an after-hours call from the Network Operations Center (NOC). After the latest firewall migration, traffic coming from the internal network (inside zone) is not reaching its destination on several rules present in the Security Policy that have the DMZ zone as target and are allowing the traffic. The NOC sends you an email message received on your phone with the information shown above. Given that there is no current internet access, which steps should the NOC engineer take to fix the problem?
- Change the destination zone to Inside zone and commit the change.
- SSH into the device, enter configure mode, and add the following static route command: set network virtual-router vr1 routing-table ip static-route dmzroute interface ethernet1/2 destination 10.15.26.0/24 nexthop ip-address 10.15.25.1
- Change the destination zone to DMZ zone and commit the change.
- SSH into the device, enter configure mode, and add the following static route command: set network virtual-router vr1 routing-table ip static-route dmzroute interface ethernet1/2 destination 10.15.22.0/24 nexthop ip-address 172.15.22.65

Question 36 of 60.
Which GlobalProtect deployment strategy could be leveraged to expand a company's global VPN footprint without incurring hosting fees for physical equipment?
- LSVPN (Large Scale VPN)
- MDM (Mobile Device Manager)
- GlobalProtect Satellite
- VM-Series for AWS (Amazon Web Services)

Question 37 of 60.
Which two statements regarding next-generation and legacy firewalls are true? (Choose two.)
- Both legacy firewalls and next-generation firewalls can reassemble packets in a given HTTP stream that arrive in an incorrect order.
- A next-generation firewall detects when traffic shifts from “normal” web browsing to a specific web application, not a more specific protocol.
- A next-generation firewall can decrypt an attached encrypted .ZIP file sent through SMTP; a legacy firewall cannot.
- Both legacy firewalls and next-generation firewalls can be configured to allow internal users to read, but not post at, an internet discussion board.

Question 38 of 60.
A company has a Palo Alto Networks firewall configured with the following three zones: Internet, DMZ, Inside. All users are located on the Inside zone and are using public DNS servers for name resolution. The company hosts a publicly accessible web application on a server in the DMZ zone. Which NAT rule configuration will allow users on the Inside zone to access the web application using its public IP address?
- Explicit No-NAT Policy Rule
- Three zone U-turn NAT
- Two zone U-turn NAT
- Bi-directional NAT

Question 39 of 60.
A company is deploying a pair of PA-5060 firewalls in an environment requiring support for asymmetric routing. Which High Availability (HA) mode best supports this design requirement?
- Active-Passive mode with "tcp-reject-non-syn" set to "no"
- HA-Lite Active-Passive mode
- Active-Passive mode
- Active-Active mode

Question 40 of 60.
Which action will allow a firewall administrator to determine which NAT rules have NOT been matched since the last reboot?
- From the CLI, issue the command test nat-policy-match against each configured rule.
- In the GUI, select the Highlight Unused Rules option under Policies -> NAT.
- From the CLI, issue the show session all filter nat-rule command.
- From the CLI, issue the show running nat-policy command.

Question 41 of 60.
A user is reporting that they cannot download a PDF file from the internet. Which option will show whether the downloaded file has been blocked by a Security Profile?
- Filter the System log for "Download Failed" messages.
- Filter the Traffic logs for all traffic from the user that resulted in a deny action.
- Filter the Data Filtering logs for the user's traffic and the name of the PDF file.
- Filter the Session Browser for all sessions from the user with the application "adobe".

Question 42 of 60.
Given the Application Override policy shown above, what will be the effect of this policy?
- Traffic matching the Application Override policy will be assigned to the application "web-browsing".
- Traffic to the WebTrends server from the DMZ zone will be subject to content and threat detection.
- Traffic destined to TCP port 8888 will be assigned to the application "web-browsing" and discarded by the firewall.
- Traffic matching the policy will be assigned to the "web-browsing" application, bypassing content and threat detection.
Question 43 of 60.
A company has decided to install a Palo Alto Networks firewall using VWire interfaces. Because of pre-existing network configurations, the traffic on the upstream and downstream devices can have 802.1Q tags with the following values: 5, 10, 11, 12, 13, 14, 15, 25, 30. How should the network administrator configure the Tag Allowed field of the VWire to allow only traffic with 802.1Q tag values of 11, 12, and 14?
- 0
- [10-15]
- {11-14}
- 11,12,14

Question 44 of 60.
A Security policy accepts new FTP traffic sessions between 8:00 a.m. and 5:00 p.m. What happens to an already-accepted and running FTP session at 5:01 p.m.?
- The session is terminated, and the initiator must establish a new session.
- The session continues to run, because already-accepted sessions are not re-evaluated.
- The session is re-evaluated to determine whether it is allowed under a different policy rule.
- The session is re-evaluated if the default configuration setting “Rematch all sessions on config policy change” is enabled.

Question 45 of 60.
Which two functions can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose two.)
- Checking for suspicious, but technically compliant, protocol behavior
- Inspecting traffic at the application layer
- Temporarily allowing an external web server to send inbound packets after an outbound request for a web page
- Creating virtual connections out of UDP traffic

Question 46 of 60.
Which interface type provides support for point-to-point protocol over Ethernet (PPPoE)?
- Layer3
- PPP
- Virtual wire
- Layer2

Question 47 of 60.
Which statement is true if a Security policy contains two rules that would both match a proposed new session?
- The rule with the most restrictive action will be applied.
- Both rules will be applied.
- The first rule that matches while evaluating the rules from top to bottom is the one that will be applied.
- Deny rules are evaluated first, and then Accept rules.

Question 48 of 60.
Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule?
- Bidirectional
- Static IP
- Dynamic IP and Port
- Dynamic IP

Question 49 of 60.
You are analyzing a specific device group from Panorama and notice there are a very large number of "insufficient-data" log entries. What is known for certain about the "insufficient-data" in this display? Consider the following data:
- The number of bytes sent in packets where the application could not be identified
- The number of bytes sent in sessions that were never fully opened with a SYN, SYN-ACK, ACK sequence
- The number of bytes in the extra packets sent in a DoS attack
- The number of bytes sent by hosts attempting to transmit malware

Question 50 of 60.
A workstation at a company was infected with malware on September 18, 2014. Palo Alto Networks released an antivirus signature for that malware on September 17, 2014. The company's firewall is licensed with Threat Prevention and URL Filtering. The Threat log in the Monitor tab of the firewall shows no indications of traffic related to the infection. However, the Traffic log shows traffic between the workstation and the command-and-control server. Given the company's Dynamic Updates configuration: What is the cause of traffic not matching a malware signature?
- The update schedule is set to "download only" and not to "download and install".
- The infection occurred during the hourly update window when the malware was identified.
- A WildFire subscription is needed to detect malware.
- The most recent updates were incremental and not full updates.

Question 51 of 60.
A Management Profile to allow SSH access has been created and applied to interface ethernet1/1. A security rule with the action "deny" is applied to packets from "any" source zone to "any" destination zone. What will happen when someone attempts to initiate an SSH connection to ethernet1/1?
- SSH access to the interface will be allowed because intra-zone traffic is allowed by default.
- SSH access to the interface will be allowed because the Management Profile is applied before the Security policy.
- SSH access to the interface will be denied because intra-zone traffic is denied.
- SSH access to the interface will be allowed because inter-zone traffic is allowed.

Question 52 of 60.
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
- Allow
- Default
- Log
- Alert

Question 53 of 60.
A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They were asked not to share this list outside of the organization. The Chief Information Security Officer has requested that all user access to these URLs be filtered and blocked immediately to prevent potential breaches. However, the inline Palo Alto Networks firewall is NOT licensed for URL Filtering. What is an efficient method for blocking access to these URLs?
- Import the URLs to a Dynamic Block List and reference the Dynamic Block List in a Security policy rule set to deny.
- Submit a Bulk Change Request via the Palo Alto Networks Support Portal containing the list of the URLs, request that the URLs be categorized as “Malware,” and set the action to "block" for the Malware category in a URL Filtering profile.
- Use a script to automatically import each URL domain as an FQDN address object.
- Import the URLs to a Custom URL Category and reference the URL Category in a Security policy rule set to deny.

Question 54 of 60.
A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating a flood of bogus TCP connections to internal servers behind the firewall. This traffic is allowed by security policies, and other than creating half-open TCP connections, it is indistinguishable from legitimate inbound traffic. Which Zone Protection Profile with SYN Flood Protection action, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic?
- SYN Cookies applied on the internal zone
- Random Early Drop applied on the internet-facing zone
- SYN Cookies applied on the internet-facing zone
- Random Early Drop applied on the internal zone
Question 55 of 60.
A US-CERT notification is published regarding a newly discovered piece of malware. The infection is spread using spear phishing emails that prompt users to click an HTTP hyperlink, which then downloads the malware. Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall is configured to dynamically update to the latest databases automatically. Which component and implementation will detect and prevent this threat?
- Antivirus Profiles applied to inbound Security policies with action set to block high-severity threats
- Zone Protection Profiles applied to the external zone with Packet Based Attack Protection with action set to block high-severity threats
- Vulnerability Protection Profiles applied to inbound and outbound Security policies with action set to block high-severity threats
- Antivirus Profiles applied to outbound Security policy rules with action set to block high-severity threats

Question 56 of 60.
A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode and will be using HA-Lite. Which capability can be used in this situation?
- Session Sync
- Configuration Sync
- Link Aggregation
- Jumbo Frames

Question 57 of 60.
When would there be a benefit from the creation of a custom application signature?
- When the application can be used to send and receive malware
- When a company wants to know who is watching World Cup soccer matches during work hours
- When the risk level of a Palo Alto Networks-provided application signature needs to be changed
- When the ability of an application to port hop needs to be eliminated

Question 58 of 60.
Which statement is true about the Highlight Unused Rules option for a Security Policy?
- A management plane restart will clear the counters for used/unused rules.
- A dataplane restart will clear the counters for used/unused rules.
- The counters for used/unused rules can be cleared using the "reset counter global name rule-use" CLI command.
- The counters for used/unused rules can be cleared using the reset counter global name rule-use CLI command.

Question 59 of 60.
A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog messages are forwarded to a syslog receiver. There are currently 20 PA-5060 firewalls, each of which is configured to forward syslogs individually. The security engineer wants to leverage their two M-100 appliances to send syslog messages from a single source and already has deployed one in Panorama mode and the other as a Log Collector. What is the remaining step in this solution?
- Configure a Syslog Proxy Profile
- Enable Syslog Aggregation
- Configure a Panorama Log Forwarding Profile
- Configure Collector Log Forwarding

Question 60 of 60.
Which Interface Type can be used to manage a firewall via SSH or HTTPS?
- Virtual Wire
- Tap
- HA
- Layer3
- Layer2
| Differentiating between traffic for the base Facebook application and traffic using Facebook Chat | |
Question 32 of 60.
| Which function resides on the management plane? | 
| Content inspection performed in software | |||
| System logging | |||
| Application ID | |||
| Server response inspection | |||
Question 33 of 60.
| Given the following Security Policy and information about traffic traversing the firewall: Source Address 192.168.64.10; Source Zone Trust-L3; Destination Address 199.167.55.50; Destination Zone Untrust-L3; Destination port 85; Application web-browsing. Which rule will match the specified traffic? | 
| Rule number 6 | |||
| Rule number 3 | |||
| Rule number 2 | |||
| Rule number 4 | |||
Question 34 of 60.
| The network is experiencing routing problems and the firewall administrator needs to determine the root cause. Which CLI command should the administrator use to verify routing behavior while watching the current flow of routed logs? | 
| less follow yes mp-log routed.log | |||
| show routing fib virtual-router vr1 | |||
| less mp-log routed.log | |||
| show routing summary virtual-router vr1 | |||
Question 35 of 60.
|  You are the network security engineer for a large corporation. On the same night you finished a successful migration, you receive an after-hours call from the Network Operations Center (NOC). After the latest firewall migration, traffic coming from the internal network (inside zone) is not reaching its destination on several rules present in the Security Policy that have the DMZ zone as target and are allowing the traffic. The NOC sends you an email message received on your phone with the information shown above. Given that there is no current internet access, which steps should the NOC engineer take to fix the problem? | 
| Change the destination zone to Inside zone and commit the change. | |||
| SSH into the device, enter in configure mode, and add the following static route command: set network virtual-router vr1 routing-table ip static-route dmzroute interface ethernet1/2 destination 10.15.26.0/24 nexthop ip-address 10.15.25.1 | |||
| Change the destination zone to DMZ zone and commit the change | |||
| SSH into the device, enter in configure mode, and add the following static route command: set network virtual-router vr1 routing-table ip static-route dmzroute interface ethernet1/2 destination 10.15.22.0/24 nexthop ip-address 172.15.22.65 | |||
Question 36 of 60.
| Which GlobalProtect deployment strategy could be leveraged to expand a company's global VPN footprint without incurring hosting fees for physical equipment? | 
| LSVPN (Large Scale VPN) | |||
| MDM (Mobile Device Manager) | |||
| GlobalProtect Satellite | |||
| VM-Series for AWS (Amazon Web Services) | |||
Question 37 of 60.
| Which two statements regarding next-generation and legacy firewalls are true? (Choose two) | 
| Both legacy firewalls and next-generation firewalls can reassemble packets in a given HTTP stream that arrive in an incorrect order. | |
| A next-generation firewall detects when traffic shifts from “normal” web browsing to a specific web application, not a more specific protocol. | |
| A next-generation firewall can decrypt an attached encrypted .ZIP file sent through SMTP; a legacy firewall cannot. | |
| Both legacy firewalls and next-generation firewalls can be configured to allow internal users to read, but not post at, an internet discussion board. | |
Question 38 of 60.
| A company has a Palo Alto Networks firewall configured with the following three zones: Internet, DMZ, and Inside. All users are located on the Inside zone and are using public DNS servers for name resolution. The company hosts a publicly accessible web application on a server in the DMZ zone. Which NAT rule configuration will allow users on the Inside zone to access the web application using its public IP address? | 
| Explicit No-NAT Policy Rule | |||
| Three zone U-turn NAT | |||
| Two zone U-turn NAT | |||
| Bi-directional NAT | |||
Question 39 of 60.
|  A company is deploying a pair of PA-5060 firewalls in an environment requiring support for asymmetric routing. Which High Availability (HA) mode best supports this design requirement? | 
| Active-Passive mode with "tcp-reject-non-syn" set to "no" | |||
| HA-Lite Active-Passive mode | |||
| Active-Passive mode | |||
| Active-Active mode | |||
Question 40 of 60.
| Which action will allow a firewall administrator to determine which NAT rules have NOT been matched since the last reboot? | 
| From the CLI, issue the command test nat-policy-match against each configured rule. | |||
| In the GUI, select the Highlight Unused Rules option under Policies -> NAT. | |||
| From the CLI, issue the show session all filter nat-rule command. | |||
| From the CLI, issue the show running nat-policy command. | |||
Question 41 of 60.
| A user is reporting that they cannot download a PDF file from the internet. Which option will show whether the downloaded file has been blocked by a Security Profile? | 
| Filter the System log for "Download Failed" messages. | |||
| Filter the Traffic logs for all traffic from the user that resulted in a deny action. | |||
| Filter the Data Filtering logs for the user's traffic and the name of the PDF file. | |||
| Filter the Session Browser for all sessions from the user with the application "adobe". | |||
Question 42 of 60.
|  Given the Application Override policy shown above, what will be the effect of this policy? | 
| Traffic matching the Application Override policy will be assigned to the application "web-browsing". | |||
| Traffic to the WebTrends server from the DMZ zone will be subject to content and threat detection. | |||
| Traffic destined to TCP port 8888 will be assigned to the application "web-browsing" and discarded by the firewall. | |||
| Traffic matching the policy will be assigned to the "web-browsing" application, bypassing content and threat detection. | |||
Question 43 of 60.
| A company has decided to install a Palo Alto Networks firewall using VWire interfaces. Because of pre-existing network configurations, the traffic on the upstream and downstream devices can have 802.1Q tags with the following values: 5, 10, 11, 12, 13, 14, 15, 25, 30. How should the network administrator configure the Tag Allowed field of the VWire to allow only traffic with 802.1Q tag values of 11, 12, and 14? | 
| 0 | |||
| [10-15] | |||
| {11-14} | |||
| 11,12,14 | |||
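The Tag Allowed field accepts a comma-separated list of tag values and hyphenated ranges, with 0 standing for untagged frames; bracketed or braced forms are not valid syntax. The following is an added example, not part of the question set, that parses such a value and filters the constructed trunk tags from the question against it. The syntax rules it enforces (integers, "lo-hi" ranges, 0 for untagged, 4094 upper bound) are assumptions about the field, not taken from the page.

```python
"""Added example (not from the PCNSE question set): parse a VWire 'Tag Allowed'
value and decide which 802.1Q-tagged frames a virtual wire forwards.

Assumed syntax (not stated on the page): comma-separated integers and 'lo-hi'
ranges, 0 = untagged frames, tags 0..4094. The frame tags are constructed."""
from typing import List, Optional, Set

MAX_VLAN_ID = 4094


def parse_tag_allowed(spec: str) -> Set[int]:
    """Expand '11,12,14' or '0,10-15' into the set of permitted tag values.
    Raises ValueError on syntax such as '[10-15]' or '{11-14}', because
    int() refuses the brackets and braces."""
    allowed: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty element in tag list")
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range {part!r}")
            allowed.update(range(lo, hi + 1))
        else:
            allowed.add(int(part))
    for tag in allowed:
        if not 0 <= tag <= MAX_VLAN_ID:
            raise ValueError(f"tag {tag} outside 0-{MAX_VLAN_ID}")
    return allowed


def is_valid_spec(spec: str) -> bool:
    """True if the field value parses; lets callers reject bad input early."""
    try:
        parse_tag_allowed(spec)
        return True
    except ValueError:
        return False


def frame_passes(spec: str, vlan_tag: Optional[int]) -> bool:
    """True if a frame carrying this 802.1Q tag (None = untagged) is forwarded.
    Untagged frames are represented by tag value 0."""
    tag = 0 if vlan_tag is None else vlan_tag
    return tag in parse_tag_allowed(spec)


def filter_frames(spec: str, tags: List[Optional[int]]) -> List[Optional[int]]:
    """Return, in order, the tags from the upstream trunk that the VWire accepts."""
    allowed = parse_tag_allowed(spec)
    return [t for t in tags if (0 if t is None else t) in allowed]


# Constructed trunk tags taken from the question text.
TRUNK_TAGS: List[Optional[int]] = [5, 10, 11, 12, 13, 14, 15, 25, 30]

if __name__ == "__main__":
    for candidate in ("0", "10-15", "11,12,14"):
        print(f"{candidate:>10} -> {filter_frames(candidate, TRUNK_TAGS)}")
```

Running the three candidate values side by side makes the trade-off visible: "10-15" lets 13 and 15 through, "0" forwards only untagged frames, and only the explicit list matches the requirement exactly.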
Question 44 of 60.
| A Security policy accepts new FTP traffic sessions between 8:00 a.m. and 5:00 p.m. What happens to an already-accepted and running FTP session at 5:01 p.m.? | 
| The session is terminated, and the initiator must establish a new session. | |||
| The session continues to run, because already-accepted sessions are not re-evaluated. | |||
| The session is re-evaluated to determine whether it is allowed under a different policy rule. | |||
| The session is re-evaluated if the default configuration setting “Rematch all sessions on config policy change” is enabled. | |||
Question 45 of 60.
| Which two functions can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose two.) | 
| Checking for suspicious, but technically compliant, protocol behavior | |
| Inspecting traffic at the application layer | |
| Temporarily allowing an external web server to send inbound packets after an outbound request for a web page | |
| Creating virtual connections out of UDP traffic | |
Question 46 of 60.
| Which interface type provides support for point-to-point protocol over Ethernet (PPPoE)? | 
| Layer3 | |||
| PPP | |||
| Virtual wire | |||
| Layer2 | |||
Question 47 of 60.
| Which statement is true if a Security policy contains two rules that would both match a proposed new session? | 
| The rule with the most restrictive action will be applied. | |||
| Both rules will be applied. | |||
| The first rule that matches while evaluating the rules from top to bottom is the one that will be applied. | |||
| Deny rules are evaluated first, and then Accept rules. | |||
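Security policy evaluation is strictly top-down and first-match: the first rule whose criteria are all satisfied decides the session, and no later rule is consulted whatever its action. The following is an added simulation, not part of the question set, that implements that evaluation over a constructed rulebase (zone names, addresses, applications and the two implicit default rules are assumptions for illustration, not values from the page) and shows how reordering rules changes the verdict.

```python
"""Added example (not from the PCNSE question set): minimal simulation of
top-down, first-match Security policy evaluation.

The rulebase, zones, addresses and sessions are constructed. Matching covers
source/destination zone, source/destination address (CIDR), application and
destination port; the implicit intrazone-default (allow) and
interzone-default (deny) rules sit below every configured rule."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set

ANY = "any"


def _any() -> Set[str]:
    return {ANY}


@dataclass
class Rule:
    name: str
    action: str                                          # "allow" or "deny"
    src_zones: Set[str] = field(default_factory=_any)
    dst_zones: Set[str] = field(default_factory=_any)
    src_nets: Set[str] = field(default_factory=_any)    # CIDR strings or "any"
    dst_nets: Set[str] = field(default_factory=_any)
    apps: Set[str] = field(default_factory=_any)
    ports: Set[int] = field(default_factory=set)         # empty = any port


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str
    dst_port: int


def _zone_ok(allowed: Set[str], zone: str) -> bool:
    return ANY in allowed or zone in allowed


def _net_ok(allowed: Set[str], ip: str) -> bool:
    if ANY in allowed:
        return True
    return any(ip_address(ip) in ip_network(net, strict=False) for net in allowed)


def rule_matches(rule: Rule, s: Session) -> bool:
    """Every criterion of the rule must be satisfied for the rule to match."""
    return (_zone_ok(rule.src_zones, s.src_zone)
            and _zone_ok(rule.dst_zones, s.dst_zone)
            and _net_ok(rule.src_nets, s.src_ip)
            and _net_ok(rule.dst_nets, s.dst_ip)
            and (ANY in rule.apps or s.app in rule.apps)
            and (not rule.ports or s.dst_port in rule.ports))


def evaluate(rulebase: List[Rule], s: Session) -> Rule:
    """Walk the rulebase top to bottom and return the FIRST matching rule.
    Later rules are never consulted, whatever their action, so a broad rule
    above a specific one shadows it. With no match, the implicit defaults
    apply: same zone -> allow, different zones -> deny."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule
    if s.src_zone == s.dst_zone:
        return Rule("intrazone-default", "allow")
    return Rule("interzone-default", "deny")


# Constructed rulebase; order is significant.
RULEBASE = [
    Rule("block-quarantined-hosts", "deny", src_nets={"10.1.1.0/28"}),
    Rule("allow-web-standard", "allow", {"Trust-L3"}, {"Untrust-L3"},
         apps={"web-browsing", "ssl"}, ports={80, 443}),
    Rule("allow-web-port-85", "allow", {"Trust-L3"}, {"Untrust-L3"},
         apps={"web-browsing"}, ports={85}),
    Rule("deny-outbound-rest", "deny", {"Trust-L3"}, {"Untrust-L3"}),
]

if __name__ == "__main__":
    s = Session("Trust-L3", "Untrust-L3", "10.1.1.50", "203.0.113.10", "web-browsing", 85)
    hit = evaluate(RULEBASE, s)
    print(f"{s.app}/{s.dst_port}: {hit.name} -> {hit.action}")
```

Note that "deny-outbound-rest" only has effect because it sits last; moving it to the top would deny every outbound session, which is the shadowing mistake the first-match model makes easy to commit.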
Question 48 of 60.
| Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule? | 
| Bidirectional | |||
| Static IP | |||
| Dynamic IP and Port | |||
| Dynamic IP | |||
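The difference between the source translation types is easiest to see by running sessions through each. The following is an added simulation, not part of the question set: a single rule with a one-address pool is exercised under Dynamic IP (one pool address per internal host, ports unchanged) and Dynamic IP and Port (one shared address, sessions told apart by translated port). Addresses, pool sizes, port ranges and the one-to-one static map are constructed assumptions; the model is a simplification and says nothing about PAN-OS internals such as oversubscription.

```python
"""Added example (not from the PCNSE question set): simulate the source
translation types named in this question. Static IP is modelled as a fixed
one-to-one map (bidirectional is an option of that type, not a type of its
own). Addresses, pool sizes and port range are constructed."""
from typing import Dict, List, Optional, Set, Tuple

Translated = Tuple[str, int]           # (translated source IP, translated source port)
EPHEMERAL_FIRST, PORT_MAX = 1024, 65535
TYPES = ("static-ip", "dynamic-ip", "dynamic-ip-and-port")


class SourceNAT:
    """Source-translation behaviour of one NAT policy rule."""

    def __init__(self, translation_type: str, pool: List[str],
                 static_map: Optional[Dict[str, str]] = None):
        if translation_type not in TYPES:
            raise ValueError(f"unknown translation type {translation_type!r}")
        self.type = translation_type
        self.pool = list(pool)
        self.static_map = dict(static_map or {})
        self.ip_assign: Dict[str, str] = {}                  # dynamic-ip: host -> address
        self.ports_in_use: Dict[str, Set[int]] = {a: set() for a in self.pool}

    def translate(self, src_ip: str, src_port: int) -> Optional[Translated]:
        """Translated (ip, port) for a new session, or None when the rule
        cannot translate it (pool or port space exhausted, no static entry)."""
        if self.type == "static-ip":
            ip = self.static_map.get(src_ip)
            return (ip, src_port) if ip else None

        if self.type == "dynamic-ip":
            # Each distinct internal host consumes a whole pool address.
            if src_ip not in self.ip_assign:
                taken = set(self.ip_assign.values())
                free = [a for a in self.pool if a not in taken]
                if not free:
                    return None
                self.ip_assign[src_ip] = free[0]
            return (self.ip_assign[src_ip], src_port)

        # dynamic-ip-and-port: many hosts share an address; the translated
        # source port keeps their sessions distinct.
        for addr in self.pool:
            used = self.ports_in_use[addr]
            port: Optional[int] = None
            if src_port >= EPHEMERAL_FIRST and src_port not in used:
                port = src_port                          # keep the port if free
            else:
                port = next((p for p in range(EPHEMERAL_FIRST, PORT_MAX + 1)
                             if p not in used), None)
            if port is not None:
                used.add(port)
                return (addr, port)
        return None


def hosts_sharing(results: List[Optional[Translated]]) -> int:
    """Number of successfully translated sessions in a batch."""
    return sum(1 for r in results if r is not None)


if __name__ == "__main__":
    hosts = [f"192.168.1.{h}" for h in (10, 11, 12)]
    for t in ("dynamic-ip", "dynamic-ip-and-port"):
        nat = SourceNAT(t, ["198.51.100.1"])
        out = [nat.translate(h, 40000) for h in hosts]
        print(f"{t:>20}: {out}  translated={hosts_sharing(out)}/{len(hosts)}")
```

With a single-address pool, Dynamic IP translates the first host and has nothing left for the others, while DIPP carries all of them on the same address.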
Question 49 of 60.
|  You are analyzing a specific device group from Panorama and notice there are a very large number of "insufficient-data" log entries. What is known for certain about the "insufficient-data" in this display? Consider the following data: | 
| The number of bytes sent in packets where the application could not be identified | |||
| The number of bytes sent in sessions that were never fully opened with a SYN, SYN-ACK, ACK sequence | |||
| The number of bytes in the extra packets sent in a DoS attack | |||
| The number of bytes sent by hosts attempting to transmit malware | |||
Question 50 of 60.
|  A workstation at a company was infected with malware on September 18, 2014. Palo Alto Networks released an antivirus signature for that malware on September 17, 2014. The company's firewall is licensed with Threat Prevention and URL Filtering. The Threat log in the Monitor tab of the firewall shows no indications of traffic related to the infection. However, the Traffic log shows traffic between the workstation and the command-and-control server. Given the company's Dynamic Updates configuration: What is the cause of traffic not matching a malware signature? | 
| The update schedule is set to "download only" and not to "download and install". | |||
| The infection occurred during the hourly update window when the malware was identified. | |||
| A WildFire subscription is needed to detect malware. | |||
| The most recent updates were incremental and not full updates. | |||
Question 51 of 60.
| A Management Profile to allow SSH access has been created and applied to interface ethernet1/1. A security rule with the action "deny" is applied to packets from "any" source zone to "any" destination zone. What will happen when someone attempts to initiate an SSH connection to ethernet1/1? | 
| SSH access to the interface will be allowed because intra-zone traffic is allowed by default. | |||
| SSH access to the interface will be allowed because the Management Profile is applied before the Security policy. | |||
| SSH access to the interface will be denied because intra-zone traffic is denied. | |||
| SSH access to the interface will be allowed because inter-zone traffic is allowed. | |||
Question 52 of 60.
| Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log? | 
| Allow | |||
| Default | |||
| Log | |||
| Alert | |||
Question 53 of 60.
| A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They were asked not to share this list outside of the organization. The Chief Information Security Officer has requested that all user access to these URLs be filtered and blocked immediately to prevent potential breaches. However, the inline Palo Alto Networks firewall is NOT licensed for URL Filtering. What is an efficient method for blocking access to these URLs? | 
| Import the URLs to a Dynamic Block List and reference the Dynamic Block List in a Security policy rule set to deny. | |||
| Submit a Bulk Change Request via the Palo Alto Networks Support Portal containing the list of the URLs, request that the URLs be categorized as “Malware,” and set the action to "block" for the Malware category in a URL Filtering profile. | |||
| Use a script to automatically import each URL domain as an FQDN address object. | |||
| Import the URLs to a Custom URL Category and reference the URL Category in a Security policy rule set to deny. | |||
Question 54 of 60.
| A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating a flood of bogus TCP connections to internal servers behind the firewall. This traffic is allowed by security policies, and other than creating half-open TCP connections, it is indistinguishable from legitimate inbound traffic. Which Zone Protection Profile with SYN Flood Protection action, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic? | 
| SYN Cookies applied on the internal zone | |||
| Random Early Drop applied on the internet-facing zone | |||
| SYN Cookies applied on the internet-facing zone | |||
| Random Early Drop applied on the internal zone | |||
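What distinguishes SYN Cookies from Random Early Drop is that a cookie-protected server commits no per-connection state on a SYN: the sequence number it returns is a keyed hash of the connection tuple and a coarse timestamp, and only a client that completes the handshake with the matching ACK is admitted. A flood of bogus SYNs therefore costs nothing to hold, and legitimate clients are not randomly discarded. The following is an added example, not part of the question set, with a simplified cookie layout (5-bit time counter, 2-bit MSS index, 25-bit keyed hash) that is an assumption for illustration and not a description of the PAN-OS implementation; the secret, time source and packets are constructed.

```python
"""Added example (not from the PCNSE question set): simplified SYN-cookie
encoder/validator and a server-side handshake model with and without cookies.
Cookie layout, secret and packets are constructed; this is not the PAN-OS
implementation."""
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

SECRET = b"constructed-per-boot-secret"      # would be random per boot in practice
MSS_TABLE = [536, 1220, 1440, 1460]          # 2-bit MSS index
MASK32 = 0xFFFFFFFF
HASH_BITS = 25


def _mac(src: str, sport: int, dst: str, dport: int, t: int) -> int:
    msg = f"{src}:{sport}>{dst}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(src: str, sport: int, dst: str, dport: int, mss: int, minute: int) -> int:
    """ISN = 5-bit time counter | 2-bit MSS index | 25-bit keyed hash."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    t = minute & 0x1F
    h = _mac(src, sport, dst, dport, t) & ((1 << HASH_BITS) - 1)
    return ((t << 27) | (mss_idx << 25) | h) & MASK32


def check_syn_cookie(src: str, sport: int, dst: str, dport: int,
                     ack_num: int, now_minute: int, max_age: int = 2) -> Optional[int]:
    """Validate the client's ACK (ack_num == cookie + 1). Return the MSS to use,
    or None if the cookie is forged, for another tuple, or too old."""
    cookie = (ack_num - 1) & MASK32
    t = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    h = cookie & ((1 << HASH_BITS) - 1)
    if ((now_minute - t) & 0x1F) > max_age:
        return None
    if h != (_mac(src, sport, dst, dport, t) & ((1 << HASH_BITS) - 1)):
        return None
    return MSS_TABLE[mss_idx]


class Listener:
    """Server-side handshake state, with or without SYN cookies."""

    def __init__(self, ip: str, port: int, syn_cookies: bool):
        self.ip, self.port, self.syn_cookies = ip, port, syn_cookies
        self.half_open: Dict[Tuple[str, int], Tuple[int, int]] = {}   # classic mode only
        self.established: Set[Tuple[str, int]] = set()

    def on_syn(self, src: str, sport: int, mss: int, minute: int) -> int:
        """Handle a SYN; return the ISN placed in the SYN-ACK."""
        if self.syn_cookies:
            return make_syn_cookie(src, sport, self.ip, self.port, mss, minute)
        isn = _mac(src, sport, self.ip, self.port, minute)    # any unpredictable ISN
        self.half_open[(src, sport)] = (isn, mss)               # state held per SYN
        return isn

    def on_ack(self, src: str, sport: int, ack_num: int, minute: int) -> bool:
        """Handle the third-handshake ACK; True if the connection is admitted."""
        if self.syn_cookies:
            if check_syn_cookie(src, sport, self.ip, self.port, ack_num, minute) is None:
                return False
        else:
            entry = self.half_open.pop((src, sport), None)
            if entry is None or ((entry[0] + 1) & MASK32) != ack_num:
                return False
        self.established.add((src, sport))
        return True


def flood(listener: Listener, count: int, minute: int) -> int:
    """Send `count` SYNs from constructed sources that never ACK; return the
    number of half-open entries the listener is left holding."""
    for i in range(count):
        listener.on_syn(f"203.0.113.{i % 250}", 1000 + i, 1460, minute)
    return len(listener.half_open)
```

In cookie mode the flood leaves the listener with zero half-open entries and a genuine client still completes; in classic mode the same flood fills the half-open table one entry per bogus SYN, which is the resource a SYN flood is designed to exhaust.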
Question 55 of 60.
| A US-CERT notification is published regarding a newly discovered piece of malware. The infection is spread using spear phishing emails that prompt users to click an HTTP hyperlink, which then downloads the malware. Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall is configured to dynamically update to the latest databases automatically. Which component and implementation will detect and prevent this threat? | 
| Antivirus Profiles applied to inbound Security policies with action set to block high-severity threats | |||
| Zone Protection Profiles applied to the external zone with Packet Based Attack Protection with action set to block high-severity threats | |||
| Vulnerability Protection Profiles applied to inbound and outbound Security policies with action set to block high-severity threats | |||
| Antivirus Profiles applied to outbound Security policy rules with action set to block high-severity threats | |||
Question 56 of 60.
| A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode and will be using HA-Lite. Which capability can be used in this situation? | 
| Session Sync | |||
| Configuration Sync | |||
| Link Aggregation | |||
| Jumbo Frames | |||
Question 57 of 60.
| When would there be a benefit from the creation of a custom application signature? | 
| When the application can be used to send and receive malware | |||
| When a company wants to know who is watching World Cup soccer matches during work hours | |||
| When the risk level of a Palo Alto Networks-provided application signature needs to be changed | |||
| When the ability of an application to port hop needs to be eliminated | |||
Next Generation firewalls are used to protect the system from being harmed. These firewalls filter the traffic configured on the system, check for faults by monitoring the data, and perform deep inspection to spot malware.