Question 1 of 45.

A Security policy rule displayed in italic font indicates which condition?

The rule has been overridden.

The rule is active.
The rule is a clone.
The rule is disabled.

Mark for follow up

Question 2 of 45.

A Server Profile enables a firewall to locate which server type?

a server with an available VPN connection

a server with remote user accounts
a server with firewall threat updates
a server with firewall software updates

Mark for follow up

Question 3 of 45.

An Antivirus Security Profile specifies Actions and WildFire Actions. Wildfire Actions enable you to
configure the firewall to perform which operation?

Block traffic when a WildFire virus signature is detected.

Delete packet data when a virus is suspected.
Download new antivirus signatures from WildFire.
Upload traffic to WildFire when a virus is suspected.

Mark for follow up

Question 4 of 45.

Application block pages can be enabled for which applications?

MGT port-based
any
web-based
non-TCP/IP

Mark for follow up

Question 5 of 45.

Because a firewall examines every packet in a session, a firewall can detect application ________?

groups
shifts
errors
filters

Mark for follow up

Question 6 of 45.

Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate
that you should take which action?

Re-download the URL seed database.

Reboot the firewall.
Validate connectivity to the PAN-DB cloud.
Validate your Security policy rules.

Mark for follow up

Question 7 of 45.

For which firewall feature should you create forward trust and forward untrust certificates?

SSL Inbound Inspection decryption

SSH decryption
SSL client-side certificate checking
SSL forward proxy decryption

Mark for follow up

Question 8 of 45.

If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are
recorded in which log type?
 Data Filtering
Traffic
WildFire Submissions
Threat

Mark for follow up

Question 9 of 45.

If there is an HA configuration mismatch between firewalls during peer negotiation, which state
will the passive firewall enter?

PASSIVE
INITIAL
NON-FUNCTIONAL
ACTIVE

Mark for follow up

Question 10 of 45.

In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose
three.)
synchronizing sessions
exchanging hellos
synchronizing configuration
exchanging heartbeats

Mark for follow up

Question 11 of 45.

In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.)
link groups
hellos
path groups
heartbeats
Question 12 of 45.

Which two user mapping methods are supported by the User-ID integrated agent? (Choose two.)
LDAP Filters
WMI probing
Client Probing
NetBIOS Probing

Mark for follow up

Question 13 of 45.

SSL Inbound Inspection requires that the firewall be configured with which two components?
(Choose two.)
client's digital certificate
client•'s public key
server's private key
server's digital certificate

Mark for follow up

Question 14 of 45.

The Threat log records events from which three Security Profiles? (Choose three.)
Vulnerability Protection
File Blocking
Antivirus
URL Filtering
WildFire Analysis
Anti-Spyware

Mark for follow up

Question 15 of 45.

The User-ID feature is enabled per __________?

firewall interface
firewall
User-ID agent
firewall security zone

Mark for follow up

Question 16 of 45.

What are the two separate planes that make up the PAN-OS architecture? (Choose two.)
signature processing plane
control/management plane
dataplane
HA plane
routing plane

Mark for follow up

Question 17 of 45.

What are two benefits of attaching a Decryption Profile to a Decryption policy no-decrypt rule?
(Choose two.)
acceptable protocol checking
expired certificate checking
URL category match checking
untrusted certificate checking

Mark for follow up

Question 18 of 45.

What is a characteristic of Dynamic Admin Roles?

They can be dynamically modified by external authorization systems.

Role privileges can be dynamically updated by a firewall administrator.
They can be dynamically created or deleted by a firewall administrator.
Role privileges can be dynamically updated with newer software releases.

Mark for follow up

Question 19 of 45.
What is a use case for deploying Palo Alto Networks NGFW in the public cloud?

extending the corporate data center into the public cloud

faster WildFire analysis response time
cost savings through one-time purchase of Palo Alto Networks hardware and
subscriptions
centralizing your data storage on premise

Mark for follow up

Question 20 of 45.

When SSL traffic passes through the firewall, which component is evaluated first?

Security policy
Decryption policy
Decryption Profile
Decryption exclusions list

Mark for follow up

Question 21 of 45.

Where does a GlobalProtect client connect to first when trying to connect to the network?

GlobalProtect Portal
AD agent
GlobalProtect Gateway
User-ID agent

Mark for follow up

Question 22 of 45.

Which condition must exist before a firewall's in-band interface can process traffic?

The firewall must be enabled.

The firewall must not be a loopback interface.
The firewall must be assigned an IP address.
The firewall must be assigned to a security zone.

Mark for follow up

Question 23 of 45.

Which feature is a dynamic grouping of applications used in Security policy rules?

 dependent applications
application group
application filter
implicit applications

Mark for follow up

Question 24 of 45.

Which interface type does NOT require any configuration changes to adjacent network devices?

Virtual Wire
Layer 2
Tap
Layer 3

Mark for follow up

Question 25 of 45.

Which interface type is NOT assigned to a security zone?

Virtual Wire
VLAN
HA
Layer 3

Mark for follow up

Question 26 of 45.

Which statement describes a function provided by an Interface Management Profile?

It determines which firewall services are accessible from external devices.

It determines which external services are accessible by the firewall.
It determines which administrators can manage which interfaces.
It determines the NetFlow and LLDP interface management settings.

Mark for follow up

Question 27 of 45.

Which statement describes the Export named configuration snapshot operation?

The running configuration is transferred from memory to the firewall'•s storage device.
A copy of the configuration is uploaded to the cloud as a backup.
The candidate configuration is transferred from memory to the firewall'•s storage device.
A saved configuration is transferred to an external host•s storage device.
Mark for follow up

Question 28 of 45.

Which statement is true about a URL Filtering Profile• continue password?

There is a password per firewall administrator account.

There is a single, per-firewall password.
There is a password per website.
There is a password per session.

Mark for follow up

Question 29 of 45.

Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)
maximum file size
application
file types
direction

Mark for follow up

Question 30 of 45.

Which three MGT port configuration settings are required in order to access the WebUI? (Choose
three.)
Default gateway
IP address
Hostname
Netmask

Mark for follow up

Question 31 of 45.

Which three network modes are supported by active/passive HA? (Choose three.)
Virtual Wire
Layer 3
Layer 2
Tap

Mark for follow up

Question 32 of 45.
Which two file types can be sent to WildFire for analysis if a firewall has only a standard
subscription service? (Choose two.)
.jar
.pdf
.dll
.exe

Mark for follow up

Question 33 of 45.

Which user mapping method is recommended for a highly mobile user base?

GlobalProtect
Client Probing
Session Monitoring
Server Monitoring

Mark for follow up

Question 34 of 45.

Which User-ID user mapping method is recommended for environments where users frequently
change IP addresses?

Client Probing
Captive Portal
Session Monitoring
Server Monitoring

Mark for follow up

Question 35 of 45.

Which file must be downloaded from the firewall to create a Heatmap and Best Practices
Assessment report?

XML file
Tech Support File
firewall config file
stats dump file

Mark for follow up

Question 36 of 45.

GlobalProtect clientless VPN provides secure remote access to web applications that use which
three technologies? (Choose three.)
 Java
HTML
JavaScript
HTML5
Python
Ruby

Mark for follow up

Question 37 of 45.

Which three subscription services are included as part of the GlobalProtect cloud service? (Choose
three.)
WildFire®
Panorama
Threat Prevention
AutoFocus
URL Filtering
Aperture

Mark for follow up

Question 38 of 45.

What is the maximum number of WildFire® appliances that can be grouped in to a WildFire®
appliance cluster?

12
24
32
20

Mark for follow up

Question 39 of 45.

The decryption broker feature is supported by which three Palo Alto Networks firewall series?
(Choose three.)
PA-5200
PA-3000
PA-5000
PA-3200
VM-Series
PA-7000

Mark for follow up

Question 40 of 45.
Which three HTTP header insertion types are predefined? (Choose three.)
WebEx
Box
Google
Slack
YouTube
Dropbox

Mark for follow up

Question 41 of 45.

Which VM-Series model was introduced with the release of PAN-OS® 8.1?

VM-300 Lite
VM-50 Lite
VM-200 Lite
VM-100 Lite

Mark for follow up

Question 42 of 45.

Which cloud computing platform provides shared resources, servers, and storage in a pay-as-you-
go model?

hybrid
community
private
public

Mark for follow up

Question 43 of 45.

Which cloud computing service model will enable an application developer to develop, manage,
and test their applications without the expense of purchasing equipment?

platform as a service
infrastructure as a service
software as a service
code as a service

Mark for follow up

Question 44 of 45.
Cloud security is a shared responsibility between the cloud provider and the customer. Which
security platform is the cloud provider responsible for?

encryption management
identity and access management
firewall and network traffic
foundation services

Mark for follow up

Question 45 of 45.

Which essential cloud characteristic is designed for applications that will be required to run on all
platforms including smartphones, tablets, and laptops?

measured services
on-demand self service
broad network access
rapid elasticity

Mark for follow up

- una regla de política de seguridad que se muestra en letra cursiva indica qué condición?
la regla está deshabilitada
- ¿un perfil de servidor permite que un cortafuegos ubique qué tipo de servidor?
un servidor con cuentas de usuario remotas
- ¿Se puede adjuntar un perfil de gestión de interfaz a los dos tipos de interfaz?
loopback
capa 3
- La aplicación ID que se ejecuta en un cortafuegos identifica las aplicaciones utilizando tres
métodos:
Heurística del programa
Firmas de aplicaciones
Decodificadores de protocolo conocidos
- ¿Se pueden habilitar las páginas de páginas de bloques de aplicaciones para qué
aplicaciones?
basado en nosotros
- Debido a que un firewall examina cada paquete en una sesión, ¿un firewall puede detectar
la aplicación?
turnos
- ¿Para qué función de cortafuegos debe crear confianza de reenvío y reenviar certificados
no confiables?
Descifrado proxy proxy SSL

- Si hay una discrepancia en la configuración de HA entre los firewalls durante la

negociación entre pares, ¿en qué estado ingresará el firewall pasivo?
No funcional