Академический Документы
Профессиональный Документы
Культура Документы
Paloalto Networks
Exam PCNSE6
Palo Alto Networks Certified Network Security Engineer 6.0
Version: 6.1
Question No : 2
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the
Candidate configuration. These changes may be undone by Device > Setup > Operations
>
Configuration Management>....and then what operation?
A. Revert to Running Configuration
B. Revert to last Saved Configuration
C. Load Configuration Version
D. Import Named Configuration Snapshot
Answer: A
Question No : 3 HOTSPOT
A company has a Palo Alto Networks firewall with a single VSYS that has both locally
defined rules as well as shared and device-group rules pushed from Panorama.
In what order are the policies evaluated?
Which NAT Policy rule will allow users outside the company to access the web server?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Question No : 5
Wildfire may be used for identifying which of the following types of traffic?
A. URL content
B. DHCP
C. DNS
D. Viruses
Answer: D
Question No : 6
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the "Forward" and "Continue and Forward" File-Blocking actions
B. A custom file blocking action must be enabled for all PDF and PE type files
C. Wildfire is automatically enabled with a valid URL-Filtering license
D. Via the URL-Filtering "Continue" Action.
Answer: A
Question No : 7
The IT department has received complaints about VoIP call jitter when the sales staff is
making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS
policy written in the rulebase. The IT manager wants to find out what traffic is causing the
jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real-time, the applications taking up the most
bandwidth?
A. Application Command Center (ACC)
B. QoS Statistics
C. QoS Log
D. Applications Report
Answer: A
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
Question No : 8
Which two steps are required to make Microsoft Active Directory users appear in the
firewalls traffic log? Choose 2 answers
Question No : 9
Administrative Alarms can be enabled for which of the following except?
A. Certificate Expirations
B. Security Violation Thresholds
C. Security Policy Tags
D. Traffic Log capacity
Answer: A
Question No : 10
Where in the firewall GUI can an administrator see how many sessions of web-browsing
traffic have occurred in the last day?
A. Monitor->Session Browser
B. Monitor->App Scope->Summary
C. Objects->Applications->web-browsing
D. ACC->Application
Answer: D
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
Question No : 11
Question No : 12
Which of the following would be a reason to use an XML API to communicate with a Palo
Alto Networks firewall?
A. So that information can be pulled from other network resources for User-ID
B. To allow the firewall to push UserID information to a Network Access Control (NAC)
device.
C. To permit sys logging of User Identification events
Answer: B
Question No : 13
When Network Address Translation has been performed on traffic, Destination Zones in
Security rules should be based on:
A. Post-NAT addresses
B. The same zones used in the NAT rules
C. Pre-NAT addresses
D. None of the above
Answer: A
Question No : 14
Two firewalls are configured in an Active/Passive High Availability (HA) pair with the
A Composite Solution With Just One Click - Certification Guaranteed
Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive"
state. Firewall 5050-B reboots causing 5050-A to become Active.
Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and
is back online?
A. Both firewalls are active (split brain)
B. Firewall 5050-B
C. Firewall 5050-A
D. It could be either firewall
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-2926
Question No : 15
Which three engines are built into the Single-Pass Parallel Processing Architecture?
Choose 3 answers
A. Application Identification (App-ID)
B. Group Identification (Group-ID)
C. User Identification (User-ID)
D. Threat Identification (Threat-ID)
E. Content Identification (Content-ID)
Answer: A,C,E
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page
5
Question No : 16
In an Anti-Virus profile, changing the action to Block for IMAP or POP decoders will result
in the following:
A. The connection from the server will be reset
B. The Anti-virus profile will behave as if Alert had been specified for the action
C. The traffic will be dropped by the firewall
D. Error 541 being sent back to the server
Answer: B
Question No : 17
Subsequent to the installation of new licenses, the firewall must be rebooted
A. True
B. False
Answer: B
Question No : 18
When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best
answer
A. To maintain the list of remote GlobalProtect Portals and list of categories for checking
the client machine
B. To maintain the list of GlobalProtect Gateways and list of categories for checking the
client machine
C. To load balance GlobalProtect client connections to GlobalProtect Gateways
D. None of the above
Answer: B
10
Question No : 19
Can multiple administrator accounts be configured on a single firewall?
A. Yes
B. No
Answer: A
Question No : 20
Taking into account only the information in the screenshot above, answer the following
question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs
to be configured? Select all that apply.
A. Security policy from trust zone to Internet zone that allows ping
B. Create the appropriate routes in the default virtual router
C. Security policy from Internet zone to trust zone that allows ping
D. Create a Management profile that allows ping. Assign that management profile to e1/1
and e1/2
Answer: A,D
Question No : 21
A firewall administrator is troubleshooting problems with traffic passing through the Palo
Alto Networks firewall.
11
Question No : 22
Which feature can be configured with an IPv6 address?
A. Static Route
B. RIPv2
C. DHCP Server
D. BGP
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-5493
Question No : 23
When creating an application filter, which of the following is true?
A. They are used by malware
B. Excessive bandwidth may be used as a filter match criteria
C. They are called dynamic because they automatically adapt to new IP addresses
D. They are called dynamic because they will automatically include new applications from
an application signature update if the new application's type is included in the filter
Answer: D
12
Question No : 25
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by
A. Configuring a corresponding HA4 interface
B. Configuring HA3 as an Aggregate Ethernet bundle
C. Configuring multiple HA3 interfaces
D. Configuring HA3 in a redundant group
Answer: B
Question No : 26
A Palo Alto Networks firewall has the following interface configuration;
13
Which interface configuration change should be applied to ethernet1/6 to allow the two
hosts to communicate based on this information?
A. Change the Management Profile.
B. Change the security policy to explicitly allow ICMP on this interface.
C. Change the configured zone to DMZ.
D. Change the Virtual Router setting to VR1.
Answer: D
14
Question No : 28
Which three processor types are found on the data plane of a PA-5050? Choose 3 answers
A. Multi-Core Security Processor
B. Signature Match Processor
C. Network Processor
D. Protocol Decoder Processor
E. Management Processor
Answer: A,B,C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page
8
Question No : 29
What happens at the point of Threat Prevention license expiration?
A. Threat Prevention no longer updated; existing database still effective
B. Threat Prevention is no longer used; applicable traffic is allowed
C. Threat Prevention no longer used; applicable traffic is blocked
A Composite Solution With Just One Click - Certification Guaranteed
15
Question No : 30
Wildfire may be used for identifying which of the following types of traffic?
A. Malware
B. DNS
C. DHCP
D. URL Content
Answer: A
Question No : 31
A company has purchased a WildFire subscription and would like to implement dynamic
updates to download the most recent content as often as possible.
What is the shortest time interval the company can configure their firewall to check for
WildFire updates?
A. Every 24 hours
B. Every 30 minutes
C. Every 15 minutes
D. Every 1 hour
E. Every 5 minutes
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/wildfire/WF_Admin/section_1.pdf page 11
Question No : 32
A Composite Solution With Just One Click - Certification Guaranteed
16
Question No : 33
As the Palo Alto Networks administrator responsible for User Identification, you are looking
for the simplest method of mapping network users that do not sign into LDAP. Which
information source would allow reliable User ID mapping for these users, requiring the least
amount of configuration?
A. WMI Query
B. Exchange CAS Security Logs
C. Captive Portal
D. Active Directory Security Logs
Answer: C
Question No : 34
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure
that no other web-browsing traffic is permitted?
A. Ensure that the Service column is defined as "application-default" for this security rule.
This will automatically include the implicit web-browsing application dependency.
B. Create a subsequent rule which blocks all other traffic
C. When creating the rule, ensure that web-browsing is added to the same rule. Both
applications will be processed by the Security policy, allowing only Facebook to be
accessed. Any other applications can be permitted in subsequent rules.
D. No other configuration is required on the part of the administrator, since implicit
application dependencies will be added automaticaly.
17
Question No : 35
After migrating from an ASA firewall, the VPN connection between a remote network and
the Palo Alto Networks firewall is not establishing correctly. The following entry is
appearing in the logs:
pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Firewall to resolve this error message?
A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/panos/vpns/interpret-vpn-error-messages.html
Question No : 36
Which best describes how Palo Alto Networks firewall rules are applied to a session?
A. last match applied
B. first match applied
C. all matches applied
D. most specific match applied
Answer: B
Question No : 37
18
Question No : 38
Which of the following must be configured when deploying User-ID to obtain information
from an 802.1x authenticator?
A. Terminal Server Agent
B. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
C. A User-ID agent, with the "Use for NTLM Authentication" option enabled.
D. XML API for User-ID Agent
Answer: D
Question No : 39
Users can be authenticated serially to multiple authentication servers by configuring:
A. Multiple RADIUS Servers sharing a VSA configuration
B. Authentication Sequence
C. Authentication Profile
D. A custom Administrator Profile
Answer: B
19
Question No : 41
Which of the following must be enabled in order for UserID to function?
A. Captive Portal Policies must be enabled.
B. UserID must be enabled for the source zone of the traffic that is to be identified.
C. Captive Portal must be enabled.
D. Security Policies must have the UserID option enabled.
Answer: B
Question No : 42
What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering
Database (PAN-DB)?
A. The "Log Container Page Only" option can be employed in a URL-Filtering policy to
reduce the number of logging events.
B. URL-Filtering can now be employed as a match condition in Security policy
C. IP-Based Threat Exceptions can now be driven by custom URL categories
D. Daily database downloads for updates are no longer required as devices stay in-sync
with the cloud.
Answer: D
20
Question No : 44
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
A. Security, NAT, Policy-Based Forwarding
B. Intrazone, Interzone, Global
C. Intrazone, Interzone, Universal
D. Application, User, Content
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf page 18-19
Question No : 45
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall
administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's
traffic logs.
What could be the problem?
21
Question No : 46
WildFire Analysis Reports are available for the following Operating Systems (select all that
apply)
A. Windows XP
B. Windows 7
C. Windows 8
D. Mac OS-X
Answer: A,B,C
Question No : 47
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being
flooded with tens of thousands of bogus UDP connections per second to a single
destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without
dropping legitimate traffic to other hosts inside the network?
A. Zone Protection Policy with UDP Flood Protection
B. Classified DoS Protection Policy using destination IP only with a Protect action
C. QoS Policy to throttle traffic below maximum limit
D. Security Policy rule to deny traffic to the IP address and port that is under attack
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-1746
22
23
Question No : 49
Which of the following describes the sequence of the Global Protect agent connecting to a
Gateway?
A. The Agent connects to the Portal obtains a list of Gateways, and connects to the
Gateway with the fastest SSL response time
B. The agent connects to the closest Gateway and sends the HIP report to the portal
C. The agent connects to the portal, obtains a list of gateways, and connects to the
gateway with the fastest PING response time
D. The agent connects to the portal and randomly establishes a connection to the first
available gateway
Answer: A
Question No : 50
A network administrator uses Panorama to push security policies to managed firewalls at
branch offices.
Which policy type should be configured on Panorama if the administrator wishes to allow
local administrators at the branch office sites to override these policies?
A. Implicit Rules
B. Post Rules
C. Default Rules
D. Pre Rules
Answer: D
Question No : 51
The "Disable Server Return Inspection" option on a security profile:
A. Can only be configured in Tap Mode
24
Question No : 52
What is the default setting for 'Action' in a Decryption Policy's rule?
A. No-decrypt
B. Decrypt
C. Any
D. None
Answer: D
Question No : 53
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2
answers
A. Virtual Wire
B. Loopback
C. Tunnel
D. Layer3
Answer: B,D
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf page
10
Question No : 54
25
Question No : 55
In order to route traffic between layer 3 interfaces on the PAN firewall you need:
A. VLAN
B. Vwire
C. Security Profile
D. Virtual Router
Answer: A
Question No : 56
Which URL Filtering Security Profile action logs the URL Filtering category to the URL
Filtering log?
A. Allow
B. Alert
C. Log
D. Default
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/urlfiltering/configure-url-filtering.html
Question No : 57
A Composite Solution With Just One Click - Certification Guaranteed
26
Question No : 58
When configuring Admin Roles for Web UI access, what are the available access levels?
A. Enable and Disable only
B. None, Superuser, Device Administrator
C. Allow and Deny only
D. Enable, Read-Only and Disable
Answer: D
Question No : 59
Which of the following objects cannot use User-ID as a match criteria?
A. Security Policies
B. QoS
C. Policy Based Forwarding
D. DoS Protection
E. None of the above
Answer: E
Question No : 60
A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security
A Composite Solution With Just One Click - Certification Guaranteed
27
Question No : 61
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto
Networks security services? Choose 2 answers
A. Threat Prevention
B. App-ID
C. URL Filtering
D. PAN-OS
E. GlobalProtect Data File
Answer: A,E
Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html
Question No : 62
When an interface is in Tap mode and a policy action is set to block, the interface will send
a TCP reset.
A. True
B. False
Answer: B
Question No : 63
28
Question No : 64
What will the user experience when browsing a Blocked hacking website such as
www.2600.com via Google Translator?
A. The URL filtering policy to Block is enforced
B. It will be translated successfully
C. It will be redirected to www.2600.com
D. User will get "HTTP Error 503 - Service unavailable" message
Answer: A
Question No : 65
Palo Alto Networks maintains a dynamic database of malicious domains. Which two
Security Platform components use this database to prevent threats? Choose 2 answers
A. Brute-force signatures
B. DNS-based command-and-control signatures
C. PAN-DB URL Filtering
D. BrightCloud URL Filtering
Answer: B,C
Reference: https://www.paloaltonetworks.com/products/features/apt-prevention.html
29
A. BitTorrent
B. Gnutella
C. Skype
D. SSH
Answer: A,D
Question No : 67
What is the correct policy to most effectively block Skype?
A. Allow Skype, block Skype-probe
B. Allow Skype-probe, block Skype
C. Block Skype-probe, block Skype
D. Block Skype
Answer: A
Question No : 68
Which one of the options describes the sequence of the GlobalProtect agent connecting to
a Gateway?
A. The agent connects to the portal, obtains a list of the Gateways, and connects to the
Gateway with the fastest SSL connect time
A Composite Solution With Just One Click - Certification Guaranteed
30
Question No : 69
For non-Microsoft clients, what Captive Portal method is supported?
A. NTLM Auth
B. User Agent
C. Local Database
D. Web Form Captive Portal
Answer: D
Question No : 70
A network engineer experienced network reachability problems through the firewall. The
routing table on the device is complex. To troubleshoot the problem the engineer ran a
Command Line Interface (CLI) command to determine the egress interface for traffic
destined to 98.139.183.24. The command resulted in the following output:
31
Question No : 71
In the following display, ethernetl/6 is configured with an interface management profile that
allows ping with no restriction on the source address:
What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of
ethernet1/6?
A. The firewall will send an ICMP redirect message to the client.
B. The client will receive an ICMP "destination unreachable" packet.
C. The interface will respond.
D. The traffic will be dropped by the firewall.
Answer: D
Question No : 72
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the URL-Filtering "Continue" Action
B. Wildfire is automaticaly enabled with a valid URL-Filtering license
C. A custom file blocking action must be enabled for all PDF and PE type files
A Composite Solution With Just One Click - Certification Guaranteed
32
Question No : 73
What is the maximum usable storage capacity of an M-100 appliance?
A. 2TB
B. 4TB
C. 6TB
D. STB
Answer: B
Reference:
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set
-up-panorama/set-up-the-m-100-appliance.html
Question No : 74
Traffic going to a public IP address is being translated by your PANW firewall to your web
server's private IP. Which IP should the Security Policy use as the "Destination IP" in order
to allow traffic to the server.
A. The servers public IP
B. The firewalls gateway IP
C. The servers private IP
D. The firewalls MGT IP
Answer: A
Question No : 75
Which fields can be altered in the default Vulnerability profile?
33
Question No : 76
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the
certificate sent by the firewall to the client be when doing SSL Decryption?
A. 512 bits
B. 1024 bits
C. 2048 bits
D. 4096 bits
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/panos/newfeaturesguide/management-features/configurable-key-size-for-ssl-forward-proxyserver-certificates.html
Question No : 77
A "Continue" action can be configured on the following Security Profiles:
A. URL Filtering, File Blocking, and Data Filtering
B. URL Filteringn
C. URL Filtering and Antivirus
D. URL Filtering and File Blocking
Answer: D
Question No : 78
34
Question No : 79
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the
public IP address of the device. In situations where the public ID is not static, this value can
be replaced with a domain name or other text value
A. True
B. False
Answer: A
Question No : 80
To create a custom signature object for an Application Override Policy, which of the
following fields are mandatory?
A. Category
B. Regular Expressions
C. Ports
D. Characteristics
Answer: D
Question No : 81 HOTSPOT
Match the components with their role in preventing threats.
Answer options may be used more than once or not at all.
A Composite Solution With Just One Click - Certification Guaranteed
35
Answer:
Question No : 82
Which method is the most efficient for determining which administrator made a specific
A Composite Solution With Just One Click - Certification Guaranteed
36
Question No : 83
What option should be configured when using User-ID
A. Enable User-ID per zone
B. Enable User-ID per interface
C. Enable User-ID per Security Policy
D. None of the above
Answer: C
Question No : 84
What built-in administrator role allows all rights except for the creation of administrative
accounts and virtual systems?
A. superuser
B. vsysadmin
C. A custom role is required for this level of access
D. deviceadmin
Answer: D
Question No : 85
37
38
Question No : 86
Which mechanism is used to trigger a High Availability (HA) failover if a firewall interface
goes down?
A. Link Monitoring
B. Heartbeat Polling
C. Preemption
D. SNMP Polling
Answer: A
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 130
Question No : 87
A security engineer has been asked by management to optimize how Palo Alto Networks
firewall syslog messages are forwarded to a syslog receiver. There are currently 20 PA5060 s, each of which is configured to forward syslogs individually.
The security engineer would like to leverage their two M-100 appliances to send syslog
messages from a single source and has already deployed one in Panorama mode and the
other as a Log Collector.
39
Question No : 88
What are two sources of information for determining if the firewall has been successful in
communicating with an external User-ID Agent?
A. System Logs and the indicator light under the User-ID Agent settings in the firewall
B. There's only one location - System Logs
C. There's only one location - Traffic Logs
D. System Logs and indicator light on the chassis
Answer: A
Question No : 89 HOTSPOT
Assuming that the default antivirus profile is installed, match each decoder with its default
action.
Answer options may be used more than once or not at all.
40
Answer:
41
Question No : 90
A company has a web server behind their Palo Alto Networks firewall that they would like to
make accessible to the public. They have decided to configure a destination NAT Policy
rule.
Given the following zone information:
DMZzone: DMZ-L3
Public zone: Untrust-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
A Composite Solution With Just One Click - Certification Guaranteed
42
Question No : 91
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off
communication?
A. MGT interface address
B. Loopback interface address
C. Any one Layer 3 interface address
D. Localhost address
Answer: B
Question No : 92
When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most
informative logs?
A. Responding side, Traffic Logs
B. Initiating side, Traffic Logs
C. Responding side, System Logs
D. Initiating side, System Logs
Answer: C
Question No : 93
Which three inspections can be performed with a next-generation firewall but NOT with a
A Composite Solution With Just One Click - Certification Guaranteed
43
Question No : 94
Which link is used by an Active-Passive cluster to synchronize session information?
A. The Data Link
B. The Control Link
C. The Uplink
D. The Management Link
Answer: A
Question No : 95
Which option allows an administrator to segrate Panorama and Syslog traffic, so that the
Management Interface is not employed when sending these types of traffic?
A. Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and
Syslog devices.
B. Define a Loopback interface for the Panorama and Syslog Devices
C. On the Device tab in the Web UI, create custom server profiles for Syslog and
Panorama
D. Service Route Configuration
Answer: D
Question No : 96
A Composite Solution With Just One Click - Certification Guaranteed
44
Question No : 97
By default, all PA-5060 syslog data is forwarded out the Management interface. What
needs to be configured in order to send syslog data out of a different interface?
A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the
same route.
B. Configure an Interface Management Profile and apply it to the interface that the syslogs
will be sent through.
C. Configure a Service Route for the Syslog service to use a dataplane interface.
D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/reportsand-logging/define-remote-logging-destinations.html
Question No : 98
A company has a policy that denies all applications they classify as bad and permits only
applications they classify as good. The firewall administrator created the following security
policy on the company s firewall:
45
Question No : 99
Which of the following options may be enabled to reduce system overhead when using
Content ID?
A. STP
B. VRRP
C. RSTP
D. DSRI
Answer: D
Question No : 100
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:
A. Password-protected access to specific file downloads, for authorized users increased
speed on the downloads of the allowed file types
B. Protection against unwanted downloads, by alerting the user with a response page
indicating that file is going to be downloaded
C. The Administrator the ability to leverage Authentication Profiles in order to protect
against unwanted downloads
Answer: C
Question No : 101
A Composite Solution With Just One Click - Certification Guaranteed
46
Question No : 102
Which authentication method can provide role-based administrative access to firewalls
running PAN-OS?
A. LDAP
B. Certificate-based authentication
C. Kerberos
D. RADIUS with Vendor Specific Attributes
Answer: D
Question No : 103
A company is in the process of upgrading their existing Palo Alto Networks firewalls from
version 6.1.0 to 6.1.1.
Which three methods can the firewall administrator use to install PAN-OS 6.1.1 across the
enterprise? Choose 3 answers
A. Push the PAN-OS 6.1.1 updates from the support site to install on each firewall.
B. Download PAN-OS 6.1.1 files from the support site and install them on each firewall
after manually uploading.
C. Download PAN-OS 6.1.1 to a USB drive and the firewall will automatically update after
the USB drive is inserted in the firewall.
D. Push the PAN-OS 6.1.1 update from one firewall to all of the other remaining after
updating one firewall.
E. Download and push PAN-OS 6.1.1 from Panorama to each firewall.
A Composite Solution With Just One Click - Certification Guaranteed
47
Question No : 104
How do you limit the amount of information recorded in the URL Content Filtering Logs?
A. Enable DSRI
B. Disable URL packet captures
C. Enable URL log caching
D. Enable Log container page only
Answer: D
Question No : 105
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
A. Dynamic numbers that refer to a security policys order and are especially useful when
filtering security policies by tags
B. Numbers referring to when the security policy was created and do not have a bearing on
the order of policy enforcement
C. Static numbers that must be manually re-numbered whenever a new security policy is
added
Answer: A
Question No : 106
Which mode will allow a user to choose how they wish to connect to the GlobalProtect
Network as they would like?
A. Single Sign-On Mode
A Composite Solution With Just One Click - Certification Guaranteed
48
Question No : 107
A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption
capabilities.
A. True
B. False
Answer: B
Question No : 108
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect
when the Connect Method is set to "pre-logon"?
A. Certificate Revocation List
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/globalprotect/Global_Protect_6.0.pdf page 12.
Question No : 109
A company wants to run their pair of PA-200 firewalls in a High Availability Active/Passive
configuration and will be using HA-Lite.
49
Question No : 110
When configuring Security rules based on FQDN objects, which of the following statements
are true?
A. The firewall resolves the FQDN first when the policy is committed, and is refreshed each
time Security rules are evaluated.
B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at
TTL expiration. There is no limit on the number of IP addresses stored for each resolved
FQDN.
C. In order to create FQDN-based objects, you need to manually define a list of associated
IP. Up to 10 IP addresses can be configured for each FQDN entry.
D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at
TTL expiration. The resolution of this FQDN stores up to 10 different IP addresses.
Answer: C
Question No : 111
Which routing protocol is supported on the Palo Alto Networks platform?
A. BGP
B. RSTP
C. ISIS
D. RIPv1
Answer: A
50
Question No : 112
Which two statements are true about DoS Protection Profiles and Policies? Choose 2
answers
A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone
basis, regardless of interface(s). They provide reconnaissance protection against TCP/UDP
port scans and host sweeps.
B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They
provide resource protection by limiting the number of sessions that can be used.
C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force
methods, amplification, spoofing, and other vulnerabilities.
D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing
"random early drop".
Answer: B,D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/7158-102-325328/Application%20DDoS%20Mitigation.pdf page 4
Question No : 113
To properly configure DOS protection to limit the number of sessions individually from
specific source IPs you would configure a DOS Protection rule with the following
characteristics:
A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified
Address with "source-ip-only" configured
B. Action: Deny, Aggregate Profile with "Resources Protection" configured
C. Action: Protect, Aggregate Profile with "Resources Protection" configured
D. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified
Address with "source-ip-only" configured
Answer: A
Question No : 114
A Composite Solution With Just One Click - Certification Guaranteed
51
Question No : 115
An Outbound SSL forward-proxy decryption rule cannot be created using which type of
zone?
A. Virtual Wire
B. Tap
C. L3
D. L2
Answer: A
Question No : 116
A security architect has been asked to implement User-ID in a MacOS environment with no
enterprise email, using a Sun LDAP server for user authentication.
In this environment, which two User-ID methods are effective for mapping users to IP
addresses? Choose 2 answers
A. Terminal Server Agent
B. Mac OS Agent
C. Captive Portal
D. GlobalProtect
Answer: C,D
Question No : 117
52
Question No : 118
In PANOS 6.0, rule numbers are:
A. Numbers that specify the order in which security policies are evaluated.
B. Numbers created to be unique identifiers in each firewalls policy database.
C. Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in
conflict.
D. Numbers created to make it easier for users to discuss a complicated or difficult
sequence of rules.
Answer: A
53
Answer:
Question No : 120
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Global Protect
B. URL Filtering
C. Antivirus
D. Applications and Threats
A Composite Solution With Just One Click - Certification Guaranteed
54
Question No : 121
What is a prerequisite for configuring a pair of Palo Alto Networks firewalls in an
Active/Passive High Availability (HA) pair?
A. The peer HA1 IP address must be the same on both firewalls.
B. The management interfaces must be on the same network.
C. The firewalls must have the same set of licenses.
D. The HA interfaces must be directly connected to each other.
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 134
Question No : 122
Both SSL decryption and SSH decryption are disabled by default.
A. True
B. False
Answer: A
Question No : 123
Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning
a Palo Alto Networks firewall for multiple virtual systems?
A. In the GUI under Network->Global Protect->Gateway->Vsys2
B. In the GUI under Device->Setup->Session->Session Settings
C. In the GUI under Device->Virtual Systems->Vsys2->Resource
D. In the GUI under Network->Global Protect->Portal->Vsys2
55
Question No : 124
When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a
dependency Application need to also be enabled if the application does not employ HTTP,
SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS.
A. Yes
B. No
Answer: A
Question No : 125
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and RoleBased (customized user roles)
A. True
B. False
Answer: A
Question No : 126
Which fields can be altered in the default Vulnerability Protection Profile?
A. Category
B. Severity
C. None
Answer: C
56
Question No : 127
Which of the following types of protection are available in DoS policy?
A. Session Limit, SYN Flood, UDP Flood
B. Session Limit, Port Scanning, Host Swapping, UDP Flood
C. Session Limit, SYN Flood, Host Swapping, UDP Flood
D. Session Limit, SYN Flood, Port Scanning, Host Swapping
Answer: A
Question No : 128
Select the implicit rules enforced on traffic failing to match any user defined Security
Policies:
A. Intra-zone traffic is denied
B. Inter-zone traffic is denied
C. Intra-zone traffic is allowed
D. Inter-zone traffic is allowed
Answer: B,C
Question No : 129
In PAN-OS 5.0, which of the following features is supported with regards to IPv6?
A. OSPF
B. NAT64
C. IPSec VPN tunnels
D. None of the above
Answer: B
57
Question No : 131
Which of the following interfaces types will have a MAC address?
A. Layer 3
B. Tap
C. Vwire
D. Layer 2
Answer: D
Question No : 132
Given the following routing table:
Which configuration change on the firewall would cause it to use 10.66.24.88 as the
A Composite Solution With Just One Click - Certification Guaranteed
58
Question No : 133
What is the name of the debug save file for IPSec VPN tunnels?
A. set vpn all up
B. test vpn ike-sa
C. request vpn IPsec-sa test
D. Ikemgr.pcap
Answer: D
Question No : 134
Which of the following fields is not available in DoS policy?
A. Destination Zone
B. Source Zone
C. Application
D. Service
Answer: C
Question No : 135
59
Question No : 136
Will an exported configuration contain Management Interface settings?
A. Yes
B. No
Answer: A
Question No : 137
What has happened when the traffic log shows an internal host attempting to open a
session to a properly configured sinkhole address?
A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server.
B. The internal host attempted to use DNS to resolve a known malicious domain into an IP
address.
C. A rogue DNS server is now using the sinkhole address to direct traffic to a known
malicious domain.
D. A malicious domain is trying to contact an internal DNS server.
Answer: B
Reference: https://www.paloaltonetworks.jp/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/pan-os/NewFeaturesGuide.pdf page 14
60
Answer:
61
Question No : 139
As the Palo Alto Networks administrator, you have enabled Application Block pages.
Afterward, some users do not receive web-based feedback for all denied applications. Why
would this be?
A. Some users are accessing the Palo Alto Networks firewall through a virtual system that
does not have Application Block pages enabled.
B. Application Block Pages will only be displayed when Captive Portal is configured
C. Some Application ID's are set with a Session Timeout value that is too low.
D. Application Block Pages will only be displayed when users attempt to access a denied
web-based application.
62
Question No : 140
When Destination Network Address Translation is being performed, the destination in the
corresponding Security Policy Rule should use:
A. The PostNAT destination zone and PostNAT IP address.
B. The PreNAT destination zone and PreNAT IP address.
C. The PreNAT destination zone and PostNAT IP address.
D. The PostNAT destination zone and PreNAT IP address.
Answer: D
Question No : 141
When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2
mode, security policies can be set to match on multicast IP addresses.
A. True
B. False
Answer: B
Question No : 142
A firewall is being attacked with a port scan. Which component can prevent this attack?
A. DoS Protection
B. Anti-Spyware
C. Vulnerability Protection
D. Zone Protection
Answer: D
Reference: https://live.paloaltonetworks.com/docs/DOC-4501
63
Question No : 143
How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone.
B. It is used for Captive Portal to identify unknown users.
C. It is used when web servers request a client certificate.
D. It is the issuer for an external certificate which is not trusted by the firewall.
Answer: D
Question No : 144
A hotel chain is using a system to centrally control a variety of items in guest rooms. The
client devices in each guest room communicate to the central controller using TCP and
frequently disconnect due to a premature timeouts when going through a Palo Alto
Networks firewall.
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom
application.
C. Create an application with a specified TCP timeout and assign traffic to it with an
application override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom
application.
Answer: C
Question No : 145
You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a
specific file type, and there is a specific application that you want to match in the policy.
64
Question No : 146
Youd like to schedule a firewall policy to only allow a certain application during a particular
time of day. Where can this policy option be configured?
A. Policies > Security > Service
B. Policies > Security > Options
C. Policies > Security > Application
D. Policies > Security > Profile
Answer: D
Question No : 147
When employing the Brightcloud URL filtering database on the Palo Alto Networks
firewalls, the order of checking within a profile is:
A. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic
URL Filtering
B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic
URL Filtering
C. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories,
Predefined Categories
D. None of the above
A Composite Solution With Just One Click - Certification Guaranteed
65
Question No : 148
Which source address translation type will allow multiple devices to share a single
translated source address while using a single NAT Policy rule?
A. Dynamic IP and Port
B. Dynamic IP
C. Bi-directional
D. Static IP
Answer: A
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/panos/networking/nat.html
Question No : 149
A user complains that they are no longer able to access a needed work application after
you have implemented vulnerability and anti-spyware profiles. The user's application uses
a unique port. What is the most efficient way to allow the user access to this application?
A. Utilize an Application Override Rule, referencing the custom port utilzed by this
application. Application Override rules bypass all Layer 7 inspection, thereby allowing
access to this application.
B. In the Threat log, locate the event which is blocking access to the user's application and
create a IP-based exemption for this user.
C. In the vulnerability and anti-spyware profiles, create an application exemption for the
user's application.
D. Create a custom Security rule for this user to access the required application. Do not
apply vulnerability and anti-spyware profiles to this rule.
Answer: B
Question No : 150
A Composite Solution With Just One Click - Certification Guaranteed
66
Question No : 151
Which Security Policy rule configuration option disables antivirus and anti-spyware
scanning of server-to-client flows only?
A. Apply an Application Override Policy
B. Disable Server Response Inspection
C. Add server IP to Security Policy exception
D. Disable HIP Profile
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/gettingstarted/set-up-basic-security-policies.html
Question No : 152
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is
chosen on the firewall? (Select all correct answers.)
67
68
Answer:
69
70