1Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto

Networks firewall?
To pull info from other NW resources for USER-ID

2After the installation of a new version of PAN-OS, the firewall must be rebooted.
True

3The "Disable Server Response Inspection" option on a Security Profile

Internal Trusted Server

4Which pre-defined Admin Role has all rights except the rights to create administrative accounts and
virtual systems?
Device Admin

5Which of the following statements is NOT True about Palo Alto Networks firewalls?
The Admin account may be disabled

6In Palo Alto Networks terms, an application is:

A specific program detected within an identified stream that can be detected, monitored and/or blocked

7Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based
(customized user roles) for Administrator Accounts.
True

8When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of
evaluation within a profile is:
Block list, Allow list, Custom Cat, Cache files, Loc URL DB

9When configuring Admin Roles for Web UI access, what are the available access levels?
Enable, RO & Disable

10What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
First match applied

11Which of the following is NOT a valid option for built-in CLI Admin roles?
Read/Write

12Can multiple administrator accounts be configured on a single firewall?

Yes

13Which of the following CANNOT use the source user as a match criterion?
AV profile

14When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can
be configured?
100

15After the installation of the Threat Prevention license, the firewall must be rebooted.
False

16In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
Sec Policies

17What is the function of the GlobalProtect Portal?

To maintain list of Glob Prot GWs & specify HIP data that the agent should report

18When configuring User-ID on a Palo Alto Networks firewall, what is the proper procedure to limit User
mappings to a particular DHCP scope?
In the Zone in which UID is enabled, create a UID ACL Include list using same IP ranges as allocated in
DHCP scope

19A "Continue" action can be configured on which of the following Security Profiles?
URL filtering & File Blocking

20What will the user experience when attempting to access a blocked hacking website through a
translation service such as Google Translate or Bing Translator?
A Blocked page response when the URL filt policy to block is enf

21Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal
servers private IP address. Which IP address should the Security Policy use as the "Destination IP" in
order to allow traffic to the server?
The Server's Pub IP

22Which of the following facts about dynamic updates is correct?

AV daily. App & Threat updates weekly

23What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off
communication?
Local Loop add

24When you have created a Security Policy Rule that allows Facebook, what must you do to block all other
web-browsing traffic?
Nothing

25Which of the following are necessary components of a GlobalProtect solution?

GP GW , GP Agent, GP Portal

26-

Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
SSH & BitTorrent

27Which of the following platforms supports the Decryption Port Mirror function?
PA-3000

28When Destination Network Address Translation is being performed, the destination in the corresponding
Security Policy Rule should use:
Post-NAT Dest zone & Post-NAT IP
29In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding
Rule? (Choose 3.)
Source User, Source Zone, App
30Which type of license is required to perform Decryption Port Mirroring?
Free PAN-PA decrypt
31An interface in tap mode can transmit packets on the wire.
False
32Which of the following interface types can have an IP address assigned to it? (Select all correct answers.)
L3
33Which statement about config locks is True?
Admin who set it OR SuperUser
34Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv2
35Which link is used by an Active/Passive cluster to synchronize session information?
Data Link
36Which of the following must be enabled in order for User-ID to function?
UID must be enabled for Src zone of the traffic that is to be identified
37Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
Next available IP in the configured pool is used but Src port unchanged

38A Config Lock may be removed by which of the following users? (Select all correct answers.)
The Admin who set it & SuperUser
39Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security
Policies. (Choose all rules that are correct.)
Intra-zone allowed
Inter-zone denied
40Enabling "Highlight Unused Rules" in the Security Policy window will:
High all rules that have not matched traffic since Rule was created or last Reboot of FW
41Which statement below is True?
PAN-OS uses PAN-DB as Def URL filt DB but supports BrightCloud
42Both SSL decryption and SSH decryption are disabled by default.
True
43When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements
is True?
The FW resolves FQDN when the policy is committed & resolves the FQDN again each time again at DNS TTL
expiration
44In a Destination NAT configuration, the Translated Address field may be populated with either an IP address
or an Address Object.
True
45Security policies specify a source interface and a destination interface.
False
46When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the
rule? (Choose 3 answers.)
Source User
Source Zone
URL cat

47When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Responding side System log
48What is the result of an Administrator submitting a WildFire reports verdict back to Palo Alto Networks as
Incorrect?
The sig will be updated for False + & F- files in next AV sig update
49An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
False
50Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted
WildFire virtualized sandbox?
PE files only
51Which of the following statements is NOT True about Palo Alto Networks firewalls?
The Admin account may be disabled
52In PAN-OS 6.0, rule numbers are:
Numbers that specify the order in which sec pol are evaluated
53In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True
54Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To
enable this feature within the GUI go to
Nw-NW prof-Zone protection
55Using the API in PAN-OS 6.0, WildFire subscribers can upload up to how many samples per day?
100
56All of the interfaces on a Palo Alto Networks device must be of the same interface type.
False

57The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Protection against unwanted dnlds by showing user response pg indic file is dnlding
58Color-coded tags can be used on all of the items listed below EXCEPT:
Vulnerability profs
59Will an exported configuration contain Management Interface settings?
Yes
60-

Taking into account only the information in the screenshot above, answer the following question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
SSH denied
BitTorrent allowed

61When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between 2 config files

62-

As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of
network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID
mapping while requiring the least effort to configure?
Exchange CAS sec logs

63The following can be configured as a next hop in a static route:

Virtual Router

64Which of the following options may be enabled to reduce heavy server load conditions when using ContentID?
DSRI
65What are two sources of information for determining whether the firewall has been successful in
communicating with an external User-ID Agent?
Sys Logs & Indicator light under UID agent settings in the FW
66As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not
knowing they are attempting to access a blocked web-based application, users call the Help Desk to
complain about network connectivity issues. What is the cause of the increased number of help desk calls?
The FW admin didnt create custom response pg to notify potential users that their attempt to access the
Web based app is blocked due to policy
67After the installation of a new Application and Threat database, the firewall must be rebooted.
False
68-

Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
SSH & BitTorrent

69An interface in Virtual Wire mode must be assigned an IP address.

False

70What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Configurable upto 10 MB
71Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryp Prof in Decryp Pol
72Which of the following search engines are supported by the "Safe Search Enforcement" option? (Select all
correct answers.)
Yahoo Google Bing
73Which of the following statements is NOT True regarding a Decryption Mirror interface?
Can be a member of any Vsys
74Which mode will allow a user to choose when they wish to connect to the Global Protect Network?
On demand mode
75-

Which of the following describes the sequence of the GlobalProtect Agent connecting to a GlobalProtect
Gateway?
Fastest SSL response time

76Which of the following are methods that HA clusters use to identify network outages?

Path & Link monitoring

77Which of the following is True of an application filter?

An application filter automatically includes a new application when one of the new applications characteristics are
included in the filter.

78When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2
tunneling in policies by specifying the SSH-tunnel App-ID?
SSH proxy

79In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router

80What will be the user experience when the safe search option is NOT enabled for Google search but the
firewall has "Safe Search Enforcement" Enabled?

A block page will be presented with instructions on how to set strict Safe Search for Google.

81User-ID is enabled in the configuration of

A Zone