
PCNSA

The document provides a comprehensive study guide for the PCNSA exam, including various topics related to Palo Alto Networks Security Operating Platform. It features multiple-choice questions, drag-and-drop exercises, and community vote distributions for each question, aimed at helping candidates prepare effectively. Additional resources such as a PDF study guide and video course are available for purchase.

Uploaded by

dhifallahali8
Copyright
© All Rights Reserved

Topic 1 - Single Topic
Q1 Topic 1

DRAG DROP -
Match the Palo Alto Networks Security Operating Platform architecture to its description.
Select and Place:

Answer:

Q2 Topic 1

Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting
functions on a separate processor?

 A. management
 B. network processing
 C. data
 D. security processing

Answer: A
Community vote distribution
A (100%)
Q3 Topic 1

A security administrator has configured App-ID updates to be automatically downloaded and
installed. The company is currently using an application identified by App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled
SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

 A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it
no longer matches the SuperApp-base application
 B. No impact because the apps were automatically downloaded and installed
 C. No impact because the firewall automatically adds the rules to the App-ID interface
 D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is
denied until the security administrator approves the applications

Answer: C

Community vote distribution


A (100%)
Q4 Topic 1

How many zones can an interface be assigned with a Palo Alto Networks firewall?

 A. two
 B. three
 C. four
 D. one

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-zones/security-zone-overview

Community vote distribution


D (83%)
C (17%)
Q5 Topic 1
Which two configuration settings shown are not the default? (Choose two.)

 A. Enable Security Log
 B. Server Log Monitor Frequency (sec)
 C. Enable Session
 D. Enable Probing

Answer: BC
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/enable-server-monitoring

Community vote distribution


BC (67%)
CD (22%)
11%
Q6 Topic 1
Which dataplane layer of the graphic shown provides pattern protection for spyware and
vulnerability exploits on a Palo Alto Networks Firewall?

 A. Signature Matching
 B. Network Processing
 C. Security Processing
 D. Data Interfaces

Answer: A

Community vote distribution


A (88%)
13%
Q7 Topic 1

Which option shows the attributes that are selectable when setting up application filters?

 A. Category, Subcategory, Technology, and Characteristic
 B. Category, Subcategory, Technology, Risk, and Characteristic
 C. Name, Category, Technology, Risk, and Characteristic
 D. Category, Subcategory, Risk, Standard Ports, and Technology

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-application-filters
Community vote distribution
B (100%)
Q8 Topic 1

Actions can be set for which two items in a URL filtering security profile? (Choose two.)

 A. Block List
 B. Custom URL Categories
 C. PAN-DB URL Categories
 D. Allow List

Answer: AD

Community vote distribution


BC (89%)
11%
Q9 Topic 1

DRAG DROP -
Match the Cyber-Attack Lifecycle stage to its correct description.
Select and Place:

Answer:

Q10 Topic 1

Which two statements are correct about App-ID content updates? (Choose two.)

 A. Updated application content might change how Security policy rules are enforced.
 B. After an application content update, new applications must be manually classified
prior to use.
 C. Existing security policy rules are not affected by application content updates.
 D. After an application content update, new applications are automatically identified and
classified.
Answer: CD

Community vote distribution


AD (91%)
9%
Q11 Topic 1

Which User-ID mapping method should be used for an environment with users that do not
authenticate to Active Directory?

 A. Windows session monitoring
 B. passive server monitoring using the Windows-based agent
 C. Captive Portal
 D. passive server monitoring using a PAN-OS integrated User-ID agent

Answer: C

Community vote distribution


C (100%)
Q12 Topic 1

An administrator needs to allow users to use their own office applications. How should the
administrator configure the firewall to allow multiple applications in a dynamic environment?

 A. Create an Application Filter and name it Office Programs, then filter it on the
business-systems category, office-programs subcategory
 B. Create an Application Group and add business-systems to it
 C. Create an Application Filter and name it Office Programs, then filter it on the
business-systems category
 D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre
Office

Answer: A

Community vote distribution


A (100%)
Q13 Topic 1

Which statement is true regarding a Best Practice Assessment?

 A. The BPA tool can be run only on firewalls
 B. It provides a percentage of adoption for each assessment area
 C. The assessment, guided by an experienced sales engineer, helps determine the areas of
greatest risk where you should focus prevention activities
 D. It provides a set of questionnaires that help uncover security risk prevention gaps
across all areas of network and security architecture
Answer: B
Reference:
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

Community vote distribution


B (100%)
Q14 Topic 1

Employees are shown an application block page when they try to access YouTube. Which
security policy is blocking the YouTube application?

 A. intrazone-default
 B. Deny Google
 C. allowed-security services
 D. interzone-default

Answer: D

Community vote distribution


D (88%)
13%
Q15 Topic 1

Choose the option that correctly completes this statement. A Security Profile can block or allow
traffic ____________.

 A. on either the data plane or the management plane.
 B. after it is matched by a security policy rule that allows traffic.
 C. before it is matched to a Security policy rule.
 D. after it is matched by a security policy rule that allows or blocks traffic.

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html

Community vote distribution


B (92%)
8%
Q16 Topic 1
When creating a Source NAT policy, which entry in the Translated Packet tab will display the
options Dynamic IP and Port, Dynamic, Static IP, and None?

 A. Translation Type
 B. Interface
 C. Address Type
 D. IP Address

Answer: A

Community vote distribution


A (100%)
Q17 Topic 1

Which interface does not require a MAC or IP address?

 A. Virtual Wire
 B. Layer3
 C. Layer2
 D. Loopback

Answer: A

Community vote distribution


A (100%)
Q18 Topic 1

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago.
Which utility should the company use to identify out-of-date or unused rules on the firewall?

 A. Rule Usage Filter > No App Specified
 B. Rule Usage Filter > Hit Count > Unused in 30 days
 C. Rule Usage Filter > Unused Apps
 D. Rule Usage Filter > Hit Count > Unused in 90 days

Answer: D
Community vote distribution
D (100%)
Q19 Topic 1

DRAG DROP -
Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
Select and Place:
Answer:

Q20 Topic 1

What are two differences between an implicit dependency and an explicit dependency in App-
ID? (Choose two.)

 A. An implicit dependency does not require the dependent application to be added in the
security policy
 B. An implicit dependency requires the dependent application to be added in the security
policy
 C. An explicit dependency does not require the dependent application to be added in the
security policy
 D. An explicit dependency requires the dependent application to be added in the security
policy
Answer: AD

Community vote distribution


AD (100%)
Q21 Topic 1

Recently changes were made to the firewall to optimize the policies and the security team wants
to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?

 A. At the CLI enter the command reset rules and press Enter
 B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
 C. Reboot the firewall
 D. Use the Reset Rule Hit Counter > All Rules option

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/creating-and-managing-policies

Community vote distribution


D (100%)
Q22 Topic 1

Which two App-ID applications will you need to allow in your Security policy to use facebook-
chat? (Choose two.)

 A. facebook
 B. facebook-chat
 C. facebook-base
 D. facebook-email

Answer: BC
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK

Community vote distribution


BC (100%)
Q23 Topic 1

Which User-ID agent would be appropriate in a network with multiple WAN links, limited
network bandwidth, and limited firewall management plane resources?

 A. Windows-based agent deployed on the internal network
 B. PAN-OS integrated agent deployed on the internal network
 C. Citrix terminal server deployed on the internal network
 D. Windows-based agent deployed on each of the WAN Links
Answer: A

Community vote distribution


A (75%)
D (25%)
Q24 Topic 1

Your company requires positive username attribution of every IP address used by wireless
devices to support a new compliance requirement. You must collect IP-to-user mappings as soon
as possible with minimal downtime and minimal configuration changes to the wireless devices
themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

 A. syslog
 B. RADIUS
 C. UID redistribution
 D. XFF headers

Answer: A

Community vote distribution


A (100%)
Q25 Topic 1

An administrator receives a global notification for a new malware that infects hosts. The
infection will result in the infected host attempting to contact a command-and-control (C2)
server.
Which two security profile components will detect and prevent this threat after the firewall's
signature database has been updated? (Choose two.)

 A. vulnerability protection profile applied to outbound security policies
 B. anti-spyware profile applied to outbound security policies
 C. antivirus profile applied to outbound security policies
 D. URL filtering profile applied to outbound security policies

Answer: BD
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/create-best-practice-security-profiles

Community vote distribution


BC (78%)
BD (22%)
Q26 Topic 1
At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to
an email?

 A. Delivery
 B. Reconnaissance
 C. Command and Control
 D. Exploitation

Answer: D

Community vote distribution


A (96%)
4%
Q27 Topic 1

Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the
User-ID agent

 A. 2-3-4-1
 B. 1-4-3-2
 C. 3-1-2-4
 D. 1-3-2-4

Answer: D

Community vote distribution


D (100%)
Q28 Topic 1

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services "Application defaults",
and action = Allow

 A. Destination IP: 192.168.1.123/24
 B. Application = "Telnet"
 C. Log Forwarding
 D. USER-ID = "Allow users in Trusted"

Answer: B

Community vote distribution


B (100%)
Q29 Topic 1

Based on the security policy rules shown, ssh will be allowed on which port?

 A. 80
 B. 53
 C. 22
 D. 23

Answer: C

Community vote distribution


C (100%)
Q30 Topic 1

Which license must an Administrator acquire prior to downloading Antivirus Updates for use
with the firewall?

 A. Threat Prevention
 B. WildFire
 C. Antivirus
 D. URL Filtering

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/install-content-and-software-updates.html
Community vote distribution
A (100%)
Q31 Topic 1

An administrator notices that protection is needed for traffic within the network due to malicious
lateral movement activity. Based on the image shown, which traffic would the administrator
need to monitor and block to mitigate the malicious activity?

 A. branch office traffic
 B. north-south traffic
 C. perimeter traffic
 D. east-west traffic

Answer: D

Community vote distribution


D (100%)
Q32 Topic 1

Given the topology, which zone type should zone A and zone B be configured with?

 A. Layer3
 B. Tap
 C. Layer2
 D. Virtual Wire

Answer: A

Community vote distribution


A (100%)
Q33 Topic 1

To use Active Directory to authenticate administrators, which server profile is required in the
authentication profile?

 A. domain controller
 B. TACACS+
 C. LDAP
 D. RADIUS

Answer: C

Community vote distribution


C (100%)
Q34 Topic 1

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

 A. Layer 2
 B. Tap
 C. Layer 3
 D. Virtual Wire

Answer: B

Community vote distribution


B (100%)
Q35 Topic 1

Which administrator type provides more granular options to determine what the administrator
can view and modify when creating an administrator account?

 A. Root
 B. Dynamic
 C. Role-based
 D. Superuser

Answer: C

Community vote distribution


C (100%)
Q36 Topic 1

Which administrator type utilizes predefined roles for a local administrator account?

 A. Superuser
 B. Role-based
 C. Dynamic
 D. Device administrator

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/get-started-with-the-cli/give-administrators-access-to-the-cli/administrative-privileges?PageSpeed=noscript

Community vote distribution


C (100%)
Q37 Topic 1

Which two security profile types can be attached to a security policy? (Choose two.)

 A. antivirus
 B. DDoS protection
 C. threat
 D. vulnerability

Answer: AD
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/security-profiles

Community vote distribution


AD (100%)
Q38 Topic 1

The CFO found a USB drive in the parking lot and decided to plug it into their corporate laptop.
The USB drive had malware on it that loaded onto their computer and then contacted a known
command and control (CnC) server, which ordered the infected machine to begin exfiltrating
data from the laptop.
Which security profile feature could have been used to prevent the communication with the CnC
server?

 A. Create an anti-spyware profile and enable DNS Sinkhole
 B. Create an antivirus profile and enable DNS Sinkhole
 C. Create a URL filtering profile and block the DNS Sinkhole category
 D. Create a security policy and enable DNS Sinkhole
Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile

Community vote distribution


A (100%)
Q39 Topic 1

Which user mapping method could be used to discover user IDs in an environment with multiple
Windows domain controllers?

 A. Active Directory monitoring
 B. Windows session monitoring
 C. Windows client probing
 D. domain controller monitoring

Answer: A

Community vote distribution


D (85%)
A (15%)
Q40 Topic 1

Which three statements describe the operation of Security policy rules and Security Profiles?
(Choose three.)

 A. Security policy rules are attached to Security Profiles.
 B. Security Profiles are attached to Security policy rules.
 C. Security Profiles should be used only on allowed traffic.
 D. Security policy rules inspect but do not block traffic.
 E. Security policy rules can block or allow traffic.

Answer: ABC

Community vote distribution


BCE (100%)
Q41 Topic 1
Given the image, which two options are true about the Security policy rules? (Choose two.)

 A. The Allow-Office-Programs rule is using an Application Filter.
 B. In the Allow-FTP policy, FTP is allowed using App-ID.
 C. The Allow-Office-Programs rule is using an Application Group.
 D. The Allow-Social-Media rule allows all of Facebook's functions.

Answer: BC

Community vote distribution


AD (100%)
Q42 Topic 1

Which type of Security policy rule would match traffic flowing between the Inside zone and
Outside zone, within the Inside zone, and within the Outside zone?

 A. global
 B. intrazone
 C. interzone
 D. universal

Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

Community vote distribution


D (100%)
Q43 Topic 1

Which Palo Alto Networks firewall security platform provides network security for mobile
endpoints by inspecting traffic deployed as internet gateways?

 A. GlobalProtect
 B. AutoFocus
 C. Aperture
 D. Panorama

Answer: A
Community vote distribution
A (100%)
Q44 Topic 1

Which two statements are correct regarding multiple static default routes when they are
configured as shown in the image? (Choose two.)

 A. Path monitoring does not determine if route is useable.
 B. Route with highest metric is actively used.
 C. Path monitoring determines if route is useable.
 D. Route with lowest metric is actively used.

Answer: CD

Community vote distribution


CD (100%)
Q45 Topic 1
Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run
malicious code against a targeted machine.

 A. Exploitation
 B. Installation
 C. Reconnaissance
 D. Act on Objective

Answer: A

Community vote distribution


A (100%)
Q46 Topic 1

Which file is used to save the running configuration with a Palo Alto Networks firewall?

 A. running-config.xml
 B. run-config.xml
 C. running-configuration.xml
 D. run-configuration.xml

Answer: A

Community vote distribution


A (100%)
Q47 Topic 1

In the example security policy shown, which two websites would be blocked? (Choose two.)

 A. LinkedIn
 B. Facebook
 C. YouTube
 D. Amazon

Answer: AB

Community vote distribution


AB (100%)
Q48 Topic 1

Which Palo Alto Networks component provides consolidated policy creation and centralized
management?

 A. GlobalProtect
 B. Panorama
 C. Prisma SaaS
 D. AutoFocus

Answer: B
Reference:
https://www.paloaltonetworks.com/resources/datasheets/panorama-centralized-management-datasheet

Community vote distribution


B (100%)
Q49 Topic 1

Which statement is true regarding a Prevention Posture Assessment?

 A. The Security Policy Adoption Heatmap component filters the information by device
groups, serial numbers, zones, areas of architecture, and other categories
 B. It provides a set of questionnaires that help uncover security risk prevention gaps
across all areas of network and security architecture
 C. It provides a percentage of adoption for each assessment area
 D. It performs over 200 security checks on Panorama/firewall for the assessment

Answer: B
Reference:
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

Community vote distribution


B (100%)
Q50 Topic 1

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an
integrated approach to prevent threats? (Choose five.)

 A. User identification
 B. Filtration protection
 C. Vulnerability protection
 D. Antivirus
 E. Application identification
 F. Anti-spyware

Answer: ACDEF

Community vote distribution


ACDEF (100%)
Q51 Topic 1

The PowerBall Lottery has reached a high payout amount and a company has decided to help
employee morale by allowing employees to check the number, but doesn't want to unblock the
gambling URL category.
Which two methods will allow the employees to get to the PowerBall Lottery site without the
company unlocking the gambling URL category? (Choose two.)

 A. Add all the URLs from the gambling category except powerball.com to the block list
and then set the action for the gambling category to allow.
 B. Manually remove powerball.com from the gambling URL category.
 C. Add *.powerball.com to the allow list
 D. Create a custom URL category called PowerBall and add *.powerball.com to the
category and set the action to allow.

Answer: CD

Community vote distribution


CD (100%)
Q52 Topic 1

Which service protects cloud-based applications such as Dropbox and Salesforce by
administering permissions and scanning files for sensitive information?

 A. Aperture
 B. AutoFocus
 C. Panorama
 D. GlobalProtect

Answer: A

Community vote distribution


A (100%)
Q53 Topic 1

An administrator receives a global notification for a new malware that infects hosts. The
infection will result in the infected host attempting to contact a command-and-control (C2)
server.
Which security profile components will detect and prevent this threat after the firewall's
signature database has been updated?

 A. antivirus profile applied to outbound security policies
 B. data filtering profile applied to inbound security policies
 C. data filtering profile applied to outbound security policies
 D. vulnerability profile applied to inbound security policies

Answer: C

Community vote distribution


A (90%)
10%
Q54 Topic 1

Which update option is not available to administrators?

 A. New Spyware Notifications
 B. New URLs
 C. New Application Signatures
 D. New Malicious Domains
 E. New Antivirus Signatures

Answer: B

Community vote distribution


B (100%)
Q55 Topic 1

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and
future Public Cloud environments. All other required connections have already been enabled
between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-
admin make?

 A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22.
Create a security-rule between zone USERS and OUTSIDE to allow traffic from any
source IP-address to any destination IP-address for SERVICE-SSH
 B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow
traffic from any source IP-address to any destination IP-address for application SSH
 C. In addition to option A, a custom-service-object called SERVICE-SSH-RETURN that
contains source-port-TCP-22 should be created. A second security-rule is required that
allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any
source-IP-address to any destination-IP-address
 D. In addition to option C, an additional rule from zone OUTSIDE to USERS for
application SSH from any source-IP-address to any destination-IP-address is required to
allow the return-traffic from the SSH-servers to reach the server-admin
Answer: B

Community vote distribution


B (100%)
Q56 Topic 1

How often does WildFire release dynamic updates?

 A. every 5 minutes
 B. every 15 minutes
 C. every 60 minutes
 D. every 30 minutes

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-wildfire-updates

Community vote distribution


A (100%)
Q57 Topic 1

What is the minimum frequency for which you can configure the firewall to check for new
WildFire antivirus signatures?

 A. every 30 minutes
 B. every 5 minutes
 C. every 24 hours
 D. every 1 minute

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-wildfire-updates

Community vote distribution


D (100%)
Q58 Topic 1

Your company has 10 Active Directory domain controllers spread across multiple WAN links.
All users authenticate to Active Directory. Each link has substantial network bandwidth to
support all mission-critical applications. The firewall's management plane is highly utilized.
Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto
Networks?

 A. Windows-based agent on a domain controller
 B. Captive Portal
 C. Citrix terminal server agent with adequate data-plane resources
 D. PAN-OS integrated agent

Answer: A

Community vote distribution


A (100%)
Q59 Topic 1

DRAG DROP -
Arrange the correct order that the URL classifications are processed within the system.
Select and Place:
Answer:

Q60 Topic 1

What must you configure to enable the firewall to access multiple Authentication Profiles to
authenticate a non-local account?

 A. authentication sequence
 B. LDAP server profile
 C. authentication server list
 D. authentication list profile

Answer: A
Reference:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/framemaker/pan-os/7-1/pan-os-admin.pdf page 144

Community vote distribution


A (100%)
Q61 Topic 1

Which Security Profile mitigates attacks based on packet count?

 A. zone protection profile
 B. URL filtering profile
 C. antivirus profile
 D. vulnerability profile

Answer: A
Community vote distribution
A (100%)
Q62 Topic 1

Which interface type uses virtual routers and routing protocols?

 A. Tap
 B. Layer3
 C. Virtual Wire
 D. Layer2

Answer: B

Community vote distribution


B (100%)
Q63 Topic 1

Which URL Filtering Profile action does not generate a log entry when a user attempts to access
a URL?

 A. Override
 B. Allow
 C. Block
 D. Continue

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions

Community vote distribution


B (100%)
Q64 Topic 1

An internal host needs to connect through the firewall using source NAT to servers of the
internet.
Which policy is required to enable source NAT on the firewall?

 A. NAT policy with internal zone and internet zone specified
 B. post-NAT policy with external source and any destination address
 C. NAT policy with no internal or internet zone selected
 D. pre-NAT policy with external source and any destination address

Answer: A

Community vote distribution


A (100%)
Q65 Topic 1

Which Security Profile can provide protection against ICMP floods, based on individual
combinations of a packet's source and destination IP addresses?

 A. DoS protection
 B. URL filtering
 C. packet buffering
 D. anti-spyware

Answer: A

Community vote distribution


A (100%)
Q66 Topic 1

Which path in PAN-OS 9.0 displays the list of port-based security policy rules?

 A. Policies > Security > Rule Usage > No App Specified
 B. Policies > Security > Rule Usage > Port only specified
 C. Policies > Security > Rule Usage > Port-based Rules
 D. Policies > Security > Rule Usage > Unused Apps

Answer: C

Community vote distribution


A (100%)
Q67 Topic 1

Which two components are utilized within the Single-Pass Parallel Processing architecture on a
Palo Alto Networks Firewall? (Choose two.)

 A. Layer-ID
 B. User-ID
 C. QoS-ID
 D. App-ID

Answer: BD
Reference:
http://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single-pass-parallel-processing-hardware-architecture.html

Community vote distribution


BD (100%)
Q68 Topic 1

Which path is used to save and load a configuration with a Palo Alto Networks firewall?
 A. Device>Setup>Services
 B. Device>Setup>Management
 C. Device>Setup>Operations
 D. Device>Setup>Interfaces

Answer: C

Community vote distribution


C (100%)
Q69 Topic 1

DRAG DROP -
Match the network device with the correct User-ID technology.
Select and Place:
Answer:

Q70 Topic 1

Which action related to App-ID updates will enable a security administrator to view the existing
security policy rule that matches new application signatures?

 A. Review Policies
 B. Review Apps
 C. Pre-analyze
 D. Review App Matches

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

Community vote distribution


A (100%)
Q71 Topic 1

How do you reset the hit count on a Security policy rule?

 A. Select a Security policy rule, and then select Hit Count > Reset.
 B. Reboot the data-plane.
 C. First disable and then re-enable the rule.
 D. Type the CLI command reset hitcount <POLICY-NAME>.
Answer: A

Community vote distribution


A (100%)
Q72 Topic 1

Given the topology, which zone type should you configure for firewall interface E1/1?

 A. Tap
 B. Tunnel
 C. Virtual Wire
 D. Layer3

Answer: A

Community vote distribution


A (100%)
Q73 Topic 1

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

 A. Management
 B. High Availability
 C. Aggregate
 D. Aggregation

Answer: C

Community vote distribution


C (100%)
Q74 Topic 1

Which security policy rule would be needed to match traffic that passes between the Outside
zone and Inside zone, but does not match traffic that passes within the zones?

 A. intrazone
 B. interzone
 C. universal
 D. global

Answer: B

Community vote distribution


B (80%)
C (20%)
Q75 Topic 1

Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be the last to
block access to the URL?

 A. EDL in URL Filtering Profile
 B. Custom URL category in URL Filtering Profile
 C. Custom URL category in Security policy rule
 D. PAN-DB URL category in URL Filtering Profile

Answer: C

Community vote distribution


D (82%)
B (18%)
Q76 Topic 1

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in
a perimeter-only firewall deployment?

 A. north-south
 B. inbound
 C. outbound
 D. east-west

Answer: D

Community vote distribution


D (92%)
8%
Q77 Topic 1

Which protocol is used to map usernames to user groups when User-ID is configured?

 A. TACACS+
 B. SAML
 C. LDAP
 D. RADIUS
Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

Community vote distribution


C (100%)
Q78 Topic 1

Which definition describes the guiding principle of the zero-trust architecture?

 A. trust, but verify


 B. always connect and verify
 C. never trust, never connect
 D. never trust, always verify

Answer: D
Reference:
https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

Community vote distribution


D (100%)
Q79 Topic 1

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.
Complete the two empty fields in the Security policy rule that permits only this type of access.

Source Zone: Internal
Destination Zone: DMZ Zone
Application: _________?
Service: ____________?
Action: allow
(Choose two.)

 A. Service = "application-default"
 B. Service = "service-telnet"
 C. Application = "Telnet"
 D. Application = "any"

Answer: AC

Community vote distribution


AC (100%)
Q80 Topic 1

In which profile should you configure the DNS Security feature?


 A. Anti-Spyware Profile
 B. Zone Protection Profile
 C. Antivirus Profile
 D. URL Filtering Profile

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security.html

Community vote distribution


A (100%)
Q81 Topic 1

Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0?
(Choose two.)

 A. It is automatically enabled and configured.


 B. It eliminates the need for dynamic DNS updates.
 C. It functions like PAN-DB and requires activation through the app portal.
 D. It removes the 100K limit for DNS entries for the downloaded DNS updates.

Answer: AB

Community vote distribution


BC (53%)
BD (37%)
11%
Q82 Topic 1

Which two features can be used to tag a username so that it is included in a dynamic user group?
(Choose two.)

 A. GlobalProtect agent
 B. XML API
 C. User-ID Windows-based agent
 D. log forwarding auto-tagging

Answer: BD

Community vote distribution


BC (60%)
BD (40%)
Q83 Topic 1

The CFO found a malware-infected USB drive in the parking lot, which when inserted infected
their corporate laptop. The malware contacted a known command-and-control server, which
caused the infected laptop to begin exfiltrating corporate data.
Which security profile feature could have been used to prevent the communication with the
command-and-control server?

 A. Create an anti-spyware profile and enable DNS Sinkhole feature.


 B. Create an antivirus profile and enable its DNS Sinkhole feature.
 C. Create a URL filtering profile and block the DNS Sinkhole URL category
 D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.

Answer: D

Community vote distribution


A (92%)
8%
Q84 Topic 1

You must configure which firewall feature to enable a data-plane interface to submit DNS
queries on behalf of the control plane?

 A. virtual router
 B. Admin Role profile
 C. DNS proxy
 D. service route

Answer: C
Reference:
https://weberblog.net/palo-alto-dns-proxy-for-management-services/

Community vote distribution


D (77%)
C (23%)
Q85 Topic 1

Which component provides network security for mobile endpoints by inspecting traffic routed
through gateways?

 A. Prisma SaaS
 B. GlobalProtect
 C. AutoFocus
 D. Panorama

Answer: A
Reference:
https://www.paloaltonetworks.com/resources/whitepapers/protecting-the-extended-perimeter-with-globalprotect-cloud-service-full

Community vote distribution


B (100%)
Q86 Topic 1

For the firewall to use Active Directory to authenticate users, which Server Profile is required in
the Authentication Profile?

 A. TACACS+
 B. RADIUS
 C. LDAP
 D. SAML

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-an-authentication-profile-and-sequence

Q87 Topic 1

Which operations are allowed when working with App-ID application tags?

 A. Predefined tags may be deleted.


 B. Predefined tags may be augmented by custom tags.
 C. Predefined tags may be modified.
 D. Predefined tags may be updated by WildFire dynamic updates.

Answer: C

Community vote distribution


B (100%)
Q88 Topic 1

Your company occupies one floor in a single building. You have two Active Directory domain
controllers on a single network. The firewall's management plane is only slightly utilized.
Which User-ID agent is sufficient in your network?

 A. Windows-based agent deployed on each domain controller


 B. PAN-OS integrated agent deployed on the firewall
 C. Citrix terminal server agent deployed on the network
 D. Windows-based agent deployed on the internal network a domain member

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user-mapping.html

Community vote distribution


B (91%)
9%
Q89 Topic 1

Which type of administrative role must you assign to a firewall administrator account, if the
account must include a custom set of firewall permissions?

 A. Role-based
 B. Multi-Factor Authentication
 C. Dynamic
 D. SAML

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types.html

Community vote distribution


A (100%)
Q90 Topic 1

Which statement is true regarding a Heatmap report?

 A. When guided by authorized sales engineer, it helps determine the areas of greatest
security risk
 B. It runs only on firewalls.
 C. It provides a set of questionnaires that help uncover security risk prevention gaps
across all areas of network and security architecture.
 D. It provides a percentage of adoption for each assessment area.

Answer: D
Reference:
https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best-practice-assessment-bpa-tool-for-ngfw-and-panorama/ba-p/248343

Community vote distribution


D (100%)
Q91 Topic 1
Based on the screenshot presented, which column contains the link that when clicked, opens a
window to display all applications matched to the policy rule?

 A. Apps Allowed
 B. Service
 C. Name
 D. Apps Seen

Answer: C

Community vote distribution


D (100%)
Q92 Topic 1

Access to which feature requires the PAN-OS Filtering license?

 A. PAN-DB database
 B. DNS Security
 C. Custom URL categories
 D. URL external dynamic lists

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-licenses-and-subscriptions.html

Q93 Topic 1

Based on the screenshot, what is the purpose of the Included Groups?

 A. They are groups that are imported from RADIUS authentication servers.
 B. They are the only groups visible based on the firewall's credentials.
 C. They contain only the users you allow to manage the firewall.
 D. They are used to map users to groups.
Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

Community vote distribution


D (100%)
Q94 Topic 1

Based on the graphic, which statement accurately describes the output shown in the Server
Monitoring panel?

 A. The User-ID agent is connected to a domain controller labeled lab-client.


 B. The host lab-client has been found by the User-ID agent.
 C. The host lab-client has been found by a domain controller.
 D. The User-ID agent is connected to the firewall labeled lab-client.

Answer: C

Community vote distribution


A (100%)
Q95 Topic 1

Which action results in the firewall blocking network traffic without notifying the sender?

 A. Drop
 B. Deny
 C. Reset Server
 D. Reset Client

Answer: B

Community vote distribution


A (100%)
Q96 Topic 1

What do Dynamic User Groups help you to do?

 A. create a policy that provides auto-remediation for anomalous user behavior and
malicious activity
 B. create a dynamic list of firewall administrators
 C. create a QoS policy that provides auto-remediation for anomalous user behavior and
malicious activity
 D. create a policy that provides auto-sizing for anomalous user behavior and malicious
activity

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups

Community vote distribution


A (100%)
Q97 Topic 1

Which type of security policy rule will match traffic that flows between the Outside zone and
inside zone, but would not match traffic that flows within the zones?

 A. global
 B. intrazone
 C. interzone
 D. universal

Answer: B

Community vote distribution


C (100%)
Q98 Topic 1

You notice that protection is needed for traffic within the network due to malicious lateral
movement activity. Based on the image shown, which traffic would you need to monitor and
block to mitigate the malicious activity?

 A. branch office traffic


 B. north-south traffic
 C. perimeter traffic
 D. east-west traffic

Answer: D

Community vote distribution


D (100%)
Q99 Topic 1
DRAG DROP -
Match each feature to the DoS Protection Policy or the DoS Protection Profile.
Select and Place:

Answer:

Q100 Topic 1

Which type of administrator account cannot be used to authenticate user traffic flowing through
the firewall's data plane?

 A. Kerberos user
 B. SAML user
 C. local database user
 D. local user

Answer: B

Community vote distribution


D (100%)
Q101 Topic 1

How frequently can WildFire updates be made available to firewalls?

 A. every 15 minutes
 B. every 30 minutes
 C. every 60 minutes
 D. every 5 minutes

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/software-and-content-updates/dynamic-content-updates.html#:~:text=WildFire%20signature%20updates%20are%20made,within%20a%20minute%20of%20availability.

Community vote distribution


D (100%)
Q102 Topic 1

Starting with PAN-OS version 9.1, which new type of object is supported for use within the User
field of a Security policy rule?

 A. remote username
 B. dynamic user group
 C. static user group
 D. local username

Answer: B

Community vote distribution


B (100%)
Q103 Topic 1

Which link in the web interface enables a security administrator to view the Security policy rules
that match new application signatures?

 A. Review App Matches


 B. Review Apps
 C. Pre-analyze
 D. Review Policies

Answer: D

Community vote distribution


D (100%)
Q104 Topic 1
Based on the shown security policy, which Security policy rule would match all FTP traffic from
the inside zone to the outside zone?

 A. interzone-default
 B. internal-inside-dmz
 C. inside-portal
 D. egress-outside

Answer: D

Community vote distribution


D (56%)
C (44%)
Q105 Topic 1

Which type of firewall configuration contains in-progress configuration changes?

 A. backup
 B. candidate
 C. running
 D. committed

Answer: B

Community vote distribution


B (100%)
Q106 Topic 1

Which three configuration settings are required on a Palo Alto Networks firewall management
interface? (Choose three.)

 A. hostname
 B. netmask
 C. default gateway
 D. auto-negotiation
 E. IP address

Answer: BCE
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK

Q107 Topic 1

What is an advantage for using application tags?

 A. They are helpful during the creation of new zones.


 B. They help content updates automate policy updates.
 C. They help with the creation of interfaces.
 D. They help with the design of IP address allocations in DHCP.

Answer: B

Community vote distribution


B (100%)
Q108 Topic 1

At which point in the App-ID update process can you determine if an existing policy rule is
affected by an App-ID update?

 A. after clicking Check Now in the Dynamic Update window


 B. after committing the firewall configuration
 C. after installing the update
 D. after downloading the update

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-dynamic-updates

Community vote distribution


D (80%)
A (20%)
Q109 Topic 1

You receive notification about a new malware that infects hosts. An infection results in the
infected host attempting to contact a command-and-control server.
Which Security Profile detects and prevents this threat from establishing a command-and-control
connection?

 A. Vulnerability Protection Profile applied to outbound Security policy rules.


 B. Anti-Spyware Profile applied to outbound security policies.
 C. Antivirus Profile applied to outbound Security policy rules
 D. Data Filtering Profile applied to outbound Security policy rules.

Answer: B

Community vote distribution


B (100%)
Q110 Topic 1

Which statement is true regarding a Best Practice Assessment?

 A. It runs only on firewalls.


 B. It shows how current configuration compares to Palo Alto Networks
recommendations.
 C. When guided by an authorized sales engineer, it helps determine the areas of greatest
risk where you should focus prevention activities.
 D. It provides a set of questionnaires that help uncover security risk prevention gaps
across all areas of network and security architecture.

Answer: B

Community vote distribution


B (100%)
Q111 Topic 1

The PowerBall Lottery has reached an unusually high value this week. Your company has
decided to raise morale by allowing employees to access the PowerBall
Lottery website (www.powerball.com) for just this week. However, the company does not want
employees to access any other websites also listed in the URL filtering `gambling` category.
Which method allows the employees to access the PowerBall Lottery website but without
unblocking access to the `gambling` URL category?

 A. Add just the URL www.powerball.com to a Security policy allow rule.


 B. Manually remove powerball.com from the gambling URL category.
 C. Add *.powerball.com to the URL Filtering allow list.
 D. Create a custom URL category, add *.powerball.com to it and allow it in the Security
Profile.

Answer: CD

Community vote distribution


A (67%)
CD (33%)
Q112 Topic 1

Which Palo Alto Networks service protects cloud-based applications such as Dropbox and
Salesforce by monitoring permissions and shares and scanning files for sensitive information?
 A. Prisma SaaS
 B. AutoFocus
 C. Panorama
 D. GlobalProtect

Answer: A

Community vote distribution


A (100%)
Q113 Topic 1

In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?

 A. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules
 B. Reboot the firewall
 C. Use the Reset Rule Hit Counter > All Rules option
 D. Use the CLI enter the command reset rules all

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/creating-and-managing-policies

Community vote distribution


C (100%)
Q114 Topic 1

Based on the Security policy rules shown, SSH will be allowed on which port?

 A. the default port


 B. only ephemeral ports
 C. any port
 D. same port as ssl and snmpv3

Answer: A

Community vote distribution


A (100%)
Q115 Topic 1

You receive notification about new malware that is being used to attack hosts. The malware
exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's
threat signature database?

 A. Data Filtering Profile applied to outbound Security policy rules


 B. Antivirus Profile applied to outbound Security policy rules
 C. Data Filtering Profile applied to inbound Security policy rules
 D. Vulnerability Protection Profile applied to inbound Security policy rules

Answer: B

Community vote distribution


D (100%)
Q116 Topic 1

Palo Alto Networks firewall architecture accelerates content inspection performance while
minimizing latency using which two components? (Choose two.)

 A. Network Processing Engine


 B. Policy Engine
 C. Parallel Processing Hardware
 D. Single Stream-based Engine

Answer: CD

Community vote distribution


CD (100%)
Q117 Topic 1

An administrator is reviewing another administrator's Security policy log settings.
Which log setting configuration is consistent with best practices for normal traffic?

 A. Log at Session Start and Log at Session End both enabled


 B. Log at Session Start enabled, Log at Session End disabled
 C. Log at Session Start disabled, Log at Session End enabled
 D. Log at Session Start and Log at Session End both disabled

Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC

Q118 Topic 1

Which Security profile would you apply to identify infected hosts on the protected network using
DNS traffic?

 A. URL filtering
 B. vulnerability protection
 C. anti-spyware
 D. antivirus

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles

Q119 Topic 1

Given the topology, which zone type should zone A and zone B be configured with?

 A. Layer3
 B. Ethernet
 C. Layer2
 D. Virtual Wire

Answer: A

Q120 Topic 1

Assume a custom URL Category Object of `NO-FILES` has been created to identify a specific
website.
How can file uploading/downloading be restricted for the website while permitting general
browsing access to that website?

 A. Create a Security policy with a URL Filtering profile that references the site access
setting of block to NO-FILES.
 B. Create a Security policy that references NO-FILES as a URL Category qualifier with
an appropriate File Blocking profile.
 C. Create a Security policy with a URL Filtering profile that references the site access
setting of continue to NO-FILES.
 D. Create a Security policy that references NO-FILES as a URL Category qualifier with
an appropriate Data Filtering profile.

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-file-blocking

Q121 Topic 1

Which URL Filtering profile action would you set to allow users the option to access a site only
if they provide a URL admin password?

 A. authorization
 B. continue
 C. authentication
 D. override

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions.html

Q122 Topic 1
How are Application Filters or Application Groups used in firewall policy?

 A. An Application Group is a static way of grouping applications and cannot be
configured as a nested member of Application Group.
 B. An Application Group is a dynamic way of grouping applications and can be
configured as a nested member of an Application Group.
 C. An Application Filter is a dynamic way to group applications and can be configured as
a nested member of an Application Group.
 D. An Application Filter is a static way of grouping applications and can be configured as
a nested member of an Application Group.

Answer: C

Q123 Topic 1

Which tab would an administrator click to create an address object?

 A. Objects
 B. Monitor
 C. Device
 D. Policies

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-addresses

Q124 Topic 1

An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?

 A. Enable Log at Session Start


 B. Disable all logging
 C. Enable Log at both Session Start and End
 D. Enable Log at Session End

Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC

Q125 Topic 1

Which two firewall components enable you to configure SYN flood protection thresholds?
(Choose two.)
 A. QoS profile
 B. DoS Protection profile
 C. Zone Protection profile
 D. DoS Protection policy

Answer: BC

Q126 Topic 1

An administrator would like to see the traffic that matches the interzone-default rule in the traffic
logs.
What is the correct process to enable this logging?

 A. Select the interzone-default rule and click Override; on the Actions tab, select Log at
Session End and click OK.
 B. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at
Session End and click OK.
 C. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at
Session Start and click OK.
 D. This rule has traffic logging enabled by default; no further action is required.

Answer: B

Q127 Topic 1

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.
What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

 A. Add static routes to route between the two interfaces


 B. Add interfaces to the virtual router
 C. Add zones attached to interfaces to the virtual router
 D. Enable the redistribution profile to redistribute connected routes

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/virtual-routers.html

Q128 Topic 1

An administrator wants to prevent users from submitting corporate credentials in a phishing
attack.
Which Security profile should be applied?

 A. antivirus
 B. anti-spyware
 C. URL-filtering
 D. vulnerability protection

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention.html#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

Q129 Topic 1

Which two rule types allow the administrator to modify the destination zone? (Choose two.)

 A. interzone
 B. shadowed
 C. intrazone
 D. universal
Answer: AD
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

Q130 Topic 1

What is the main function of Policy Optimizer?

 A. reduce load on the management plane by highlighting combinable security rules
 B. migrate other firewall vendors' security rules to Palo Alto Networks configuration
 C. eliminate "Log at Session Start" security rules
 D. convert port-based security rules to application-based security rules

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.html

Q131 Topic 1

Based on the screenshot, what is the purpose of the group in User labelled "it"?

 A. Allows "any" users to access servers in the DMZ zone.
 B. Allows users to access IT applications on all ports.
 C. Allow users in group "it" to access IT applications.
 D. Allow users in group "DMZ" to access IT applications.

Answer: C

Q132 Topic 1

Which action results in the firewall blocking network traffic without notifying the sender?

 A. Drop
 B. Deny
 C. No notification
 D. Reset Client

Answer: A

Q133 Topic 1
Assume that traffic matches a Security policy rule but the attached Security Profile is
configured to block matching traffic.
Which statement accurately describes how the firewall will apply an action to matching traffic?

 A. If it is a block rule, then Security Profile action is applied last.


 B. If it is an allow rule, then the Security policy rule is applied last.
 C. If it is a block rule, then the Security policy rule action is applied last.
 D. If it is an allowed rule, then the Security Profile action is applied last.

Answer: D

Q134 Topic 1

Which Security profile can you apply to protect against malware such as worms and Trojans?

 A. antivirus
 B. data filtering
 C. vulnerability protection
 D. anti-spyware

Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles#:~:text=Antivirus%20profiles%20protect%20against%20viruses,as%20well%20as%20spyware%20downloads.

Q135 Topic 1
Given the network diagram, traffic should be permitted for both Trusted and Guest users to
access general Internet and DMZ servers using SSH, web-browsing and SSL applications.
Which policy achieves the desired results?
A.

B.

C.

D.

Answer: B

Q136 Topic 1
Which license is required to use the Palo Alto Networks built-in IP address EDLs?

 A. DNS Security
 B. Threat Prevention
 C. WildFire
 D. SD-Wan

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls.html#:~:text=With%20an%20active%20Threat%20Prevention,to%20protect%20against%20malicious%20hosts

Q137 Topic 1

Which statement is true about Panorama managed devices?

 A. Panorama automatically removes local configuration locks after a commit from
Panorama.
 B. Local configuration locks prohibit Security policy changes for a Panorama managed
device.
 C. Security policy rules configured on local firewalls always take precedence.
 D. Local configuration locks can be manually unlocked from Panorama.

Answer: A
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-panorama/manage-locks-for-restricting-configuration-changes.html
Q138 Topic 1

A Security Profile can block or allow traffic at which point?

 A. on either the data plane or the management plane


 B. after it is matched to a Security policy rule that allows or blocks traffic
 C. after it is matched to a Security policy rule that allows traffic
 D. before it is matched to a Security policy rule

Answer: C

Q139 Topic 1

DRAG DROP -
Place the following steps in the packet processing order of operations from first to last.
Select and Place:
Answer:

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

Q140 Topic 1

Which type of address object is `10.5.1.1/0.127.248.2`?

 A. IP netmask
 B. IP subnet
 C. IP wildcard mask
 D. IP range

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/create-an-address-object.html

Q141 Topic 1

Which component is a building block in a Security policy rule?

 A. decryption profile
 B. destination interface
 C. timeout (min)
 D. application

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-security/building-blocks-in-a-security-policy-rule.html
Q142 Topic 1

You have been tasked to configure access to a new web server located in the DMZ.
Based on the diagram what configuration changes are required in the NGFW virtual router to
route traffic from the 10.1.1.0/24 network to 192.168.1.0/24?

 A. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/2 with a next-
hop of 172.16.1.2.
 B. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-
hop of 192.168.1.10
 C. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-
hop of 172.16.1.2.
 D. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-
hop of 192.168.1.254.

Answer: C

Q143 Topic 1

An administrator would like to use App-ID's deny action for an application and would like that
action updated with dynamic updates as new content becomes available.
Which security policy action causes this?

 A. Reset server
 B. Reset both
 C. Deny
 D. Drop

Answer: C

Q144 Topic 1
Selecting the option to revert firewall changes will replace what settings?

 A. the candidate configuration with settings from the running configuration


 B. dynamic update scheduler settings
 C. the running configuration with settings from the candidate configuration
 D. the device state with settings from another configuration

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/revert-firewall-configuration-changes.html

Q145 Topic 1

An administrator has configured a Security policy where the matching condition includes a
single application, and the action is drop.
If the application's default deny action is reset-both, what action does the firewall take?

 A. It silently drops the traffic.


 B. It silently drops the traffic and sends an ICMP unreachable code.
 C. It sends a TCP reset to the server-side device.
 D. It sends a TCP reset to the client-side and server-side devices.

Answer: D

Q146 Topic 1

Which three types of authentication services can be used to authenticate user traffic flowing
through the firewall's data plane? (Choose three.)

 A. SAML 2.0
 B. Kerberos
 C. TACACS
 D. TACACS+
 E. SAML 1.0

Answer: ABD

Q147 Topic 1

Which objects would be useful for combining several services that are often defined together?

 A. application filters
 B. service groups
 C. shared service objects
 D. application groups
Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-services.html

Q148 Topic 1

Given the screenshot, what two types of route is the administrator configuring? (Choose two.)

 A. BGP
 B. static route
 C. default route
 D. OSPF

Answer: BC

Q149 Topic 1

Which rule type is appropriate for matching traffic both within and between the source and
destination zones?

 A. interzone
 B. shadowed
 C. intrazone
 D. universal

Answer: A

Q150 Topic 1

An administrator would like to override the default deny action for a given application, and
instead would like to block the traffic and send the ICMP code
`communication with the destination is administratively prohibited`.
Which security policy action causes this?

 A. Drop
 B. Drop, send ICMP Unreachable
 C. Reset both
 D. Reset server

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy/security-policy-actions.html

Q151 Topic 1

You receive notification about new malware that infects hosts through malicious files transferred
by FTP.
Which Security profile detects and protects your internal networks from this threat after you
update your firewall's threat signature database?

 A. URL Filtering profile applied to inbound Security policy rules.


 B. Data Filtering profile applied to outbound Security policy rules.
 C. Antivirus profile applied to inbound Security policy rules.
 D. Vulnerability Protection profile applied to outbound Security policy rules.

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles

Q152 Topic 1

An administrator wants to prevent access to media content websites that are risky.
Which two URL categories should be combined in a custom URL category to accomplish this
goal? (Choose two.)

 A. recreation-and-hobbies
 B. streaming-media
 C. known-risk
 D. high-risk

Answer: BD

Q153 Topic 1

Which dynamic update type includes updated anti-spyware signatures?

 A. PAN-DB
 B. Applications and Threats
 C. GlobalProtect Data File
 D. Antivirus

Answer: B

Q154 Topic 1

An administrator would like to silently drop traffic from the internet to an FTP server.
Which Security policy action should the administrator select?

 A. Drop
 B. Deny
 C. Block
 D. Reset-server

Answer: A

Q155 Topic 1

Which object would an administrator create to block access to all high-risk applications?

 A. HIP profile
 B. Vulnerability Protection profile
 C. application group
 D. application filter

Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKECA0

Q156 Topic 1

Which option is part of the content inspection process?

 A. Packet forwarding process


 B. IPsec tunnel encryption
 C. SSL Proxy re-encrypt
 D. Packet egress process

Answer: C
Reference:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

Q157 Topic 1

How does an administrator schedule an Applications and Threats dynamic update while delaying
installation of the update for a certain amount of time?

  A. Disable automatic updates during weekdays
  B. Automatically "download and install" but with the "disable new applications"
option used
  C. Automatically "download only" and then install Applications and Threats later, after
the administrator approves the update
  D. Configure the option for "Threshold"

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/threat-prevention/best-practices-for-application-and-threat-content-updates#

Q158 Topic 1

What must be considered with regards to content updates deployed from Panorama?

 A. Content update schedulers need to be configured separately per device group.


 B. Panorama can only install up to five content versions of the same type for potential
rollback scenarios.
 C. A PAN-OS upgrade resets all scheduler configurations for content updates.
 D. Panorama can only download one content update at a time for content updates of the
same type.

Answer: D
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama.html

Q159 Topic 1

During the packet flow process, which two processes are performed in application identification?
(Choose two.)
 A. pattern based application identification
 B. application override policy match
 C. session application identified
 D. application changed from content inspection

Answer: AB
Reference:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

Q160 Topic 1

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through
DNAT.

Which Security policy rule will allow traffic to flow to the web server?

 A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow


 B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
 C. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
 D. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

Q161 Topic 1

What does an administrator use to validate whether a session is matching an expected NAT
policy?

 A. system log
 B. test command
 C. threat log
 D. config audit

Answer: B
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0

Q162 Topic 1

What is the purpose of the automated commit recovery feature?

 A. It reverts the Panorama configuration.


 B. It causes HA synchronization to occur automatically between the HA peers after a
push from Panorama.
 C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to
Panorama after the change.
 D. It generates a config log after the Panorama configuration successfully reverts to the
last running configuration.

Answer: C
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-panorama/enable-automated-commit-recovery.html

Q163 Topic 1

According to the best practices for mission critical devices, what is the recommended interval for
antivirus updates?

 A. by minute
 B. hourly
 C. daily
 D. weekly

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-mission-critical.html

Q164 Topic 1

DRAG DROP -
Place the steps in the correct packet-processing order of operations.
Select and Place:

Answer:

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

Q165 Topic 1

Which Security policy match condition would an administrator use to block traffic from IP
addresses on the Palo Alto Networks EDL of Known Malicious IP
Addresses list?

 A. destination address
 B. source address
 C. destination zone
 D. source zone

Answer: D

Q166 Topic 1

URL categories can be used as match criteria on which two policy types? (Choose two.)
 A. authentication
 B. decryption
 C. application override
 D. NAT

Answer: AB
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-category-as-policy-match-criteria.html

Q167 Topic 1

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

 A. The web session was unsuccessfully decrypted.


 B. The traffic was denied by security profile.
 C. The traffic was denied by URL filtering.
 D. The web session was decrypted.

Answer: CD

Q168 Topic 1

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP
address. Traffic will be steered to the specific server based on the application, where Host A
(10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)
 A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow
 B. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
 C. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
 D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
 E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Answer: AE

Q169 Topic 1

Which type of profile must be applied to the Security policy rule to protect against buffer
overflows, illegal code execution, and other attempts to exploit system flaws?

 A. URL filtering
 B. vulnerability protection
 C. file blocking
 D. anti-spyware

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection.html

Q170 Topic 1

Starting with PAN-OS version 9.1, application dependency information is now reported in which
two locations? (Choose two.)

 A. on the App Dependency tab in the Commit Status window


 B. on the Policy Optimizer's Rule Usage page
 C. on the Application tab in the Security Policy Rule creation window
 D. on the Objects > Applications browser pages

Answer: AC
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies.html

Q171 Topic 1

What action will inform end users when their access to Internet content is being restricted?

  A. Create a custom "URL Category" object with notifications enabled.
  B. Publish monitoring data for Security policy deny logs.
  C. Ensure that the "site access" setting for all URL sites is set to "alert".
  D. Enable "Response Pages" on the interface providing Internet access.

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-response-pages.html

Q172 Topic 1

What is a recommended consideration when deploying content updates to the firewall from
Panorama?

 A. Before deploying content updates, always check content release version compatibility.
 B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.
 C. Content updates for firewall A/A HA pairs need a defined master device.
 D. After deploying content updates, perform a commit and push to Panorama.

Answer: D
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama.html

Q173 Topic 1

Which information is included in device state other than the local configuration?

 A. uncommitted changes
 B. audit logs to provide information of administrative account changes
 C. system logs to provide information of PAN-OS changes
 D. device group and template settings pushed from Panorama

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-operations.html

Q174 Topic 1
Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?

 A. It defines the SSL/TLS encryption strength used to protect the management interface.
 B. It defines the CA certificate used to verify the client's browser.
 C. It defines the certificate to send to the client's browser from the management interface.
 D. It defines the firewall's global SSL/TLS timeout values.
Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0

Q175 Topic 1

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule,
which is set to default configuration.
What should the administrator do?

 A. change the logging action on the rule


 B. review the System Log
 C. refresh the Traffic Log
 D. tune your Traffic Log filter to include the dates

Answer: A

Q176 Topic 1

When is the content inspection performed in the packet flow process?

 A. after the application has been identified


 B. after the SSL Proxy re-encrypts the packet
 C. before the packet forwarding process
 D. before session lookup

Answer: A
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

Q177 Topic 1

During the App-ID update process, what should you click on to confirm whether an existing
policy rule is affected by an App-ID update?

 A. check now
 B. review policies
 C. test policy match
 D. download

Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

Q178 Topic 1
When creating a custom URL category object, which is a valid type?

 A. domain match
 B. host names
 C. wildcard
 D. category match

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-custom-objects-url-category.html

Q179 Topic 1

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP
port is used for management access?

 A. 80
 B. 8443
 C. 4443
 D. 443

Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS#:~:text=Details,using%20https%20on%20port%204443

Q180 Topic 1

What two authentication methods on the Palo Alto Networks firewalls support authentication and
authorization for role-based access control (RBAC)? (Choose two.)

 A. SAML
 B. TACACS+
 C. LDAP
 D. Kerberos

Answer: AB
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html

Q181 Topic 1

Which administrative management services can be configured to access a management interface?


 A. HTTPS, HTTP, CLI, API
 B. HTTPS, SSH, telnet, SNMP
 C. SSH, telnet, HTTP, HTTPS
 D. HTTP, CLI, SNMP, HTTPS

Answer: C

Q182 Topic 1

Which feature would be useful for preventing traffic from hosting providers that place few
restrictions on content whose services are frequently used by attackers to distribute illegal or
unethical material?

 A. Palo Alto Networks C&G IP Addresses


 B. Palo Alto Networks High Risk IP Addresses
 C. Palo Alto Networks Known Malicious IP Addresses
 D. Palo Alto Networks Bulletproof IP Addresses

Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/edl-for-bulletproof-isps

Q183 Topic 1

Which security policy match condition would an administrator use to block traffic to IP
addresses on the Palo Alto Networks Bulletproof IP Addresses list?

 A. source address
 B. destination address
 C. source zone
 D. destination zone

Answer: A

Q184 Topic 1

Which three filter columns are available when setting up an Application Filter? (Choose three.)

 A. Parent App
 B. Category
 C. Risk
 D. Standard Ports
 E. Subcategory
Answer: BCE
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXfCAK

Q185 Topic 1

Which stage of the cyber attack lifecycle makes it important to provide ongoing education to
users on spear phishing links, unknown emails, and risky websites?

 A. reconnaissance
 B. delivery
 C. installation
 D. exploitation

Answer: A
Reference:
https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle

Q186 Topic 1

A coworker found a USB labeled "confidential" in the parking lot. They inserted the drive and it
infected their corporate laptop with unknown malware. The malware caused the laptop to begin
infiltrating corporate data.
Which Security Profile feature could have been used to detect the malware on the laptop?

 A. DNS Sinkhole
 B. WildFire Analysis
 C. Antivirus
 D. DoS Protection

Answer: A

Q187 Topic 1

What must be configured before setting up Credential Phishing Prevention?

 A. Threat Prevention
 B. Anti Phishing Block Page
 C. User-ID
 D. Anti Phishing profiles

Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention

Q188 Topic 1

Which DNS Query action is recommended for traffic that is allowed by Security policy and
matches Palo Alto Networks Content DNS Signatures?

 A. block
 B. sinkhole
 C. allow
 D. alert

Answer: B

Q189 Topic 1

Which statement best describes a common use of Policy Optimizer?

  A. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7
App ID Security policy for every Layer 4 policy that exists. Admins can then manually
enable policies they want to keep and delete ones they want to remove.
  B. Policy Optimizer can display which Security policies have not been used in the last 90
days.
  C. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security
policies have unused applications.
  D. Policy Optimizer can add or change a Log Forwarding profile for each Security policy
selected.

Answer: D

Q190 Topic 1
Which two statements are correct regarding multiple static default routes when they are
configured as shown in the image? (Choose two.)

 A. The route with lowest metric is used.


 B. The route with the highest administrative distance is used.
 C. The virtual router would load balance across the two routes.
 D. Path monitoring determines whether a route is usable.

Answer: AD

Q191 Topic 1

An address object of type IP Wildcard Mask can be referenced in which part of the
configuration?

  A. Security policy rule
  B. ACC global filter
 C. NAT address pool
 D. external dynamic list

Answer: C

Q192 Topic 1

You receive notification about a new malware that infects hosts. An infection results in the
infected host attempting to contact command-and-control server.
Which Security Profile, when applied to outbound Security policy rules, detects and prevents this
threat from establishing a command-and-control connection?

 A. Anti-Spyware Profile
 B. Data Filtering Profile
 C. Antivirus Profile
 D. Vulnerability Protection Profile

Answer: B

Q193 Topic 1

Which Palo Alto Networks component provides consolidated policy creation?

 A. Policy Optimizer
 B. Prisma SaaS
 C. GlobalProtect
 D. Panorama

Answer: D

Q194 Topic 1

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN
zone, and also needs to match DNS traffic within the DMZ zone.
The administrator does not want to allow traffic between the DMZ and LAN zones.
Which Security policy rule type should they use?

 A. interzone
 B. intrazone
 C. default
 D. universal

Answer: D

Q195 Topic 1

According to best practices, how frequently should WildFire updates be made to perimeter
firewalls?

 A. every 10 minutes
 B. every minute
 C. every 5 minutes
 D. in real time

Answer: D
Q196 Topic 1

Given the topology, which interface type should you configure for firewall interface E1/1?

 A. Layer 2
 B. virtual wire
 C. tap
 D. mirror port

Answer: C

Q197 Topic 1

Which solution is a viable option to capture user identification when Active Directory is not in
use?

  A. Cloud Identity Engine
 B. Directory Sync Service
 C. group mapping
 D. Authentication Portal

Answer: A
Reference:
https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-directory-type/configure-an-on-premises-directory/install-the-cloud-identity-agent

Q198 Topic 1

What allows a security administrator to preview the Security policy rules that match new
application signatures?

 A. Policy Optimizer--New App Viewer


 B. Dynamic Updates--Review App
 C. Review Release Notes
 D. Dynamic Updates--Review Policies
Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules.html

Q199 Topic 1

If using group mapping with Active Directory Universal Groups, what must you do when
configuring the User ID?

 A. Configure a Primary Employee ID number for user-based Security policies.


 B. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on
port 636 or 389.
 C. Create an LDAP Server profile to connect to the root domain of the Global Catalog
server on port 3268 or 3269 for SSL.
 D. Configure a frequency schedule to clear group mapping cache.

Answer: C
Reference:
https://docs.paloaltonetworks.com/best-practices/10-0/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-group-mapping.html

Q200 Topic 1

An administrator needs to add capability to perform real time signature lookups to block or
sinkhole all known malware domains.
Which type of single, unified engine will get this result?

 A. Content ID
 B. App-ID
 C. Security Processing Engine
 D. User-ID

Answer: C

Q201 Topic 1

Which action would an administrator take to ensure that a service object will be available only to
the selected device group?

 A. ensure that disable override is selected


 B. uncheck the shared option
 C. ensure that disable override is cleared
 D. create the service object in the specific template

Answer: B
Community vote distribution
B (100%)
Q202 Topic 1

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are
verified as unsafe based on WildFire analysis, Unit 42 research, and data gathered from
telemetry?

 A. Palo Alto Networks High-Risk IP Addresses


 B. Palo Alto Networks Known Malicious IP Addresses
 C. Palo Alto Networks C&C IP Addresses
 D. Palo Alto Networks Bulletproof IP Addresses

Answer: B

Community vote distribution


B (100%)
Q203 Topic 1

An administrator would like to determine the default deny action for the application dns-over-
https.
Which action would yield the information?

 A. View the application details in beacon.paloaltonetworks.com


 B. Check the action for the Security policy matching that traffic
 C. Check the action for the decoder in the antivirus profile
 D. View the application details in Objects > Applications

Answer: B

Community vote distribution


D (100%)
Q204 Topic 1

Access to which feature requires a URL Filtering license?

 A. PAN-DB database
 B. External dynamic lists
 C. DNS Security
 D. Custom URL categories

Answer: A

Community vote distribution


A (100%)
Q205 Topic 1
What is the main function of the Test Policy Match function?

  A. ensure that policy rules are not shadowing other policy rules
  B. confirm that rules meet or exceed the Best Practice Assessment recommendations
  C. confirm that policy rules in the configuration are allowing/denying the correct traffic
 D. verify that policy rules from Expedition are valid

Answer: D

Community vote distribution


C (100%)
Q206 Topic 1

Which attribute can a dynamic address group use as a filtering condition to determine its
membership?

 A. subnet mask
 B. tag
 C. IP address
 D. wildcard mask

Answer: B

Community vote distribution


B (100%)
Q207 Topic 1

View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet
and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IOT/Guest and
Trust Zones?
A.

B.

C.

D.

Answer: C

Q208 Topic 1

What are the three DNS Security categories available to control DNS traffic? (Choose three.)

 A. Parked Domains
 B. Spyware Domains
 C. Vulnerability Domains
 D. Phishing Domains
 E. Malware Domains

Answer: BDE

Community vote distribution


ADE (100%)
Q209 Topic 1

What are three valid information sources that can be used when tagging users to dynamic user
groups? (Choose three.)

 A. firewall logs
 B. custom API scripts
 C. Security Information and Event Management Systems (SIEMS), such as Splunk
 D. biometric scanning results from iOS devices
 E. DNS Security service

Answer: CDE

Community vote distribution


ABC (100%)
Q210 Topic 1

The compliance officer requests that all evasive applications need to be blocked on all perimeter
firewalls out to the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a
security policy using App-ID to comply with this request? (Choose two.)

 A. Create a deny rule at the top of the policy from trust to untrust with service
application-default and add an application filter with the evasive characteristic
 B. Create a deny rule at the top of the policy from trust to untrust over any service and
select evasive as the application
 C. Create a deny rule at the top of the policy from trust to untrust with service
application-default and select evasive as the application
 D. Create a deny rule at the top of the policy from trust to untrust over any service and
add an application filter with the evasive characteristic

Answer: AD

Community vote distribution


AD (100%)
Q211 Topic 1

Which object would an administrator create to enable access to all applications in the office-
programs subcategory?

 A. HIP profile
 B. URL category
 C. application group
 D. application filter

Answer: D

Community vote distribution


D (100%)
Q212 Topic 1
Given the detailed log information above, what was the result of the firewall traffic inspection?

 A. It was blocked by the Vulnerability Protection profile action


 B. It was blocked by the Security policy action
 C. It was blocked by the Anti-Virus Security profile action
 D. It was blocked by the Anti-Spyware Profile action

Answer: D

Community vote distribution


D (100%)
Q213 Topic 1
An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule.
What is the best way to do this?

 A. Create a static NAT rule translating to the destination interface.


 B. Create a static NAT rule with an application override.
 C. Create a Security policy rule to allow the traffic.
 D. Create a new NAT rule with the correct parameters and leave the translation type as
None.

Answer: D

Community vote distribution


D (100%)
Q214 Topic 1

What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?

 A. You can specify the location as pre- or post-rules to push policy rules
 B. You can specify the firewalls in a device group to which to push policy rules
 C. Doing so provides audit information prior to making changes for selected policy rules
 D. Doing so limits the templates that receive the policy rules

Answer: A

Community vote distribution


B (100%)
Q215 Topic 1

When an ethernet interface is configured with an IPv4 address, which type of zone is it a member
of?

 A. Layer 3
 B. Virtual Wire
 C. Tap
 D. Tunnel

Answer: A

Community vote distribution


A (100%)
Q216 Topic 1

An administrator would like to create a URL Filtering log entry when users browse to any
gambling website.
What combination of Security policy and Security profile actions is correct?
 A. Security policy = deny, Gambling category in URL profile = block
 B. Security policy = drop, Gambling category in URL profile = allow
 C. Security policy = allow, Gambling category in URL profile = alert
 D. Security policy = allow, Gambling category in URL profile = allow

Answer: C

Community vote distribution


C (100%)
Q217 Topic 1

An administrator is investigating a log entry for a session that is allowed and has the end reason
of aged-out.
Which two fields could help in determining if this is normal? (Choose two.)

 A. IP Protocol
 B. Packets sent/received
 C. Decrypted
 D. Action

Answer: BD

Community vote distribution


AB (100%)
Q218 Topic 1

What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)

 A. It requires an active subscription to a third-party DNS Security service


 B. It requires a valid URL Filtering license
 C. It uses techniques such as DGA/DNS tunneling detection and machine learning
 D. It requires a valid Threat Prevention license
 E. It enables users to access real-time protections using advanced predictive analytics

Answer: CDE

Community vote distribution


CDE (100%)
Q219 Topic 1

After making multiple changes to the candidate configuration of a firewall, the administrator
would like to start over with a candidate configuration that matches the running configuration.
Which command in Device > Setup > Operations would provide the most operationally efficient
way to accomplish this?

 A. Revert to running configuration


 B. Load named configuration snapshot
 C. Revert to last saved configuration
 D. Import named config snapshot

Answer: A

Community vote distribution


A (100%)
Q220 Topic 1

What are three valid ways to map an IP address to a username? (Choose three.)

 A. a user connecting into a GlobalProtect gateway using a GlobalProtect Agent


 B. WildFire verdict reports
 C. DHCP Relay logs
 D. using the XML API
 E. usernames inserted inside HTTP Headers

Answer: ADE

Community vote distribution


ADE (100%)
Q221 Topic 1

How is an address object of type IP range correctly defined?

 A. 192.168.40.1-192.168.40.255
 B. 192.168.40.1-255
 C. 192.168.40.1, 192.168.40.255
 D. 192.168.40.1/24

Answer: A

Community vote distribution


A (86%)
14%
Q222 Topic 1

An administrator is troubleshooting traffic that should match the interzone-default rule.
However, the administrator doesn't see this traffic in the traffic logs on the firewall. The
interzone-default was never changed from its default configuration.
Why doesn't the administrator see the traffic?

 A. The interzone-default policy is disabled by default.


 B. Traffic is being denied on the interzone-default policy.
 C. Logging on the interzone-default policy is disabled.
 D. The Log Forwarding profile is not configured on the policy.
Answer: C

Q223 Topic 1

What do you configure if you want to set up a group of objects based on their ports alone?

 A. address groups
 B. custom objects
 C. application groups
 D. service groups

Answer: D

Community vote distribution


D (100%)
Q224 Topic 1

What are two valid selections within a Vulnerability Protection profile? (Choose two.)

 A. deny
 B. drop
 C. default
 D. sinkhole

Answer: BC

Community vote distribution


BC (100%)
Q225 Topic 1

Which three interface deployment methods can be used to block traffic flowing through the Palo
Alto Networks firewall? (Choose three.)

 A. Tap
 B. HA
 C. Layer 3
 D. Layer 2
 E. Virtual Wire

Answer: CDE

Community vote distribution


CDE (100%)
Q226 Topic 1
An administrator would like to override the default deny action for a given application, and
instead would like to block the traffic.
Which security policy action causes this?

 A. Drop
 B. Drop, send ICMP Unreachable
 C. Reset both
 D. Reset server

Answer: B

Community vote distribution


A (100%)
Q227 Topic 1

When creating an Admin Role profile, if no changes are made, which two administrative
methods will you have full access to? (Choose two.)

  A. web UI
  B. XML API
  C. command line
  D. REST API

Answer: AD

Community vote distribution


AD (100%)
Q228 Topic 1

An administrator would like to apply a more restrictive Security profile to traffic for file sharing
applications. The administrator does not want to update the Security policy or object when new
applications are released.
Which object should the administrator use as a match condition in the Security policy?

 A. the Online Storage and Backup URL category


 B. the Content Delivery Networks URL category
 C. an application group containing all of the file-sharing App-IDs reported in the traffic
logs
 D. an application filter for applications whose subcategory is file-sharing

Answer: D

Community vote distribution


D (50%)
C (50%)
Q229 Topic 1
Which list of actions properly defines the order of steps needed to add a local database user
account and create a new group to which this user will be assigned?

 A. 1. Navigate to Device > Local User Database > Users and click Add. 2. Enter a Name
for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click
OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter
a Name for the group. 7. Add the user to the group and click OK.
 B. 1. Navigate to Device > Authentication Profile > Users and click Add. 2. Enter a
Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and
click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6.
Enter a Name for the group. 7. Add the user to the group and click OK.
 C. 1. Navigate to Device > Users and click Add. 2. Enter a Name for the user. 3. Enter
and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to
Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to
the group and click OK.
 D. 1. Navigate to Device > Admins and click Add. 2. Enter a Name for the user. 3. Enter
and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to
Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to
the group and click OK.

Answer: A

Community vote distribution


A (100%)
Q230 Topic 1

When creating a Panorama administrator type of Device Group and Template Admin, which two
things must you create first? (Choose two.)

 A. server profile
 B. admin role
 C. password profile
 D. access domain

Answer: BD

Community vote distribution


BD (100%)
Q231 Topic 1

An administrator is configuring a NAT rule.


At a minimum, which three forms of information are required? (Choose three.)

 A. source zone
 B. name
 C. destination interface
 D. destination zone
 E. destination address

Answer: ABD

Community vote distribution


ABD (100%)
Q232 Topic 1

An administrator wants to prevent hacking attacks through DNS queries to malicious domains.
Which two DNS policy actions can the administrator choose in the Anti-Spyware Security
Profile? (Choose two.)

 A. deny
 B. block
 C. sinkhole
 D. override

Answer: BC

Community vote distribution


BC (100%)
Q233 Topic 1

An administrator is creating a NAT policy.


Which combination of address and zone are used as match conditions? (Choose two.)

 A. Pre-NAT address
 B. Pre-NAT zone
 C. Post-NAT address
 D. Post-NAT zone

Answer: AD

Community vote distribution


BD (33%)
AB (33%)
AD (33%)
Q234 Topic 1

A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this
purpose? (Choose three.)

 A. OSPF
 B. EIGRP
 C. IS-IS
 D. BGP
 E. RIP

Answer: ADE

Community vote distribution


ADE (100%)
Q235 Topic 1

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the
SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the
SERVER zone to the DMZ on SSH only.
Which rule group enables the required traffic?
A.
B.

C.

D.

Answer: C

Q236 Topic 1

Which firewall feature do you need to configure to query Palo Alto Networks service updates
over a data-plane interface instead of the management interface?

 A. service route
 B. dynamic updates
 C. SNMP setup
 D. data redistribution

Answer: A

Community vote distribution


A (100%)
Q237 Topic 1
In order to fulfill the corporate requirement to backup the configuration of Panorama and the
Panorama-managed firewalls securely, which protocol should you select when adding a new
scheduled config export?

 A. HTTPS
 B. SMB v3
 C. SCP
 D. FTP

Answer: C

Community vote distribution


C (100%)
Q238 Topic 1

All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.

Complete the empty field in the Security policy using an application object to permit only this
type of access.

Source Zone: Internal
Destination Zone: DMZ Zone
Application: __________
Service: application-default
Action: allow

 A. Application = "any"
 B. Application = "web-browsing"
 C. Application = "ssl"
 D. Application = "http"

Answer: D

Community vote distribution


B (100%)
Q239 Topic 1

An administrator wants to prevent users from unintentionally accessing malicious domains
where data can be exfiltrated through established connections to remote systems.

From the Pre-defined Categories tab within the URL Filtering profile, what is the right
configuration to prevent such connections?

 A. Set the hacking category to continue.


 B. Set the phishing category to override.
 C. Set the malware category to block.
 D. Set the Command and Control category to block.

Answer: C

Community vote distribution


D (100%)
Q240 Topic 1

An administrator would like to follow the best-practice approach to log the traffic that traverses
the firewall.

What action should they take?

 A. Enable both Log at Session Start and Log at Session End.


 B. Enable Log at Session End.
 C. Enable Log at Session Start.
 D. Disable all logging options.

Answer: B

Community vote distribution


B (100%)
Q241 Topic 1

Which two protocols are available on a Palo Alto Networks Firewall Interface Management
Profile? (Choose two.)

 A. HTTPS
 B. RDP
 C. SCP
 D. SSH

Answer: AD

Community vote distribution


AD (100%)
Q242 Topic 1

A network administrator created an intrazone Security policy rule on the firewall. The source
zones were set to IT, Finance, and HR.

Which two types of traffic will the rule apply to? (Choose two.)

 A. traffic between zone IT and zone Finance


 B. traffic between zone Finance and zone HR
 C. traffic within zone IT
 D. traffic within zone HR

Answer: CD

Community vote distribution


CD (100%)
Q243 Topic 1

You receive notification about new malware that infects hosts through malicious files transferred
by FTP.

Which Security profile detects and protects your internal networks from this threat after you
update your firewall’s threat signature database?

 A. Data Filtering profile applied to outbound Security policy rules.


 B. Vulnerability Protection profile applied to outbound Security policy rules.
 C. URL Filtering profile applied to inbound Security policy rules.
 D. Antivirus profile applied to inbound Security policy rules.

Answer: A

Community vote distribution


D (90%)
10%
Q244 Topic 1

An administrator would like to override the default deny action for a given application, and
instead would like to block the traffic.

Which security policy action causes this?

 A. Drop
 B. Drop, send ICMP Unreachable
 C. Reset both
 D. Reset client

Answer: B

Community vote distribution


A (86%)
14%
Q245 Topic 1

What does an application filter help you to do?


 A. It dynamically shapes defined application traffic based on active sessions and
bandwidth usage.
 B. It dynamically filters applications based on critical, high, medium, low, or
informational severity.
 C. It dynamically groups applications based on application attributes such as category
and subcategory.
 D. It dynamically provides application statistics based on network, threat, and blocked
activity.

Answer: C

Community vote distribution


C (100%)
Q246 Topic 1

Which action can be set in a URL Filtering Security profile to provide users temporary access to
all websites in a given category using a provided password?

 A. continue
 B. override
 C. hold
 D. exclude

Answer: B

Community vote distribution


B (100%)
Q247 Topic 1

Which type of address object is www.paloaltonetworks.com?

 A. named address
 B. IP range
 C. FQDN
 D. IP netmask

Answer: C

Community vote distribution


C (100%)
Q248 Topic 1

What are the requirements for using Palo Alto Networks EDL Hosting Service?

 A. an additional paid subscription


 B. any supported Palo Alto Networks firewall or Prisma Access firewall
 C. a firewall device running with a minimum version of PAN-OS 10.1
 D. an additional subscription free of charge

Answer: B

Community vote distribution


B (100%)
Q249 Topic 1

What are two valid selections within an Antivirus profile? (Choose two.)

 A. deny
 B. drop
 C. block-ip
 D. default

Answer: BD

Community vote distribution


BD (100%)
Q250 Topic 1

Your company is highly concerned with their intellectual property being accessed by
unauthorized resources. There is a mature process to store and include metadata tags for all
confidential documents.

Which Security profile can further ensure that these documents do not exit the corporate
network?

 A. File Blocking
 B. Data Filtering
 C. Anti-Spyware
 D. URL Filtering

Answer: D

Community vote distribution


B (100%)
Q251 Topic 1

An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?


 A. Highlight Unused Rules is checked.
 B. There are seven Security policy rules on this firewall.
 C. The view Rulebase as Groups is checked.
 D. Eleven rules use the “Infrastructure” tag.

Answer: C

Community vote distribution


C (100%)
Q252 Topic 1

Prior to a maintenance-window activity, the administrator would like to make a backup of only
the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient
way to achieve this outcome?

 A. export named configuration snapshot


 B. save named configuration snapshot
 C. export device state
 D. save candidate config

Answer: A

Community vote distribution


A (100%)
Q253 Topic 1

DRAG DROP
-

Match each rule type with its example.


Answer:

Q254 Topic 1

What are the two default behaviors for the intrazone-default policy? (Choose two.)
 A. Allow
 B. Log at Session End
 C. Deny
 D. Logging disabled

Answer: AB

Community vote distribution


AD (100%)
Q255 Topic 1

Which statement is true regarding NAT rules?

 A. Translation of the IP address and port occurs before security processing.


 B. Firewall supports NAT on Layer 3 interfaces only.
 C. Static NAT rules have precedence over other forms of NAT.
 D. NAT rules are processed in order from top to bottom.

Answer: A

Community vote distribution


D (100%)
Q256 Topic 1

An administrator would like to block access to a web server, while also preserving resources and
minimizing half-open sockets.

What are two security policy actions the administrator can select? (Choose two.)

 A. Reset server
 B. Deny
 C. Drop
 D. Reset both

Answer: AC

Community vote distribution


AD (83%)
CD (17%)
Q257 Topic 1

An administrator wants to create a NAT policy to allow multiple source IP addresses to be
translated to the same public IP address.

What is the most appropriate NAT policy to achieve this?

 A. Static IP
 B. Destination
 C. Dynamic IP and Port
 D. Dynamic IP

Answer: C

Community vote distribution


C (100%)
Q258 Topic 1

What are three Palo Alto Networks best practices when implementing the DNS Security Service?
(Choose three.)

 A. Configure a URL Filtering profile


 B. Train your staff to be security aware.
 C. Plan for mobile-employee risk.
 D. Rely on a DNS resolver.
 E. Implement a threat intel program.

Answer: ADE

Community vote distribution


BCE (80%)
ACE (20%)
Q259 Topic 1

An administrator would like to see the traffic that matches the intrazone-default rule in the traffic
logs.

What is the correct process to enable this logging?

 A. Select the intrazone-default rule and click Override; on the Actions tab, select Log at
Session End and click OK.
 B. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at
Session End and click OK.
 C. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at
Session Start and click OK.
 D. This rule has traffic logging enabled by default; no further action is required.

Answer: A

Community vote distribution


A (100%)
Q260 Topic 1

What is a function of application tags?


 A. automated referenced applications in a policy
 B. application prioritization
 C. IP address allocations in DHCP
 D. creation of new zones

Answer: A

Community vote distribution


A (100%)
Q261 Topic 1

An administrator wants to filter access to www.paloaltonetworks.com via a custom URL
category.

Which syntax would match this?

 A. https://paloaltonetworks.com
 B. #.paloaltonetworks.com
 C. http://paloaltonetworks.com
 D. *.paloaltonetworks.com

Answer: D

Q262 Topic 1

What are two valid selections within an Anti-Spyware profile? (Choose two.)

 A. Random early drop


 B. Drop
 C. Deny
 D. Default

Answer: BD

Q263 Topic 1

What is a prerequisite before enabling an administrative account which relies on a local firewall
user database?

 A. Configure an authentication profile.


 B. Configure an authentication sequence.
 C. Isolate the management interface on a dedicated management VLAN.
 D. Configure an authentication policy.

Answer: A
Q264 Topic 1

Which Security policy set should be used to ensure that a policy is applied first?

 A. Local firewall policy


 B. Shared pre-rulebase
 C. Parent device-group pre-rulebase
 D. Child device-group pre-rulebase

Answer: B

Q265 Topic 1

An administrator is trying to implement an exception to an external dynamic list manually. Some
entries are shown underlined in red.

What would cause this error?

 A. Entries contain symbols.


 B. Entries are wildcards.
 C. Entries contain regular expressions.
 D. Entries are duplicated.

Answer: C

Q266 Topic 1

What can be achieved by disabling the Share Unused Address and Service Objects with Devices
setting on Panorama?

 A. Increase the per-firewall capacity for address and service objects


 B. Reduce the configuration and session synchronization time between HA pairs
 C. Increase the backup capacity for configuration backups per firewall
 D. Reduce the number of objects pushed to a firewall

Answer: D

Q267 Topic 1

Which Security profile can be used to detect and block compromised hosts from trying to
communicate with external command-and-control (C2) servers?

 A. URL Filtering
 B. Antivirus
 C. Vulnerability
 D. Anti-Spyware
Answer: D

Q268 Topic 1

An administrator is trying to enforce policy on some (but not all) of the entries in an external
dynamic list.

What is the maximum number of entries that can be excluded?

 A. 50
 B. 100
 C. 200
 D. 1,000

Answer: B

Q269 Topic 1

A website is unexpectedly allowed due to miscategorization.

What are two ways to resolve this issue for a proper response? (Choose two.)

 A. Create a URL category and assign the affected URL.
Update the active URL Filtering profile site access setting for the custom URL category
to block.
 B. Review the categorization of the website on https://urlfiltering.paloaltonetworks.com.
Submit for "request change", identifying the appropriate categorization, and wait for
confirmation before testing again.
 C. Identify the URL category being assigned to the website.
Edit the active URL Filtering profile and update that category's site access settings to
block.
 D. Create a URL category and assign the affected URL.
Add a Security policy with a URL category qualifier of the custom URL category below
the original policy.
Set the policy action to Deny.

Answer: BD

Q270 Topic 1

If the firewall interface E1/1 is connected to a SPAN or mirror port, which interface type should
E1/1 be configured as?

 A. Tap
 B. Virtual Wire
 C. Layer 2
 D. Layer 3

Answer: A

Q271 Topic 1

An administrator manages a network with 300 addresses that require translation. The
administrator configured NAT with an address pool of 240 addresses and found that connections
from addresses that needed new translations were being dropped.

Which type of NAT was configured?

 A. Dynamic IP
 B. Static IP
 C. Dynamic IP and Port
 D. Destination NAT

Answer: C

Q272 Topic 1

The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile
with customized privileges. In particular, the new EMEA Regional Panorama Administrator
should be able to:

Access only EMEA-Regional device groups with read-only privileges


Access only EMEA-Regional templates with read-only privileges

What is the correct configuration for the new EMEA Regional Panorama Administrator profile?

 A. Administrator Type = Device Group and Template Admin
Admin Role = EMEA_Regional_Admin_read_only
Access Domain = EMEA-Regional
 B. Administrator Type = Dynamic
Admin Role = Superuser (read-only)
 C. Administrator Type = Dynamic
Admin Role = Panorama Administrator
 D. Administrator Type = Custom Panorama Admin
Profile = EMEA Regional Admin_read_only

Answer: A

Q273 Topic 1

An administrator would like to reference the same address object in Security policies on 100
Panorama-managed firewalls, across 10 device groups and five templates.
Which configuration action should the administrator take when creating the address object?

 A. Ensure that Disable Override is cleared.


 B. Ensure that the Shared option is cleared.
 C. Ensure that the Shared option is checked.
 D. Tag the address object with the Global tag.

Answer: C

Q274 Topic 1

Which type of policy allows an administrator to both enforce rules and take action?

 A. Authentication
 B. Security
 C. NAT
 D. Decryption

Answer: A

Q275 Topic 1

With the DNS Security subscription, when will the cloud-based signature database provide users
access to newly added DNS signatures?

 A. Within five minutes, after downloading updates


 B. Instantly, after downloading updates
 C. Within five minutes, without downloading updates
 D. Instantly, without downloading updates

Answer: B

Q276 Topic 1

Why should a company have a File Blocking profile that is attached to a Security policy?

 A. To block uploading and downloading of any type of files


 B. To block uploading and downloading of specific types of files
 C. To detonate files in a sandbox environment
 D. To analyze file types

Answer: B

Q277 Topic 1
What can be used as match criteria for creating a dynamic address group?

 A. MAC addresses
 B. IP addresses
 C. Usernames
 D. Tags

Answer: D

Q278 Topic 1

An administrator is reviewing packet captures to troubleshoot a problem with an application, and
they observe TCP resets to the client and the server.

Which security policy action causes this?

 A. Drop
 B. Reset server
 C. Reset client
 D. Reset both

Answer: D

Q279 Topic 1

An administrator would like to protect against inbound threats such as buffer overflows and
illegal code execution.

Which Security profile should be used?

 A. Vulnerability protection
 B. Anti-spyware
 C. URL filtering
 D. Antivirus

Answer: B

Q280 Topic 1

An organization has some applications that are restricted for access by the Human Resources
Department only, and other applications that are available for any known user in the
organization.

What object is best suited for this configuration?

 A. Application Group
 B. Tag
 C. External Dynamic List
 D. Application Filter

Answer: A

Q281 Topic 1

Which two configurations does an administrator need to compare in order to see differences
between the active configuration and potential changes if committed? (Choose two.)

 A. Device state
 B. Active
 C. Candidate
 D. Running

Answer: CD

Q282 Topic 1

An administrator configured a Security policy rule where the matching condition includes a
single application and the action is set to deny.

What deny action will the firewall perform?

 A. Discard the session’s packets and send a TCP reset packet to let the client know the
session has been terminated
 B. Drop the traffic silently
 C. Perform the default deny action as defined in the App-ID database for the application
 D. Send a TCP reset packet to the client- and server-side devices

Answer: A

Q283 Topic 1

If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how
should a Security policy with App-ID be configured?

 A. Source Zone: Trusted
Destination Zone: DMZ
Services: SSH
Applications: Any
Action: Allow
 B. Source Zone: Trusted
Destination Zone: DMZ
Services: Application-Default
Applications: SSH
Action: Allow
 C. Source Zone: Trusted
Destination Zone: DMZ
Services: Application-Default
Applications: SSH
Action: Deny
 D. Source Zone: Trusted
Destination Zone: DMZ
Services: SSH
Applications: Any
Action: Deny

Answer: B

Q284 Topic 1

An administrator configured a Security policy rule with an Antivirus Security profile. The
administrator did not change the action for the profile.

If a virus gets detected, how will the firewall handle the traffic?

 A. It allows the traffic but generates an entry in the Threat logs.


 B. It drops the traffic because the profile was not set to explicitly allow the traffic.
 C. It allows the traffic because the profile was not set to explicitly deny the traffic.
 D. It uses the default action assigned to the virus signature.

Answer: D

Q285 Topic 1

An administrator needs to allow users to use only certain email applications.


How should the administrator configure the firewall to restrict users to specific email
applications?

 A. Create an application filter and filter it on the collaboration category.


 B. Create an application filter and filter it on the collaboration category, email
subcategory.
 C. Create an application group and add the email applications to it.
 D. Create an application group and add the email category to it.

Answer: C

Q286 Topic 1

DNS exceptions can be set under which Security profile?

 A. Data Filtering
 B. URL Filtering
 C. Anti-Spyware
 D. Antivirus

Answer: C

Q287 Topic 1

An administrator is troubleshooting an issue with an accounts payable application.

Which log setting could be temporarily configured to improve visibility?

 A. Log at Session Start and Log at Session End both enabled


 B. Log at Session Start and Log at Session End both disabled
 C. Log at Session Start enabled, Log at Session End disabled
 D. Log at Session Start disabled, Log at Session End enabled

Answer: A

Q288 Topic 1

By default, which action is assigned to the interzone-default rule?

 A. Allow
 B. Deny
 C. Reset-client
 D. Reset-server

Answer: B
Q289 Topic 1

What is the maximum volume of concurrent administrative account sessions?

 A. 2
 B. Unlimited
 C. 10
 D. 1

Answer: B

Q290 Topic 1

An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

 A. Rules without App Controls


 B. New App Viewer
 C. Rule Usage – Unused
 D. Unused Apps

Answer: B

Q291 Topic 1

Where within the firewall GUI can all existing tags be viewed?

 A. Policies > Tags


 B. Network > Tags
 C. Objects > Tags
 D. Monitor > Tags
Answer: C

Q292 Topic 1

What is the Anti-Spyware Security profile default action?

 A. Sinkhole
 B. Reset-client
 C. Drop
 D. Reset-both

Answer: C

Q293 Topic 1

To enable DNS sinkholing, which two addresses should be reserved? (Choose two.)

 A. MAC
 B. IPv6
 C. Email
 D. IPv4

Answer: BD

Q294 Topic 1

A NetSec manager was asked to create a new firewall administrator profile with customized
privileges. The new firewall administrator must be able to download TSF File and Stats Dump
File but must not be able to reboot the device.

Where does the NetSec manager go to configure the new firewall administrator role profile?

 A. Device > Admin Roles > Add > XML API > Configuration
 B. Device > Admin Roles > Add > XML API > Operational Request
 C. Device > Admin Roles > Add > Web UI > Support
 D. Device > Admin Roles > Add > Web UI > Operations

Answer: D

Q295 Topic 1

What must exist in order for the firewall to route traffic between Layer 3 interfaces?

 A. Virtual router
 B. Virtual wires
 C. Traffic Distribution profile
 D. VLANs

Answer: D

Q296 Topic 1

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using
Panorama?

 A. Panorama > Device Deployment > Dynamic Updates > Schedules > Add
 B. Panorama > Device Deployment > Content Updates > Schedules > Add
 C. Panorama > Dynamic Updates > Device Deployment > Schedules > Add
 D. Panorama > Content Updates > Device Deployment > Schedules > Add

Answer: B

Q297 Topic 1

In which threat profile object would you configure the DNS Security service?

 A. Antivirus
 B. Anti-Spyware
 C. WildFire
 D. URL Filtering

Answer: C

Q298 Topic 1

Which rule type is appropriate for matching traffic occurring within a specified zone?

 A. Universal
 B. Shadowed
 C. Intrazone
 D. Interzone

Answer: C

Q299 Topic 1

Which two matching criteria are used when creating a Security policy involving NAT? (Choose
two.)

 A. Pre-NAT address
 B. Post-NAT address
 C. Pre-NAT zone
 D. Post-NAT zone

Answer: AB

Q300 Topic 1

If a universal security rule was created for source zones A & B and destination zones A & B, to
which traffic would the rule apply?

 A. Some traffic between A & B


 B. Some traffic within A
 C. All traffic within zones A & B
 D. Some traffic within B

Answer: C

Q301 Topic 1

Which interface type requires no routing or switching but applies Security or NAT policy rules
before passing allowed traffic?

 A. Tap
 B. Virtual Wire
 C. Layer 2
 D. Layer 3

Answer: B

Community vote distribution


B (100%)
Q302 Topic 1

What is a valid Security Zone type in PAN-OS?

 A. Management
 B. Logical
 C. Transparent
 D. Tap

Answer: A

Community vote distribution


D (100%)
Q303 Topic 1

An administrator is creating a Security policy rule and sees that the destination zone is grayed
out.
While creating the rule, which option was selected to cause this?

 A. Interzone
 B. Source zone
 C. Universal (default)
 D. Intrazone

Answer: A

Community vote distribution


D (100%)
Q304 Topic 1

How many levels can there be in a device-group hierarchy, below the shared level?

 A. 2
 B. 3
 C. 4
 D. 5

Answer: D

Community vote distribution


C (100%)
Q305 Topic 1

Where in Panorama would Zone Protection profiles be configured?

 A. Templates
 B. Device Groups
 C. Shared
 D. Panorama tab

Answer: D

Community vote distribution


A (100%)
Q306 Topic 1

Which parameter is used to view the Security policy rulebase as groups?

 A. Tags
 B. Service
 C. Type
 D. Action
Answer: A

Community vote distribution


A (100%)
Q307 Topic 1

When a security rule is configured as Intrazone, which field cannot be changed?

 A. Destination Zone
 B. Actions
 C. Source Zone
 D. Application

Answer: A

Q308 Topic 1

An administrator is trying to understand which NAT policy is being matched.

In what order does the firewall evaluate NAT policies?

 A. Dynamic IP and Port first, then Static, and finally Dynamic IP


 B. From top to bottom
 C. Static NAT rules first, then lop down
 D. Static NAT rules first, then Dynamic

Answer: B

Q309 Topic 1

Which policy set should be used to ensure that a policy is applied just before the default security
rules?

 A. Shared post-rulebase
 B. Local firewall policy
 C. Parent device-group post-rulebase
 D. Child device-group post-rulebase

Answer: D

Community vote distribution


A (100%)
Q310 Topic 1

Which rule type is appropriate for matching traffic occurring within a specified zone?
How should the administrator configure the firewall to restrict users to specific email
applications?

 A. Create an application filter and filter it on the collaboration category.


 B. Create an application filter and filter it on the collaboration category, email
subcategory.
 C. Create an application group and add the email applications to it.
 D. Create an application group and add the email category to it.

Answer: B

Community vote distribution


C (100%)
Q311 Topic 1

Review the screenshot below. Based on the information it contains, which protocol decoder will
detect a machine-learning match, create a Threat log entry, and permit the traffic?

 A. smb
 B. imap
 C. ftp
 D. http2
Answer: D

Community vote distribution


B (100%)
Q312 Topic 1

An interface can belong to how many Security Zones?

 A. 1
 B. 2
 C. 3
 D. 4

Answer: A

Community vote distribution


A (100%)
Q313 Topic 1

What are the two types of Administrator accounts? (Choose two.)

 A. Role Based
 B. Superuser
 C. Dynamic
 D. Local

Answer: AD

Community vote distribution


AC (100%)
Q314 Topic 1

The Net Sec Manager asked to create a new Firewall Operator profile with customized
privileges.
In particular, the new firewall operator should be able to:

Check the configuration with read-only privilege for LDAP, RADIUS, TACACS+, and SAML
as Server profiles to be used inside an Authentication profile.

The firewall operator should not be able to access anything else.

What is the right path in order to configure the new firewall Administrator Profile?

 A. Device > Admin Roles > Add > Web UI > Device > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else
 B. Device > Admin Roles > Add > Web UI > Objects > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else
 C. Device > Admin Roles > Add > Web UI > Objects > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else
 D. Device > Admin Roles > Add > Web UI > Device > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else

Answer: D

Community vote distribution


A (100%)
Q315 Topic 1

Within the WildFire Analysis profile, which three items are configurable? (Choose three.)

 A. FileType
 B. Direction
 C. Service
 D. Application
 E. Objects

Answer: ACE

Community vote distribution


ABD (100%)
Q316 Topic 1

Which Security profile can be used to configure sinkhole IPs in the DNS Sinkhole settings?

 A. Vulnerability Protection
 B. Anti-Spyware
 C. Antivirus
 D. URL Filtering

Answer: B

Community vote distribution


B (100%)
Q317 Topic 1

Which three management interface settings must be configured for functional dynamic updates
and administrative access on a Palo Alto Networks firewall? (Choose three.)

 A. NTP
 B. IP address
 C. MTU
 D. DNS server
 E. service routes
Answer: ABD

Community vote distribution


BDE (55%)
ABD (45%)
Q318 Topic 1

How does the Policy Optimizer policy view differ from the Security policy view?

 A. It provides sorting options that do not affect rule order


 B. It specifies applications seen by rules
 C. It displays rule utilization
 D. It details associated zones

Answer: C

Community vote distribution


A (100%)
Q319 Topic 1

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the
DMZ zones. The administrator does not change the rule type from its default value.

What type of Security policy rule is created?

 A. Intrazone
 B. Interzone
 C. Universal
 D. Tagged

Answer: B

Community vote distribution


C (100%)
Q320 Topic 1

What do application filters help provide access to?

 A. Applications that are explicitly sanctioned for use within a company


 B. Applications that are not explicitly sanctioned and that a company wants users to be
able to access
 C. Applications that are explicitly unsanctioned for use within a company
 D. Applications that are not explicitly unsanctioned and that a company wants users to be
able to access

Answer: B
Q321 Topic 1

What is the function of an application group object?

 A. It contains applications that you want to treat similarly in policy


 B. It groups applications dynamically based on application attributes that you define
 C. It represents specific ports and protocols for an application
 D. It identifies the purpose of a rule or configuration object and helps you better organize
your rulebase

Answer: D

Community vote distribution


A (100%)
Q322 Topic 1

How would a Security policy need to be written to allow outbound traffic using Secure Shell
(SSH) to destination ports tcp/22 and tcp/4422?

 A. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin then creates a Security policy allowing application "ssh" and service "tcp-
4422".
 B. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422",
and service "application-default".
 C. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin also creates a custom service object named "tcp-22" with port tcp/22.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422",
and service "tcp-22".
 D. The admin creates a Security policy allowing application "ssh" and service
"application-default".

Answer: C

Community vote distribution


C (92%)
8%
Q323 Topic 1

Which type of DNS signatures are used by the firewall to identify malicious and command-and-
control domains?

 A. DNS Malicious signatures


 B. DNS Security signatures
 C. DNS Malware signatures
 D. DNS Block signatures
Answer: B

Community vote distribution


B (100%)
Q324 Topic 1

Which Security policy action will message a user's browser that their web session has been
terminated?

 A. Reset client
 B. Deny
 C. Drop
 D. Reset server

Answer: D

Community vote distribution


A (63%)
B (38%)
Q325 Topic 1

In order to protect users against exploit kits that exploit a vulnerability and then automatically
download malicious payloads, which Security profile should be configured?

A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus

Answer: C

Community vote distribution
C (100%)

Q326 Topic 1

Which verdict may be assigned to a WildFire sample?

A. Phishing
B. Spyware
C. PUP
D. Malware

Answer: D

Community vote distribution
A (100%)

Q327 Topic 1

To protect against illegal code execution, which Security profile should be applied?

A. Antivirus profile on allowed traffic
B. Antivirus profile on denied traffic
C. Vulnerability Protection profile on allowed traffic
D. Vulnerability Protection profile on denied traffic

Answer: D

Community vote distribution
C (100%)

Q328 Topic 1

Which three types of entries can be excluded from an external dynamic list? (Choose three.)

A. IP addresses
B. Applications
C. User-ID
D. Domains
E. URLs

Answer: ADE

Community vote distribution
ADE (100%)

Q329 Topic 1

The Administrator profile “PCNSA Admin” is configured with an Authentication profile
“Authentication Sequence PCNSA”.
The Authentication Sequence PCNSA has a profile list with four Authentication profiles:

• Auth Profile LDAP
• Auth Profile Radius
• Auth Profile Local
• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still
reachable but has lost the “PCNSA Admin” username and password.

Which option describes the “PCNSA Admin” login capabilities after the outage?

A. Auth OK because of the Auth Profile TACACS
B. Auth KO because RADIUS server lost user and password for PCNSA Admin
C. Auth OK because of the Auth Profile Local
D. Auth KO because LDAP server is not reachable

Answer: D

Community vote distribution
C (100%)

Q330 Topic 1

By default, which action is assigned to the intrazone-default rule?

A. Reset-client
B. Reset-server
C. Deny
D. Allow

Answer: D

Q331 Topic 1

A Panorama administrator would like to create an address object for the DNS server located in
the New York City office, but does not want this object added to the other Panorama managed
firewalls.

Which configuration action should the administrator take when creating the address object?

A. Tag the address object with the New York Office tag.
B. Ensure that Disable Override is cleared.
C. Ensure that the Shared option is checked.
D. Ensure that the Shared option is cleared.

Answer: D

Q332 Topic 1

An administrator is troubleshooting an issue with traffic that matches the interzone-default rule,
which is set to default configuration.

What should the administrator do?

A. Change the logging action on the rule
B. Tune your Traffic Log filter to include the dates
C. Refresh the Traffic Log
D. Review the System Log

Answer: D

Q333 Topic 1

What is the default action for the SYN Flood option within the DoS Protection profile?

A. Reset-client
B. Alert
C. Sinkhole
D. Random Early Drop

Answer: D

Q334 Topic 1

Application groups enable access to what?

A. Applications that are explicitly unsanctioned for use within a company
B. Applications that are not explicitly unsanctioned and that an administrator wants users to be able to access
C. Applications that are explicitly sanctioned for use within a company
D. Applications that are not explicitly sanctioned and that an administrator wants users to be able to access

Answer: C

Q335 Topic 1

Where does a user assign a tag group to a policy rule in the policy creation window?

A. General tab
B. Usage tab
C. Application tab
D. Actions tab

Answer: B

Q336 Topic 1

What is used to monitor Security policy applications and usage?

A. Security profile
B. App-ID
C. Policy-based forwarding
D. Policy Optimizer

Answer: D

Q337 Topic 1

What is considered best practice with regards to committing configuration changes?

A. Wait until all running and pending jobs are finished before committing.
B. Export configuration after each single configuration change performed.
C. Validate configuration changes prior to committing.
D. Disable the automatic commit feature that prioritizes content database installations before committing.

Answer: C

Q338 Topic 1

Which Security profile generates an alert based on a threshold when the action is set to Alert?

A. Vulnerability Protection
B. Antivirus
C. DoS protection
D. Anti-Spyware

Answer: A

Q339 Topic 1

Given the network diagram, which two statements are true about traffic between the User and
Server networks? (Choose two.)

A. Traffic is permitted through the default Intrazone “allow” rule.
B. Traffic restrictions are not possible because the networks are in the same zone.
C. Traffic is permitted through the default Interzone “allow” rule.
D. Traffic restrictions are possible by modifying Intrazone rules.

Answer: AD

Q340 Topic 1

Which setting is available to edit when a tag is created on the local firewall?

A. Color
B. Location
C. Order
D. Priority

Answer: D

Q341 Topic 1

With the PAN-OS 11.0 Nova release, which two attack options can new inline deep learning
analysis engines detect and prevent? (Choose two.)

A. Command injection attacks
B. SSL attacks
C. SQL injection attacks
D. HTTP attacks

Answer: C

Q342 Topic 1

Which profile must be applied to the Security policy rule to block spyware on compromised
hosts from trying to phone-home or beacon out to external command-and-control (C2) servers?

A. Anti-spyware
B. File blocking
C. WildFire
D. URL filtering

Answer: D

Q343 Topic 1

Which feature dynamically analyzes and detects malicious content by evaluating various web
page details using a series of machine learning (ML) models?

A. Antivirus Inline ML
B. URL Filtering Inline ML
C. Anti-Spyware Inline ML
D. WildFire Inline ML

Answer: B

Q344 Topic 1

An administrator is troubleshooting an issue with Office365 and expects that this traffic traverses
the firewall.

When reviewing Traffic Log entries, there are no logs matching traffic from the test workstation.
What might cause this issue?

A. Office365 traffic is logged in the System Log.
B. Office365 traffic is logged in the Authentication Log.
C. Traffic matches the interzone-default rule, which does not log traffic by default.
D. The firewall is blocking the traffic, and all blocked traffic is in the Threat Log.

Answer: C

Q345 Topic 1

When creating an address object, which option is available to select from the Type drop-down
menu?

A. IPv6 Address
B. IP Netmask
C. IPv4 Address
D. IP Address Class

Answer: B

Q346 Topic 1

Ethernet 2/1 has an IP Address of 10.0 1 2 in Zone ‘trust’ (LAN).

If both interfaces are connected to the same virtual router, which IP address information will an
administrator need to enter in the Destination field to access the internet?

A. 0.0.0.0
B. 10.0.2.1/32
C. 10.0.1.254/32
D. 0.0.0.0/0

Answer: A

Q347 Topic 1

Where within the URL Filtering security profile must a user configure the action to prevent
credential submissions?

A. URL Filtering > Categories
B. URL Filtering > URL Filtering Settings
C. URL Filtering > Inline Categorization
D. URL Filtering > HTTP Header Insertion

Answer: B

Q348 Topic 1

Which Security profile must be added to Security policies to enable DNS Signatures to be
checked?

A. URL Filtering
B. Vulnerability Protection
C. Anti-Spyware
D. Antivirus

Answer: C

Q349 Topic 1

Which two Security profile actions can only be applied to DoS Protection profiles? (Choose
two.)

A. Reset-server
B. Reset-both
C. SYN cookies
D. Random Early Drop

Answer: CD

Q350 Topic 1

Where can you apply URL Filtering policy in a Security policy rule?

A. Within the applications selection
B. Within a destination address
C. Within a service type
D. Within the actions tab

Answer: D

Q351 Topic 1

Which interface types are assigned to IEEE 802.1Q VLANs?

A. Tunnel interfaces
B. Layer 2 subinterfaces
C. Layer 3 subinterfaces
D. Loopback interfaces

Answer: C

Q352 Topic 1

Which three factors can be used to create malware based on domain generation algorithms?
(Choose three.)

A. Time of day
B. URL custom categories
C. Other unique values
D. Cryptographic keys
E. IP address

Answer: ACD

Q353 Topic 1

Which action column is available to edit in the Action tab of an Antivirus security profile?

A. Virus
B. Signature
C. Spyware
D. Trojan

Answer: A

Q354 Topic 1

Given the detailed log information above, what was the result of the firewall traffic inspection?

A. It denied the category DNS phishing.
B. It denied the traffic because of unauthorized attempts.
C. It was blocked by the Anti-Virus Security profile action.
D. It was blocked by the Anti-Spyware Profile action.

Answer: D

Q355 Topic 1

When configuring a security policy, what is a best practice for User-ID?

A. Use only one method for mapping IP addresses to usernames.
B. Allow the User-ID agent in zones where agents are not monitoring services.
C. Limit User-ID to users registered in an Active Directory server.
D. Deny WMI traffic from the User-ID agent to any external zone.

Answer: D

Q356 Topic 1

What are three DNS policy actions? (Choose three.)

A. Block
B. Allow
C. Strict
D. Sinkhole
E. Alert

Answer: AD

Q357 Topic 1

Which System log severity level would be displayed as a result of a user password change?

A. Low
B. Medium
C. High
D. Critical

Answer: B

Q358 Topic 1

An administrator would like to block traffic to all high risk audio streaming applications,
including new App-IDs introduced with content updates.

Which filter should the administrator configure in the application filter object?

A. The category is media, and the characteristic includes Evasive.
B. The subcategory is audio-streaming, and the risk is 1.
C. The subcategory is audio-streaming, and the risk is 5.
D. The category is media, and the tag is high risk.

Answer: C

Q359 Topic 1

An administrator receives a notification about new malware that is being used to attack hosts.
The malware exploits a software bug in a common application.

Which Security Profile will detect and block access to this threat after the administrator updates
the firewall's threat signature database?

A. Vulnerability Profile applied to inbound Security policy rules
B. Antivirus Profile applied to outbound Security policy rules
C. Data Filtering Profile applied to outbound Security policy rules
D. Data Filtering Profile applied to inbound Security policy rules

Answer: A

Q360 Topic 1

The NetSec Manager asked to create a new firewall Local Administrator profile with customized
privileges named New_Admin. This new administrator has to authenticate without inserting any
username or password to access the WebUI.

What steps should the administrator follow to create the New_Admin Administrator profile?

A. 1. Set the Authentication profile to Local.
   2. Select the "Use only client certificate authentication" check box.
   3. Set Role to Role Based.
B. 1. Select the "Use only client certificate authentication" check box.
   2. Set Role to Dynamic.
   3. Issue to the Client a Certificate with Certificate Name = New Admin
C. 1. Select the "Use only client certificate authentication" check box.
   2. Set Role to Dynamic.
   3. Issue to the Client a Certificate with Common Name = New_Admin
D. 1. Select the "Use only client certificate authentication" check box.
   2. Set Role to Role Based.
   3. Issue to the Client a Certificate with Common Name = New Admin

Answer: D

Q361 Topic 1

Which Security profile prevents users from submitting valid corporate credentials online?

A. WildFire
B. URL filtering
C. Advanced threat prevention
D. SSL decryption

Answer: B

Q362 Topic 1

Which two statements apply to an Advanced Threat Prevention subscription? (Choose two.)

A. It contains all the features already in a Threat Prevention subscription.
B. It provides the ability to identify evasive and previously unseen command-and-control (C2) threats.
C. When it is active, a WildFire profile is no longer needed.
D. Due to its more advanced signatures, it provides the ability to identify new threats.

Answer: AB

Q363 Topic 1

With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability
security profile?

A. Vulnerability Exceptions
B. Advanced Rules
C. Inline Cloud Analysis
D. WildFire Inline ML

Answer: A

Q364 Topic 1

DRAG DROP -

Drag the steps into the correct order to create a static route.

Answer:

Q365 Topic 1

What are the two ways to implement an exception to an external dynamic list? (Choose two.)

A. Edit the external dynamic list by removing the entries to exclude.
B. Select the entries to exclude from the List Entries list.
C. Manually add an entry to the Manual Exceptions list.
D. Edit the external dynamic list by adding the “-” symbol before the entries to exclude.

Answer: AC

Q366 Topic 1

An administrator needs to create a Security policy rule that matches DNS traffic sourced from
either the LAN or VPN zones, destined for the DMZ or Untrust zones.

The administrator does not want to match traffic where the source and destination zones are
LAN, and also does not want to match traffic where the source and destination zones are VPN.

Which Security policy rule type should they use?

A. Interzone
B. Universal
C. Intrazone
D. Default

Answer: B

Q367 Topic 1

An administrator is reviewing the Security policy rules shown in the screenshot.

Why are the two fields in the Security policy EDL-Deny highlighted in red?

A. Because antivirus inspection is enabled for this policy
B. Because the destination zone, address, and device are all "any"
C. Because the action is Deny
D. Because the Security-EDL tag has been assigned the red color

Answer: D

Q368 Topic 1

What are two differences between an application group and an application filter? (Choose two.)

A. Application groups enable access to sanctioned applications explicitly, while application filters enable access to sanctioned applications implicitly.
B. Application groups are static, while application filters are dynamic.
C. Application groups dynamically group applications based on attributes, while application filters contain applications that are statically grouped.
D. Application groups can be added to application filters, while application filters cannot be added to application groups.

Answer: AB

Q369 Topic 1

An administrator reads through the following Applications and Threats Content Release Notes
before an update:

Which rule would continue to allow the file upload to confluence after the update?

A.
B.
C.
D.

Answer: B

Q370 Topic 1

Which two events can be found in data-filtering logs? (Choose two.)

A. Specific users attempting to authenticate
B. Sensitive information attempting to exit the network
C. An unsuccessful attempt to establish a TLS session
D. A download attempt of a blocked file type

Answer: BD

Q371 Topic 1

Which statement applies to the Intrazone Security policy rule?

A. The traffic within the same security zone will not be allowed.
B. It requires a Zone Protection profile to be applied.
C. It applies regardless of whether it is from the same security zone or a different one.
D. It applies to all matching traffic within the specified source security zones.

Answer: D

Q372 Topic 1

Review the screenshot below. Which statement is correct about the information it contains?

A. Highlight Unused Rules is checked.
B. Tunnel Traffic has the High Risk tag applied.
C. There are six Security policy rules on this firewall.
D. View Rulebase as Groups is checked.

Answer: D

Q373 Topic 1

An administrator wants to enable users to access retail websites that are considered minimum
risk.

Which two URL categories should be combined in a custom URL category to accomplish this
goal? (Choose two.)

A. e-commerce
B. known-good
C. shopping
D. low-risk

Answer: AC

Q374 Topic 1

What are three advantages of user-to-group mapping? (Choose three.)

A. It does not require additional objects to be configured.
B. It does not require a Server profile.
C. It simplifies user administration.
D. It automatically adds new users to the appropriate group.
E. It allows an administrator to write more granular policies.

Answer: CDE

Q375 Topic 1

Which situation is recorded as a system log?

A. A connection with an authentication server has been dropped.
B. A file that has been analyzed is potentially dangerous for the system.
C. An attempt to access a spoofed website has been blocked.
D. A new asset has been discovered on the network.

Answer: A

Q376 Topic 1

Within an Anti-Spyware security profile, which tab is used to enable machine learning based
engines?

A. Signature Policies
B. Signature Exceptions
C. Machine Learning Policies
D. Inline Cloud Analysis

Answer: D

Q377 Topic 1

Which two statements correctly describe how pre-rules and local device rules are viewed and
modified? (Choose two.)

A. Pre-rules can be modified by the local administrator or by a Panorama administrator who has switched to a local firewall.
B. Pre-rules and local device rules can be modified in Panorama.
C. Pre-rules can be viewed on managed firewalls.
D. Pre-rules are modified in Panorama only, and local device rules are modified on local firewalls only.

Answer: CD

Q378 Topic 1

The administrator profile "SYS01 Admin" is configured with authentication profile
"Authentication Sequence SYS01," and the authentication sequence SYS01 has a profile list with
four authentication profiles:

• Auth Profile LDAP
• Auth Profile Radius
• Auth Profile Local
• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still
reachable but has lost the "SYS01 Admin" username and password.

What is the "SYS01 Admin" login capability after the outage?

A. Auth KO because RADIUS server lost user and password for SYS01 Admin
B. Auth OK because of the Auth Profile TACACS
C. Auth OK because of the Auth Profile Local
D. Auth KO because LDAP server is not reachable

Answer: C

Q379 Topic 1

Which three types of Source NAT are available to users inside a NGFW? (Choose three.)

A. Static Port
B. Dynamic IP and Port (DIPP)
C. Dynamic IP
D. Static IP and Port (SIPP)
E. Static IP

Answer: BCE

Q380 Topic 1

What are the two main reasons a custom application is created? (Choose two.)

A. To change the default categorization of an application
B. To visually group similar applications
C. To correctly identify an internal application in the traffic log
D. To reduce unidentified traffic on a network

Answer: CD

Q381 Topic 1

By default, what is the maximum number of templates that can be added to a template stack?

A. 6
B. 8
C. 10
D. 12

Answer: B

Q382 Topic 1

What does rule shadowing in Security policies do?

A. It shows rules with the same Source Zones and Destination Zones.
B. It indicates that a broader rule matching the criteria is configured above a more specific rule.
C. It indicates rules with App-ID that are not configured as port-based.
D. It shows rules that are missing Security profile configurations.

Answer: B

Q383 Topic 1

Which two types of profiles are needed to create an authentication sequence? (Choose two.)

A. Security profile
B. Authentication profile
C. Server profile
D. Interface Management profile

Answer: BC

Q384 Topic 1

Which order of steps is the correct way to create a static route?

A. 1) Enter the route and netmask
   2) Specify the outgoing interface for packets to use to go to the next hop
   3) Enter the IP address for the specific next hop
   4) Add an IPv4 or IPv6 route by name
B. 1) Enter the IP address for the specific next hop
   2) Add an IPv4 or IPv6 route by name
   3) Enter the route and netmask
   4) Specify the outgoing interface for packets to use to go to the next hop
C. 1) Enter the route and netmask
   2) Enter the IP address for the specific next hop
   3) Specify the outgoing interface for packets to use to go to the next hop
   4) Add an IPv4 or IPv6 route by name
D. 1) Enter the IP address for the specific next hop
   2) Enter the route and netmask
   3) Add an IPv4 or IPv6 route by name
   4) Specify the outgoing interface for packets to use to go to the next hop

Answer: C

Q385 Topic 1

Which two actions are needed for an administrator to get real-time WildFire signatures? (Choose
two.)

A. Enable Dynamic Updates.
B. Obtain a Threat Prevention subscription.
C. Obtain a WildFire subscription.
D. Move within the WildFire public cloud region.

Answer: AC

Q386 Topic 1

Which two features implement one-to-one translation of a source IP address while allowing the
source port to change? (Choose two.)

A. Dynamic IP
B. Dynamic IP and Port (DIPP)
C. Static IP
D. Dynamic IP / Port Fallback

Answer: AC

Q387 Topic 1

What are three ways application characteristics are used? (Choose three.)

A. As a setting to define a new custom application
B. As a global filter in the Application Command Center (ACC)
C. As an attribute to define an application group
D. As an object to define Security policies
E. As an attribute to define an application filter

Answer: ABE

Q388 Topic 1

In which two Security Profiles can an action equal to the block IP feature be configured?
(Choose two.)

A. Antivirus
B. URL Filtering
C. Vulnerability Protection
D. Anti-spyware

Answer: AD

Q389 Topic 1

When is an event displayed under threat logs?

A. When traffic matches a corresponding Security Profile
B. When traffic matches any Security policy
C. Every time a session is blocked
D. Every time the firewall drops a connection

Answer: A

Q390 Topic 1

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?

A. Network
B. Policies
C. Objects
D. Device

Answer: C
