Palo Alto Questions and Answers Graded A+

Palo Alto Questions and Answers Graded A+ Which feature can be configured to block sessions that the firewall cannot decrypt? Decryption profile in decryption policy What is default setting for "Action" in a decryption policy rule? No-decrypt Which type of Next Generation Firewall decryption inspects SSL traffic between an internal host and an external web server? SSL Forward Proxy When SSL encrypted traffic first arrives at the Next Generation Firewall, which technology initially identifies the application as web-browsing? App-ID On the Next Generation Firewall, which is the first configuration step for SSL Forward Proxy decryption? Forward Trust Certificate Which type of Next Generation Firewall decryption inspects SSL traffic coming from external users to internal servers? SSL Inbound Inspection True or False. In the Next Generation Firewall, even if the Decryption policy rule action is "no-decrypt," the Decryption Profile attached to the rule can still be configured to block sessions with expired or untrusted certificates. True On the Next Generation firewall, what type of security profile detects infected files being transferred with the application? Anti-Virus Which WildFire verdict includes viruses, worms, trojans, remote access tools, rootkits, and botnets? Malware Without a Wildfire subscription, which of the following files can be submitted by the Next Generation FIrewall to the hosted Wildfire virtualized sandbox? PE Files Only In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for Wildfire updates? 5 Minutes Which CLI command is used to verify successful file uploads to WildFire? debug wildfire upload-log show Which WildFire verdict indicates no security threat but might display obtrusive behavior? Grayware True or False. If a file type is matched in the File Blocking Profile and WildFire Analysis Profile, and if the File Blocking Profile action is set to "block," then the file is not forwarded to WildFire. True What are two sources of information for determining whether the Next Generation firewall has been successful in communication with an external User-ID Agent? System logs and the indicator light under the User-ID Agent settings in the firewall For the Palo Alto Networks Next Generation Firewall to access a Global Catalog server, LDAP must be set to communicate with which port? 3268 Which Palo alto Networks User-ID component runs on Microsoft and Citrix terminal servers? Palo Alto Networks Terminal Services agent Which User-ID component and mapping method is recommended for web clients that do not use the domain server? Captive Portal Which port does the Palo Alto Networks Windows-based User-ID agent use by default? TCP port 5007 What options are available for selecting users for a security policy on the Next Generation firewall? Known-user, Pre-logon, Unknown-user The User-ID feature identifies the user and IP address of the computer the user is logged into for Next Generation firewall policy enforcement. True In which Palo Alto Networks GlobalProtect client connection method does the user explicitly initiate the connection? On-demand Which Palo Alto Networks GlobalProtect component is responsible for coordinating communications and interaction between all other GlobalProtect components? Portal Which Palo Alto Networks GlobalProtect deployment component provides security enforcement for traffic from GlobalProtect agents and applications? Gateway On a Palo Alto Networks Firewall, what is the maximum number of IPsec tunnels that can be associated with a tunnel interface? 10 What three basic requirements are necessary to create a VPN in the Next Generation firewall? Configure the IPSec tunnel, Add a static route, Create the tunnel interface True or False. In the Palo Alto Networks GlobalProtect connection sequence, there is direct communication among gateways or between gateways and portals. False Virtual Private Networks (VPNs) allow systems to connect securely over public networks as if they were connecting over a Local Area Network (LAN). True In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display? Global What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth? Application Command Center (ACC) What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)? Threat Activity, Blocked Activity, Network Traffic When using config audit to compare configuration files on a Next Generation firewall, what does the yellow indication reveal? Change In the Palo Alto Networks Firewall WebUI, which type of report can be compiled into a single emailed PDF? Group On the Palo Alto Networks Next Generation Firewall, which is the default port for transporting Syslog traffic? 6514 What is the prerequisite for configuring a pair of Next Generation firewalls in an Active/Passive High Availability (HA) pair? The firewalls must have the same set of licenses The firewalls in an HA pair can be assigned a Device Priority value to indicate a preference for which firewall should assume the active role. If you need to designate a specific firewall in the HA pair as the active firewall, you must enable the preemptive behavior on both the firewalls and assign a Device Priority value for each firewall. The firewall with which Device Priority value is designated as the higher priority and active firewall? Lower During which Palo Alto Networks Active/Passive Firewall Sate is normal traffic discarded? Passive During the Palo Alto Networks Active/Passive HA Pair Start-Up, the firewall remains in the INITIAL state after boot-up until it discovers a peer and negotiations begin. After how long of a timeout does the firewall become ACTIVE if HA negotiation has not started? 60-second Which Palo Alto Networks High Availability configuration is not designed to increase throughput? Active/Active What mechanism on a Next Generation firewall is used to trigger a High Availability failover if the interface goes down? Link monitoring True or False. To enable High Availability on a Palo Alto Networks device, both firewalls must be the same model. True If the admin username and password is known, what command is used to reset the system to factory default? Request System private-data-reset