PAN-OS Features - Test Out

Several questions covering App-ID, User-ID, firewall deployment, Quantum, passwordless authentication, and features included in PAN-OS 12.1 Orion. All of this is free to learn from the Features Module at learn.paloaltonetworks.com.
A free account is required to view The Learning Center.

What can the use of User-ID data redistribution do for XenoGenic?

  • Enforce user-based policies when users rely on local sources for authentication.
  • Enable connections to source devices based on either the serial number or the host and port numbers.
  • Streamline resource utilization by configuring one or more firewalls to collect mapping information through redistribution.
  • Ensure that each firewall can receive mapping information and authentication timestamps from up to 100 redistribution points.

What does the Log Setting parameter in each Security Policy rule determine?

  • The size of the logs.
  • The application type or the IP address of an attacker.
  • Whether the rule-matching traffic is logged to the Traffic log.
  • The timestamp of system events on the firewall or network traffic events.

What is the main function of an Interface Management Profile?

  • To define the IP addresses of management traffic
  • To restrict management traffic to one or more specific IP addresses
  • To configure Layer 3 subinterfaces and logical interfaces like VLAN, loopback, and tunnel interfaces
  • To enable a Layer 3 interface to carry management traffic by defining protocols, services, and IP addresses that an in-band firewall interface allows

An engineer at XenoGenic is confused about the options available for SSL Decryption on the NGFW. Which nodes does an SSL Forward Proxy make secure?

  • Known URLs by inspecting the SSL certificate
  • Servers and clients by identifying applications
  • Servers and applications by decrypting and inspecting traffic coming in from the internet
  • Known clients and host machines by decrypting and inspecting traffic going out to the internet

The engineers at XenoGenic have asked you for additional information about network address translation (NAT). What are the three types of Source NAT that a Palo Alto Networks firewall supports?

  • Static IP, Dynamic IP, and Dynamic IP and Port (DIPP)
  • Static Port, Dynamic Port, and Dynamic Port and IP (DPIP)
  • Static Address, Dynamic Address, and Dynamic Address and Port (DAP)
  • Static Interface, Dynamic Interface, and Dynamic Interface and Port (DIP)

XenoGenic is assessing the importance of monitoring internal traffic (East-West). Which statement is true about internal traffic?

  • Internal traffic does not require any visibility or monitoring.
  • By default, the intrazone default policy blocks traffic, with no logging and no Security Profiles assigned.
  • Neither client-side Vulnerability Protection nor server-side Vulnerability Protection is relevant for internal traffic.
  • You can enhance the visibility and security of internal traffic by applying Security Profiles that alert for any threats detected and enabling logging.

XenoGenic is deciding how to schedule and use dynamic updates for NGFW signatures. Which statement best describes the Application Availability approach to a dynamic-updates strategy?

  • Changes are implemented only after an administrator has assessed any potential impact.
  • Signatures are downloaded and installed promptly after their release to ensure maximum security.
  • Changes in application signatures are automatically overridden so that they do not impact traffic matching logic.

XenoGenic would like you to explain App-ID in more detail. What is the function of the ‘application-default’ setting in a firewall’s security policy?

  • To allow access to an application only on its standard ports as defined by Palo Alto Networks
  • To match the associated policy rule to all TCP or UDP ports from 1 to 65535 to maximize application access
  • To allow SSH traffic and SSH-tunnel traffic regardless of the destination port that SSH applications may try to use
  • To require the administrator to define a new service under Objects > Services and specify the protocol and one or more TCP or UDP ports

You need to explain the components of User-ID to the engineers at XenoGenic. Where does a PAN-OS Integrated User-ID Agent run and what does it do?

  • It runs in the cloud and collects IP-address-to-username information.
  • It runs on the firewall and collects IP-address-to-username information.
  • It runs on a domain member, collects IP-address-to-username information, and sends this information to the firewall.
  • It runs on Microsoft and Citrix terminal servers, collects IP-address-to-username information, and sends this information to the firewall.

XenoGenic needs to track all changes made to devices in their network. Where can you find details about all changes made to the running configuration of the firewall?

  • Active Directory
  • Configuration log
  • Admin role profiles
  • Vendor-Specific Attributes (VSA) list

XenoGenic wants to take advantage of User-ID across their locations and would like to know more about User-ID redistribution. What is the role of User-ID redistribution in a network with multiple firewalls?

  • It ensures that sessions are synchronized across all firewalls.
  • It helps to share IP-to-user mappings from one firewall to another.
  • It ensures that all firewalls have the same policy enforcement rules.
  • It allows users to connect through different firewalls to the same resources.

XenoGenic uses SNMP to monitor network devices. Which action can PAN-OS software take when working with SNMP servers?

  • Send SNMP SET messages to the SNMP server.
  • Send SNMP GET messages to the SNMP server.
  • Respond to SNMP SET messages from the SNMP server.
  • Respond to SNMP GET messages from the SNMP server.

XenoGenic has many IoT devices. What can they use Device-ID on a firewall or in Panorama to do?

  • Provide user-based policy and app-based policy rules.
  • Identify devices and obtain policy rule recommendations for those devices.
  • Update outdated operating software on devices connected to the network.
  • Support a Bring Your Own Device (BYOD) policy in corporate environments.

One of the network architects with XenoGenic has asked you to explain the benefits of configuring User-ID on the NGFW. Which feature can they implement with User-ID specifically to enhance user identity protection?

  • Captive Portal
  • Credential phishing prevention
  • Dynamic IP address allocation
  • Role-based access control (RBAC)

XenoGenic engineers have asked you about App-ID. What is Palo Alto Networks' definition of an application?

  • A tool or service that must be allowed for business purposes
  • A service that might need to be blocked or controlled for personal use
  • A specific program or feature whose communication can be labeled, monitored, and controlled
  • A program that is delivered through a web browser, a client-server model, or a decentralized peer-to-peer design

A XenoGenic engineer has asked you what happens to the running configuration on a Palo Alto Networks firewall when an administrator commits changes made to the candidate configuration. Which statement is accurate?

  • The running configuration in control-plane memory is pushed to data-plane memory, where it is used to inspect and control traffic traversing the firewall.
  • The changes are saved to the running configuration in control-plane and data-plane memory, and a date and timestamped version of the running configuration is created.
  • The changes are saved to the candidate configuration in control-plane and data-plane memory, and a date and timestamped version of the candidate configuration is created.
  • The running configuration in control-plane and data-plane memory is overwritten with the changes made to the candidate configuration, and a date and timestamped version of the running configuration is created.

XenoGenic will be implementing a high-availability (HA) infrastructure. Which statement is true about the HA links in an Active/Passive HA pair?

  • Data flow on the Data Link is bidirectional.
  • The Control Link and Data Link do not require an IP address.
  • The Data Link is used to synchronize sessions, forwarding tables, IPsec security associations, and ARP tables.
  • The Control Link is used to synchronize sessions, forwarding tables, IPsec security associations, and ARP tables.

There are several individual IP addresses that engineers at XenoGenic want to block. Which approach to blocking traffic to specific IP addresses is a valid option?

  • Create Address Objects and set them to block.
  • Select all IP addresses in a geographic region and set the group to block.
  • Create a Deny Security policy rule and add entries under the Source tab in the Source Address section.
  • Create a Deny Security policy rule and add entries under the Destination tab in the Destination Address section.

You are explaining the benefits of URL Filtering to XenoGenic engineers. Which statement about PAN-OS URL Filtering capability is true?

  • The firewall requires a nightly download of a URL Filtering file for updates.
  • URL categories can be used in Authentication, Decryption, QoS, and Security policies.
  • The firewall cannot apply URL filtering to SSL encrypted traffic unless it is decrypted.
  • You can only create custom URL categories if the firewall has a URL Filtering license.

Which configuration on the firewall can XenoGenic use to specify destination hosts for which connections will NOT be decrypted by their SSL Decryption implementation?

  • SSL Profile List
  • Known Bad URL List
  • SSL Decryption Exclusion List
  • Online Certificate Status Protocol (OCSP) List

Which setting is the default for logging session information in the Traffic log?

  • Log at session start.
  • Log at session end.
  • Log at both session start and session end.
  • Do not log at all.

XenoGenic engineers need more information about Packet Buffer Protection. What is the purpose of Packet Buffer Protection in a firewall?

  • To protect the firewall from multi-session DoS attacks by monitoring sessions across all zones
  • To initiate logging and packet dropping when 50 percent of the firewall’s storage capacity is used
  • To place a session in the discard state if the firewall cannot reduce packet buffer use below the Activate threshold
  • To prevent a single session from a single source from overwhelming the firewall packet buffer by sending multiple packets

You are explaining Decryption on the NGFW and an ABC network architect has asked “What happens when a firewall using SSL Forward Proxy cannot verify a server certificate?” Which answer to this question is correct?

  • The firewall allows the connection immediately.
  • The firewall re-issues its own handshake request to the server.
  • The firewall signs the server certificate with a forward untrust certificate.
  • The firewall uses a common CA to validate the certificate and the identity of the server.

How can the use of Multi-Factor Authentication (MFA) prevent the use of stolen credentials to access XenoGenic’s network resources?

  • MFA allows users to authenticate just once a day, reducing the chance of attackers intercepting valid credentials.
  • MFA relies on something the user knows, such as a username and password, which attackers cannot easily steal.
  • MFA requires the user or an attacker to present two or more forms of user credentials, making unauthorized access more difficult.
  • MFA challenges are based on the sensitivity of the information stored on the network resource, making it unattractive for attackers.

You are introducing the concept of Security Profiles to XenoGenic. What is the primary purpose of Security Profiles in a firewall’s security policy?

  • To block all network traffic that does not meet specific criteria
  • To perform additional security checks on allowed network traffic
  • To log all network traffic, regardless of whether it is allowed or blocked
  • To replace the need for Security policy rules in managing network traffic

XenoGenic will be setting up site-to-site VPNs. Which statement is true about the IKE Phase 1 process of establishing an IPsec tunnel?

  • It uses Auto mode to encrypt tunnel data.
  • It is the final step in the process, responsible for handling data traffic within the established tunnel.
  • It is responsible for the negotiation process using the IKE-Crypto profile, but it does not authenticate the firewalls.
  • It identifies the endpoints of the VPN using peer IDs, which could be the IP address, a domain name, or another string.

As a part of the test deployment, XenoGenic engineers have asked you about using the NGFW to protect IoT devices in their network. What does the IoT Security app use to identify and classify devices?

  • IP and source port of the session
  • Metadata from network protocols and sessions
  • Private or sensitive information in the sessions
  • Information from the cloud in Session logs and Enhanced Application logs (EALs)

XenoGenic will start with the use of port-based rules on their Palo Alto Networks firewalls but will move to an application-based ruleset over time. Which strategy is recommended to convert port-based rules to application-based rules?

  • Convert all the port-based rules to application-based rules at once for efficiency.
  • Disable all port-based rules immediately after creating corresponding application-based rules.
  • Delete port-based rules as soon as the corresponding application-based rule has been created.
  • Prioritize rule conversion based on the amount of traffic the rule has processed or the number of apps the rule is processing.

When XenoGenic deploys GlobalProtect, what will be the primary function of the GlobalProtect Portal in their GlobalProtect infrastructure?

  • To apply Security policy for access to internal resources
  • To provide security enforcement for traffic from GlobalProtect agents and apps
  • To deliver configuration information to every client connecting to the GlobalProtect network
  • To enable access to network resources via the deployed GlobalProtect portals and gateways

XenoGenic wants to block incoming SYN floods. What are the two methods that PAN-OS software uses to mitigate TCP SYN floods?

  • RED and Maximum Threshold
  • SYN Cookies and Alarm Rate
  • RED and SYN Cookies
  • Connections per Second and Packets per Second

XenoGenic has configured its firewalls to block phishing attempts. Beyond blocking, what additional actions can XenoGenic configure to enhance credential-phishing prevention?

  • Send a warning email to the user.
  • Automatically change user credentials.
  • Block all credential submissions for a user for a configurable time.
  • Present a response page that warns users against submitting credentials to websites.

XenoGenic is curious about verdicts in WildFire. What does a Grayware file or URL verdict from WildFire indicate?

  • It is safe and does not exhibit malicious behavior.
  • It is malicious in nature and intent and poses a security threat.
  • It behaves similarly to malware but is not malicious in nature or intent.
  • It is a phishing attempt that is added to the PAN-DB database to block future phishing attacks.

To secure their NGFWs from tampering and intrusion, which action does Palo Alto Networks recommend that XenoGenic AVOID because it is contrary to best practices?

  • Enabling management interface access over the internet.
  • Using a jump server to connect to firewall management.
  • Limiting access to appropriate users within the organization.
  • Using service routes for external services instead of using the management port.

XenoGenic needs to develop a log-forwarding strategy for their NGFWs. Which management-plane logs can be forwarded from Palo Alto Networks firewalls?

  • Logs originating from the data plane.
  • Logs generated from Security policies and zones.
  • Traffic, Threat, URL, Data Filtering, WildFire, and Decryption logs.
  • System, Configuration, User-ID, HIP Match, GlobalProtect, and IP-Tag logs.

XenoGenic engineers have asked you to explain service routes. What does a service route do on a PANW firewall?

  • It directs traffic from the firewall to the update server to download updated software or malware signatures.
  • It provides a path from a data interface to a service, allowing the firewall to access external services through an in-band port.
  • It allows the firewall to verify the digital certificate of the update server from which software or database updates are downloaded.
  • It enables the firewall to access the DNS servers, external authentication servers, and Palo Alto Networks services via the MGT interface.

XenoGenic uses SNMP to monitor network devices. What types of MIBs do Palo Alto Networks NGFWs support for use with SNMP?

  • Only Standard MIBs
  • Only Enterprise MIBs
  • Both Standard and Enterprise MIBs
  • Neither Standard nor Enterprise MIBs

XenoGenic wants to use LDAP to authenticate firewall administrators. What is the first step in configuring the firewall to authenticate administrators against an external system like LDAP?

  • Creating a Server profile for LDAP
  • Adding the LDAP server to the server list
  • Creating an Authentication profile for LDAP
  • Providing details about the LDAP server

XenoGenic engineers want to minimize the potential for credential theft by means of phishing. What unique action does the Credential Theft Protection feature take to protect a user who unknowingly attempts to log on to a phishing website using their corporate credentials?

  • It identifies and deletes the phishing email automatically.
  • It sends an alert to the IT department about the suspicious activity.
  • It changes the user’s password immediately and sends an email to the user to notify them about the change.
  • It blocks the credentials from being sent to the new website and displays a notification page to the user explaining the situation.

A XenoGenic engineer has asked you about DoS Protection. What is the purpose of configuring the Maximum Concurrent Sessions threshold in a Denial of Service (DoS) Protection Profile?

  • To limit traffic using a specified DoS Protection profile
  • To block all packets from the source zone when the threshold is exceeded
  • To determine the maximum number of concurrent sessions supported by the firewall
  • To specify the maximum number of sessions for the hosts in the zone being protected

You are helping XenoGenic engineers set up decryption for outbound user traffic to the internet. Which type of certificate do you use on the firewall to warn users about any problems with the actual certificates of destination websites?

  • Forward Root CA
  • Forward Trust Certificate
  • Forward Decryption Policy
  • Forward Untrust Certificate