PCNSA Exam 352 Questions with Verified Answers
Palo Alto NGFWs enable you to adopt security best practices to minimize opportunities for attack by
using the following *three* policy types... - CORRECT ANSWER Application, User, and Content based policies.
T/F:
Palo Alto NGFWs allow you to automate workflows via integration with administrative tools such as ticketing services, or any system with a RESTful API. - CORRECT ANSWER True
What are the *three* families of Palo Alto NGFWs? - CORRECT ANSWER 1) VM Series
2) Prisma Access (Cloud Firewall SaaS)
3) Physical Firewalls
Name at least *three* of the physical Palo Alto NGFW models. - CORRECT ANSWER 1) PA-220
2) PA-800
3) PA-3200
4) PA-5200
5) PA-7000
Older models include: PA-200, PA-500, PA-3000 and PA-5000.
What capabilities does Palo Alto Traps *Advanced Endpoint Protection* provide? - CORRECT ANSWER Advanced Endpoint Protection blocks: exploits, ransomware, malware, and fileless attacks to minimize infected endpoints and servers.
What does *AutoFocus* provide? - CORRECT ANSWER AutoFocus provides instant access to community-based threat data, enhanced with deep context and attribution from the Unit 42 threat research team, saving analysts time and effort.
How often is the WildFire cloud database updated? - CORRECT ANSWER Approximately every *5* minutes.
What is Palo Alto *WildFire*? - CORRECT ANSWER WildFire is a cloud-based malware analysis and zero-day exploit detection feature.
What is Palo Alto *Threat Prevention*? - CORRECT ANSWER Threat Prevention is an IPS feature for detecting network signatures.
What is Palo Alto *URL Filtering*? - CORRECT ANSWER URL Filtering is a feature for categorizing web traffic and preventing phishing attempts.
What is Palo Alto *MineMeld*? - CORRECT ANSWER MineMeld is a threat intelligence aggregation tool for gathering and applying IOCs at the firewall.
What is Palo Alto *Cortex Data Lake*? - CORRECT ANSWER Cortex Data Lake is a tool for collecting and managing vast amounts of security logs.
What is Palo Alto *Cortex XDR*? - CORRECT ANSWER Cortex XDR is a machine learning *UBA tool*, for detecting post-intrusion activities, such as risky behavior, data exfiltration, or anomalies.
The Palo Alto Networks Security Operating Platform is designed for which *three* purposes?
A) consume innovations quickly
B) ensure compliance
C) focus on what matters
D) prevent successful cyberattacks - CORRECT ANSWER *A)* consume innovations quickly
*C)* focus on what matters
*D)* prevent successful cyberattacks
Which item is not one of the six primary components of the Palo Alto Networks Security Operating Platform?
A) applications (Palo Alto Networks applications, third-party applications, customer applications)
B) Cloud-Delivered Security Services
C) WildFire
D) Cortex and Cortex Data Lake
E) Network Security
F) Advanced Endpoint Protection
G) Cloud Security - CORRECT ANSWER *C)* WildFire
Which cloud-delivered security service provides instant access to community-based threat data?
A) Prisma SaaS
B) AutoFocus
C) Threat 42
D) Cortex XDR - CORRECT ANSWER B) AutoFocus
Which cloud-delivered security service provides security for branches and mobile users?
A) MineMeld
B) Cortex XDR
C) AutoFocus
D) Prisma Access - CORRECT ANSWER *D)* Prisma Access
Which Palo Alto Networks Security Operating Platform component provides *access to applications* from Palo Alto Networks, third parties, and customers?
A) Cloud-Delivered Security Services
B) WildFire
C) Cortex
D) Network Security
E) Advanced Endpoint Protection - CORRECT ANSWER C) Cortex
Which Palo Alto Networks firewall feature provides all the following abilities?
• Stops malware, exploits, and ransomware before they can compromise endpoints
• Provides protection while endpoints are online and offline, on network and off
• Coordinates enforcement with network and cloud security to prevent successful attacks
• Detects threats and automates containment to minimize impact
• Includes WildFire cloud-based threat analysis service with your Cortex XDR subscription
• Integrates with the Palo Alto Networks Security Operating Platform
A) Cortex XDR
B) Prisma SaaS
C) URL Filtering
D) WildFire
E) GlobalProtect
F) AutoFocus - CORRECT ANSWER *A)* Cortex XDR
What architecture does Palo Alto use to reduce latency when processing packets? - CORRECT ANSWER Single-Pass Parallel Processing (SP3) architecture.
What are the *two* components of Single-Pass Parallel Processing (SP3) architecture? - CORRECT ANSWER 1) Single-Pass Software
2) Parallel Processing Hardware
T/F:
Management and Data planes have dedicated hardware resources (CPU, RAM, and storage), making them independent of each other. - CORRECT ANSWER True
T/F:
When an administrator is running a very processor-intensive report, he/she may notice the firewall has decreased ability to process packets. - CORRECT ANSWER False
The firewall would not be affected by this reporting job, because there is separation of the data and control (management) planes.
What are some of the *management features* the control plane provides the firewall with? - CORRECT ANSWER 1) Firewall configuration
2) Logging
3) Reporting
What are some of the *data processing* features the data plane provides the firewall with? - CORRECT ANSWER 1) Signature matching
2) Security processing
3) Network processing
Which plane is signature matching part of, and what are some of the things signature matching can identify? - CORRECT ANSWER Signature matching is part of the data plane.
Signature matching can identify: exploits (IPS), viruses, spyware, CC#s, and SSNs.
Which plane is security processing part of, and what are some of the things security processing handles? - CORRECT ANSWER Security processing is part of the data plane.
Security processing handles: App-ID, User-ID, URL match, policy match, app decoding, SSL/IPSEC, and decompression.
Which plane is network processing part of, and what are some of the things network processing handles? - CORRECT ANSWER Network processing is part of the data plane.
Network processing handles: flow control, route lookup, MAC lookup, QoS, and NAT.
Which *three* management features does the control plane provide?
A) security processing
B) logging
C) reporting
D) firewall configuration
E) signature matching
F) network processing - CORRECT ANSWER *B)* logging
*C)* reporting
*D)* firewall configuration
Which *three* data processing features does the data plane provide?
A) network processing
B) security processing
C) signature matching
D) firewall configuration
E) logging
F) reporting - CORRECT ANSWER *A)* network processing
*B)* security processing
*C)* signature matching
Which *three* of the following components are part of the Network Processing module?
A) QoS
B) NAT
C) App-ID
D) flow control
E) url match
F) spyware - CORRECT ANSWER *A)* QoS
*B)* NAT
*D)* flow control
Which approach most accurately defines the Palo Alto Networks *SP3 architecture*?
A) prioritize first
B) sequential processing
C) scan it all, scan it once
D) zero trust segmentation platform - CORRECT ANSWER *C)* scan it all, scan it once
What is the result of using a stream-based design of architecture?
A) superior performance
B) increased latency
C) superior latency
D) increased functionality - CORRECT ANSWER *A)* superior performance
What is the *zero trust* security model? - CORRECT ANSWER Zero Trust is an alternative security model that addresses the shortcomings of the traditional, perimeter-centric strategies.
Where is the blind spot in traditional *perimeter* security models? - CORRECT ANSWER Traditional perimeter security models have a blind spot with monitoring lateral (east-west) traffic within the network.
Which security model does Palo Alto Networks recommend that you deploy?
A) separation-of-trust
B) zero trust
C) trust-then-verify
D) never trust - CORRECT ANSWER *B)* zero trust
The Zero Trust model is implemented to specifically inspect which type of traffic? - CORRECT ANSWER East-West (Lateral)
What are the *three* main concepts of Zero Trust?
A) All resources are accessed in a secure manner, regardless of location.
B) Access control is on a "need-to-know" basis and is strictly enforced.
C) Credentials need to be verified.
D) All traffic is logged and inspected.
E) Internal users are trusted implicitly.
F) External users are trusted explicitly. - CORRECT ANSWER *A)* All resources are accessed in a secure manner, regardless of location.
*B)* Access control is on a "need-to-know" basis and is strictly enforced.
*D)* All traffic is logged and inspected.
Which *three* Palo Alto Networks products secure your network?
A) MineMerge
B) Prisma SaaS
C) URL filtering
D) Containers
E) TrapContent
F) WildFire - CORRECT ANSWER *B)* Prisma SaaS
*C)* URL filtering
*F)* WildFire
According to Palo Alto, what are the *six* stages of the Cyber Attack Lifecycle? - CORRECT ANSWER 1) Reconnaissance
2) Weaponization & Delivery
3) Exploitation
4) Installation
5) Command & Control
6) Actions on the Objective
How do network security zones assist the zero trust model? - CORRECT ANSWER Network security zones segment traffic and allow for inspection between zones.
T/F:
Blocking just one stage in the Cyber-Attack Lifecycle is all that is needed to protect a company's network from attack. - CORRECT ANSWER True
Which of the following are stages of the Cyber-Attack Lifecycle? (Choose two.)
A) weaponization and delivery
B) manipulation
C) extraction
D) command and control - CORRECT ANSWER *A)* weaponization and delivery
*D)* command and control
Command and control can be prevented through which *two* methods?
A) exploitation
B) DNS Sinkholing
C) URL filtering
D) reconnaissance - CORRECT ANSWER *B)* DNS Sinkholing
*C)* URL filtering
Exploitation can be mitigated by which actions? (Choose two.)
A) keeping systems patched
B) using local accounts
C) blocking known and unknown vulnerability exploits on the endpoint
D) providing admin credentials - CORRECT ANSWER *A)* keeping systems patched
*C)* blocking known and unknown vulnerability exploits on the endpoint
What are the *four* methods used to manage the Palo Alto Networks next-generation firewalls? - CORRECT ANSWER 1) Web interface
2) CLI
3) Panorama
4) XML API
What is required to accomplish tasks like retrieving licenses and updating the threat and application signatures on the firewall? - CORRECT ANSWER The firewall must be able to access the Internet via its management (MGT) port.
To gain access to the firewall for the first time, what *four* pieces of information are needed for the MGT port? - CORRECT ANSWER 1) IP address
2) Netmask
3) Default gateway
4) At least one DNS server address
Note:
If the firewall is set up as a DHCP client, this information will be included automatically via DHCP.
What is the default username and password for a Palo Alto Firewall? - CORRECT ANSWER Username: admin
Password: admin
What benefit does CLI access to the firewall offer admins? - CORRECT ANSWER Debug information.
What CLI command allows you to access configuration mode while in operational mode? - CORRECT ANSWER *configure*
What are some basic networking commands available from the CLI, while in operational mode? - CORRECT ANSWER Ping, traceroute, etc.
Which mode enables you to display and modify the configuration parameters of the firewall, verify candidate configuration, and commit the config? - CORRECT ANSWER Configuration Mode
What CLI command would show you both your system up-time and MAC address? - CORRECT ANSWER *show system state*
What is the name of the Palo Alto Networks product that provides centralized web-based management, reporting, and logging for multiple firewalls? - CORRECT ANSWER Panorama
How does the Palo Alto XML API work? - CORRECT ANSWER The XML API provides a representational state transfer (REST)-based interface to access firewall configurations, operational status, reports, and packet captures from the firewall.
What sort of tasks can the PAN-OS XML API be used to automate? - CORRECT ANSWER 1) Create, update, and modify firewall and Panorama configurations.
2) Execute operational mode commands, such as restarting the system or validating configurations.
3) Retrieve reports.
4) Manage users through User-ID.
5) Update dynamic objects without having to modify or commit new configurations.
What is the firewall dashboard? - CORRECT ANSWER *It is the home screen for the web management GUI.*
The firewall Dashboard provides information in a condensed format, including general information such as device name, MGT IP address, and licensing information. This page can be augmented by adding, removing, or editing widgets.
What are the *three* categories of widgets that can be displayed on the firewall dashboard? - CORRECT ANSWER 1) Application Widgets
2) Log Widgets
3) System Widgets
What is the *ACC* tab used for? - CORRECT ANSWER *ACC* uses the firewall logs to graphically depict traffic trends on your network.
What is the *Monitor* tab used for? - CORRECT ANSWER The *Monitor* tab provides logging visibility, the ability to run packet captures, and report options.
What is the *Policies* tab used for? - CORRECT ANSWER *Policies* allows the creation of policies such as security policy and NAT policy.
What is the *Objects* tab used for? - CORRECT ANSWER *Objects* allows the creation of objects such as Address objects.
What is the *Network* tab used for? - CORRECT ANSWER *Network* allows the configuration of network parameters such as interfaces and zones.
What is the *Device* tab used for? - CORRECT ANSWER *Device* allows the configuration of system information such as the hostname or certificates.
What does the *task* icon in the bottom right of the GUI do? - CORRECT ANSWER It displays the tasks that you, other administrators, or the PAN-OS software have initiated since the last firewall reboot (for example, manual commits or automatic FQDN refreshes).
What is the management interface used for? - CORRECT ANSWER The management interface is used to communicate with servers and systems including: *DNS*, *Email*, *Palo Alto Servers*, *external dynamic lists*, and Panorama.
What are service routes? - CORRECT ANSWER Service routes are used so that the communication between the firewall management interface and various servers goes through the data ports on the data plane. These data ports require appropriate security policy rules before external servers can be accessed.
What is the navigation path within the Palo Alto GUI, for customizing service routes? - CORRECT ANSWER Device *>* Setup *>* Services *>* Service Route Configuration *>* Customize
Which *three* important *network services* do Palo Alto NGFWs integrate with? - CORRECT ANSWER 1) DHCP
2) NTP
3) DNS
T/F:
Palo Alto NGFWs can operate without a primary DNS server configured. - CORRECT ANSWER False
What is the GUI path for configuring a DNS server or NTP server for the Palo Alto to use? - CORRECT ANSWER Device > Setup > Services > Services_gear_icon
What is the GUI path for configuring an IP address or default gateway for the Palo Alto management interface? - CORRECT ANSWER Device > Setup > Interfaces
What are *two* firewall management methods?
A) CLI
B) RDP
C) VPN
D) XML API - CORRECT ANSWER *A)* CLI
*D)* XML API
Which *two* devices are used to connect a computer to the firewall for management purposes?
A) rollover cable
B) serial cable
C) RJ-45 Ethernet cable
D) USB cable - CORRECT ANSWER *B)* serial cable
*C)* RJ-45 Ethernet cable
What is the default IP address on the *MGT interface* of a Palo Alto Networks firewall?
A) 192.168.1.1
B) 192.168.1.254
C) 10.0.0.1
D) 10.0.0.254 - CORRECT ANSWER *A)* 192.168.1.1
What are the *two* default services that are available on the MGT interface?
A) HTTPS
B) SSH
C) HTTP
D) Telnet - CORRECT ANSWER *A)* HTTPS
*B)* SSH
T/F:
Service route traffic has Security policy rules applied against it. - CORRECT ANSWER True
Service routes may be used to forward which *two* traffic types out a data port?
A) External Dynamic Lists
B) MineMeld
C) Skype
D) Palo Alto Networks updates - CORRECT ANSWER *A)* External Dynamic Lists
*D)* Palo Alto Networks updates
Where do candidate configurations reside? - CORRECT ANSWER Candidate configurations reside in memory on the *control plane*.
Where do running configurations reside? - CORRECT ANSWER Running configurations reside in memory on the *data plane*.
Which file format is used for importing and exporting candidate configurations? - CORRECT ANSWER *.xml*
How do you undo a candidate configuration? - CORRECT ANSWER Using the *revert to last saved configuration* option.
What operation is necessary to write the candidate configuration to the running configuration? - CORRECT ANSWER *commit*
When firewall commits are queued, which commits does the firewall prioritize? - CORRECT ANSWER Commits that the firewall initiates automatically, such as FQDN refreshes.
What is the GUI path for managing firewall configurations? - CORRECT ANSWER *Device > Setup > Operations*
What is the name of the file that stores the firewall's running configuration? - CORRECT ANSWER *running-config.xml*
What are the *five* configuration management options? - CORRECT ANSWER 1) Revert
2) Save
3) Load
4) Export
5) Import
T/F:
The firewall creates a timestamped version of the running configuration whenever a commit is made. - CORRECT ANSWER True
Which command backs up configuration files to a remote network device?
A) import
B) load
C) copy
D) export - CORRECT ANSWER *D)* export
The command *load named configuration snapshot* overwrites the current candidate configuration with which *three* items?
A) custom-named candidate configuration snapshot (instead of the default snapshot)
B) custom-named running configuration that you imported
C) snapshot.xml
D) current running configuration (running-config.xml)
E) Palo Alto Networks updates - CORRECT ANSWER *A)* custom-named candidate configuration snapshot (instead of the default snapshot)
*B)* custom-named running configuration that you imported
*E)* Palo Alto Networks updates
What is the path used to download the latest firewall updates? - CORRECT ANSWER *Device > Dynamic Updates*
T/F:
System updates do not require a firewall reboot. - CORRECT ANSWER False
Which *three* actions should you complete before you upgrade to a newer version of software?
A) Review the release notes to determine any impact of upgrading to a newer version of software.
B) Ensure the firewall is connected to a reliable power source.
C) Export the device state.
D) Create and externally store a backup before you upgrade. - CORRECT ANSWER *A)* Review the release notes to determine any impact of upgrading to a newer version of software.
*B)* Ensure the firewall is connected to a reliable power source.
*D)* Create and externally store a backup before you upgrade.
Before you install the maintenance or feature release, which release is required to be installed? - CORRECT ANSWER The x.0 base release.
For example, to upgrade from 7.x.y to 8.x.y, download both 8.0 and 8.x.y. 8.0 is installed automatically when you install 8.x.y.
What's a quick way to verify that the firewall is passing traffic, after finishing an upgrade? - CORRECT ANSWER Select *Monitor > Session Browser* and verify that you are seeing new sessions.
What is the *shortest* time interval that you can configure a Palo Alto Networks firewall to download WildFire updates?
A) 1 minute
B) 5 minutes
C) 15 minutes
D) 60 minutes - CORRECT ANSWER *A)* 1 minute
What is the publishing interval for WildFire updates, with a valid WildFire license?
A) 1 minute
B) 5 minutes
C) 15 minutes
D) 60 minutes - CORRECT ANSWER *B)* 5 minutes
T/F:
A Palo Alto Networks firewall automatically provides a backup of the configuration during a software upgrade. - CORRECT ANSWER True
If you have a Threat Prevention subscription but not a WildFire subscription, how long must you wait for the WildFire signatures to be added into the antivirus update?
A) 1 to 2 hours
B) 2 to 4 hours
C) 10 to 12 hours
D) 12 to 48 hours - CORRECT ANSWER *D)* 12 to 48 hours
Which of the following is *not* a way to download software?
A) over the MGT interface on the control plane
B) over a data interface on the data plane
C) upload from a computer
D) from the Palo Alto Networks Customer Support Portal
E) from the PAN-DB database
F) from Panorama - CORRECT ANSWER *E)* from the PAN-DB database
How can you tell whether a user account is local? - CORRECT ANSWER If the account has *no* authentication profile, then it is a local account.
What are the *two* admin user role types? - CORRECT ANSWER 1) Role Based
2) Dynamic
Where would you find the username, IP, and time for a past change made to the firewall? - CORRECT ANSWER *Configuration logs* display entries for changes to the firewall configuration.
Name at least *three* authentication types that PAN-OS software supports. - CORRECT ANSWER 1) None
2) Local Database
3) RADIUS
4) LDAP
5) TACACS+
6) SAML
7) Kerberos
Which *two* statements are true about a Role Based Admin Role profile role?
A) It is a built-in role.
B) It can be used for CLI commands.
C) It can be used for XML API.
D) Superuser is an example. - CORRECT ANSWER *B)* It can be used for CLI commands.
*C)* It can be used for XML API.
Note: Role based profiles are customized, not default; and superuser is not one of them.
Which *two* Dynamic Admin Role types are available on the PAN-OS software?
A) superuser
B) superadmin
C) deviceuser
D) device administrator (read-only) - CORRECT ANSWER *A)* superuser
*D)* device administrator (read-only)
Which type of profile does an Authentication Sequence include?
A) Security
B) Authorization
C) Admin
D) Authentication - CORRECT ANSWER *D)* Authentication
An Authentication Profile includes which other type of profile?
A) Server
B) Admin
C) Customized
D) Built-in - CORRECT ANSWER *A)* Server
T/F:
Dynamic Admin Roles are called "dynamic" because you can customize them. - CORRECT ANSWER False
What is used to override global Minimum Password Complexity Requirements?
A) Authentication Profile
B) Local Profile
C) Password Role
D) Password Profile - CORRECT ANSWER *D)* Password Profile
T/F:
Zone names are not case sensitive. - CORRECT ANSWER False
What are the *two* requirements for creating zones? - CORRECT ANSWER 1) Zone Name
2) Zone Type
What is *intrazone traffic*? - CORRECT ANSWER Intrazone traffic is traffic that flows between interfaces that exist within the same zone.
For Example:
Traffic flowing from one server in the datacenter zone to another server in the datacenter zone.
What is the default action for interzone traffic? - CORRECT ANSWER Deny
What are the *five* zone types? - CORRECT ANSWER 1) TAP
2) Layer 2
3) Layer 3
4) Virtual Wire
5) Tunnel
Which *two* default zones are included with the PAN-OS software?
A) Interzone
B) Extrazone
C) Intrazone
D) Extranet - CORRECT ANSWER *A)* Interzone
*C)* Intrazone
The *External* zone type is used to pass traffic between which type of objects?
A) Layer 2 interfaces
B) Layer 3 interfaces
C) virtual routers
D) virtual systems - CORRECT ANSWER *D)* virtual systems
Which *two* statements about interfaces are correct?
A) Interfaces must be configured before you can create a zone.
B) Interfaces do not have to be configured before you can create a zone.
C) An interface can belong to only one zone.
D) An interface can belong to multiple zones. - CORRECT ANSWER *B)* Interfaces do not have to be configured before you can create a zone.
*C)* An interface can belong to only one zone.
Which three interface types can belong in a Layer 3 zone?
A) loopback
B) Layer 3
C) tunnel
D) virtual wire - CORRECT ANSWER *A)* loopback
*B)* Layer 3
*C)* tunnel
What is used to control traffic through zones?
A) access lists
B) security policy lists
C) security policy rules
D) access policy rules - CORRECT ANSWER *C)* security policy rules
What are the *five* main interface types for PAN-OS software? - CORRECT ANSWER 1) Tap
2) Virtual Wire
3) Layer 2
4) Layer 3
5) HA
What does a *decrypt mirror* interface do? - CORRECT ANSWER This feature enables decrypted traffic from a firewall to be copied and sent to a traffic collection tool that can receive raw packet captures, such as NetWitness or Solera, for archiving and analysis.
What does a *tap* interface do? - CORRECT ANSWER A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN port.
This mirrored traffic is forwarded by a switch port to a firewall's Tap interface and is analyzed for App-ID, User-ID, Content-ID, and other traffic, just like any other normal data traffic that would pass through the firewall.
T/F:
TAP interfaces must be assigned to a Tap zone. - CORRECT ANSWER True
What actions can be taken on *tap* traffic? - CORRECT ANSWER None.
Tap traffic is not managed, and cannot be blocked, allowed, or shaped.
What is the function of a *log card* data port? - CORRECT ANSWER A log card data port performs log forwarding for syslog, email, Simple Network Management Protocol (SNMP), and WildFire file forwarding.
Note:
One data port on a PA-7000 must be configured as a log card interface because the MGT interface cannot handle all the logged traffic.
What does a *virtual wire* interface do when it receives a frame or packet for Layer 2 or Layer 3 addresses for switching or routing purposes? - CORRECT ANSWER Traffic passing over a virtual wire does not receive routing or switching, but the virtual wire applies any *security* or *NAT policy rules* before passing an allowed frame or packet over the virtual wire to the second Virtual Wire interface and on to the network device connected to it.
T/F:
A virtual wire can bind two physical Ethernet interfaces of the same medium (both either copper or fiber), but cannot bind a copper interface to a fiber interface. - CORRECT ANSWER False
A virtual wire can bind any combination of copper or fiber medium over its two interfaces.
What is a virtual wire *subinterface*? - CORRECT ANSWER Virtual Wire subinterfaces are used to separate traffic into different zones.
These subinterfaces can do things like route traffic from various VLANs or subnets to various zones.
Traffic *A* is moving between two Palo Alto interfaces of the same VLAN and same zone.
Traffic *B* is moving between two Palo Alto interfaces of the same VLAN but different zones.
What occurs differently with traffic *B* when it arrives at the Palo Alto? - CORRECT ANSWER Traffic *B* will be inspected by security policy rules, while traffic *A* is intrazone traffic and would be allowed by default.
Which firewall *tab* contains options that enable you to configure Layer 3 interface settings? - CORRECT ANSWER The *Advanced* tab.
What are some of the configurable *Layer 3* interface settings? - CORRECT ANSWER 1) MTU
2) static ARP
3) LLDP
4) IPv6 NDP
5) link speed
6) duplex settings
What are some uses for the Palo Alto *loopback* interfaces? - CORRECT ANSWER 1) DNS sinkholes.
2) GlobalProtect service interfaces (portals and gateways).
3) Routing identification.
Which of the following interfaces can be used for managing a firewall?
A) Tap
B) Virtual Wire
C) Layer 2
D) Layer 3 - CORRECT ANSWER *D)* Layer 3
Note: Firewall management through a layer 3 interface requires an interface management profile.
What is the purpose of an interface management profile? - CORRECT ANSWER An interface management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall Layer 3 interface permits for management traffic.
T/F:
A single Layer 3 interface can be assigned multiple IPv4 addresses. - CORRECT ANSWER True
Note: The IPs should not be in the same subnet.
What's the path for adding a virtual router? - CORRECT ANSWER *Network > Virtual Routers > Add*
What is the main difference between Layer 3 *interfaces* and Layer 3 *subinterfaces*? - CORRECT ANSWER Layer 3 subinterfaces are used for 802.1Q VLANs.
Which *two* actions can be done with a Tap interface?
A) encrypt traffic
B) decrypt traffic
C) allow or block traffic
D) log traffic - CORRECT ANSWER *B)* decrypt traffic
*D)* log traffic
Which *two* actions can be done with a Virtual Wire interface?
A) NAT
B) route
C) switch
D) log traffic - CORRECT ANSWER *A)* NAT
*D)* log traffic