Advanced WildFire Quiz (100 Qs - 10 Pages + Results/Explanations)

Page 1 of 10

1. What is the primary goal of Advanced WildFire?

a) To perform basic antivirus scanning on the firewall.

b) Detection and prevention of zero-day malware using multiple analysis techniques.

c) To provide URL filtering based on categories.

d) To manage firewall policies centrally.

Advanced WildFire uses a combination of dynamic/static analysis and Intelligent Run-time Memory Analysis specifically to detect and prevent unknown, zero-day threats.

2. What does the basic WildFire service (included with the NGFW without a subscription) allow the firewall to do?

a) Forward all supported file types and get real-time signature updates.

b) Forward only PE files and get 5-minute signature updates.

c) Forward only PE files and retrieve signatures with Antivirus/Threat Prevention updates (every 24-48 hours).

d) Access the full WildFire API and perform Intelligent Run-time Memory Analysis.

The basic, included service has limitations: only PE file forwarding is supported, and signature updates are tied to the less frequent AV/Threat Prevention updates.

3. Which subscription is required to enable Intelligent Run-time Memory Analysis?

a) Basic WildFire service.

b) Standard WildFire subscription.

c) Advanced WildFire subscription (PAN-OS 10.0+).

d) Standalone WildFire API subscription.

Intelligent Run-time Memory Analysis is the key differentiating feature unlocked specifically by the Advanced WildFire subscription (on supported PAN-OS versions).

4. What is the primary purpose of the Standalone WildFire API subscription?

a) To provide enhanced signature updates to firewalls.

b) To allow access to WildFire analysis capabilities via API for tools like SOAR, without needing a PANW firewall for forwarding.

c) To enable WildFire analysis on a private cloud appliance.

d) To unlock Advanced WildFire Inline ML on the firewall.

This subscription decouples WildFire analysis from firewall forwarding, enabling integration with external security tools via the API.

5. With a standard WildFire subscription on PAN-OS 10.0+, what is the BEST PRACTICE for receiving signature updates?

a) Configure 5-minute updates.

b) Configure Real-Time updates.

c) Rely only on the daily Antivirus/Threat Prevention updates.

d) Manually check for updates via the portal.

Real-time updates, available with the subscription and PAN-OS 10.0+, provide the fastest access to newly generated signatures, minimizing exposure time.

6. What does Advanced WildFire Inline ML primarily analyze on the firewall dataplane?

a) PE, ELF, MS Office, OOXML, Mach-O, PowerShell, and shell scripts.

b) Only encrypted traffic patterns.

c) Network session metadata like IP addresses and ports.

d) APK and Java files only.

Inline ML uses machine learning models directly on the firewall's dataplane to classify specific file types (like executables, scripts, and office documents) in real-time without sending them to the cloud initially.

7. Which file type requires NO WildFire subscription for the firewall to forward it for analysis?

a) PDF files.

b) Microsoft Office files.

c) Portable Executable (PE) files.

d) Email links.

Forwarding PE files is part of the basic WildFire service included with the NGFW; all other supported file types require a subscription for forwarding.

8. What are the four possible verdicts WildFire can assign to a sample?

a) Malicious, Suspicious, Unknown, Clean.

b) Benign, Grayware, Phishing, Malicious.

c) Allowed, Blocked, Alert, Reset.

d) Virus, Worm, Trojan, Spyware.

WildFire classifies samples into these four categories based on its analysis: safe (Benign), annoying but not directly harmful (Grayware), credential-stealing (Phishing), or harmful (Malicious).

9. Which WildFire analysis method involves executing unknown samples in a custom-built, evasion-resistant virtual environment?

a) Static Analysis.

b) Machine Learning.

c) Dynamic Unpacking.

d) Dynamic Analysis.

Dynamic analysis, often called sandboxing, involves running the sample in a controlled environment (virtual machine) to observe its actual behavior and effects.

10. Which operating system analysis environment is ONLY available in the Advanced WildFire public cloud (not private cloud)?

a) Microsoft Windows 7 64-bit.

b) Microsoft Windows 10 64-bit.

c) Mac OS X, Android, and Linux.

d) Microsoft Windows XP 32-bit.

Analysis environments for non-Windows operating systems (Mac, Android, Linux) are exclusively provided by the public cloud infrastructure.

Page 2 of 10

11. What is the primary benefit of Advanced WildFire Inline Cloud Analysis (requires PAN-OS 11.1+ and Advanced WildFire license)?

a) Real-time cloud analysis and blocking of *never-before-seen* PE files before they infect the client.

b) Enhanced analysis of MS Office documents on the firewall dataplane.

c) Faster signature generation for known malware.

d) Support for analyzing encrypted ZIP files.

This feature sends PE files to the cloud for immediate ML analysis, allowing detection and blocking of zero-day threats that don't have signatures yet, potentially holding the download during analysis.

12. Where is Advanced WildFire Inline ML configured on the firewall?

a) In the Security Policy rule action.

b) Under Device > Setup > WildFire.

c) Within an Antivirus Security Profile.

d) In the WildFire Analysis Security Profile.

Inline ML models are applied as part of the Antivirus inspection process on the dataplane, hence configured within the Antivirus profile.

13. What type of sample is typically classified with a "Grayware" verdict?

a) Viruses and Trojans.

b) Files that are safe and exhibit no malicious behavior.

c) Adware, spyware, and Browser Helper Objects (BHOs).

d) Links leading to sites designed to steal user credentials.

Grayware represents software that is intrusive or unwanted but doesn't typically cause direct harm like malware. Adware and spyware fit this definition.

14. What is the maximum number of times a firewall will decode nested compressed/encoded files before forwarding?

a) One time.

b) Two times.

c) Three times.

d) Four times.

The firewall has a limit of four levels of decoding for nested archives or encoded files to prevent resource exhaustion attacks (like zip bombs).

15. Which password must be used for encrypting RAR files if you want the WildFire cloud to decrypt and analyze them upon manual submission?

a) `paloalto`

b) `infected` or `virus`

c) `malware`

d) `wildfire`

Using the standard industry passwords `infected` or `virus` allows automated systems like WildFire to decrypt and analyze samples submitted for research or analysis purposes, following common safe-handling procedures.

16. How does the firewall handle forwarding of complete ZIP archive files?

a) It forwards the complete ZIP file directly if the archive type is enabled.

b) It decodes the ZIP, and forwards individual files inside if they match profile criteria; it cannot forward the complete ZIP itself.

c) It requires a special license to forward complete ZIP files.

d) It only forwards ZIP files if they are password-protected with "infected".

The firewall extracts supported file types from within ZIP archives (up to 4 levels deep) and forwards those individual files if they are unknown. It doesn't forward the entire .zip container itself.

17. Which WildFire deployment option involves forwarding files to an appliance hosted on the corporate network?

a) Advanced WildFire Public Cloud.

b) WildFire Private Cloud.

c) WildFire Hybrid Cloud (partially).

d) WildFire FedRAMP Cloud.

A private cloud deployment uses a dedicated WildFire appliance (WF-500, etc.) within the organization's network perimeter for local sample analysis.

18. Are WildFire signatures generated by regional public clouds shared globally?

a) Yes, public cloud signatures and verdicts are shared globally (except for private cloud verdicts).

b) No, signatures generated in a regional cloud stay within that region.

c) Only if the firewall has an Advanced WildFire license.

d) Only signatures for PE files are shared globally.

The global threat intelligence network ensures that protections generated in any public cloud region benefit all WildFire customers worldwide. Private cloud verdicts remain local unless cloud intelligence is enabled for known samples/malware forwarding.

19. Which FedRAMP-authorized cloud is designated as FedRAMP High and restricted to Federal, DoD, or approved DIB customers?

a) Advanced WildFire Government Cloud (gov-cloud...).

b) Advanced WildFire Public Sector Cloud (pubsec-cloud...).

c) WildFire: U.S. Government Cloud (wildfire.gov...).

d) All FedRAMP clouds are FedRAMP High.

FedRAMP High has stringent security requirements. The Advanced WildFire Government Cloud (gov-cloud...) meets this standard and is specifically for customers with those high-security needs.

20. Can FedRAMP clouds (like Advanced WildFire Government Cloud) be used concurrently with the global or regional public clouds on the SAME firewall device?

a) Yes, using a hybrid cloud configuration.

b) No, FedRAMP clouds cannot be mixed with global/regional clouds on the same device.

c) Yes, but only if using separate Virtual Systems.

d) Only the FedRAMP Moderate clouds can be mixed.

Due to the distinct security boundaries and operational requirements, a single firewall cannot be configured to simultaneously use both a FedRAMP environment and a standard commercial public cloud.

Page 3 of 10

21. Which WildFire cloud environment is being decommissioned as of November 30, 2024, with new customers recommended to use the Public Sector Cloud instead?

a) Advanced WildFire Government Cloud.

b) Advanced WildFire Public Sector Cloud.

c) WildFire: U.S. Government Cloud.

d) Advanced WildFire Global Cloud (U.S.).

The older FedRAMP Moderate cloud (wildfire.gov...) is being phased out in favor of the newer Advanced WildFire Public Sector Cloud which offers enhanced features.

22. What functionality is specifically mentioned as NOT available in the WildFire: U.S. Government Cloud (the one being decommissioned)?

a) Forwarding of PE files.

b) Analysis of PDF files.

c) Bare Metal Analysis, Script file analysis, Portal Access, Advanced WildFire Analysis.

d) Real-time signature updates.

This older FedRAMP environment lacked several features compared to the commercial public clouds, including advanced analysis types, portal access, and script analysis.

23. According to the File Type Support table, which file type is analyzed by the Advanced WildFire Public Cloud but NOT the WildFire U.S. Government Cloud?

a) Portable executable files (PE).

b) Microsoft Office files.

c) Script files (BAT, JS, VBS, PS1, HTA).

d) PDF files.

The support table explicitly shows script files are supported for analysis in the public cloud but not in the older U.S. Government cloud.

24. For which file types is Dynamic Analysis supported ONLY in the Advanced WildFire Global (U.S.) and Europe Cloud regions?

a) PDF files.

b) PE files.

c) All MacOSX files.

d) Linux ELF files.

The footnote in the support table indicates that while some static analysis for macOS files is broader, full dynamic analysis is limited to the US and EU public cloud regions.

25. Which listed file type extension is NOT supported for WildFire forwarding according to the "Supported File Types (Complete List)" table?

a) .elf

b) .dmg

c) .ps1

d) .xml

The comprehensive list marks XML files with "No" under Forwarding Support, meaning the firewall doesn't automatically forward them based on type, unlike ELF, DMG, or PS1.

26. In the WildFire example scenario, why was the firewall able to inspect the traffic to Dropbox even though Dropbox uses SSL?

a) Dropbox does not use SSL for file transfers.

b) The firewall was configured with SSL decryption enabled.

c) WildFire can inherently inspect SSL traffic without decryption.

d) The file itself was not encrypted.

SSL/TLS Forward Proxy decryption allows the firewall to inspect the content of encrypted sessions, which is essential for finding threats hidden within them.

27. After WildFire identifies a file as malicious in the example scenario, what is the immediate next step taken by the firewall based on its configuration?

a) It automatically deletes the file from the user's desktop.

b) It downloads a signature and immediately blocks the file.

c) It sends a WildFire log back to the firewall, which triggers an alert to the administrator via log forwarding.

d) It quarantines the user's machine.

WildFire analysis results in a log entry on the firewall. If log forwarding is configured (as in the example), this log triggers actions like sending alerts. Signature generation/download happens subsequently.

28. According to the "Get Started with Advanced WildFire" workflow, what is the FIRST step mentioned?

a) Get your Advanced WildFire or WildFire subscription.

b) Decide on the deployment type (Public/Gov Cloud).

c) Confirm the license is active on the firewall.

d) Configure the WildFire Analysis profile.

Ensuring you have the necessary subscription (or understanding the limitations of the basic service) is the foundational first step before configuration.

29. What is the recommended best practice for the File Size limit setting for PE files in the WildFire General Settings?

a) Set it to the default value (typically smaller).

b) Set it to the maximum size limit (e.g., 10 MB or 16MB depending on PAN-OS).

c) Set it to 1 MB.

d) Disable size limits for PE files.

The recommendation specifically calls out setting the PE file size limit to the maximum allowed by the platform, as malicious executables can sometimes be larger, while other file types are generally recommended to stay at default limits to preserve forwarding capacity.

30. What is the recommended best practice for the WildFire Analysis profile configuration?

a) Create a custom profile forwarding only PE and PDF files.

b) Use the default WildFire Analysis profile or set a custom profile to forward 'Any' file type.

c) Create separate profiles for uploads and downloads.

d) Only forward files from specific trusted applications.

Using the 'default' profile or setting 'Any' file type ensures that as Palo Alto Networks adds support for new file types, the firewall automatically starts forwarding them without requiring manual profile updates.

Page 4 of 10

31. For PAN-OS 9.1 and earlier, what is the recommended frequency (Recurrence) for checking for WildFire signature updates?

a) Every Minute.

b) Every 5 Minutes.

c) Every 15 Minutes.

d) Real-time.

Since signatures were released every 5 minutes in older versions, checking every minute ensures the firewall gets the latest available signatures with minimal delay. Real-time is the recommendation for 10.0+.

32. Which additional license is required to block user access to malicious and phishing sites identified by WildFire email/URL analysis?

a) Threat Prevention license.

b) Advanced WildFire license.

c) PAN-DB URL Filtering license (or Advanced URL Filtering).

d) GlobalProtect license.

WildFire identifies malicious/phishing links and categorizes them. The URL Filtering license is needed to enforce policy (e.g., block access) based on these PAN-DB categories.

33. What is a quick way mentioned to confirm the firewall is successfully forwarding *benign* files (as a troubleshooting step)?

a) Check the Threat logs for entries.

b) Run the `show wildfire status` CLI command.

c) Temporarily enable "Report Benign Files" and check the Monitor > WildFire Submissions log.

d) Check the WildFire portal dashboard.

Since benign files aren't logged by default, enabling this option temporarily allows you to see entries in the WildFire Submissions log, confirming the forwarding mechanism is working.

34. According to Best Practices, which other subscription works together with WildFire to provide comprehensive threat detection and prevention?

a) URL Filtering.

b) Threat Prevention.

c) GlobalProtect.

d) SD-WAN.

Threat Prevention uses signatures (including those from WildFire) to block known threats (viruses, spyware, vulnerabilities), complementing WildFire's focus on unknown threats.

35. Why is forwarding decrypted SSL traffic for WildFire analysis considered a best practice?

a) It improves firewall performance.

b) To allow WildFire to analyze potentially malicious files hidden within encrypted traffic.

c) It is required for real-time signature updates.

d) It enables the Standalone WildFire API.

Malware is frequently delivered over encrypted channels (HTTPS, SMTPS, etc.). Without decryption, the firewall cannot extract files from this traffic to send them for WildFire analysis.

36. What potential issue can arise if you significantly increase file size limits beyond the defaults for high-volume file types?

a) It can cause the firewall to crash.

b) It drastically improves the malware catch rate.

c) The firewall might reach its file-forwarding capacity and skip forwarding some (potentially malicious) smaller files.

d) It disables the WildFire private cloud option.

Each firewall model has a maximum rate of files it can forward per minute and a queue size. Sending many large files can overwhelm this capacity, causing subsequent files (which could be malicious) to be dropped from the queue.

37. If a firewall is located between the submitting firewall and the WildFire cloud, which TCP port needs to be allowed for file submission, report retrieval, etc.?

a) 80

b) 10443

c) 443

d) 22

Port 443 (standard HTTPS) is used for the primary communication channel between the firewall and the WildFire cloud for most operations, including sample submission and report retrieval. Port 10443 is used for Dynamic Updates.

38. On a PA-7000 Series firewall, what must be configured first to enable sample forwarding if an LFC is present?

a) Configure a data port on the LFC as a Log Card interface.

b) Configure the management port for sample forwarding.

c) Assign a dedicated IP address to the WildFire service.

d) Increase the reserved drive space.

PA-7000 series firewalls require a specific data plane interface (on an NPC or the dedicated Log Forwarding Card if available) to be designated for log/sample forwarding, taking precedence over the management port.

39. In a WildFire Analysis profile rule, what does setting the 'Direction' to 'both' achieve?

a) Forwards files to both the public and private cloud.

b) Forwards files only if they are detected in both upload and download directions.

c) Forwards files matching the criteria regardless of whether they are being uploaded or downloaded.

d) Enables analysis for both IPv4 and IPv6 traffic.

The direction setting controls whether the rule applies to files being sent from the internal network outwards (upload), from the external network inwards (download), or in either direction (both).

40. Which user role is required to enable the "Allow Forwarding of Decrypted Content" setting?

a) Device Administrator.

b) Network Administrator.

c) Superuser.

d) Audit Administrator.

This setting impacts potentially sensitive decrypted data, so it requires the highest administrative privilege level (superuser) to enable.

Page 5 of 10

41. What is the prerequisite PAN-OS version for enabling Advanced WildFire Inline Cloud Analysis?

a) PAN-OS 10.0 or later.

b) PAN-OS 10.2 or later.

c) PAN-OS 11.1 or later.

d) PAN-OS 9.1 or later.

Inline Cloud Analysis is a newer feature introduced in PAN-OS 11.1, requiring both the specific OS version and an Advanced WildFire license.

42. In the WildFire Analysis profile, when enabling Inline Cloud Analysis, which file type is currently supported for this specific feature?

a) Only PE (portable executable).

b) PE and ELF files.

c) All file types supported by standard WildFire.

d) MS Office and PDF files.

Currently, Inline Cloud Analysis focuses on Portable Executable (PE) files for real-time cloud ML detection, as these are common malware vectors.

43. What is the recommended action setting for Advanced WildFire Inline Cloud Analysis for optimal security?

a) Allow.

b) Alert.

c) Block.

d) Reset-client.

To prevent potentially malicious files detected by Inline Cloud Analysis from reaching the endpoint, the recommended action is 'block'.

44. If Advanced WildFire Inline Cloud Analysis exceeds its configured Max Latency timeout, what happens if "Allow on Max Latency" is *deselected*?

a) The file is allowed through, and an alert is logged.

b) The file transfer is blocked.

c) The file is sent for standard WildFire analysis instead.

d) The firewall ignores the timeout and waits indefinitely.

Deselecting "Allow on Max Latency" means prioritizing security over availability in case of timeouts; the firewall will block the transfer if a verdict isn't received within the time limit.

45. When configuring proxy settings for Inline Cloud Services via the PAN-OS GUI (11.2.3+), what is the minimum required password length?

a) 5 characters.

b) 6 characters.

c) 7 characters.

d) 8 characters.

The configuration notes specify a minimum length of 7 characters for the secure proxy password used for inline cloud services.

46. What is the recommended setting for "Allow HTTP partial response" under Content-ID settings for maximum security, and why?

a) Enable it, to ensure application compatibility.

b) Disable it, to prevent clients from resuming downloads after a session is terminated due to malware detection.

c) It does not matter for WildFire functionality.

d) Enable it only for specific trusted source IPs.

Disabling this prevents clients using HTTP Range requests from bypassing a block action by starting a new session to download the remaining parts of a file after the initial session was blocked due to malware detection.

47. Which subscription(s) are required to enable Advanced WildFire Inline ML (on-dataplane ML)?

a) Only the Advanced WildFire subscription.

b) An active Advanced WildFire OR standard WildFire subscription.

c) Only the standard WildFire subscription.

d) No subscription is required, only Threat Prevention.

Inline ML functionality, although running locally, requires the threat intelligence updates and model support provided by either the standard or Advanced WildFire subscription.

48. Which firewall models are explicitly mentioned as NOT supporting Advanced WildFire Inline ML?

a) PA-220 and PA-400 series.

b) PA-7000 series.

c) VM-50 and VM-50L.

d) PA-5200 series.

The VM-50 and VM-50L models are specifically excluded from Inline ML support, likely due to resource constraints.

49. When creating a file exception for Advanced WildFire Inline ML based on a threat log entry, what information is primarily used for the exception?

a) The file hash.

b) The filename.

c) The source IP address.

d) The threat ID (ml-virus).

File exceptions for Inline ML rely on the unique file hash (SHA256 usually) to specifically identify the file to be excluded from ML analysis, preventing overly broad exceptions based on filename or threat ID.

50. What is the purpose of "Hold Mode for Real-Time Signature Lookup"?

a) To hold files indefinitely until manual review.

b) To hold the file transfer temporarily while checking the real-time signature cloud, potentially blocking known malware before the first byte is delivered.

c) To hold signature updates until a specific maintenance window.

d) To hold configuration commits until WildFire connectivity is verified.

Hold mode introduces a brief delay to query the cloud for a signature before allowing the file transfer to proceed, offering a chance to block known threats immediately upon detection during the lookup.

Page 6 of 10

51. Which PAN-OS version is required to use "Hold Mode for Real-Time Signature Lookup"?

a) PAN-OS 10.0 or later.

b) PAN-OS 11.1 or later.

c) PAN-OS 11.0.2 or later.

d) PAN-OS 10.2 or later.

This specific hold mode feature was introduced in PAN-OS version 11.0.2.

52. What is the recommended "Action On Real Time WildFire Signature Timeout" when Hold Mode is enabled?

a) Allow.

b) Reset-Both.

c) Alert.

d) Drop.

If the signature lookup times out during hold mode, resetting the connection (Reset-Both) is recommended to prevent potentially malicious files from getting through due to the timeout, prioritizing security.

53. Where is "Hold for WildFire Real Time Signature Look Up" enabled within an individual profile?

a) In the Antivirus profile, under the Action tab.

b) In the WildFire Analysis profile, under Inline Cloud Analysis.

c) In the URL Filtering profile.

d) Under Device > Setup > ContentID.

While the global timeout is configured under Device Setup, the decision to actually *use* hold mode for traffic matching a policy is enabled within the specific Antivirus profile applied to that policy.

54. What is the default FQDN used by the firewall to connect to the Content Cloud for WildFire service requests?

a) wildfire.paloaltonetworks.com

b) hawkeye.services-edge.paloaltonetworks.com

c) content.paloaltonetworks.com

d) updates.paloaltonetworks.com

Hawkeye is the underlying service edge infrastructure used for various cloud services, including content delivery and potentially WildFire interactions. The default setting resolves to the nearest instance.

55. What potential issue is mentioned if you configure a Content Cloud FQDN for a region different from your own (e.g., EU admin choosing APAC FQDN)?

a) Decreased performance.

b) Increased latency.

c) Potential violation of data residency / privacy regulations (like GDPR).

d) Incompatibility with certain WildFire features.

Manually selecting a Content Cloud FQDN forces data (including potentially sensitive traffic payloads for analysis) to that specific region, which could conflict with data sovereignty laws like GDPR if the region is outside required boundaries.

56. When downloading a WildFire malware test file (e.g., PE test file), what must be temporarily disabled if SSL decryption is enabled on the firewall?

a) The WildFire Analysis profile.

b) The Antivirus profile.

c) The *.wildfire.paloaltonetworks.com entry in the SSL Decryption Exclusion list.

d) The Threat Prevention profile.

If *.wildfire... is excluded from decryption, the firewall won't decrypt the HTTPS connection to download the test file, preventing the test from working correctly if decryption is generally enabled.

57. What verdict will the official WildFire malware test files always receive?

a) Benign.

b) Grayware.

c) Malware.

d) Phishing.

These files are specifically designed to trigger a 'malware' verdict to allow administrators to safely test the end-to-end WildFire forwarding and detection process.

58. Which CLI command is used to verify the firewall's connection status to the WildFire clouds and see total forwarded file counts?

a) `show wildfire status`

b) `show wildfire statistics`

c) `debug wildfire upload-log`

d) `show system resources`

This command provides a summary of the WildFire connection state (e.g., Idle means connected and ready) and overall counters for forwarded files.

59. Why might using the `show wildfire statistics` command be particularly useful for verifying email link forwarding?

a) It shows the content of the email links.

b) Because benign/grayware email links are not typically logged in WildFire Submissions, but this command shows forwarding counters (FWD_CNT...).

c) It displays the verdict for each forwarded link.

d) It separates email link statistics from file statistics.

Since the main WildFire Submissions log often omits benign/grayware links to avoid excessive logging, checking the specific forwarding counters in `show wildfire statistics` confirms if *any* links are being batched and uploaded.

60. What is the purpose of the `debug wildfire upload-log` command?

a) To view the current WildFire configuration.

b) To view a log of specific samples the firewall has forwarded for analysis, including those still pending a verdict.

c) To initiate a manual upload of a file to WildFire.

d) To clear the WildFire forwarding queue.

This debug command provides a detailed trace of individual file uploads, useful for troubleshooting specific forwarding issues or checking the status of a file before its official verdict appears in the main logs.

Page 7 of 10

61. What is required to initiate a Sample Removal Request from the WildFire cloud?

a) Contacting Palo Alto Networks support via phone.

b) Creating a text file with SHA256 or MD5 hashes (up to 100) and uploading it via the WildFire portal settings.

c) Using a specific CLI command on the firewall.

d) Submitting a request through the FedRAMP PMO.

The process involves preparing a list of hashes and using the self-service option within the WildFire portal's settings menu.

62. What happens if you request removal of a sample hash that is not unique to your environment (i.e., seen from other sources)?

a) The file sample is completely deleted from the WildFire cloud.

b) The removal request is rejected entirely.

c) Only the session and upload data associated with your account for that sample is removed; the file itself may remain.

d) A manual review by Palo Alto Networks is triggered.

To maintain the integrity of the global threat database, only the link between your account and the sample (session/upload data) is removed if the sample exists elsewhere. The sample file itself isn't deleted if others have submitted it.

63. According to the table, which platform has the highest maximum files per minute forwarding capacity?

a) PA-5400 Series.

b) VM-700.

c) PA-7000 Series.

d) PA-3400 Series.

The PA-7000 series chassis, designed for high throughput, has the highest listed file forwarding capacity at 300 files/minute.

64. What happens if a firewall reaches its Reserved Drive Space limit for queuing WildFire samples?

a) It overwrites the oldest samples in the queue.

b) It cancels forwarding of new files to WildFire until more space is available.

c) It automatically increases the reserved drive space.

d) It sends an alert to the administrator but continues queuing.

The reserved space acts as a buffer. Once full, the firewall stops accepting new files for forwarding to prevent overwhelming its storage, prioritizing stability.

65. Where can WildFire analysis reports be accessed?

a) Only on the firewall that submitted the sample.

b) Only on the WildFire portal.

c) On the submitting firewall (via WildFire Submissions logs), the WildFire portal (for public cloud/API submissions), Strata Cloud Manager (for Prisma Access), and via the WildFire API.

d) Only via the WildFire API.

Reports are available through multiple interfaces depending on the submission method and management platform: locally on the NGFW, centrally via the portal or Strata Cloud Manager, or programmatically via the API.

66. In the WildFire Analysis Report details, what does the "File Signer" field indicate?

a) The firewall that submitted the file.

b) The entity that digitally signed the file for authenticity.

c) The user who downloaded the file.

d) The Palo Alto Networks analyst who reviewed the file.

This field shows information from the file's digital certificate, indicating the publisher or entity that signed the code, which can be a factor in trust assessment.

67. Which hash values does WildFire typically generate and display in its analysis report?

a) Only MD5.

b) Only SHA-256.

c) SHA-1, SHA-256, and MD5.

d) SHA-256 and SHA-512.

WildFire calculates and reports these three common cryptographic hash values, which serve as unique fingerprints for the analyzed file.

68. What information is specifically mentioned as NOT being included in a WildFire report viewed for a file manually uploaded via the portal or API?

a) File hash values.

b) The WildFire verdict.

c) Session information (like Attacker/Source and Victim/Destination).

d) Dynamic analysis results.

Since manually uploaded files don't traverse the firewall as part of a network session, there is no associated session data (IPs, ports, user, application) to include in the report.

69. In which part of the WildFire Analysis Report can you typically find information about registry key modifications or file creation/deletion?

a) File Information.

b) Session Information.

c) Behavior Summary (under Dynamic Analysis, specifically Host Activity).

d) Coverage Status.

The Host Activity section within the Dynamic Analysis results details the actions the sample took on the simulated host system, including filesystem and registry interactions.

70. What is the purpose of the "Report an Incorrect Verdict" link in the WildFire Analysis Report?

a) To delete the sample from the WildFire cloud.

b) To submit the sample to the Palo Alto Networks threat team for re-analysis if you believe the verdict is a false positive or false negative.

c) To download the sample file.

d) To view VirusTotal information for the sample.

This provides a direct mechanism for users to provide feedback on verdicts they believe are incorrect, helping Palo Alto Networks improve the accuracy of WildFire analysis.

Page 8 of 10

71. By default, which WildFire verdicts generate entries in the WildFire Submissions log on the firewall?

a) Only Malicious.

b) Malicious and Phishing.

c) Malicious and Phishing (Files only - Benign/Grayware files and all links require specific enabling).

d) All verdicts (Benign, Grayware, Phishing, Malicious).

The default logging focuses on definite threats (Malicious/Phishing files). Logging for less severe verdicts (Benign/Grayware files) or less numerous entries (links) needs explicit configuration.

72. Where do you configure the firewall to include email header information (sender, recipient, subject) in WildFire logs and reports?

a) In the Log Forwarding profile.

b) In the WildFire Analysis profile.

c) Under Device > Setup > WildFire > Session Information Settings.

d) In the Antivirus profile.

Control over which pieces of session metadata (including email headers) are forwarded to the WildFire cloud is managed under the main WildFire setup section.

73. Can the firewall forward WildFire logs for *blocked* files to an email account using a Log Forwarding profile?

a) Yes, for all verdict types.

b) Yes, but only for malicious verdicts.

c) No, the firewall does not forward logs for blocked files via email.

d) Only if the file is also classified as grayware.

There's a specific limitation mentioned that prevents logs corresponding to files that were blocked by the firewall (regardless of verdict) from being forwarded via the email action in log forwarding profiles.

74. In the WildFire Submissions log on the firewall, what determines the 'Severity' level assigned (e.g., Low, High, Informational)?

a) Only the WildFire verdict.

b) Only the Action taken by the firewall (allow/block).

c) A combination of the WildFire verdict and the Action taken by the firewall.

d) The file type being analyzed.

Severity provides context. A malicious file that was allowed through (High) is more critical than a malicious file that was blocked (Informational). Similarly, allowed grayware (Low) is less critical than allowed malware.

75. What is a known limitation when viewing WildFire Analysis Reports directly in the firewall web interface using Mozilla Firefox?

a) Reports cannot be downloaded as PDF.

b) Reports may not display correctly in Firefox versions newer than v54.

c) Session information is hidden in Firefox.

d) Dynamic analysis details are unavailable in Firefox.

Due to changes in how newer Firefox versions render certain elements, the integrated report view in PAN-OS might have display issues. Using another browser or the PDF/portal view is recommended.

76. Can you view WildFire analysis reports for samples submitted by a WildFire *private* appliance on the public WildFire portal?

a) Yes, all reports are synchronized globally.

b) Only if the WildFire appliance has the 'cloud intelligence' feature enabled (for malware samples forwarded from the appliance).

c) No, private appliance reports are never visible on the public portal.

d) Yes, but only for benign samples.

The public portal only shows data submitted to it. For private appliance submissions to appear, the appliance needs to forward them (typically only malware samples) to the public cloud using the cloud intelligence feature.

77. When configuring email alerts on the WildFire portal, can you receive alerts for files that were *blocked* by the firewall?

a) Yes, for all verdicts.

b) No, the portal does not send alerts for blocked files.

c) Yes, but only if the verdict was malicious.

d) Only if the file was manually uploaded.

Portal alerts focus on files that WildFire analyzed, regardless of the firewall's action. There's a separate note indicating portal alerts aren't sent for blocked files.

78. Who can create WildFire portal user accounts to grant access to specific firewall data?

a) Any user with portal access.

b) A super user (the registered owner of the device/account).

c) Palo Alto Networks support staff.

d) Only users with an existing Palo Alto Networks support account.

Account administration, including granting portal access to others for associated devices, is typically handled by the primary account owner (superuser) via the Support Portal.

79. What restriction applies to the email addresses used when adding WildFire portal users?

a) They must belong to the same company domain.

b) They must already be associated with a Palo Alto Networks support account.

c) They cannot be from free web-based email accounts (like Gmail, Hotmail, Yahoo).

d) They must end in `.gov` or `.mil`.

This restriction likely aims to ensure users added for portal access are associated with legitimate organizations rather than potentially transient personal accounts.

80. On the WildFire portal's Reports page, what options are available for filtering the displayed reports?

a) Only by date and time.

b) Only by file name or hash value.

c) By Source (manual upload or specific firewall) and WildFire Verdict (any, benign, malware, etc.).

d) Only by firewall serial number.

The portal allows filtering by how the sample was submitted (firewall serial number or manual) and by the analysis result (verdict), in addition to searching by name/hash.

Page 9 of 10

81. What analysis technique specifically identifies variants of known threats by comparing feature sets against dynamic classification systems?

a) Static Analysis.

b) Machine Learning.

c) Dynamic Analysis.

d) Intelligent Run-time Memory Analysis.

Machine Learning excels at identifying slightly modified versions (variants) of known malware by recognizing patterns and features shared with known malicious families.

82. Dynamic Unpacking, used for files encrypted with custom/open source methods, is available in which WildFire environment?

a) All WildFire public clouds and the private cloud.

b) Only the WildFire private cloud.

c) Advanced WildFire global cloud only.

d) All FedRAMP clouds.

This advanced technique requires specific resources and is currently limited to the main global public cloud infrastructure.

83. Which version of Windows analysis environment is supported ONLY as an OPTION for the WildFire private cloud?

a) Windows 7 64-bit.

b) Windows 10 64-bit.

c) Windows XP 32-bit and Windows 7 32-bit.

d) Windows 11.

Support for older/32-bit Windows environments is maintained as an option primarily for private cloud deployments where specific legacy systems might still be relevant.

84. Does the WildFire private cloud support multi-version analysis of client applications (e.g., different Adobe Reader versions)?

a) Yes, it has the same capabilities as the public cloud.

b) No, the private cloud does not support multi-version analysis.

c) Only if the cloud intelligence feature is enabled.

d) Only for Microsoft Office files.

Maintaining multiple versions of various applications for analysis requires significant resources, a capability primarily found in the large-scale public cloud infrastructure.

85. How are the cloud inline ML detection models for Advanced WildFire Inline Cloud Analysis updated?

a) Through manual uploads by the administrator.

b) Via firewall content updates.

c) Seamlessly in the cloud without requiring content updates or feature release support.

d) Only when the firewall PAN-OS is upgraded.

A key benefit of cloud-based analysis is that the detection models reside and are updated centrally by Palo Alto Networks, requiring no updates on the customer's firewall.

86. How are the on-dataplane models for Advanced WildFire Inline ML (in the Antivirus profile) updated?

a) Automatically via the cloud, no action needed.

b) Via content releases downloaded to the firewall.

c) Through PAN-OS upgrades only.

d) By manually uploading model files.

Since these ML models run directly on the firewall's dataplane, they need to be delivered to the firewall, which is done via the standard content update mechanism.

87. Does the WildFire private appliance support the "phishing" verdict for links?

a) Yes, same as the public cloud.

b) No, it continues to classify phishing links as "malicious".

c) Yes, but only if cloud intelligence is enabled.

d) No, it classifies them as "grayware".

The specific 'phishing' verdict distinction is a feature of the public cloud; the private appliance uses the broader 'malicious' category for such links.

88. How does WildFire handle analysis of multi-stage malware files?

a) It analyzes only the initial payload.

b) It processes files referenced by the malware independently, delivering verdicts/protections for each stage, with the overall verdict based on any malicious content found.

c) It waits until all stages are analyzed before providing any verdict.

d) It requires manual submission of each stage separately.

WildFire attempts to follow the execution chain, analyzing secondary payloads dropped or downloaded by the initial file, providing verdicts for each component as analysis completes.

89. How often does the firewall forward email links to WildFire for analysis?

a) Instantly, as each link is detected.

b) In batches of 100 links or every two minutes, whichever limit is hit first.

c) Once per hour.

d) Only when the `debug wildfire upload-log` command is run.

To optimize forwarding and processing, email links are collected and sent in batches based on either count or time interval.

90. What underlying service aggregates threat details from PAN-DB and other sources to provide more accurate verdicts for URL analysis via the WildFire API?

a) Advanced WildFire Inline ML.

b) Intelligent Run-time Memory Analysis.

c) The URL analyzers operating in the Advanced WildFire global cloud.

d) The Threat Prevention signature engine.

WildFire's URL analysis leverages dedicated analyzers in the cloud that correlate data from multiple sources, including PAN-DB, email links, and other feeds, for comprehensive assessment.

Page 10 of 10

91. If you do NOT have an Advanced WildFire subscription, how quickly are new WildFire signatures typically made available?

a) Real-time.

b) Every 5 minutes.

c) Within 24-48 hours, as part of the antivirus update (requires Threat Prevention license).

d) They are never made available without a subscription.

Without a WildFire subscription, the signatures generated by WildFire are bundled into the standard Antivirus/Threat Prevention updates, which have a slower release cadence (24-48 hours).

92. Which Advanced WildFire cloud deployment is specifically designed to adhere to EU data privacy regulations?

a) Advanced WildFire Global Cloud (U.S.).

b) Advanced WildFire Europe Cloud (hosted in The Netherlands).

c) Advanced WildFire UK Cloud.

d) Advanced WildFire Germany Cloud.

The Europe Cloud (eu.wildfire...) ensures that submitted samples and associated data remain within EU borders to comply with regulations like GDPR.

93. What is the primary function of a WildFire Hybrid Cloud deployment?

a) To use both Inline ML and Inline Cloud Analysis simultaneously.

b) To allow a firewall to forward some samples to a public cloud and others to a private cloud appliance.

c) To synchronize signatures between the public and private clouds.

d) To provide API access alongside firewall forwarding.

Hybrid deployments offer flexibility, allowing organizations to keep sensitive files for local analysis on a private appliance while sending less sensitive or unsupported types to the public cloud.

94. Which action in the Antivirus profile allows WildFire Inline ML inspection but overrides stricter actions (like block/reset) to only generate an alert?

a) enable (inherit per-protocol actions).

b) alert-only (override more strict actions to alert).

c) disable (for all protocols).

d) default.

The 'alert-only' setting for Inline ML models allows visibility into potential threats detected by ML without immediately blocking traffic, useful during initial deployment or tuning.

95. What is the recommended way to bypass Advanced WildFire Inline ML for a specific legitimate internal application file identified as a false positive?

a) Create a signature exception based on the 'ml-virus' Threat ID.

b) Disable the 'Windows Executables' model entirely in the Antivirus profile.

c) Create a WildFire Inline ML file exception using the file's hash.

d) Create a custom application signature for the application.

Using the file hash provides a precise way to exclude a specific file from Inline ML analysis, avoiding the overly broad impact of disabling a model or using a potentially changing Threat ID.

96. What is the default timeout value (in milliseconds) for the WildFire Real Time Signature Lookup when Hold Mode is enabled?

a) 500 ms.

b) 1000 ms.

c) 2000 ms.

d) 5000 ms.

The default 1000ms (1 second) timeout provides a balance between waiting for a cloud verdict and minimizing user impact.

97. What does the CLI command `show mlav cloud-status` verify?

a) The firewall's connection status to the main WildFire cloud.

b) The firewall's connectivity status to the Inline ML cloud service (ml.service.paloaltonetworks.com).

c) The status of the Inline ML models installed on the firewall.

d) The license status for Advanced WildFire Inline ML.

This command specifically checks the connectivity to the backend service responsible for supporting the on-dataplane Inline ML feature.

98. What specific information from a WildFire Analysis Report is mentioned as being helpful for desktop support to determine if a user system is infected?

a) The file hash and verdict.

b) Details on files created/modified, processes spawned, and registry changes.

c) The source IP address and application used.

d) The VirusTotal coverage status.

The behavioral analysis (file, process, registry activity) provides concrete indicators of compromise (IOCs) that support teams can look for on the potentially infected machine.

99. What feature allows a WildFire private appliance to quickly get verdicts for known samples by checking the public cloud first?

a) Real-time Updates.

b) Hybrid Cloud Deployment.

c) Cloud Intelligence (when enabled on the appliance).

d) Standalone API access.

Cloud Intelligence allows the private appliance to leverage the global knowledge base for known samples, saving its own analysis resources for truly unknown files specific to the organization.

100. In the WildFire Submissions log, an entry with verdict 'Malicious' and action 'Allow' would typically have which severity level?

a) Critical.

b) High.

c) Medium.

d) Informational.

A known malicious file being allowed through the firewall represents a significant security event, hence the 'High' severity classification.

Advanced WildFire Knowledge Quiz