Ding dong

1. Which procedure is most effective for maintaining continuity and security during a Prisma Access data plane software upgrade?. Back up configurations, schedule upgrades during off-peak hours, and use a phased approach rather than attempting a network-wide rollout. Use Strata Cloud Manager (SCM) to perform dynamic upgrades automatically and simultaneously across all locations at once to ensure network-wide uniformity. Disable all security features during the upgrade to prevent conflicts and re-enable them after completion to ensure a smooth rollout process. Perform the upgrade during peak business hours, quickly address any user-reported issues, and ensure immediate troubleshooting post-rollout.

2.An NGFW administrator is updating PAN-OS on company data center firewalls managed by Panorama. Prior to installing the update, what must the administrator verify to ensure the devices will continue to be supported by Panorama?. Device telemetry is enabled. Panorama is configured as the primary device in the log collecting group for the data center firewalls. All devices are in the same template stack. Panorama is running the same or newer PAN-OS release as the one being installed.

3.In which two applications can Prisma Access threat logs for mobile user traffic be reviewed? (Choose two.). Prisma Cloud dashboard. Strata Cloud Manager (SCM). Strata Logging Service. Service connection firewall.

4.Which two tools can be used to configure Cloud NGFWs for AWS? (Choose two.). Cortex XSIAM. Prisma Cloud management console. Panorama. Cloud service provider's management console.

5.Using Prisma Access, which solution provides the most security coverage of network protocols for the mobile workforce?. Explicit proxy. Client-based VPN. Enterprise browser. Clientless VPN.

6.Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two.). RADIUS profile. Incomplete certificate chains. Certificate pinning. SAML certificate.

7.Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events?. Address objects. Dynamic Address Groups. Dynamic User Groups. Predefined IP addresses.

8.How does a firewall behave when SSL Inbound Inspection is enabled?. It acts transparently between the client and the internal server. It decrypts inbound and outbound SSH connections. It decrypts traffic between the client and the external server. It acts as meddler-in-the-middle between the client and the internal server.

9.When a firewall acts as an application-level gateway (ALG), what does it require in order to establish a connection?. Dynamic IP and Port (DIPP). Payload. Session Initiation Protocol (SIP). Pinholes.

10.Which security profile provides real-time protection against threat actors who exploit the misconfigurations of DNS infrastructure and redirect traffic to malicious domains?. Antivirus. URL Filtering. Vulnerability Protection. Anti-spyware.

11.Which method in the WildFire analysis report detonates unknown submissions to provide visibility into real-world effects and behavior?. Dynamic analysis. Static analysis. Intelligent Run-time Memory Analysis. Machine learning (ML).

12.How many places will a firewall administrator need to create and configure a custom data loss prevention (DLP) profile across Prisma Access and the NGFW?. One. Two. Three. Four.

13.A cloud security architect is designing a certificate management strategy for Strata Cloud Manager (SCM) across hybrid environments. Which practice ensures optimal security with low management overhead?. Deploy centralized certificate automation with standardized protocols and continuous monitoring. Implement separate certificate authorities with independent validation rules for each cloud environment. Configure manual certificate deployment with quarterly reviews and environment-specific security protocols. Use cloud provider default certificates with scheduled synchronization and localized renewal processes.

14.Which set of practices should be implemented with Cloud Access Security Broker (CASB) to ensure robust data encryption and protect sensitive information in SaaS applications?. Do not enable encryption for data-at-rest to improve performance. Use default encryption keys provided by the SaaS provider. Perform annual encryption key rotations. Enable encryption for data-at-rest and in transit, regularly update encryption keys, and use strong encryption algorithms.

15.How does Strata Logging Service help resolve ever-increasing log retention needs for a company using Prisma Access?. It increases resilience due to decentralized collection and storage of logs. Automatic selection of physical data storage regions decreases adoption time. It can scale to meet the capacity needs of new locations as business grows. Log traffic using the licensed bandwidth purchased for Prisma Access reduces overhead.

16.After a firewall is associated with Strata Cloud Manager (SCM), which two additional actions are required to enable management of the firewall from SCM? (Choose two.). Deploy a service connection for each branch site and connect with SCM. Configure NTP and DNS servers for the firewall. Configure a Security policy allowing “stratacloudmanager.paloaltonetworks.com” for all users. Install a device certificate.

17.How does Advanced WildFire integrate into third-party applications?. Through playbooks automatically sending WildFire data. Through customized reporting configured in NGFWs. Through Strata Logging Service. Through the WildFire API.

18.Which two SSH Proxy decryption profile settings should be configured to enhance the company’s security posture? (Choose two.). Block sessions when certificate validation fails. Allow sessions with legacy SSH protocol versions. Block connections that use non-compliant SSH versions. Allow sessions when decryption resources are unavailable.

19.A network security engineer has created a Security policy in Prisma Access that includes a negated region in the source address. Which configuration will ensure there is no connectivity loss due to the negated region?. Set the service to be application-default. Create a Security policy for the negated region with destination address “any”. Add a Dynamic Application Group to the Security policy. Add all regions that contain private IP addresses to the source address.

20.What is a necessary step for creation of a custom Prisma Access report on Strata Cloud Manager (SCM)?. Open a support ticket. Set up Cloud Identity Engine. Generate a PDF summary report. Configure a dashboard.

21.Which NGFW function can be used to enhance visibility, protect, block, and log the use of Postquantum Cryptography (PQC)?. DNS Security profile. Decryption policy. Security policy. Decryption profile.

22.What is the recommended upgrade path from PAN-OS 9.1 to PAN-OS 11.2?. 9.1 → 11.0 → 11.2. 9.1 → 10.0 → 11. 9.1 → 11. 9.1 → 10.0 → 11.2.

23.Which two features can a network administrator use to troubleshoot the issue of a Prisma Access mobile user who is unable to access SaaS applications? (Choose two.). SaaS Application Risk Portal. Capacity Analyzer. GlobalProtect logs. Autonomous Digital Experience Manager (ADEM) console.

24.Which two content updates can be pushed to next-generation firewalls from Panorama? (Choose two.). Advanced URL Filtering. Applications and threats. WildFire. GlobalProtect data file.

25.A network administrator obtains Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service?. Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. Create overrides for all company owned FQDNs. Configure DNS Security signature policy settings to sinkhole malicious DNS queries. Enable Advanced Threat Prevention with default settings and only focus on high-risk traffic.

26.What must be configured to successfully onboard a Prisma Access remote network using Strata Cloud Manager (SCM)?. Cloud Identity Engine. Autonomous Digital Experience Manager (ADEM). GlobalProtect agent. IPSec termination node.

27.In a Prisma SD-WAN environment experiencing voice quality degradation, which initial action is recommended?. Immediately modify path quality thresholds. Review real-time analytics of path performance. Switch all VoIP traffic to backup paths. Request an RMA of the ION devices.

28.Which action optimizes user experience across a segmented network architecture and implements the most effective method to maintain secure connectivity between branch and campus locations?. Establish site-to-site tunnels on each branch and campus firewall and have individual VLANs for each department. Configure all branch and campus firewalls to use a single shared broadcast domain. Implement SD-WAN to route all traffic based on network performance metrics and use zone protection profiles. Configure a single campus firewall to handle the routing of all branch traffic.

29.When configuring Security policies on VM-Series firewalls, which set of actions will ensure the most comprehensive Security policy enforcement?. Configure port-based policies, check threat logs weekly, conduct software updates annually, and enable decryption. Configure policies using User-ID and App-ID, enable decryption, apply appropriate security profiles to rules, and update regularly with dynamic updates. Configure all default policies provided by the firewall, use Policy Optimizer, and adjust security rules after an incident occurs. Configure a block policy for all malicious inbound traffic, configure an allow policy for all outbound traffic, and update regularly with dynamic updates.

30.Which functionality does an NGFW use to determine whether new session setups are legitimate or illegitimate?. SYN bit. SYN cookies. Random Early Detection (RED). SYN flood protection.

31.Which two security services are required for configuration of NGFW Security policies to protect against malicious and misconfigured domains? (Choose two.). Advanced Threat Prevention. SaaS Security. Advanced WildFire. Advanced DNS Security.

32.Which step is necessary to ensure an organization is using the inline cloud analysis features in its Advanced Threat Prevention subscription?. Disable anti-spyware to avoid performance impacts and rely solely on external threat intelligence. Enable SSL decryption in Security policies to inspect and analyze encrypted traffic for threats. Update or create a new anti-spyware security profile and enable the appropriate local deep learning models. Configure Advanced Threat Prevention profiles with default settings and only focus on high-risk traffic to avoid affecting network performance.

33.Which zone is available for use in Prisma Access?. Clientless VPN. Interzone. Intrazone. DMZ.

34.Which offering can be managed in both Panorama and Strata Cloud Manager (SCM)?. Autonomous Digital Experience Manager (ADEM). VM-Series Next-Generation Firewall (NGFW). Prisma SD-WAN. SaaS Security.

35.Which component of NGFW is supported in active/passive design but not in active/active design?. Single floating IP address. Using a DHCP client. Route-based redundancy. Configuring ARP load-sharing on Layer 3.

36.What key capability distinguishes Content-ID technology from conventional network security approaches?. It performs packet header analysis short of deep packet inspection. It provides single-pass application layer inspection for real-time threat prevention. It exclusively monitors network traffic volumes. It relies primarily on reputation-based filtering.

37.In a distributed enterprise implementing Prisma SD-WAN, which configuration element should be implemented first to ensure optimal traffic flow between remote sites and headquarters?. Deploy redundant ION devices at each location. Implement dynamic path selection using real-time performance metrics. Configure static routes between all the branch offices. Enable split tunneling for all branch locations.

38.Which two components of a Security policy, when configured, allow third-party contractors access to internal applications outside business hours? (Choose two.). App-ID. Service. User-ID. Schedule.

39.A company has an ongoing initiative to monitor and control IT-sanctioned SaaS applications. To be successful, it will require configuration of decryption policies, along with data filtering and URL Filtering Profiles used in Security policies. Based on the need to decrypt SaaS applications, which two steps are appropriate to ensure success? (Choose two.). Configure SSL Forward Proxy. Validate which certificates will be used to establish trust. Configure SSL Inbound Inspection. Create new self-signed certificates to use for decryption.

40.A network security engineer wants to forward Strata Logging Service data to tools used by the Security Operations Center (SOC) for further investigation. In which best practice step of Palo Alto Networks Zero Trust does this fit?. Map and Verify Transactions. Implementation. Standards and Designs. Report and Maintenance.

41.A network engineer pushes specific Panorama reports of new AI URL category types to branch NGFWs. Which two report types achieve this goal? (Choose two.). SNMP. Custom. PDF summary. CSV export.

42.Which subscription sends non-file format-based traffic that matches Data Filtering Profile criteria to a cloud service to render a verdict?. Enterprise DLP. Advanced URL Filtering. SaaS Security Inline. Advanced WildFire.

43.How are policies evaluated in the AWS management console when creating a Security policy for a Cloud NGFW?. The administrator sets a rule order to determine the order in which they are evaluated. They can be dragged up or down the stack as they are evaluated. The administrator sets a rule priority to determine the order in which they are evaluated. They must be created in the order they are intended to be evaluated.

44.During a security incident investigation, which Security profile will have logs of attempted confidential data exfiltration?. File Blocking Profile. Enterprise DLP Profile. Vulnerability Protection Profile. WildFire Analysis Profile.

45.Which set of attributes is used by IoT Security to identify and classify appliances on a network when determining Device-ID?. IP address, network traffic patterns, and device type. MAC address, device manufacturer, and operating system. Hostname, application usage, and encryption method. Device model, firmware version, and user credential.

46.Which two types of logs must be forwarded to Strata Logging Service for IoT Security to function? (Choose two.). WildFire. Enhanced application. Threat. URL Filtering.

47.Which action is only taken during slow path in the NGFW policy?. Session lookup. Layer 2—Layer 4 firewall processing. SSL/TLS decryption. Security policy lookup.

48.Which feature of SaaS Security will allow a firewall administrator to identify unknown SaaS applications in an environment?. App-ID Cloud Engine. App-ID. SaaS Data Security. Cloud Identity Engine.

49.How do Cloud NGFW instances get created when using AWS centralized deployments?. Cloud NGFW is placed in a vWAN with a virtual hub. They replace the internet gateway service. Selected VPCs will have Cloud NGFW workloads added to them. A security VPC will be created as transit gateways to push all traffic through the area.

50.Which GlobalProtect configuration is recommended for granular security enforcement of remote user device posture?. Configuring host information profile (HIP) checks for all mobile users. Configuring a rule that blocks the ability of users to disable GlobalProtect while accessing internal applications. Implementing multi-factor authentication (MFA) for all users attempting to access internal applications. Applying log at session end to all GlobalProtect Security policies.

51.Which AI-powered solution provides unified management and operations for NGFWs and Prisma Access?. Strata Cloud Manager (SCM). Autonomous Digital Experience Manager (ADEM). Prisma Access Browser. Panorama.

52.Which action allows an engineer to collectively update VM-Series firewalls with Strata Cloud Manager (SCM)?. Creating an update grouping rule. Scheduling software update. Creating a device grouping rule. Setting a target OS version.

53.A network security engineer needs to implement segmentation but is under strict compliance requirements to place security enforcement as close as possible to the private applications hosted in Azure. Which deployment style is valid and meets the requirements in this scenario?. On a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network. On a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network. On a VM-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network. On a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.

54.A primary firewall in a high availability (HA) pair is experiencing a current failover issue with ICMP pings to a secondary device. Which metric should be reviewed for proper ICMP pings between the firewall pair?. Link monitoring. Non-functional state. Heartbeat polling. Bidirectional Forwarding Detection (BFD).

55.What are two recommendations to ensure secure and efficient connectivity across multiple locations in a distributed enterprise network? (Choose two.). Use Prisma Access to provide secure remote access for branch users. Employ centralized management and consistent policy enforcement across all locations. Create broad VPN policies for contractors working at branch locations. Implement a flat network design for simplified network management and reduced overhead.

56.Which two configurations are required when creating deployment profiles to migrate a perpetual VMSeries firewall to a flexible VM? (Choose two.). Choose “Fixed vCPU Models” for configuration type. Allocate the same number of vCPUs as the perpetual VM. Allow only the same security services as the perpetual VM. Deploy virtual Panorama for management.

57.What occurs when a security profile group named “default” is created on an NGFW?. It only applies to traffic that has been dropped due to the reset client action. It allows traffic to bypass all security checks by default. It negates all existing security profiles rules on new policy. It is automatically applied to all new security rules.

58.In a service provider environment, what key advantage does implementing virtual systems provide for managing multiple customer environments?. Shared threat prevention policies across all tenants. Centralized authentication for all customer domains. Unified logging across all virtual systems. Logical separation of control and Security policy.

59.An administrator wants to implement additional Cloud-Delivered Security Services (CDSS) on a data center NGFW that already has one enabled. What benefit does the NGFW’s single-pass parallel processing (SP3) architecture provide?. It allows for traffic inspection at the application level. There will be no additional performance degradation. There will be only a minor reduction in performance. It allows additional security inspection devices to be added inline.

60.How can a firewall administrator block a list of 300 unique URLs in the most time-efficient manner?. Use application filters to block the App-IDs. Use application groups to block the App-IDs. Import the list into a custom URL category. Block multiple predefined URL categories.