Prisma

COMMENTS

STATISTICS

RECORDS

TAKE THE TEST

Title of test:

Prisma

Description:
Practice set

Author:
Nicks

Other tests from this author

Creation Date: 2021/02/25

Category: Others

Number of questions: 103

Rating:

(0)

Share the Test:

Nuevo Comentario

New Comment
NO RECORDS

Content:

Which is not a tab in the container model?. Process. Networking. File System. Memory. Configure container runtime.

An organization that uses a private cloud in a black site that has no internet connection can use which product?. Google Cloud. AWS S3 Management. Prisma Cloud Compute. Prisma Cloud.

Which registry do you use to download the Prisma Cloud Compute Defender image?. registry.redlock.com. registry.twistlock.com. registry.prisma.com. registry.paloaltonetworks.com.

What is the maximum idle timeout without using a custom value?. 30 minutes. 45 minutes. 60 minutes. 120 minutes.

Which is not a valid action in a CNAF rule?. Disable. Log. Alert. Prevent.

What is not an exposure level that would apply to a storage bucket?. Public. Partial. Conditional. Private.

Which protocol or protocols does the Cloud Native Application Firewall (CNAF) process?. LDAP. SSL. SSH. HTTP.

In which format are alert details provided to accepting systems. XML. JSON. CSV. HTTP.

Which command will get the results of a container scan?. GET /results/containers/download. POST /results/containers/download. GET /containers/download. POST /containers/download.

What is the alert state after the next scan when Prisma Cloud detects that excessive access was allowed to an AWS S3 bucket?. Open. Resolved. Closed. Detected.

What type of event do you need to log for DLP to work?. Read. Write. Upload. Download.

Which two modes are supported to secure cloud accounts? (Choose two.). Read only. Observe. Monitor. Observe & Prevent. Monitor & Protect.

Which cloud service can use DLP?. AWS S3. Azure Blob. Google Cloud. Google Cloud Messaging.

Which command will start an images scan?. GET /images/scan. POST /images/scan. GET /results/images/download. POST /results/images/download.

In Prisma Cloud Compute, which three languages can have their packages scanned for vulnerabilities in serverless? (Choose three.). JavaScript (Node.js). Go. C#. Rust. Python. Java.

Which three protocols are identified by the following RQL query? (Choose three.) protocol='TCP' AND dest.port IN (21,23,80) AND source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ). HTTP. Telnet. SSH. HTTPS. FTP.

If a Docker image raises a high severity compliance concern, what is the first digit of the compliance ID?. 2. 3. 4. 5.

You type this query: event where user = 'root'. Where would the events you see originate?. AWS. Azure. GCP. Google CLoud.

In which format does the twistcli create the configuration file for the Console when using Kubernetes?. JSON. YAML. XML. CSV.

In Prisma Cloud Compute, what is the default HTTPS port for the Console?. 443. 8083. 8443. 9443.

What is the name of the configuration file that controls a Onebox configuration?. twistlock.cfg. twistlock.json. redlock.cfg. edlock.json.

If a Docker container raises a medium severity compliance concern, what is the first digit of the compliance ID?. 2. 3. 4. 5.

What are the two external items that need to be deployed in Kubernetes together with a console? (Choose two.). a database (DB) to store the console’s state. a load balancer, which is used to expose the console to the network. an ephemeral volume (EV) for the console’s temporary data. a Kubernetes authorization engine to make sure only authorized administrators use the console. a persistent volume (PV) to store the console’s state.

How can Prisma Cloud Compute detect vulnerabilities in software installed directly rather than through a package manager?. It uses the MD5 Hash Generator of the executables to know what is running. Some apps are so popular that they are supported if you activate unpackaged scan in the web interface. Some apps are so popular that they are supported. This action is activated automatically. It uses the MD5 of executables to know what is running.

Which is not a field in the alert notification?. accountName. policyLabels. riskLevel. alertRemediationCli.

Which two criteria can you use for exceptions in a Host Vulnerability policy? (Choose two.). CVE ID. OS version. Is there a vendor fix available?. Severity. Tag.

Which two integrations can send alerts to a system that is behind dynamic source address translation? (Choose two.). Tenable. Webhooks. Email. Qualys. Slack.

Which type of Defender installation do you need for an admission controller?. Single Defender. DaemonSet. Swarm. Multiple Defender.

Which of these is not a tab in the registry details for a Docker image?. Layers. Process Info. Network Connections. Packages.

Which format do you use with a config search?. RQL. SQL. JSON query. XML query.

What is a valid tag for a Prisma Cloud Compute Docker image?. defender-20-04-177. defender.20.04.177. defender_20.04.177. defender_20_04_177.

Which cloud service can consume CloudFormation configuration files?. AWS. Azure. Google Storage. GCP.

You want to test an alert channel using /api/v1/alert-profiles/test. Which format should you use?. YAML. JSON. Python. GET.

How many queries can a policy include? How many standards?. multiple queries, multiple standards. one query, one standard. one query, multiple standards. multiple queries, one standard.

Which two alert states would be used by an administrator that is trying to hide the alerts caused by their actions?. Open. Dismissed. Resolved. Closed. Snoozed.

The OOTB policy to verify that versioning is turned on in AWS S3 buckets is applied to which two code options? (Choose two.). Terraform. CloudField. CloudFormation. Kubernetes.

Which option shows the types of cloud accounts supported by Prisma Cloud?. AWS, Azure, GCP, Alibaba, and IBM Cloud. AWS, Azure, and GCP. AWS, Azure, GCP, and Alibaba. AWS and Azure.

What are three ways to limit the applicability of a vulnerability rule? (Choose three.). scope (containers, images, etc.). apply the rule only if there is a vendor fix. operating system (Linux vs. Windows). cloud environment (AWS vs. Azure vs. GCP). exceptions to the rule by CVEs and/or tags.

Which type of virtual machine can Prisma Cloud scan without running an agent on it?. Any VM image on the three major cloud providers (AWS, Azure, and GCP) running Linux. Any VM image on the three major cloud providers (AWS, Azure, and GCP) running Windows. Amazon Machine Image (AMI) running Linux or Windows. Amazon Machine Image (AMI) running Linux.

Which configuration needs to be done to perform user entity behavior analysis with Prisma Public Cloud?. Create alert rules. Whitelist IP addresses. Configure User-ID. . Define enterprise settings.

Which two cloud providers support Load Balancers as next hop configurations for outbound connections? (Choose two.). Google Cloud Platform. Microsoft Azure. Oracle Cloud. Amazon Web Services.

Match the query type with its corresponding search: 1. Find instances that are accessible over the internet using insecure port 2. Detect risky changes executed by a root user 3. View all S3 buckets that are open to the public via bucket policy. 3. Config where. 2. Event where. 1. Network where.

Which RQL string returns a list of all Azure virtual machines that are not currently running?. config where api.name = 'azure-vm-list' AND json.rule = powerState = "off'. config where api.name = 'azure-vm-list' AND json.rule = powerState does not contain "running". config where api.name = 'azure-vm-list' AND json.rule = powerState = "running". config where api.name = 'azure-vm-list' AND json.rule = powerState contains "running".

Palo Alto Networks recommends which two options for outbound HA design in Amazon Web Services using VM-Series NGFW? (Choose two.). iLB-as-next-hop. transit gateway and security VPC with VM-Series. traditional active/standby HA on VM-Series. transit VPC and security VPC with VM-Series.

Prisma Public Cloud enables compliance monitoring and reporting by mapping which configurations to compliance standards?. RQL queries. alert rules. notification templates. Policies.

An administrator has deployed an AWS transit gateway and used multiple VPC spokes to segregate a multi-tier application. The administrator also created a security VPC with multiple VM-Series NGFWs in an active/active deployment model via ECMP using Amazon Web Services VPN-based attachments. What must be configured on the firewall to avoid asymmetric routing?. source address translation. destination address translation. port address translation. source and destination address translation.

Which two statements are true about CloudFormation? (Choose two.). CloudFormation is a procedural configuration management tool. CloudFormation templates can be used on both Amazon Web Services and Microsoft Azure. CloudFormation templates can be written in JSON or YAML. CloudFormation is a declarative orchestration tool.

Which Amazon Web Services security service can provide host vulnerability information to Prisma Public Cloud?. Shield. Inspector. GuardDuty. Amazon Web Services WAF.

Which configuration needs to be done to perform user entity behavior analysis with Prisma Public Cloud?. Create alert rules. Whitelist IP addresses. Configure User-ID. Define enterprise settings.

A customer has just launched a Palo Alto Networks VM-Series NGFW into an Amazon Web Services VPC to protect a cloud hosted application. They are experiencing unpredictable results and have identified that the interfaces on the firewall are in the incorrect order Which PAN-OS CLI command resolves this issue?. set mgmt-interface settings swap yes. set system setting mgmt-interface swap yes. set mgmt-interface swap yes. set system setting mgmt-interface-swap enable yes.

Which cloud provider supports iLB-as-next-hop?. Microsoft Azure. Alibaba Cloud. Oracle Cloud. Amazon Web Services.

The customer has an Amazon Web Services Elastic Computing Cloud that provides a service to the internet directly and needs to secure that cloud with a VM-Series NGFW. Which component handles address translation?. The servers and VM-Series NGFW have publicly accessible IP addresses for management purposes. The server VMs have private use only (RFC 1918) IPs. The VM-Series NGFW translates those addresses to publicly accessible IP addresses. The server VMs and the VM-Series NGFW have private use only (RFC 1918) IPs. Amazons cloud infrastructure translates those addresses to publicly accessible IP addresses. The server VMs have private use only (RFC 1918) IPs. Amazon's cloud infrastructure translates those addresses to publicly accessible IP addresses. The VM-Series NGFW has publicly accessible IP addresses.

Which three services can Google Cloud Security Scanner assess? (Choose three.). Google Virtual Private Cloud. App Engine. Google Kubernetes Engine. BigQuery. Compute Engine.

The VM-Series integration with Amazon GuardDuty feeds malicious IP addresses to the VMSeries NGFW using XML API to populate a Dynamic Address Group within a Security policy that blocks traffic. How does Amazon Web Services achieve this integration?. SNS. Lambda. SQS. CodeDeploy.

What are three examples of outbound traffic flow? (Choose three.). issue yum update command on an instance inside Amazon Web Services. Microsoft Windows inside Azure requesting a security patch. web server inside Amazon Web Services receiving web requests from internet. issue apt-get install command on an instance inside Amazon Web Services. outgoing Prisma Public Cloud API calls.

In which two ways does Palo Alto Networks VM orchestration help service providers automatically provision security instances and policies? (Choose two.). fully instrumented API. Aperture Orchestration Engine. VM Orchestration Policy Editor. support for Dynamic Address Groups.

What is a permanent public IP called on Amazon Web Services?. Reserved IP. PIP. EIP. Floating IP.

Which option is true about VM-Series NGFW templates available from the Palo Alto Networks GitHub repository?. Palo Alto Networks provides full support if a valid support license is in place. Support for the templates is available through Professional Services from Palo Alto Networks. Unless otherwise noted, these templates are released under an as-is. best effort support policy. The author of the template provides full support as long as the PAN-OS version specific to the template is supported.

What are the two options to dynamically register tags used by Dynamic Address Groups that are referenced in policy? (Choose two.). VM Monitoring. External Dynamic List. CFT Template. XML API.

What is required for an EC2 instance to access the internet directly from an AWS VPC?. Internet Gateway. Transit Gateway. Virtual Private Gateway. Customer Gateway.

Which three services can Google Cloud Security Scanner assess? (Choose three.). Google Kubernetes Engine. BigQuery. Compute Engine. App Engine. Google Virtual Private Cloud.

Which RQL string monitors all traffic from the Internet and Suspicious IPs destined for your Amazon Web Services databases''. network where source.publicnetwork IN ('Suspicious IPs') and dest.resource IN (resource where role IN ('AWS RDS', 'Database')). network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN (resource where role IN ('LDAP')). network where dest.resource IN (resource where role = 'Database'}. network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest resource IN (resource where role IN ('AWS RDS'. 'Database')).

Which framework in Prisma Public Cloud can be used to provide general best practices when no specific legal requirements or regulatory standards need to be met?. HIPAA. CIS Benchmark. Payment Card Industry DSS V3. GDPR.

When protecting against attempts to exploit client-side and server-side vulnerabilities, what is the Palo Alto Networks best practice when using NGFW VulnerabilityProtection Profiles?. When protecting against attempts to exploit client-side and server-side vulnerabilities, what is the Palo Alto Networks best practice when using NGFW VulnerabilityProtection Profiles?. Clone the predefined Strict Profile, with packet capture settings disabled. Use the default Vulnerability Protection Profile to protect servers from all known critical, high, and medium-severity threats. Clone the predefined Strict Profile, with packet capture settings enabled.

When an on-premises NGFW (customer gateway) is used to connect to the Virtual Gateway, which two IKE profiles cannot be used? (Choose two.). Group2 / SHA-1 / AES-128-CBC / IKE-V1. Group2 / SHA-1 / AES-128-GCM / IKE-V1. Group14 / SHA-256 / AES-256-GCM / IKE-V1. Group2 / SHA-1 / AES-128-CBC. Group14 / SHA-256 / AES-256-CBC / IKE-V1.

Which RQL string monitors all traffic from the Internet and Suspicious IPs destined for your Amazon Web Services databases''. A. network where source.publicnetwork IN ('Suspicious IPs') and dest.resource IN (resource where role IN ('AWS RDS', 'Database')). B. network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN (resource where role IN ('LDAP')). C. network where dest.resource IN (resource where role = 'Database'}. D. network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest resource IN (resource where role IN ('AWS RDS'. 'Database').

Which three requirements are needed to register a PAYG VM-Series NGFW at the Palo Alto Networks Customer Support website? (Choose three.). Serial Number. CPU ID. Auth Code. License Key. UUID.

Which three services can Google Cloud Security Scanner assess? (Choose three.). Google Kubernetes Engine. BigQuery. Compute Engine. App Engine. Google Virtual Private Cloud.

How is license utilization displayed within the Prisma Public Cloud interface?. navigate to the CLI and run show license command. navigate to General > Licensing. navigate to Dashboard > Asset Inventory. navigate to Settings (via the gear icon) > Licensing.

can you create a custom compliance standard in Prisma Public Cloud?. Generate a new Compliance Report. Create compliance framework in a spreadsheet then import into Prisma Public Cloud. From Compliance tab, clone a default framework and customize. From Compliance tab > Compliance Standards, click "Add New.".

Which three features are not supported by VM-Series NGFWs on Azure Stack? (Choose three.). Azure Application Insight. Resource Group. Azure Security Center. Bootstrapping. ARM Template.

Can Defender upgrades be restricted to a specific window of time?. You can specify the maintenance window in the console, and then Defender upgrades will happen only during that time. No. Upgrades happen automatically. However, those upgrades do not cause downtime. You can disable auto-upgrade, and then upgrade the Defenders during the window from the web-based interface (Action > Upgrade). You can disable auto-upgrade, but then you can't upgrade the Defenders. You need to uninstall and reinstall them for the upgrade.

Where do you install an app-embedded Defender?. on the Docker containers that implement the application. on both the hosts and the images. on the images that become the Docker containers of the application. on the hosts that run the Docker containers of the application.

Which command do you use to install a container Defender on Linux?. curl. rpm. apt install. either rpm or apt install, depending on the Linux distribution.

In Prisma Cloud Compute, what is the default HTTPS port for the Console?. 9443. 443. 8083. 8443.

The TCP listener setting in a Docker Defender running on Linux allows the Defender to function as what? Choose one: a Docker proxy. an HTTP proxy. a firewall. an SSH proxy.

How do you deploy a host Defender on Windows? Choose one: Run the provided command line using PowerShell. Download an .msi package using the browser. Download an .exe command package using the browser. Run the provided command line using the old (cmd.exe) shell.

An Azure VNet has the IP network 10.0.0.0/16 with two subnets, 10.0.1.0/24 (used for web servers) and 10.0.2.0/24 (used for database servers). Which is a valid IP address to manage the VM-Series NGFW?. 10.0.2.1. 10.0.3.255. 10.0.3.1. 10.0.1.254.

Which option is defined by the creation and change of public cloud services managed in a repeatable and predictable fashion?. platform as a service. infrastructure as a service. infrastructure as code. software as code.

Which three methods can provide application-level security for a web server instance on Amazon Web Services? (Choose three.). Prisma SaaS. VM-Series firewalls. Amazon Web Services WAF. Security Groups. Traps.

Which RQL string monitors all traffic from the Internet and Suspicious IPs destined for your Amazon Web Services databases''. network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest resource IN (resource where role IN ('AWS RDS'. 'Database')). network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN (resource where role IN ('LDAP')). network where dest.resource IN (resource where role = 'Database'}. network where source.publicnetwork IN ('Suspicious IPs') and dest.resource IN (resource where role IN ('AWS RDS', 'Database')).

A customer has just launched a Palo Alto Networks VM-Series NGFW into an Amazon Web Services VPC to protect a cloud hosted application. They are experiencing unpredictable results and have identified that the interfaces on the firewall are in the incorrect order Which PAN-OS CLI command resolves this issue?. set system setting mgmt-interface swap yes. set mgmt-interface swap yes. set system setting mgmt-interface-swap enable yes. set mgmt-interface settings swap yes.

An administrator deploys a VM-Series firewall into Amazon Web Services. Which attribute must be disabled on the data-plane elastic network interface for the instance to handle traffic that is not destined to its own IP address?. security group. tags. elastic ip address. source/destination checking.

Which RQL string using network query attributes returns all traffic destined for Internet or for Suspicious IPs that also exceeds 1GB?. network where publicnetwork = ('Internet IPs', 'Suspicious IPs') AND bytes > 1000000000. network where dest publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 1000000000. show traffic where destination.network = ('Internet IPs', 'Suspicious IPs') AND bytes > 1000000000. network where bytes > 1GB and destination = 'Internet IPs' OR 'Suspicious IPs'.

What configuration on AWS is required in order for VM-Series to forward traffic between its network interfaces?. Both Source and Destination Checks are disabled. Both Source and Destination Checks are enabled. Source Check is disabled and Destination Check is enabled. Source Check is enabled and Destination Check is disabled.

What is the scope of the Amazon Web Services 1AM Service?. global. VPC. zonal. regional.

Match the logging service with its cloud provider. Cloud Watch. Activity Log. Stackdriver. Monitor. Cloudtrail. Cloudaudot.

Amazon Web Services WAF can be enabled on which two resources?(Choose two.). AWS ALB. AWS CDN. AWS NLB. AWS NAT Gateway.

A client has a sensitive internet-facing application server in Microsoft Azure and is concerned about resource exhaustion because of distributed denial-of-service attacks What can be configured on the VM-Series firewall to specifically protect this server against this type of attack?. Custom threat signature. QoS Profile to limit incoming requests. Zone Protection Profile. DoS Protection Profile with specific session counts.

How can you use Prisma Public Cloud to identify Amazon EC2 instances that have been tagged as "Private?. Generate a CIS compliance report and review the "Asset Summary.". Create an RQL config query to identify resources with the tag "Private.". Create an RQL network query to identify traffic from resources tagged "Private.". Open the Asset Dashboard, filter on tags: and choose "Private.".

What are two ways to initially deploy a VM-Series NGFW in Microsoft Azure? (Choose two.). through ARM Templates in the GitHub Repository. through Solution Templates in the Azure Marketplace. through Iron Skillets in the GitHub Repository. through Expedition in the Customer Success Portal.

How can you modify a range of dates default policy in Prisma Public Cloud?. Click the Gear icon next to the policy name to open the Edit Policy dialog. Override the value and commit the configuration. Clone the existing policy and change the value. Manually create the RQL statement.

Which step is included when configuring Kubernetes to use Prisma Cloud Compute as an admission controller?. copy the Console address and set the config map for the default namespace. enable Kubernetes auditing from the Defend > Access > Kubernetes page in the Console. copy the admission controller configuration from the Console and apply it to Kubernetes. create a new namespace in Kubernetes called admission-controller.

A customer is interested in PCI requirements and needs to ensure that no privilege containers can start in the environment. Which action needs to be set for "do not use privileged containers?. Prevent. Fail. Alert. Block.

The Unusual protocol activity (Internal) network anomaly is generating too many alerts An administrator has been asked to tune it to the option that will generate the least number of events without disabling it entirely. Which strategy should the administrator use to achieve this goal?. Change the Training Threshold to Low. Set the Alert Disposition to Conservative. Disable the policy. Set Alert Disposition to Aggressive.

Which three types of classifications are available in the Data Security module? (Choose three. ). Compliance standard. Personally identifiable information. Financial information. .Malicious IP. Malware.

A security team is deploying Cloud Native Application Firewall (CNAF) on a containerized web application. The application is running an NGINX container. The container is listening on port 8080 and is mapped to host port 80. Which port should the team specify in the CNAF rule to protect the application?. 443. 8080. 8888. 80.

An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS Which port will twistcli need to use to access the Prisma Compute APIs?. 8081. 443. 8084. 8083.

Which method should be used to authenticate to Prisma Cloud Enterprise programmatically?. SAML. access key. basic authentication. single sign-on.

Which order of steps map a policy to a custom compliance standard? (Drag the steps into the correct order of occurrence, from the first step to the last.). 1. 2. 3. 4.

A customer is deploying Defenders to a Fargate environment It wants to understand the vulnerabilities in the images it is deploying. How should the customer automate vulnerability scanning for images deployed to Fargate?. Embed a Fargate Defender to automatically scan for vulnerabilities. . Use Cloud Compliance to identify misconfigured AWS accounts. Set up a vulnerability scanner on the registry. Designate a Fargate Defender to serve a dedicated image scanner.

Report abuse

▲