Which is not a tab in the container model? Process Networking File System Memory Configure container runtime.
An organization that uses a private cloud in a black site that has no internet connection can use which product? Google Cloud AWS S3 Management Prisma Cloud Compute Prisma Cloud.
Which registry do you use to download the Prisma Cloud Compute Defender image? registry.redlock.com registry.twistlock.com registry.prisma.com registry.paloaltonetworks.com.
What is the maximum idle timeout without using a custom value? 30 minutes 45 minutes 60 minutes 120 minutes.
Which is not a valid action in a CNAF rule? Disable Log Alert Prevent.
What is not an exposure level that would apply to a storage bucket? Public Partial Conditional Private.
Which protocol or protocols does the Cloud Native Application Firewall (CNAF) process? LDAP SSL SSH HTTP.
In which format are alert details provided to accepting systems XML JSON CSV HTTP.
Which command will get the results of a container scan? GET /results/containers/download POST /results/containers/download GET /containers/download POST /containers/download.
What is the alert state after the next scan when Prisma Cloud detects that excessive access was allowed to an AWS S3 bucket? Open Resolved Closed Detected.
What type of event do you need to log for DLP to work? Read Write Upload Download.
Which two modes are supported to secure cloud accounts? (Choose two.) Read only Observe Monitor Observe & Prevent Monitor & Protect.
Which cloud service can use DLP? AWS S3 Azure Blob Google Cloud Google Cloud Messaging.
Which command will start an images scan? GET /images/scan POST /images/scan GET /results/images/download POST /results/images/download.
In Prisma Cloud Compute, which three languages can have their packages scanned for vulnerabilities in serverless? (Choose three.) JavaScript (Node.js) Go C# Rust Python Java.
Which three protocols are identified by the following RQL query? (Choose three.)
protocol='TCP' AND dest.port IN (21,23,80) AND source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) HTTP Telnet SSH HTTPS FTP.
If a Docker image raises a high severity compliance concern, what is the first digit of the compliance ID? 2 3 4 5.
You type this query: event where user = 'root'. Where would the events you see originate? AWS Azure GCP Google CLoud.
In which format does the twistcli create the configuration file for the Console when using Kubernetes? JSON YAML XML CSV.
In Prisma Cloud Compute, what is the default HTTPS port for the Console? 443 8083 8443 9443.
What is the name of the configuration file that controls a Onebox configuration? twistlock.cfg twistlock.json redlock.cfg edlock.json.
If a Docker container raises a medium severity compliance concern, what is the first digit of the compliance ID? 2 3 4 5.
What are the two external items that need to be deployed in Kubernetes together with a console? (Choose two.) a database (DB) to store the console’s state a load balancer, which is used to expose the console to the network an ephemeral volume (EV) for the console’s temporary data a Kubernetes authorization engine to make sure only authorized administrators use the console a persistent volume (PV) to store the console’s state.
How can Prisma Cloud Compute detect vulnerabilities in software installed directly rather than through a package manager? It uses the MD5 Hash Generator of the executables to know what is running. Some apps are so popular that they are supported if you activate unpackaged scan in the web interface. Some apps are so popular that they are supported. This action is activated automatically. It uses the MD5 of executables to know what is running.
Which is not a field in the alert notification? accountName policyLabels riskLevel alertRemediationCli.
Which two criteria can you use for exceptions in a Host Vulnerability policy? (Choose two.) CVE ID OS version Is there a vendor fix available? Severity Tag.
Which two integrations can send alerts to a system that is behind dynamic source address translation? (Choose two.) Tenable Webhooks Email Qualys Slack.
Which type of Defender installation do you need for an admission controller? Single Defender DaemonSet Swarm Multiple Defender.
Which of these is not a tab in the registry details for a Docker image? Layers Process Info Network Connections
Packages.
Which format do you use with a config search? RQL SQL JSON query
XML query.
What is a valid tag for a Prisma Cloud Compute Docker image? defender-20-04-177 defender.20.04.177 defender_20.04.177 defender_20_04_177.
Which cloud service can consume CloudFormation configuration files? AWS Azure Google Storage
GCP.
You want to test an alert channel using /api/v1/alert-profiles/test. Which format should you use? YAML JSON Python GET.
How many queries can a policy include? How many standards? multiple queries, multiple standards one query, one standard one query, multiple standards multiple queries, one standard.
Which two alert states would be used by an administrator that is trying to hide the alerts caused by their actions? Open Dismissed Resolved Closed Snoozed.
The OOTB policy to verify that versioning is turned on in AWS S3 buckets is applied to which two code options? (Choose two.) Terraform CloudField CloudFormation Kubernetes.
Which option shows the types of cloud accounts supported by Prisma Cloud? AWS, Azure, GCP, Alibaba, and IBM Cloud AWS, Azure, and GCP AWS, Azure, GCP, and Alibaba AWS and Azure.
What are three ways to limit the applicability of a vulnerability rule? (Choose three.) scope (containers, images, etc.) apply the rule only if there is a vendor fix operating system (Linux vs. Windows) cloud environment (AWS vs. Azure vs. GCP) exceptions to the rule by CVEs and/or tags.
Which type of virtual machine can Prisma Cloud scan without running an agent on it? Any VM image on the three major cloud providers (AWS, Azure, and GCP) running Linux Any VM image on the three major cloud providers (AWS, Azure, and GCP) running Windows Amazon Machine Image (AMI) running Linux or Windows Amazon Machine Image (AMI) running Linux.
Which configuration needs to be done to perform user entity behavior analysis with Prisma Public
Cloud? Create alert rules. Whitelist IP addresses. Configure User-ID . Define enterprise settings.
Which two cloud providers support Load Balancers as next hop configurations for outbound
connections? (Choose two.) Google Cloud Platform Microsoft Azure Oracle Cloud Amazon Web Services.
Match the query type with its corresponding search:
1. Find instances that are accessible over the internet using insecure port
2. Detect risky changes executed by a root user
3. View all S3 buckets that are open to the public via bucket policy 3. Config where 2. Event where 1. Network where.
Which RQL string returns a list of all Azure virtual machines that are not currently running? config where api.name = 'azure-vm-list' AND json.rule = powerState = "off' config where api.name = 'azure-vm-list' AND json.rule = powerState does not contain "running" config where api.name = 'azure-vm-list' AND json.rule = powerState = "running" config where api.name = 'azure-vm-list' AND json.rule = powerState contains "running".
Palo Alto Networks recommends which two options for outbound HA design in Amazon Web Services
using VM-Series NGFW? (Choose two.) iLB-as-next-hop transit gateway and security VPC with VM-Series traditional active/standby HA on VM-Series transit VPC and security VPC with VM-Series.
Prisma Public Cloud enables compliance monitoring and reporting by mapping which configurations to compliance standards? RQL queries alert rules notification templates Policies.
An administrator has deployed an AWS transit gateway and used multiple VPC spokes to segregate a multi-tier application. The administrator also created a security VPC with multiple VM-Series NGFWs in an
active/active deployment model via ECMP using Amazon Web Services VPN-based attachments. What must be configured on the firewall to avoid asymmetric routing?
source address translation destination address translation port address translation source and destination address translation.
Which two statements are true about CloudFormation? (Choose two.) CloudFormation is a procedural configuration management tool. CloudFormation templates can be used on both Amazon Web Services and Microsoft Azure CloudFormation templates can be written in JSON or YAML CloudFormation is a declarative orchestration tool.
Which Amazon Web Services security service can provide host vulnerability information to Prisma Public Cloud? Shield Inspector GuardDuty Amazon Web Services WAF.
Which configuration needs to be done to perform user entity behavior analysis with Prisma Public Cloud? Create alert rules. Whitelist IP addresses Configure User-ID Define enterprise settings.
A customer has just launched a Palo Alto Networks VM-Series NGFW into an Amazon Web
Services VPC to protect a cloud hosted application. They are experiencing unpredictable results and
have identified that the interfaces on the firewall are in the incorrect order Which PAN-OS CLI
command resolves this issue? set mgmt-interface settings swap yes set system setting mgmt-interface swap yes set mgmt-interface swap yes set system setting mgmt-interface-swap enable yes.
Which cloud provider supports iLB-as-next-hop? Microsoft Azure Alibaba Cloud Oracle Cloud Amazon Web Services.
The customer has an Amazon Web Services Elastic Computing Cloud that provides a service to
the internet directly and needs to secure that cloud with a VM-Series NGFW.
Which component handles address translation? The servers and VM-Series NGFW have publicly accessible IP addresses for management purposes. The server VMs have private use only (RFC 1918) IPs. The VM-Series NGFW translates those
addresses to publicly accessible IP addresses.
The server VMs and the VM-Series NGFW have private use only (RFC 1918) IPs. Amazons cloud
infrastructure translates those addresses to publicly accessible IP addresses The server VMs have private use only (RFC 1918) IPs. Amazon's cloud infrastructure translates
those addresses to publicly accessible IP addresses. The VM-Series NGFW has publicly accessible IP
addresses.
Which three services can Google Cloud Security Scanner assess? (Choose three.) Google Virtual Private Cloud App Engine Google Kubernetes Engine BigQuery Compute Engine.
The VM-Series integration with Amazon GuardDuty feeds malicious IP addresses to the VMSeries NGFW using XML API to populate a Dynamic Address Group within a Security policy that blocks
traffic.
How does Amazon Web Services achieve this integration? SNS Lambda SQS CodeDeploy.
What are three examples of outbound traffic flow? (Choose three.) issue yum update command on an instance inside Amazon Web Services Microsoft Windows inside Azure requesting a security patch web server inside Amazon Web Services receiving web requests from internet issue apt-get install command on an instance inside Amazon Web Services outgoing Prisma Public Cloud API calls.
In which two ways does Palo Alto Networks VM orchestration help service providers automatically
provision security instances and policies? (Choose two.) fully instrumented API Aperture Orchestration Engine VM Orchestration Policy Editor support for Dynamic Address Groups.
Which two statements are true about CloudFormation? (Choose two.) CloudFormation is a procedural configuration management tool. CloudFormation templates can be used on both Amazon Web Services and Microsoft Azure CloudFormation templates can be written in JSON or YAML CloudFormation is a declarative orchestration tool.
What is a permanent public IP called on Amazon Web Services? Reserved IP PIP EIP Floating IP.
Which option is true about VM-Series NGFW templates available from the Palo Alto Networks GitHub
repository? Palo Alto Networks provides full support if a valid support license is in place. Support for the templates is available through Professional Services from Palo Alto Networks. Unless otherwise noted, these templates are released under an as-is. best effort support policy The author of the template provides full support as long as the PAN-OS version specific to the
template is supported.
What are the two options to dynamically register tags used by Dynamic Address Groups that are
referenced in policy? (Choose two.) VM Monitoring External Dynamic List CFT Template XML API.
What is required for an EC2 instance to access the internet directly from an AWS VPC? Internet Gateway Transit Gateway Virtual Private Gateway Customer Gateway.
Which three services can Google Cloud Security Scanner assess? (Choose three.) Google Kubernetes Engine BigQuery Compute Engine App Engine Google Virtual Private Cloud.
Which RQL string monitors all traffic from the Internet and Suspicious IPs destined for your Amazon Web
Services databases'' network where source.publicnetwork IN ('Suspicious IPs') and dest.resource IN (resource where role
IN ('AWS RDS', 'Database')) network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN
(resource where role IN ('LDAP')) network where dest.resource IN (resource where role = 'Database'} network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest resource IN
(resource where role IN ('AWS RDS'. 'Database'))
.
Which framework in Prisma Public Cloud can be used to provide general best practices when no specific
legal requirements or regulatory standards need to be met? HIPAA CIS Benchmark Payment Card Industry DSS V3 GDPR.
When protecting against attempts to exploit client-side and server-side vulnerabilities, what is the Palo Alto Networks best practice when using NGFW VulnerabilityProtection Profiles? When protecting against attempts to exploit client-side and server-side vulnerabilities, what is the Palo Alto Networks best practice when using NGFW VulnerabilityProtection Profiles? Clone the predefined Strict Profile, with packet capture settings disabled Use the default Vulnerability Protection Profile to protect servers from all known critical, high, and medium-severity threats Clone the predefined Strict Profile, with packet capture settings enabled.
When an on-premises NGFW (customer gateway) is used to connect to the Virtual Gateway, which two IKE profiles cannot be used? (Choose two.) Group2 / SHA-1 / AES-128-CBC / IKE-V1 Group2 / SHA-1 / AES-128-GCM / IKE-V1 Group14 / SHA-256 / AES-256-GCM / IKE-V1 Group2 / SHA-1 / AES-128-CBC Group14 / SHA-256 / AES-256-CBC / IKE-V1.
Which RQL string monitors all traffic from the Internet and Suspicious IPs destined for your Amazon Web Services databases'' A. network where source.publicnetwork IN ('Suspicious IPs') and dest.resource IN (resource where role IN ('AWS RDS', 'Database')) B. network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN (resource where role IN ('LDAP')) C. network where dest.resource IN (resource where role = 'Database'} D. network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest resource IN (resource where role IN ('AWS RDS'. 'Database').
Which three requirements are needed to register a PAYG VM-Series NGFW at the Palo Alto Networks Customer Support website? (Choose three.) Serial Number CPU ID Auth Code License Key UUID.
Which three services can Google Cloud Security Scanner assess? (Choose three.) Google Kubernetes Engine BigQuery Compute Engine App Engine Google Virtual Private Cloud.
How is license utilization displayed within the Prisma Public Cloud interface? navigate to the CLI and run show license command navigate to General > Licensing navigate to Dashboard > Asset Inventory navigate to Settings (via the gear icon) > Licensing.
can you create a custom compliance standard in Prisma Public Cloud? Generate a new Compliance Report. Create compliance framework in a spreadsheet then import into Prisma Public Cloud. From Compliance tab, clone a default framework and customize. From Compliance tab > Compliance Standards, click "Add New.".
Which three features are not supported by VM-Series NGFWs on Azure Stack? (Choose three.) Azure Application Insight Resource Group Azure Security Center Bootstrapping ARM Template.
Can Defender upgrades be restricted to a specific window of time? You can specify the maintenance window in the console, and then Defender upgrades will happen only during that time. No. Upgrades happen automatically. However, those upgrades do not cause downtime. You can disable auto-upgrade, and then upgrade the Defenders during the window from the web-based interface (Action > Upgrade). You can disable auto-upgrade, but then you can't upgrade the Defenders. You need to uninstall and reinstall them for the upgrade.
Where do you install an app-embedded Defender? on the Docker containers that implement the application on both the hosts and the images on the images that become the Docker containers of the application on the hosts that run the Docker containers of the application.
Which command do you use to install a container Defender on Linux? curl rpm apt install either rpm or apt install, depending on the Linux distribution.
In Prisma Cloud Compute, what is the default HTTPS port for the Console? 9443 443 8083 8443.
The TCP listener setting in a Docker Defender running on Linux allows the Defender to function as what?
Choose one: a Docker proxy an HTTP proxy a firewall an SSH proxy.
How do you deploy a host Defender on Windows?
Choose one: Run the provided command line using PowerShell. Download an .msi package using the browser. Download an .exe command package using the browser. Run the provided command line using the old (cmd.exe) shell.
An Azure VNet has the IP network 10.0.0.0/16 with two subnets, 10.0.1.0/24 (used for web servers) and
10.0.2.0/24 (used for database servers). Which is a valid IP address to manage the VM-Series NGFW? 10.0.2.1 10.0.3.255 10.0.3.1 10.0.1.254.
Which option is defined by the creation and change of public cloud services managed in a repeatable and predictable fashion? platform as a service infrastructure as a service infrastructure as code software as code.
Which three methods can provide application-level security for a web server instance on Amazon Web Services? (Choose three.) Prisma SaaS VM-Series firewalls Amazon Web Services WAF Security Groups Traps.
Which option is true about VM-Series NGFW templates available from the Palo Alto Networks GitHub repository? Palo Alto Networks provides full support if a valid support license is in place. Support for the templates is available through Professional Services from Palo Alto Networks. Unless otherwise noted, these templates are released under an as-is. best effort support policy. The author of the template provides full support as long as the PAN-OS version specific to the template is supported.
Which RQL string monitors all traffic from the Internet and Suspicious IPs destined for your Amazon Web Services databases'' network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest resource IN (resource where role IN ('AWS RDS'. 'Database')) network where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN (resource where role IN ('LDAP')) network where dest.resource IN (resource where role = 'Database'} network where source.publicnetwork IN ('Suspicious IPs') and dest.resource IN (resource where role IN ('AWS RDS', 'Database')).
A customer has just launched a Palo Alto Networks VM-Series NGFW into an Amazon Web Services VPC to protect a cloud hosted application. They are experiencing unpredictable results and have identified that the interfaces on the firewall are in the incorrect order Which PAN-OS CLI command resolves this issue? set system setting mgmt-interface swap yes set mgmt-interface swap yes set system setting mgmt-interface-swap enable yes set mgmt-interface settings swap yes.
An administrator deploys a VM-Series firewall into Amazon Web Services. Which attribute must be disabled on the data-plane elastic network interface for the instance to handle traffic that is not destined to its own IP address? security group tags elastic ip address source/destination checking.
Which RQL string using network query attributes returns all traffic destined for Internet or for Suspicious IPs that also exceeds 1GB? network where publicnetwork = ('Internet IPs', 'Suspicious IPs') AND bytes > 1000000000 network where dest publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 1000000000 show traffic where destination.network = ('Internet IPs', 'Suspicious IPs') AND bytes > 1000000000 network where bytes > 1GB and destination = 'Internet IPs' OR 'Suspicious IPs'.
What configuration on AWS is required in order for VM-Series to forward traffic between its network interfaces? Both Source and Destination Checks are disabled Both Source and Destination Checks are enabled Source Check is disabled and Destination Check is enabled Source Check is enabled and Destination Check is disabled.
What is the scope of the Amazon Web Services 1AM Service? global VPC zonal regional.
Match the logging service with its cloud provider. Cloud Watch Activity Log Stackdriver Monitor Cloudtrail Cloudaudot.
Amazon Web Services WAF can be enabled on which two resources?(Choose two.) AWS ALB AWS CDN AWS NLB AWS NAT Gateway.
A client has a sensitive internet-facing application server in Microsoft Azure and is concerned about resource exhaustion because of distributed denial-of-service attacks What can be configured on the VM-Series firewall to specifically protect this server against this type of attack? Custom threat signature QoS Profile to limit incoming requests Zone Protection Profile DoS Protection Profile with specific session counts.
How can you use Prisma Public Cloud to identify Amazon EC2 instances that have been tagged as "Private? Generate a CIS compliance report and review the "Asset Summary." Create an RQL config query to identify resources with the tag "Private." Create an RQL network query to identify traffic from resources tagged "Private." Open the Asset Dashboard, filter on tags: and choose "Private.".
What are two ways to initially deploy a VM-Series NGFW in Microsoft Azure? (Choose two.) through ARM Templates in the GitHub Repository through Solution Templates in the Azure Marketplace through Iron Skillets in the GitHub Repository through Expedition in the Customer Success Portal.
How can you modify a range of dates default policy in Prisma Public Cloud? Click the Gear icon next to the policy name to open the Edit Policy dialog Override the value and commit the configuration. Clone the existing policy and change the value. Manually create the RQL statement.
Which step is included when configuring Kubernetes to use Prisma Cloud Compute as an
admission controller? copy the Console address and set the config map for the default namespace enable Kubernetes auditing from the Defend > Access > Kubernetes page in the Console copy the admission controller configuration from the Console and apply it to Kubernetes create a new namespace in Kubernetes called admission-controller.
A customer is interested in PCI requirements and needs to ensure that no privilege containers
can start in the environment. Which action needs to be set for "do not use privileged containers? Prevent Fail Alert Block.
The Unusual protocol activity (Internal) network anomaly is generating too many alerts An
administrator has been asked to tune it to the option that will generate the least number of events
without disabling it entirely.
Which strategy should the administrator use to achieve this goal? Change the Training Threshold to Low Set the Alert Disposition to Conservative Disable the policy Set Alert Disposition to Aggressive.
Which three types of classifications are available in the Data Security module? (Choose three. ) Compliance standard Personally identifiable information Financial information .Malicious IP Malware.
A security team is deploying Cloud Native Application Firewall (CNAF) on a containerized web
application.
The application is running an NGINX container. The container is listening on port 8080 and is mapped
to host port 80.
Which port should the team specify in the CNAF rule to protect the application? 443 8080 8888 80.
An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator
also has configured a load balancer in TCP passthrough mode to listen on the same ports as the
default Prisma Compute Console configuration
In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS
Which port will twistcli need to use to access the Prisma Compute APIs? 8081 443 8084 8083
.
Which method should be used to authenticate to Prisma Cloud Enterprise programmatically? SAML access key basic authentication single sign-on.
Which order of steps map a policy to a custom compliance standard?
(Drag the steps into the correct order of occurrence, from the first step to the last.) 1 2 3 4.
A customer is deploying Defenders to a Fargate environment It wants to understand the
vulnerabilities in the images it is deploying. How should the customer automate vulnerability scanning for images deployed to Fargate? Embed a Fargate Defender to automatically scan for vulnerabilities . Use Cloud Compliance to identify misconfigured AWS accounts
Set up a vulnerability scanner on the registry
Designate a Fargate Defender to serve a dedicated image scanner.
|
