Title of test: Sopademelancia34
Description: Sopad 124



Which two tools can be used to configure Cloud NGFWs for AWS? (Choose two answers).
A. Panorama.
B. Cortex XSIAM.
C. Cloud service provider's management console.
D. Prisma Cloud management console.

Which two components of a Security policy, when configured, allow third-party contractors access to internal applications outside business hours? (Choose two answers).
A. Schedule.
B. Service.
C. App-ID.
D. User-ID.

An NGFW administrator is updating PAN-OS on company data center firewalls managed by Panorama. Prior to installing the update, what must the administrator verify to ensure the devices will continue to be supported by Panorama? (Choose one answer).
A. Panorama is running the same or newer PAN-OS release as the one being installed.
B. All devices are in the same template stack.
C. Panorama is configured as the primary device in the log collecting group for the data center firewalls.
D. Device telemetry is enabled.

In which two applications can Prisma Access threat logs for mobile user traffic be reviewed? (Choose two answers).
A. Prisma Cloud dashboard.
B. Service connection firewall.
C. Strata Logging Service.
D. Strata Cloud Manager (SCM).

How does a firewall behave when SSL Inbound Inspection is enabled? (Choose one answer).
A. It acts as meddler-in-the-middle between the client and the internal server.
B. It acts transparently between the client and the internal server.
C. It decrypts traffic between the client and the external server.
D. It decrypts inbound and outbound SSH connections.

A network administrator obtains Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service? (Choose one answer).
A. Enable Advanced Threat Prevention with default settings and only focus on high-risk traffic.
B. Configure DNS Security signature policy settings to sinkhole malicious DNS queries.
C. Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic.
D. Create overrides for all company-owned FQDNs.

A network security engineer needs to implement segmentation but is under strict compliance requirements to place security enforcement as close as possible to the private applications hosted in Azure. Which deployment style is valid and meets the requirements in this scenario? (Choose one answer).
A. On a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.
B. On a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.
C. On a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.
D. On a VM-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.

Which two types of logs must be forwarded to Strata Logging Service for IoT Security to function? (Choose two answers).
A. Enhanced application.
B. Threat.
C. WildFire.
D. Traffic.

Which offering can be managed in both Panorama and Strata Cloud Manager (SCM)? (Choose one answer).
A. VM-Series Next-Generation Firewall (NGFW).
B. Autonomous Digital Experience Manager (ADEM).
C. Prisma SD-WAN.
D. SaaS Security.

When configuring Security policies on VM-Series firewalls, which set of actions will ensure the most comprehensive Security policy enforcement? (Choose one answer).
A. Configure policies using User-ID and App-ID, enable decryption, apply appropriate security profiles to rules, and update regularly with dynamic updates.
B. Configure a block policy for all malicious inbound traffic, configure an allow policy for all outbound traffic, and update regularly with dynamic updates.
C. Configure port-based policies, check threat logs weekly, conduct software updates annually, and enable decryption.
D. Configure all default policies provided by the firewall, use Policy Optimizer, and adjust security rules after an incident occurs.

What must be configured to successfully onboard a Prisma Access remote network using Strata Cloud Manager (SCM)? (Choose one answer).
A. Cloud Identity Engine.
B. Autonomous Digital Experience Manager (ADEM).
C. GlobalProtect agent.
D. IPSec termination node.

Which feature of SaaS Security will allow a firewall administrator to identify unknown SaaS applications in an environment? (Choose one answer).
A. SaaS Data Security.
B. Cloud Identity Engine.
C. App-ID Cloud Engine.
D. App-ID.

Which two features can a network administrator use to troubleshoot the issue of a Prisma Access mobile user who is unable to access SaaS applications? (Choose two answers).
A. SaaS Application Risk Portal.
B. Autonomous Digital Experience Manager (ADEM) console.
C. Capacity Analyzer.
D. GlobalProtect logs.

In a Prisma SD-WAN environment experiencing voice quality degradation, which initial action is recommended? (Choose one answer).
A. Immediately modify path quality thresholds.
B. Request an RMA of the ION devices.
C. Switch all VoIP traffic to backup paths.
D. Review real-time analytics of path performance.

How does Advanced WildFire integrate into third-party applications? (Choose one answer).
A. Through Strata Logging Service.
B. Through customized reporting configured in NGFWs.
C. Through playbooks automatically sending WildFire data.
D. Through the WildFire API.

A network security engineer wants to forward Strata Logging Service data to tools used by the Security Operations Center (SOC) for further investigation. In which best practice step of Palo Alto Networks Zero Trust does this fit? (Choose one answer).
A. Map and Verify Transactions.
B. Report and Maintenance.
C. Standards and Designs.
D. Implementation.

In a service provider environment, what key advantage does implementing virtual systems provide for managing multiple customer environments? (Choose one answer).
A. Shared threat prevention policies.
B. Centralized authentication for all customer domains.
C. Unified logging across all virtual systems.
D. Logical separation of control and Security policy.

Which NGFW function can be used to enhance visibility, protect, block, and log the use of Post-quantum Cryptography (PQC)? (Choose one answer).
A. Security policy.
B. DNS Security profile.
C. Decryption policy.
D. Decryption profile.

A primary firewall in a high availability (HA) pair is experiencing a current failover issue with ICMP pings to a secondary device. Which metric should be reviewed for proper ICMP pings between the firewall pair? (Choose one answer).
A. Non-functional state.
B. Link monitoring.
C. Heartbeat polling.
D. Bidirectional Forwarding Detection (BFD).

How can a firewall administrator block a list of 300 unique URLs in the most time-efficient manner? (Choose one answer).
A. Use application filters to block the App-IDs.
B. Block multiple predefined URL categories.
C. Use application group to block the App-IDs.
D. Import the list into a custom URL category.

Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events? (Choose one answer).
A. Dynamic User Groups.
B. Predefined IP addresses.
C. Dynamic Address Groups.
D. Address objects.

Which functionality does an NGFW use to determine whether new session setups are legitimate or illegitimate? (Choose one answer).
A. SYN bit.
B. SYN cookies.
C. SYN flood protection.
D. Random Early Detection (RED).

When a firewall acts as an application-level gateway (ALG), what does it require in order to establish a connection? (Choose one answer).
A. Session Initiation Protocol (SIP).
B. Pinholes.
C. Payload.
D. Dynamic IP and Port (DIPP).

Which security profile provides real-time protection against threat actors who exploit the misconfigurations of DNS infrastructure and redirect traffic to malicious domains? (Choose one answer).
A. URL Filtering.
B. Vulnerability Protection.
C. Anti-spyware.
D. Antivirus.

During a security incident investigation, which Security profile will have logs of attempted confidential data exfiltration? (Choose one answer).
A. File Blocking Profile.
B. WildFire Analysis Profile.
C. Vulnerability Protection Profile.
D. Enterprise DLP Profile.

After a firewall is associated with Strata Cloud Manager (SCM), which two additional actions are required to enable management of the firewall from SCM? (Choose two answers).
A. Configure a Security policy allowing "stratacloudmanager.paloaltonetworks.com" for all users.
B. Deploy a service connection for each branch site and connect with SCM.
C. Install a device certificate.
D. Configure NTP and DNS servers for the firewall.

A network security engineer has created a Security policy in Prisma Access that includes a negated region in the source address. Which configuration will ensure there is no connectivity loss due to the negated region? (Choose one answer).
A. Add all regions that contain private IP addresses to the source address.
B. Set the service to be application-default.
C. Create a Security policy for the negated region with destination address "any".
D. Add a Dynamic Application Group to the Security policy.

Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two answers).
A. Certificate pinning.
B. RADIUS profile.
C. SAML certificate.
D. Incomplete certificate chains.

What is a necessary step for creation of a custom Prisma Access report on Strata Cloud Manager (SCM)? (Choose one answer).
A. Set up Cloud Identity Engine.
B. Generate a PDF summary report.
C. Open a support ticket.
D. Configure a dashboard.

In a distributed enterprise implementing Prisma SD-WAN, which configuration element should be implemented first to ensure optimal traffic flow between remote sites and headquarters? (Choose one answer).
A. Deploy redundant ION devices at each location.
B. Configure static routes between all the branch offices.
C. Enable split tunneling for all branch locations.
D. Implement dynamic path selection using real-time performance metrics.

What key capability distinguishes Content-ID technology from conventional network security approaches? (Choose one answer).
A. It provides single-pass application layer inspection for real-time threat prevention.
B. It performs packet header analysis short of deep packet inspection.
C. It exclusively monitors network traffic volumes.
D. It relies primarily on reputation-based filtering.

Which two content updates can be pushed to next-generation firewalls from Panorama? (Choose two answers).
A. Applications and Threats.
B. WildFire.
C. GlobalProtect data file.
D. Advanced URL Filtering.

What occurs when a security profile group named "default" is created on an NGFW? (Choose one answer).
A. It negates all existing security profile rules on new policy.
B. It is automatically applied to all new security rules.
C. It only applies to traffic that has been dropped due to the reset client action.
D. It allows traffic to bypass all security checks by default.

Which action optimizes user experience across a segmented network architecture and implements the most effective method to maintain secure connectivity between branch and campus locations? (Choose one answer).
A. Establish site-to-site tunnels on each branch and campus firewall and have individual VLANs for each department.
B. Configure all branch and campus firewalls to use a single shared broadcast domain.
C. Implement SD-WAN to route all traffic based on network performance metrics and use zone protection profiles.
D. Configure a single campus firewall to handle the routing of all branch traffic.

How does Strata Logging Service help resolve ever-increasing log retention needs for a company using Prisma Access? (Choose one answer).
A. Automatic selection of physical data storage regions decreases adoption time.
B. Log traffic using the licensed bandwidth purchased for Prisma Access reduces overhead.
C. It increases resilience due to decentralized collection and storage of logs.
D. It can scale to meet the capacity needs of new locations as business grows.

Which GlobalProtect configuration is recommended for granular security enforcement of remote user device posture? (Choose one answer).
A. Configuring host information profile (HIP) checks for all mobile users.
B. Configuring a rule that blocks the ability of users to disable GlobalProtect while accessing internal applications.
C. Applying log at session end to all GlobalProtect Security policies.
D. Implementing multi-factor authentication (MFA) for all users attempting to access internal applications.

How many places will a firewall administrator need to create and configure a custom data loss prevention (DLP) profile across Prisma Access and the NGFW? (Choose one answer).
A. One.
B. Two.
C. Three.
D. Four.

Which step is necessary to ensure an organization is using the inline cloud analysis features in its Advanced Threat Prevention subscription? (Choose one answer).
A. Disable anti-spyware to avoid performance impacts and rely solely on external threat intelligence.
B. Update or create a new anti-spyware security profile and enable the appropriate local deep learning models.
C. Configure Advanced Threat Prevention profiles with default settings and only focus on high-risk traffic to avoid affecting network performance.
D. Enable SSL decryption in Security policies to inspect and analyze encrypted traffic for threats.

Using Prisma Access, which solution provides the most security coverage of network protocols for the mobile workforce? (Choose one answer).
A. Client-based VPN.
B. Enterprise Browser.
C. Clientless VPN.
D. Explicit proxy.

Which two SSH Proxy decryption profile settings should be configured to enhance the company's security posture? (Choose two answers).
A. Block connections that use non-compliant SSH versions.
B. Allow sessions with legacy SSH protocol versions.
C. Allow sessions when decryption resources are unavailable.
D. Block sessions when certificate validation fails.

Which component of NGFW is supported in active/passive design but not in active/active design? (Choose one answer).
A. Single floating IP address.
B. Configuring ARP load-sharing on Layer 3.
C. Using a DHCP client.
D. Route-based redundancy.

Which set of practices should be implemented with Cloud Access Security Broker (CASB) to ensure robust data encryption and protect sensitive information in SaaS applications? (Choose one answer).
A. Encrypt only the most critical data to ensure compliance with regulations. Use simple encryption methods. Ensure the SaaS provider's default security settings are being used.
B. Enable encryption for data-at-rest and in transit. Regularly update encryption keys. Use strong encryption algorithms.
C. Do not enable encryption for data-at-rest to improve performance. Use default encryption keys provided by the SaaS provider. Perform annual encryption key rotations.
D. Do not enable encryption for data-at-rest to improve performance. Use strong encryption algorithms. Avoid frequent encryption key updates to minimize disruptions.

How are policies evaluated in the AWS Management Console when creating a Security Policy for a Cloud NGFW? (Choose one answer).
A. The administrator sets a rule order to determine the order in which they are evaluated.
B. They must be created in the order they are intended to be evaluated.
C. They can be dragged up or down the stack as they are evaluated.
D. The administrator sets a rule priority to determine the order in which they are evaluated.

A network engineer pushes specific Panorama reports of new AI URL category types to branch NGFWs. Which two report types achieve this goal?
A. PDF summary.
B. Custom.
C. AI.
D. SNMP.

Which set of attributes is used by IoT Security to identify and classify appliances on a network determining Device-ID? (Choose one answer).
A. Device model, firmware version, and user credential.
B. Hostname, application usage, and encryption method.
C. IP address, network traffic patterns, and device type.
D. MAC address, device manufacturer, and operating system.

Which procedure is most effective for maintaining continuity and security during a Prisma Access data plane software upgrade? (Choose one answer).
A. Use Strata Cloud Manager (SCM) to perform dynamic upgrades automatically and simultaneously across all locations at once to ensure network-wide uniformity.
B. Disable all security features during the upgrade to prevent conflicts and re-enable them after completion to ensure a smooth rollout process.
C. Back up configurations, schedule upgrades during off-peak hours, and use a phased approach rather than attempting a network-wide rollout.
D. Perform the upgrade during peak business hours, quickly address any user-reported issues, and ensure immediate troubleshooting post-rollout.

Which action is only taken during slow path in the NGFW policy? (Choose one answer).
A. Session lookup.
B. SSL/TLS decryption.
C. Layer 2-Layer 4 firewall processing.
D. Security policy lookup.

An administrator wants to implement additional Cloud-Delivered Security Services (CDSS) on a data center NGFW that already has one enabled. What benefit does the NGFW's single-pass parallel processing (SP3) architecture provide? (Choose one answer).
A. There will be only a minor reduction in performance.
B. It allows additional security inspection devices to be added inline.
C. It allows for traffic inspection at the application level.
D. There will be no additional performance degradation.

A cloud security architect is designing a certificate management strategy for Strata Cloud Manager (SCM) across hybrid environments. Which practice ensures optimal security with low management overhead? (Choose one answer).
A. Deploy centralized certificate automation with standardized protocols and continuous monitoring.
B. Implement separate certificate authorities with independent validation rules for each cloud environment.
C. Use cloud provider default certificates with scheduled synchronization and localized renewal processes.
D. Configure manual certificate deployment with quarterly reviews and environment-specific security protocols.

Which AI-powered solution provides unified management and operations for NGFWs and Prisma Access? (Choose one answer).
A. Prisma Access Browser.
B. Autonomous Digital Experience Manager (ADEM).
C. Panorama.
D. Strata Cloud Manager (SCM).

A company has an ongoing initiative to monitor and control IT-sanctioned SaaS applications. To be successful, it will require configuration of decryption policies, along with data filtering and URL Filtering Profiles used in Security policies. Based on the need to decrypt SaaS applications, which two steps are appropriate to ensure success? (Choose two answers).
A. Validate which certificates will be used to establish trust.
B. Configure SSL Forward Proxy.
C. Create new self-signed certificates to use for decryption.
D. Configure SSL Inbound Inspection.

Which subscription sends non-file format-based traffic that matches Data Filtering Profile criteria to a cloud service to render a verdict? (Choose one answer).
A. Enterprise DLP.
B. SaaS Security Inline.
C. Advanced WildFire.
D. Advanced URL Filtering.

Which two security services are required for configuration of NGFW Security policies to protect against malicious and misconfigured domains? (Choose two answers).
A. Advanced DNS Security.
B. Advanced Threat Prevention.
C. Advanced WildFire.
D. SaaS Security.

Which method in the WildFire analysis report detonates unknown submissions to provide visibility into real-world effects and behavior? (Choose one answer).
A. Machine learning (ML).
B. Dynamic analysis.
C. Static analysis.
D. Intelligent Run-time Memory Analysis.

Which two configurations are required when creating deployment profiles to migrate a perpetual VM-Series firewall to a flexible VM? (Choose two answers).
A. Allow only the same security services as the perpetual VM.
B. Choose "Fixed vCPU Models" for configuration type.
C. Allocate the same number of vCPUs as the perpetual VM.
D. Deploy virtual Panorama for management.

What are two recommendations to ensure secure and efficient connectivity across multiple locations in a distributed enterprise network? (Choose two answers).
A. Create broad VPN policies for contractors working at branch locations.
B. Employ centralized management and consistent policy enforcement across all locations.
C. Implement a flat network design for simplified network management and reduced overhead.
D. Use Prisma Access to provide secure remote access for branch users.

What is the recommended upgrade path from PAN-OS 9.1 to PAN-OS 11.2? (Choose one answer).
A. 9.1 -> 11.2.
B. 9.1 -> 11.0 -> 11.2.
C. 9.1 -> 10.0 -> 11.0 -> 11.2.
D. 9.1 -> 10.0 -> 11.0 -> 11.1 -> 11.2.

Which action allows an engineer to collectively update VM-Series firewalls with Strata Cloud Manager (SCM)? (Choose one answer).
A. Creating an update grouping rule.
B. Scheduling software update.
C. Creating a device grouping rule.
D. Setting a target OS version.

Which zone is available for use in Prisma Access? (Choose one answer).
A. Interzone.
B. DMZ.
C. Intrazone.
D. Clientless VPN.

How do Cloud NGFW instances get created when using AWS centralized deployments? (Choose one answer).
A. A security VPC will be created as transit gateways to push all traffic through the area.
B. Cloud NGFW is placed in a vWAN with a virtual hub.
C. They replace the internet gateway service.
D. Selected VPCs will have Cloud NGFW workloads added to them.





