CPA

Question #:1 - [Object Configuration and Application] What is the function of a "Service" object in a Palo Alto Networks firewall configuration?. To define the Layer 7 App-ID signatures. To define the Layer 4 protocol (TCP/UDP) and port numbers. To specify the URL categories to be blocked. To set the QoS priority for specific traffic.

Question #:2 - [Policy Creation and Management] To comply with new regulations, a company requires all traffic logs related to the "HR-App" application across all Security policies be sent to a compliance syslog server. A Log Forwarding profile already exists to send logs to a default syslog server. What is the most efficient process for configuring an NGFW to comply with the new regulations without disrupting existing traffic logs being sent to the default syslog server?. Edit the existing Log Forwarding profile by adding a new match list consisting of Log Forwarding filter for the application named "HR-App" to direct logs to the compliance syslog server. Create a new Log Forwarding profile, update the profile with the details of the compliance syslog server and attach the profile to the relevant Security policy rule. Edit the existing Log Forwarding profile, add a new entry, use the filter builder to match on application "HR-App," and add the details for the compliance syslog server. Create a Log Forwarding profile and enable the predefined filter for "Application" In the associated dropdown, select or create a new application object with the name "HR-App," and add the details for the compliance syslog server.

Question #:3 - [Policy Creation and Management] A financial company is deploying NGFWs with the Advanced SD-WAN subscription to improve uptime and bandwidth across thousands of ATMs. The company requires that traffic flows to the internal application needed by the ATMs always use the path with the lowest latency and packet loss. Which unique SD-WAN rule parameters meet this criteria?. Application/Service: "Internal Application for ATMs" # Path Selection: "Best Available Path" in Traffic Distribution Profile. Application/Service: "Internal Application for ATMs" & "Management" in Path Quality Profile # Path Selection "Any.". Application/Service: "Internal Application for ATMs" # Path Selection "Weighted Distribution" in Traffic Distribution Profile. Application/Service: "Internal Application for ATMs" & "ATM Path(Custom)" in Path Quality Profile # Path Selection "Any.".

Question #:4 - [Policy Creation and Management] Which action ensures that sensitive information such as medical records, financial transactions, and legal communications are not decrypted and that they maintain strong security?. Create a log forwarding filter to exclude sensitive information. Disable decryption globally to avoid exposing sensitive data. Create an SSL Inbound Inspection policy to identify users sending sensitive information. Create a no-decrypt policy for traffic matching specific URL categories.

Question #:5 - [Object Configuration and Application] How often should external dynamic lists be updated to ensure effective Security policy enforcement?. Once a week. As new threats are identified. Once a month. As frequently as the external source updates.

Question #:6 - [Object Configuration and Application] An analyst is configuring a "WildFire Analysis Profile." Which file types can be sent to the WildFire cloud for sandbox analysis?. Only .exe and .msi files. Only Microsoft Office documents. All file types supported by the Content-ID engine, including PDFs and APKs. Only encrypted files that cannot be decrypted locally.

Question #:7 - [Centralized Operations and Management] In Panorama, which feature allows an analyst to group multiple Template Stacks together to push a common set of network configurations to a large number of firewalls simultaneously?. Device Groups. Variables. Template Groups. Managed Collectors.

Question #:8 - [Object Configuration and Application] An analyst needs to create a security rule to allow access to a specific web application that identifies itself as "web-browsing" but uses a custom, non-standard port of TCP 9000. Which configuration ensures the App-ID engine can still inspect this traffic?. Change the Service to "application-default.". Create a custom Service object for TCP 9000 and use it in the rule. Use an Application Override rule for port 9000. Change the application to "any" and the service to TCP 9000.

Question #:9 - [Object Configuration and Application] What is an important consideration when defining custom data patterns for data loss prevention (DLP) on Palo Alto Networks platforms? (Choose one answer). They do not require regular updates once deployed. They are less effective than predefined patterns and should be avoided. They should be specific and tested to minimize false positives and false negatives. They should be as broad as possible to cover all potential data types.

Question #:10 - [Policy Creation and Management] DNS rewrite can only be configured on a NAT rule with which type of destination address translation?. Dynamic IP and Port (DIPP). Dynamic IP (with session distribution). Static IP. Dynamic IP.

Question #:11 - [Policy Creation and Management] An organization wants to decrypt outbound traffic to ensure no malware is hidden in HTTPS sessions. Which type of decryption policy must be configured on the firewall to act as a "Man-in-the-Middle"?. SSL Inbound Inspection. SSH Proxy. SSL Forward Proxy. Decryption Broker.

Question #:12 - [Monitoring and Troubleshooting] Which log type should be checked first using Log Viewer when a user reports being unable to access a specific website?. Firewall/URL. Firewall/Traffic. Firewall/Threat. Firewall/DNS Security.