
FCAJEH

Test Title:
FCAJEH

Description:
SSEJH FOR PA

Creation Date: 2026/01/18

Category: Languages

Number of Questions: 73

Syllabus:

A company has four branch offices between Canada Central and Canada East which use the same IPsec termination node and have QoS configured with customized bandwidth per site. An engineer wants to onboard a new branch office on the same IPsec termination node. What is the QoS behavior for the new branch office?. Cannot be added to existing QoS configuration. Automatically distributed to $25\%$ for each site. Unallocated until manually assigned. Automatically distributed to $20\%$ for each site.

An organization deploys the Prisma Access Browser (PAB) to secure web access from diverse endpoints, including personal devices where IT has limited control. To maintain a strong and proactive security posture across these varied environments, why is the use of PAB device posture attributes, such as OS version, file system encryption, and device type, considered essential?. It allows administrators to identify and restrict access based on OS version and browser type on unmanaged devices. It permits PAB to function as a standalone endpoint detection and response (EDR) solution. It enables the administrators of PAB to independently perform OS and browser patching on unmanaged devices. It provides the administrators of PAB the ability to enable disk encryption on all endpoints.

An employee reports being unable to use any video conferencing features across various web-based collaboration tools. However, colleagues not using the Prisma Access Browser (PAB) can use these features without any problem. Which two policy rule types or categories control this configuration? (Choose two.). Browser Security Controls. Network Security Controls. Browser Customization Controls. Access & Data Controls.

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to its data centers. The solution must meet these requirements: The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations. The branch locations must have internet filtering and data center connectivity. The B2B partner connections must only have access to internally hosted proprietary applications running on non-standard ports. There are overlapping prefixes advertised by the B2B partners. Which two actions will meet the customer requirements for the B2B connections? (Choose two.). Advertise the corresponding network prefixes using eBGP or static routes. Configure service connections for data center connectivity. NAT the traffic at the customer premises equipment (CPE). Configure remote networks with NAT pools for each of the B2B connections.

An engineer deploys a new branch connected to Prisma Access. From the customer premises equipment (CPE) device at the branch, Phase 1 on the tunnel is established, but Phase 2-encrypted packets are not coming back from Prisma Access. Which Strata Logging Service log facility should the engineer review to determine why Phase 2-encrypted traffic is not being received?. Traffic logs. System logs. Decrypt logs. Tunnel logs.

Which configuration change will allow an organization using Prisma Access (Managed by Panorama) to minimize the consumption of Strata Logging Service storage due to a high volume of asymmetric traffic flows on its data center?. Disable traffic logging on the service connection. Configure a log forwarding profile on the service connection to filter out asymmetric traffic. Reduce the log retention period for Strata Logging Service. Disable the log forwarding profile for the service connection.

Which feature within Strata Cloud Manager (SCM) allows an operations team to view applications, threats, and user insights for branch locations for both NGFW and Prisma Access simultaneously?. Command Center. SASE Health Dashboard. Log Viewer. Branch Site Monitor.

Secure Inbound Access has been configured to allow access to an RDP application at a branch location, as shown in the image below. After a successful commit, return traffic from the application is not reaching the internet user. What is causing the return traffic to fail?. Source NAT is enabled, but the branch location's CPE does not have a route back to the eBGP Router ID of the Inbound Access Remote Network Node. The "Allow inbound flows to other Remote Networks over the Prisma Access backbone" checkbox is selected. Source NAT is enabled, but the branch location's CPE does not have a route back to the Service Endpoint Address of the Inbound Access Remote Network Node. The Remote Network Security policy source zone is configured as "Untrust".

Which advanced AI-powered functionality does Strata Copilot provide to enhance the capabilities of Prisma Access security teams?. Initial configuration of Prisma Access using a natural language interface. Customized guidance for resolving issues through recommended next steps. Automated remediation of misconfigured Security policies. Real-time traffic analysis for automated threat prevention.

What is the flow impact of updating the Cloud Services plugin on existing traffic flows in Prisma Access?. They will experience latency during the plugin upgrade process. They will automatically terminate when the upgrade begins. They will be unaffected only if Panorama is deployed in high availability (HA) mode. They will be unaffected because the plugin upgrade is transparent to users.

An engineer configures IPsec tunnels for two remote network locations; however, users are experiencing intermittent connectivity issues across the tunnels. Which action will allow the engineer to receive notifications when the IPsec tunnels are down or experiencing instability?. Set up the operational health dashboard to email alerts for remote network IPsec tunnel issues. Select the IPsec tunnel monitoring and notifications checkbox when configuring the remote network IPsec tunnels. Create a new notification profile specifying conditions for remote network IPsec tunnels. Create a tunnel log notification rule to alert on specified remote network IPsec tunnel conditions.

How can an engineer use risk score customization in SaaS Security Inline to limit the use of unsanctioned SaaS applications by employees within a Security policy?. Increase the risk score for all SaaS applications to automatically block unwanted applications. Build an application filter using unsanctioned SaaS as the category. Lower the risk score of sanctioned applications and increase the risk score for unsanctioned applications. Build an application filter using unsanctioned SaaS as the characteristic.

Which two statements apply when a customer has a large branch office with employees who all arrive and log in within a five-minute time period? (Choose two.). Maximum pending TCP DNS requests is 64. DNS results are only cached for frequently used hostnames. Maximum number of TCP DNS retries is 3. DNS results are cached for 300 seconds.

In an explicit proxy deployment where no agent can be used on the endpoint, which authentication method is supported with mobile users?. LDAP. Kerberos. SAML. SSO.

A network administrator is enabling users, via Prisma Access Browser (PAB), to securely access internal web applications hosted exclusively within the organization's private data center. Which two Prisma Access infrastructure components are primarily configured to establish the necessary connection pathways from Prisma Access to these internal data center resources? (Choose two.). Explicit Proxy. ZTNA Connector. Privileged Remote Access. Service Connection.

What is the network impact when a Prisma Access service connection is set as a dedicated service connection for traffic steering?. It maintains its zone as Trust and continues to participate in both internal and external BGP routing. It changes its zone to Untrust, applies source NAT to forwarded traffic, and no longer participates in BGP routing. It maintains its zone as Trust; however, it disables all Security policies, allowing unrestricted traffic flow through the dedicated service connection. It applies destination NAT to forwarded traffic, maintains its BGP routing configurations, and allows traffic from both Trust and Untrust zones.

When using the traffic replication feature in Prisma Access, where is the mirrored traffic directed for analysis?. Dedicated cloud storage location. Specified internal security appliance. Strata Cloud Manager (SCM). Panorama.

An administrator is configuring a dedicated visitor sign-in kiosk in the main corporate office using Prisma Access Browser (PAB). A key security requirement is to ensure the device is locked down, which includes preventing users from creating paper copies of any on-screen information. The policy must specifically apply to this fixed-location kiosk. Which two PAB match criteria will enforce these restrictions on the kiosk? (Choose two.). Defining the policy scope based on location, specifying the location of the corporate offices. Configuring the kiosk control, which prevents printing. Defining the policy scope based on networks, specifying the corporate public IP range or CIDR. Configuring the print control as the specific data control for the rule.

How can the Prisma Access Browser (PAB) Extension extend an organization's web security posture to managed devices that are not connected to a VPN for browser-based access to company-sanctioned web applications?. It tunnels all endpoint traffic on unmanaged devices, ensuring all device traffic is secured. It incorporates remote browser isolation (RBI) for the endpoint, running web sessions in a contained environment on any browser. It optimizes network performance for browser traffic to Prisma Access for all operating systems and browsers. It enforces consistent web access and data control policies directly within the browser, regardless of device management status.

How can an engineer verify that only the intended changes will be applied when modifying Prisma Access policy configuration in Strata Cloud Manager (SCM)?. Review the SCM portal for blue circular indicators next to each configuration menu item and ensure that only the intended areas of configuration have this indicator. Open the push dialogue in SCM to preview all changes that would be pushed to Prisma Access. Compare the candidate configuration and the most recent version under "Config Version Snapshots.". Select the most recent job under Operations -> Push Status to view the pending changes that would apply to Prisma Access.

Which two configurations must be enabled to allow App Acceleration for SaaS applications? (Choose two.). Acceleration agent for the client machines. Forward Trust Certificate for the CA certificate. Trusted Root CA for the CA certificate. QoS for user traffic.

Which two configurations will enable multiple paths from the MU-SPN to different SC-CAN elements inside the backplane of the Prisma Access tenant? (Choose two.). Panorama Managed Tenants - Asymmetric Routing with Load Sharing. Strata Cloud Managed Tenants - Asymmetric Routing with Load Sharing and enable Mobile User Network Redundancy. Strata Cloud Managed Tenants - Asymmetric Routing with Load Sharing. Panorama Managed Tenants - Asymmetric Routing with Load Sharing and enable Mobile User Network Redundancy.

A financial institution needs to prevent employees from easily moving textual information from secure financial portals accessed using Prisma Access Browser (PAB) directly into other applications on their workstations. The goal is to stop the practice of selecting data within the browser and then inserting that selected content into external documents or programs. Which PAB control should be configured to disable this particular method of data transference?. Data loss prevention (DLP). Data Transfer. Clipboard. Webpage Data Masking.

Which Cloud Identity Engine capability will create a Security policy that uses Microsoft Entra ID attributes as the source identification?. Attribute Group Mapping. Entra ID Group Attribute. Cloud Dynamic User Group. Entra ID Cloud Group.

An administrator needs to enforce access to all applications via Prisma Access Browser (PAB) for unmanaged or non-compliant devices. Configuration of which two enforcement actions will ensure all access to applications only happens through PAB? (Choose two.). Use the PAB Extension to redirect traffic through Prisma Access. Use Device Posture to allow or block traffic. Use Account Protection for non SSO-enabled applications. For SSO-enabled applications, configure Enforce SSO.

Which statement is valid in relation to certificates used for GlobalProtect and pre-logon?. The GlobalProtect agent may be used to distribute pre-logon certificates. A public certificate authority (CA) must sign and validate all certificates used. The certificate used for pre-logon must include both Subject and Subject-Alt fields. Certificates must be deployed in the Machine Certificate Store.

A user connected to Prisma Access reports that traffic is intermittently denied after matching a Catch-All Deny rule at the bottom and bypassing HIP-based policies. Refreshing the VPN connection restores the user's access. What are two reasons for this behavior? (Choose two.). "Collect HIP data" needs to be enabled in the configuration. Firewall loses user mapping due to missed HIP report checks. HIP-enforced policy is scheduled for certain hours of the day. User mapping is learned from sources other than gateway authentication.

A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI and the correct website in the HTTP host header. Which option will prevent this form of attack?. SSL Decryption to "Block sessions on SNI mismatch with Server Certificate (SAN/CN)". Advanced URL Filtering and block the "Malicious Behavior" category. Advanced URL Filtering and block "SNI mismatch with Server Certificate (SAN/CN)". Advanced Threat Prevention option to block "Domain Fronting".

Which statement applies when enabling multitenancy in Prisma Access (Managed by Panorama)?. Each tenant is allocated its own dedicated Prisma Access instances with compute resources that are not shared across tenants. Service connection licenses will be assigned only to the first tenant, and these service connections can be shared with the other tenants. A single tenant cannot consist solely of mobile users or solely of remote networks. There is flexibility to manage different tenants using separate Panoramas, which allows for better organization and management of the multiple tenants.

An engineer is troubleshooting split-tunneling on a Palo Alto Networks VPN client. The local LAN interface is on the 192.168.1.0/24 network, and the Prisma Access Mobile User IP Pool is configured as 172.16.72.0/23 in Strata Cloud Manager (SCM). Based on the image below, which statement regarding the split-tunneling configuration for the VPN client is valid?. 192.168.5.95/32 has been explicitly configured as an exclude route. 172.16.73.1/32 has been explicitly configured as an exclude route. 9.9.9.9/32 has been explicitly configured as an include route. 10.10.10.10/32 has been explicitly configured as an include route.

What will cause a connector to fail to establish a connection with the cloud gateway during the deployment of a new ZTNA Connector in a data center?. There is a high latency in the network connection. There is a misconfiguration in the DNS settings on the connector. The connector is using a dynamic IP address. The connector is deployed behind a double NAT.

With Prisma Access deployed, which two actions can a company take to use the Egress IP API to automate policy rule updates when the IP addresses used by Prisma Access change? (Choose two.). Enable the Egress IP API endpoint in Prisma Access. Download a client certificate to authenticate to the Egress IP API. Copy the Egress IP API Key in the service infrastructure settings. Configure a webhook to receive notifications of IP address changes.

How can role-based access control (RBAC) for Prisma Access (Managed by Strata Cloud Manager) be used to grant each member of a security team full administrative access to manage the Security policy in a single tenant while restricting access to other tenants in a multitenant deployment?. Add the team to the Child Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator. Add the team to the Parent Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator. Add the team to the Child Tenant, select All Apps & Services, and set the role to Security Administrator. Add the team to the Parent Tenant, select the Prisma Access Configuration Scope, and set the role to Security Administrator.

A company is migrating from NGFW-hosted GlobalProtect to Prisma Access Mobile Users. The authentication method will change from LDAP with Windows Active Directory Domain Controllers to SAML with Microsoft Entra ID. After configuring and applying the SAML Authentication Profile to the Mobile Users configuration, the migrated group-based Security policies are no longer functioning. Which User-ID setting must be updated for the group-based Security policies to begin functioning?. Change the SAML Authentication profile Username Modifier to %USERDOMAIN%\%USERINPUT%. Migrate group mapping to Cloud Identity Engine using an agent to query the Windows Active Directory Domain Controllers. Configure a redistribution profile to send user-to-group mapping from the GlobalProtect firewalls to Prisma Access. Modify the group mapping settings by updating the User Attributes to include "userPrincipalName.".

An employee is traveling to a country where their employer has not deployed a Prisma Access gateway. Which two mobile user gateways will the VPN client connect to automatically? (Choose two.). Global fallback. Regional fallback. Local zone. Backup.

How can QoS in Prisma Access handle Differentiated Services Code Point (DSCP) markings?. It relies on Security policies for the DSCP markings, and tags should be disabled on ingress traffic. It can either mark ingress traffic using a Security policy or honor DSCP markings set by an on-premises device. It relies on manual bandwidth allocation without any DSCP markings or Security policies. It uses DSCP markings from on-premises devices but does not allow for any marking of ingress traffic into Prisma Access.

Strata Logging Service is configured to forward logs to an external syslog server; however, a month later, there is a disruption on the syslog server. Which action will send the missing logs to the external syslog server?. Export the logs from Strata Logging Service, and then manually import them to the syslog server. Configure a replay profile with the affected time range and associate it with the affected syslog server profile. Delete the affected syslog server profile and create a new one. Configure a log filter under the syslog server profile with the affected time range.

What must be configured to accurately report an application's availability when onboarding a discovered application for ZTNA Connector?. udp ping. tcp ping. https ping. icmp ping.

An organization wants Prisma Access Browser (PAB) users to authenticate to public cloud services, such as Microsoft 365, using its existing corporate IdP (e.g., Azure AD). Which integration is essential to enable this automated single sign-on (SSO) experience for public cloud applications accessed via PAB?. Cloud Identity Engine integration with the corporate IdP. Configuration of individual user authentication tokens within the PAB profile. Deployment of a browser-specific SSO extension. Direct integration of the browser with Microsoft's Conditional Access policies.

Which two common decryption challenges can be overcome by using Prisma Access Browser (PAB)? (Choose two.). Pinned certificates. Certificate transparency. OCSP stapling. Mutual authentication.

Which two Prisma Access Browser (PAB) configurations will provide a contractor SSH access to an internal system? (Choose two.). Configure Internal Application entries, Configure Access & Data Control policy. Configure Remote Connection Application entries, Configure Access & Data Control policy. Enable Remote Connections. Enable Internal Connections.

When a review of devices discovered by IoT Security reveals network routers appearing multiple times with different IP addresses, which configuration will address the issue by showing only unique devices?. Merge individual devices into a single device with multiple interfaces. Delete all duplicate devices, keeping only those discovered using their management IP addresses. Add the duplicate entries to the ignore list in IoT Security. Create a custom role to merge devices with the same hostname and operating system.

All mobile users are unable to authenticate to Prisma Access (Managed by Strata Cloud Manager) using SAML authentication through the Cloud Identity Engine. Users report that after entering their credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal without successful authentication, and they receive the following error message: Error: Prisma Access Portal Authentication Failed using CIE-SAML with message "400 Bad Request" Which action will identify the root cause of this error?. Verify the SAML metadata configuration in both the Cloud Identity Engine and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured. Review the Authentication logs in Strata Cloud Manager to check for any SAML error messages or authentication failures. Verify the SAML metadata configuration in both Strata Cloud Manager and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured. Examine the Security policy rules in Prisma Access to ensure that traffic from the IdP is allowed and not blocked.

An engineer has configured a new remote network connection using BGP for route advertisements. The IPSec tunnel has been established, but the BGP peer is not up. Which two elements must the engineer validate to solve the issue? (Choose two.). MRAI timers. Advertise Default Route checkbox. Secret. Peer AS number.

What are two advantages the Prisma Access Browser (PAB) offers in providing consistent security for accessing web-based resources across corporate-managed laptops and personal devices, as well as contractors using devices issued by third parties? (Choose two.). It provides all users on any devices secure access to the internet with enhanced security and threat prevention capabilities for encrypted traffic. It applies an encryption layer to protect all browser assets with a trusted encryption chain that is independent of the operating system. It enforces SSL Forward Proxy decryption to enable inspection of encrypted traffic, allowing for enhanced security and threat prevention capabilities. It routes all traffic to Prisma Access to perform deep packet inspection of encrypted traffic, allowing for enhanced security and threat prevention capabilities.

A company is using Prisma Access with Cloud Identity Engine for user-based policies. Which two system configurations will dynamically grant users access to specific projects based on their group membership in Microsoft Entra ID? (Choose two.). In the Cloud Identity Engine, add the Microsoft Entra ID directory as an IdP and configure the required user group mappings for each project. Implement an authentication sequence in Prisma Access that prioritizes Cloud Identity Engine authentication for users belonging to project-specific groups. Configure Dynamic Privilege Access settings in Prisma Access and associate the user groups with the corresponding project IP address pools. Create a custom application in Microsoft Entra ID representing each project and configure SSO with the Cloud Identity Engine.

Which overlay protocol must a customer premises equipment (CPE) device support when terminating a partner interconnect-based Colo-Connect in Prisma Access?. IPSec. GRE. DTLS. Geneve.

What is the impact of selecting the "Disable Server Response Inspection" checkbox after confirming that a Security policy rule has a threat protection profile configured?. The threat protection profile will override the "Disable Server Response Inspection" for all traffic from the server to the client. All traffic from the server to the client will bypass threat inspection. Only HTTP traffic from the server to the client will bypass threat inspection. The threat protection profile will override the "Disable Server Response Inspection" only for HTTP traffic from the server to the client.

Where are tags applied to control access to generative AI when implementing AI Access Security?. To generative AI applications for identifying sanctioned, tolerated, or unsanctioned applications. To user devices for identifying and controlling which generative AI applications they can access. To security rules for defining which types of generative AI applications are allowed or blocked. To generative AI URL categories for classifying trusted and untrusted generative AI websites.

An engineer configures a Security policy for traffic originating at branch locations in the Remote Networks configuration scope. After committing the configuration and reviewing the logs, the branch traffic is not matching the Security policy. Which statement explains the branch traffic behavior?. The source address was configured with an address object including the branch location prefixes. The source zone was configured as "Trust.". The traffic is matching a Security policy in the Prisma Access configuration scope. The Security policy did not meet best practice standards and was automatically removed.

Which statement applies when enabling multitenancy in Prisma Access (Managed by Panorama)?. Service connection licenses will be assigned only to the first tenant, and these service connections can be shared with the other tenants. There is flexibility to manage different tenants using separate Panoramas, which allows for better organization and management of the multiple tenants. A single tenant cannot consist solely of mobile users or solely of remote networks. Each tenant is allocated its own dedicated Prisma Access instances with compute resources that are not shared across tenants.

A network administrator is enabling users, via Prisma Access Browser (PAB), to securely access internal web applications hosted exclusively within the organization's private data center. Which two Prisma Access infrastructure components are primarily configured to establish the necessary connection pathways from Prisma Access to these internal data center resources? (Choose two.). Privileged Remote Access. Service Connection. Explicit Proxy. ZTNA Connector.

Which feature can help address a customer concern about the length of time it takes to update their SaaS allowed IP addresses while onboarding to Prisma Access?. Dynamic IP pooling. DNS-based load balancing. Traffic steering. Dedicated IP addresses.

During a deployment of Prisma Access (Managed by Strata Cloud Manager) for mobile users, a SAML authentication type and authentication profile in the Cloud Identity Engine application is successfully created. Using this SAML authentication, what is a valid next step to configure authentication for mobile users?. Perform a full commit to Strata Cloud Manager so the Cloud Identity Engine profiles get synchronized from the application. Permit the Cloud Identity Engine service account RBAC access to the mobile user folder in Strata Cloud Manager. In Strata Cloud Manager, create a new authentication type of “Cloud Identity Engine.”. Create a SAML authentication profile in Strata Cloud Manager and link it to the Cloud Identity Engine profile.

A customer using Prisma Access (Managed by Panorama) wants to monitor traffic patterns across all remote networks and use Strata Logging Service to gather insights on network usage. An engineer notices that some network data is missing from the Application Command Center (ACC). What should the engineer do to ensure complete data visibility?. Reconfigure the Prisma Access remote networks to log directly to Panorama instead of using Strata Logging Service. Verify that the Panorama web interface has been configured to aggregate logs from both the Panorama data and RN-SPNs. Enable the 'Use Data for Pre-Defined Reports' setting in the Logging and Reporting configuration on Panorama. Ensure that log forwarding profiles are applied to all Prisma Access policies and directed to Strata.

An engineer configures User-ID redistribution from an on-premises firewall connected to Prisma Access (Managed by Panorama) using a service connection. After committing the configuration, traffic from remote network connections is still not matching the correct user-based policies. Which two configurations need to be validated? (Choose two.). Ensure the Remote_Network_Template is selected when adding the User-ID Agent in Panorama. Confirm there is a Security policy configured in Prisma Access to allow the communication on port 5007. Confirm the Collector Pre-Shared Keys match between Prisma Access and the on-premises firewall. Ensure the Service_Conn_Template is selected when adding the User-ID Agent in Panorama.

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to their data centers. The solution must meet these requirements: The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations. The branch locations must have internet filtering and data center connectivity. The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports. The security team must have access to manage the mobile user and access to branch locations. The network team must have access to manage only the partner access. Which two components can be provisioned to enable data center connectivity over the internet? (Choose two.). ZTNA Connector. SD-WAN Connector. Service connections. Colo-Connect.

An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications. What is a reason for this issue?. The rule was created with improper threat management settings. The rule was created in the wrong scope, affecting only GlobalProtect users instead of all users. The rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule. The rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

How can a senior engineer use Strata Cloud Manager (SCM) to ensure that junior engineers are able to create compliant policies while preventing the creation of policies that may result in security gaps?. Use security checks under posture settings and set the action to “deny” for all checks that do not meet the compliance standards. Configure role-based access controls (RBACs) for all junior engineers to limit them to creating policies in a disabled state, manually review the policies, and enable them using a senior engineer role. Configure an auto tagging rule in SCM to trigger a Security policy review workflow based on a security rule tag, then instruct junior engineers to use this tag for all new Security policies. Run a Best Practice Assessment (BPA) at regular intervals and manually revert any policies not meeting company compliance standards.

Which feature will fetch user and group information to verify whether a group from the Cloud Identity Engine is present on a security processing node (SPN)?. SASE Health Dashboard. User Activity Insights. Prisma Access Locations. Region Activity Insights.

Based on the image below, which two statements describe the reason and action required to resolve the errors? (Choose two.). The client is misconfigured. The server has pinned certificates. Create a do not decrypt rule for the hostname “google.com.”. Create a do not decrypt rule for the hostname “certificates.godaddy.com.”.

In addition to creating a Security policy, how can AI Access Security be used to prevent users from uploading financial information to ChatGPT?. Apply File Blocking to stop file uploads containing financial information. Configure an Enterprise DLP rule to block uploads containing financial information. Add the ChatGPT domains using URL Filtering to block uploads containing financial information. Apply a vulnerability profile to stop attempts to exploit system flaws or gain unauthorized access to financial systems.

A company has a Prisma Access deployment for mobile users in North America and Europe. Service connections are deployed to the data centers on these continents, and the data centers are connected by private links. With default routing mode, which action will verify that traffic being delivered to mobile users traverses the service connection in the appropriate regions?. Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region. Configure each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center. Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region. Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.

An intern is tasked with changing the Anti-Spyware Profile used for security rules defined in the GlobalProtect folder. All security rules are using the Default Prisma Profile. The intern reports that the options are greyed out and cannot be modified when selecting the Default Prisma Profile. Based on the image below, which action will allow the intern to make the required modifications?. Modify the existing anti-spyware. Request edit access for the GlobalProtect scope. Change the configuration scope to Prisma Access and modify the profile group. Create a new profile, because default profile groups cannot be modified.

After configuring domain-based split tunnel for zoom.us, how is the expected behavior on the client machine confirmed?. Verify from the routing table. Enable dump level logs on GlobalProtect Application. Verify zoom.us is resolved by the tunnel assigned DNS server. Ping zoom.us from the CLI.

What is the purpose of embargo rules in Prisma Access?. Rate-limiting connections originating from specific countries. Allowing traffic only from specific countries. Blocking connections from specific countries. Blocking traffic from Russia, China, and North Korea only.

How can a network security team be granted full administrative access to a tenant's configuration while restricting access to other tenants by using role-based access control (RBAC) for Panorama Managed Prisma Access in a multitenant environment?. Create an Access Domain and restrict access to only the Device Groups and Templates for the target tenant. Create a custom role enabling all privileges within the specific tenant's scope and assign it to the security team's user accounts. Create a custom role with Device Group and Template privileges and assign it to the security team's. Set the administrative accounts for the security team to the "Superuser" role.

Which policy configuration in Prisma Access Browser (PAB) will protect an organization from malicious BYOD and minimize the impact on the user experience?. One that blocks file exchange. One for session recording. One that blocks elements such as screen scrapers. One that allows access to applications with data masking or watermarking.

A large retailer has deployed all of its stores with the same IP address subnet. An engineer is onboarding these stores as Remote Networks in Prisma Access. While onboarding each store, the engineer selects the “Overlapping Subnets” checkbox. Which Remote Network flow is supported after onboarding in this scenario?. To private applications. To the internet. To remote network. To mobile users.

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to their data centers. The solution must meet these requirements: The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations. The branch locations must have internet filtering and data center connectivity. The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports. The security team must have access to manage the mobile user and access to branch locations. The network team must have access to manage only the partner access. How can the engineer configure mobile users and branch locations to meet the requirements?. Use GlobalProtect and Remote Networks to filter internet traffic and provide access to data center resources using service connections. Use Explicit Proxy to filter internet traffic and provide access to data center resources using service connections. Use GlobalProtect to filter internet traffic and provide access to data center resources using service connections. Use Explicit Proxy and Remote Networks to filter internet traffic and provide access to data center resources using service connections.

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to their data centers. The solution must meet these requirements: The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations. The branch locations must have internet filtering and data center connectivity. The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports. The security team must have access to manage the mobile user and access to branch locations. The network team must have access to manage only the partner access. Which two options will allow the engineer to support the requirements? (Choose two.). Configure the CPE with Static Routes pointing to Prisma Access Infrastructure and Mobile User routes. Enable eBGP for dynamic routing and configure Remote Networks. Configure Remote Networks and define the branch IP subnets using Static Routes. Enable Remote Networks Advertise Default Route.

When configuring Remote Browser Isolation (RBI) with Prisma Access (Managed by Strata Cloud Manager), which element is required to define the protected URLs for mobile users?. A URL access management profile with site access set to “Isolate” applied to a Security policy. A DNS Security profile applied to a Security policy with the action of “Isolate” for the target remote browser DNS categories. An RBI profile applied to the URL access management profile. A Security policy with the target URL categories and set the action to “Isolate”.

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to their data centers. The solution must meet these requirements: The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations. The branch locations must have internet filtering and data center connectivity. The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports. The security team must have access to manage the mobile user and access to branch locations. The network team must have access to manage only the partner access. How should Prisma Access be implemented to meet the customer requirements?. Deploy two Prisma Access instances - the first with mobile users, remote networks, and private access for all internal connection types, and the second with remote networks and private application access for B2B connections - and use the Strata Multitenant Cloud Manager Prisma Access configuration scope to manage access. Deploy a Prisma Access instance with mobile users, remote networks, and private access for all connection types, and use the Prisma Access Configuration scope to manage all access. Deploy two Prisma Access instances - the first with mobile users, remote networks, and private access for all internal connection types, and the second with remote networks and private application access for B2B connections - and use the specific configuration scope for the connection type to manage access. Deploy a Prisma Access instance with mobile users, remote networks, and private access for all connection types, and use the specific configuration scope for the connection type to manage access.
