JEHG-PA
|
|
Título del Test:
![]() JEHG-PA Descripción: Examen - De - PA Guia estudio |



| Comentarios |
|---|
NO HAY REGISTROS |
|
A technology company is deploying its own AI applications on a Google Kubernetes Engine (GKE) cluster. The development team is concerned about protecting the complex, microservices-based AI stack from both internal and external threats: such as data poisoning and lateral movement between containerized components. Which solution should be proposed to address these concerns?. AI Access Security with Advanced URL Filtering. AI Access Security with App-ID Cloud Engine. Prisma AIRS Network Intercept. Prisma AIRS API Intercept. An architect is reviewing a use case with the following requirements: Visibility on the health of an end user's path for the five most critical applications Metrics on the impact of endpoint health for application Centralized call quality analytics from Zoom video conferencing solution Insights into the supporting protocols, such as DNS Support 600 users on Windows desktops in a single sales office. Which solution should be recommended to meet these requirements?. Remote networks with ADEM enabled and an ION device. GlobalProtect with a Prisma Access portal configured and ADEM enabled. Prisma SD-WAN using the native application dashboard and link quality monitoring. Prisma Browser or the Prisma Browser extension with RUM metrics. A large organization uses Palo Alto Networks VM-Series firewalls deployed across multiple availability zones in Microsoft Azure. These are managed by an Azure Virtual Machine Scale Set (VMSS) and integrated with an Azure Load Balancer for high availability (HA) traffic inspection within a Transit VNet. The security team needs to perform a critical PAN-OS software upgrade across the entire fleet of firewalls with the requirement of minimal application downtime. Following Palo Alto Networks best practices for highly available cloud deployments, what is the recommended approach for safely performing this software upgrade with the least downtime?. Update the image in an Azure VMSS and then initiate an upgrade of the instances. Configure Azure Load Balancer probes to handle the health check failover during upgrades. Provision a new, parallel VMSS with the new PAN-OS version, validate it, and redirect traffic from the old VMSS to the new one. Use Azure Update Manager to push the PAN-OS upgrade package directly to all firewall instances simultaneously during a scheduled maintenance window. A global organization has fully adopted Prisma Access to provide security for its mobile workforce and remote offices, and user identity is managed in Okta. The security team wants to create consistent Security policies that grant access to specific SaaS applications based on a users' departments, regardless of whether they work from home or a from branch office connected via an SD-WAN device Which architecture ensures that consistent user-to-group mapping is available to Prisma Access for policy enforcement in this use case?. Install the Palo Alto Networks User-ID agent and configure it to sync user information from Okta to Prisma Access. Deploy Panorama to manage Prisma Access and configure it to pull user and group information from Okta via the Cloud Identity Engine. Configure SAML federation between Prisma Access and Okta to provide user identity for every web request. Configure each remote office SD-WAN device and each user’s GlobalProtect client to query Okta directly for user information. An organization wants to migrate to an SSE model using Prisma Access for hybrid workforce connectivity. Following bandwidth analysis, network engineers have identified high-bandwidth requirements (>2 Gbps) sustained throughput to the data center for privately hosted applications (e.g., three tier applications active FTP and SMB file servers, EDR toolsets). Business continuity for the organization requires the ability to use multiple cloud providers for private-application connectivity, ensuring no single cloud provider outage can disrupt operations. The network operations team has expressed concerns about migrating to SSE with legacy routing technical debt noting multiple redistribution protocols in place across the environment. Which two network connectivity methods will meet the business requirements to access private applications from Prisma Access? (Choose two.). ZTNA Connectors. Colo-Connect. Cloud gateways. Service connections. A global organization plans to implement a full Zero Trust network solution to evolve its security architecture and is deciding between SASE and traditional firewall edge solutions. The organization currently has a WAN solution with all traffic backhauled to a central set of data centers and requires that branch-to-branch traffic be permitted for all 721 branch locations. What is a crucial consideration as the solutions architect plans the end architecture for this organization?. PAN-OS SD-WAN should be used for full mesh deployments of 100 or more sites that require full security capabilities. Prisma Access does not support direct branch-to-branch traffic, but requires traffic to be routed by a service connection. Prisma SD-WAN supports partial mesh architectures with App-ID, Threat, and DNS Security for direct branch-to-branch traffic. Explicit proxy may be used in conjunction with Prisma Browser or а РАС file to access applications on a remote network. An organization plans to deploy a full SASE architecture consisting of Prisma SD-WAN IONs at branches and data centers alongside Prisma Access remote networks, service connections, and mobile users. The business office team requires that traffic from global remote offices to public cloud is of highest criticality, and this traffic should have the greatest service-level agreement (SLA) and QoS priority while still maintaining a balance of threat inspection. Which recommendation should the architect make to provide the lowest latency, highest throughput, and greatest resilience for the applications?. Prisma Access Agent or а РАС file explicit proxy configuration connecting the end user devices directly to Prisma Access with a service connection to the public cloud provider. Prisma Access remote networks with service connections directly to the cloud environment using IPSec and either static or dynamic routing. Prisma SD-WAN IONs deployed within the cloud environment using BGP-to-peer to the internal route tables of the application. Prisma SD-WAN ION deployed at both branch and private data center with a direct private link between the private data center and the public cloud provider. A cloud engineer has implemented a security solution with a VM-Series firewall in a GCP centralized VPC to secure traffic between two spoke VPCs, but there is no communication between the spokes. Which missed implementation step may cause this behavior?. Security policy rule allowing inter-spoke traffic. Peering connection between the two spoke VPCs. Source NAT policy for traffic initiated from one spoke to the other. Specific no-NAT policy rule for traffic between the spoke CIDR ranges. An organization uses Microsoft Entra ID and wants to strictly enforce a requirement that remote users accessing highly sensitive SaaS applications can only do so when originating from Prisma Browser. Which unique identifier must be configured within the Entra ID Conditional Access policy to effectively confirm and enforce that the access request is specifically originating from Prisma Browser and preventing standard web browsers from circumventing the Zero Trust Network Access (ZTNA) control?. List of known egress IP addresses associated with Prisma Browser’s cloud proxy infrastructure. Unique device token or Device-ID issued by Prisma Browser and validated by Entra ID. Certificate thumbprint of Prisma Browser’s secure workspace key used for session encryption. GlobalProtect mobile application installed on the user's endpoint. An IoT sensor should be deployed in the path between the IoT device and which infrastructure component for comprehensive profiling coverage?. IoT Gateway. DNS server. SNMP Collector. DHCP server. The network security architect leading a Zero Trust migration has successfully completed identifying and classifying all mission-critical Data, Applications, Assets, and Services (DAAS). The architect must now gather the necessary data to inform the technical design of the micro-perimeters and the placement of the VM-Series virtual firewalls in Azure. According to the Palo Alto Networks Zero Trust implementation methodology, what is the mandatory next step to gather the necessary data for designing the segmentation and the placement of security controls?. Identify the five essential components to be validated. Create the Zero Trust policy using the Kipling Method. Map the transaction flows to and from the protect surface. Monitor and maintain the network by inspecting and logging all traffic flows. Which custom component can mitigate the risk associated with an organization’s sales staff filling out a customer intake PDF form that contains corporate confidential information?. App-ID matching distinct components of the PDF applied using a security rule. Document type using trainable classifiers applied using a profile. Threat signature blocking the file based on a hash of the PDF. File blocking rule unique matching header or byte-code of the PDF. A large organization is building a hybrid AI environment. The plan is to develop proprietary machine learning (ML) models on-premises in a VMware NSX environment and create separate, cloud-native AI applications in a Google Kubernetes Engine (GKE) cluster environment. The CISO has requested a single solution that can offer runtime protection and visibility for the two environments. Which Prisma AIRS component or form factor should a security architect recommend to this customer?. AI Agent Security installed on each individual virtual machine (VM) and container across both environments to provide host-level protection. Prisma AIRS Network Intercept deployed as security virtual appliances in both environments. Prisma AIRS SaaS platform to ingest telemetry from both environments without requiring local enforcement points. AI Security Posture Management (AI-SPM) scanner to connect to both on-premises and cloud environments to scan for misconfigurations. An organization is designing the Prisma Access service connections for its data centers. Each data center has 10 Gb redundant links to the internet. Each data center will need to support a minimum of 1.5 Gbps of throughput from Prisma Access connected users and branches. Which diagram depicts a solution that meets the requirements of this use case?. A. B. C. D. An organization with offices throughout the world has an SD-WAN solution in which all traffic is backhauled to a central set of data centers. Many of the offices have IoT / OT devices. Which IoT Security requirement must be taken into consideration by the security architect when determining which Zero Trust network solution will help this organization evolve its security architecture?. Either a Prisma SD-WAN ION or an NGFW device must be present for accurate IoT / ОТ detection. A local sensor must be deployed as either an agent on the DHCP server or as a container on the virtual infrastructure. All DHCP requests must traverse the Prisma SD-WAN fabric for IoT / ОТ detection. The organization must have local NGFW for enforcement. A retail organization wants to sanction the use of a particular third-party SaaS-based AI application for inventory management. This application will need network layer data access to the organization’s internal supply chain database with confidential information highly secured in its own DMZ. The implementation is delayed because the CISO is concerned that the sanctioned third-party AI application could get compromised and then used to exfiltrate customer PH from the internal database. Which solution will address the CISO's concern?. Prisma AIRS with the AI agent deployed on the database server to monitor for unauthorized access attempts. Prisma AIRS with AI Security content updates to inspect the model's behavior and block anomalous database queries. AI Access Security with an App-ID Cloud Engine subscription to precisely identify and then block the inventory management application entirely. AI Access Security with an Enterprise DLP subscription to identify and block the PII within the traffic to and from the SaaS application. Which factor must be taken into consideration when determining whether an NGFW edge architecture or a SASE architecture is appropriate to recommend to a customer planning to implement a Zero Trust Network Access (ZTNA) solution?. ZTNA requires User-ID and Group-ID information that is not available in Prisma SD-WAN. ZTNA can be implemented regardless of the whether an NGFW or SASE solution is selected. ZTNA revolves around an agent on the endpoint and does not influence the overall NGFW or SASE architecture. ZTNA is a component of SASE and can only be implemented with Prisma Access. An organization has selected Prisma SD-WAN ION devices for use at branch offices and is working to build a low-level design for its sites. A typical branch site has a 10 Mbps MPLS with fiber LC-SR, and an RJ-45 Ethernet 50 Mbps DIA internet circuit. There are 75 workstations and a stacked core switch that supports LACP, M-LAG, BGP, and OSPF will be used. The core switch is the default gateway for all local VLANs. The final design will determine the selection of the appropriate model and accessories for the site. Which statement applies to the Prisma SD-WAN architecture in this use case?. MPLS underlay paths cannot be used as an active path alongside internet overlay path. Connectivity over the MPLS will be lost when the device that terminates it loses power. High availability (HA) for the LAN side connectivity can at most support two interfaces using LAG / LACP. Only a default route can be advertised on a LAN-side BGP peering from the ION. An architect is designing a security solution for a large AWS environment with numerous application virtual private clouds (VPCs). These applications have diverse and sometimes conflicting inbound security requirements, making a single, unified ruleset challenging to create and maintain. The solution must secure inbound traffic for different application groups while also centrally securing all outbound and east-west traffic via an AWS Transit Gateway. Which design model recommendation will simplify rule complexity for inbound traffic while meeting all security requirements?. Transit Gateway model focused on establishing connectivity by creating a full mesh of direct peering connections between all application VPCs. Combined model using dedicated inbound NGFWs for logical application groups and a central NGFW for east-west and outbound traffic. Isolated model deploying a separate non-connected security VPC for each application VPC. Centralized model to consolidating all security functions by directing all inbound, outbound, and east-west traffic through a single, shared security VPC. A security architect needs to design a log collection architecture for a large organization with hundreds of firewalls distributed across multiple geographic regions. The primary requirement is to ensure that if a single Log Collector in any region fails, logs from the firewalls in that region will automatically be sent to another available Log Collector without manual intervention. What is the recommended Panorama feature to achieve this level of log collection resilience?. Log Collector Group for each geographic region. Storage capacity increase on each individual Log Collector. Load balancer to distribute logs across all Log Collectors. Log Collectors deployed in a high availability (HA) pair. A global organization is in the process of securing critical applications during a cloud-based migration while migrating to a cloud-first design, and it is currently performing a brownfield migration of its most critical applications — such as CRM and product intellectual property / design systems — into Azure Cloud. The organization already has an active/passive high availability (HA) NGFW deployed at its data center with multiple zones and has replicated that design into its existing Azure HA deployment. The organization recognizes the need to modernize its security posture as critical workloads move out of the data center and users connect from anywhere. Its security model is defined by a traditional "hard shell, soft center" approach: Zero Trust Gaps - Current network segmentation is perimeter-based. The organization wants to expand Zero Trust principles across cloud and on-premises environments. The network relies heavily on VLANs and IP address-based Access Control Lists (ACLs) segmented primarily by office location and broad departmental groups. Once employees are on the corporate network (i.e., inside the "perimeter"), they have relatively wide access. If attackers compromise a single endpoint (e.g., via a phishing email), they can easily move laterally and scan for high-value targets. Cloud Blind Spots - The organization uses Azure for its production environments and hosts applications that contain sensitive customer data. Security controls in the cloud are often managed independently of the on-premises network. Access is frequently granted with overly permissive identity and access management (IAM) roles and keys based on the resource rather than the user’s real-time context or application health. Remote User Access -Many remote users are still hairpinning into the corporate data center just to reach internet or SaaS resources, creating latency and inefficiency. Traditional VPN is used for remote employees. The VPN grants access to the entire internal network segment making the remote endpoint the new, weaker perimeter. There is no continuous check on the user’s device health after the initial connection. Visibility and Logging - Logs are primarily stored on-premises, then forwarded to a local Security Information and Event Management (SIEM) solution. As applications move to Azure, visibility into cloud traffic and user behavior becomes fragmented. Data Security Concern - Sensitive data, including product design files, will now live in SaaS and cloud environments. The organization needs data security to prevent leakage and enforce compliance. Ingress Security - Third-party partners and suppliers require access into the data center and cloud applications, introducing risk at ingress points. The current Microsoft Azure NGFW architecture will not support the increased traffic with the new applications being migrated. Which architectural solution will provide scalable inspection?. Decommission the firewall pair and use a multi-region deployment of Azure VPN gateways to manage VNet-to-VNet connections. Migrate to a load balancer-based autoscaling firewall cluster that uses User-Defined Routes (UDRs) to traffic to multiple concurrent firewall instances for inspection. Keep the active/passive firewall only for north-south traffic and rely entirely on Azure Network Security Groups (NSGs) for east-west traffic inspection. Maintain the Azure active/passive design and use Azure scale sets to vertically scale the firewall size to handle all current and anticipated future east-west traffic. A global organization is in the process of securing critical applications during a cloud-based migration while migrating to a cloud-first design, and it is currently performing a brownfield migration of its most critical applications — such as CRM and product intellectual property / design systems — into Azure Cloud. The organization already has an active/passive high availability (HA) NGFW deployed at its data center with multiple zones and has replicated that design into its existing Azure HA deployment. The organization recognizes the need to modernize its security posture as critical workloads move out of the data center and users connect from anywhere. Its security model is defined by a traditional "hard shell, soft center" approach: Zero Trust Gaps - Current network segmentation is perimeter-based. The organization wants to expand Zero Trust principles across cloud and on-premises environments. The network relies heavily on VLANs and IP address-based Access Control Lists (ACLs) segmented primarily by office location and broad departmental groups. Once employees are on the corporate network (i.e., inside the "perimeter"), they have relatively wide access. If attackers compromise a single endpoint (e.g., via a phishing email), they can easily move laterally and scan for high-value targets. Cloud Blind Spots - The organization uses Azure for its production environments and hosts applications that contain sensitive customer data. Security controls in the cloud are often managed independently of the on-premises network. Access is frequently granted with overly permissive identity and access management (IAM) roles and keys based on the resource rather than the user’s real-time context or application health. Remote User Access - Many remote users are still hairpinning into the corporate data center just to reach internet or SaaS resources, creating latency and inefficiency. Traditional VPN is used for remote employees. The VPN grants access to the entire internal network segment making the remote endpoint the new, weaker perimeter. There is no continuous check on the user’s device health after the initial connection. Visibility and Logging - Logs are primarily stored on-premises, then forwarded to a local Security Information and Event Management (SIEM) solution. As applications move to Azure, visibility into cloud traffic and user behavior becomes fragmented. Data Security Concern - Sensitive data, including product design files, will now live in SaaS and cloud environments. The organization needs data security to prevent leakage and enforce compliance. Ingress Security - Third-party partners and suppliers require access into the data center and cloud applications, introducing risk at ingress points. The organization needs to ensure data security and prevent the leakage of sensitive product design files since it is migrating to SaaS and cloud environments. How would implementing a Next-Generation CASB (CASB-X) capability address the concerns in the scenario?. By replacing the reliance on VLANs and IP address-based Access Control Lists (ACLs) by enforcing a user-to-application microsegmentation policy based on identity. By providing data loss prevention (DLP) features to scan data-at-rest and data-in-transit in sanctioned SaaS and cloud applications. By continuously monitoring user behavior and device health from a central control point to prevent lateral movement if an attacker compromises an endpoint. By applying URL filtering and malware prevention to all traffic destined for unsanctioned or risky cloud applications, reducing the attack surface. A global organization is in the process of securing critical applications during a cloud-based migration while migrating to a cloud-first design, and it is currently performing a brownfield migration of its most critical applications — such as CRM and product intellectual property / design systems — into Azure Cloud. The organization already has an active/passive high availability (HA) NGFW deployed at its data center with multiple zones and has replicated that design into its existing Azure HA deployment. The organization recognizes the need to modernize its security posture as critical workloads move out of the data center and users connect from anywhere. Its security model is defined by a traditional "hard shell, soft center" approach: Zero Trust Gaps - Current network segmentation is perimeter-based. The organization wants to expand Zero Trust principles across cloud and on-premises environments. The network relies heavily on VLANs and IP address-based Access Control Lists (ACLs) segmented primarily by office location and broad departmental groups. Once employees are on the corporate network (i.e., inside the "perimeter"), they have relatively wide access. If attackers compromise a single endpoint (e.g., via a phishing email), they can easily move laterally and scan for high-value targets. Cloud Blind Spots - The organization uses Azure for its production environments and hosts applications that contain sensitive customer data. Security controls in the cloud are often managed independently of the on-premises network. Access is frequently granted with overly permissive identity and access management (IAM) roles and keys based on the resource rather than the user’s real-time context or application health. Remote User Access - Many remote users are still hairpinning into the corporate data center just to reach internet or SaaS resources, creating latency and inefficiency. Traditional VPN is used for remote employees. The VPN grants access to the entire internal network segment making the remote endpoint the new, weaker perimeter. There is no continuous check on the user’s device health after the initial connection. Visibility and Logging - Logs are primarily stored on-premises, then forwarded to a local Security Information and Event Management (SIEM) solution. As applications move to Azure, visibility into cloud traffic and user behavior becomes fragmented. Data Security Concern - Sensitive data, including product design files, will now live in SaaS and cloud environments. The organization needs data security to prevent leakage and enforce compliance. Ingress Security - Third-party partners and suppliers require access into the data center and cloud applications, introducing risk at ingress points. Which solution will improve resilience and reduce operational overhead in this scenario?. Vertically scaling the existing HA solution with enough capacity for the new applications. Cloud NGFW integrated into the existing virtual network (VNet) design. Centralized VM-Series NGFW deployed in the existing virtual network (VNet). Distributed VM-Series NGFW in a new virtual network (VNet). An organization wants to modernize its legacy branch architecture. The existing architecture is rigid, complex, and ill-suited for a cloud-first strategy, creating high operational costs and latency. The four core data centers are strategically located in Dallas, Toronto, London and Tokyo, and they are interconnected by a dedicated MPLS backbone providing reliable connectivity but incurring significant costs and offering limited bandwidth scalability. Branches rely on MPLS or site-to-site VPN to connect to the nearest geographical data center. All internet-bound traffic from the branches is backhauled to the data center egress firewalls. This creates latency for SaaS applications and increases bandwidth strain on the MPLS links. The organization requires a proposal for a new WAN architecture for branch connectivity with the goal of improving security posture and SaaS application access as well as supporting local internet breakout for all branch devices, including IoT. Which two implementations will achieve the goal of modernizing the branch architecture? (Choose two.). NGFW at each branch with Large Scale VPN (LSVPN) for data center access and Direct Internet Access (DIA). SD-WAN using on-premises NGFWs for Direct Internet Access (DIA). SSE with Prisma Access for mobile users and service connections. SASE with Prisma Access for remote networks and service connections. An organization wants to modernize its legacy branch architecture. The existing architecture is rigid, complex, and ill-suited for a cloud-first strategy, creating high operational costs and latency. The four core data centers are strategically located in Dallas, Toronto, London and Tokyo, and they are interconnected by a dedicated MPLS backbone providing reliable connectivity but incurring significant costs and offering limited bandwidth scalability. Branches rely on MPLS or site-to-site VPN to connect to the nearest geographical data center. All internet-bound traffic from the branches is backhauled to the data center egress firewalls. This creates latency for SaaS applications and increases bandwidth strain on the MPLS links. What is the primary security posture enhancement that can be achieved in this use case by offloading data center backhaul to a PAN-OS SD-WAN model with local internet breakout for SaaS traffic?. Reduced attack surface on the MPLS / DC edge by removing unnecessary SaaS flows. Improved resilience by allowing path diversity with DIA, LTE, or broadband. Better segmentation within the branch LAN allowing for isolation of user groups or devices locally. Better visibility and granular control at the branch firewall. A global organization is modernizing its data center and private cloud infrastructure. The environment consists of: A Nutanix AHV cluster hosting critical east-west application workloads A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps) A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic. VM-Series on Nutanix AHV - Resource Allocation Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload. VM-Series on VMware ESXi - NUMA and vCPU Placement In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required. Operational Integration and High Availability With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west inspection bottlenecks. The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns. Which resource allocation strategy should the architect use for the VM-Series virtual machine (VM)?. Enable memory overcommitment (ballooning) on the VM to allow the hypervisor to reclaim unused memory for other workloads. Implement CPU and memory reservation for the VM, pinning it to specific physical cores and reserving 100% of its allocated RAM. Use thin provisioning for the VM’s virtual disks to save storage space and allow for flexible growth. Configure the VM with a high-priority setting in the AHV scheduler to ensure it gets preferential access to CPU cycles. A global organization is modernizing its data center and private cloud infrastructure. The environment consists of: A Nutanix AHV cluster hosting critical east-west application workloads A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps) A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic. VM-Series on Nutanix AHV - Resource Allocation Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload. VM-Series on VMware ESXi - NUMA and vCPU Placement In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required. Operational Integration and High Availability With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west inspection bottlenecks. The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns. While using the VM-Series to build the NFV environment, which configuration should the architect use?. SR-IOV-enabled network interfaces and DPDK mode enabled. SR-IOV-enabled network interfaces and standard Linux bridge networking. Virtio drivers connected to an Open vSwitch (OVS) bridge. Virtio drivers and DPDK mode enabled. A global organization is modernizing its data center and private cloud infrastructure. The environment consists of: A Nutanix AHV cluster hosting critical east-west application workloads A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps) A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic. VM-Series on Nutanix AHV - Resource Allocation Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload. VM-Series on VMware ESXi - NUMA and vCPU Placement In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required. Operational Integration and High Availability With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west nspection bottlenecks. The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns. Which PAN-OS feature will meet the CISO’s need for north-south traffic inspection?. High-density DAC/QSFP ports for flexible network connectivity. Dedicated out-of-band management port for separating management and data traffic. Dual redundant, hot-swappable power supplies for HA. Dedicated hardware crypto engines for offloading SSL/TLS decryption and IPSec processing. A global organization is modernizing its data center and private cloud infrastructure. The environment consists of: A Nutanix AHV cluster hosting critical east-west application workloads A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps) A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic. VM-Series on Nutanix AHV - Resource Allocation Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload. VM-Series on VMware ESXi - NUMA and vCPU Placement In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required. Operational Integration and High Availability With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west inspection bottlenecks. The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns. To optimize throughput and minimize latency, what is recommended to configure the vCPUs and NUMA for this deployment?. Ensure that all vCPUs assigned to the VM’s data plane reside on a single physical NUMA node. Assign vCPUs from multiple NUMA nodes to allow the VM to access more memory. Configure the number of vCPUs to be greater than the number of physical cores on the host in order to use the ESXi scheduler. Enable hyperthreading on the physical host and assign all logical cores from a single physical core to the VM-Series. An organization is in the process of building a network infrastructure that is cloud first. Part of the revised architecture includes Prisma Access as demonstrated in the diagram below. The organization has selected Strata Cloud Manager (SCM) as the management method for Prisma Access and NGFWs deployed at the data center and in public cloud environments. There are 150 NGFWs in place that are used to terminate service connections and segment networks as well as to secure the data center and public cloud resources. One of the resilience requirements is to provide highly available directory services and authentication for the NGFW and Prisma Access deployment. Which two configurations meet the design and customer requirements in this scenario? (Choose two.). Firewalls connected to LDAP servers and Prisma Access connected to the Cloud Identity Engine with connections to the LDAP servers for directory services. Firewalls and Prisma Access for mobile users with RADIUS authentication. Firewalls and Prisma Access connected to the Cloud Identity Engine with connections to Entra ID for directory services. Firewalls and Prisma Access for mobile users configured with SAML authentication. An organization is in the process of building a network infrastructure that is cloud first. Part of the revised architecture includes Prisma Access as demonstrated in the diagram below. The organization has selected Strata Cloud Manager (SCM) as the management method for Prisma Access and NGFWs deployed at the data center and in public cloud environments. There are 150 NGFWs in place that are used to terminate service connections and segment networks as well as to secure the data center and public cloud resources. One of the resilience requirements is to provide highly available directory services and authentication for the NGFW and Prisma Access deployment. Which traffic flow is valid for administrators connecting network equipment over SSH hosted in the data center?. Prisma Browser → Service Connection → Data Center → Target Application. Prisma Browser → Mobile User SPN → Service Connection → Data Center → Target Application. Prisma Browser → Explicit Proxy → Service Connection → Data Center → Target Application. Prisma Browser → Explicit Proxy → Mobile User SPN → Service Connection → Data Center → Target Application. An organization is in the process of building a network infrastructure that is cloud first. Part of the revised architecture includes Prisma Access as demonstrated in the diagram below. The organization has selected Strata Cloud Manager (SCM) as the management method for Prisma Access and NGFWs deployed at the data center and in public cloud environments. There are 150 NGFWs in place that are used to terminate service connections and segment networks as well as to secure the data center and public cloud resources. One of the resilience requirements is to provide highly available directory services and authentication for the NGFW and Prisma Access deployment. The organization wants to be able to track Prisma Access users on the on-premises firewalls and remote networks. Which configuration meets the design and organization requirements?. Firewalls will connect to each node of a Panorama high availability (HA) pair to retrieve user information, and remote networks will receive the user context from the Cloud Identity Engine. Each firewall and remote network will be configured to retrieve user information from each of the Prisma Access SC-CANs. Each firewall and remote network will be configured to retrieve user information from each of the Prisma Access MU-SPNs. Firewalls will connect to a regional set of redistribution firewalls connected to the SC-CANs and RN-SPN will connect to each SC-CAN to retrieve the user information. An organization has a directive to adopt a Zero Trust framework focused on using identity and role-based access groups, device security and content inspection across all Security policies. To achieve this goal, an Enterprise License Agreement (ELA) was purchased, including Advanced Threat Prevention, IoT Security, and GlobalProtect. The current security architecture uses Panorama to manage 60 NGFWs — a mix of PA-3240, PA-1410, and PA-440. Sites with PA-3240s host private application resources in the trust data center zone All sites have an untrust zone for internet access and a users zone for managed and unmanaged endpoint devices. A transit mesh zone exists to establish site-to-site connectivity through PAN-OS SD-WAN. Privately hosted applications include web servers, SMB and NFS file servers and hosted Active Directory. The organization is in the process of adopting group mapping restrictions to these private applications, with daily additions of groups. It is also planning to build AI applications to assist the data teams with complex queries that will be hosted in the large offices containing data centers and is exploring hosting in the public cloud. The organization uses on-premises Exchange, Dropbox, Zoom, and ChatGPT. There are a number of shadow SaaS applications that require further investigation. Users have been using Google Drive to upload confidential files within the organization by using their personal logins IoT devices on the network are associated on their own VLAN on the users zone. Using Device Security, all IoT devices have been categorized by asset profiles with medium or high confidence, policy sets imported into Panorama, and a default deny applied to the IoT networks. The organization has rolled out SSL decryption and is using URL categorization for the majority of content filtering. Malicious categories, unknown and high-risk websites are blocked, with the remainder of sites set to alert. Which action should the architect recommend to restrict the confidential file exfiltration present in the organization's environment using existing technology?. In Prisma Browser create an access security rule and a data security rule preventing file-upload unsanctioned file-sharing applications. Using SaaS Security, enable tenant restrictions, preventing personal logins from using unsanctioned applications. Using App-ID, create a policy denying google- drive-web-upload. Using Enterprise DLP, create custom data patterns notifying confidential data, and block the custom data pattern from being uploaded. An organization has a directive to adopt a Zero Trust framework focused on using identity and role-based access groups, device security and content inspection across all Security policies. To achieve this goal, an Enterprise License Agreement (ELA) was purchased, including Advanced Threat Prevention, IoT Security, and GlobalProtect. The current security architecture uses Panorama to manage 60 NGFWs — a mix of PA-3240, PA-1410, and PA-440. Sites with PA-3240s host private application resources in the trust data center zone All sites have an untrust zone for internet access and a users zone for managed and unmanaged endpoint devices. A transit mesh zone exists to establish site-to-site connectivity through PAN-OS SD-WAN. Privately hosted applications include web servers, SMB and NFS file servers and hosted Active Directory. The organization is in the process of adopting group mapping restrictions to these private applications, with daily additions of groups. It is also planning to build AI applications to assist the data teams with complex queries that will be hosted in the large offices containing data centers and is exploring hosting in the public cloud. The organization uses on-premises Exchange, Dropbox, Zoom, and ChatGPT. There are a number of shadow SaaS applications that require further investigation. Users have been using Google Drive to upload confidential files within the organization by using their personal logins. IoT devices on the network are associated on their own VLAN on the users zone. Using Device Security, all IoT devices have been categorized by asset profiles with medium or high confidence, policy sets imported into Panorama, and a default deny applied to the IoT networks. The organization has rolled out SSL decryption and is using URL categorization for the majority of content filtering. Malicious categories, unknown and high-risk websites are blocked, with the remainder of sites set to alert. Which deployment method should the architect suggest for enabling User-ID based rules, restricting or allowing access as close to the source as possible, while minimizing operational overhead?. Panorama device template for data redistribution, referencing primary and secondary Panoramas as the User-ID agent. Panorama device template with a group mapping profile with group allow list to reduce group update time on the firewalls. Cloud Directory via SCIM to sync user groups to the Cloud Identity Engine and the firewalls. Cloud Identity agent to sync user groups to the Cloud Identity Engine and the firewalls. A global manufacturing organization with 50,000 employees spanning 35 countries designs advanced industrial equipment and owns significant intellectual property. The organization operates in a highly competitive market where protecting trade secrets is critical to maintaining market advantage. Over the past 18 months, the CISO discovered that employees across the organization have adopted hundreds of GenAI applications to improve productivity. Engineers use AI coding assistants to accelerate product development sales teams use AI tools to generate proposals, and customer service representatives use chatbots to draft responses. While this adoption has driven innovation, it has also created significant security risks. A security audit reveals sensitive CAD files uploaded to image-generation services, proprietary source code shared with public coding assistants, and confidential customer information used in prompts. The audit identifies over 300 different GenAI applications in use, most of which had not been formally reviewed or approved. The customer service department has also been developing internal AI applications, including a customer service copilot built on a cloud large language model (LLM) platform, an internal knowledge management assistant, and a code review tool. These internal applications access sensitive databases, customer records and internal APIs — creating additional security concerns about exploitation or misuse. The organization has a distributed workforce in which 60% of employees work remotely or in hybrid arrangements, accessing corporate resources and AI applications from various locations using managed and unmanaged devices. Existing network security infrastructure lacks AI-specific security capabilities. Organization leadership wants to enable AI-driven innovation while implementing comprehensive security controls. The CISO has been tasked with developing an organization-wide GenAI governance program that protects sensitive assets without hindering productivity. The program must address both external AI applications employees are using and internal AI applications being developed by IT. Which architectural approach best aligns with the organization’s strategic objectives to enable AI innovation and protect sensitive assets?. Rely on existing perimeter firewalls and VPN concentrators applying standard URL filtering and data loss prevention (DLP) policies for AI traffic. Segment network zones within each data center to isolate AI workloads from critical IP address repositories and monitor east-west traffic. Deploy a cloud-delivered security platform with AI-aware controls integrated with identity and device posture. Block external GenAI applications at the firewall and empower employees to use internally developed AI applications. A global manufacturing organization with 50,000 employees spanning 35 countries designs advanced industrial equipment and owns significant intellectual property. The organization operates in a highly competitive market where protecting trade secrets is critical to maintaining market advantage. Over the past 18 months, the CISO discovered that employees across the organization have adopted hundreds of GenAI applications to improve productivity. Engineers use AI coding assistants to accelerate product development sales teams use AI tools to generate proposals, and customer service representatives use chatbots to draft responses. While this adoption has driven innovation, it has also created significant security risks. A security audit reveals sensitive CAD files uploaded to image-generation services, proprietary source code shared with public coding assistants, and confidential customer information used in prompts. The audit identifies over 300 different GenAI applications in use, most of which had not been formally reviewed or approved. The customer service department has also been developing internal AI applications, including a customer service copilot built on a cloud large language model (LLM) platform, an internal knowledge management assistant, and a code review tool. These internal applications access sensitive databases, customer records and internal APIs — creating additional security concerns about exploitation or misuse. The organization has a distributed workforce in which 60% of employees work remotely or in hybrid arrangements, accessing corporate resources and AI applications from various locations using managed and unmanaged devices. Existing network security infrastructure lacks AI-specific security capabilities. Organization leadership wants to enable AI-driven innovation while implementing comprehensive security controls. The CISO has been tasked with developing an organization-wide GenAI governance program that protects sensitive assets without hindering productivity. The program must address both external AI applications employees are using and internal AI applications being developed by IT. In which two ways would Prisma AIRS secure AI agents deployed across multiple cloud platforms in this scenario? (Choose two.). By supporting API Intercept for Multicloud deployments since Network Intercept cannot be deployed in the network architectures of different cloud providers. By providing Network Intercept inline in multicloud network architectures to monitor AI agent traffic, and API Intercept as Security as Code (SaC) to scan prompts and responses before they reach models. By offering Network Intercept for infrastructure-level protection across any cloud platform and API Intercept for application-level security embedded directly in agent code. By requiring separate product installations for each cloud platform with AWS-specific agents for Bedrock and GCP-specific agents for Vertex AI that cannot share policies. A global manufacturing organization with 50,000 employees spanning 35 countries designs advanced industrial equipment and owns significant intellectual property. The organization operates in a highly competitive market where protecting trade secrets is critical to maintaining market advantage. Over the past 18 months, the CISO discovered that employees across the organization have adopted hundreds of GenAI applications to improve productivity. Engineers use AI coding assistants to accelerate product development sales teams use AI tools to generate proposals, and customer service representatives use chatbots to draft responses. While this adoption has driven innovation, it has also created significant security risks. A security audit reveals sensitive CAD files uploaded to image-generation services, proprietary source code shared with public coding assistants, and confidential customer information used in prompts. The audit identifies over 300 different GenAI applications in use, most of which had not been formally reviewed or approved. The customer service department has also been developing internal AI applications, including a customer service copilot built on a cloud large language model (LLM) platform, an internal knowledge management assistant, and a code review tool. These internal applications access sensitive databases, customer records and internal APIs — creating additional security concerns about exploitation or misuse. The organization has a distributed workforce in which 60% of employees work remotely or in hybrid arrangements, accessing corporate resources and AI applications from various locations using managed and unmanaged devices. Existing network security infrastructure lacks AI-specific security capabilities. Organization leadership wants to enable AI-driven innovation while implementing comprehensive security controls. The CISO has been tasked with developing an organization-wide GenAI governance program that protects sensitive assets without hindering productivity. The program must address both external AI applications employees are using and internal AI applications being developed by IT. Which enforcement solution can the CISO recommend to control GenAI data exfiltration?. Implement Prisma AIRS. Implement AI Access Security. Configure User-ID and App-ID on the perimeter NGFWs. Configure Prisma AIRS to monitor for data exfiltration within the AI application prompts. A multinational organization has a large worldwide remote user base. This user base consists of several persona types with distinct requirements and concerns regarding the adoption of a Zero Trust Network Access (ZTNA) solution. Developers have a requirement to temporarily bypass security controls for business purposes, but the security team sees this as a potential risk. The developers commonly access development servers onsite in private data centers and public cloud. These development applications use web (HTTP/HTTPS), API, RPC, and SMB-based applications. Sales staff travel regularly and connect to the network via many different types of connections, but they are generally limited to SaaS-based web applications. They often complain about performance when any agent is installed and want the ability to temporarily disable these agents. Data exfiltration and insider risk have been identified as the primary threats for this class of user. Executives have concerns about being high-value targets. Security must be consistent across the multiple endpoint types, including mobile and desktop devices. The executive team members have indicated that their primary objective is to ensure that the solution is responsive and easy to troubleshoot. Which statement applies in the context of securing the developers’ applications?. Mobile users, remote networks, and explicit proxy all provide the same Cloud-Delivered Security Services (CDSS) capabilities. GlobalProtect mobile users and explicit proxy users share the same configuration scope for policy configuration. ZTNA Connector requires DNS for all applications it publishes and does not permit direct IP address-based access. Explicit proxy on ramps can only provide security for HTTP, HTTPS, and proxy-aware applications. A multinational organization has a large worldwide remote user base. This user base consists of several persona types with distinct requirements and concerns regarding the adoption of a Zero Trust Network Access (ZTNA) solution. Developers have a requirement to temporarily bypass security controls for business purposes, but the security team sees this as a potential risk. The developers commonly access development servers onsite in private data centers and public cloud. These development applications use web (HTTP/HTTPS), API, RPC, and SMB-based applications. Sales staff travel regularly and connect to the network via many different types of connections, but they are generally limited to SaaS-based web applications. They often complain about performance when any agent is installed and want the ability to temporarily disable these agents. Data exfiltration and insider risk have been identified as the primary threats for this class of user. Executives have concerns about being high-value targets. Security must be consistent across the multiple endpoint types, including mobile and desktop devices. The executive team members have indicated that their primary objective is to ensure that the solution is responsive and easy to troubleshoot. Which solution should be suggested to mitigate the security risk and meet the concerns of the sales team?. Use the standalone WildFire Agent on the endpoint to maintain security for large and unknown file downloads. Migrate end users to Prisma Browser for all work applications and apply data protection rules to all enterprise applications. Provide end users scoped access to Strata Cloud Manager (SCM) and require them to configure split tunneling for applications they need to bypass. Automate uploads of files to the Enterprise DLP submissions portal so all files undergo data inspection regardless of connectivity method. A multinational organization has a large worldwide remote user base. This user base consists of several persona types with distinct requirements and concerns regarding the adoption of a Zero Trust Network Access (ZTNA) solution. Developers have a requirement to temporarily bypass security controls for business purposes, but the security team sees this as a potential risk. The developers commonly access development servers onsite in private data centers and public cloud. These development applications use web (HTTP/HTTPS), API, RPC, and SMB-based applications. Sales staff travel regularly and connect to the network via many different types of connections, but they are generally limited to SaaS-based web applications. They often complain about performance when any agent is installed and want the ability to temporarily disable these agents. Data exfiltration and insider risk have been identified as the primary threats for this class of user. Executives have concerns about being high-value targets. Security must be consistent across the multiple endpoint types, including mobile and desktop devices. The executive team members have indicated that their primary objective is to ensure that the solution is responsive and easy to troubleshoot. Which two parameters should the architect take into account regarding GlobalProtect gateway selection? (Choose two.). Gateway geo IP mapping. Gateway priority. Proximity to users. Proximity to destination resources. A multinational organization has a large worldwide remote user base. This user base consists of several persona types with distinct requirements and concerns regarding the adoption of a Zero Trust Network Access (ZTNA) solution. Developers have a requirement to temporarily bypass security controls for business purposes, but the security team sees this as a potential risk. The developers commonly access development servers onsite in private data centers and public cloud. These development applications use web (HTTP/HTTPS), API, RPC, and SMB-based applications. Sales staff travel regularly and connect to the network via many different types of connections, but they are generally limited to SaaS-based web applications. They often complain about performance when any agent is installed and want the ability to temporarily disable these agents. Data exfiltration and insider risk have been identified as the primary threats for this class of user. Executives have concerns about being high-value targets. Security must be consistent across the multiple endpoint types, including mobile and desktop devices. The executive team members have indicated that their primary objective is to ensure that the solution is responsive and easy to troubleshoot. Which two solutions will help mitigate the risk to the sales staff? (Choose two.). Forwarding profiles in Prisma Access Agent with end users granted route control access to bypass specific domains without disabling the agent. GlobalProtect in hybrid mode to provide explicit proxy-based secure web gateway (SWG) protection even when the tunnel is disconnected. Network enforcement feature on GlobalProtect to restrict access to high-risk URL categories. Endpoint DLP on Prisma Access Agent to ensure organization data is not exfiltrated. A global manufacturing organization has a strategic plan for rapid growth through mergers and acquisitions Several components the organization has purchased are deemed large deployments with existing IP address schemas and allocations that conflict with the parent organization. The manufacturing organization needs access to the resources before a re-IP initiative can be completed. All of the deployments include a variety of IoT devices Leadership requires protection of vulnerable assets and identification of any known CVEs associated with the IoT devices. The governance, risk and compliance (GRC) team requires comprehensive non-repudiable logs to identify all IoT devices reporting "Critical (9 0+) CVE scores" for mandatory remediation. Throughput needs to exceed the current 1 Gbps trending rate, and with expected growth will soon scale to 5 Gbps. Segmentation is a mandatory requirement with enclaves based on region, device type, and function. Which architectural component ensures the IoT storage, integrity, and non-repudiation of this granular risk data for auditing purposes?. NGFW’s session table, which is encrypted with the master key. Strata Logging Service for cloud storage of the security logs and device telemetry. GlobalProtect agent to collect device posture and to locally log all critical CVE scores. Panorama log collector using its local database with a 90-day retention policy. A global manufacturing organization has a strategic plan for rapid growth through mergers and acquisitions Several components the organization has purchased are deemed large deployments with existing IP address schemas and allocations that conflict with the parent organization. The manufacturing organization needs access to the resources before a re-IP initiative can be completed. All of the deployments include a variety of IoT devices Leadership requires protection of vulnerable assets and identification of any known CVEs associated with the IoT devices. The governance, risk and compliance (GRC) team requires comprehensive non-repudiable logs to identify all IoT devices reporting "Critical (9 0+) CVE scores" for mandatory remediation. Throughput needs to exceed the current 1 Gbps trending rate, and with expected growth will soon scale to 5 Gbps. Segmentation is a mandatory requirement with enclaves based on region, device type, and function. In which two ways should the organization architect for isolation of IoT with groupings based on the device types? (Choose two.). Device-ID based policies. Vendor OUI-based policy. CVE risk scoring-based policy. Dynamic address groups. A global manufacturing organization has a strategic plan for rapid growth through mergers and acquisitions Several components the organization has purchased are deemed large deployments with existing IP address schemas and allocations that conflict with the parent organization. The manufacturing organization needs access to the resources before a re-IP initiative can be completed. All of the deployments include a variety of IoT devices Leadership requires protection of vulnerable assets and identification of any known CVEs associated with the IoT devices. The governance, risk and compliance (GRC) team requires comprehensive non-repudiable logs to identify all IoT devices reporting "Critical (9 0+) CVE scores" for mandatory remediation. Throughput needs to exceed the current 1 Gbps trending rate, and with expected growth will soon scale to 5 Gbps. Segmentation is a mandatory requirement with enclaves based on region, device type, and function. A firewall has been configured in tap mode for visibility into the traffic for profiling Inconsistencies in the profiling have been observed with a mix of behaviors. What are two possible root causes for the behavior? (Choose two.). The devices are deployed behind a NAT device. Asymmetric routing is providing visibility into TX but not RX traffic. Hard coded MAC addresses cannot be properly profiled. MAC spoofing is occurring on the network. A global manufacturing organization has a strategic plan for rapid growth through mergers and acquisitions Several components the organization has purchased are deemed large deployments with existing IP address schemas and allocations that conflict with the parent organization. The manufacturing organization needs access to the resources before a re-IP initiative can be completed. All of the deployments include a variety of IoT devices Leadership requires protection of vulnerable assets and identification of any known CVEs associated with the IoT devices. The governance, risk and compliance (GRC) team requires comprehensive non-repudiable logs to identify all IoT devices reporting "Critical (9 0+) CVE scores" for mandatory remediation. Throughput needs to exceed the current 1 Gbps trending rate, and with expected growth will soon scale to 5 Gbps. Segmentation is a mandatory requirement with enclaves based on region, device type, and function. Which off-ramp should an architect recommend to meet the requirements of the organization?. ZTNA Connector. Service Connection. GCP Network Cloud Connector. Colo-Connect. |




