Palo Alto: Network Security Professional

Which Cloud-Delivered Security Service helps to prevent data leakage?. Data Loss Prevention (DLP). IoT Security. WildFire. URL Filtering.

Which Two SSH Proxy decryption profile settings should be configured to enhance the company's security posture? (Choose two). Block sessions when certificate validation fails. Allow sessions when decryption resources are unavailable. Block connections that use non-compliant SSH versions. Allow sessions with legacy SSH protocol versions.

What is the purpose of configuring a decryption policy rule on a Palo Alto NGFW?. To support user credential phishing protection. To block all outbound HTTPS connections. To inspect and enforce security on SSL/TLS traffic. To redirect encrypted traffic to third-party appliances.

During a security incident investigation, which security profile will have logs of attempted cofidential data exfiltration?. Wildfire Analysis Profile. File Blocking Profile. Enterprise DLP Profile. Vulnerability Protection Profile.

How does Advanced WildFire integrate into third-party applications?. Through playbooks automatically sending WildFire data. Through customized reporting configured in NGFWs. Through the WildFire API. Through Strata Logging Service.

A hospital system allows mobile medical imaging trailers to connect directly to the internal network of its various campuses. The network security team is concerned about this direct connection and wants to begin implementing a Zero Trust approach in the at network. Which solution provides cost-effective network segmentation and security enforcement in this scenario?. Configure access control lists on the campus core switches to control and inspect traffic based on image size, type, and frequency. Manually inspect large images like holograms and MRIs, but permit smaller images to pass freely through the campus core firewalls. Configure separate zones to isolate the imaging trailer's traffic and apply enforcement using the existing campus core firewalls. Deploy edge firewalls at each campus entry point to monitor and control various traffic types through direct connection with the trailers.

Which of the following are considered best practices for network hardening on Palo Alto firewalls? (Choose two). User-ID and Device-ID-based policies. Disable logging. Enable unused administrative interfaces. Segment networks using zones.

Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two). Incomplete certificate chains. RADIUS profile. Certificate pinning. SAML certificate.

A network administrator obtains a Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service?. Configure DNS Security signature policy settings to sinkhole malicious DNS queries. Create a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic. Enable Advanced Threat Prevention with default settings and only focus on high-risk traffic. Create overrides for all company owned FQDNs.

Which GlobalProtect configuration is recommended for granular security enforcement of remote user device posture?. Configuring a rule that blocks the ability of users to disable GlobalProtect while accessing internal applications. Configuring host information profile (HIP) checks for all mobile users. Applying log at session end to all GlobalProtect Security policies. Implementing multi-factor authentication (MFA) for all users attempting to access internal applications.

Which two configurations are required when creating deployment profiles to migrate a perpetual VM-Series firewall to a flexible VM? (Choose two). Allow only the same security services as the perpetual VM. Choose "Fixed vCPU Models" for configuration type. Allocate the same number of vCPUs as the perpetual VM. Deploy virtual Panorama for management.

Which offering can be managed in both Panorama and Strata Cloud Manager (SCM)?. Prisma SD-WAN. VM-Series Next-Generation Firewall (NGFW). Autonomous Digital Experience Manager (ADEM). SaaS Security.

Which set of practices should be implemented with Cloud Access Security Broker (CASB) to ensure robust data encryption and protect sensitive information in SaaS applications?. Use default encryption keys provided by the SaaS provider. Do not enable encryption for data-at-rest to improve performance. Enable encryption for data-at-rest and in transit, regularly update encryption keys, and use strong encryption algorithms. Perform annual encryption key rotations.

Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events?. Dynamic User Groups. Predefined IP addresses. Dynamic Address Groups. Address objects.

How do Cloud NGFW instances get created when using AWS centralized deployments?. A security VPC will be created as transit gateway to push all traffic through the area. They replace the internet gateway service. Cloud NGFW is placed in a vWAN with a virtual hub. Selected VPCs will have Cloud NGFW workloads added to them.

A NGFW administrator is updating PAN-OS on company data center firewalls managed by Panorama. Prior to installing the update, what must the administrator verify to ensure the devices will continue to be supported by Panorama?. Panorama is running the same or newer PAN-OS release as the one being installed. Device telemetry is enabled. All devices are in the same template stack. Panorama is configured as the primary device in the log collecting group for the data center firewalls.

Which functionality does a NGFW use to determine whether new session setups are legitimate or illegitimate?. SYN flood protection. SYN cookies. SYN bit. Random Early Detection (RED).

What should be reviewed when log forwarding from an NGFW to Strata Logging Service becomes disconnected?. Auth codes. Decryption profile. Device certificates. Software warranty.

Which method in the WildFire analysis report detonates unknown submissions to provide visibility into real-world effects and behavior?. Static analysis. Machine learning (ML). Intelligent Run-time Memory Analysis. Dynamic analysis.

Which two types of logs must be forwarded to Strata Logging Service for IoT Security to function? (Choose two). Threat. URL Filtering. WildFire. Enhanced application.

A company currently uses Prisma Access for its mobile users. A new use case is discovered in which mobile users will need to access an internal site, but there is no existing network communication between the mobile users and the internal site. Which Prisma Access functionality needs to be deployed to enable routing between the mobile users and the internal site?. Service connection. Autonomous Digital Experience Manager (ADEM). Security processing node. Interconnect license.

In which two applications can Prisma Access threat logs for mobile user traffic be reviewed? (Choose two). Strata Cloud Manager (SCM). Strata Logging Service. Service connection firewall. Prisma Cloud dashboard.

Which set of attributes is used by IoT Security to identify and classify appliances on a network when determining Device-ID?. Device model, firmware version, and user credential. MAC address, device manufacturer, and operating system. IP address, network traffic patterns, and device type. Hostname, application usage, and encryption method.

A company has an ongoing initiative to monitor and control IT-sanctioned SaaS applications. To be successful, it will require configuration of decryption policies, along with data filtering and URL Filtering Profiles used in Security policies. Based on the need to decrypt SaaS applications, which two steps are appropriate to ensure success? (Choose two). Create new self-signed certificates to use for decryption. Configure SSL Forward Proxy. Configure SSL Inbound Inspection. Validate which certificates will be used to establish trust.

Which network design for internet of things (IoT) Security allows traffic mirroring from the switch to a TAP interface on the firewall to monitor traffic not otherwise seen?. Firewall as DHCP relay. Firewall outside DHCP path. Firewall in DHCP path. DHCP server on firewall.

Which AI-powered solution provides unified management and operations for NGFWs and Prisma Access?. Panorama. Autonomous Digital Experience Manager (ADEM). Strata Cloud Manager (SCM). Prisma Access Browser.

Which zone is available for use in Prisma Access?. Clientless VPN. Interzone. Intrazone. DMZ.

Which Security profile should be queried when investigating logs for upload attempts that were recently blocked due to sensitive information leaks?. Data Filtering. Anti-spyware. URL Filtering. Antivirus.

An administrator wants to implement additional Cloud-Delivered Security Services (CDSS) on a data center NGFW that already has one enabled. What benefit does the NGFW's single-pass parallel processing (SP3) architecture provide?. There will be no additional performance degradation. It allows additional security inspection devices to be added inline. There will be only a minor reduction in performance. It allows for traffic inspection at the application level.

Based on the image below, which source IP address will be seen in the data filtering logs of the Cloud NGFW for AWS with the default rulestack settings?. 20.10.10.15. 20.10.10.16. 10.1.1.3. 10.1.1.2.

A network security engineer has created a Security policy in Prisma Access that includes a negated region in the source address. Which configuration will ensure there is no connectivity loss due to the negated region?. Create a Security policy for the negated region with destination address “any”. Set the service to be application-default. Add all regions that contain private IP addresses to the source address. Add a Dynamic Application Group to the Security policy.

Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two). Incomplete certificate chains. SAML certificate. RADIUS profile. Certificate pinning.

An IT security administrator is maintaining connectivity and security between on-premises infrastructure, private cloud, and public cloud environments in Strata Cloud Manager (SCM). Which set of practices must be implemented to effectively manage certificates and ensure secure communication across these segmented environments?. Use self-signed certificates for all environments. Renew certificates manually once a year. Avoid automating certificate management to maintain control. Implement different certificate authorities (CAs) for each environment. Use default certificate settings. Renew certificates only when they expire to reduce overhead and complexity. Use a centralized certificate management solution. Regularly renew and update certificates. Employ strong encryption protocols. Rely on the cloud provider's default certificates. Avoid renewing certificates to reduce overhead and complexity. Manage certificate deployment manually.

A cloud security architect is designing a certificate management strategy for Strata Cloud Manager (SCM) across hybrid environments. Which practice ensures optimal security with low management overhead?. Implement separate certificate authorities with independent validation rules for each cloud environment. Use cloud provider default certificates with scheduled synchronization and localized renewal processes. Configure manual certificate deployment with quarterly reviews and environment-specific security protocols. Deploy centralized certificate automation with standardized protocols and continuous monitoring.

Which action allows an engineer to collectively update VM-Series firewalls with Strata Cloud Manager (SCM)?. Setting a target OS version. Creating a device grouping rule. Creating an update grouping rule. Scheduling software update.

How does a firewall behave when SSL Inbound Inspection is enabled?. It acts transparently between the client and the internal server. It decrypts traffic between the client and the external server. It acts as meddler-in-the-middle between the client and the internal server. It decrypts inbound and outbound SSH connections.

When a firewall acts as an application-level gateway (ALG), what does it require in order to establish a connection?. Payload. Dynamic IP and Port (DIPP). Pinholes. Session Initiation Protocol (SIP).

How does Strata Logging Service help resolve ever-increasing log retention needs for a company using Prisma Access?. It can scale to meet the capacity needs of new locations as business grows. It increases resilience due to decentralized collection and storage of logs. Automatic selection of physical data storage regions decreases adoption time. Log traffic using the licensed bandwidth purchased for Prisma Access reduces overhead.

A network security engineer needs to implement segmentation but is under strict compliance requirements to place security enforcement as close as possible to the private applications hosted in Azure. Which deployment style is valid and meets the requirements in this scenario?. On a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network. On a VM-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network. On a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network. On a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

Which step is necessary to ensure an organization is using the inline cloud analysis features in its Advanced Threat Prevention subscription?. Update or create a new anti-spyware security profile and enable the appropriate local deep learning models. Configure Advanced Threat Prevention profiles with default settings and only focus on high-risk traffic to avoid affecting network performance. Disable anti-spyware to avoid performance impacts and rely solely on external threat intelligence. Enable SSL decryption in Security policies to inspect and analyze encrypted traffic for threats.

What is the primary role of Advanced DNS Security in protecting against DNS-based threats?. It replaces traditional DNS servers with more reliable and secure ones. It automatically redirects all DNS traffic through encrypted tunnels. It uses machine learning (ML) to detect and block malicious domains in real-time. It centralizes all DNS management and simplifies policy creation.

Which of the following are considered best practices for network hardening on Palo Alto firewalls? (Choose two). Use User-ID and Device-ID-based policies. Disable logging. Enable unused administrative interfaces. Segment networks using zones.

A network engineer pushes specific Panorama reports of new AI URL category types to branch NGFWs. Which two report types achieve this goal? (Choose two). Custom. PDF summary. SNMP. CSV export.

In conjunction with Advanced URL Filtering, which feature can be enabled after username-to-IP mapping is set up?. Host information prole (HIP). Credential phishing prevention. Indexed data matching. Client probing.

What is the most efficient way in Strata Cloud Manager (SCM) to apply a Security policy to all ten firewalls in one data center?. Create a folder that groups the ten firewalls together, then create the Security policy at that configuration scope. Create the Security policy on each firewall individually. Set the configuration scope to "Global" and create the Security policy. Create the Security policy at any configuration scope, then clone it to the ten firewalls.

Which NGFW function can be used to enhance visibility, protect, block, and log the use of Postquantum Cryptography (PQC)?. DNS Security profile. Decryption policy. Security policy. Decryption profile.

Using Prisma Access, which solution provides the most security coverage of network protocols for the mobile workforce?. Clientless VPN. Explicit proxy. Enterprise browser. Client-based VPN.

In which mode should an ION device be configured at a newly acquired site to allow site traffic to be audited without steering traffic?. Analytics. Access. Control. Disabled.

Which two cloud deployment high availability (HA) options would cause a firewall administrator to use Cloud NGFW? (Choose two). Automated autoscaling. Deployed with load balancers. Terraform to automate HA. Dedicated vNIC for HA.

Which two components of a Security policy, when configured, allow third-party contractors access to internal applications outside business hours? (Choose two). Service. App-ID. Schedule. User-ID.

Which two policies in Strata Cloud Manager (SCM) will ensure the personal data of employees remains private while enabling decryption for mobile users in Prisma Access? (Choose two). No Decryption. SSH Decryption. SSL Inbound Inspection. SSL Forward Proxy.

How can a firewall administrator block a list of 300 unique URLs in the most time-efficient manner?. Use application filters to block the App-IDs. Use application groups to block the App-IDs. Block multiple predefined URL categories. Import the list into a custom URL category.

Which two logging types help troubleshoot remote user access issues? (Choose two). HIP Match Logs. GlobalProtect Logs. Zone Protection Logs. Threat Logs.

How does Panorama improve reporting capabilities of an organization's next-generation firewall deployment?. By automating all Security policy creations for multiple firewalls. By aggregating and analyzing logs from multiple firewalls. By replacing the need for individual firewall deployment. By pushing out all firewall policies from a single physical appliance.

A security administrator is adding a new sanctioned cloud application to SaaS Data Security. After authentication, how does the tool gain API access for monitoring?. It generates a certificate and sends it to the cloud application for TLS decryption and inspection. It establishes an encrypted key pair with the cloud application to safely transmit user data. It receives a token from the cloud application for establishing and maintaining a secure connection. It transmits the configured SAML user prole to the cloud application for security event attribution.

What is the main security benefit of adding a CN-Series firewall to an existing VM-Series firewall deployment when the customer is using containers?. It monitors and logs trac outside the container itself. It provides perimeter threat detection and inspection outside the container itself. It prevents lateral threat movement within the container itself. It enables core zone segmentation within the container itself.

In Prisma SD-WAN, what is the recommended initial action when VoIP traffic experiences high latency and packet loss during business hours?. Configure a new VPN gateway connection. Monitor real-time path performance metrics. Disable the most recently created path quality. Add new link tags to existing interfaces.

Which method can be used by an administrator to view and respond to alerts generated by Advanced Threat Prevention?. Threat logs in Strata Cloud Manager. Prisma SD-WAN monitor. Incident response in Cortex XDR. Threat Vault dashboard.

Which two pieces of information are needed prior to deploying server certificates from a trusted third-party certificate authority (CA) to GlobalProtect components? (Choose two). Subject Alternative Name (SAN). Certificate and key files. Passphrase for private key. Encrypted private key and certificate (PKCS12).

In a distributed enterprise implementing Prisma SD-WAN, which configuration element should be implemented first to ensure optimal traffic flow between remote sites and headquarters?. Implement dynamic path selection using real-time performance metrics. Deploy redundant ION devices at each location. Enable split tunneling for all branch locations. Configure static routes between all the branch offices.

Which action optimizes user experience across a segmented network architecture and implements the most effective method to maintain secure connectivity between branch and campus locations?. Implement SD-WAN to route all traffic based on network performance metrics and use zone protection profiles. Configure all branch and campus firewalls to use a single shared broadcast domain. Establish site-to-site tunnels on each branch and campus firewall and have individual VLANs for each department. Configure a single campus firewall to handle the routing of all branch traffic.

In a service provider environment, what key advantage does implementing virtual systems provide for managing multiple customer environments?. Logical separation of control and Security policy. Shared threat prevention policies across all tenants. Centralized authentication for all customer domains. Unified logging across all virtual systems.

Infrastructure performance issues and resource constraints have prompted a firewall administrator to monitor hardware NGFW resource statistics. Which AIOps feature allows the administrator to review these statistics for each firewall in the environment?. Capacity Analyzer. Security Posture Insights. Host Information Profile (HIP). Policy Analyzer.

Which two features can a network administrator use to troubleshoot the issue of a Prisma Access mobile user who is unable to access SaaS applications? (Choose two). SaaS Application Risk Portal. Capacity Analyzer. GlobalProtect logs. Autonomous Digital Experience Manager (ADEM) console.

How many places will a firewall administrator need to create and configure a custom data loss prevention (DLP) profile across Prisma Access and the NGFW?. One. Two. Three. Four.

Which action in the Customer Support Portal is required to generate authorization codes for Software NGFWs?. Create a deployment profile. Use the Enterprise Support Agreement (ESA) authorization code. Download authorization codes from the public cloud marketplace. Register the device with the cloud service provider.

Which two functions are supported by the Cloud Identity Engine in Prisma Access? (Choose two). User group mapping from multiple directories. Decryption of TLS 1.3 traffic. Centralized DNS filtering. Cross-platform user authentication.

What occurs when a security profile group named “default” is created on an NGFW?. It is automatically applied to all new security rules. It only applies to traffic that has been dropped due to the reset client action. It allows traffic to bypass all security checks by default. It negates all existing security profiles rules on new policy.

What is a necessary step for creation of a custom Prisma Access report on Strata Cloud Manager (SCM)?. Set up Cloud Identity Engine. Generate a PDF summary report. Open a support ticket. Configure a dashboard.

Which subscription sends non-file format-based traffic that matches Data Filtering Profile criteria to a cloud service to render a verdict?. Enterprise DLP. Advanced WildFire. Saas Security Inline. Advanced URL FIltering.

At a minimum, which action must be taken to ensure traffic coming from outside an organization to the DMZ can access the DMZ zone for a company using private IP address space?. Configure static NAT for all incoming traffic. Create policies only for pre-NAT addresses and any destination zone. Configure NAT policies on the pre-NAT addresses and post-NAT zone. Create NAT policies on post-NAT addresses for all traffic destined for DMZ.

Which two profile types are available in NGFW security policies? (Choose two). File Blocking. DNS Forwarder. SSL VPN. Anti-Spyware.

After a firewall is associated with Strata Cloud Manager (SCM), which two additional actions are required to enable management of the firewall from SCM? (Choose two). Configure NTP and DNS servers for the firewall. Configure a Security policy allowing stratacloudmanager.paloaltonetworks.com" for all users. Install a device certificate. Deploy a service connection for each branch site and connect with SC.

What must be configured to successfully onboard a Prisma Access remote network using Strata Cloud Manager (SCM)?. Autonomous Digital Experience Manager (ADEM). Cloud Identity Engine. GlobalProtect agent. IPSec termination node.

Which statement best demonstrates a fundamental difference between Content-ID and traditional network security methods?. Traditional methods provide comprehensive application layer inspection. Content-ID focuses on blocking malicious IP addresses and ports. Content-ID inspects traffic at the application layer to provide real-time threat protection. Traditional methods block specfic applications using signatures.

What additional feature is included in Premium GlobalProtect subscriptions?. URL Filtering. Always-On VPN with HIP checks. Secure Decryption Proxy. Threat Prevention.

Which step is required before onboarding remote networks in Prisma Access using Strata Cloud Manager?. Set up WildFire profiles for each site. Allocate bandwidth per location. Associate a mobile user location. Configure a GlobalProtect portal.

Which two tools can be used to configure Cloud NGFWs for AWS? (Choose two). Panorama. Cortex XSIAM. Prisma Cloud management console. Cloud service provider's management console.

Which role does Panorama play in centralized firewall management?. Automates software upgrades across multiple vendors. Manages policy configurations and template stacks. Serves as a content delivery node. Acts as a local firewall log collector.

Which two types of tunnels are supported for Prisma Access remote network connections? (Choose two). SSL VPN. VXLAN. IPsec. GRE.

When a user works primarily from a remote location but reports to the corporate office several times a month, what does GlobalProtect use to determine if the user should connect to an internal gateway?. External host detection. ICMP ping to Panorama management interface. User login credentials. Reverse DNS lookup of preconfigured host IP.

A company uses Prisma Access to provide secure connectivity for mobile users to access its corporate-sanctioned Google Workspace and wants to block access to all unsanctioned Google Workspace environments. What would an administrator configure in the snippet to achieve this goal?. Dynamic User Groups. URL category. Tenant restriction. Dynamic Address Groups.

Which Prisma Access component is responsible for secure connectivity between mobile users and the cloud infrastructure?. GlobalProtect gateway. Service connection. Remote network. Mobile user gateway.

Which action is only taken during slow path in the NGFW policy?. SSL/TLS decryption. Security policy lookup. Layer 2-Layer 4 firewall processing. Session lookup.

Which products can be managed by both SCM and Panorama? (Choose two). VM-Series. Cortex Data Lake. Prisma SD-WAN ION. CN-Series.

How are content updates downloaded and installed for Cloud NGFWs?. From the Customer Support Portal. Automatically. Through Panorama. Through the management console.

In SSL Forward Proxy, what role does the firewall play in handling encrypted traffic?. It forces the client to bypass decryption. It uses SSH tunneling to analyze SSL. It allows encrypted traffic to pass without inspection. It acts as a Certificate Authority and decrypts client-side SSL traffic.

Which feature of SaaS Security will allow a firewall administrator to identify unknown SaaS applications in an environment?. App-ID Cloud Engine. Cloud Identity Engine. SaaS Data Security. App-ID.

Which tool will help refine a security rule by specifying the applications it has viewed in past weeks?. Custom Reporting. Security Lifecycle Review (SLR). Policy Optimizer. Autonomous Digital Experience Management (ADEM).

What are two recommendations to ensure secure and efficient connectivity across multiple locations in a distributed enterprise network? (Choose two). Employ centralized management and consistent policy enforcement across all locations. Use Prisma Access to provide secure remote access for branch users. Implement a flat network design for simplified network management and reduced overhead. Create broad VPN policies for contractors working at branch locations.

Which feature is available in both Panorama and Strata Cloud Manager (SCM)?. Template stacks. O Configuration snippets. Plug-ins. Policy Optimizer.

A firewall administrator wants to segment the network traffic and prevent noncritical assets from being able to access critical assets on the network. Which action should the administrator take to ensure the critical assets are in a separate zone from the noncritical assets?. Create an allow Security policy with "any" set for both the source and destination zones. Assign a single interface to multiple security zones. Logically separate physical and virtual interfaces to control the traffic that passes across the interface. Create a deny Security policy with "any" set for both the source and destination zones.

What ensures that CDSS have the latest threat intelligence?. Automatic dynamic updates from Palo Alto Networks. Local policy refresh. SD-WAN optimization. Manual log parsing.

Which two features are available in Strata Cloud Manager (SCM)? (Choose two). AIOps-driven security best practice recommendations. Centralized decryption key generation. GlobalProtect Portal Hosting. Real-time logging and visualization.

Which two Cloud-Delivered Security Services (CDSS) are focused on endpoint and network threat detection? (Choose two). Data Loss Prevention (DLP). WildFire. Cortex XDR. URL Filtering.

What does a Security Profile typically include in Palo Alto NGFW?. User authentication methods. Antivirus and vulnerability protection. VPN configuration. Routing protocols.

What is a key benefit of using security profiles in a Palo Alto firewall policy rule?. It disables session-based policies. It speeds up routing decisions. It prevents the application of QoS tags. It enables threat detection and prevention for allowed traffic.

What key capability distinguishes Content-ID technology from conventional network security approaches?. It performs packet header analysis short of deep packet inspection. It exclusively monitors network traffic volumes. It relies primarily on reputation-based filtering. It provides single-pass application layer inspection for real-time threat prevention.

Which type of traffic can a firewall use for proper classification and visibility of internet of things (IoT) devices?. RTP. RADIUS. SSH. DHCP.

Which two security profiles must be updated to prevent data exfiltration in outbound traffic on NGFWs? (Choose two). Data Filtering. File Blocking. Antivirus. DoS Protection.

What is a benefit of virtual systems for multitenancy?. Logical separation of management and inspection. Parallel inspection of all tenants. Unified management. Traffic separation between network segments.

Which action must a firewall administrator take to incorporate custom vulnerability signatures into current security policies?. Create custom objects. Download threat updates. Create custom policies. Download WildFire updates.

Why would an enterprise architect use a Zero Trust Network Access (ZTNA) connector instead of a service connection for private application access?. It functions as the attachment point for IPSec-based connections to remote site or branch networks. It controls trac from the mobile endpoint to any of the organization's internal resources. It automatically discovers private applications and suggests Security Policy rules for them. It supports trac sourced from on-premises or public cloud-based resources to mobile users and remote networks.

An administrator has imported a pair of firewalls to Panorama under the same template stack. As a part of the template stack, the administrator wants to create a high availability (HA) template to be shared by the firewalls. Which dynamic component should the administrator use when setting the Peer HA1 IP address?. Template variable. Dynamic Address Group. Address object. Template stack.

How are policies evaluated in the AWS management console when creating a Security policy for a Cloud NGFW?. They must be created in the order they are intended to be evaluated. The administrator sets a rule order to determine the order in which they are evaluated. The administrator sets a rule priority to determine the order in which they are evaluated. They can be dragged up or down the stack as they are evaluated.

When configuring Security policies on VM-Series firewalls, which set of actions will ensure the most comprehensive Security policy enforcement?. Configure policies using User-ID and App-ID, enable decryption, apply appropriate security profiles to rules, and update regularly with dynamic updates. Configure all default policies provided by the firewall, use Policy Optimizer, and adjust security rules after an incident occurs. Configure port-based policies, check threat logs weekly, conduct software updates annually, and enable decryption. Configure a block policy for all malicious inbound traffic, configure an allow policy for all outbound traffic, and update regularly with dynamic updates.

Using Prisma Access, which solution provides the most security coverage of network protocols for the mobile workforce?. Enterprise browser. Explicit proxy. Clientless VPN. Client-based VPN.

What feature ensures smooth upgrades in Prisma Access without interrupting service?. Disabling all policies before upgrade. Zero-downtime upgrade architecture. Backup-based deployment. Multi-phase firmware staging.

What does a Dynamic Address Group (DAG) provide in policy enforcement?. Fixed source IP mapping. Real-time user identification. Tag-based membership for automatic policy updates. Static groupings for NAT rules.

Which method allows an NGFW to inspect and enforce policies on non-standard applications and ports?. App-ID. User-ID. Zone-based Firewalling. URL Filtering.

What is a common reason why decryption fails for certain HTTPS sites during SSL Forward Proxy?. Traffic is on UDP. Certificate pinning is in use. The website uses HTTP. Too many active users.

In which situation would you configure SSL Forward Proxy instead of SSL Inbound Inspection?. To inspect encrypted traffic between internal clients and external servers. To decrypt incoming traffic to an internal web server. To forward logs to external SIEM. To analyze email attachments using WildFire.

Which component must be updated first to ensure successful PAN-OS upgrades in a Panorama-managed environment?. Content updates. WildFire signatures. Device Support file. Panorama software version.

Which two practices are recommended for SSL Forward Proxy decryption? (Choose two). Use certificates signed by a trusted CA. Decrypt all traffic without exception. Exclude sensitive traffic from decryption. Use self-signed certificates.

Which two security services are required for configuration of NGFW Security policies to protect against malicious and misconfigured domains? (Choose two). Advanced Threat Prevention. Advanced WildFire. Advanced DNS Security. SaaS Security.

How do zones enhance security in a Palo Alto NGFW deployment?. By enforcing logging for all interfaces. By creating dynamic routing paths. By segmenting traffic and enabling granular policy enforcement. By limiting the need for SSL decryption.

Which two content updates can be pushed to next-generation firewalls from Panorama? (Choose two). GlobalProtect data files. Applications and threats. WildFire. Advanced URL Filtering.

Which component of NGFW is supported in active/active: design but not in active/passive design?. Using a DHCP client. Single floating IP address. Route-based redundancy. Configuring ARP load-sharing on Layer 3.

After a Best Practice Assessment (BPA) is complete, it is determined that dynamic updates for Cloud-Delivered Security Services (CDSS) used by company branch offices do not match recommendations. The snippet used for dynamic updates is currently set to download and install updates weekly. Knowing these devices have the Precision AI bundle, which two statements describe how the settings need to be adjusted in the snippet? (Choose two). Applications and threats should be updated daily. WildFire should be updated every five minutes. URL filtering should be updated hourly. Antivirus should be updated daily.

Which security profile provides real-time protection against threat actors who exploit the misconfigurations of DNS infrastructure and redirect traffic to malicious domains?. Anti-spyware. Antivirus. Vulnerability Protection. URL Filtering.

A network security engineer wants to forward Strata Logging Service data to tools used by the Security Operations Center (SOC) for further investigation. In which best practice step of Palo Alto Networks Zero Trust does this fit?. Implementation. Report and Maintenance. Map and Verify Transactions. Standards and Designs.

A network administrator is using DNAT to map two servers to one public IP address. Traffic will be directed to a specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two sets of Security policy rules will accomplish this configuration? (Choose two). Source: Untrust (Any) Destination: Untrust - Application(s): web-browsing - Action: allow. Source: Untrust (Any) Destination: DMZ - Application(s): ssh - Action: allow. Source: Untrust (Any) Destination: Trust - Application(s): web-browsing, ssh Action: allow. Source: Untrust (Any) Destination: DMZ - Application(s): web-browsing - Action: allow.

A primary firewall in a high availability (HA) pair is experiencing a current failover issue with ICMP pings to a secondary device. Which metric should be reviewed for proper ICMP pings between the firewall pair?. Link monitoring. Heartbeat polling. Non-functional state. Bidirectional Forwarding Detection (BFD).

What are two ways to create an App-ID for unknown applications? (Choose two). Create a security profile that maps the signature to the unknown application. Provide a packet capture to Palo Alto Networks and request an App-ID. Use WildFire API to map signatures to the unknown application. Create a custom application by using signatures.