Palo Alto Networks NetSec-Pro

Which functionality does an NGFW use to determine whether new session setups are legitimate or illegitimate?. SYN flood protection. Random Early Detection (RED). SYN bit. SYN cookies.

A network administrator obtains Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service?. Configure DNS Security signature policy settings to sinkhole malicious DNS queries. Create a decryption policy rule to decrypt DNS-over-TLS/port 853 traffic. Enable Advanced Threat Prevention with default settings and only focus on high-risk traffic. Create overrides for all company owned FQDNS.

Which two types of logs must be forwarded to Strata Logging Service for IoT Security to function? (Choose two). WildFire. Enhanced application. Threat. Traffic.

A primary firewall in a high availability (HA) pair is experiencing a current failover issue with ICMP pings to a secondary device. Which metric should be reviewed for proper ICMP pings between the firewall pair?. Non-functional state. Heartbeat polling. Link monitoring. Bidirectional Forwarding Detection (BFD).

In a service provider environment, what key advantage does implementing virtual systems provide for managing multiple customer environments?. Unified logging across all virtual systems. Shared threat prevention policies across all tenants. Centralized authentication for all customer domains. Logical separation of control and Security policy.

Which security profile provides real-time protection against threat actors who exploit the misconfigurations of DNS infrastructure and redirect traffic to malicious domains?. Anti-spyware. Vulnerability Protection. URL Filtering. Antivirus.

During a security incident investigation, which Security profile will have logs of attempted confidential data exfiltration?. Enterprise DLP Profile. Vulnerability Protection Profile. WildFire Analysis Profile. File Blocking Profile.

What is the recommended upgrade path from PAN-OS 9.1 to PAN-OS 11.2?. 9.1 -> 11.2. 9.1 -> 11.0 -> 11.2. 9.1 -> 10.0 -> 11.0 -> 11.2. 9.1 -> 10.0 -> 11.0 -> 11.1 -> 11.2.

In a distributed enterprise implementing Prisma SD-WAN, which configuration element should be implemented first to ensure optimal traffic flow between remote sites and headquarters?. Configure static routes between all the branch offices. Enable split tunneling for all branch locations. Implement dynamic path selection using real-time performance metrics. Deploy redundant ION devices at each location.

What key capability distinguishes Content-ID technology from conventional network security approaches?. It relies primarily on reputation-based filtering. It exclusively monitors network traffic volumes. It provides single-pass application layer inspection for real-time threat prevention. It performs packet header analysis short of deep packet inspection.

Which GlobalProtect configuration is recommended for granular security enforcement of remote user device posture?. Configuring a rule that blocks the ability of users to disable GlobalProtect while accessing internal applications. Implementing multi-factor authentication (MFA) for all users attempting to access internal applications. Applying log at session end to all GlobalProtect Security policies. Configuring host information profile (HIP) checks for all mobile users.

What is a necessary step for creation of a custom Prisma Access report on Strata Cloud Manager (SCM)?. Configure a dashboard. Open a support ticket. Setup Cloud Identity Engine. Generate a PDF summary.

What occurs when a security profile group named "default" is created on an NGFW?. It is automatically applied to all new security rules. It only applies to traffic that has been dropped due to the reset client action. It allows traffic to bypass all security checks by default. It negates all existing security profiles rules on new policy.

Which two components of a Security policy, when configured, allow third-party contractors access to internal applications outside business hours? (Choose two). Service. User-ID. Schedule. App-ID.

After a firewall is associated with Strata Cloud Manager (SCM), which two additional actions are required to enable management of the firewall from SCM? (Choose two). Install a device certificate. Deploy a service connection for each branch site and connect with SCM. Configure NTP and DNS servers for the firewall. Configure a Security policy allowing "stratacloudmanager.paloaltonetworks.com" for all users.

A company has an ongoing initiative to monitor and control IT-sanctioned SaaS applications. To be successful, it will require configuration of decryption policies, along with data filtering and URL Filtering Profiles used in Security policies. Based on the need to decrypt SaaS applications, which two steps are appropriate to ensure success? (Choose two). Validate which certificates will be used to establish trust. Configure SSL Inbound Inspection. Create new self-signed certificates to use for decryption. Configure SSL Forward Proxy.

How does Advanced WildFire integrate into third-party applications?. Through customized reporting configured in NGFWs. Through Strata Logging Service. Through the WildFire API. Through playbooks automatically sending WildFire data.

How does Strata Logging Service help resolve ever-increasing log retention needs for a company using Prisma Access?. Increases resilience due to decentralized collection and storage of logs. It can scale to meet the capacity needs of new locations as business grows. Log traffic using the licensed bandwidth purchased for Prisma Access reduces overhead. Automatic selection of physical data storage regions decreases adoption time.

When configuring Security policies on VM-Series firewalls, which set of actions will ensure the most comprehensive Security policy enforcement?. Configure default policies provided by the firewall, use Policy Optimizer, and adjust security rules after an incident occurs. Configure a block policy for all malicious, inbound traffic, configure an allow policy for all outbound traffic, and update regularly with dynamic updates. Configure port-based policies, check threat logs weekly, conduct software updates annually, and enable decryption. Configure policies using User-ID and App-ID, enable decryption, apply appropriate security profiles to rules, and update regularly with dynamic updates.

Which action optimizes user experience across a segmented network architecture and implements the most effective method to maintain secure connectivity between branch and campus locations?. Establish site-to-site tunnels on each branch and campus firewall and have individual VLANs for each department. Configure a single campus firewall to handle the routing of all branch traffic. Implement SD-WAN to route all traffic based on network performance metrics and use zone protection profiles. Configure all branch and campus firewalls to use a single shared broadcast domain.

Which two features can a network administrator use to troubleshoot the issue of a Prisma Access mobile user who is unable to access SaaS applications? (Choose two.). Capacity Analyzer. SaaS Application Risk Portal. Autonomous Digital Experience Manager (ADEM) console. GlobalProtect logs.

Which method in the WildFire analysis report detonates unknown submissions to provide visibility into real-world effects and behavior?. Static analysis. Machine learning (ML). Intelligent Run-time Memory Analysis. Dynamic analysis.

Which set of practices should be implemented with Cloud Access Security Broker (CASB) to ensure robust data encryption and protect sensitive information in SaaS applications?. Do not enable encryption for data-at-rest to improve performance Use strong encryption algorithms Avoid frequent encryption key updates to minimize disruptions. Enable encryption for data-at-rest and in-transit Regularly update encryption keys Use strong encryption algorithms. Encrypt only the most critical data to ensure compliance with regulations Use simple encryption methods Ensure the SaaS provider's default security settings are being used. Do not enable encryption for data-at-rest to improve performance Use default encryption keys provided by the SaaS provider Perform annual encryption key rotations.

Which two SSH Proxy decryption profile settings should be configured to enhance the company's security posture? (Choose two). Block connections that use non-compliant SSH versions. Allow sessions with legacy SSH protocol versions. Block sessions when certificate validation fails. Allow sessions when decryption resources are unavailable.

An NGFW administrator is updating PAN-OS on company data center firewalls managed by Panorama. Prior to installing the update, what must the administrator verify to ensure the devices will continue to be supported by Panorama?. All devices are in the same template stack. Device telemetry is enabled. Panorama is configured as the primary device in the log collecting group for the data center. Panorama is running the same or newer PAN-OS release as the one being installed firewall.

Which offering can be managed in both Panorama and Strata Cloud Manager (SCM)?. VM-Series Next-Generation Firewall (NGFW). Autonomous Digital Experience Manager (ADEM). Prisma SD-WAN. SaaS Security.

Which two security services are required for configuration of NGFW Security policies to protect against malicious and misconfigured domains? (Choose two). Advanced WildFire. Advanced DNS Security. Advanced Threat Prevention. SaaS Security.

Which action allows an engineer to collectively update VM-Series firewalls with Strata Cloud Manager (SCM)?. Creating an update grouping rule. Scheduling software update. Setting a target OS version. Creating a device grouping rule.

How can a firewall administrator block a list of 300 unique URLs in the most time-efficient manner?. Use application filters to block the App-IDs. Import the list into a custom URL category. Block multiple predefined URL categories. Use application groups to block the App-IDs.

Which two configurations are required when creating deployment profiles to migrate a perpetual VM-Series firewall to a flexible VM? (Choose two). Allocate the same number of vCPUs as the perpetual VM. Allow only the same security services as the perpetual VM. Deploy virtual Panorama for management. Choose "Fixed vCPU Models" for configuration type.

How many places will a firewall administrator need to create and configure a custom data loss prevention (DLP) profile across Prisma Access and the NGFW?. Four. Three. One. Two.

An administrator wants to implement additional Cloud-Delivered Security Services (CDSS) on a data center NGFW that already has one enabled. What benefit does the NGFW's single-pass parallel processing (SP3) architecture provide?. It allows for traffic inspection at the application level. It allows additional security inspection devices to be added inline. There will be only a minor reduction in performance. There will be no additional performance degradation.

Which procedure is most effective for maintaining continuity and security during a Prisma Access data plane software upgrade?. Back up configurations, schedule upgrades during off-peak hours, and use a phased approach rather than attempting a network-wide rollout. Perform the upgrade during peak business hours, quickly address any user-reported issues, and ensure immediate troubleshooting post-rollout. Disable all security features during the upgrade to prevent conflicts and re-enable them after completion to ensure a smooth rollout process. Use Strata Cloud Manager (SCM) to perform dynamic upgrades automatically and simultaneously across all locations at once to ensure network wide uniformity.

Which action is only taken during slow path in the NGFW policy?. Layer 2-Layer 4 firewall processing. Security policy lookup. Session lookup. SSL/TLS decryption.

How does a firewall behave when SSL Inbound Inspection is enabled?. It decrypts inbound and outbound SSL connections. It decrypts traffic between the client and the external server. It acts transparently between the client and the internal server. It acts as middle-man-in-the-middle between the client and the internal server.

Which AI-powered solution provides unified management and operations for NGFWs and Prisma Access?. Prisma Access Browser. Autonomous Digital Experience Manager (ADEM). Panorama. Strata Cloud Manager (SCM).

A netwrok engineer pushes specific Panorama report of new AI URL category types to branch NGFWs. Which two report types achieve this goal? (Choose two). AI. PDF Summary. Custom. SNMP.

How are policies evaluated in the AWS management console when creating a Security policy for a Cloud NGFW?. They must be created in the order they are intended to be evaluated. The administrator sets a rule order to determine the order in which they are evaluated. They can be dragged up or down the stack as they are evaluated. The administrator sets a rule priority to determine the order in which they are evaluated.

Which component of NGFW is supported in active/passive design but not in active/active design?. Configuring ARP load-sharing on Layer 3. Route-based redundancy. Using a DHCP client. Single floating IP address.

When a firewall acts as an application-level gateway (ALG), what does it require in order to establish a connection?. Dynamic IP and Port (DIPP). Session Initiation Protocol (SIP). Pinholes. Payload.

What must be configured to successfully onboard a Prisma Access remote network using Strata Cloud Manager (SCM)?. IPSec termination nodes. Autonomous Digital Experience Manager (ADEM). Cloud Identity Engine. GlobalProtect agent.

A network security engineer wants to forward Strata Logging Service data to tools used by the Security Operations Center (SOC) for further investigation. In which best practice step of Palo Alto Networks Zero Trust does this fit?. Report and Maintenance. Implementation. Standards and best practices. Map and Verify Transactions.

Which two tools can be used to configure Cloud NGFWs for AWS? (Choose two.). Prisma Cloud management console. Cloud service provider's management console. Cortex XSIAM. Panorama.

What are two recommendations to ensure secure and efficient connectivity across multiple locations in a distributed enterprise network? (Choose two). Create broad VPN policies for contractors working at branch locations. Imprement a flat network design for simplified network management and reduced overheard. Use Prisma Access to provide secure remote access for branch users. Employ centralized management and consistent policy enforcement across all locations.

Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two). Certificate pinning. SAML certificate. Incomplete certificate chains. RADIUS profile.

Using Prisma Access, which solution provides the most security coverage of network protocols for the mobile workforce?. Explicit proxy. Clientless VPN. Enterprise browser. Client-based VPN.

Which NGFW function can be used to enhance visibility, protect, block, and log the use of Post-Quantum Cryptography (PQC)?. Security policy. Decryption policy. Decryption profile. DNS Security profile.

In which two applications can Prisma Access threat logs for mobile user traffic be reviewed? (Choose two.). Strata Cloud Manager (SCM). Service connection firewall. Strata Logging Service. Prisma Cloud dashboard.

Which zone is available for use in Prisma Access?. Intrazone. Clientless VPN. Interzone. DMZ.

In a Prisma SD-WAN environment experiencing voice quality degradation, which initial action is recommended?. Immediately modify path quality thresholds. Review real-time analytics of path performance. Request an RMA of the ION devices. Switch all Voice traffic to backup paths.

Which feature of SaaS Security will allow a firewall administrator to identify unknown SaaS applications in an environment?. App-ID. Cloud Identity Engine. SaaS Data Security. App-ID Cloud Engine.

Which set of attributes is used by IoT Secuirty to identify and classify appliances on a network when determining Device ID?. MAC Address, device manufacturer, and operating system. IP address, network traffic patterms, and device type. Device model, firmware version, and user credential. Hostname, application usage, and encryption method.

Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events?. Address objects. Dynamic Address Groups. Dynamic User Groups. Predefined IP addresses.

Which set of attributes is used by IoT Security to identify and classify appliances on a network when determining Device-ID?. They replace the internet gateway service. Cloud NGFW is placed in a vWAN with a virtual hub. A security VPC will be created as transit gateways to push all traffic through the area. Selected VPCs will have Cloud NGFW workloads added to them.

Which two content updates can be pushed to next-generation firewalls from Panorama? (Choose two.). Applications and threats. WildFire. GlobalProtect data file. Advanced URL Filtering.

Which subscription sends non-file format-based traffic that matches Data Filtering Profile criteria to a cloud service to render a verdict?. SaaS Security Inline. Advanced URL Filtering. Enterprise DLP. Advanced WildFire.

A cloud security architect is designing a certificate management strategy for Strata Cloud Manager (SCM) across hybrid environments. Which practice ensures optimal security with low management overhead?. Implement separate certificate authorities with independent validation rules for each cloud environment. Deploy centralized certificate automation with standardized protocols and continuous monitoring. Configure manual certificate deployment with quarterly reviews and environment specific security protocols. Use cloud provider default certificates with scheduled synchronization and localized renewal processes.

Which step is necessary to ensure an organization is using the inline cloud analysis features in its Advanced Threat Prevention subscription?. Update or create a new anti-spyware security profile and enable the appropriate local deep learning models. Configure Advanced Threat Prevention profiles with default settings and only focus on high-risk traffic to avoid affecting network performance. Disable anti-spyware to avoid performance impacts and rely solely on external threat intelligence. Enable SSL decryption in Security policies to inspect and analyze encrypted traffic for threats.

A network security engineer has created a Security policy in Prisma Access that includes a negated region in the source address. Which configuration will ensure there is no connectivity loss due to the negated region?. Add all regions that contain private IP addresses to the source address. Set the service to be application-default. Add a Dynamic Application Group to the Security policy. Create a Security policy for the negated region with destination address "any".

A network security engineer needs to implement segmentation but is under strict compliance requirements to place security enforcement as close as possible to the private applications hosted in Azure. Which deployment choice is valid and meets the requirements in this scenario?. On a VM-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network. On a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network. On a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network. On a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

Which profile can help prevent the transmission of sensitive information to internet applications?. URL Filtering. Anti-spyware. Antivirus. Data Filtering.

Within which security profile is the DNS sinkholing action enabled?. Antivirus. DoS Protection. File Blocking. Anti-spyware.

When a rule has been set up to block uploading all Portable Executable (PE) files, which type of log will display blocked files that attempt to traverse the network?. Threat. URL Filtering. Data filtering. Traffic.

How do template stacks help manage firewall configurations in Panorama?. By creating template variables for permanent configurations in firewalls. By grouping templates across multiple firewalls. By creating a diagram of the network for a view of all firewalls. By handling firmware updates across multiple firewalls.

An administrator is responsible for updating which component of Prisma Access?. VPN client. Management plane. Data plane. Content updates.

A Prisma Access administrator wants to attach the same set of Security policies to each new rule created. How can the administrator automate the profiles to be attached to new rules?. Create a security profile group and name it "default". Use Policy Analyzer after creating the new rules. Create profiles for each CDSS and name them "default". Use AIOps to automate the security profile group attachment.

Which two modes should be enabled on the GlobalProtect agent to allow a subset of users to connect directly to SaaS and internal applications while allowing the remaining users to connect through third-party VPN? (Choose two). Tunnel. Clientless. Proxy. Remote desktop protocol (RDP).

When adding a Zero Touch Provisioning (ZTP) firewall to Panorama, when can the firewall be powered on?. After activating registration and completing license deployment profile. During license activation. After all required installation and setup procedures are completed. During installation.

Which NGFW tool should be reviewed when a management team wants feedback on how to reduce the attack surface of their network security deployment and how it maps to the Center for Internet Security (CIS) critical Security Controls?. Command Center. Best Practice Assessment (BPA). Policy Optimizer. Executive summary report.

How do Cloud NGFW instances get created when using AWS centralized deployments?. They replace the internet gateway service. A security VPC will be created as transit gateways to push all traffic through the area. Selected VPCs will have Cloud NGFW workloads added to them. They are placed in a vWAN with a virtual hub.

Which two frameworks are compared in the Compliance Summary dashboard of Strata Cloud Manager (SCM)? (Choose two.). NIST. GDPR. CIS. PCI-DSS (v4.0).

Which Security policy on a data center NGFW will block intrazone traffic in Zone Colorado for the Dynamic User Group "Testers" and custom application "Payment System"?. Source Zone = Colorado Destination Zone = Any Users = Testers Application = Payment System Action = Deny. Source Zone = Colorado Destination Zone = Colorado Users = Testers Application = Any Action = Deny. Source & Destination Zone = Colorado Users = Testers Application = Any Action = Deny. Source & Destination Zone = Colorado Users = Testers Application = Payment System Action = Deny.

How does PAN-OS identify App-IDs to perform application-layer inspection?. From multiple classification mechanisms—application signatures, application protocol decoding, and heuristics. From periodic updates that categorize web traffic based on domain names, focusing on web browsing activities. From predefined static rules based on IP addresses and ports configured by the administrator. From inspection of SSL certificates, cloud-based metadata, and manual application classification by the administrator.

Which two features are supported when using traffic steering rules for remote network deployment on Prisma Access? (Choose two). Dynamic Address Group. Remote desktop protocol (RDP). External dynamic list. Bidirectional Forwarding Detection (BFD).

Where does an administrator update the collection of infected hosts in Strata Cloud Manager (SCM) when isolating an identified endpoint from a network?. Host information profile (HIP). Quarantine devices. Quarantined device list. Actions.

In which order is Prisma SD-WAN dynamic path selection performed?. 1. Determine link quality 2. Measure link capacity 3. Measure application performance 4. Determine potential paths based on policy. 1. Determine potential paths based on policy 2. Determine link quality 3. Measure application performance 4. Measure link capacity. 1. Determine potential paths based on policy 2. Measure application performance 3. Determine link quality 4. Measure link capacity. 1. Measure link capacity 2. Measure application performance 3. Determine link quality 4. Determine potential paths based on policy.

Which file type does Advanced WildFire support for inline analysis to detect advanced malware?. PDF. JAR. PE. APK.

By default, how often are signatures updated for firewalls with Advanced WildFire?. In real-time. Within 5-10 minutes. Within 24-48 hours. Once a week.

Which two tools can be used to configure Cloud NGFWs for AWS? (Choose two.). Panorama. Cortex XSIAM. Prisma Cloud management console. Cloud service provider (CSP) management console.

In which security profile is credential phishing prevention implemented?. Antivirus. Vulnerability Protection. Anti-spyware. URL Filtering.

What are two indications that a packet has been processed into a fast path session? (Choose two). Previous packets of the same session have been identified. Content and application inspection is recognized. Security policy lookup is initiated. Initial forwarding lookup is using a FIB.

A firewall administrator wants to enable host information profiles (HIPs) to collect information from corporate hosts by using GlobalProtect. Which two details will the administrator be able to collect from the host? (Choose two). Host memory consumption. Antivirus definitions. Disk encryption. WAN statistics.

In which order does an NGFW process URL categories for Security policy?. 1. Custom URL categories 2. Predefined categories 3. External dynamic lists. 1. External dynamic lists 2. Custom URL categories 3. Predefined categories. 1. Custom URL categories 2. External dynamic lists 3. Predefined categories. 1. Predefined categories 2. External dynamic lists 3. Custom URL categories.

Why would a packet be processed through the slow path on an NGFW?. It does not require application identification or user identification. It only needs basic NAT and Security policy enforcement. It is part of a new or unestablished session. It is part of an already established session.

When physical ION devices are allocated, in which two states are they displayed on the Prisma SD-WAN web interface under Devices? (Choose two.). Standby. Needs attention. Offline. Unclaimed.