Which two subscriptions should be recommended to a customer who is deploying VM-Series firewall s to a private data center but is concerned about protecting data-center resources from malware and lateral movement? (Choose two.)
- A . Intelligent Traffic Offload
- B . Threat Prevention
- C . WildFire
- D . SD-WAN
Which two mechanisms could trigger a high availability (HA) failover event? (Choose two.)
- A . Heartbeat polling
- B . Ping monitoring
- C . Session polling
- D . Link monitoring
Which technology allows for granular control of east-west traffic in a software-defined network?
- A . Routing
- B . Microsegmentation
- C . MAC Access Control List
- D . Virtualization
Which solution is best for securing an EKS environment?
- A . VM-Series single host
- B . CN-Series high availability (HA) pair
- C . PA-Series using load sharing
- D . API orchestration
A CN-Series firewall can secure traffic between which elements?
- A . Host containers
- B . Source applications
- C . Containers
- D . Pods
Which feature provides real-time analysis using machine learning (ML) to defend against new and unknown threats?
- A . Advanced URL Filtering (AURLF)
- B . Cortex Data Lake
- C . DNS Security
- D . Panorama VM-Series plugin
Which of the following can provide application-level security for a web-server instance on Amazon Web Services (AWS)?
- A . VM-Series firewall s
- B . Hardware firewall s
- C . Terraform templates
- D . Security groups
Which two statements apply to the VM-Series plugin? (Choose two.)
- A . It can manage capabilities common to both VM-Series firewall s and hardware firewall s.
- B . It can be upgraded independently of PAN-OS.
- C . It enables management of cloud-specific interactions between VM-Series firewall s and supported public cloud platforms.
- D . It can manage Panorama plugins.
What can software next-generation firewall (NGFW) credits be used to provision?
- A . Remote browser isolation
- B . Virtual Panorama appliances
- C . Migrating NGFWs from hardware to VMs
- D . Enablement of DNS security
How is traffic directed to a Palo Alto Networks firewall integrated with Cisco ACI?
- A . By using contracts between endpoint groups that send traffic to the firewall using a shared policy
- B . Through a virtual machine (VM) monitor domain
- C . Through a policy-based redirect (PBR)
- D . By creating an access policy
Which protocol is used for communicating between VM-Series firewall s and a gateway load balancer in Amazon Web Services (AWS)?
- A . VRLAN
- B . Geneve
- C . GRE
- D . VMLAN
Which two elements of the Palo Alto Networks platform architecture enable security orchestration in a software-defined network (SDN)? (Choose two.)
- A . Full set of APIs enabling programmatic control of policy and configuration
- B . VXLAN support for network-layer abstraction
- C . Dynamic Address Groups to adapt Security policies dynamically
- D . NVGRE support for advanced VLAN integration
Which component scans for threats in allowed traffic?
- A . Intelligent Traffic Offload
- B . TLS decryption
- C . Security profiles
- D . NAT
Which two deployment modes of VM-Series firewall s are supported across NSX-T? (Choose two.)
- A . Prism Central
- B . Bootstrap
- C . Service Cluster
- D . Host-based
A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.
How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?
- A . Edit the IP address of all of the affected VMs.
- B . Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.
- C . Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).
- D . Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.
How must a Palo Alto Networks Next-Generation Firewall (NGFW) be configured in order to secure traffic in a Cisco ACI environment?
- A . It must be deployed as a member of a device cluster.
- B . It must use a Layer 3 underlay network.
- C . It must receive all forwarding lookups from the network controller.
- D . It must be identified as a default gateway.
Which component allows the flexibility to add network resources but does not require making changes to existing policies and rules?
- A . Content-ID
- B . External dynamic list (EDL)
- C . App-ID
- D . Dynamic address group
Which PAN-OS feature allows for automated updates to address objects when VM-Series firewall s are setup as part of an NSX deployment?
- A . Boundary automation
- B . Hypervisor integration
- C . Bootstrapping
- D . Dynamic Address Group
Which two factors lead to improved return on investment for prospects interested in Palo Alto Networks virtualized next-generation firewall s (NGFWs)? (Choose two.)
- A . Decreased likelihood of data breach
- B . Reduced operational expenditures
- C . Reduced time to deploy
- D . Reduced insurance premiums
Auto scaling templates for which type of firewall enable deployment of a single auto scaling group (ASG) of VM-Series firewall s to secure inbound traffic from the internet to Amazon Web Services (AWS) application workloads?
- A . HA-Series
- B . CN-Series
- C . PA-Series
- D . VM-Series
What Palo Alto Networks software firewall protects Amazon Web Services (AWS) deployments with network security delivered as a managed cloud service?
- A . VM-Series
- B . Cloud next-generation firewall (NGFW)
- C . CN-Series
- D . Ion-Series Ion-Series
What do tags allow a VM-Series firewall to do in a virtual environment?
- A . Enable machine learning (ML).
- B . Adapt Security policy rules dynamically.
- C . Integrate with security information and event management (SIEM) solutions.
- D . Provide adaptive reporting.
Which two methods of Zero Trust implementation can benefit an organization? (Choose two.)
- A . Compliance is validated.
- B . Boundaries are established.
- C . Security automation is seamlessly integrated.
- D . Access controls are enforced.
Which two actions can be performed for VM-Series firewall licensing by an orchestration system? (Choose two.)
- A . Creating a license
- B . Renewing a license
- C . Registering an authorization code
- D . Downloading a content update
What are two environments supported by the CN-Series firewall ? (Choose two.)
- A . Positive K
- B . OpenShift
- C . OpenStack
- D . Native K8
Why are VM-Series firewall s and hardware firewall s that are external to the Kubernetes cluster problematic for protecting containerized workloads?
- A . They are located outside the cluster and have no visibility into application-level cluster traffic.
- B . They do not scale independently of the Kubernetes cluster.
- C . They are managed by another entity when located inside the cluster.
- D . They function differently based on whether they are located inside or outside of the cluster.
What is a benefit of network runtime security?
- A . It more narrowly focuses on one security area and requires careful customization, integration, and maintenance.
- B . It removes vulnerabilities that have been baked into containers.
- C . It is siloed to enhance workload security.
- D . It identifies unknown vulnerabilities that cannot be identified by known Common Vulnerability and Exposure (CVE) lists.
What is a design consideration for a prospect who wants to deploy VM-Series firewall s in an Amazon Web Services (AWS) environment?
- A . Special AWS plugins are needed for load balancing.
- B . Resources are shared within the cluster.
- C . Only active-passive high availability (HA) is supported.
- D . High availability (HA) clusters are limited to fewer than 8 virtual appliances.
Which three NSX features can be pushed from Panorama in PAN-OS? (Choose three.)
- A . Security group assignment of virtual machines (VMs)
- B . Security groups
- C . Steering rules
- D . User IP mappings
- E . Multiple authorization codes
When implementing active-active high availability (HA), which feature must be configured to allow the HA pair to share a single IP address that may be used as the network’s gateway IP address?
- A . ARP load sharing
- B . Floating IP address
- C . HSRP
- D . VRRP
Which two design options address split brain when configuring high availability (HA)? (Choose two.)
- A . Adding a backup HA1 interface
- B . Using the heartbeat backup
- C . Bundling multiple interfaces in an aggregated interface group and assigning HA2
- D . Sending heartbeats across the HA2 interfaces
Where do CN-Series devices obtain a VM-Series authorization key?
- A . Panorama
- B . Local installation
- C . GitHub
- D . Customer Support Portal
Which offering can gain visibility and prevent an attack by a malicious actor attempting to exploit a known web server vulnerability using encrypted communication?
- A . OCSP
- B . Secure Sockets Layer (SSL) Inbound Inspection
- C . Advanced URL Filtering (AURLF)
- D . WildFire
Which Palo Alto Networks firewall provides network security when deploying a microservices-based application?
- A . PA-Series
- B . CN-Series
- C . VM-Series
- D . HA-Series
What is the appropriate fi le format for Kubernetes applications?
- A . .yaml
- B . .exe
- C . .json
- D . .xml
Which offering inspects encrypted outbound traffic?
- A . WildFire
- B . TLS decryption
- C . Content-ID
- D . Advanced URL Filtering (AURLF)
Which two features of CN-Series firewall s protect east-west traffic between pods in different trust zones? (Choose two.)
- A . Intrusion prevention system (IPS)
- B . Communication with Panorama
- C . External load balancer (ELB)
- D . Layer 7 visibility
Which component can provide application-based segmentation and prevent lateral threat movement?
- A . DNS Security
- B . NAT
- C . URL Filtering
- D . App-ID
What does the number of required flex credits for a VM-Series firewall depend on?
- A . vCPU allocation
- B . IP address allocation
- C . Network interface allocation
- D . Memory allocation
Which element protects and hides an internal network in an outbound flow ?
- A . DNS sinkholing
- B . User-ID
- C . App-ID
- D . NAT
Which software firewall would help a prospect interested in securing an environment with Kubernetes?
- A . KN-Series
- B . ML-Series
- C . VM-Series
- D . CN-Series
Which two valid components are used in installation of a VM-Series firewall in an OpenStack environment? (Choose two.)
- A . OpenStack heat template in JSON format
- B . OpenStack heat template in YAML Ain’t Markup Language (YAML) format
- C . VM-Series VHD image
- D . VM-Series qcow2 image
Which software firewall would assist a prospect who is interested in securing extensive DevOps deployments?
- A . CN-Series
- B . Ion-Series
- C . Cloud next-generation firewall (NGFW)
- D . VM-Series
How does a CN-Series firewall prevent ex fi ltration?
- A . It employs custom-built signatures based on hash.
- B . It distributes incoming virtual private cloud (VPC) traffic across the pool of VM-Series firewall s.
- C . It provides a license deactivation API key.
- D . It inspects outbound traffic content and blocks suspicious activity.
What helps avoid split brain in active-passive high availability (HA) pair deployment?
- A . Using a standard traffic interface as the HA2 backup
- B . Enabling preemption on both firewall s in the HA pair
- C . Using the management interface as the HA1 backup link
- D . Using a standard traffic interface as the HA3 link