Question # 4

A systems engineer (SE) is working with a customer that is fully cloud-deployed for all applications. The customer is interested in Palo Alto Networks NGFWs but describes the following challenges:

"Our apps are in AWS and Azure, with whom we have contracts and minimum-revenue guarantees. We would use the built-in firewall on the cloud service providers (CSPs), but the need for centralized policy management to reduce human error is more important."

Which recommendations should the SE make?

A. Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.

B. Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice.

C. VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license.

D. VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP’s marketplace of choice to centrally manage the systems.

Question # 5

Device-ID can be used in which three policies? (Choose three.)

A. Security

B. Decryption

C. Policy-based forwarding (PBF)

D. SD-WAN

E. Quality of Service (QoS)

Question # 6

Which two products can be integrated and managed by Strata Cloud Manager (SCM)? (Choose two)

A. Prisma SD-WAN

B. Prisma Cloud

C. Cortex XDR

D. VM-Series NGFW

Question # 7

Which two statements correctly describe best practices for sizing a firewall deployment with decryption enabled? (Choose two.)

A. SSL decryption traffic amounts vary from network to network.

B. Large average transaction sizes consume more processing power to decrypt.

C. Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms.

D. Rivest-Shamir-Adleman (RSA) certificate authentication method (not the RSA key exchange algorithm) consumes more resources than Elliptic Curve Digital Signature Algorithm (ECDSA), but ECDSA is more secure.

Question # 8

A prospective customer wants to validate an NGFW solution and seeks the advice of a systems engineer (SE) regarding a design to meet the following stated requirements:

"We need an NGFW that can handle 72 Gbps inside of our core network. Our core switches only have up to 40 Gbps links available to which new devices can connect. We cannot change the IP address structure of the environment, and we need protection for threat prevention, DNS, and perhaps sandboxing."

Which hardware and architecture/design recommendations should the SE make?

A. PA-5445 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-2 or virtual wire mode that include 2 x 40Gbps interfaces on both sides of the path.

B. PA-5430 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-3 mode that include 40Gbps interfaces on both sides of the path.

C. PA-5445 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-3 mode that include 40Gbps interfaces on both sides of the path.

D. PA-5430 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-2 or virtual wire mode that include 2 x 40Gbps interfaces on both sides of the path.

Question # 9

What does Policy Optimizer allow a systems engineer to do for an NGFW?

A. Recommend best practices on new policy creation

B. Show unused licenses for Cloud-Delivered Security Services (CDSS) subscriptions and firewalls

C. Identify Security policy rules with unused applications

D. Act as a migration tool to import policies from third-party vendors

Question # 10

Which use case is valid for Palo Alto Networks Next-Generation Firewalls (NGFWs)?

A. Code-embedded NGFWs provide enhanced internet of things (IoT) security by allowing PAN-OS code to be run on devices that do not support embedded virtual machine (VM) images.

B. Serverless NGFW code security provides public cloud security for code-only deployments that do not leverage virtual machine (VM) instances or containerized services.

C. IT/OT segmentation firewalls allow operational technology resources in plant networks to securely interface with IT resources in the corporate network.

D. PAN-OS GlobalProtect gateways allow companies to run malware and exploit prevention modules on their endpoints without installing endpoint agents.

Question # 11

The efforts of a systems engineer (SE) with an industrial mining company account have yielded interest in Palo Alto Networks as part of its effort to incorporate innovative design into operations using robots and remote-controlled vehicles in dangerous situations. A discovery call confirms that the company will receive control signals to its machines over a private mobile network using radio towers that connect to cloud-based applications that run the control programs.

Which two sets of solutions should the SE recommend?

A. That 5G Security be enabled and architected to ensure the cloud computing is not compromised in the commands it is sending to the onsite machines.

B. That Cloud NGFW be included to protect the cloud-based applications from external access into the cloud service provider hosting them.

C. That IoT Security be included for visibility into the machines and to ensure that other devices connected to the network are identified and given risk and behavior profiles.

D. That an Advanced CDSS bundle (Advanced Threat Prevention, Advanced WildFire, and Advanced URL Filtering) be procured to ensure the design receives advanced protection.

Question # 12

Which two compliance frameworks are included with the Premium version of Strata Cloud Manager (SCM)? (Choose two)

A. Payment Card Industry (PCI)

B. National Institute of Standards and Technology (NIST)

C. Center for Internet Security (CIS)

D. Health Insurance Portability and Accountability Act (HIPAA)

Question # 13

As a team plans for a meeting with a new customer in one week, the account manager prepares to pitch Zero Trust. The notes provided to the systems engineer (SE) in preparation for the meeting read: "Customer is struggling with security as they move to cloud apps and remote users." What should the SE recommend to the team in preparation for the meeting?

A. Lead with the account manager pitching Zero Trust with the aim of convincing the customer that the team's approach meets their needs.

B. Design discovery questions to validate customer challenges with identity, devices, data, and access for applications and remote users.

C. Lead with a product demonstration of GlobalProtect connecting to an NGFW and Prisma Access, and have SaaS security enabled.

D. Guide the account manager into recommending Prisma SASE at the customer meeting to solve the issues raised.

Question # 14

A company has multiple business units, each of which manages its own user directories and identity providers (IdPs) with different domain names. The company’s network security team wants to deploy a shared GlobalProtect remote access service for all business units to authenticate users to each business unit's IdP.

Which configuration will enable the network security team to authenticate GlobalProtect users to multiple SAML IdPs?

A. GlobalProtect with multiple authentication profiles for each SAML IdP

B. Multiple authentication mode Cloud Identity Engine authentication profile for use on the GlobalProtect portals and gateways

C. Authentication sequence that has multiple authentication profiles using different authentication methods

D. Multiple Cloud Identity Engine tenants for each business unit

Question # 15

An existing customer wants to expand their online business into physical stores for the first time. The customer requires NGFWs at the physical store to handle SD-WAN, security, and data protection needs, while also mandating a vendor-validated deployment method. Which two steps are valid actions for a systems engineer to take? (Choose two.)

A. Recommend the customer purchase Palo Alto Networks or partner-provided professional services to meet the stated requirements.

B. Use Golden Images and Day 1 configuration to create a consistent baseline from which the customer can efficiently work.

C. Create a bespoke deployment plan with the customer that reviews their cloud architecture, store footprint, and security requirements.

D. Use the reference architecture "On-Premises Network Security for the Branch Deployment Guide" to achieve a desired architecture.

Question # 16

A company with a large Active Directory (AD) of over 20,000 groups has user roles based on group membership in the directory. Up to 1,000 groups may be used in Security policies. The company has limited operations personnel and wants to reduce the administrative overhead of managing the synchronization of the groups with their firewalls.

What is the recommended architecture to synchronize the company's AD with Palo Alto Networks firewalls?

A. Configure a group mapping profile with custom filters for LDAP attributes that are mapped to the user roles.

B. Configure a group mapping profile, without a filter, to synchronize all groups.

C. Configure a group mapping profile with an include group list.

D. Configure NGFWs to synchronize with the AD after deploying the Cloud Identity Engine (CIE) and agents.

Question # 17

A prospective customer is concerned about stopping data exfiltration, data infiltration, and command-and-control (C2) activities over port 53.

Which subscription(s) should the systems engineer recommend?

A. Threat Prevention

B. App-ID and Data Loss Prevention

C. DNS Security

D. Advanced Threat Prevention and Advanced URL Filtering

Question # 18

Which two methods are valid ways to populate user-to-IP mappings? (Choose two.)

A. XML API

B. Captive portal

C. User-ID

D. SCP log ingestion
