Which two actions can a systems engineer take to discover how Palo Alto Networks can bring value to a customer's business when they show interest in adopting Zero Trust? (Choose two.)

Ask the customer about their internal business flows, such as how their users interact with applications and data across the infrastructure.

Ask the customer about their approach to Zero Trust, explaining that it is a strategy more than it is something they purchase.

Explain how Palo Alto Networks can place virtual NGFWs across the customer's network to ensure assets and traffic are seen and controlled.

Use the Zero Trust Roadshow package to demonstrate to the customer how robust Palo Alto Networks capabilities are in meeting Zero Trust.

A large global company plans to acquire 500 NGFWs to replace its legacy firewalls and has a specific requirement for centralized logging and reporting capabilities. What should a systems engineer recommend?

Combine Panorama for firewall management with Palo Alto Networks' cloud-based Strata Logging Service to offer scalability for the company's logging and reporting infrastructure.

Use Panorama for firewall management and to transfer logs from the 500 firewalls directly to a third-party SIEM for centralized logging and reporting.

Highlight the efficiency of PAN-OS, which employs AI to automatically extract critical logs and generate daily executive reports, and confirm that the purchase of 500 NGFWs is sufficient.

Deploy a pair of M-1000 log collectors in the customer data center, and route logs from all

Which initial action can a network security engineer take to prevent a malicious actor from using a file-sharing application for data exfiltration without impacting users who still need to use file-sharing applications?

Use App-ID to limit access to file-sharing applications based on job functions.

Use DNS Security to limit access to file-sharing applications based on job functions.

Use DNS Security to block all file-sharing applications and uploading abilities.

Use App-ID to block all file-sharing applications and uploading abilities.

Regarding APIs, a customer RFP states: "The vendor's firewall solution must provide an API with an enforcement mechanism to deactivate API keys after two hours." How should the response address this clause?

Yes - The default setting must be changed from no limit to 120 minutes.

Yes - This is the default setting for API keys.

No - The PAN-OS XML API does not support keys.

No - The API keys can be made, but there is no method to deactivate them based on time.

An existing customer wants to expand their online business into physical stores for the first time. The customer requires NGFWs at the physical store to handle SD-WAN, security, and data protection needs, while also mandating a vendor-validated deployment method. Which two steps are valid actions for a systems engineer to take? (Choose two.)

Recommend the customer purchase Palo Alto Networks or partner-provided professional services to meet the stated requirements.

Create a bespoke deployment plan with the customer that reviews their cloud architecture, store footprint, and security requirements.

Use Golden Images and Day 1 configuration to create a consistent baseline from which the customer can efficiently work.

Use the reference architecture "On-Premises Network Security for the Branch Deployment Guide" to achieve a desired architecture.

Which three descriptions apply to a perimeter firewall? (Choose three.)

Network layer protection for the outer edge of a network

Primarily securing north-south traffic entering and leaving the network

Guarding against external attacks

Power utilization less than 500 watts sustained

Securing east-west traffic in a virtualized data center with flexible resource allocation

While responding to a customer RFP, a systems engineer (SE) is presented the question, "How do PANW firewalls enable the mapping of transactions as part of Zero Trust principles?" Which two narratives can the SE use to respond to the question? (Choose two.)

Explain how the NGFW can be placed in the network so it has visibility into every traffic flow.

Describe how Palo Alto Networks NGFW Security policies are built by using users, applications, and data objects.

Emphasize Zero Trust as an ideology, and that the customer decides how to align to Zero Trust principles.

Reinforce the importance of decryption and security protections to verify traffic that is not malicious.

A current NGFW customer has asked a systems engineer (SE) for a way to prove to their internal management team that its NGFW follows Zero Trust principles. Which action should the SE take?

Help the customer build reports that align to their Zero Trust plan in the "Monitor > Manage Custom Reports" tab.

Use the "Monitor > PDF Reports" node to schedule a weekly email of the Zero Trust report to the internal management team.

Use a third-party tool to pull the NGFW Zero Trust logs, and create a report that meets the customer's needs.

Use the "ACC" tab to help the customer build dashboards that highlight the historical tracking of the NGFW enforcing policies.

A company with Palo Alto Networks NGFWs protecting its physical data center servers is experiencing a performance issue on its Active Directory (AD) servers due to high numbers of requests and updates the NGFWs are placing on the servers. How can the NGFWs be enabled to efficiently identify users without overloading the AD servers?

Configure Cloud Identity Engine to learn the users' IP address-user mappings from the AD authentication logs.

Configure an NGFW as a GlobalProtect gateway, then have all users run GlobalProtect Windows SSO to gather user information.

Configure data redistribution to redistribute IP address-user mappings from a hub NGFW to the other spoke NGFWs.

Configure an NGFW as a GlobalProtect gateway, then have all users run GlobalProtect agents to gather user information.

As a team plans for a meeting with a new customer in one week, the account manager prepares to pitch Zero Trust. The notes provided to the systems engineer (SE) in preparation for the meeting read: "Customer is struggling with security as they move to cloud apps and remote users." What should the SE recommend to the team in preparation for the meeting?

Lead with the account manager pitching Zero Trust with the aim of convincing the customer that the team's approach meets their needs.

Design discovery questions to validate custom

A prospective customer wants to validate an NGFW solution and seeks the advice of a systems engineer (SE) regarding a design to meet the following stated requirements: "We need an NGFW that can handle 72 Gbps inside of our core network. Our core switches only have up to 40 Gbps links available to which new devices can connect. We cannot change the IP address structure of the environment, and we need protection for threat prevention, DNS, and perhaps sandboxing." Which hardware and architecture/design recommendations should the SE make?

PA-5445 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-2 or virtual wire mode that include 2 x 40Gbps interfaces on both sides of the path.

PA-5430 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-3 mode that include 40Gbps interfaces on both sides of the path.

PA-5445 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-3 mode that include 40Gbps interfaces on both sides of the path.

PA-5430 or larger to cover the bandwidth need and the link types; Architect aggregate interface groups in Layer-2 or virtual wire mode that include 2 x 40Gbps interfaces on both sides of the path.

The efforts of a systems engineer (SE) with an industrial mining company account have yielded interest in Palo Alto Networks as part of its effort to incorporate innovative design into operations using robots and remote-controlled vehicles in dangerous situations. A discovery call confirms that the company will receive control signals to its machines over a private mobile network using radio towers that connect to cloud-based applications that run the control programs. Which two sets of solutions should the SE recommend?

That 5G Security be enabled and architected to ensure the cloud computing is not compromised in the commands it is sending to the onsite machines.

That IoT Security be included for visibility into the machines and to ensure that other devices connected to the network are identified and given risk and behavior profiles.

That Cloud NGFW be included to protect the cloud-based applications from external access into the cloud service provider hosting them.

That an Advanced CDSS bundle (Advanced Threat Prevention, Advanced WildFire, and Advanced URL Filtering) be procured to ensure the design receives advanced protection.

There are no Advanced Threat Prevention log events in a company's SIEM instance. However, the systems administrator has confirmed that the Advanced Threat Prevention subscription is licensed and that threat events are visible in the threat logs on the firewall. Which action should the systems administrator take next?

Ensure the Security policy rules that use Advanced Threat Prevention are set for log forwarding to the correct SIEM.

Enable the company's Threat Prevention license.

Check with the SIEM vendor to verify that Advanced Threat Prevention logs are reaching the company's SIEM instance.

Have the SIEM vendor troubleshoot its software.

A customer asks a systems engineer (SE) how Palo Alto Networks can claim it does not lose throughput performance as more Cloud-Delivered Security Services (CDSS) subscriptions are enabled on the firewall. Which two concepts should the SE explain to address the customer's concern? (Choose two.)

Management Data Plane Separation

A prospective customer has provided specific requirements for an upcoming firewall purchase, including the need to process a minimum of 200,000 connections per second while maintaining at least 15 Gbps of throughput with App-ID and Threat Prevention enabled. What should a systems engineer do to determine the most suitable firewall for the customer?

Download the firewall sizing tool from the Palo Alto Networks support portal.

Upload 30 days of customer firewall traffic logs to the firewall calculator tool on the Palo Alto Networks support portal.

Use the online product configurator tool provided on the Palo Alto Networks website.

Use the product selector tool available on the Palo Alto Networks website.

According to a customer's CIO, who is upgrading PAN-OS versions, "Finding issues and then engaging with your support people requires expertise that our operations team can better utilize elsewhere on more valuable tasks for the business." The upgrade project was initiated in a rush because the company did not have the appropriate tools to indicate that their current NGFWs were reaching capacity. Which two actions by the Palo Alto Networks team offer a long-term solution for the customer? (Choose two.)

Recommend that the operations team use the free machine learning-powered AIOps for NGFW tool.

e Palo Alto Networks team offer a long-term solution for the customer? (Choose two.)

Recommend that the operations team use the free machine learning-powered AIOps for NGFW tool.

Propose AIOps Premium within Strata Cloud Manager (SCM) to address the company's issues from within the existing technology.

Suggest the inclusion of training into the proposal so that the operations team is informed and confident in working on their firewalls.

Inform the CIO that the new enhanced security features they will gain from the PAN-OS upgrades will fix any future problems with upgrading and capacity.

A prospective customer is concerned about stopping data exfiltration, data infiltration, and command-and-control (C2) activities over port 53. Which subscription(s) should the systems engineer recommend?

App-ID and Data Loss Prevention

Advanced Threat Prevention and Advanced URL Filtering

Which statement appropriately describes performance tuning Intrusion Prevention System (IPS) functions on a Palo Alto Networks NGFW running Advanced Threat Prevention?

Create a new threat profile to use only signatures needed for the environment.

Leave all signatures turned on because they do not impact performance.

Work with TAC to run a debug and receive exact measurements of performance utilization for the IPS.

To increase performance, disable any threat signatures that do not apply to the environment.

A systems engineer (SE) successfully demonstrates NGFW managed by Strata Cloud Manager (SCM) to a company. In the resulting planning phase of the proof of value (POV), the CISO requests a test that shows how the security policies are either meeting, or are progressing toward meeting, industry standards such as Critical Security Controls (CSC), and how the company can verify that it is effectively utilizing the functionality purchased. During the POV testing timeline, how should the SE verify that the POV will meet the CISO's request?

Near the end, pull a Security Lifecycle Review (SLR) in the POV and create a report for the customer.

At the beginning, work with the customer to create custom dashboards and reports for any information required, so reports can be pulled as needed by the customer.

Near the end, the customer pulls information from these SCM dashboards: Best Practices, CDSS Adoption, and NGFW Feature Adoption.

At the beginning, use PANhandler golden images that are designed to align to compliance and to turning on the features for the CDSS subscription being tested.

Which three use cases are specific to Policy Optimizer? (Choose three.)

Discovering applications on the network and transitions to application-based policy over time

Converting broad rules based on application filters into narrow rules based on application groups

Enabling migration from port-based rules to application-based rules

Discovering 5-tuple attributes that can be simplified to 4-tuple attributes

Automating the tagging of rules based on historical log data

A security engineer has been tasked with protecting a company's on-premises web servers but is not authorized to purchase a web application firewall (WAF). Which Palo Alto Networks solution will protect the company from SQL injection zero-day, command injection zero-day, Cross-Site Scripting (XSS) attacks, and IIS exploits?

Advanced Threat Prevention and PAN-OS 11.x

Threat Prevention and PAN-OS 11.x

Threat Prevention, Advanced URL Filtering, and PAN-OS 10.2 (and higher)

Advanced WildFire and PAN-OS 10.0 (and higher)

When a customer needs to understand how Palo Alto Networks NGFWs lower the risk of exploitation by newly announced vulnerabilities known to be actively attacked, which solution and functionality delivers the most value?

Advanced Threat Prevention's command injection and SQL injection functions use inline deep learning against zero-day threats.

Advanced URL Filtering uses machine learning (ML) to learn which malicious URLs are being utilized by the attackers, then block the resulting traffic.

Single Pass Architecture and parallel processing ensure traffic is efficiently scanned against any enabled Cloud-Delivered Security Services (CDSS) subscription.

WildFire loads custom OS images to ensure that the sandboxing catches any activity that would affect the customer's environment.

What are three valid Panorama deployment options? (Choose three.)

As a virtual machine (ESXi, Hyper-V, KVM)

With a cloud service provider (AWS, Azure, GCP)

As a dedicated hardware appliance (M-100, M-200, M-500, M-600)

As a container (Docker, Kubernetes, OpenShift)

On a Raspberry Pi (Model 4, Model 400, Model 5)

What does Policy Optimizer allow a systems engineer to do for an NGFW?

Identify Security policy rules with unused applications

Recommend best practices on new policy creation

Show unused licenses for Cloud-Delivered Security Services (CDSS) subscriptions and firewalls

Act as a migration tool to import policies from third-party vendors

What is the minimum configuration to stop a Cobalt Strike Malleable C2 attack inline and in real time?

Advanced Threat Prevention and PAN-OS 10.2

Next-Generation CASB on PAN-OS 10.1

Threat Prevention and Advanced WildFire with PAN-OS 10.0

DNS Security, Threat Prevention, and Advanced WildFire with PAN-OS 9.x

Which two statements clarify the functionality and purchase options for Palo Alto Networks AIOps for NGFW? (Choose two.)

It is offered in two license tiers: a free version and a premium version.

It uses telemetry data to forecast, preempt, or identify issues, and it uses machine learning (ML) to adjust and enhance the process.

It is offered in two license tiers: a commercial edition and an enterprise edition.

It forwards log data to Advanced WildFire to anticipate, prevent, or identify issues, and it uses machine learning (ML) to refine and adapt to the process.

Which two tools should a systems engineer use to showcase the benefit of an evaluation that a customer has just concluded?

Security Lifecycle Review (SLR)

What is the recommended architecture to synchronize the company's AD with Palo Alto Networks firewalls?

Configure a group mapping profile with an include group list.

Configure a group mapping profile with custom filters for LDAP attributes that are mapped to the user roles.

Configure a group mapping profile, without a filter, to synchronize all groups.

Configure NGFWs to synchronize with the AD after deploying the Cloud Identity Engine (CIE) and agents.

Which two actions should a systems engineer take when a customer is concerned about how to remain aligned to Zero Trust principles as they adopt additional security features over time? (Choose two)

Apply decryption where possible to inspect and log all new and existing traffic flows.

Use the Best Practice Assessment (BPA) tool to measure progress toward Zero Trust principles.

Turn on all licensed Cloud-Delivered Security Services (CDSS) subscriptions in blocking mode for all policies.

Use the Policy Optimizer tool to understand security rules allowing users to bypass decryption.

Which three tools can a prospective customer use to evaluate Palo Alto Networks products to assess where they will fit in the existing architecture? (Choose three)

Security Lifecycle Review (SLR)

Which two statements correctly describe best practices for sizing a firewall deployment with decryption enabled? (Choose two.)

SSL decryption traffic amounts vary from network to network.

Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms.

Large average transaction sizes consume more processing power to decrypt.

Rivest-Shamir-Adleman (RSA) certificate authentication method (not the RSA key exchange algorithm) consumes more resources than Elliptic Curve Digital Signature Algorithm (ECDSA), but ECDSA is more secure.

A prospective customer is interested in Palo Alto Networks NGFWs and wants to evaluate the ability to segregate its internal network into unique BGP environments. Which statement describes the ability of NGFWs to address this need?

It can be addressed by creating multiple eBGP autonomous systems.

It cannot be addressed because PAN-OS does not support it.

It can be addressed with BGP confederations.

It cannot be addressed because BGP must be fully meshed internally to work.

Palo Alto Networks Quiz

Authored by Marien Bassene

Engineering

5th Grade

Used 4+ times

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

53 questions

Show all answers

MULTIPLE SELECT QUESTION

30 sec • 1 pt

A company plans to deploy identity for improved visibility and identity-based controls for least privilege access to applications and dat A. The company does not have an on-premises Active Directory (AD) deployment, and devices are connected and managed by using a combination of Entra ID and Jamf. Which two supported sources for identity are appropriate for this environment? (Choose two.)

Captive portal

User-ID agents configured for WMI client probing

GlobalProtect with an internal gateway deployment

Cloud Identity Engine synchronized with Entra ID

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A systems engineer (SE) is working with a customer that is fully cloud-deployed for all applications. The customer is interested in Palo Alto Networks NGFWs but describes the following challenges: "Our apps are in AWS and Azure, with whom we have contracts and minimum-revenue guarantees. We would use the built-in firewall on the cloud service providers (CSPs), but the need for centralized policy management to reduce human error is more important." Which recommendations should the SE make?

Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.

Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice.

VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license.

VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A customer claims that Advanced WildFire miscategorized a file as malicious and wants proof, because another vendor has said that the file is benign. How could the systems engineer assure the customer that Advanced WildFire was accurate?

Review the threat logs for information to provide to the customer.

Use the WildFire Analysis Report in the log to show the customer the malicious actions the file took when it was detonated.

Open a TAG ticket for the customer and allow support engineers to determine the appropriate action.

Do nothing because the customer will realize Advanced WildFire is right.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

Which three known variables can assist with sizing an NGFW appliance? (Choose three.)

Connections per second

Max sessions

Packet replication

App-ID firewall throughput

Telemetry enabled

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which statement applies to the default configuration of a Palo Alto Networks NGFW?

Security profiles are applied to all policies by default, eliminating implicit trust of any data traversing the firewall.

The default policy action for intrazone traffic is deny, eliminating implicit trust within a security zone.

The default policy action allows all traffic unless explicitly denied.

The default policy action for interzone traffic is deny, eliminating implicit trust between security zones.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A company has multiple business units, each of which manages its own user directories and identity providers (IdPs) with different domain names. The company's network security team wants to deploy a shared GlobalProtect remote access service for all business units to authenticate users to each business unit's IdP. Which configuration will enable the network security team to authenticate GlobalProtect users to multiple SAML IdPs?

GlobalProtect with multiple authentication profiles for each SAML IdP

Multiple authentication mode Cloud Identity Engine authentication profile for use on the GlobalProtect portals and gateways

Authentication sequence that has multiple authentication profiles using different authentication methods

Multiple Cloud Identity Engine tenants for each business unit

MULTIPLE SELECT QUESTION

30 sec • 1 pt

Device-ID can be used in which three policies? (Choose three.)

Security

Decryption

Policy-based forwarding (PBF)

SD-WAN

Quality of Service (QoS)

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Popular Resources on Wayground

20 questions

"What is the question asking??" Grades 3-5

Quiz

•

1st - 5th Grade

20 questions

“What is the question asking??” Grades 6-8

Quiz

•

6th - 8th Grade

10 questions

Fire Safety Quiz

Quiz

•

12th Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

34 questions

STAAR Review 6th - 8th grade Reading Part 1

Quiz

•

6th - 8th Grade

20 questions

“What is the question asking??” English I-II

Quiz

•

9th - 12th Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

47 questions

8th Grade Reading STAAR Ultimate Review!

Quiz

•

8th Grade

Discover more resources for Engineering

20 questions

"What is the question asking??" Grades 3-5

Quiz

•

1st - 5th Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

12 questions

What makes Nebraska's government unique?

Quiz

•

4th - 5th Grade

76 questions

STAAR Mixed Review (Print Review)

Quiz

•

3rd - 7th Grade

16 questions

Graphing - First Quadrant

Quiz

•

5th Grade

35 questions

STAAR Review 5th Reading

Quiz

•

5th Grade

22 questions

ELA Review

Quiz

•

5th Grade

34 questions

5th Grade Science STAAR Review 2

Quiz

•

5th Grade

Palo Alto Networks Quiz

A customer claims that Advanced WildFire miscategorized a file as malicious and wants proof, because another vendor has said that the file is benign. How could the systems engineer assure the customer that Advanced WildFire was accurate?

Which three known variables can assist with sizing an NGFW appliance? (Choose three.)

Which statement applies to the default configuration of a Palo Alto Networks NGFW?

Device-ID can be used in which three policies? (Choose three.)

The PAN-OS User-ID integrated agent is included with PAN-OS software and comes in which two forms? (Choose two.)

Which two actions can a systems engineer take to discover how Palo Alto Networks can bring value to a customer's business when they show interest in adopting Zero Trust? (Choose two.)

A large global company plans to acquire 500 NGFWs to replace its legacy firewalls and has a specific requirement for centralized logging and reporting capabilities. What should a systems engineer recommend?

Access all questions and much more by creating a free account

Popular Resources on Wayground

Discover more resources for Engineering