What is a design consideration for a prospect who wants to deploy VM-Series firewalls in an Amazon Web Services (AWS) environment?

A. Special AWS plugins are needed for load balancing.

B. Resources are shared within the cluster.

C. Only active-passive high availability (HA) is supported.

D. High availability (HA) clusters are limited to fewer than 8 virtual appliances.

A user must be assigned one of which two roles in order to create local rulestacks in the Cloud NGFW for AWS tenant? (Choose two.)

A. LocalRuleStackAdmin

B. FirewallRulestackAdmin

C. GlobalRulestackAdmin

D. GlobalFirewallAdmin

Which three traffic flows can protect against zero-day attacks? (Choose three.)

A. Outbound

B. North-south

C. Inbound

D. Internal

E. East-west

Why are containers uniquely suitable for runtime security based on allow lists?

A. Containers have only a few defined processes that should ever be executed.

B. Developers define the processes used in containers within the Dockerfile.

C. Docker has a built-in runtime analysis capability to aid in allow listing.

D. Operations teams know which processes are used within a container.

Which two design options address split brain when configuring high availability (HA)? (Choose two.)

A. Adding a backup HA1 interface

B. Using the heartbeat backup

C. Bundling multiple interfaces in an aggregated interface group and assigning HA2

D. Sending heartbeats across the HA2 interfaces

What do tags allow a VM-Series firewall to do in a virtual environment?

A. Enable machine learning (ML).

B. Adapt Security policy rules dynamically.

C. Integrate with security information and event management (SIEM) solutions.

D. Provide adaptive reporting.

When using Ansible with PAN-OS, which type of connection method should be used?

A. OpenSSH

B. Local

C. Paramiko

D. Smart

How are CN-Series firewalls licensed?

A. Data-plane vCPU

B. Service-plane vCPU

C. Management-plane vCPU

D. Control-plane vCPU

What is required to integrate a Palo Alto Networks VM-Series firewall with Azure Orchestration?

A. Aperture orchestration engine

B. Client-ID

C. Dynamic Address Groups

D. API Key

What is the maximum number of vCPUs can software NGFW licensing support with NGFW flex licensing?

A. 16

B. 32

C. 64

D. 128

A data center experiences a power outage that results in the reboot of all ESXi servers, including the software firewall's virtual machine (VM). Subsequently, there is a notable decrease in performance. Most end users complain of being unable to access the internet. The system engineer is still able to log in to the firewall management console smoothly.
What is most likely causing this issue?

A. The firewall license has expired.

B. The dataplane disk partitions are unable to mount after the reboot.

C. There is configuration file corruption on ESXi server.

D. The last saved configuration did not save properly in the boot up partition.

Which two community-supported Palo Alto Networks templates will protect cloud workloads by using a CN-Series firewall on GKE? (Choose two.)

A. Marketplace

B. Ansible

C. Helm

D. Terraform

What is the correct sequence of events for offloading by the Intelligent Traffic Offload (ITO) service?

A. Sample packets sent to ITO > ITO instructs Smart NIC to inspect of bypass > Smart NIC sends rest of flow to VM-Series for inspection

B. ITO instructs Smart NIC to inspect of bypass > Sample packets sent to ITO > Smart NIC forwards flow directly to destination

C. Sample packets sent to ITO > ITO instructs Smart NIC to inspect of bypass > Smart NIC forwards flow directly to destination

D. ITO instructs Smart NIC to inspect of bypass > Sample packets sent to ITO > Smart NIC sends rest of flow to VM-Series for inspection

After how many days does a daily warning message start appearing within the system before a Palo Alto Networks VM-Series license expires?

A. 7

B. 14

C. 30

D. 60

How must a Palo Alto Networks Next-Generation Firewall (NGFW) be configured in order to secure traffic in a Cisco ACI environment?

A. It must be deployed as a member of a device cluster.

B. It must use a Layer 3 underlay network.

C. It must receive all forwarding lookups from the network controller.

D. It must be identified as a default gateway.

Which deployment method should a GCP administrator use to deploy a VM-Series firewall to secure east-west traffic between Virtual Private Clouds (VPCs)?

A. Internet gateway

B. Hybrid IPSec VPN

C. Segmentation gateway

D. GlobalProtect

Which type of Terraform code is commonly used to deploy infrastructure as code (IaC)?

A. Library

B. SDK

C. Module

D. Plugin

What are two environments supported by the CN-Series firewall? (Choose two.)

A. Positive K

B. OpenShift

C. OpenStack

D. Native K8

In which area of the Customer Support Portal should a firewall administrator complete the steps to deactivate an accidentally deleted VM-Series firewall and free up Software NGFW Credits?

A. Resources

B. Tools

C. Assets

D. Support Cases

How does Prisma Cloud Compute offer workload security at runtime?

A. It automatically builds an allow-list security model for every container and service.

B. It quarantines containers that demonstrate increased CPU and memory usage.

C. It automatically patches vulnerabilities and compliance issues for every container and service.

D. It works with the identity provider (IdP) to identify overprivileged containers and services, and it restricts network access.

Which two methods of Zero Trust implementation can benefit an organization? (Choose two.)

A. Compliance is validated.

B. Boundaries are established.

C. Security automation is seamlessly integrated.

D. Access controls are enforced.

A CN-Series firewall can secure traffic between which elements?

A. Host containers

B. Source applications

C. Containers

D. Pods

Intelligent Traffic Offload (ITO) requires a firewall be deployed in which mode?

A. Layer 2

B. Layer 3

C. Tap

D. Vwire

Which two public cloud platforms does the VM-Series plugin support? (Choose two.)

A. Azure

B. IBM Cloud

C. Amazon Web Services (AWS)

D. OCI

Which two statements apply to the management Cloud NGFW by AWS firewall manager? (Choose two.)

A. Availability Zone can be created.

B. Firewall policy can be included only with specified accounts and OUs.

C. Firewall policy must be applied to all accounts under the Amazon Web Services (AWS) organization.

D. Endpoints will be created via the firewall manager.

Which type of group allows sharing cloud-learned tags with on-premises firewalls?

A. Device

B. Notify

C. Address

D. Template

Which component scans for threats in allowed traffic?

A. Intelligent Traffic Offload

B. TLS decryption

C. Security profiles

D. NAT

Which two actions can be performed for VM-Series firewall licensing by an orchestration system? (Choose two.)

A. Creating a license

B. Renewing a license

C. Registering an authorization code

D. Downloading a content update

With which two private cloud environments does Palo Alto Networks have deep integrations? (Choose two.)

A. VMware NSX-T

B. Cisco ACI

C. Dell APEX

D. Nutanix

Which two valid components are used in installation of a VM-Series firewall in an OpenStack environment? (Choose two.)

A. OpenStack heat template in JSON format

B. OpenStack heat template in YAML Ain’t Markup Language (YAML) format

C. VM-Series VHD image

D. VM-Series qcow2 image

Why are VM-Series firewalls and hardware firewalls that are external to the Kubernetes cluster problematic for protecting containerized workloads?

A. They are located outside the cluster and have no visibility into application-level cluster traffic.

B. They do not scale independently of the Kubernetes cluster.

C. They are managed by another entity when located inside the cluster.

D. They function differently based on whether they are located inside or outside of the cluster.

What is a benefit of network runtime security?

A. It more narrowly focuses on one security area and requires careful customization, integration, and maintenance.

B. It removes vulnerabilities that have been baked into containers.

C. It is siloed to enhance workload security.

D. It identifies unknown vulnerabilities that cannot be identified by known Common Vulnerability and Exposure (CVE) lists.

What Palo Alto Networks software firewall protects Amazon Web Services (AWS) deployments with network security delivered as a managed cloud service?

A. VM-Series

B. Cloud next-generation firewall (NGFW)

C. CN-Series

D. Ion-Series Ion-Series

A cloud infrastructure architect wants to monitor NGFW in production running on Amazon Web Services (AWS). It is known that the software firewalls are able to publish native PAN-OS metrics to AWS CloudWatch. The cloud infrastructure architect is unable to browse any firewall metrics on CloudWatch.
Which two features are needed to remediate this issue? (Choose two.)

A. IAM policy with action = “cloudwatch:PutMetricData”

B. IAM policy with action = “cloudwatch:SharetMetricData”

C. CloudWatch Monitoring with namespace = VMseries

D. CloudWatch Monitoring with namespace = aws

What is the minimum number of management interfaces created when the Google Cloud Platform (GCP) Marketplace deploys an instance of the VM-Series firewall?

A. 1

B. 2

C. 3

D. 4

Which Cloud NGFW for AWS deployment method requires traffic to pass through an AWS Transit Gateway?

A. East-west

B. Centralized

C. Inter VPC

D. Distributed

What is a benefit of CN-Series firewalls securing traffic between pods and other workload types?

A. It protects data center and internet gateway deployments.

B. It allows for automatic deployment, provisioning, and immediate policy enforcement without any manual intervention.

C. It ensures consistent security across the entire environment.

D. It allows extension of Zero Trust Network Security to the most remote locations and smallest branches.

What must be done in Panorama to enable the CN-MGMT to connect to Panorama?

A. Auth Code activation on Kubernetes plugin

B. Set Up Panorama in Management Only mode

C. Reboot Panorama

D. Set up High Availability (HA)

Which two statements apply to the VM-Series plugin? (Choose two.)

A. It can manage capabilities common to both VM-Series firewalls and hardware firewalls.

B. It can be upgraded independently of PAN-OS.

C. It enables management of cloud-specific interactions between VM-Series firewalls and supported public cloud platforms.

D. It can manage Panorama plugins.

In order to calculate the total number of Software NGFW Credits for an upcoming virtualization project in ESXi, which two pieces of information are needed? (Choose two.)

A. Number of VM-Series firewalls

B. Memory consumption for each VM-Series firewall

C. Number of interfaces on each VM-Series firewall

D. Number of vCPU on each VM-Series firewall

Considering the following information, what are two paths an engineer can follow to implement route tagging with 32-bit decimal notation on existing software firewalls? (Choose two.)
• A network engineer has already deployed a few instances of it.
• The consultant team has recommended using the advanced routing engine to support this functionality.

A. Select Device > Sessions, click “Advanced Routing” and click “Reboot Device”

B. init-cfg.txt op-command-modes=advance-routing:enable

C. set deviceconfig setting advanced-routing yes

D. Select Device > Setup > Sessions, click “ARE” and click “Reboot Device”

Which solution is best for securing an EKS environment?

A. VM-Series single host

B. CN-Series high availability (HA) pair

C. PA-Series using load sharing

D. API orchestration

What are three attributes monitored by the Panorama AWS plugin? (Choose three.)

A. Private DNS name

B. Subnet ID

C. IAM instance profile

D. VPC ID

E. Public DNS name

Auto scaling templates for which type of firewall enable deployment of a single auto scaling group (ASG) of VM-Series firewalls to secure inbound traffic from the internet to Amazon Web Services (AWS) application workloads?

A. HA-Series

B. CN-Series

C. PA-Series

D. VM-Series

What can software next-generation firewall (NGFW) credits be used to provision?

A. Remote browser isolation

B. Virtual Panorama appliances

C. Migrating NGFWs from hardware to VMs

D. Enablement of DNS security

Which feature must be configured in an NSX environment to ensure proper operation of a VM-Series firewall in order to secure east-west traffic?

A. Deployment of the NSX DFW

B. VMware Information Sources

C. User-ID agent on a Windows domain server

D. Device groups within VMware Services Manager

What is the maximum number of Kubernetes clusters Panorama can support?

A. 8

B. 16

C. 32

D. 64

Which two components are required for Intelligent Traffic Offload (ITO) on a VM-Series firewall? (Choose two.)

A. PAN-OS 10.1 or later

B. VM-Series plugin 2.1.0 or later

C. VM-Series plugin 3.1.0 or later

D. PAN-OS 9.1 or later

Which protocol is used for communicating between VM-Series firewalls and a gateway load balancer in Amazon Web Services (AWS)?

A. VRLAN

B. Geneve

C. GRE

D. VMLAN

What are the two appropriate routing settings required to deploy software firewall integration with Amazon Web Service (AWS) GWLB? (Choose two.)

A. Route table with ALB subnet association – Add route destined to 0.0.0.0/0 with target as NAT Gateway

B. Route table with ALB subnet association – Add route destined to 0.0.0.0/0 with target as IGW

C. Route table with IGW edge association – Add route destined to ALB with target as GWLBE

D. Route table with GWLBE subnet association – Add route destined to 0.0.0.0/0 with target as IGW