What is the valid command to setup the cluster for CN-series firewall HSF Deployment and to prepare the extend permissions for service account?

A. kubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json kubectl apply -f plugin-deploy-serviceaccount.yaml kubectl apply -f pan-mgmt-serviceaccount.yaml

B. kubectl apply -f plugin-deploy-serviceaccount.yamlkubectl apply -f pan-mgmt-serviceaccount.yamlkubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json

C. kubectl apply -f plugin-deploy-serviceaccount.yamlkubectl -n kube-system get secretskubectl apply -f pan-mgmt-serviceaccount.yamlkubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json

D. kubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json kubectl apply -f pan-mgmt-serviceaccount.yaml kubectl apply -f plugin-deploy-serviceaccount.yaml

The Cloud NGFW for AWS can capture and save which three types of logs? (Choose three.)

A. Threat

B. WildFire submissions

C. Decryption

D. URL Filtering

E. Traffic

Which type of group allows sharing cloud-learned tags with on-premises firewalls?

A. Device

B. Notify

C. Address

D. Template

Auto scaling templates for which type of firewall enable deployment of a single auto scaling group (ASG) of VM-Series firewalls to secure inbound traffic from the internet to Amazon Web Services (AWS) application workloads?

A. HA-Series

B. CN-Series

C. PA-Series

D. VM-Series

Which PAN-OS feature allows for automated updates to address objects when VM-Series firewalls are setup as part of an NSX deployment?

A. Boundary automation

B. Hypervisor integration

C. Bootstrapping

D. Dynamic Address Group

When deploying a firewall in Amazon Web Services (AWS) utilizing the orchestration through Panorama, which plugin is required?

A. vm_series-2.0.1 or later

B. cloud_services-3.2.0 or later

C. aws-3.0.1 or later

D. aws-5.0.1 or later

Which two community-supported Palo Alto Networks templates will protect cloud workloads by using a CN-Series firewall on GKE? (Choose two.)

A. Marketplace

B. Ansible

C. Helm

D. Terraform

Using what two commands can an engineer confirm that the installation of the CN-series firewall as a K8S service on the production GKE cluster was successful after it was protected by the cloud workloads on GKE and YAML was downloaded to completed the setup? (Choose two.)

A. kubectl get pods -f app=pan-cn-mgmt -n kube-system

B. kubectl get pods -l app=pan-mgmt -n kube-system

C. kubectl get pods -n kube-system -l app=pan-ngfw -o wide

D. kubectl get pods app=pan-cn-ngfw -o wide

What are the three required ethernet interfaces to deploy the VM-Series in AWS as a centralized model? (Choose three.)

A. Private interface for traffic to the GWLB

B. Private interface for traffic from the GWLB

C. Public interface for outbound traffic

D. Public interface for inbound traffic

E. Management interface

Which Cloud NGFW for AWS deployment method requires traffic to pass through an AWS Transit Gateway?

A. East-west

B. Centralized

C. Inter VPC

D. Distributed

After configuring a new software VM-Series firewall, the network team cannot detect any traffic being transmitted or received on the correct VLAN of the network switch. However, they are able to ping the management IP. Which two actions should be taken to troubleshoot this issue? (Choose two.)

A. Use tcpdump.

B. Debug flow create.

C. Check the port groups and port mapping on the hypervisor.

D. Show counter global filter.

In the Cloud NGFW for Amazon Web Services (AWS) centralized inbound deployment architecture, what is the next hop for the traffic after it passes through the application load balancer (ALB)?

A. Ingress VPC TGW ENI

B. Internet gateway

C. Egress VPC TGW ENI

D. AWS Transit Gateway •

A data center experiences a power outage that results in the reboot of all ESXi servers, including the software firewall's virtual machine (VM). Subsequently, there is a notable decrease in performance. Most end users complain of being unable to access the internet. The system engineer is still able to log in to the firewall management console smoothly.
What is most likely causing this issue?

A. The firewall license has expired.

B. The dataplane disk partitions are unable to mount after the reboot.

C. There is configuration file corruption on ESXi server.

D. The last saved configuration did not save properly in the boot up partition.

What is the correct sequence of events for offloading by the Intelligent Traffic Offload (ITO) service?

A. Sample packets sent to ITO > ITO instructs Smart NIC to inspect of bypass > Smart NIC sends rest of flow to VM-Series for inspection

B. ITO instructs Smart NIC to inspect of bypass > Sample packets sent to ITO > Smart NIC forwards flow directly to destination

C. Sample packets sent to ITO > ITO instructs Smart NIC to inspect of bypass > Smart NIC forwards flow directly to destination

D. ITO instructs Smart NIC to inspect of bypass > Sample packets sent to ITO > Smart NIC sends rest of flow to VM-Series for inspection

Which two statements apply to the management Cloud NGFW by AWS firewall manager? (Choose two.)

A. Availability Zone can be created.

B. Firewall policy can be included only with specified accounts and OUs.

C. Firewall policy must be applied to all accounts under the Amazon Web Services (AWS) organization.

D. Endpoints will be created via the firewall manager.

Which two factors lead to improved return on investment for prospects interested in Palo Alto Networks virtualized next-generation firewalls (NGFWs)? (Choose two.)

A. Decreased likelihood of data breach

B. Reduced operational expenditures

C. Reduced time to deploy

D. Reduced insurance premiums

Which plugin is used to create and push device group-based policies to the Cloud NGFW?

A. Panorama AWS

B. Zero Touch Provisioning (ZTP)

C. Panorama Interconnect «•

D. Cloud Services

A manager wants to enhance the performance of a Palo Alto Networks VM-Series firewall. How can the use of CLI increase the number of cores in the dataplane?

A. Use init-cfg.txt with parameter “plugin-op-commands=dp-cores:.

B. Use cfg.txt with parameter “plugin-op-commands=dp-cores:.

C. Request vm_series dp-cores .

D. Request plugins vm_series dp-cores .

In which area of the Customer Support Portal should a firewall administrator complete the steps to deactivate an accidentally deleted VM-Series firewall and free up Software NGFW Credits?

A. Resources

B. Tools

C. Assets

D. Support Cases

Which two statements apply to the VM-Series plugin? (Choose two.)

A. It can manage capabilities common to both VM-Series firewalls and hardware firewalls.

B. It can be upgraded independently of PAN-OS.

C. It enables management of cloud-specific interactions between VM-Series firewalls and supported public cloud platforms.

D. It can manage Panorama plugins.

A system engineer managing a deployment of CN-Series with Panorama (software version 11.0) installs the Kubernetes Plugin. When the installation is complete, templates are present. What are the names of two of these templates and for what are they used? (Choose two.)

A. K8S-Network-Setup used for daemonset

B. K8S-Network-Setup-V2 used for Kubernetes as a service deployment

C. K8S-Network-Setup-V3 used for Kubernetes as a service deployment

D. K8S-Network-Setup-V3 used for CNF daemonset

Intelligent Traffic Offload (ITO) requires a firewall be deployed in which mode?

A. Layer 2

B. Layer 3

C. Tap

D. Vwire

Which component scans for threats in allowed traffic?

A. Intelligent Traffic Offload

B. TLS decryption

C. Security profiles

D. NAT

Which two design options address split brain when configuring high availability (HA)? (Choose two.)

A. Adding a backup HA1 interface

B. Using the heartbeat backup

C. Bundling multiple interfaces in an aggregated interface group and assigning HA2

D. Sending heartbeats across the HA2 interfaces

When using Ansible with PAN-OS, which type of connection method should be used?

A. OpenSSH

B. Local

C. Paramiko

D. Smart

What is created by the Panorama plugin as part of the infrastructure setup in Amazon Web Services (AWS) cloud?

A. Route tables and Security VPC with GWLB Endpoints only

B. AWS Transit Gateway, route tables, and NAT Gateway subnets

C. NAT Gateway subnets, Security VPC with GWLB Endpoints, and route tables

D. Security VPC with GWLB endpoints, NAT Gateway subnets, and AWS Transit Gateway

Which software firewall would help a prospect interested in securing an environment with Kubernetes?

A. KN-Series

B. ML-Series

C. VM-Series

D. CN-Series

To troubleshoot a missing or expired license for a CN-Series firewall, which Panorama CLI command should be used?

A. requests tech-support dump

B. requests plugins vm-series list-dp-pods

C. requests plugins kubernetes get-node-license-info

D. requests plugins kubernetes get-license-tokens

Which feature provides real-time analysis using machine learning (ML) to defend against new and unknown threats?

A. Advanced URL Filtering (AURLF)

B. Cortex Data Lake

C. DNS Security

D. Panorama VM-Series plugin

Which deployment method should a GCP administrator use to deploy a VM-Series firewall to secure east-west traffic between Virtual Private Clouds (VPCs)?

A. Internet gateway

B. Hybrid IPSec VPN

C. Segmentation gateway

D. GlobalProtect

Which technology allows for granular control of east-west traffic in a software-defined network?

A. Routing

B. Microsegmentation

C. MAC Access Control List

D. Virtualization

What are two environments supported by the CN-Series firewall? (Choose two.)

A. Positive K

B. OpenShift

C. OpenStack

D. Native K8

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.
How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

A. Edit the IP address of all of the affected VMs.

B. Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.

C. Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).

D. Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.

A user must be assigned one of which two roles in order to create local rulestacks in the Cloud NGFW for AWS tenant? (Choose two.)

A. LocalRuleStackAdmin

B. FirewallRulestackAdmin

C. GlobalRulestackAdmin

D. GlobalFirewallAdmin

Which port / interface must be assigned as the HA2 link when deploying VM-Series firewalls in High Availability (HA) on Amazon Web Services (AWS)?

A. HA2

B. MGT port

C. HSCI port

D. Ethernet1/1

Why are containers uniquely suitable for runtime security based on allow lists?

A. Containers have only a few defined processes that should ever be executed.

B. Developers define the processes used in containers within the Dockerfile.

C. Docker has a built-in runtime analysis capability to aid in allow listing.

D. Operations teams know which processes are used within a container.

Which path should be followed to set up K8s cluster monitoring?

A. Panorama > Plugins > General > Kubernetes > Setup

B. Panorama > Plugins > Kubernetes > Setup > General

C. Panorama > Plugins > Kubernetes > General > Setup

D. Panorama > Plugins > Setup > Kubernetes > General

How must a Palo Alto Networks Next-Generation Firewall (NGFW) be configured in order to secure traffic in a Cisco ACI environment?

A. It must be deployed as a member of a device cluster.

B. It must use a Layer 3 underlay network.

C. It must receive all forwarding lookups from the network controller.

D. It must be identified as a default gateway.

What do tags allow a VM-Series firewall to do in a virtual environment?

A. Enable machine learning (ML).

B. Adapt Security policy rules dynamically.

C. Integrate with security information and event management (SIEM) solutions.

D. Provide adaptive reporting.

With the Panorama plugin for VM-Series installed. Panorama can collect a predefined set of attributes from which services in Amazon Web Services (AWS) as tags and populate it in the VM-Series firewall?

A. Load balancers

B. VPCs

C. Transit gateways

D. EC2 instances

How are CN-Series firewalls licensed?

A. Data-plane vCPU

B. Service-plane vCPU

C. Management-plane vCPU

D. Control-plane vCPU

To which service does the Cloud NGFW for Azure send its logs?

A. Kinesis Data Firehose

B. S3 Bucket

C. CloudWatch Log Group

D. Log Analytics Workspace

In order to calculate the total number of Software NGFW Credits for an upcoming virtualization project in ESXi, which two pieces of information are needed? (Choose two.)

A. Number of VM-Series firewalls

B. Memory consumption for each VM-Series firewall

C. Number of interfaces on each VM-Series firewall

D. Number of vCPU on each VM-Series firewall

What is the default log destination for S3 bucket in the Cloud NGFW CloudFormation template (CFT) that is launched to set up the tenant?

A. Cloud NGFW

B. PaloAltoCloudNGFW

C. PANWCloudNGFW

D. Cortex Data Lake

Regarding network segmentation, which two steps are involved in the configuration of a default route to an internet router? (Choose two.)

A. Select the Static Routes tab, then click Add.

B. Select Network > Interfaces.

C. Select the Config tab, then select New Route from the Security Zone Route drop-down menu.

D. Select Network > Virtual Router, then select the default link to open the Virtual Router dialog.

Considering the following information, what are two paths an engineer can follow to implement route tagging with 32-bit decimal notation on existing software firewalls? (Choose two.)
• A network engineer has already deployed a few instances of it.
• The consultant team has recommended using the advanced routing engine to support this functionality.

A. Select Device > Sessions, click “Advanced Routing” and click “Reboot Device”

B. init-cfg.txt op-command-modes=advance-routing:enable

C. set deviceconfig setting advanced-routing yes

D. Select Device > Setup > Sessions, click “ARE” and click “Reboot Device”

What is the structure of the YAML Ain't Markup Language (YAML) file repository?

A. Deployment_Type/Kubernetes/Environment

B. Kubernetes/Deployment_Type/Environment

C. Kubernetes/Environment/Deployment_Type

D. Environment/Kubernetes/Deployment_Type

How is traffic directed to a Palo Alto Networks firewall integrated with Cisco ACI?

A. By using contracts between endpoint groups that send traffic to the firewall using a shared policy

B. Through a virtual machine (VM) monitor domain

C. Through a policy-based redirect (PBR)

D. By creating an access policy

What does GlobalProtect gateway use to determine which resources a compliant device should be accessing and a non-compliant device should not be accessing?

A. VPN posture

B. Device posture

C. Host information profile (HIP)

D. Host posture

What must be obtained to deploy a pay-as-you-go (PAYG) based VM-Series firewall in Amazon Web Services (AWS) through the marketplace?

A. MAC address

B. Amazon Machine Image (AMI)

C. Amazon auth code

D. PAN-OS update