Which feature provides real-time analysis using machine learning (ML) to defend against new and unknown threats?

A. Advanced URL Filtering (AURLF)

B. Cortex Data Lake

C. DNS Security

D. Panorama VM-Series plugin

When implementing active-active high availability (HA), which feature must be configured to allow the HA pair to share a single IP address that may be used as the network's gateway IP address?

A. ARP load sharing

B. Floating IP address

C. HSRP

D. VRRP

When using Ansible with PAN-OS, which type of connection method should be used?

A. OpenSSH

B. Local

C. Paramiko

D. Smart

Which two valid components are used in installation of a VM-Series firewall in an OpenStack environment? (Choose two.)

A. OpenStack heat template in JSON format

B. OpenStack heat template in YAML Ain’t Markup Language (YAML) format

C. VM-Series VHD image

D. VM-Series qcow2 image

A CN-Series firewall can secure traffic between which elements?

A. Host containers

B. Source applications

C. Containers

D. Pods

What is the maximum number of Kubernetes clusters Panorama can support?

A. 8

B. 16

C. 32

D. 64

Using what two commands can an engineer confirm that the installation of the CN-series firewall as a K8S service on the production GKE cluster was successful after it was protected by the cloud workloads on GKE and YAML was downloaded to completed the setup? (Choose two.)

A. kubectl get pods -f app=pan-cn-mgmt -n kube-system

B. kubectl get pods -l app=pan-mgmt -n kube-system

C. kubectl get pods -n kube-system -l app=pan-ngfw -o wide

D. kubectl get pods app=pan-cn-ngfw -o wide

Which two deployment modes of VM-Series firewalls are supported across NSX-T? (Choose two.)

A. Prism Central

B. Bootstrap

C. Service Cluster

D. Host-based

Which two design options address split brain when configuring high availability (HA)? (Choose two.)

A. Adding a backup HA1 interface

B. Using the heartbeat backup

C. Bundling multiple interfaces in an aggregated interface group and assigning HA2

D. Sending heartbeats across the HA2 interfaces

A cloud infrastructure architect wants to monitor NGFW in production running on Amazon Web Services (AWS). It is known that the software firewalls are able to publish native PAN-OS metrics to AWS CloudWatch. The cloud infrastructure architect is unable to browse any firewall metrics on CloudWatch.
Which two features are needed to remediate this issue? (Choose two.)

A. IAM policy with action = “cloudwatch:PutMetricData”

B. IAM policy with action = “cloudwatch:SharetMetricData”

C. CloudWatch Monitoring with namespace = VMseries

D. CloudWatch Monitoring with namespace = aws

Regarding network segmentation, which two steps are involved in the configuration of a default route to an internet router? (Choose two.)

A. Select the Static Routes tab, then click Add.

B. Select Network > Interfaces.

C. Select the Config tab, then select New Route from the Security Zone Route drop-down menu.

D. Select Network > Virtual Router, then select the default link to open the Virtual Router dialog.

How are Palo Alto Networks Next-Generation Firewalls (NGFWs) deployed within a Cisco ACI architecture?

A. SDN code hooks can help detonate malicious file samples designed to detect virtual environments.

B. Traffic can be automatically redirected using static address objects.

C. Service graphs are configured to allow their deployment.

D. VXLAN or NVGRE traffic is terminated and inspected for translation to VLANs.

In order to calculate the total number of Software NGFW Credits for an upcoming virtualization project in ESXi, which two pieces of information are needed? (Choose two.)

A. Number of VM-Series firewalls

B. Memory consumption for each VM-Series firewall

C. Number of interfaces on each VM-Series firewall

D. Number of vCPU on each VM-Series firewall

To get the current auth code applied to a CN-Series firewall, which Panorama CLI command should be used?

A. requests plugins kubernetes get-license-tokens

B. requests plugins kubernetes get-node-license-info

C. requests tech-support dump

D. requests plugins vm-series list-dp-pods

Which software firewall would assist a prospect who is interested in securing extensive DevOps deployments?

A. CN-Series

B. Ion-Series

C. Cloud next-generation firewall (NGFW)

D. VM-Series

Which path should be followed to set up K8s cluster monitoring?

A. Panorama > Plugins > General > Kubernetes > Setup

B. Panorama > Plugins > Kubernetes > Setup > General

C. Panorama > Plugins > Kubernetes > General > Setup

D. Panorama > Plugins > Setup > Kubernetes > General

Which service enables a firewall or Panorama to download App-IDs for unknown SaaS applications from the cloud?

A. App-ID Cloud Engine

B. Application Library

C. Application machine learning (ML) Engine

D. App-ID Database Engine

What is a benefit of network runtime security?

A. It more narrowly focuses on one security area and requires careful customization, integration, and maintenance.

B. It removes vulnerabilities that have been baked into containers.

C. It is siloed to enhance workload security.

D. It identifies unknown vulnerabilities that cannot be identified by known Common Vulnerability and Exposure (CVE) lists.

Which two factors lead to improved return on investment for prospects interested in Palo Alto Networks virtualized next-generation firewalls (NGFWs)? (Choose two.)

A. Decreased likelihood of data breach

B. Reduced operational expenditures

C. Reduced time to deploy

D. Reduced insurance premiums

Which two licensing options provide the application visibility and control feature in a VM-Series deployment? (Choose two.)

A. Palo Alto Networks Cloud Storage

B. PAYG

C. BYOL

D. AWS Marketplace

Organizations using multiple public and private cloud platforms can deploy and configure the VM-Series using which three toolsets? (Choose three.)

A. Panorama

B. Terraform

C. Github

D. Ansible

E. CloudFormation

Considering the following information, what are two paths an engineer can follow to implement route tagging with 32-bit decimal notation on existing software firewalls? (Choose two.)
• A network engineer has already deployed a few instances of it.
• The consultant team has recommended using the advanced routing engine to support this functionality.

A. Select Device > Sessions, click “Advanced Routing” and click “Reboot Device”

B. init-cfg.txt op-command-modes=advance-routing:enable

C. set deviceconfig setting advanced-routing yes

D. Select Device > Setup > Sessions, click “ARE” and click “Reboot Device”

Auto scaling templates for which type of firewall enable deployment of a single auto scaling group (ASG) of VM-Series firewalls to secure inbound traffic from the internet to Amazon Web Services (AWS) application workloads?

A. HA-Series

B. CN-Series

C. PA-Series

D. VM-Series

How are CN-Series firewalls licensed?

A. Data-plane vCPU

B. Service-plane vCPU

C. Management-plane vCPU

D. Control-plane vCPU

What is the structure of the YAML Ain't Markup Language (YAML) file repository?

A. Deployment_Type/Kubernetes/Environment

B. Kubernetes/Deployment_Type/Environment

C. Kubernetes/Environment/Deployment_Type

D. Environment/Kubernetes/Deployment_Type

What Palo Alto Networks software firewall protects Amazon Web Services (AWS) deployments with network security delivered as a managed cloud service?

A. VM-Series

B. Cloud next-generation firewall (NGFW)

C. CN-Series

D. Ion-Series Ion-Series

Which component scans for threats in allowed traffic?

A. Intelligent Traffic Offload

B. TLS decryption

C. Security profiles

D. NAT

Which two public cloud platforms does the VM-Series plugin support? (Choose two.)

A. Azure

B. IBM Cloud

C. Amazon Web Services (AWS)

D. OCI

What are three attributes monitored by the Panorama AWS plugin? (Choose three.)

A. Private DNS name

B. Subnet ID

C. IAM instance profile

D. VPC ID

E. Public DNS name

What is created by the Panorama plugin as part of the infrastructure setup in Amazon Web Services (AWS) cloud?

A. Route tables and Security VPC with GWLB Endpoints only

B. AWS Transit Gateway, route tables, and NAT Gateway subnets

C. NAT Gateway subnets, Security VPC with GWLB Endpoints, and route tables

D. Security VPC with GWLB endpoints, NAT Gateway subnets, and AWS Transit Gateway

Which two components are required for Intelligent Traffic Offload (ITO) on a VM-Series firewall? (Choose two.)

A. PAN-OS 10.1 or later

B. VM-Series plugin 2.1.0 or later

C. VM-Series plugin 3.1.0 or later

D. PAN-OS 9.1 or later

In the Cloud NGFW for Amazon Web Services (AWS) centralized inbound deployment architecture, what is the next hop for the traffic after it passes through the application load balancer (ALB)?

A. Ingress VPC TGW ENI

B. Internet gateway

C. Egress VPC TGW ENI

D. AWS Transit Gateway •

Which type of group allows sharing cloud-learned tags with on-premises firewalls?

A. Device

B. Notify

C. Address

D. Template

Which two criteria are required to deploy VM-Series firewalls in high availability (HA)? (Choose two.)

A. Assignment of identical licenses and subscriptions

B. Deployment on a different host

C. Configuration of asymmetric routing

D. Deployment on same type of hypervisor

Which PAN-OS feature allows for automated updates to address objects when VM-Series firewalls are setup as part of an NSX deployment?

A. Boundary automation

B. Hypervisor integration

C. Bootstrapping

D. Dynamic Address Group

A user must be assigned one of which two roles in order to create local rulestacks in the Cloud NGFW for AWS tenant? (Choose two.)

A. LocalRuleStackAdmin

B. FirewallRulestackAdmin

C. GlobalRulestackAdmin

D. GlobalFirewallAdmin

Which solution is best for securing an EKS environment?

A. VM-Series single host

B. CN-Series high availability (HA) pair

C. PA-Series using load sharing

D. API orchestration

Which protocol is used for communicating between VM-Series firewalls and a gateway load balancer in Amazon Web Services (AWS)?

A. VRLAN

B. Geneve

C. GRE

D. VMLAN

What must be done in Panorama to enable the CN-MGMT to connect to Panorama?

A. Auth Code activation on Kubernetes plugin

B. Set Up Panorama in Management Only mode

C. Reboot Panorama

D. Set up High Availability (HA)

With the Panorama plugin for VM-Series installed. Panorama can collect a predefined set of attributes from which services in Amazon Web Services (AWS) as tags and populate it in the VM-Series firewall?

A. Load balancers

B. VPCs

C. Transit gateways

D. EC2 instances

Where do CN-Series devices obtain a VM-Series authorization key?

A. Panorama

B. Local installation

C. GitHub

D. Customer Support Portal

What is a design consideration for a prospect who wants to deploy VM-Series firewalls in an Amazon Web Services (AWS) environment?

A. Special AWS plugins are needed for load balancing.

B. Resources are shared within the cluster.

C. Only active-passive high availability (HA) is supported.

D. High availability (HA) clusters are limited to fewer than 8 virtual appliances.

What needs to be configured to deploy VM-Series firewalls in Azure as an Active/Active High Availability (HA) pair?

A. Active/Active HA is not supported in Azure

B. HA3 Link

C. Floating IP Address

D. HA1 and HA2 Link

An engineer is setting up tags in Panorama, but it is not working. How can the engineer verify the issue while viewing the Amazon Web Services (AWS) plugin logs from the CLI?

A. less aws-plugin plugin_aws.log

B. tail plugins-log plugin_aws_ret.log

C. less plugins-log

D. tail aws-plugin

What is the maximum number of vCPUs can software NGFW licensing support with NGFW flex licensing?

A. 16

B. 32

C. 64

D. 128

Which two elements of the Palo Alto Networks platform architecture enable security orchestration in a software-defined network (SDN)? (Choose two.)

A. Full set of APIs enabling programmatic control of policy and configuration

B. VXLAN support for network-layer abstraction

C. Dynamic Address Groups to adapt Security policies dynamically

D. NVGRE support for advanced VLAN integration

What is a benefit of CN-Series firewalls securing traffic between pods and other workload types?

A. It protects data center and internet gateway deployments.

B. It allows for automatic deployment, provisioning, and immediate policy enforcement without any manual intervention.

C. It ensures consistent security across the entire environment.

D. It allows extension of Zero Trust Network Security to the most remote locations and smallest branches.

Which two mechanisms could trigger a high availability (HA) failover event? (Choose two.)

A. Heartbeat polling

B. Ping monitoring

C. Session polling

D. Link monitoring

Which type of Terraform code is commonly used to deploy infrastructure as code (IaC)?

A. Library

B. SDK

C. Module

D. Plugin

Which automation tools should be used to create policies for Cloud NGFW for AWS?

A. Ansible, Terraform, and Panorama Console

B. Panorama Console and Panorama API only

C. Terraform, Panorama Console, and Panorama API

D. Panorama API, Ansible, Terraform, and Panorama Console