Which software firewall would help a prospect interested in securing an environment with Kubernetes?

A. KN-Series

B. ML-Series

C. VM-Series

D. CN-Series

What is a design consideration for a prospect who wants to deploy VM-Series firewalls in an Amazon Web Services (AWS) environment?

A. Special AWS plugins are needed for load balancing.

B. Resources are shared within the cluster.

C. Only active-passive high availability (HA) is supported.

D. High availability (HA) clusters are limited to fewer than 8 virtual appliances.

How is traffic directed to a Palo Alto Networks firewall integrated with Cisco ACI?

A. By using contracts between endpoint groups that send traffic to the firewall using a shared policy

B. Through a virtual machine (VM) monitor domain

C. Through a policy-based redirect (PBR)

D. By creating an access policy

Which two routing options are supported by VM-Series? (Choose two.)

A. OSPF

B. RIP

C. BGP

D. IGRP

Regarding network segmentation, which two steps are involved in the configuration of a default route to an internet router? (Choose two.)

A. Select the Static Routes tab, then click Add.

B. Select Network > Interfaces.

C. Select the Config tab, then select New Route from the Security Zone Route drop-down menu.

D. Select Network > Virtual Router, then select the default link to open the Virtual Router dialog.

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.
How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

A. Edit the IP address of all of the affected VMs.

B. Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.

C. Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).

D. Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.

Which three traffic flows can protect against zero-day attacks? (Choose three.)

A. Outbound

B. North-south

C. Inbound

D. Internal

E. East-west

What is the correct sequence of events for offloading by the Intelligent Traffic Offload (ITO) service?

A. Sample packets sent to ITO > ITO instructs Smart NIC to inspect of bypass > Smart NIC sends rest of flow to VM-Series for inspection

B. ITO instructs Smart NIC to inspect of bypass > Sample packets sent to ITO > Smart NIC forwards flow directly to destination

C. Sample packets sent to ITO > ITO instructs Smart NIC to inspect of bypass > Smart NIC forwards flow directly to destination

D. ITO instructs Smart NIC to inspect of bypass > Sample packets sent to ITO > Smart NIC sends rest of flow to VM-Series for inspection

Which type of group allows sharing cloud-learned tags with on-premises firewalls?

A. Device

B. Notify

C. Address

D. Template

Which two statements apply to the management Cloud NGFW by AWS firewall manager? (Choose two.)

A. Availability Zone can be created.

B. Firewall policy can be included only with specified accounts and OUs.

C. Firewall policy must be applied to all accounts under the Amazon Web Services (AWS) organization.

D. Endpoints will be created via the firewall manager.

When using Ansible with PAN-OS, which type of connection method should be used?

A. OpenSSH

B. Local

C. Paramiko

D. Smart

What is the default log destination for S3 bucket in the Cloud NGFW CloudFormation template (CFT) that is launched to set up the tenant?

A. Cloud NGFW

B. PaloAltoCloudNGFW

C. PANWCloudNGFW

D. Cortex Data Lake

What is a benefit of network runtime security?

A. It more narrowly focuses on one security area and requires careful customization, integration, and maintenance.

B. It removes vulnerabilities that have been baked into containers.

C. It is siloed to enhance workload security.

D. It identifies unknown vulnerabilities that cannot be identified by known Common Vulnerability and Exposure (CVE) lists.

What are two environments supported by the CN-Series firewall? (Choose two.)

A. Positive K

B. OpenShift

C. OpenStack

D. Native K8

Where do CN-Series devices obtain a VM-Series authorization key?

A. Panorama

B. Local installation

C. GitHub

D. Customer Support Portal

Which deployment method should a GCP administrator use to deploy a VM-Series firewall to secure east-west traffic between Virtual Private Clouds (VPCs)?

A. Internet gateway

B. Hybrid IPSec VPN

C. Segmentation gateway

D. GlobalProtect

Which automation tools should be used to create policies for Cloud NGFW for AWS?

A. Ansible, Terraform, and Panorama Console

B. Panorama Console and Panorama API only

C. Terraform, Panorama Console, and Panorama API

D. Panorama API, Ansible, Terraform, and Panorama Console

Which tool or actions should users employ to estimate the amount of flex credits for VM-Series and CN-Series deployment?

A. Cloud NGFW for AWS Pricing Estimator

B. Open up a support case

C. Software NGFW Flex Credits Calculator

D. Software NGFW Credit Estimator

Which two criteria are required to deploy VM-Series firewalls in high availability (HA)? (Choose two.)

A. Assignment of identical licenses and subscriptions

B. Deployment on a different host

C. Configuration of asymmetric routing

D. Deployment on same type of hypervisor

What is created by the Panorama plugin as part of the infrastructure setup in Amazon Web Services (AWS) cloud?

A. Route tables and Security VPC with GWLB Endpoints only

B. AWS Transit Gateway, route tables, and NAT Gateway subnets

C. NAT Gateway subnets, Security VPC with GWLB Endpoints, and route tables

D. Security VPC with GWLB endpoints, NAT Gateway subnets, and AWS Transit Gateway

To list NGFW pods connected to a management plane, which Panorama CLI command should be used?

A. requests plugins kubernetes get-node-license-info

B. requests plugins kubernetes get-license-tokens

C. requests plugins vm-series list-dp-pods

D. requests tech-support dump

Auto scaling templates for which type of firewall enable deployment of a single auto scaling group (ASG) of VM-Series firewalls to secure inbound traffic from the internet to Amazon Web Services (AWS) application workloads?

A. HA-Series

B. CN-Series

C. PA-Series

D. VM-Series

Which feature must be configured in an NSX environment to ensure proper operation of a VM-Series firewall in order to secure east-west traffic?

A. Deployment of the NSX DFW

B. VMware Information Sources

C. User-ID agent on a Windows domain server

D. Device groups within VMware Services Manager

What do tags allow a VM-Series firewall to do in a virtual environment?

A. Enable machine learning (ML).

B. Adapt Security policy rules dynamically.

C. Integrate with security information and event management (SIEM) solutions.

D. Provide adaptive reporting.

Which feature provides real-time analysis using machine learning (ML) to defend against new and unknown threats?

A. Advanced URL Filtering (AURLF)

B. Cortex Data Lake

C. DNS Security

D. Panorama VM-Series plugin

A user must be assigned one of which two roles in order to create local rulestacks in the Cloud NGFW for AWS tenant? (Choose two.)

A. LocalRuleStackAdmin

B. FirewallRulestackAdmin

C. GlobalRulestackAdmin

D. GlobalFirewallAdmin

Which port / interface must be assigned as the HA2 link when deploying VM-Series firewalls in High Availability (HA) on Amazon Web Services (AWS)?

A. HA2

B. MGT port

C. HSCI port

D. Ethernet1/1

Why are containers uniquely suitable for runtime security based on allow lists?

A. Containers have only a few defined processes that should ever be executed.

B. Developers define the processes used in containers within the Dockerfile.

C. Docker has a built-in runtime analysis capability to aid in allow listing.

D. Operations teams know which processes are used within a container.

A system engineer is working on the Proof of Concept (POC) for Cloud Next-Generation Firewall (NGFW) for Azure using an existing Panorama setup. However, connection with the Cloud NGFW instance. What could be the cause of this issue?

A. There has not been an upgrade to the PAN-OS 10.2.

B. Cloud NGFW plugin has not been installed.

C. Valid device certificate is missing.

D. Necessary ports 8443 and 443 for communication between Cloud NGFW and Panorama are blocked.

Intelligent Traffic Offload (ITO) requires a firewall be deployed in which mode?

A. Layer 2

B. Layer 3

C. Tap

D. Vwire

Which two valid components are used in installation of a VM-Series firewall in an OpenStack environment? (Choose two.)

A. OpenStack heat template in JSON format

B. OpenStack heat template in YAML Ain’t Markup Language (YAML) format

C. VM-Series VHD image

D. VM-Series qcow2 image

How many tokens are consumed for each vCPU used in a CN-Series firewall?

A. 1

B. 2

C. 4

D. 8

Using what two commands can an engineer confirm that the installation of the CN-series firewall as a K8S service on the production GKE cluster was successful after it was protected by the cloud workloads on GKE and YAML was downloaded to completed the setup? (Choose two.)

A. kubectl get pods -f app=pan-cn-mgmt -n kube-system

B. kubectl get pods -l app=pan-mgmt -n kube-system

C. kubectl get pods -n kube-system -l app=pan-ngfw -o wide

D. kubectl get pods app=pan-cn-ngfw -o wide

What are three attributes monitored by the Panorama AWS plugin? (Choose three.)

A. Private DNS name

B. Subnet ID

C. IAM instance profile

D. VPC ID

E. Public DNS name

What must be obtained to deploy a pay-as-you-go (PAYG) based VM-Series firewall in Amazon Web Services (AWS) through the marketplace?

A. MAC address

B. Amazon Machine Image (AMI)

C. Amazon auth code

D. PAN-OS update

In which area of the Customer Support Portal should a firewall administrator complete the steps to deactivate an accidentally deleted VM-Series firewall and free up Software NGFW Credits?

A. Resources

B. Tools

C. Assets

D. Support Cases

What is the valid command to setup the cluster for CN-series firewall HSF Deployment and to prepare the extend permissions for service account?

A. kubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json kubectl apply -f plugin-deploy-serviceaccount.yaml kubectl apply -f pan-mgmt-serviceaccount.yaml

B. kubectl apply -f plugin-deploy-serviceaccount.yamlkubectl apply -f pan-mgmt-serviceaccount.yamlkubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json

C. kubectl apply -f plugin-deploy-serviceaccount.yamlkubectl -n kube-system get secretskubectl apply -f pan-mgmt-serviceaccount.yamlkubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json

D. kubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json kubectl apply -f pan-mgmt-serviceaccount.yaml kubectl apply -f plugin-deploy-serviceaccount.yaml

What is required to integrate a Palo Alto Networks VM-Series firewall with Azure Orchestration?

A. Aperture orchestration engine

B. Client-ID

C. Dynamic Address Groups

D. API Key

A system engineer managing a deployment of CN-Series with Panorama (software version 11.0) installs the Kubernetes Plugin. When the installation is complete, templates are present. What are the names of two of these templates and for what are they used? (Choose two.)

A. K8S-Network-Setup used for daemonset

B. K8S-Network-Setup-V2 used for Kubernetes as a service deployment

C. K8S-Network-Setup-V3 used for Kubernetes as a service deployment

D. K8S-Network-Setup-V3 used for CNF daemonset

Which two factors lead to improved return on investment for prospects interested in Palo Alto Networks virtualized next-generation firewalls (NGFWs)? (Choose two.)

A. Decreased likelihood of data breach

B. Reduced operational expenditures

C. Reduced time to deploy

D. Reduced insurance premiums

What needs to be configured to deploy VM-Series firewalls in Azure as an Active/Active High Availability (HA) pair?

A. Active/Active HA is not supported in Azure

B. HA3 Link

C. Floating IP Address

D. HA1 and HA2 Link

Which two mechanisms could trigger a high availability (HA) failover event? (Choose two.)

A. Heartbeat polling

B. Ping monitoring

C. Session polling

D. Link monitoring

Which two components are required for Intelligent Traffic Offload (ITO) on a VM-Series firewall? (Choose two.)

A. PAN-OS 10.1 or later

B. VM-Series plugin 2.1.0 or later

C. VM-Series plugin 3.1.0 or later

D. PAN-OS 9.1 or later

In the Cloud NGFW for AWS distributed outbound architecture model, what is the first hop the traffic takes from the source?

A. Internet gateway

B. Cloud NGFW

C. NGFW endpoint

D. NAT gateway

Which PAN-OS feature allows for automated updates to address objects when VM-Series firewalls are setup as part of an NSX deployment?

A. Boundary automation

B. Hypervisor integration

C. Bootstrapping

D. Dynamic Address Group

Which component allows the flexibility to add network resources but does not require making changes to existing policies and rules?

A. Content-ID

B. External dynamic list (EDL)

C. App-ID

D. Dynamic address group

A cloud infrastructure architect wants to monitor NGFW in production running on Amazon Web Services (AWS). It is known that the software firewalls are able to publish native PAN-OS metrics to AWS CloudWatch. The cloud infrastructure architect is unable to browse any firewall metrics on CloudWatch.
Which two features are needed to remediate this issue? (Choose two.)

A. IAM policy with action = “cloudwatch:PutMetricData”

B. IAM policy with action = “cloudwatch:SharetMetricData”

C. CloudWatch Monitoring with namespace = VMseries

D. CloudWatch Monitoring with namespace = aws

What can software next-generation firewall (NGFW) credits be used to provision?

A. Remote browser isolation

B. Virtual Panorama appliances

C. Migrating NGFWs from hardware to VMs

D. Enablement of DNS security

Which protocol is used for communicating between VM-Series firewalls and a gateway load balancer in Amazon Web Services (AWS)?

A. VRLAN

B. Geneve

C. GRE

D. VMLAN

After how many days does a daily warning message start appearing within the system before a Palo Alto Networks VM-Series license expires?

A. 7

B. 14

C. 30

D. 60