Which service, when enabled, provides inbound traffic protection?

A. Advanced URL Filtering (AURLF)

B. Threat Prevention

C. Data loss prevention (DLP)

D. DNS Security

What does GlobalProtect gateway use to determine which resources a compliant device should be accessing and a non-compliant device should not be accessing?

A. VPN posture

B. Device posture

C. Host information profile (HIP)

D. Host posture

When implementing active-active high availability (HA), which feature must be configured to allow the HA pair to share a single IP address that may be used as the network's gateway IP address?

A. ARP load sharing

B. Floating IP address

C. HSRP

D. VRRP

Which tool or actions should users employ to estimate the amount of flex credits for VM-Series and CN-Series deployment?

A. Cloud NGFW for AWS Pricing Estimator

B. Open up a support case

C. Software NGFW Flex Credits Calculator

D. Software NGFW Credit Estimator

A data center experiences a power outage that results in the reboot of all ESXi servers, including the software firewall's virtual machine (VM). Subsequently, there is a notable decrease in performance. Most end users complain of being unable to access the internet. The system engineer is still able to log in to the firewall management console smoothly.
What is most likely causing this issue?

A. The firewall license has expired.

B. The dataplane disk partitions are unable to mount after the reboot.

C. There is configuration file corruption on ESXi server.

D. The last saved configuration did not save properly in the boot up partition.

After configuring a new software VM-Series firewall, the network team cannot detect any traffic being transmitted or received on the correct VLAN of the network switch. However, they are able to ping the management IP. Which two actions should be taken to troubleshoot this issue? (Choose two.)

A. Use tcpdump.

B. Debug flow create.

C. Check the port groups and port mapping on the hypervisor.

D. Show counter global filter.

Which technology allows for granular control of east-west traffic in a software-defined network?

A. Routing

B. Microsegmentation

C. MAC Access Control List

D. Virtualization

To which service does the Cloud NGFW for Azure send its logs?

A. Kinesis Data Firehose

B. S3 Bucket

C. CloudWatch Log Group

D. Log Analytics Workspace

To troubleshoot a missing or expired license for a CN-Series firewall, which Panorama CLI command should be used?

A. requests tech-support dump

B. requests plugins vm-series list-dp-pods

C. requests plugins kubernetes get-node-license-info

D. requests plugins kubernetes get-license-tokens

Which path should be followed to set up K8s cluster monitoring?

A. Panorama > Plugins > General > Kubernetes > Setup

B. Panorama > Plugins > Kubernetes > Setup > General

C. Panorama > Plugins > Kubernetes > General > Setup

D. Panorama > Plugins > Setup > Kubernetes > General

A user must be assigned one of which two roles in order to create local rulestacks in the Cloud NGFW for AWS tenant? (Choose two.)

A. LocalRuleStackAdmin

B. FirewallRulestackAdmin

C. GlobalRulestackAdmin

D. GlobalFirewallAdmin

Considering the following information, what are two paths an engineer can follow to implement route tagging with 32-bit decimal notation on existing software firewalls? (Choose two.)
• A network engineer has already deployed a few instances of it.
• The consultant team has recommended using the advanced routing engine to support this functionality.

A. Select Device > Sessions, click “Advanced Routing” and click “Reboot Device”

B. init-cfg.txt op-command-modes=advance-routing:enable

C. set deviceconfig setting advanced-routing yes

D. Select Device > Setup > Sessions, click “ARE” and click “Reboot Device”

What must be obtained to deploy a pay-as-you-go (PAYG) based VM-Series firewall in Amazon Web Services (AWS) through the marketplace?

A. MAC address

B. Amazon Machine Image (AMI)

C. Amazon auth code

D. PAN-OS update

What is the valid command to setup the cluster for CN-series firewall HSF Deployment and to prepare the extend permissions for service account?

A. kubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json kubectl apply -f plugin-deploy-serviceaccount.yaml kubectl apply -f pan-mgmt-serviceaccount.yaml

B. kubectl apply -f plugin-deploy-serviceaccount.yamlkubectl apply -f pan-mgmt-serviceaccount.yamlkubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json

C. kubectl apply -f plugin-deploy-serviceaccount.yamlkubectl -n kube-system get secretskubectl apply -f pan-mgmt-serviceaccount.yamlkubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json

D. kubectl -n kube-system get secretskubectl -n kube-system get secrets (secrets-from-above-command) -o json >> cred.json kubectl apply -f pan-mgmt-serviceaccount.yaml kubectl apply -f plugin-deploy-serviceaccount.yaml

How does Prisma Cloud Compute offer workload security at runtime?

A. It automatically builds an allow-list security model for every container and service.

B. It quarantines containers that demonstrate increased CPU and memory usage.

C. It automatically patches vulnerabilities and compliance issues for every container and service.

D. It works with the identity provider (IdP) to identify overprivileged containers and services, and it restricts network access.

Where do CN-Series devices obtain a VM-Series authorization key?

A. Panorama

B. Local installation

C. GitHub

D. Customer Support Portal

What can software next-generation firewall (NGFW) credits be used to provision?

A. Remote browser isolation

B. Virtual Panorama appliances

C. Migrating NGFWs from hardware to VMs

D. Enablement of DNS security

How many tokens are consumed for each vCPU used in a CN-Series firewall?

A. 1

B. 2

C. 4

D. 8

What is a benefit of CN-Series firewalls securing traffic between pods and other workload types?

A. It protects data center and internet gateway deployments.

B. It allows for automatic deployment, provisioning, and immediate policy enforcement without any manual intervention.

C. It ensures consistent security across the entire environment.

D. It allows extension of Zero Trust Network Security to the most remote locations and smallest branches.

Using what two commands can an engineer confirm that the installation of the CN-series firewall as a K8S service on the production GKE cluster was successful after it was protected by the cloud workloads on GKE and YAML was downloaded to completed the setup? (Choose two.)

A. kubectl get pods -f app=pan-cn-mgmt -n kube-system

B. kubectl get pods -l app=pan-mgmt -n kube-system

C. kubectl get pods -n kube-system -l app=pan-ngfw -o wide

D. kubectl get pods app=pan-cn-ngfw -o wide

Which service enables a firewall or Panorama to download App-IDs for unknown SaaS applications from the cloud?

A. App-ID Cloud Engine

B. Application Library

C. Application machine learning (ML) Engine

D. App-ID Database Engine

Which type of group allows sharing cloud-learned tags with on-premises firewalls?

A. Device

B. Notify

C. Address

D. Template

An engineer is setting up tags in Panorama, but it is not working. How can the engineer verify the issue while viewing the Amazon Web Services (AWS) plugin logs from the CLI?

A. less aws-plugin plugin_aws.log

B. tail plugins-log plugin_aws_ret.log

C. less plugins-log

D. tail aws-plugin

Intelligent Traffic Offload (ITO) requires a firewall be deployed in which mode?

A. Layer 2

B. Layer 3

C. Tap

D. Vwire

Which deployment method should a GCP administrator use to deploy a VM-Series firewall to secure east-west traffic between Virtual Private Clouds (VPCs)?

A. Internet gateway

B. Hybrid IPSec VPN

C. Segmentation gateway

D. GlobalProtect

What are the three required ethernet interfaces to deploy the VM-Series in AWS as a centralized model? (Choose three.)

A. Private interface for traffic to the GWLB

B. Private interface for traffic from the GWLB

C. Public interface for outbound traffic

D. Public interface for inbound traffic

E. Management interface

Which Cloud NGFW for AWS deployment method requires traffic to pass through an AWS Transit Gateway?

A. East-west

B. Centralized

C. Inter VPC

D. Distributed

Which two public cloud platforms does the VM-Series plugin support? (Choose two.)

A. Azure

B. IBM Cloud

C. Amazon Web Services (AWS)

D. OCI

Which two statements apply to the management Cloud NGFW by AWS firewall manager? (Choose two.)

A. Availability Zone can be created.

B. Firewall policy can be included only with specified accounts and OUs.

C. Firewall policy must be applied to all accounts under the Amazon Web Services (AWS) organization.

D. Endpoints will be created via the firewall manager.

What are three valid deployment options for Panorama in Amazon Web Services (AWS)? (Choose three.)

A. Panorama in AWS for management and log collection

B. Panorama in AWS and Panorama on-premises for a high availability (HA) array

C. Panorama in AWS CN-Series form factor for management and log collection

D. Panorama in AWS with Cortex Data Lake

E. On-premises Panorama with log collectors in AWS

Which type of Terraform code is commonly used to deploy infrastructure as code (IaC)?

A. Library

B. SDK

C. Module

D. Plugin

Which two community-supported Palo Alto Networks templates will protect cloud workloads by using a CN-Series firewall on GKE? (Choose two.)

A. Marketplace

B. Ansible

C. Helm

D. Terraform

How must a Palo Alto Networks Next-Generation Firewall (NGFW) be configured in order to secure traffic in a Cisco ACI environment?

A. It must be deployed as a member of a device cluster.

B. It must use a Layer 3 underlay network.

C. It must receive all forwarding lookups from the network controller.

D. It must be identified as a default gateway.

Which two deployment modes of VM-Series firewalls are supported across NSX-T? (Choose two.)

A. Prism Central

B. Bootstrap

C. Service Cluster

D. Host-based

What are two environments supported by the CN-Series firewall? (Choose two.)

A. Positive K

B. OpenShift

C. OpenStack

D. Native K8

When using Ansible with PAN-OS, which type of connection method should be used?

A. OpenSSH

B. Local

C. Paramiko

D. Smart

In which area of the Customer Support Portal should a firewall administrator complete the steps to deactivate an accidentally deleted VM-Series firewall and free up Software NGFW Credits?

A. Resources

B. Tools

C. Assets

D. Support Cases

A system engineer is working on the Proof of Concept (POC) for Cloud Next-Generation Firewall (NGFW) for Azure using an existing Panorama setup. However, connection with the Cloud NGFW instance. What could be the cause of this issue?

A. There has not been an upgrade to the PAN-OS 10.2.

B. Cloud NGFW plugin has not been installed.

C. Valid device certificate is missing.

D. Necessary ports 8443 and 443 for communication between Cloud NGFW and Panorama are blocked.

Which component scans for threats in allowed traffic?

A. Intelligent Traffic Offload

B. TLS decryption

C. Security profiles

D. NAT

Which automation tools should be used to create policies for Cloud NGFW for AWS?

A. Ansible, Terraform, and Panorama Console

B. Panorama Console and Panorama API only

C. Terraform, Panorama Console, and Panorama API

D. Panorama API, Ansible, Terraform, and Panorama Console

When deploying a firewall in Amazon Web Services (AWS) utilizing the orchestration through Panorama, which plugin is required?

A. vm_series-2.0.1 or later

B. cloud_services-3.2.0 or later

C. aws-3.0.1 or later

D. aws-5.0.1 or later

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.
How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

A. Edit the IP address of all of the affected VMs.

B. Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.

C. Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).

D. Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.

After how many days does a daily warning message start appearing within the system before a Palo Alto Networks VM-Series license expires?

A. 7

B. 14

C. 30

D. 60

A system engineer managing a deployment of CN-Series with Panorama (software version 11.0) installs the Kubernetes Plugin. When the installation is complete, templates are present. What are the names of two of these templates and for what are they used? (Choose two.)

A. K8S-Network-Setup used for daemonset

B. K8S-Network-Setup-V2 used for Kubernetes as a service deployment

C. K8S-Network-Setup-V3 used for Kubernetes as a service deployment

D. K8S-Network-Setup-V3 used for CNF daemonset

What do tags allow a VM-Series firewall to do in a virtual environment?

A. Enable machine learning (ML).

B. Adapt Security policy rules dynamically.

C. Integrate with security information and event management (SIEM) solutions.

D. Provide adaptive reporting.

To list NGFW pods connected to a management plane, which Panorama CLI command should be used?

A. requests plugins kubernetes get-node-license-info

B. requests plugins kubernetes get-license-tokens

C. requests plugins vm-series list-dp-pods

D. requests tech-support dump

The Cloud NGFW for AWS can capture and save which three types of logs? (Choose three.)

A. Threat

B. WildFire submissions

C. Decryption

D. URL Filtering

E. Traffic

Which two mechanisms could trigger a high availability (HA) failover event? (Choose two.)

A. Heartbeat polling

B. Ping monitoring

C. Session polling

D. Link monitoring

Which two design options address split brain when configuring high availability (HA)? (Choose two.)

A. Adding a backup HA1 interface

B. Using the heartbeat backup

C. Bundling multiple interfaces in an aggregated interface group and assigning HA2

D. Sending heartbeats across the HA2 interfaces

What Palo Alto Networks software firewall protects Amazon Web Services (AWS) deployments with network security delivered as a managed cloud service?

A. VM-Series

B. Cloud next-generation firewall (NGFW)

C. CN-Series

D. Ion-Series Ion-Series