When HTTP header logging is enabled on a URL Filtering profile, which attribute-value can be logged?

A. HTTP method

B. HTTP response status code

C. Content type

D. X-Forwarded-For

Which CLI allows you to view the names of SD-WAN policy rules that send traffic to the specified virtual SD-WAN interface, along with the performance metrics?

A. >show sdwan connection all |

B. >show sdwan path-monitor stats vif

C. >show sdwan rule vif sdwan.x

D. >show sdwan session distribution policy-name

A packet that is already associated with a current session arrives at the firewall.
What is the flow of the packet after the firewall determines that it is matched with an existing session?

A. It is sent through the fast path because session establishment is not required. If subject to content inspection, it will pass through multiple content inspection engines before egress.

B. It is sent through the slow path for further inspection. If subject to content inspection, it will pass through multiple content inspection engines before egress.

C. It is sent through the slow path for further inspection. If subject to content inspection, it will pass through a single stream-based content inspection engines before egress.

D. It is sent through the fast path because session establishment is not required. If subject to content inspection, it will pass through a single stream-based content inspection engine before egress.

Palo Alto Networks publishes updated Command-and-Control signatures.
How frequently should the related signatures schedule be set?

A. Once an hour

B. Once a day

C. Once a week

D. Once every minute

What two types of certificates are used to configure SSL Forward Proxy? (׀¡hoose two.)

A. Enterprise CA-signed certificates

B. Self-Signed certificates

C. Intermediate certificates

D. Private key certificates

What filtering criteria is used to determine what users to include as members of a dynamic user group?

A. Tags

B. Login IDs

C. Security Policy Rules

D. IP Addresses

Within the Five-Step Methodology of Zero Trust, in which step would application access and user access be defined?

A. Step 1: Define the Protect Surface

B. Step 3: Architect a Zero Trust Network

C. Step 5: Monitor and Maintain the Network

D. Step 2: Map the Protect Surface Transaction Flows

E. Step 4: Create the Zero Trust Policy

A customer is concerned about zero-day targeted attacks against its intellectual property.
Which solution informs a customer whether an attack is specifically targeted at them?

A. Cortex XDR Prevent

B. AutoFocus

C. Cortex XSOAR Community edition

D. Panorama Correlation Report

Which decryption requirement ensures that inspection can be provided to all inbound traffic routed to internal application and database servers?

A. Installation of certificates from the application server and database server on the NGFW and configuration of an SSL Inbound Decryption policy

B. Installation of a trusted root CA certificate on the NGFW and configuration of an SSL Inbound Decryption policy

C. Configuration of an SSL Inbound Decryption policy using one of the built-in certificates included in the certificate store

D. Configuration of an SSL Inbound Decryption policy without installing certificates

What action would address the sub-optimal traffic path shown in the figure?
Key:
RN - Remote Network -
SC - Service Connection -
MU GW - Mobile User Gateway -

A. Onboard a Service Connection in the Americas region

B. Remove the Service Connection in the EMEA region

C. Onboard a Service Connection in the APAC region

D. Onboard a Remote Network location in the EMEA region

What will best enhance security of a production online system while minimizing the impact for the existing network?

A. active/active high availability (HA)

B. Layer 2 interfaces

C. virtual systems

D. virtual wire

The WildFire Inline Machine Learning is configured using which Content-ID profiles?

A. Antivirus Profile

B. WildFire Analysis Profile

C. Threat Prevention Profile

D. File Blocking Profile

Which two actions can be configured in an Anti-Spyware profile to address command-and-control (C2) traffic from compromised hosts? (Choose two.)

A. Redirect

B. Alert

C. Quarantine

D. Reset

What is the correct behavior when a Palo Alto Networks next-generation firewall (NGFW) is unable to retrieve a DNS verdict from DNS service cloud in the configured lookup time?

A. NGFW discard a response from the DNS server.

B. NGFW temporarily disable DNS Security function.

C. NGFW permit a response from the DNS server.

D. NGFW resend a verdict challenge to DNS service cloud.

WildFire subscription supports analysis of which three types? (Choose three.)

A. GIF

B. 7-Zip

C. Flash

D. RPM

E. ISO

F. DMG

Which task would be identified in Best Practice Assessment tool?

A. identify the visibility and presence of command-and-control sessions

B. identify sanctioned and unsanctioned SaaS applications

C. identify the threats associated with each application

D. identify and provide recommendations for device management access

A customer is starting to understand their Zero Trust protect surface using the Palo Alto Networks Zero Trust reference architecture.
What are two steps in this process? (Choose two.)

A. Prioritize securing the endpoints of privileged users because if non-privileged user endpoints are exploited, the impact will be minimal due to perimeter controls.

B. Categorize data and applications by levels of sensitivity.

C. Gain visibility of and control over applications and functionality in the traffic flow using a port and protocol firewall.

D. Validate user identities through authentication.

A customer with a legacy firewall architecture is focused on port and protocol level security, and has heard that next generation firewalls open all ports by default.
What is the appropriate rebuttal that positions the value of a NGFW over a legacy firewall?

A. Palo Alto Networks does not consider port information, instead relying on App-ID signatures that do not reference ports

B. Default policies block all interzone traffic. Palo Alto Networks empowers you to control applications by default ports or a configurable list of approved ports on a per-policy basis

C. Palo Alto Networks keep ports closed by default, only opening ports after understanding the application request, and then opening only the application- specified ports

D. Palo Alto Networks NGFW protects all applications on all ports while leaving all ports opened by default

If a Palo Alto Networks Next-Generation Firewall (NGFW) already has Advanced Threat Prevention (ATP) enabled what is the throughput impact of also enabling Wildfire and Advanced URL Filtering (AURLF)?

A. The throughput will decrease with each additional subscription enabled.

B. The throughput will remain consistent, but the maximum number of simultaneous sessions will decrease.

C. The throughput will remain consistent regardless of the additional subscriptions enabled.

D. The throughput will decrease, but the maximum simultaneous sessions will remain consistent.

Which three platform components can identify and protect against malicious email links? (Choose three.)

A. WildFire hybrid cloud solution

B. WildFire public cloud

C. WF-500

D. M-200

E. M-600

Which PAN-OS feature should be discussed if a prospect wants to apply Security policy actions to traffic by using tags from their virtual environment?

A. Machine learning (ML)

B. Dynamic User Groups

C. URL blocking

D. MineMeld

What helps avoid split brain in active/passive HA pair deployment?

A. Use a standard traffic interface as the HA2 backup

B. Enable preemption on both firewalls in the HA pair

C. Use the management interface as the HA1 backup link

D. Use a standard traffic interface as the HA3 link

A customer with a fully licensed Palo Alto Networks firewall is concerned about threats based on domain generation algorithms (DGAs).
Which Security profile is used to configure Domain Name Security (DNS) to identify and block previously unknown DGA-based threats in real time?

A. Anti-Spyware profile

B. URL Filtering profile

C. Vulnerability Protection profile

D. WildFire Analysis profile

A customer with a legacy firewall architecture focused on port-and-protocol-level security has heard that NGFWs open all ports by default.
Which of the following statements regarding Palo Alto Networks NGFWs is an appropriate rebuttal that explains an advantage over legacy firewalls?

A. They do not consider port information, instead relying on App-ID signatures that do not reference ports.

B. They protect all applications on all ports while leaving all ports open by default.

C. They can control applications by application-default service ports or a configurable list of approved ports on a per-policy basis.

D. They keep ports closed by default, only opening after understanding the application request, and then opening only the application-specified ports.

Which three settings must be configured to enable Credential Phishing Prevention? (Choose three.)

A. validate credential submission detection

B. enable User-ID

C. define an SSL decryption rulebase

D. define URL Filtering Profile

E. Enable App-ID

Which four actions can be configured in an Anti-Spyware profile to address command-and-control traffic from compromised hosts? (Choose four.)

A. Reset

B. Quarantine

C. Drop

D. Allow

E. Redirect

F. Alert

Which three script types can be analyzed in WildFire? (Choose three.)

A. JScript

B. PythonScript

C. PowerShell Script

D. VBScript

E. MonoScript

Which three mechanisms are valid for enabling user mapping? (Choose three.)

A. client probing

B. user behavior recognition

C. reverse DNS lookup

D. domain server monitoring

E. Captive Portal

Which is the smallest Panorama solution that can be used to manage up to 2500 Palo Alto Networks Next Generation firewalls?

A. M-200

B. M-600

C. M-100

D. Panorama VM-Series

Which methods are used to check for Corporate Credential Submissions? (Choose three.)

A. Group Mapping

B. IP User Mapping

C. LDAP query

D. Domain Credential Filter

E. User ID Credential Check

What is the key benefit of Palo Alto Networks single-pass architecture (SPA) design?

A. It requires only one processor to complete all the functions within the box.

B. It allows the addition of new functions to existing hardware without affecting performance.

C. It allows the addition of new devices to existing hardware without affecting performance.

D. It decodes each network flow multiple times, therefore reducing throughput.

In Panorama, which three reports or logs will help identify the inclusion of a host / source in a command-and-control (C2) incident? (Choose three.)

A. WildFire analysis reports

B. data filtering logs

C. hotnet reports

D. threat logs

E. SaaS reports

WildFire can discover zero-day malware in which three types of traffic? (Choose three.)

A. TFTP

B. SMTP

C. DNS

D. FTP

E. HTTPS

Which action will protect against port scans from the internet?

A. Assign an Interface Management profile to the zone of the ingress interface

B. Assign Security profiles to Security policy rules for traffic sourcing from the untrust zone

C. Apply a Zone Protection profile on the zone of the ingress interface

D. Apply App-ID Security policy rules to block traffic sourcing from the untrust zone

What are two benefits of the sinkhole Internet Protocol (IP) address that DNS Security sends to the client in place of malicious IP addresses? (Choose two.)

A. It represents the remediation server that the client should visit for patching.

B. In situations where the internal DNS server is between the client and the firewall, it gives the firewall the ability to identify the clients who originated the query to the malicious domain.

C. The client communicates with it instead of the malicious IP address.

D. It will take over as the new DNS resolver for that client and prevent further DNS requests from occurring in the meantime.

Which three actions should be taken before deploying a firewall evaluation unit in the customer's environment? (Choose three.)

A. Reset the evaluation unit to factory default to ensure that data from any previous customer evaluation is removed

B. Request that the customer make port 3978 available to allow the evaluation unit to communicate with Panorama

C. Upgrade the evaluation unit to the most current recommended firmware, unless a demo of the upgrade process is planned

D. Inform the customer that they will need to provide a SPAN port for the evaluation unit assuming a TAP mode deployment

E. Set expectations around which information will be presented in the Security Lifecycle Review because sensitive information may be made visible

What allows verification of machine learning (ML) functionality for WildFire during a proof of concept?

A. Execution of the appropriate CLI command

B. Utilization of the ACC reports

C. Reviewing traffic in the traffic log

D. Checking the counters

What is an advantage public cloud WildFire has over the private WildFire appliance?

A. signatures being available within minutes to protect global users once malware has been submitted

B. generating malware reports

C. using different types of operating systems (OSs) to test malware against

D. generating antivirus and domain name system (DNS) signatures for discovered malware and assigning a Uniform Resource Locator (URL) category to malicious links

Which two features can be enabled to support asymmetric routing with redundancy on a Palo Alto Networks next-generation firewall (NGFW)? (Choose two.)

A. multiple virtual systems

B. active / active high availability (HA)

C. non-SYN first packet

D. asymmetric routing profile

What is an advantage of having WildFire machine learning (ML) capability inline on the firewall?

A. It eliminates of the necessity for dynamic analysis in the cloud.

B. It is always able to give more accurate verdicts than the cloud ML analysis, reducing false positives and false negatives,

C. It improves the CPU performance of content inspection.

D. It enables the firewall to block unknown malicious files in real time and prevent patient zero without disrupting business productivity.

What are three valid sources that are supported for user IP address mapping in Palo Alto Networks NGFW? (Choose three.)

A. RADIUS

B. Client Probing

C. Lotus Domino

D. Active Directory monitoring

E. TACACS

F. eDirectory monitoring

What are the three possible verdicts in WildFire Submissions log entries for a submitted sample? (Choose four.)

A. Benign

B. Spyware

C. Malicious

D. Phishing

E. Grayware

What are three considerations when deploying User-ID? (Choose three.)

A. Specify included and excluded networks when configuring User-ID

B. Only enable User-ID on trusted zones

C. Use a dedicated service account for User-ID services with the minimal permissions necessary

D. User-ID can support a maximum of 15 hops

E. Enable WMI probing in high security networks

Which task would be included in the Best Practice Assessment (BPA) tool?

A. Identify sanctioned and unsanctioned software-as-a-service (SaaS) applications.

B. Identify and provide recommendations for device configurations.

C. Identify the threats associated with each application.

D. Identify the visibility and presence of command-and-control (C2) sessions.

Which solution informs a customer concerned about zero-day targeted attacks whether an attack is specifically targeted at its property?

A. Panorama Correlation Report

B. AutoFocus

C. Cortex XSOAR Community Edition

D. Cortex XDR Prevent

In which step of the Palo Alto Networks Five-Step Zero Trust Methodology would an organization's critical data, applications, assets, and services (DAAS) be identified?

A. Step 1: Define the protect surface.

B. Step 4: Create the Zero Trust policy.

C. Step 3: Architect a Zero Trust network.

D. Step 2: Map the transaction flows.

Which two features are found in Palo Alto Networks NGFW but are absent in a legacy firewall product? (Choose two.)

A. Policy match is based on application

B. Traffic control is based on IP, port, and protocol

C. Traffic is separated by zones

D. Identification of application is possible on any port

Which functionality is available to firewall users with an active Threat Prevention subscription, but no WildFire license?

A. Access to the WildFire API

B. WildFire hybrid deployment

C. PE file upload to WildFire

D. 5 minute WildFire updates to threat signatures

Which three activities can the botnet report track? (Choose three.)

A. Accessing domains registered in the last 30 days

B. Visiting a malicious URL

C. Launching a P2P application

D. Detecting malware within a one-hour period

E. Initiating API calls to other applications

F. Using dynamic DNS domain providers

A customer requests that a known spyware threat signature be triggered based on a rate of occurrence, for example, 10 hits in 5 seconds.
How is this goal accomplished?

A. Create a custom spyware signature matching the known signature with the time attribute

B. Add a correlation object that tracks the occurrences and triggers above the desired threshold

C. Submit a request to Palo Alto Networks to change the behavior at the next update

D. Configure the Anti-Spyware profile with the number of rule counts to match the occurrence frequency