A CN-Series firewall can secure traffic between which elements?

A. Host containers

B. Source applications

C. Containers

D. Pods

Which technology allows for granular control of east-west traffic in a software-defined network?

A. Routing

B. Microsegmentation

C. MAC Access Control List

D. Virtualization

Which two mechanisms could trigger a high availability (HA) failover event? (Choose two.)

A. Heartbeat polling

B. Ping monitoring

C. Session polling

D. Link monitoring

Which protocol is used for communicating between VM-Series firewalls and a gateway load balancer in Amazon Web Services (AWS)?

A. VRLAN

B. Geneve

C. GRE

D. VMLAN

Which two actions can be performed for VM-Series firewall licensing by an orchestration system? (Choose two.)

A. Creating a license

B. Renewing a license

C. Registering an authorization code

D. Downloading a content update

Which two statements apply to the VM-Series plugin? (Choose two.)

A. It can manage capabilities common to both VM-Series firewalls and hardware firewalls.

B. It can be upgraded independently of PAN-OS.

C. It enables management of cloud-specific interactions between VM-Series firewalls and supported public cloud platforms.

D. It can manage Panorama plugins.

What are two environments supported by the CN-Series firewall? (Choose two.)

A. Positive K

B. OpenShift

C. OpenStack

D. Native K8

What can software next-generation firewall (NGFW) credits be used to provision?

A. Remote browser isolation

B. Virtual Panorama appliances

C. Migrating NGFWs from hardware to VMs

D. Enablement of DNS security

Which two methods of Zero Trust implementation can benefit an organization? (Choose two.)

A. Compliance is validated.

B. Boundaries are established.

C. Security automation is seamlessly integrated.

D. Access controls are enforced.

Which feature provides real-time analysis using machine learning (ML) to defend against new and unknown threats?

A. Advanced URL Filtering (AURLF)

B. Cortex Data Lake

C. DNS Security

D. Panorama VM-Series plugin

What Palo Alto Networks software firewall protects Amazon Web Services (AWS) deployments with network security delivered as a managed cloud service?

A. VM-Series

B. Cloud next-generation firewall (NGFW)

C. CN-Series

D. Ion-Series Ion-Series

Which solution is best for securing an EKS environment?

A. VM-Series single host

B. CN-Series high availability (HA) pair

C. PA-Series using load sharing

D. API orchestration

What do tags allow a VM-Series firewall to do in a virtual environment?

A. Enable machine learning (ML).

B. Adapt Security policy rules dynamically.

C. Integrate with security information and event management (SIEM) solutions.

D. Provide adaptive reporting.

Auto scaling templates for which type of firewall enable deployment of a single auto scaling group (ASG) of VM-Series firewalls to secure inbound traffic from the internet to Amazon Web Services (AWS) application workloads?

A. HA-Series

B. CN-Series

C. PA-Series

D. VM-Series

Which PAN-OS feature allows for automated updates to address objects when VM-Series firewalls are setup as part of an NSX deployment?

A. Boundary automation

B. Hypervisor integration

C. Bootstrapping

D. Dynamic Address Group

Which two factors lead to improved return on investment for prospects interested in Palo Alto Networks virtualized next-generation firewalls (NGFWs)? (Choose two.)

A. Decreased likelihood of data breach

B. Reduced operational expenditures

C. Reduced time to deploy

D. Reduced insurance premiums

Which component allows the flexibility to add network resources but does not require making changes to existing policies and rules?

A. Content-ID

B. External dynamic list (EDL)

C. App-ID

D. Dynamic address group

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.
How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

A. Edit the IP address of all of the affected VMs.

B. Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.

C. Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).

D. Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.

How must a Palo Alto Networks Next-Generation Firewall (NGFW) be configured in order to secure traffic in a Cisco ACI environment?

A. It must be deployed as a member of a device cluster.

B. It must use a Layer 3 underlay network.

C. It must receive all forwarding lookups from the network controller.

D. It must be identified as a default gateway.

Which two deployment modes of VM-Series firewalls are supported across NSX-T? (Choose two.)

A. Prism Central

B. Bootstrap

C. Service Cluster

D. Host-based

Which two elements of the Palo Alto Networks platform architecture enable security orchestration in a software-defined network (SDN)? (Choose two.)

A. Full set of APIs enabling programmatic control of policy and configuration

B. VXLAN support for network-layer abstraction

C. Dynamic Address Groups to adapt Security policies dynamically

D. NVGRE support for advanced VLAN integration

Which component scans for threats in allowed traffic?

A. Intelligent Traffic Offload

B. TLS decryption

C. Security profiles

D. NAT

How is traffic directed to a Palo Alto Networks firewall integrated with Cisco ACI?

A. By using contracts between endpoint groups that send traffic to the firewall using a shared policy

B. Through a virtual machine (VM) monitor domain

C. Through a policy-based redirect (PBR)

D. By creating an access policy

Which two routing options are supported by VM-Series? (Choose two.)

A. OSPF

B. RIP

C. BGP

D. IGRP

Why are VM-Series firewalls and hardware firewalls that are external to the Kubernetes cluster problematic for protecting containerized workloads?

A. They are located outside the cluster and have no visibility into application-level cluster traffic.

B. They do not scale independently of the Kubernetes cluster.

C. They are managed by another entity when located inside the cluster.

D. They function differently based on whether they are located inside or outside of the cluster.

How are CN-Series firewalls licensed?

A. Data-plane vCPU

B. Service-plane vCPU

C. Management-plane vCPU

D. Control-plane vCPU

Which feature must be configured in an NSX environment to ensure proper operation of a VM-Series firewall in order to secure east-west traffic?

A. Deployment of the NSX DFW

B. VMware Information Sources

C. User-ID agent on a Windows domain server

D. Device groups within VMware Services Manager

What is the structure of the YAML Ain't Markup Language (YAML) file repository?

A. Deployment_Type/Kubernetes/Environment

B. Kubernetes/Deployment_Type/Environment

C. Kubernetes/Environment/Deployment_Type

D. Environment/Kubernetes/Deployment_Type

Which two public cloud platforms does the VM-Series plugin support? (Choose two.)

A. Azure

B. IBM Cloud

C. Amazon Web Services (AWS)

D. OCI

How does Prisma Cloud Compute offer workload security at runtime?

A. It automatically builds an allow-list security model for every container and service.

B. It quarantines containers that demonstrate increased CPU and memory usage.

C. It automatically patches vulnerabilities and compliance issues for every container and service.

D. It works with the identity provider (IdP) to identify overprivileged containers and services, and it restricts network access.

With which two private cloud environments does Palo Alto Networks have deep integrations? (Choose two.)

A. VMware NSX-T

B. Cisco ACI

C. Dell APEX

D. Nutanix

Which software firewall would assist a prospect who is interested in securing extensive DevOps deployments?

A. CN-Series

B. Ion-Series

C. Cloud next-generation firewall (NGFW)

D. VM-Series

Which software firewall would help a prospect interested in securing an environment with Kubernetes?

A. KN-Series

B. ML-Series

C. VM-Series

D. CN-Series

Which two valid components are used in installation of a VM-Series firewall in an OpenStack environment? (Choose two.)

A. OpenStack heat template in JSON format

B. OpenStack heat template in YAML Ain’t Markup Language (YAML) format

C. VM-Series VHD image

D. VM-Series qcow2 image

Where do CN-Series devices obtain a VM-Series authorization key?

A. Panorama

B. Local installation

C. GitHub

D. Customer Support Portal

Which two design options address split brain when configuring high availability (HA)? (Choose two.)

A. Adding a backup HA1 interface

B. Using the heartbeat backup

C. Bundling multiple interfaces in an aggregated interface group and assigning HA2

D. Sending heartbeats across the HA2 interfaces

When implementing active-active high availability (HA), which feature must be configured to allow the HA pair to share a single IP address that may be used as the network's gateway IP address?

A. ARP load sharing

B. Floating IP address

C. HSRP

D. VRRP

What is required to integrate a Palo Alto Networks VM-Series firewall with Azure Orchestration?

A. Aperture orchestration engine

B. Client-ID

C. Dynamic Address Groups

D. API Key

Which three NSX features can be pushed from Panorama in PAN-OS? (Choose three.)

A. Security group assignment of virtual machines (VMs)

B. Security groups

C. Steering rules

D. User IP mappings

E. Multiple authorization codes

Regarding network segmentation, which two steps are involved in the configuration of a default route to an internet router? (Choose two.)

A. Select the Static Routes tab, then click Add.

B. Select Network > Interfaces.

C. Select the Config tab, then select New Route from the Security Zone Route drop-down menu.

D. Select Network > Virtual Router, then select the default link to open the Virtual Router dialog.

What is a benefit of network runtime security?

A. It more narrowly focuses on one security area and requires careful customization, integration, and maintenance.

B. It removes vulnerabilities that have been baked into containers.

C. It is siloed to enhance workload security.

D. It identifies unknown vulnerabilities that cannot be identified by known Common Vulnerability and Exposure (CVE) lists.

Why are containers uniquely suitable for runtime security based on allow lists?

A. Containers have only a few defined processes that should ever be executed.

B. Developers define the processes used in containers within the Dockerfile.

C. Docker has a built-in runtime analysis capability to aid in allow listing.

D. Operations teams know which processes are used within a container.

What is a design consideration for a prospect who wants to deploy VM-Series firewalls in an Amazon Web Services (AWS) environment?

A. Special AWS plugins are needed for load balancing.

B. Resources are shared within the cluster.

C. Only active-passive high availability (HA) is supported.

D. High availability (HA) clusters are limited to fewer than 8 virtual appliances.

A manager wants to enhance the performance of a Palo Alto Networks VM-Series firewall. How can the use of CLI increase the number of cores in the dataplane?

A. Use init-cfg.txt with parameter “plugin-op-commands=dp-cores:.

B. Use cfg.txt with parameter “plugin-op-commands=dp-cores:.

C. Request vm_series dp-cores .

D. Request plugins vm_series dp-cores .

Which two community-supported Palo Alto Networks templates will protect cloud workloads by using a CN-Series firewall on GKE? (Choose two.)

A. Marketplace

B. Ansible

C. Helm

D. Terraform

Which two licensing options provide the application visibility and control feature in a VM-Series deployment? (Choose two.)

A. Palo Alto Networks Cloud Storage

B. PAYG

C. BYOL

D. AWS Marketplace

With the Panorama plugin for VM-Series installed. Panorama can collect a predefined set of attributes from which services in Amazon Web Services (AWS) as tags and populate it in the VM-Series firewall?

A. Load balancers

B. VPCs

C. Transit gateways

D. EC2 instances

Which type of Terraform code is commonly used to deploy infrastructure as code (IaC)?

A. Library

B. SDK

C. Module

D. Plugin

Organizations using multiple public and private cloud platforms can deploy and configure the VM-Series using which three toolsets? (Choose three.)

A. Panorama

B. Terraform

C. Github

D. Ansible

E. CloudFormation

A data center experiences a power outage that results in the reboot of all ESXi servers, including the software firewall's virtual machine (VM). Subsequently, there is a notable decrease in performance. Most end users complain of being unable to access the internet. The system engineer is still able to log in to the firewall management console smoothly.
What is most likely causing this issue?

A. The firewall license has expired.

B. The dataplane disk partitions are unable to mount after the reboot.

C. There is configuration file corruption on ESXi server.

D. The last saved configuration did not save properly in the boot up partition.