When a firewall acts as an application-level gateway (ALG), what does it require in order to establish
a connection?
A
Explanation:
When a firewall functions as an Application-Level Gateway (ALG), it intercepts, inspects, and
dynamically manages traffic at the application layer of the OSI model. The primary role of an ALG is
to provide deep packet inspection (DPI), address translation, and protocol compliance enforcement.
To establish a connection successfully, an ALG requires a pinhole—a temporary, dynamically created
rule that allows the firewall to permit the return traffic necessary for specific applications (e.g., VoIP,
FTP, and SIP-based traffic). These pinholes are essential because many applications dynamically
negotiate port numbers, making static firewall rules ineffective.
For example, when a Session Initiation Protocol (SIP) application initiates a connection, the firewall
dynamically opens a pinhole to allow the SIP media stream (RTP) to pass through while maintaining
security controls. Once the session ends, the pinhole is closed to prevent unauthorized access.
Reference to Firewall Deployment and Security Features:
Firewall Deployment – ALGs are commonly deployed in enterprise network firewalls to manage
application-specific connections securely.
Security Policies – Firewalls use ALG security policies to allow or block dynamically negotiated
connections.
VPN Configurations – Some VPNs rely on ALGs for handling complex applications requiring NAT
traversal.
Threat Prevention – ALGs help detect and prevent application-layer threats by inspecting traffic
content.
WildFire – Not directly related, but deep inspection features like WildFire can work alongside ALG to
inspect payloads for malware.
Panorama – Used for centralized policy management, including ALG-based policies.
Zero Trust Architectures – ALG enhances Zero Trust by ensuring only explicitly allowed application
traffic is permitted through temporary pinholes.
Thus, the correct answer is A. Pinhole because it enables a firewall to establish application-layer
connections securely while enforcing dynamic traffic filtering.
Which action is only taken during slow path in the NGFW policy?
B
Explanation:
In Palo Alto Networks Next-Generation Firewall (NGFW), packet processing is categorized into the
fast path (also known as the accelerated path) and the slow path (also known as deep inspection
processing). The slow path is responsible for handling operations that require deep content
inspection and policy enforcement beyond standard Layer 2-4 packet forwarding.
Slow Path Processing and SSL/TLS Decryption
SSL/TLS decryption is performed only during the slow path because it involves computationally
intensive tasks such as:
Intercepting encrypted traffic and performing man-in-the-middle (MITM) decryption.
Extracting the SSL handshake and certificate details for security inspection.
Inspecting decrypted payloads for threats, malicious content, and compliance with security policies.
Re-encrypting the traffic before forwarding it to the intended destination.
This process is critical in environments where encrypted threats can bypass traditional security
inspection mechanisms. However, it significantly impacts firewall performance, making it a slow path
action.
Other Answer Choices Analysis
(A) Session Lookup – This occurs in the fast path as part of session establishment before any deeper
inspection. It checks whether an incoming packet belongs to an existing session.
(C) Layer 2–Layer 4 Firewall Processing – These are stateless or stateful filtering actions (e.g., access
control, NAT, and basic connection tracking), handled in the fast path.
(D) Security Policy Lookup – This is also in the fast path, where the firewall determines whether to
allow, deny, or perform further inspection based on the defined security policy rules.
Reference and Justification:
Firewall Deployment – SSL/TLS decryption is part of the firewall’s deep packet inspection and Zero
Trust enforcement strategies.
Security Policies – NGFWs use SSL decryption to enforce security policies, ensuring compliance and
blocking encrypted threats.
VPN Configurations – SSL VPNs and IPsec VPNs also undergo decryption processing in specific
security enforcement zones.
Threat Prevention – Palo Alto’s Threat Prevention engine analyzes decrypted traffic for malware, C2
(Command-and-Control) connections, and exploit attempts.
WildFire – Inspects decrypted traffic for zero-day malware and sandboxing analysis.
Panorama – Provides centralized logging and policy enforcement for SSL decryption events.
Zero Trust Architectures – Decryption is a crucial Zero Trust principle, ensuring encrypted traffic is not
blindly trusted.
Thus, SSL/TLS decryption is the correct answer as it is performed exclusively in the slow path of Palo
Alto Networks NGFWs.
Which Security profile should be queried when investigating logs for upload attempts that were
recently blocked due to sensitive information leaks?
B
Explanation:
When investigating logs for upload attempts that were recently blocked due to sensitive information
leaks, the appropriate Security Profile to query is Data Filtering.
Why Data Filtering?
Data Filtering is a content inspection security profile within Palo Alto Networks Next-Generation
Firewalls (NGFWs) that detects and prevents the unauthorized transmission of sensitive or
confidential data. This security profile is designed to inspect files, text, and patterns in network traffic
and block uploads that match predefined data patterns such as:
Personally Identifiable Information (PII) – e.g., Social Security Numbers, Credit Card Numbers,
Passport Numbers
Financial Data – e.g., Bank Account Numbers, SWIFT Codes
Health Information (HIPAA Compliance) – e.g., Patient Medical Records
Custom Data Patterns – Organizations can define proprietary data patterns for detection
How Data Filtering Works in Firewall Logs?
Firewall Policy Application – The Data Filtering profile is attached to Security Policies that inspect file
transfers (HTTP, FTP, SMB, SMTP, etc.).
Traffic Inspection – The firewall scans the payload for sensitive data patterns before allowing or
blocking the transfer.
Alert and Block Actions – If sensitive data is detected in an upload, the firewall can alert, block, or
quarantine the file transfer.
Log Investigation – Security Administrators can analyze Threat Logs (Monitor > Logs > Data Filtering
Logs) to review:
File Name
Destination IP
Source User
Matched Data Pattern
Action Taken (Allowed/Blocked)
Reference to Firewall Deployment and Security Features:
Firewall Deployment – Data Filtering is enforced at the firewall level to prevent sensitive data
exfiltration.
Security Policies – Configured to enforce Data Filtering rules based on business-critical data
classifications.
VPN Configurations – Ensures encrypted VPN traffic is also subject to data inspection to prevent
insider data leaks.
Threat Prevention – Helps mitigate the risk of data theft, insider threats, and accidental exposure of
sensitive information.
WildFire Integration – Data Filtering can work alongside WildFire to inspect files for advanced threats
and malware.
Panorama – Provides centralized visibility and management of Data Filtering logs across multiple
firewalls.
Zero Trust Architectures – Aligns with Zero Trust principles by enforcing strict content inspection and
access control policies to prevent unauthorized data transfers.
Thus, the correct answer is B. Data Filtering, as it directly pertains to preventing and investigating
data leaks in upload attempts blocked by the firewall.
When using the perfect forward secrecy (PFS) key exchange, how does a firewall behave when SSL
Inbound Inspection is enabled?
A
Explanation:
Perfect Forward Secrecy (PFS) is a cryptographic feature in SSL/TLS key exchange that ensures each
session uses a unique key that is not derived from previous sessions. This prevents attackers from
decrypting historical encrypted traffic even if they obtain the server’s private key.
When SSL Inbound Inspection is enabled on a Palo Alto Networks Next-Generation Firewall (NGFW),
the firewall decrypts inbound encrypted traffic destined for an internal server to inspect it for
threats, malware, or policy violations.
Firewall Behavior with PFS and SSL Inbound Inspection
Meddler-in-the-Middle (MITM) Role – Since PFS prevents session key reuse, the firewall cannot use
static keys for decryption. Instead, it must act as a man-in-the-middle (MITM) between the client and
the internal server.
Decryption Process –
The firewall terminates the SSL session from the external client.
It then establishes a new encrypted session between itself and the internal server.
This allows the firewall to decrypt, inspect, and then re-encrypt traffic before forwarding it to the
server.
Security Implications –
This approach ensures threat detection and policy enforcement before encrypted traffic reaches
critical internal servers.
However, it breaks end-to-end encryption since the firewall acts as an intermediary.
Why Other Options Are Incorrect?
❌
B . It acts transparently between the client and the internal server.
Incorrect, because SSL Inbound Inspection requires the firewall to actively terminate and re-establish
SSL connections, making it a non-transparent MITM.
❌
C . It decrypts inbound and outbound SSH connections.
Incorrect, because SSL Inbound Inspection applies only to SSL/TLS traffic, not SSH connections. SSH
decryption requires a different feature (e.g., SSH Proxy).
❌
D . It decrypts traffic between the client and the external server.
Incorrect, because SSL Inbound Inspection is designed to inspect traffic destined for an internal
server, not external connections. SSL Forward Proxy would be used for outbound traffic decryption.
Reference to Firewall Deployment and Security Features:
Firewall Deployment – SSL Inbound Inspection is used in enterprise environments to monitor
encrypted traffic heading to internal servers.
Security Policies – Decryption policies control which inbound SSL sessions are decrypted.
VPN Configurations – PFS is commonly used in IPsec VPNs, ensuring that keys change per session.
Threat Prevention – Enables deep inspection of SSL/TLS traffic to detect malware, exploits, and data
leaks.
WildFire Integration – Extracts potentially malicious files from encrypted traffic for advanced
sandboxing and malware detection.
Panorama – Provides centralized management of SSL decryption logs and security policies.
Zero Trust Architectures – Ensures encrypted traffic is continuously inspected, aligning with Zero
Trust security principles.
Thus, the correct answer is:
✅
A. It acts as meddler-in-the-middle between the client and the internal server.
What should be reviewed when log forwarding from an NGFW to Strata Logging Service becomes
disconnected?
A
Explanation:
When log forwarding from a Palo Alto Networks NGFW to the Strata Logging Service (formerly Cortex
Data Lake) becomes disconnected, the primary aspect to review is device certificates. This is because
the firewall uses certificates for mutual authentication with the logging service. If these certificates
are missing, expired, or invalid, the firewall will fail to establish a secure connection, preventing log
forwarding.
Key Reasons Why Device Certificates Are Critical
Authentication Requirement – The NGFW uses a Palo Alto Networks-issued device certificate for
authentication before it can send logs to the Strata Logging Service.
Expiration Issues – If the certificate has expired, the NGFW will be unable to authenticate, causing a
disconnection.
Misconfiguration or Revocation – If the certificate is not properly installed, revoked, or incorrectly
assigned, the logging service will reject log forwarding attempts.
Cloud Trust Relationship – The firewall relies on secure cloud-based authentication, where
certificates validate the NGFW’s identity before log ingestion.
How to Verify and Fix Certificate Issues
Check Certificate Status
Navigate to Device > Certificates in the NGFW web interface.
Verify the presence of a valid Palo Alto Networks device certificate.
Look for expiration dates and renew if necessary.
Reinstall Certificates
If the certificate is missing or invalid, reinstall it by retrieving the correct device certificate from the
Palo Alto Networks Customer Support Portal (CSP).
Ensure Correct Certificate Chain
Verify that the correct root CA certificate is installed and trusted by the firewall.
Confirm Connectivity to Strata Logging Service
Ensure that outbound connections to the logging service are not blocked due to misconfigured
security policies, firewalls, or proxies.
Other Answer Choices Analysis
(B) Decryption Profile – SSL/TLS decryption settings affect traffic inspection but have no impact on log
forwarding.
(C) Auth Codes – Authentication codes are used during the initial device registration with Strata
Logging Service but do not impact ongoing log forwarding.
(D) Software Warranty – The firewall’s warranty does not influence log forwarding; however, an
active support license is required for continuous access to Strata Logging Service.
Reference and Justification:
Firewall Deployment – Certificates are fundamental to secure NGFW cloud communication.
Security Policies – Proper authentication ensures logs are securely transmitted.
Threat Prevention & WildFire – Logging failures could impact threat visibility and WildFire analysis.
Panorama – Uses the same authentication mechanisms for centralized logging.
Zero Trust Architectures – Requires strict identity verification, including valid certificates.
Thus, Device Certificates (A) is the correct answer, as log forwarding depends on a valid,
authenticated certificate to establish connectivity with Strata Logging Service.
In Prisma SD-WAN. what is the recommended initial action when VoIP traffic experiences high
latency and packet loss during business hours?
B
Explanation:
VoIP (Voice over IP) traffic is highly sensitive to network conditions, including latency, jitter, and
packet loss. In Prisma SD-WAN, maintaining optimal VoIP quality requires dynamic path selection
and real-time monitoring of network conditions.
Recommended Initial Action: Monitoring Real-Time Path Performance Metrics
When VoIP traffic experiences high latency and packet loss during business hours, the first step is to
analyze real-time path performance metrics in Prisma SD-WAN’s monitoring dashboard.
Why Real-Time Monitoring is Crucial?
Identifies the Affected Links – Prisma SD-WAN continuously monitors path quality metrics for each
available WAN link (e.g., MPLS, broadband, LTE).
Provides Insights on Congestion – Real-time monitoring helps determine whether the issue is caused
by congestion, ISP problems, or packet drops.
Aids in Dynamic Path Selection – Prisma SD-WAN can automatically switch to a better-performing
path based on live telemetry data.
Avoids Unnecessary Configuration Changes – Without accurate diagnostics, changing VPN gateways
or link tags may not address the root cause.
Why Other Options Are Incorrect?
❌
A . Configure a new VPN gateway connection.
Incorrect, because the issue is VoIP performance degradation due to latency and packet loss, not a
VPN gateway failure.
A new VPN connection won’t resolve ongoing traffic congestion in the current SD-WAN path.
❌
C . Add new link tags to existing interfaces.
Incorrect, because adding new link tags does not immediately resolve latency and packet loss issues.
Link tags help classify WAN links for application-aware routing, but the immediate priority is to
analyze performance metrics first.
❌
D . Disable the most recently created path quality.
Incorrect, because disabling a path quality profile without understanding the cause could negatively
impact failover and traffic steering policies.
Instead, monitoring real-time metrics first ensures the right corrective action is taken.
Reference to Firewall Deployment and Security Features:
Firewall Deployment – Prisma SD-WAN is deployed alongside Palo Alto firewalls for network security
and traffic steering.
Security Policies – Ensures VoIP traffic is prioritized with QoS and traffic shaping policies.
VPN Configurations – Uses IPsec tunnels and Dynamic Path Selection (DPS) for optimal WAN
performance.
Threat Prevention – Detects and mitigates network-based attacks impacting VoIP performance.
WildFire Integration – Not directly related but helps detect malicious traffic within VoIP signaling.
Panorama – Centralized logging and monitoring of SD-WAN path quality metrics across multiple
locations.
Zero Trust Architectures – Enforces identity-based access controls for secure VoIP communications.
Thus, the correct answer is:
✅
B. Monitor real-time path performance metrics.
A hospital system allows mobile medical imaging trailers to connect directly to the internal network
of its various campuses. The network security team is concerned about this direct connection and
wants to begin implementing a Zero Trust approach in the flat network.
Which solution provides cost-effective network segmentation and security enforcement in this
scenario?
C
Explanation:
In a Zero Trust Architecture (ZTA), network segmentation is critical to prevent unauthorized lateral
movement within a flat network. Since the hospital system allows mobile medical imaging trailers to
connect directly to its internal network, this poses a significant security risk, as these trailers may
introduce malware, vulnerabilities, or unauthorized access to sensitive medical data.
The most cost-effective and practical solution in this scenario is:
Creating separate security zones for the imaging trailers.
Applying access control and inspection policies via the hospital’s existing core firewalls instead of
deploying new hardware.
Implementing strict policy enforcement to ensure that only authorized communication occurs
between the trailers and the hospital’s network.
Why Separate Zones with Enforcement is the Best Solution?
Network Segmentation for Zero Trust
By placing the medical imaging trailers in their own firewall-enforced zone, they are isolated from
the main hospital network.
This reduces attack surface and prevents an infected trailer from spreading malware to critical
hospital systems.
Granular security policies ensure only necessary communications occur between zones.
Cost-Effective Approach
Uses existing core firewalls instead of deploying costly additional edge firewalls at every campus.
Reduces complexity by leveraging the current security infrastructure.
Visibility & Security Enforcement
The firewall enforces security policies, such as allowing only medical imaging protocols while
blocking unauthorized traffic.
Integration with Threat Prevention and WildFire ensures that malicious files or traffic anomalies are
detected.
Logging and monitoring via Panorama helps the security team track and respond to threats
effectively.
Other Answer Choices Analysis
(A) Deploy edge firewalls at each campus entry point
This is an expensive approach, requiring multiple hardware firewalls at every hospital location.
While effective, it is not the most cost-efficient solution when existing core firewalls can enforce the
necessary segmentation and policies.
(B) Manually inspect large images like holograms and MRIs
This does not align with Zero Trust principles.
Manual inspection is impractical, as it slows down medical workflows.
Threats do not depend on image size; malware can be embedded in small and large files alike.
(D) Configure access control lists (ACLs) on core switches
ACLs are limited in security enforcement, as they operate at Layer 3/4 and do not provide deep
inspection (e.g., malware scanning, user authentication, or Zero Trust enforcement).
Firewalls offer application-layer visibility, which ACLs on switches cannot provide.
Switches do not log and analyze threats like firewalls do.
Reference and Justification:
Firewall Deployment – Firewall-enforced network segmentation is a key practice in Zero Trust.
Security Policies – Granular policies ensure medical imaging traffic is controlled and monitored.
VPN Configurations – If remote trailers are involved, secure VPN access can be enforced within the
zones.
Threat Prevention & WildFire – Firewalls can scan imaging files (e.g., DICOM images) for malware.
Panorama – Centralized visibility into all traffic between hospital zones and trailers.
Zero Trust Architectures – This solution follows Zero Trust principles by segmenting untrusted devices
and enforcing least privilege access.
Thus, Configuring separate zones (C) is the correct answer, as it provides cost-effective segmentation,
Zero Trust enforcement, and security visibility using existing firewall infrastructure.
How does Panorama improve reporting capabilities of an organization's next-generation firewall
deployment?
A
Explanation:
Panorama is Palo Alto Networks’ centralized management platform for Next-Generation Firewalls
(NGFWs). One of its key functions is to aggregate and analyze logs from multiple firewalls, which
significantly enhances reporting and visibility across an organization's security infrastructure.
How Panorama Improves Reporting Capabilities:
Centralized Log Collection – Panorama collects logs from multiple firewalls, allowing administrators
to analyze security events holistically.
Advanced Data Analytics – It provides rich visual reports, dashboards, and event correlation for
security trends, network traffic, and threat intelligence.
Automated Log Forwarding – Logs can be forwarded to SIEM solutions or stored for long-term
compliance auditing.
Enhanced Threat Intelligence – Integrated with Threat Prevention and WildFire, Panorama correlates
logs to detect malware, intrusions, and suspicious activity across multiple locations.
Why Other Options Are Incorrect?
❌
B . By automating all Security policy creations for multiple firewalls.
Incorrect, because while Panorama enables centralized policy management, it does not fully
automate policy creation—administrators must still define and configure policies.
❌
C . By pushing out all firewall policies from a single physical appliance.
Incorrect, because Panorama is available as a virtual appliance as well, not just a physical one.
While it pushes security policies, its primary enhancement to reporting is log aggregation and
analysis.
❌
D . By replacing the need for individual firewall deployment.
Incorrect, because firewalls are still required for traffic enforcement and threat prevention.
Panorama does not replace firewalls; it centralizes their management and reporting.
Reference to Firewall Deployment and Security Features:
Firewall Deployment – Panorama provides centralized log analysis for distributed NGFWs.
Security Policies – Supports policy-based logging and compliance reporting.
VPN Configurations – Provides visibility into IPsec and GlobalProtect VPN logs.
Threat Prevention – Enhances reporting for malware, intrusion attempts, and exploit detection.
WildFire Integration – Stores WildFire malware detection logs for forensic analysis.
Zero Trust Architectures – Supports log-based risk assessment for Zero Trust implementations.
Thus, the correct answer is:
✅
A. By aggregating and analyzing logs from multiple firewalls.
When a user works primarily from a remote location but reports to the corporate office several times
a month, what does GlobalProtect use to determine if the user should connect to an internal
gateway?
C
Explanation:
GlobalProtect is Palo Alto Networks' VPN and Zero Trust remote access solution. It dynamically
determines whether a user should connect to an internal or external gateway based on external host
detection.
How External Host Detection Works:
Preconfigured External Host Detection –
The GlobalProtect agent checks for a predefined trusted external IP address (e.g., the corporate
office’s public IP).
Decision Making –
If the detected IP matches the trusted external host, the GlobalProtect client assumes the user is
inside the corporate network and does not establish a VPN connection.
If the detected IP does not match, GlobalProtect initiates a VPN connection to an external gateway.
Improves Performance & Security –
Prevents unnecessary VPN connections when users are inside the corporate office.
Reduces bandwidth overhead by ensuring only external users connect via VPN.
Why Other Options Are Incorrect?
❌
A . ICMP ping to Panorama management interface.
Incorrect, because GlobalProtect does not use ICMP pings to determine location.
Panorama does not play a role in dynamic gateway selection for GlobalProtect.
❌
B . User login credentials.
Incorrect, because credentials are used for authentication, not for detecting location.
Users authenticate regardless of whether they are inside or outside the network.
❌
D . Reverse DNS lookup of preconfigured host IP.
Incorrect, because Reverse DNS lookups are not used for gateway selection.
DNS lookups can be inconsistent and are not a reliable method for internal/external detection.
Reference to Firewall Deployment and Security Features:
Firewall Deployment – GlobalProtect works with NGFWs to provide secure remote access.
Security Policies – Can enforce different security postures based on internal vs. external user
location.
VPN Configurations – Uses dynamic gateway selection to optimize VPN performance.
Threat Prevention – Protects remote users from phishing, malware, and network-based threats.
WildFire Integration – Inspects files uploaded/downloaded via VPN for threats.
Zero Trust Architectures – Enforces Zero Trust Network Access (ZTNA) by verifying user identity and
device security before granting access.
Thus, the correct answer is:
✅
C. External host detection.
What will collect device information when a user has authenticated and connected to a
GlobalProtect gateway?
C
Explanation:
When a user authenticates and connects to a GlobalProtect gateway, the firewall can collect and
evaluate device information using Host Information Profile (HIP). This feature helps enforce security
policies based on the device’s posture before granting or restricting network access.
Why is HIP the Correct Answer?
What is HIP?
Host Information Profile (HIP) is a feature in GlobalProtect that gathers security-related information
from the endpoint device, such as:
OS version
Patch level
Antivirus status
Disk encryption status
Host-based firewall status
Running applications
How Does HIP Work?
When a user connects to a GlobalProtect gateway, their device submits its HIP report to the firewall.
The firewall evaluates this information against configured security policies.
If the device meets security compliance, access is granted; otherwise, remediation actions (e.g.,
blocking access) can be applied.
Other Answer Choices Analysis
(A) RADIUS Authentication – While RADIUS is used for user authentication, it does not collect device
security posture.
(B) IP Address – The user's IP address is tracked but does not provide device security information.
(D) Session ID – A session ID identifies the user session but does not collect host-based security
details.
Reference and Justification:
Firewall Deployment – HIP profiles help enforce security policies based on device posture.
Security Policies – Administrators use HIP checks to restrict non-compliant devices.
Threat Prevention & WildFire – HIP ensures that endpoints are properly patched and protected.
Panorama – HIP reports can be monitored centrally via Panorama.
Zero Trust Architectures – HIP enforces device trust in Zero Trust models.
Thus, Host Information Profile (HIP) is the correct answer, as it collects device security information
when a user connects to a GlobalProtect gateway.
After a Best Practice Assessment (BPA) is complete, it is determined that dynamic updates for Cloud-
Delivered Security Services (CDSS) used by company branch offices do not match recommendations.
The snippet used for dynamic updates is currently set to download and install updates weekly.
Knowing these devices have the Precision Al bundle, which two statements describe how the settings
need to be adjusted in the snippet? (Choose two.)
A C
Explanation:
A Best Practice Assessment (BPA) evaluates firewall configurations against Palo Alto Networks'
recommended best practices. In this case, the Cloud-Delivered Security Services (CDSS) update
settings do not align with best practices, as they are currently set to weekly updates, which delays
threat prevention.
Best Practices for Dynamic Updates in the Precision AI Bundle
Applications and Threats – Update Daily
Regular updates ensure the firewall detects and blocks the latest exploits, vulnerabilities, and
malware.
Weekly updates are too slow and leave the network vulnerable to newly discovered attacks.
WildFire – Update Every Five Minutes
WildFire is Palo Alto Networks' cloud-based malware analysis engine, which identifies and mitigates
new threats in near real-time.
Updating every five minutes ensures that newly discovered malware signatures are applied quickly.
A weekly update would significantly delay threat response.
Other Answer Choices Analysis
(B) Antivirus should be updated daily.
While frequent updates are recommended, Antivirus in Palo Alto firewalls is updated hourly by
default (not daily).
(D) URL Filtering should be updated hourly.
URL Filtering databases are updated dynamically in the cloud, and do not require fixed hourly
updates.
URL filtering effectiveness depends on cloud integration rather than frequent updates.
Reference and Justification:
Firewall Deployment – Ensuring dynamic updates align with best practices enhances security.
Security Policies – Applications, Threats, and WildFire updates are critical for enforcing protection
policies.
Threat Prevention & WildFire – Frequent updates reduce the window of exposure to new threats.
Panorama – Updates can be managed centrally for branch offices.
Zero Trust Architectures – Requires real-time threat intelligence updates.
Thus, Applications & Threats (A) should be updated daily, and WildFire (C) should be updated every
five minutes to maintain optimal security posture in accordance with BPA recommendations.
Which Panorama centralized management feature allows native and third-party integrations to
monitor VM-Series NGFW logs and objects?
A
Explanation:
In Panorama centralized management, Plugins enable native and third-party integrations to monitor
VM-Series NGFW logs and objects.
How Plugins Enable Integrations in Panorama
Native Integrations – Panorama plugins provide built-in support for cloud environments like AWS,
Azure, GCP, as well as VM-Series firewalls.
Third-Party Integrations – Plugins allow Panorama to send logs and security telemetry to third-party
systems like SIEMs, SOARs, and IT automation tools.
Log Monitoring & Object Management – Plugins help export logs, monitor firewall events, and
manage dynamic firewall configurations in cloud deployments.
Automation and API Support – Plugins extend Panorama’s capabilities by integrating with external
systems via APIs.
Why Other Options Are Incorrect?
❌
B . Template
Incorrect, because Templates are used for configuring firewall settings like network interfaces, not for
log monitoring or third-party integrations.
❌
C . Device Group
Incorrect, because Device Groups manage firewall policies and objects, but do not handle log
forwarding or third-party integrations.
❌
D . Log Forwarding Profile
Incorrect, because Log Forwarding Profiles define how logs are sent, but do not provide integration
capabilities with third-party tools.
Reference to Firewall Deployment and Security Features:
Firewall Deployment – Panorama uses plugins to integrate VM-Series NGFWs with cloud platforms.
Security Policies – Plugins support policy-based log forwarding and integration with external security
tools.
VPN Configurations – Cloud-based VPNs can be managed and monitored using plugins.
Threat Prevention – Plugins enable SIEM integration to monitor threat logs.
WildFire Integration – Some plugins support automated malware analysis and reporting.
Zero Trust Architectures – Supports log-based security analytics for Zero Trust enforcement.
Thus, the correct answer is:
✅
A. Plugin
Which two components of a Security policy, when configured, allow third-party contractors access to
internal applications outside business hours? (Choose two.)
AB
Explanation:
To allow third-party contractors access to internal applications outside business hours, the Security
Policy must include:
User-ID –
Identifies specific users (e.g., third-party contractors) and applies access rules accordingly.
Ensures that only authenticated users from the contractor group receive access.
Schedule –
Specifies the allowed access time frame (e.g., outside business hours: 6 PM - 6 AM).
Ensures that contractors can only access applications during designated off-hours.
Why Other Options Are Incorrect?
❌
C . Service
Incorrect, because Service defines ports and protocols, not user identity or time-based access
control.
❌
D . App-ID
Incorrect, because App-ID identifies and classifies applications, but does not restrict access based on
user identity or time.
Reference to Firewall Deployment and Security Features:
Firewall Deployment – Ensures contractors access internal applications securely via User-ID and
Schedule.
Security Policies – Implements granular time-based and identity-based access control.
VPN Configurations – Third-party contractors may access applications through GlobalProtect VPN.
Threat Prevention – Reduces attack risks by limiting access windows for third-party users.
WildFire Integration – Ensures downloaded contractor files are scanned for threats.
Zero Trust Architectures – Supports least-privilege access based on user identity and time
restrictions.
Thus, the correct answers are:
✅
A. User-ID
✅
B. Schedule
Which two policies in Strata Cloud Manager (SCM) will ensure the personal data of employees
remains private while enabling decryption for mobile users in Prisma Access? (Choose two.)
CD
Explanation:
In Strata Cloud Manager (SCM), policies need to balance privacy while ensuring secure decryption for
mobile users in Prisma Access. The correct approach involves:
SSL Forward Proxy (C) – Enables decryption of outbound SSL traffic, allowing security inspection
while ensuring unauthorized data does not leave the network.
No Decryption (D) – Excludes personal data from being decrypted, ensuring compliance with privacy
regulations (e.g., GDPR, HIPAA) and protecting sensitive employee information.
Why These Two Policies?
SSL Forward Proxy (C)
Decrypts outbound SSL traffic from mobile users.
Inspects traffic for malware, data exfiltration, and compliance violations.
Ensures corporate security policies are enforced on user traffic.
No Decryption (D)
Ensures privacy-sensitive traffic (e.g., online banking, healthcare portals) remains untouched.
Exclusions can be defined based on categories, user groups, or destinations.
Helps maintain regulatory compliance while still securing other traffic.
Other Answer Choices Analysis
(A) SSH Decryption – Not relevant in this context, as SSH traffic is typically used for administrative
access rather than mobile user web browsing.
(B) SSL Inbound Inspection – Used for inbound traffic to company-hosted servers, not for securing
outbound traffic from mobile users.
Reference and Justification:
Firewall Deployment – SSL Forward Proxy enables traffic visibility, No Decryption protects privacy.
Security Policies – Defines what traffic should or should not be decrypted.
Threat Prevention & WildFire – Decryption helps detect hidden threats while excluding sensitive
personal data.
Zero Trust Architectures – Ensures least-privilege access while maintaining privacy compliance.
Thus, SSL Forward Proxy (C) and No Decryption (D) are the correct answers, as they balance security
and privacy for mobile users in Prisma Access.
Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to
changes in server roles or security posture based on log events?
A
Explanation:
A Dynamic Address Group (DAG) is a firewall feature that automatically updates firewall rules based
on changing attributes of devices, servers, or endpoints. This allows engineers to simplify rule
creation and ensure policies remain up-to-date without manual intervention.
Why Dynamic Address Groups?
Automatically Adapts to Changes
DAGs use log events, tags, and attributes to dynamically update firewall rules.
If a server role changes (e.g., a web server becomes an application server), it is automatically placed
in the correct security rule without requiring manual updates.
Simplifies Rule Creation
Instead of manually defining static IP addresses, engineers use logical groupings based on metadata,
such as VM tags, cloud attributes, or user roles.
Ensures policies remain accurate even when IP addresses or security postures change.
Other Answer Choices Analysis
(B) Dynamic User Groups – Controls policies based on user identity, not server roles or log-based
attributes.
(C) Predefined IP Addresses – Static and does not adapt to infrastructure changes.
(D) Address Objects – Manually defined and does not dynamically adjust based on log events or
security posture.
Reference and Justification:
Firewall Deployment – DAGs help dynamically assign security policies based on real-time data.
Security Policies – Automatically applies correct rules based on changing attributes.
Threat Prevention & WildFire – Ensures that compromised systems are automatically placed under
restrictive security policies.
Panorama – DAGs are managed centrally, ensuring uniform policy enforcement across multiple
firewalls.
Zero Trust Architectures – Dynamic adaptation ensures least-privilege access enforcement as
environments change.
Thus, Dynamic Address Groups (A) is the correct answer, as it simplifies rule creation and ensures
automatic adaptation to changes in server roles or security posture.