Which procedure is most effective for maintaining continuity and security during a Prisma Access
data plane software upgrade?
A
Explanation:
The best practice for Prisma Access data plane upgrades involves backing up configurations,
scheduling upgrades during off-peak hours, and using a phased approach to minimize disruption and
maintain continuity. As per the Palo Alto Networks documentation:
“To minimize disruptions, it is recommended to perform Prisma Access upgrades during non-
business hours and in a phased manner, starting with less critical sites to validate the process before
moving to critical locations. Backup configurations and validate the system’s readiness to avoid data
loss and maintain service continuity.”
(Source: Prisma Access Best Practices)
An NGFW administrator is updating PAN-OS on company data center firewalls managed by Panorama.
Prior to installing the update, what must the administrator verify to ensure the devices will
continue to be supported by Panorama?
D
Explanation:
The firewall must be running a PAN-OS version that is supported by Panorama. This means that
Panorama must be running the same PAN-OS version as, or a newer version than, the one being
installed on the firewalls to maintain compatibility.
“Before you upgrade the firewall, ensure that Panorama is running the same or a later PAN-OS
version than the firewall. Panorama must always be at the same or a higher version to maintain
compatibility.”
(Source: Panorama Admin Guide – Upgrade Process)
In which two applications can Prisma Access threat logs for mobile user traffic be reviewed? (Choose
two.)
B, C
Explanation:
Threat logs for Prisma Access mobile users can be reviewed in both Strata Cloud Manager (SCM) and
Strata Logging Service. Prisma Cloud and service connection firewalls are not directly tied to mobile
user traffic logs.
“Prisma Access logs are available in the Strata Cloud Manager and can also be sent to the Strata
Logging Service for detailed analysis and threat visibility.”
(Source: Prisma Access Administration Guide)
Which two tools can be used to configure Cloud NGFWs for AWS? (Choose two.)
C, D
Explanation:
Cloud NGFW for AWS can be configured using Panorama for centralized management, as well as the
AWS management console for native integration and configuration.
“You can configure Cloud NGFW for AWS using Panorama for centralized security management, or
directly through the AWS management console to deploy and manage security services for your AWS
resources.”
(Source: Cloud NGFW for AWS Guide)
Using Prisma Access, which solution provides the most security coverage of network protocols for
the mobile workforce?
B
Explanation:
Client-based VPN solutions like GlobalProtect provide full coverage for the mobile workforce by
extending the enterprise security stack to remote endpoints. The client establishes a secure tunnel,
allowing consistent security policies across the enterprise perimeter and the mobile workforce.
“GlobalProtect is a client-based VPN that provides secure, consistent protection for mobile users by
extending the security capabilities of Prisma Access to remote endpoints, covering all network
protocols.”
(Source: GlobalProtect Admin Guide)
Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two.)
B, C
Explanation:
When implementing SSL Forward Proxy decryption for outbound traffic, two key challenges that must
be evaluated are:
Incomplete certificate chains: This occurs when the firewall cannot validate the entire certificate
chain for a site, which may cause decryption failures.
Certificate pinning: Applications like banking apps may use certificate pinning to prevent MITM
(man-in-the-middle) attacks, and these applications will break if SSL Forward Proxy is used.
“When decrypting outbound SSL traffic, you must consider incomplete certificate chains, which can
cause decryption to fail if the firewall cannot validate the entire chain. Also, be aware of certificate
pinning in applications that prevents decryption by rejecting forged certificates.”
(Source: Palo Alto Networks Decryption Concepts)
Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to
changes in server roles or security posture based on log events?
B
Explanation:
Dynamic Address Groups enable the firewall to automatically adjust security policies based on tags
assigned dynamically (via log events, API, etc.). This eliminates the need for manual updates to
policies when server roles or IPs change.
“Dynamic Address Groups allow you to create policies that automatically adapt to changes in the
environment. These groups are populated dynamically based on tags, enabling automated security
policy updates without manual intervention.”
(Source: Dynamic Address Groups)
How does a firewall behave when SSL Inbound Inspection is enabled?
D
Explanation:
SSL Inbound Inspection allows the firewall to decrypt incoming encrypted traffic to internal servers
(e.g., web servers) by acting as a man-in-the-middle (MITM). The firewall uses the private key of the
server to decrypt the session and apply security policies before re-encrypting the traffic.
“SSL Inbound Inspection requires you to import the server’s private key and certificate into the
firewall. The firewall then acts as a man-in-the-middle (MITM) to decrypt inbound sessions from
external clients to internal servers for inspection.”
(Source: SSL Inbound Inspection)
When a firewall acts as an application-level gateway (ALG), what does it require in order to establish
a connection?
B
Explanation:
An ALG is designed to inspect and modify the payload of application-layer protocols (like SIP, FTP,
etc.) to manage dynamic port allocations and session information.
“Application Layer Gateways (ALGs) inspect the payload of certain protocols to dynamically manage
sessions that use dynamic port assignments. By modifying payloads, the ALG ensures that NAT and
security policies are correctly applied.”
(Source: ALG Support)
Which security profile provides real-time protection against threat actors who exploit the
misconfigurations of DNS infrastructure and redirect traffic to malicious domains?
D
Explanation:
The Anti-Spyware profile includes DNS-based protections like sinkholing and detection of DNS
queries to malicious domains, offering real-time protection against attacks that exploit DNS
misconfigurations.
“The Anti-Spyware profile protects against DNS-based threats by sinkholing DNS queries to malicious
domains and detecting suspicious DNS activity, thus blocking data exfiltration and C2
communication.”
(Source: Anti-Spyware Profiles)
Which method in the WildFire analysis report detonates unknown submissions to provide visibility
into real-world effects and behavior?
A
Explanation:
Dynamic analysis in WildFire refers to executing unknown files in a controlled environment (sandbox)
to observe their real-world behavior. This allows the firewall to detect zero-day threats and advanced
malware by directly analyzing the file’s impact on a system.
“WildFire dynamic analysis detonates unknown files in a secure sandbox environment, analyzing
real-world effects, behaviors, and potential malicious activity.”
(Source: WildFire Analysis)
How many places will a firewall administrator need to create and configure a custom data loss
prevention (DLP) profile across Prisma Access and the NGFW?
A
Explanation:
Palo Alto Networks' Enterprise DLP uses a centralized DLP profile that can be applied consistently
across both Prisma Access and NGFWs using Strata Cloud Manager (SCM). This eliminates the need
for duplicating efforts across multiple locations.
“Enterprise DLP profiles are created and managed centrally through the Cloud Management
Interface and can be used seamlessly across NGFW and Prisma Access deployments.”
(Source: Enterprise DLP Overview)
A cloud security architect is designing a certificate management strategy for Strata Cloud Manager
(SCM) across hybrid environments. Which practice ensures optimal security with low management
overhead?
A
Explanation:
A centralized certificate automation approach reduces management overhead and security risks by
standardizing processes, automating renewals, and continuously monitoring the certificate lifecycle.
“Implementing a centralized certificate management approach with automation and continuous
monitoring ensures optimal security while reducing operational complexity in hybrid environments.”
(Source: Best Practices for Certificate Management)
Which set of practices should be implemented with Cloud Access Security Broker (CASB) to ensure
robust data encryption and protect sensitive information in SaaS applications?
D
Explanation:
CASB integration should focus on comprehensive data protection, which includes encryption for
data at rest and in transit, frequent key updates, and strong encryption algorithms to ensure
confidentiality and data integrity.
“CASB solutions should enforce encryption for data-at-rest and in transit, implement key rotation
policies, and leverage robust encryption algorithms to protect sensitive SaaS application data.”
(Source: CASB Deployment Best Practices)
How does Strata Logging Service help resolve ever-increasing log retention needs for a company
using Prisma Access?
C
Explanation:
The Strata Logging Service offers scalable log storage to accommodate data growth, which ensures
organizations can retain logs for compliance and threat hunting as their environments expand.
“The Strata Logging Service is designed to scale dynamically to accommodate growing log retention
needs, allowing enterprises to maintain comprehensive visibility as they expand their network
footprint.”
(Source: Strata Logging Service Overview)