To maintain security efficacy of its public cloud resources by using native tools, a company purchases Cloud NGFW credits to replicate the Panorama, PA-Series, and VM-Series devices used in physical data centers. Resources exist on AWS and Azure:

- The AWS deployment is architected with AWS Transit Gateway, to which all resources connect.
- The Azure deployment is architected with each application independently routing traffic.

The engineer deploying Cloud NGFW in these two cloud environments must account for the following:

- Minimize changes to the two cloud environments.
- Scale to the demands of the applications while using the least amount of compute resources.
- Allow the company to unify the Security policies across all protected areas.

Which two implementations will meet these requirements? (Choose two.)

Answer: B, D

Explanation:
To meet the company's requirements - minimizing changes to the cloud environments, optimizing compute resources, and unifying security policies - the best approach is to deploy Cloud NGFW solutions natively for AWS and Azure while managing policies centrally with Panorama.

In Azure, using Cloud NGFW for Azure deployed within vNETs allows traffic to be routed through security appliances efficiently without requiring a complete re-architecture. This approach aligns with Azure's existing routing mechanism while maintaining security.

In AWS, deploying Cloud NGFW for AWS in a centralized Security VPC and integrating it with AWS Transit Gateway enables traffic inspection for all connected VPCs without modifying individual workloads. This method ensures efficient scaling and minimal infrastructure changes while maintaining security consistency.

During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall.

Which firewall models support this configuration?

Answer: C

Explanation:
The Advanced Routing Engine (ARE) is supported on Palo Alto Networks firewalls that utilize the PAN-OS 11.0+ software and have the required hardware architecture. The supported models include PA-3200 Series, PA-5400 Series, PA-800 Series, and PA-400 Series. These models provide enhanced routing capabilities, including BGP, OSPF, and more complex routing policies.

PA-3260 and PA-5410 are part of the PA-3200 and PA-5400 Series, which are known to support ARE. PA-850 and PA-460 are within the PA-800 and PA-400 Series, which also support ARE.

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)

Answer: C, D

Explanation:
Separate rules must be created for each direction: Palo Alto Networks firewalls enforce security policies based on traffic direction. To allow bidirectional communication through the IPSec tunnel, two separate rules are required - one for incoming and one for outgoing traffic.

IKE negotiation and IPSec/ESP packets are denied by default: Palo Alto Networks firewalls use an interzone default deny policy, meaning that unless an explicit policy allows IKE (UDP 500/4500) and ESP (IP protocol 50) traffic, the firewall will block these packets, preventing tunnel establishment. Therefore, administrators must create explicit rules permitting IKE and IPSec/ESP traffic to the firewall's external interface.

Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?

Answer: C

Explanation:
Terraform is an Infrastructure-as-Code (IaC) tool that automates the provisioning and management of infrastructure resources, including Palo Alto Networks Next-Generation Firewalls (NGFWs). By using Terraform configuration files, administrators can define and deploy NGFW instances across cloud environments (such as AWS, Azure, and GCP) efficiently and consistently.

Terraform enables:

- Automated firewall deployment in cloud environments.
- Configuration of security policies and networking settings in a declarative manner.
- Scalability and repeatability, reducing manual intervention in firewall provisioning.

By default, which type of traffic is configured by service route configuration to use the management interface?

Answer: D

Explanation:
By default, the Autonomous Digital Experience Manager (ADEM) traffic is configured to use the management interface in a Palo Alto Networks firewall. The management interface is typically used for management-related traffic, such as monitoring and logging, and it is configured to handle ADEM-related traffic for the optimal performance of digital experience monitoring features.

This default configuration helps ensure that ADEM traffic does not interfere with regular traffic that may traverse other interfaces, such as traffic from security zones or IPSec tunnels.

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

Answer: A

Explanation:
To enable the Advanced Routing Engine (ARE) on a Palo Alto Networks firewall, the license for the ARE must be applied first. Without the proper license, the firewall cannot activate and use the advanced routing features provided by ARE, such as support for more complex routing protocols (e.g., BGP, OSPF, etc.).

Once the license is applied and validated, the routing engine can be configured, allowing the creation of logical routers and routing policies.

Which two zone types are valid when configuring a new security zone? (Choose two.)

Answer: A, D

Explanation:
When configuring a new security zone on a Palo Alto Networks firewall, the two valid zone types are:

- Tunnel: A Tunnel zone is used for traffic that is associated with a VPN tunnel, such as IPSec tunnels. Traffic passing through a tunnel interface is classified into this zone.
- Virtual Wire: A Virtual Wire zone is used when a firewall operates in transparent mode (also known as Layer 2 mode). In this configuration, the firewall can inspect traffic without modifying the IP address structure of the network.

An organization has configured GlobalProtect in a hybrid authentication model using both certificate-based authentication for the pre-logon stage and SAML-based multi-factor authentication (MFA) for user logon.

How does the GlobalProtect agent process the authentication flow on Windows endpoints?

Answer: A

Explanation:
In a hybrid authentication model with both certificate-based authentication for pre-logon and SAML-based multi-factor authentication (MFA) for user logon, the GlobalProtect agent processes the flow as follows:

- During the pre-logon stage, the agent uses the machine certificate to authenticate and establish the initial VPN tunnel.
- Once the user logs in (after the machine is connected), the agent then triggers SAML-based MFA to ensure the user is authenticated with multi-factor authentication, validating both the device and the user identity before granting full access.

This method ensures that both the device and user are properly authenticated and validated in the hybrid authentication model.

An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service.

Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?

Answer: D

Explanation:
To begin sending logs to Strata Logging Service while continuing to forward them to Panorama log collectors, the necessary configuration is to enable Cloud Logging. This option is configured in the Cloud Logging section under Device → Setup → Management in the appropriate templates. Once enabled, this ensures that logs are directed both to the Strata Logging Service (cloud) and to the Panorama log collectors.

An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is reported that clients located behind the various interfaces cannot communicate with each other.

Which action taken by the engineer will resolve this issue?

Answer: B

Explanation:
In a Layer 2 configuration, interfaces are typically grouped into the same Layer 2 zone. When the interfaces are assigned to the same VLAN, the firewall will treat them as part of the same broadcast domain.

In a Layer 2 setup, interfaces must be in the same Layer 2 zone to allow the traffic within the same VLAN to pass. Additionally, a security policy must be configured to allow traffic within this VLAN or zone. This will resolve the issue by ensuring that traffic is permitted between clients behind different interfaces assigned to the same VLAN.

In a Palo Alto Networks environment, GlobalProtect has been enabled using certificate-based authentication for both users and devices. To ensure proper validation of certificates, one or more certificate profiles are configured.

What function do certificate profiles serve in this context?

Answer: B

Explanation:
In the context of GlobalProtect with certificate-based authentication, certificate profiles are used to ensure proper validation of the certificates. They perform the following functions:

- Define trust anchors, which are the root and intermediate Certificate Authorities (CAs) that the firewall trusts to authenticate certificates.
- Specify revocation checks, such as CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol), to ensure that the certificates being used have not been revoked.
- Map certificate attributes, such as the Common Name (CN), which helps in authenticating users and devices based on their certificates.

How does a Palo Alto Networks NGFW respond when the preemptive hold time is set to 0 minutes during configuration of route monitoring?

Answer: D

Explanation:
When the preemptive hold time is set to 0 minutes in route monitoring, the firewall is configured to immediately reinstall the route into the Routing Information Base (RIB) as soon as the monitored path comes up. This essentially means that the firewall will not wait for any predefined hold time before reestablishing the route once the monitoring condition is met, ensuring a faster recovery of the route.

After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish.

Which of the following actions will resolve this issue?

Answer: B

Explanation:
The Proxy IDs (or Traffic Selectors) define the local and remote subnets that are allowed to communicate over the IPSec tunnel. If the Proxy IDs on the Palo Alto Networks firewall do not match the configuration on the Cisco ASA, the tunnel will fail to establish because the firewalls won't agree on which traffic to encrypt. Ensuring that the Proxy IDs match between the Palo Alto Networks firewall and the Cisco ASA will resolve the issue.

Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?

Answer: C

Explanation:
In a High Availability (HA) active/passive pair configuration, when setting up an Aggregate Ethernet (AE) interface, enabling the "Enable in HA Passive State" option allows the interface to participate in LACP (Link Aggregation Control Protocol) even when the system is in the passive state. This ensures that the pre-negotiation of the LACP link occurs, allowing the link aggregation to be ready as soon as the firewall becomes active.

When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

Answer: D

Explanation:
When integrating Kubernetes with Palo Alto Networks NGFWs, the CN-Series firewalls are specifically designed to secure traffic between microservices in containerized environments. These firewalls provide advanced security features like Application Identification (App-ID), URL filtering, and Threat Prevention to secure communication between containers and microservices within a Kubernetes environment.