PCSFE-Topic-3
Question #: 95
Topic #: 1
What does GlobalProtect gateway use to determine which resources a compliant device should be accessing and a non-compliant device should not be accessing?
A. VPN posture
B. Device posture
C. Host information profile (HIP)
D. Host posture
Selected Answer: C
Question #: 94
Topic #: 1
Which tool or actions should users employ to estimate the amount of flex credits for VM-Series and CN-Series deployment?
A. Cloud NGFW for AWS Pricing Estimator
B. Open up a support case
C. Software NGFW Flex Credits Calculator
D. Software NGFW Credit Estimator
Selected Answer: D
Question #: 93
Topic #: 1
What is the correct sequence of events for offloading by the Intelligent Traffic Offload (ITO) service?
A. Sample packets sent to ITO > ITO instructs Smart NIC to inspect or bypass > Smart NIC sends rest of flow to VM-Series for inspection
B. ITO instructs Smart NIC to inspect or bypass > Sample packets sent to ITO > Smart NIC forwards flow directly to destination
C. Sample packets sent to ITO > ITO instructs Smart NIC to inspect or bypass > Smart NIC forwards flow directly to destination
D. ITO instructs Smart NIC to inspect or bypass > Sample packets sent to ITO > Smart NIC sends rest of flow to VM-Series for inspection
Selected Answer: C
Question #: 66
Topic #: 1
What needs to be configured to deploy VM-Series firewalls in Azure as an Active/Active High Availability (HA) pair?
A. Active/Active HA is not supported in Azure
B. HA3 Link
C. Floating IP Address
D. HA1 and HA2 Link
Selected Answer: A
Question #: 80
Topic #: 1
To get the current auth code applied to a CN-Series firewall, which Panorama CLI command should be used?
A. requests plugins kubernetes get-license-tokens
B. requests plugins kubernetes get-node-license-info
C. requests tech-support dump
D. requests plugins vm-series list-dp-pods
Selected Answer: A
Question #: 77
Topic #: 1
Which plugin is used to create and push device group-based policies to the Cloud NGFW?
A. Panorama AWS
B. Zero Touch Provisioning (ZTP)
C. Panorama Interconnect
D. Cloud Services
Selected Answer: A
Question #: 70
Topic #: 1
With the Panorama plugin for VM-Series installed, Panorama can collect a predefined set of attributes from which services in Amazon Web Services (AWS) as tags and populate it in the VM-Series firewall?
A. Load balancers
B. VPCs
C. Transit gateways
D. EC2 instances
Selected Answer: D
Question #: 67
Topic #: 1
Organizations using multiple public and private cloud platforms can deploy and configure the VM-Series using which three toolsets? (Choose three.)
A. Panorama
B. Terraform
C. GitHub
D. Ansible
E. CloudFormation
Selected Answer: ABD
Question #: 63
Topic #: 1
Which two criteria are required to deploy VM-Series firewalls in high availability (HA)? (Choose two.)
A. Assignment of identical licenses and subscriptions
B. Deployment on a different host
C. Configuration of asymmetric routing
D. Deployment on same type of hypervisor
Selected Answer: AD
Question #: 23
Topic #: 1
Which two methods of Zero Trust implementation can benefit an organization? (Choose two.)
A. Compliance is validated.
B. Boundaries are established.
C. Security automation is seamlessly integrated.
D. Access controls are enforced.
Selected Answer: BD
Question #: 61
Topic #: 1
Which service, when enabled, provides inbound traffic protection?
A. Advanced URL Filtering (AURLF)
B. Threat Prevention
C. Data loss prevention (DLP)
D. DNS Security
Selected Answer: B
Question #: 55
Topic #: 1
How are CN-Series firewalls licensed?
A. Data-plane vCPU
B. Service-plane vCPU
C. Management-plane vCPU
D. Control-plane vCPU
Selected Answer: A
Question #: 53
Topic #: 1
Which two routing options are supported by VM-Series? (Choose two.)
A. OSPF
B. RIP
C. BGP
D. IGRP
Selected Answer: AC
Question #: 26
Topic #: 1
Why are VM-Series firewalls and hardware firewalls that are external to the Kubernetes cluster problematic for protecting containerized workloads?
A. They are located outside the cluster and have no visibility into application-level cluster traffic.
B. They do not scale independently of the Kubernetes cluster.
C. They are managed by another entity when located inside the cluster.
D. They function differently based on whether they are located inside or outside of the cluster.
Selected Answer: C
Question #: 21
Topic #: 1
What Palo Alto Networks software firewall protects Amazon Web Services (AWS) deployments with network security delivered as a managed cloud service?
A. VM-Series
B. Cloud next-generation firewall (NGFW)
C. CN-Series
D. Ion-Series
Selected Answer: B
Question #: 15
Topic #: 1
A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.
How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?
A. Edit the IP address of all of the affected VMs.
B. Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.
C. Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).
D. Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.
Selected Answer: B
Question #: 10
Topic #: 1
How is traffic directed to a Palo Alto Networks firewall integrated with Cisco ACI?
A. By using contracts between endpoint groups that send traffic to the firewall using a shared policy
B. Through a virtual machine (VM) monitor domain
C. Through a policy-based redirect (PBR)
D. By creating an access policy
Selected Answer: C
Question #: 24
Topic #: 1
Which two actions can be performed for VM-Series firewall licensing by an orchestration system? (Choose two.)
A. Creating a license
B. Renewing a license
C. Registering an authorization code
D. Downloading a content update
Selected Answer: BC
Question #: 8
Topic #: 1
Which two statements apply to the VM-Series plugin? (Choose two.)
A. It can manage capabilities common to both VM-Series firewalls and hardware firewalls.
B. It can be upgraded independently of PAN-OS.
C. It enables management of cloud-specific interactions between VM-Series firewalls and supported public cloud platforms.
D. It can manage Panorama plugins.
Selected Answer: BC
Question #: 6
Topic #: 1
Which feature provides real-time analysis using machine learning (ML) to defend against new and unknown threats?
A. Advanced URL Filtering (AURLF)
B. Cortex Data Lake
C. DNS Security
D. Panorama VM-Series plugin
Selected Answer: A
Question #: 2
Topic #: 1
Which two mechanisms could trigger a high availability (HA) failover event? (Choose two.)
A. Heartbeat polling
B. Ping monitoring
C. Session polling
D. Link monitoring
Selected Answer: A
Question #: 5
Topic #: 1
A CN-Series firewall can secure traffic between which elements?
A. Host containers
B. Source applications
C. Containers
D. Pods
Selected Answer: B
Question #: 99
Topic #: 1
How many tokens are consumed for each vCPU used in a CN-Series firewall?
A. 1
B. 2
C. 4
D. 8
Selected Answer: A
Question #: 52
Topic #: 1
Which feature must be configured in an NSX environment to ensure proper operation of a VM-Series firewall in order to secure east-west traffic?
A. Deployment of the NSX DFW
B. VMware Information Sources
C. User-ID agent on a Windows domain server
D. Device groups within VMware Services Manager
Selected Answer: A
Question #: 30
Topic #: 1
When implementing active-active high availability (HA), which feature must be configured to allow the HA pair to share a single IP address that may be used as the network’s gateway IP address?
A. ARP load sharing
B. Floating IP address
C. HSRP
D. VRRP
Selected Answer: D
Question #: 82
Topic #: 1
What is the minimum number of management interfaces created when the Google Cloud Platform (GCP) Marketplace deploys an instance of the VM-Series firewall?
A. 1
B. 2
C. 3
D. 4
Selected Answer: A
Question #: 69
Topic #: 1
Which type of Terraform code is commonly used to deploy infrastructure as code (IaC)?
A. Library
B. SDK
C. Module
D. Plugin
Selected Answer: C
Question #: 28
Topic #: 1
What is a design consideration for a prospect who wants to deploy VM-Series firewalls in an Amazon Web Services (AWS) environment?
A. Special AWS plugins are needed for load balancing.
B. Resources are shared within the cluster.
C. Only active-passive high availability (HA) is supported.
D. High availability (HA) clusters are limited to fewer than 8 virtual appliances.
Selected Answer: B
Question #: 29
Topic #: 1
Which three NSX features can be pushed from Panorama in PAN-OS? (Choose three.)
A. Security group assignment of virtual machines (VMs)
B. Security groups
C. Steering rules
D. User IP mappings
E. Multiple authorization codes
Selected Answer: ABC