PSE-Strata-Topic-2
Question #: 78
Topic #: 1
What are two benefits of the sinkhole Internet Protocol (IP) address that DNS Security sends to the client in place of malicious IP addresses? (Choose two.)
A. It represents the remediation server that the client should visit for patching.
B. In situations where the internal DNS server is between the client and the firewall, it gives the firewall the ability to identify the clients who originated the query to the malicious domain.
C. The client communicates with it instead of the malicious IP address.
D. It will take over as the new DNS resolver for that client and prevent further DNS requests from occurring in the meantime.
Selected Answer: BC
Question #: 74
Topic #: 1
A customer is starting to understand their Zero Trust protect surface using the Palo Alto Networks Zero Trust reference architecture.
What are two steps in this process? (Choose two.)
A. Prioritize securing the endpoints of privileged users because if non-privileged user endpoints are exploited, the impact will be minimal due to perimeter controls.
B. Categorize data and applications by levels of sensitivity.
C. Gain visibility of and control over applications and functionality in the traffic flow using a port and protocol firewall.
D. Validate user identities through authentication.
Selected Answer: B
Question #: 67
Topic #: 1
What is an advantage public cloud WildFire has over the private WildFire appliance?
A. signatures being available within minutes to protect global users once malware has been submitted
B. generating malware reports
C. using different types of operating systems (OSs) to test malware against
D. generating antivirus and domain name system (DNS) signatures for discovered malware and assigning a Uniform Resource Locator (URL) category to malicious links
Selected Answer: A
Question #: 66
Topic #: 1
Which two features can be enabled to support asymmetric routing with redundancy on a Palo Alto Networks next-generation firewall (NGFW)? (Choose two.)
A. multiple virtual systems
B. active / active high availability (HA)
C. non-SYN first packet
D. asymmetric routing profile
Selected Answer: B
Question #: 65
Topic #: 1
Which of the following statements is valid with regard to Domain Name System (DNS) sinkholing?
A. It requires the Vulnerability Protection profile to be enabled.
B. It requires a Sinkhole license in order to activate.
C. DNS sinkholing signatures are packaged and delivered through Vulnerability Protection updates.
D. Infected hosts connecting to the Sinkhole Internet Protocol (IP) address can be identified in the traffic logs.
Selected Answer: D
Question #: 64
Topic #: 1
Which two features are key in preventing unknown targeted attacks? (Choose two.)
A. Single Pass Parallel Processing (SP3)
B. nightly botnet report
C. App-ID with the Zero Trust model
D. WildFire Cloud threat analysis
Selected Answer: CD
Question #: 54
Topic #: 1
Which functionality is available to firewall users with an active Threat Prevention subscription, but no WildFire license?
A. Access to the WildFire API
B. WildFire hybrid deployment
C. PE file upload to WildFire
D. 5 minute WildFire updates to threat signatures
Selected Answer: C
Question #: 47
Topic #: 1
Which three platform components can identify and protect against malicious email links? (Choose three.)
A. WildFire hybrid cloud solution
B. WildFire public cloud
C. WF-500
D. M-200
E. M-600
Selected Answer: ABC
Question #: 41
Topic #: 1
Which three considerations should be made prior to installing a decryption policy on the NGFW? (Choose three.)
A. Include all traffic types in decryption policy
B. Inability to access websites
C. Exclude certain types of traffic in decryption policy
D. Deploy decryption setting all at one time
E. Ensure throughput is not an issue
Selected Answer: BCE
Question #: 37
Topic #: 1
Which three script types can be analyzed in WildFire? (Choose three.)
A. JScript
B. PythonScript
C. PowerShell Script
D. VBScript
E. MonoScript
Selected Answer: ACD
Question #: 35
Topic #: 1
Palo Alto Networks publishes updated Command-and-Control signatures.
How frequently should the related signatures schedule be set?
A. Once an hour
B. Once a day
C. Once a week
D. Once every minute
Selected Answer: B
Question #: 23
Topic #: 1
Which three settings must be configured to enable Credential Phishing Prevention? (Choose three.)
A. validate credential submission detection
B. enable User-ID
C. define an SSL decryption rulebase
D. define URL Filtering Profile
E. Enable App-ID
Selected Answer: BCD
Question #: 21
Topic #: 1
Which three features are used to prevent abuse of stolen credentials? (Choose three.)
A. multi-factor authentication
B. URL Filtering Profiles
C. WildFire Profiles
D. Prisma Access
E. SSL decryption rules
Selected Answer: ABE
Question #: 13
Topic #: 1
Which three categories are identified as best practices in the Best Practice Assessment tool? (Choose three.)
A. use of device management access and settings
B. identify sanctioned and unsanctioned SaaS applications
C. expose the visibility and presence of command-and-control sessions
D. measure the adoption of URL filters, App-ID, User-ID
E. use of decryption policies
Selected Answer: ADE
Question #: 9
Topic #: 1
Which task would be identified in the Best Practice Assessment tool?
A. identify the visibility and presence of command-and-control sessions
B. identify sanctioned and unsanctioned SaaS applications
C. identify the threats associated with each application
D. identify and provide recommendations for device management access
Selected Answer: D
Question #: 51
Topic #: 1
What action would address the sub-optimal traffic path shown in the figure?
Key:
RN – Remote Network
SC – Service Connection
MU GW – Mobile User Gateway
A. Onboard a Service Connection in the Americas region
B. Remove the Service Connection in the EMEA region
C. Onboard a Service Connection in the APAC region
D. Onboard a Remote Network location in the EMEA region
Selected Answer: A
Question #: 80
Topic #: 1
What are three key benefits of the Palo Alto Networks platform approach to security? (Choose three.)
A. minimized threat landscape due to reducing internet footprint to a single point of failure
B. cost savings due to reduction in IT management effort and device consolidation
C. improved revenue due to more efficient network traffic throughput
D. operational efficiencies due to reduction in manual incident review and decrease in mean time to resolution (MTTR)
E. increased security due to scalable cloud-delivered security services (CDSS)
Selected Answer: BDE
Question #: 26
Topic #: 1
What are three valid sources that are supported for user IP address mapping in Palo Alto Networks NGFW? (Choose three.)
A. RADIUS
B. Client Probing
C. Lotus Domino
D. Active Directory monitoring
E. TACACS
F. eDirectory monitoring
Selected Answer: BDF
Question #: 95
Topic #: 1
Which two actions should be taken to provide some protection when a client chooses not to block uncategorized websites? (Choose two.)
A. Add a URL-filtering profile with the action set to “Continue” for unknown URL categories attached to Security policy rules that allow web access.
B. Attach a file-blocking profile to Security policy rules that allow uncategorized websites.
C. Add a Security policy rule using only known URL categories with the action set to “Allow.”
D. Attach a data-filtering profile with a custom data pattern to Security policy rules that deny uncategorized websites.
Selected Answer: AB
Question #: 118
Topic #: 1
Which solution informs a customer concerned about zero-day targeted attacks whether an attack is specifically targeted at its property?
A. Panorama Correlation Report
B. AutoFocus
C. Cortex XSOAR Community Edition
D. Cortex XDR Prevent
Selected Answer: B
Question #: 72
Topic #: 1
The ability to prevent users from resolving internet protocol (IP) addresses to malicious, grayware, or newly registered domains is provided by which Security service?
A. DNS Security
B. Threat Prevention
C. WildFire
D. IoT Security
Selected Answer: A
Question #: 71
Topic #: 1
A potential customer requires an NGFW solution that enables high-throughput, low-latency network security and also inspects the application.
Which aspect of the Palo Alto Networks NGFW capabilities should be highlighted to help address these requirements?
A. single-pass architecture (SPA)
B. threat prevention
C. GlobalProtect
D. Elastic Load Balancing (ELB)
Selected Answer: A
Question #: 83
Topic #: 1
Which Security profile on the Next-Generation Firewall (NGFW) includes signatures to protect against brute force attacks?
A. Vulnerability Protection profile
B. URL Filtering profile
C. Antivirus profile
D. Anti-Spyware profile
Selected Answer: A