PSE-Strata-Topic-3
Question #: 89
Topic #: 1
What is an advantage of having WildFire machine learning (ML) capability inline on the firewall?
A. It eliminates the necessity for dynamic analysis in the cloud.
B. It is always able to give more accurate verdicts than the cloud ML analysis, reducing false positives and false negatives.
C. It improves the CPU performance of content inspection.
D. It enables the firewall to block unknown malicious files in real time and prevent patient zero without disrupting business productivity.
Selected Answer: D
Question #: 60
Topic #: 1
What is the correct behavior when a Palo Alto Networks next-generation firewall (NGFW) is unable to retrieve a DNS verdict from DNS service cloud in the configured lookup time?
A. NGFW discards a response from the DNS server.
B. NGFW temporarily disables the DNS Security function.
C. NGFW permits a response from the DNS server.
D. NGFW resends a verdict challenge to DNS service cloud.
Selected Answer: C
Question #: 58
Topic #: 1
Which is the smallest Panorama solution that can be used to manage up to 2500 Palo Alto Networks Next Generation firewalls?
A. M-200
B. M-600
C. M-100
D. Panorama VM-Series
Selected Answer: D
Question #: 40
Topic #: 1
What are three considerations when deploying User-ID? (Choose three.)
A. Specify included and excluded networks when configuring User-ID
B. Only enable User-ID on trusted zones
C. Use a dedicated service account for User-ID services with the minimal permissions necessary
D. User-ID can support a maximum of 15 hops
E. Enable WMI probing in high security networks
Selected Answer: ABC
Question #: 115
Topic #: 1
What is used to choose the best path on a virtual router that has two or more different routes to the same destination?
A. Metric
B. Source zone
C. Administrative distance
D. Path monitoring
Selected Answer: C
Question #: 6
Topic #: 1
What two types of certificates are used to configure SSL Forward Proxy? (Choose two.)
A. Enterprise CA-signed certificates
B. Self-Signed certificates
C. Intermediate certificates
D. Private key certificates
Selected Answer: AB
Question #: 43
Topic #: 1
Which CLI command allows you to view SD-WAN events such as path selection and path quality measurements?
A. >show sdwan connection all
B. >show sdwan event
C. >show sdwan path-monitor stats vif
D. >show sdwan session distribution policy-name
Selected Answer: B
Question #: 98
Topic #: 1
Which two actions can be configured in an Anti-Spyware profile to address command-and-control (C2) traffic from compromised hosts? (Choose two.)
A. Redirect
B. Alert
C. Quarantine
D. Reset
Selected Answer: BD
Question #: 97
Topic #: 1
A customer with a fully licensed Palo Alto Networks firewall is concerned about threats based on domain generation algorithms (DGAs).
Which Security profile is used to configure Domain Name Security (DNS) to identify and block previously unknown DGA-based threats in real time?
A. Anti-Spyware profile
B. URL Filtering profile
C. Vulnerability Protection profile
D. WildFire Analysis profile
Selected Answer: A
Question #: 94
Topic #: 1
A WildFire subscription is required for which two of the following activities? (Choose two.)
A. Enforce policy based on Host Information Profile (HIP).
B. Forward advanced file types from the firewall for analysis.
C. Filter uniform resource locator (URL) sites by category.
D. Decrypt Secure Sockets Layer (SSL).
E. Use the WildFire Application Programming Interface (API) to submit website links for analysis.
Selected Answer: BE
Question #: 92
Topic #: 1
Access to a business site is blocked by URL Filtering inline machine learning (ML) and considered as a false-positive.
How should the site be made available?
A. Create a custom URL category and add it to the exceptions of the inline ML profile.
B. Change the action of real-time-detection category on URL filtering profile.
C. Create a custom URL category and add it to the Security policy.
D. Disable URL Filtering inline ML.
Selected Answer: A
Question #: 69
Topic #: 1
Which action can prevent users from unknowingly downloading potentially malicious file types from the internet?
A. Apply a File Blocking profile to Security policy rules that allow general web access.
B. Apply a Zone Protection profile to the untrust zone.
C. Assign a Vulnerability profile to Security policy rules that deny general web access.
D. Assign an Antivirus profile to Security policy rules that deny general web access.
Selected Answer: A
Question #: 50
Topic #: 1
You have enabled the WildFire ML for PE files in the antivirus profile and have added the profile to the appropriate firewall rules. When you go to Palo Alto Networks WildFire test av file and attempt to download the test file it is allowed through. In order to verify that the machine learning is working from the command line, which command returns a valid result?
A. show mlav cloud-status
B. show wfml cloud-status
C. show ml cloud-status
D. show wfav cloud-status
Selected Answer: A
Question #: 49
Topic #: 1
What aspect of PAN-OS allows for the NGFW admin to create a policy that provides auto-remediation for anomalous user behavior and malicious activity while maintaining user visibility?
A. Remote Device UserID Agent
B. user-to-tag mapping
C. Dynamic User Groups
D. Dynamic Address Groups
Selected Answer: C
Question #: 29
Topic #: 1
A customer is concerned about zero-day targeted attacks against its intellectual property.
Which solution informs a customer whether an attack is specifically targeted at them?
A. Cortex XDR Prevent
B. AutoFocus
C. Cortex XSOAR Community edition
D. Panorama Correlation Report
Selected Answer: B
Question #: 33
Topic #: 1
Which statement is true about Deviating Devices and metrics?
A. A metric health baseline is determined by averaging the health performance for a given metric over seven days plus the standard deviation
B. Deviating Device Tab is only available with an SD-WAN Subscription
C. An Administrator can set the metric health baseline along with a valid standard deviation
D. Deviating Device Tab is only available for hardware-based firewalls
Selected Answer: A
Question #: 119
Topic #: 1
A prospective customer wants to purchase a next-generation firewall (NGFW) and requires at least 2 million concurrent sessions with a minimum of 10Gbps of throughput with threat detection enabled.
Which tool will help quickly determine the correct size of NGFW for this customer?
A. Data Lake Calculator available on the Palo Alto Networks website
B. NGFW sizing app available for iOS and Android devices
C. Product Comparison tool available on the Palo Alto Networks website
D. Quoting tool available on the Palo Alto Networks website
Selected Answer: C
Question #: 88
Topic #: 1
What is the default behavior in PAN-OS when a 12 MB portable executable (PE) file is forwarded to the WildFire cloud service?
A. Flash file is not forwarded.
B. Flash file is forwarded.
C. PE File is forwarded.
D. PE File is not forwarded.
Selected Answer: C
Question #: 75
Topic #: 1
Which task would be included in the Best Practice Assessment (BPA) tool?
A. Identify sanctioned and unsanctioned software-as-a-service (SaaS) applications.
B. Identify and provide recommendations for device configurations.
C. Identify the threats associated with each application.
D. Identify the visibility and presence of command-and-control (C2) sessions.
Selected Answer: B
Question #: 102
Topic #: 1
Which three of the following actions must be taken to enable Credential Phishing Prevention? (Choose three.)
A. Enable App-ID.
B. Define a uniform resource locator (URL) Filtering profile.
C. Enable User-ID.
D. Enable User Credential Detection.
E. Define a Secure Sockets Layer (SSL) decryption rule base.
Selected Answer: BCE
Question #: 38
Topic #: 1
What helps avoid split brain in active/passive HA pair deployment?
A. Use a standard traffic interface as the HA2 backup
B. Enable preemption on both firewalls in the HA pair
C. Use the management interface as the HA1 backup link
D. Use a standard traffic interface as the HA3 link
Selected Answer: C
Question #: 28
Topic #: 1
Which two actions can be taken to enforce protection from brute force attacks in the security policy? (Choose two.)
A. Create a log forwarding object to send logs to Panorama and a third-party syslog server event correlation
B. Install content updates that include new signatures to protect against emerging threats
C. Attach the vulnerability profile to a security rule
D. Add the URL filtering profile to a security rule
Selected Answer: C
Question #: 27
Topic #: 1
Which CLI allows you to view the names of SD-WAN policy rules that send traffic to the specified virtual SD-WAN interface, along with the performance metrics?
A. >show sdwan connection all |
B. >show sdwan path-monitor stats vif
C. >show sdwan rule vif sdwan.x
D. >show sdwan session distribution policy-name
Selected Answer: C
Question #: 15
Topic #: 1
Which methods are used to check for Corporate Credential Submissions? (Choose three.)
A. Group Mapping
B. IP User Mapping
C. LDAP query
D. Domain Credential Filter
E. User ID Credential Check
Selected Answer: A
Question #: 14
Topic #: 1
You have a prospective customer that is looking for a way to provide secure temporary access to contractors for a designated period of time. They currently add contractors to existing user groups and create ad hoc policies to provide network access. They admit that once the contractor no longer needs access to the network, administrators are usually too busy to manually delete policies that provided access to the contractor. This has resulted in over-provisioned access that has allowed unauthorized access to their systems.
They are looking for a solution to automatically remove access for contractors once access is no longer required.
You address their concern by describing which feature in the NGFW?
A. Dynamic User Groups
B. Dynamic Address Groups
C. Multi-factor Authentication
D. External Dynamic Lists
Selected Answer: B
Question #: 5
Topic #: 1
Which two email links, contained in SMTP and POP3, can be submitted from WildFire analysis with a WildFire subscription? (Choose two.)
A. FTP
B. HTTPS
C. RTP
D. HTTP
Selected Answer: C
Question #: 48
Topic #: 1
When having a customer pre-sales call, which aspects of the NGFW should be covered?
A. The NGFW simplifies your operations through analytics and automation while giving you consistent protection through exceptional visibility and control across the data center, perimeter, branch, mobile and cloud networks
B. The Palo Alto Networks-developed URL filtering database, PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads and disable Command and Control (C2) communications to protect your network from cyberthreats. URL categories that identify confirmed malicious content — malware, phishing, and C2 are updated every five minutes — to ensure that you can manage access to these sites within minutes of categorization
C. The NGFW creates tunnels that allow users/systems to connect securely over a public network, as if they were connecting over a local area network (LAN). To set up a VPN tunnel you need a pair of devices that can authenticate each other and encrypt the flow of information between them. The devices can be a pair of Palo Alto Networks firewalls, or a Palo Alto Networks firewall along with a VPN-capable device from another vendor
D. Palo Alto Networks URL Filtering allows you to monitor and control the sites users can access, to prevent phishing attacks by controlling the sites to which users can submit valid corporate credentials, and to enforce safe search for search engines like Google and Bing
Selected Answer: A
Question #: 20
Topic #: 1
What filtering criteria is used to determine what users to include as members of a dynamic user group?
A. Tags
B. Login IDs
C. Security Policy Rules
D. IP Addresses
Selected Answer: A
Question #: 16
Topic #: 1
WildFire subscription supports analysis of which three types? (Choose three.)
A. GIF
B. 7-Zip
C. Flash
D. RPM
E. ISO
F. DMG
Selected Answer: BCF
Question #: 24
Topic #: 1
A customer with a legacy firewall architecture is focused on port and protocol level security, and has heard that next generation firewalls open all ports by default.
What is the appropriate rebuttal that positions the value of a NGFW over a legacy firewall?
A. Palo Alto Networks does not consider port information, instead relying on App-ID signatures that do not reference ports
B. Default policies block all interzone traffic. Palo Alto Networks empowers you to control applications by default ports or a configurable list of approved ports on a per-policy basis
C. Palo Alto Networks keeps ports closed by default, only opening ports after understanding the application request, and then opening only the application-specified ports
D. Palo Alto Networks NGFW protects all applications on all ports while leaving all ports opened by default
Selected Answer: B
Question #: 99
Topic #: 1
The Palo Alto Networks Cloud Identity Engine (CIE) includes which service that supports Identity Providers (IdP)?
A. Directory Sync and Cloud Authentication Service that support IdP using SAML 2.0
B. Directory Sync that supports IdP using SAML 2.0
C. Directory Sync and Cloud Authentication Service that support IdP using SAML 2.0 and OAuth2
D. Cloud Authentication Service that supports IdP using SAML 2.0 and OAuth2
Selected Answer: A
Question #: 7
Topic #: 1
Which two of the following does decryption broker provide on a NGFW? (Choose two.)
A. Decryption broker allows you to offload SSL decryption to the Palo Alto Networks next-generation firewall and decrypt traffic only once
B. Eliminates the need for a third party SSL decryption option which allows you to reduce the total number of third party devices performing analysis and enforcement
C. Provides a third party SSL decryption option which allows you to increase the total number of third party devices performing analysis and enforcement
D. Decryption broker allows you to offload SSL decryption to the Palo Alto Networks next-generation firewall and decrypt traffic multiple times
Selected Answer: AB
Question #: 46
Topic #: 1
Which two products are included in the Prisma Brand? (Choose two.)
A. Prisma Cloud Compute
B. Panorama
C. NGFW
D. Prisma Cloud Enterprise
Selected Answer: AD
Question #: 30
Topic #: 1
Which three actions should be taken before deploying a firewall evaluation unit in the customer’s environment? (Choose three.)
A. Reset the evaluation unit to factory default to ensure that data from any previous customer evaluation is removed
B. Request that the customer make port 3978 available to allow the evaluation unit to communicate with Panorama
C. Upgrade the evaluation unit to the most current recommended firmware, unless a demo of the upgrade process is planned
D. Inform the customer that they will need to provide a SPAN port for the evaluation unit assuming a TAP mode deployment
E. Set expectations around which information will be presented in the Security Lifecycle Review because sensitive information may be made visible
Selected Answer: ACD
Question #: 22
Topic #: 1
A customer has business-critical applications that rely on the general web-browsing application. Which security profile can help prevent drive-by-downloads while still allowing web-browsing traffic?
A. File Blocking Profile
B. DoS Protection Profile
C. URL Filtering Profile
D. Vulnerability Protection Profile
Selected Answer: A
Question #: 19
Topic #: 1
A potential customer requires an NGFW solution which enables high-throughput, low-latency network security, all while incorporating unprecedented features and technology. They need a solution that solves the performance problems that plague today’s security infrastructure.
Which aspect of the Palo Alto Networks NGFW capabilities can you highlight to help them address the requirements?
A. SP3 (Single Pass Parallel Processing)
B. GlobalProtect
C. Threat Prevention
D. Elastic Load Balancers
Selected Answer: A
Question #: 18
Topic #: 1
In an HA pair running Active/Passive mode, over which interface do the dataplanes communicate?
A. HA3
B. HA1
C. HA2
D. HA4
Selected Answer: C
Question #: 17
Topic #: 1
The WildFire Inline Machine Learning is configured using which Content-ID profiles?
A. Antivirus Profile
B. WildFire Analysis Profile
C. Threat Prevention Profile
D. File Blocking Profile
Selected Answer: C
Question #: 93
Topic #: 1
Which two methods are used to check for Corporate Credential Submissions? (Choose two.)
A. domain credential filter
B. IP user mapping
C. User-ID credential check
D. LDAP query
Selected Answer: AB
Question #: 126
Topic #: 1
Which two of the following are required when configuring the Domain Credential Filter method for preventing phishing attacks? (Choose two.)
A. LDAP connector
B. Group mapping
C. IP-address-to-username mapping
D. Windows User-ID agent
Selected Answer: CD
Question #: 12
Topic #: 1
For customers with high bandwidth requirements for Service Connections, what two limitations exist when onboarding multiple Service Connections to the same Prisma Access location servicing a single Datacenter? (Choose two.)
A. Network segments in the Datacenter need to be advertised to only one Service Connection
B. The customer edge device needs to support policy-based routing with symmetric return functionality
C. The resources in the Datacenter will only be able to reach remote network resources that share the same region
D. A maximum of four service connections per Datacenter are supported with this topology
Selected Answer: AB
Question #: 63
Topic #: 1
In PAN-OS 10.0 and later, DNS Security allows policy actions to be applied based on which three domains? (Choose three.)
A. benign
B. government
C. command and control (C2)
D. malware
E. grayware
Selected Answer: CDE
Question #: 73
Topic #: 1
What are two ways to manually add and remove members of dynamic user groups (DUGs)? (Choose two.)
A. Tag the user through Active Directory.
B. Tag the user using Panorama or the Web UI of the firewall.
C. Tag the user through the firewall’s XML API.
D. Add the user to an external dynamic list (EDL).
Selected Answer: BC
Question #: 103
Topic #: 1
Which two statements correctly describe what a Network Packet Broker does for a Palo Alto Networks NGFW? (Choose two.)
A. It provides a third-party SSL decryption option, which can increase the total number of third-party devices performing analysis and enforcement.
B. It allows SSL decryption to be offloaded to the NGFW and traffic to be decrypted only once.
C. It eliminates the need for a third-party SSL decryption option, which reduces the total number of third-party devices performing decryption.
D. It allows SSL decryption to be offloaded to the NGFW and traffic to be decrypted multiple times.
Selected Answer: BC
Question #: 124
Topic #: 1
Which two interface types can be associated to a virtual router? (Choose two.)
A. Loopback
B. Virtual Wire
C. VLAN
D. Layer 2
Selected Answer: AC
Question #: 122
Topic #: 1
Which decryption requirement ensures that inspection can be provided to all inbound traffic routed to internal application and database servers?
A. Installation of certificates from the application server and database server on the NGFW and configuration of an SSL Inbound Decryption policy
B. Installation of a trusted root CA certificate on the NGFW and configuration of an SSL Inbound Decryption policy
C. Configuration of an SSL Inbound Decryption policy using one of the built-in certificates included in the certificate store
D. Configuration of an SSL Inbound Decryption policy without installing certificates
Selected Answer: D
Question #: 121
Topic #: 1
A customer next-generation firewall (NGFW) proof-of-concept (POC) and final presentation have just been completed.
Which CLI command is used to clear data, remove all logs, and restore default configuration?
A. >request private-data-reset system
B. >request reset system public-data-reset
C. >request system private-data-reset
D. >reset system public-data-reset
Selected Answer: C
Question #: 114
Topic #: 1
Which action will protect against port scans from the internet?
A. Assign an Interface Management profile to the zone of the ingress interface
B. Assign Security profiles to Security policy rules for traffic sourcing from the untrust zone
C. Apply a Zone Protection profile on the zone of the ingress interface
D. Apply App-ID Security policy rules to block traffic sourcing from the untrust zone
Selected Answer: A