Which statement appropriately describes performance tuning Intrusion Prevention System (IPS) functions on a Palo Alto Networks NGFW running Advanced Threat Prevention?
A. Leave all signatures turned on because they do not impact performance.
B. Create a new threat profile to use only signatures needed for the environment.
C. Work with TAC to run a debug and receive exact measurements of performance utilization for the IPS.
D. To increase performance, disable any threat signatures that do not apply to the environment.
Create a New Threat Profile (Answer B):
Performance tuning in Intrusion Prevention System (IPS) involves ensuring that only the most relevant and necessary signatures are enabled for the specific environment.
Palo Alto Networks allows you to create custom threat profiles (Vulnerability Protection and Anti-Spyware profiles) to selectively enable signatures that match the threats most likely to affect the environment, and to attach those profiles to the security rules that need them. This reduces unnecessary resource usage and ensures optimal performance.
By tailoring the signature set, organizations can focus on real threats without impacting overall throughput and latency.
Why Not A:
Leaving every signature enabled is not a best practice: each enabled signature adds pattern-matching work on the dataplane, and in high-throughput environments that shows up as higher utilization, longer processing time and degraded firewall performance. The claim that signatures do not impact performance is simply false.
Why Not C:
While working with TAC for debugging may help identify specific performance bottlenecks, it is not a recommended approach for routine performance tuning. Instead, proactive configuration changes, such as creating tailored threat profiles, should be made.
Why Not D:
Disabling irrelevant threat signatures does improve performance, but the supported way to do it is to create a new threat profile whose rules enable only the relevant signatures. Disabling signatures one by one as exceptions is not scalable or efficient, and the predefined default and strict profiles cannot be edited in place.
References from Palo Alto Networks Documentation:
Threat Prevention Best Practices
Custom Threat Profile Configuration
Which two actions should a systems engineer take when a customer is concerned about how to remain aligned to Zero Trust principles as they adopt additional security features over time? (Choose two)
A. Turn on all licensed Cloud-Delivered Security Services (CDSS) subscriptions in blocking mode for all policies.
B. Apply decryption where possible to inspect and log all new and existing traffic flows.
C. Use the Best Practice Assessment (BPA) tool to measure progress toward Zero Trust principles.
D. Use the Policy Optimizer tool to understand security rules allowing users to bypass decryption.
When adopting additional security features over time, remaining aligned with Zero Trust principles requires a focus on constant visibility, control, and adherence to best practices. The following actions are the most relevant:
Why "Apply decryption where possible to inspect and log all new and existing traffic flows" (Correct Answer B)? Zero Trust principles emphasize visibility into all traffic, whether encrypted or unencrypted. Without decryption, encrypted traffic becomes a blind spot that attackers can exploit. By applying decryption wherever feasible, organizations ensure they can inspect, log, and enforce policies on encrypted traffic, thus adhering to Zero Trust principles.
Why "Use the Best Practice Assessment (BPA) tool to measure progress toward Zero Trust principles" (Correct Answer C)? The BPA tool provides detailed insights into the customer's security configuration, helping measure alignment with Palo Alto Networks' Zero Trust best practices. It identifies gaps in security posture and recommends actionable steps to strengthen adherence to Zero Trust principles over time.
Why not "Turn on all licensed Cloud-Delivered Security Services (CDSS) subscriptions in blocking mode for all policies" (Option A)? Enabling CDSS subscriptions (Threat Prevention, URL Filtering, Advanced Threat Prevention and so on) in blocking mode strengthens protection, but it is not by itself a way to stay aligned with Zero Trust principles over time, and switching every subscription to block on every rule at once, with no alert-first rollout, is not a best practice either. Visibility through decryption and measurement through the BPA are what keep the program on track.
Why not "Use the Policy Optimizer tool to understand security rules allowing users to bypass decryption" (Option D)? Policy Optimizer works on Security policy rules, identifying unused rules and port-based rules that should be converted to App-ID. Decryption exclusions live in the separate Decryption policy rulebase, which Policy Optimizer does not analyze, so it neither measures Zero Trust alignment nor helps enforce decryption.
Which two statements clarify the functionality and purchase options for Palo Alto Networks AIOps for NGFW? (Choose two.)
A. It is offered in two license tiers: a commercial edition and an enterprise edition.
B. It is offered in two license tiers: a free version and a premium version.
C. It uses telemetry data to forecast, preempt, or identify issues, and it uses machine learning (ML) to adjust and enhance the process.
D. It forwards log data to Advanced WildFire to anticipate, prevent, or identify issues, and it uses machine learning (ML) to refine and adapt to the process.
Palo Alto Networks AIOps for NGFW is a cloud-delivered service that leverages telemetry data and machine learning (ML) to provide proactive operational insights, best practice recommendations, and issue prevention.
Why "It is offered in two license tiers: a free version and a premium version" (Correct Answer B)? AIOps for NGFW is available in two tiers:
Free Tier:Provides basic operational insights and best practices at no additional cost.
Premium Tier:Offers advanced capabilities, such as AI-driven forecasts, proactive issue prevention, and enhanced ML-based recommendations.
Why "It uses telemetry data to forecast, preempt, or identify issues, and it uses machine learning (ML) to adjust and enhance the process" (Correct Answer C)? AIOps uses telemetry data from NGFWs to analyze operational trends, forecast potential problems, and recommend solutions before issues arise. ML continuously refines these insights by learning from real-world data, enhancing accuracy and effectiveness over time.
Why not "It is offered in two license tiers: a commercial edition and an enterprise edition" (Option A)? This is incorrect because the licensing model for AIOps is based on "free" and "premium" tiers, not "commercial" and "enterprise" editions.
Why not "It forwards log data to Advanced WildFire to anticipate, prevent, or identify issues, and it uses machine learning (ML) to refine and adapt to the process" (Option D)? AIOps does not rely on Advanced WildFire for its operation. Instead, it uses telemetry data directly from the NGFWs to perform operational and security analysis.
Which two statements correctly describe best practices for sizing a firewall deployment with decryption enabled? (Choose two.)
A. SSL decryption traffic amounts vary from network to network.
B. Large average transaction sizes consume more processing power to decrypt.
C. Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms.
D. Rivest-Shamir-Adleman (RSA) certificate authentication method (not the RSA key exchange algorithm) consumes more resources than Elliptic Curve Digital Signature Algorithm (ECDSA), but ECDSA is more secure.
When planning a firewall deployment with SSL/TLS decryption enabled, it is crucial to consider the additional processing overhead introduced by decrypting and inspecting encrypted traffic. Here are the details for each statement:
Why "SSL decryption traffic amounts vary from network to network" (Correct Answer A)? The share of traffic that is TLS, and the share of that which policy will actually decrypt, depends on the organization's network, user behavior and application mix. A network dominated by web and SaaS traffic puts far more decryption load on the firewall than one that mostly carries internal, unencrypted protocols. Because of this variability, each deployment must be measured and sized on its own traffic rather than on a generic estimate.
Why "Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms" (Correct Answer C)? With DHE or ECDHE the firewall performs a fresh asymmetric key agreement for every session, so the cost cannot be amortized across sessions as it can with RSA key exchange; it also means the firewall must be an active proxy in the session rather than decrypting passively with an imported server key. When decryption is enabled the firewall bears this cost for every decrypted session, and since most Internet traffic now negotiates PFS cipher suites (TLS 1.3 allows nothing else), it must be budgeted for in sizing.
Why not "Large average transaction sizes consume more processing power to decrypt" (Option B)? The statement is inverted. The expensive part of decryption is the TLS handshake (key exchange and certificate operations), not the symmetric decryption of the bytes that follow. At a given throughput, smaller average transactions mean more sessions, and therefore more handshakes, per second, so Palo Alto Networks' sizing guidance lists small transaction sizes, not large ones, as the case that consumes more processing power.
Why not "Rivest-Shamir-Adleman (RSA) certificate authentication method consumes more resources than Elliptic Curve Digital Signature Algorithm (ECDSA), but ECDSA is more secure" (Option D)? The certificate authentication algorithm is a genuine sizing factor, but this option states it backwards: in Palo Alto Networks' guidance, ECDSA certificate authentication consumes more firewall resources than RSA certificate authentication (the certificate algorithm, as distinct from the RSA key exchange), while ECDSA is the more secure of the two.
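The two sizing factors above, as an added example rather than anything from Palo Alto Networks: a Python script that takes a constructed sample of TLS session records (the column names and values are assumptions for the example, not a firewall log format), reports the share of PFS key exchanges and ECDSA certificates and the median transaction size, and converts an average transaction size into the handshake rate the firewall would have to sustain at a target throughput, which is why small transactions cost more than large ones.

```python
"""Characterize a TLS traffic sample for decryption sizing.

Added example for this answer, not code from Palo Alto Networks. The session
records below are constructed for the example (a pcap or flow export would be
the real source); the column names are assumptions, not a PAN-OS log format.
"""
import csv
import io
from collections import Counter
from statistics import median

# Constructed sample: bytes carried by each TLS session, the key-exchange
# algorithm negotiated, and the signature algorithm of the server certificate.
SAMPLE_SESSIONS = """\
bytes,key_exchange,cert_sig
3800,ECDHE,RSA
5200,ECDHE,ECDSA
120000,RSA,RSA
4100,ECDHE,RSA
2900,DHE,RSA
1500000,ECDHE,ECDSA
6000,ECDHE,RSA
4500,RSA,RSA
"""

# Ephemeral (PFS) key exchanges: a fresh asymmetric operation on every session.
PFS_KEX = {"ECDHE", "DHE"}


def summarize(csv_text):
    """Return the sizing-relevant properties of the sample."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    n = len(rows)
    sizes = [int(r["bytes"]) for r in rows]
    kex = Counter(r["key_exchange"] for r in rows)
    sig = Counter(r["cert_sig"] for r in rows)
    return {
        "sessions": n,
        "mean_bytes": sum(sizes) / n,
        "median_bytes": median(sizes),  # robust to a few very large transfers
        "pfs_share": sum(kex[k] for k in PFS_KEX) / n,
        "ecdsa_share": sig["ECDSA"] / n,
    }


def handshakes_per_second(throughput_gbps, avg_bytes):
    """TLS handshakes per second needed to sustain throughput_gbps when the
    average session carries avg_bytes. The handshake, not the bulk symmetric
    decryption, is the expensive part, so this is the number that drives sizing."""
    bytes_per_second = throughput_gbps * 1e9 / 8
    return bytes_per_second / avg_bytes


if __name__ == "__main__":
    print(summarize(SAMPLE_SESSIONS))
    for avg in (4096, 65536, 1_000_000):
        rate = handshakes_per_second(1, avg)
        print(f"1 Gbps at {avg:>8} B/session -> {rate:>10.0f} handshakes/s")
```

The sample deliberately mixes a few large downloads with many small transactions: the mean is dominated by the large ones, the median is not, and it is the median that tells you how many handshakes per second a given throughput implies.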
Which statement applies to the default configuration of a Palo Alto Networks NGFW?
A. Security profiles are applied to all policies by default, eliminating implicit trust of any data traversing the firewall.
B. The default policy action for intrazone traffic is deny, eliminating implicit trust within a security zone.
C. The default policy action allows all traffic unless explicitly denied.
D. The default policy action for interzone traffic is deny, eliminating implicit trust between security zones.
The default configuration of a Palo Alto Networks NGFW includes a set of default security rules that determine how traffic is handled when no explicit rules are defined. Here's the explanation for each option:
Option A: Security profiles are applied to all policies by default, eliminating implicit trust of any data traversing the firewall
Security profiles (such as Antivirus, Anti-Spyware, and URL Filtering) are not applied to any policies by default. Administrators must explicitly apply them to security rules.
This statement is incorrect.
Option B: The default policy action for intrazone traffic is deny, eliminating implicit trust within a security zone
By default, traffic within the same zone (intrazone traffic) is allowed by the predefined intrazone-default rule at the bottom of the rulebase. For example, traffic between devices in the "trust" zone is permitted unless an explicit rule above it denies it. The default can be overridden (to deny, or at least to log) when lateral movement inside a zone must be controlled.
This statement is incorrect.
Option C: The default policy action allows all traffic unless explicitly denied
Palo Alto Networks firewalls do not have an "allow all" default rule. The rulebase ends with two predefined default rules: interzone-default, which denies traffic between zones, and intrazone-default, which allows traffic within a zone. Neither logs by default, so a common first hardening step is to override both to log at session end.
This statement is incorrect.
Option D: The default policy action for interzone traffic is deny, eliminating implicit trust between security zones
By default, traffic between different zones (interzone traffic) is denied by the predefined interzone-default rule, which is reached only when no explicit rule above it matches. This aligns with Zero Trust: no traffic is implicitly allowed between zones, and administrators must write explicit rules to allow interzone traffic.
This statement is correct.
References:
Palo Alto Networks documentation on Security Policy Defaults
Knowledge Base article on Default Security Rules
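A small model of the fall-through behaviour described above, added here as an example and not Palo Alto Networks code. Matching is simplified to zones and application (real rules also match addresses, users, services and more), and the zone, rule and profile names are invented. It also shows the audit implied by option A: allow rules with no security profile attached.

```python
"""Model how a PAN-OS security rulebase falls through to its default rules.

Added example for this answer, not Palo Alto Networks code. Matching is
simplified to zones and application; a real rule also matches addresses,
users, services and more. Zone, rule and profile names are invented.
"""
from dataclasses import dataclass

ANY = frozenset({"any"})

# Factory defaults: the two predefined rules at the bottom of every rulebase.
FACTORY_DEFAULTS = {"intrazone-default": "allow", "interzone-default": "deny"}
# A hardened override (an assumed policy choice, not the factory setting).
HARDENED_DEFAULTS = {"intrazone-default": "deny", "interzone-default": "deny"}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    apps: frozenset
    action: str                        # "allow" or "deny"
    profiles: frozenset = frozenset()  # security profiles attached, if any


def _match(allowed, value):
    return allowed == ANY or value in allowed


def evaluate(rulebase, src_zone, dst_zone, app, defaults=FACTORY_DEFAULTS):
    """First explicit rule that matches wins. If none does, the traffic falls
    through to intrazone-default (same zone) or interzone-default (different
    zones), exactly as the predefined rules at the end of the rulebase do."""
    for rule in rulebase:
        if (_match(rule.from_zones, src_zone) and _match(rule.to_zones, dst_zone)
                and _match(rule.apps, app)):
            return rule.name, rule.action
    default = "intrazone-default" if src_zone == dst_zone else "interzone-default"
    return default, defaults[default]


def allow_rules_without_profiles(rulebase):
    """Option A in the question: profiles are never attached automatically,
    so audit for allow rules that inspect nothing."""
    return [r.name for r in rulebase if r.action == "allow" and not r.profiles]


# Constructed rulebase: two explicit rules, then whatever the defaults decide.
RULEBASE = [
    Rule("allow-web-out", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"web-browsing", "ssl"}), "allow",
         frozenset({"antivirus", "anti-spyware", "vulnerability", "url-filtering"})),
    Rule("allow-dns-out", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"dns"}), "allow"),  # no profiles attached
]

if __name__ == "__main__":
    print(evaluate(RULEBASE, "trust", "untrust", "web-browsing"))  # explicit rule
    print(evaluate(RULEBASE, "trust", "untrust", "ssh"))           # interzone-default: deny
    print(evaluate(RULEBASE, "trust", "trust", "ssh"))             # intrazone-default: allow
    print(evaluate(RULEBASE, "trust", "trust", "ssh", HARDENED_DEFAULTS))
    print(allow_rules_without_profiles(RULEBASE))                  # ['allow-dns-out']
```

Swapping FACTORY_DEFAULTS for HARDENED_DEFAULTS is the model's equivalent of overriding intrazone-default on the firewall: the explicit rules are untouched, only what happens when nothing matches changes.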
In which two locations can a Best Practice Assessment (BPA) report be generated for review by a customer? (Choose two.)
A. PANW Partner Portal
B. Customer Support Portal
C. AIOps
D. Strata Cloud Manager (SCM)
Step 1: Understand the Best Practice Assessment (BPA)
Purpose: The BPA assesses NGFW (e.g., PA-Series) and Panorama configurations against best practices, including Center for Internet Security (CIS) Critical Security Controls, to enhance security and feature adoption.
Process: Requires a Tech Support File (TSF) upload or telemetry data from onboarded devices to generate the report.
Evolution: Historically available via the Customer Support Portal, the BPA has transitioned to newer platforms like AIOps and Strata Cloud Manager.
References: "BPA measures security posture against best practices" (paloaltonetworks.com, Best Practice Assessment Overview).
Step 2: Evaluate Each Option
Option A: PANW Partner Portal
Description: The Palo Alto Networks Partner Portal is a platform for partners (e.g., resellers, distributors) to access tools, resources, and customer-related services.
BPA Capability:
Historically, partners could generate BPAs on behalf of customers via the Customer Success Portal (accessible through Partner Portal integration), but this was not a direct customer-facing feature.
As of July 17, 2023, the BPA generation capability in the Customer Support Portal and related partner tools was disabled, shifting focus to AIOps and Strata Cloud Manager.
Partners can assist customers with BPA generation but cannot directly generate reports for customer review in the Partner Portal itself; customers must access reports via their own interfaces (e.g., AIOps).
Verification:
"BPA transitioned to AIOps; Customer Support Portal access disabled after July 17, 2023" (live.paloaltonetworks.com, BPA Transition Announcement, 07-10-2023).
No current documentation supports direct BPA generation in the Partner Portal for customer review.
Conclusion: Not a customer-accessible location for generating BPAs. Not Applicable.
Option B: Customer Support Portal
Description: The Customer Support Portal (support.paloaltonetworks.com) provides customers with tools, case management, and historically, BPA generation.
BPA Capability:
Prior to July 17, 2023, customers could upload a TSF under "Tools > Best Practice Assessment" to generate a BPA report (HTML, XLSX, PDF formats).
Post-July 17, 2023, this functionality was deprecated in favor of AIOps and Strata Cloud Manager. Historical BPA data was maintained until December 31, 2023, but new report generation ceased.
As of March 08, 2025, the Customer Support Portal no longer supports BPA generation, though it remains a support hub.
Verification:
"TSF uploads for BPA in Customer Support Portal disabled after July 17, 2023" (docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-best-practices).
"Transition to AIOps for BPA generation" (live.paloaltonetworks.com, BPA Transition to AIOps, 07-10-2023).
Conclusion: No longer a valid location for BPA generation as of the current date. Not Applicable.
Option C: AIOps
Description: AIOps for NGFW is an AI-powered operations platform for managing Strata NGFWs and Panorama, offering real-time insights, telemetry-based monitoring, and BPA generation.
BPA Capability:
Supports two BPA generation methods:
On-Demand BPA: Customers upload a TSF (PAN-OS 9.1 or higher) via "Dashboards > On Demand BPA" to generate a report, even without telemetry or onboarding.
Continuous BPA: For onboarded devices with telemetry enabled (PAN-OS 10.0+), AIOps provides ongoing best practice assessments via the Best Practices dashboard.
Available in free and premium tiers; the free tier includes BPA generation.
Reports include detailed findings, remediation steps, and adoption summaries.
Use Case: Ideal for customers managing firewalls with or without full AIOps integration.
Verification:
"Generate on-demand BPA reports by uploading TSFs in AIOps" (docs.paloaltonetworks.com/aiops/aiops-for-ngfw/dashboards/on-demand-bpa).
"AIOps Best Practices dashboard assesses configurations continuously" (live.paloaltonetworks.com, AIOps On-Demand BPA, 10-25-2022).
Conclusion: A current, customer-accessible location for BPA generation. Applicable.
Option D: Strata Cloud Manager (SCM)
Description: Strata Cloud Manager is a unified, AI-powered management interface for NGFWs and SASE, integrating AIOps, digital experience management, and configuration tools.
BPA Capability:
Supports on-demand BPA generation by uploading a TSF under "Dashboards > On Demand BPA," similar to AIOps, for devices not sending telemetry or not fully onboarded.
For onboarded devices, provides real-time best practice checks via the "Best Practices" dashboard, analyzing policies against Palo Alto Networks and CIS standards.
Available in Essentials (free) and Pro (paid) tiers; BPA generation is included in both.
Use Case: Offers a modern, centralized platform for customers to manage and assess security posture.
Verification:
"Run BPA directly from Strata Cloud Manager with TSF upload" (docs.paloaltonetworks.com/strata-cloud-manager/dashboards/on-demand-bpa, 07-24-2024).
"Best Practices dashboard measures posture against guidance" (paloaltonetworks.com, Strata Cloud Manager Overview).
Conclusion: A current, customer-accessible location for BPA generation. Applicable.
Step 3: Select the Two Valid Locations
C (AIOps): Supports both on-demand (TSF upload) and continuous BPA generation, accessible to customers via the Palo Alto Networks hub.
D (Strata Cloud Manager): Provides identical on-demand BPA capabilities and real-time assessments, designed as a unified management interface.
Why Not A or B?
A (PANW Partner Portal): Partner-focused, not a direct customer tool for BPA generation.
B (Customer Support Portal): Deprecated for BPA generation post-July 17, 2023; no longer valid as of March 08, 2025.
Step 4: Verified References
AIOps BPA: "On-demand BPA in AIOps via TSF upload" (docs.paloaltonetworks.com/aiops/aiops-for-ngfw/dashboards/on-demand-bpa).
Strata Cloud Manager BPA: "Generate BPA reports in SCM" (docs.paloaltonetworks.com/strata-cloud-manager/dashboards/on-demand-bpa).
Customer Support Portal Transition: "BPA moved to AIOps/SCM; CSP access ended July 17, 2023" (live.paloaltonetworks.com, BPA Transition, 07-10-2023).
Which initial action can a network security engineer take to prevent a malicious actor from using a file-sharing application for data exfiltration without impacting users who still need to use file-sharing applications?
A. Use DNS Security to limit access to file-sharing applications based on job functions.
B. Use App-ID to limit access to file-sharing applications based on job functions.
C. Use DNS Security to block all file-sharing applications and uploading abilities.
D. Use App-ID to block all file-sharing applications and uploading abilities.
To prevent malicious actors from abusing file-sharing applications for data exfiltration, App-ID provides a granular approach to managing application traffic. Palo Alto Networks' App-ID is a technology that identifies applications traversing the network, regardless of port, protocol, encryption (SSL), or evasive tactics. By leveraging App-ID, security engineers can implement policies that restrict the use of specific applications or functionalities based on job functions, ensuring that only authorized users or groups can use file-sharing applications while blocking unauthorized or malicious usage.
Here’s why the options are evaluated this way:
Option A: DNS Security focuses on identifying and blocking malicious domains. While it plays a critical role in preventing certain attacks (like command-and-control traffic), it is not effective for managing application usage. Hence, this is not the best approach.
Option B (Correct): App-ID provides the ability to identify file-sharing applications (such as Dropbox, Google Drive, or OneDrive) and enforce policies to restrict their use. For example, you can create a security rule allowing file-sharing apps only for specific job functions, such as HR or marketing, while denying them for other users. This targeted approach ensures legitimate business needs are not disrupted, which aligns with the requirement of not impacting valid users.
Option C: Blocking all file-sharing applications outright using DNS Security is a broad measure that will indiscriminately impact legitimate users. This does not meet the requirement of allowing specific users to continue using file-sharing applications.
Option D: While App-ID can block file-sharing applications outright, doing so will prevent legitimate usage and is not aligned with the requirement to allow usage based on job functions.
How to Implement the Solution (Using App-ID):
Identify the relevant file-sharing applications, and their function-level sub-applications (for example the uploading function as opposed to browsing), in the predefined App-ID database.
Create security policies that allow these applications only for users or groups defined in your directory (e.g., Active Directory); this relies on User-ID to map IP addresses to those users and groups.
Use the function-level App-IDs, or application filters and groups, to control specific functionality such as uploads while leaving downloads or browsing available more broadly.
Monitor traffic logs to confirm that only authorized users reach the upload functions and that no unexpected volumes are leaving the network.
References:
Palo Alto Networks Admin Guide: Application Identification and Usage Policies.
Best Practices for App-ID Configuration: https://docs.paloaltonetworks.com
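As an added example (not Palo Alto Networks code) of the monitoring step above, the script below totals upload volume per user over upload-function App-IDs and flags users outside the authorized group or over a volume threshold. The records are constructed and only loosely modelled on PAN-OS traffic-log field names (srcuser, app, action, bytes_sent); the App-ID names, user names and threshold are assumptions.

```python
"""Audit file-sharing upload activity before tightening an App-ID rule.

Added example for this answer, not Palo Alto Networks code. The records are
constructed and only loosely modelled on PAN-OS traffic-log fields (srcuser,
app, action, bytes_sent); the App-ID names and user names are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed log sample: one allowed session per row.
SAMPLE_LOG = """\
srcuser,app,action,bytes_sent
corp\\alice,dropbox-uploading,allow,52428800
corp\\alice,dropbox-uploading,allow,104857600
corp\\bob,dropbox-base,allow,204800
corp\\bob,onedrive-uploading,allow,10485760
corp\\carol,dropbox-uploading,allow,2147483648
corp\\mallory,dropbox-uploading,allow,3221225472
corp\\eve,web-browsing,allow,8388608
"""

# Sub-application App-IDs that represent the upload function (names assumed).
UPLOAD_APPS = {"dropbox-uploading", "onedrive-uploading"}
# Users (in practice a User-ID group such as HR or marketing) allowed to upload.
ALLOWED_UPLOADERS = {"corp\\alice", "corp\\carol"}
ONE_GIB = 1024 ** 3


def audit_uploads(csv_text, allowed, volume_threshold=ONE_GIB):
    """Total bytes_sent per (user, upload app) and flag two things: uploads by
    users outside the authorized group, and authorized users whose volume
    exceeds the threshold. Returns (user, app, total_bytes, reason) tuples,
    sorted by user then app. Browsing-only App-IDs (dropbox-base) are ignored
    because they carry no upload."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["app"] in UPLOAD_APPS and row["action"] == "allow":
            totals[(row["srcuser"], row["app"])] += int(row["bytes_sent"])
    findings = []
    for (user, app), total in sorted(totals.items()):
        if user not in allowed:
            findings.append((user, app, total, "unauthorized-user"))
        elif total > volume_threshold:
            findings.append((user, app, total, "volume-over-threshold"))
    return findings


if __name__ == "__main__":
    for user, app, total, reason in audit_uploads(SAMPLE_LOG, ALLOWED_UPLOADERS):
        print(f"{reason:<22} {user:<14} {app:<18} {total / ONE_GIB:6.2f} GiB")
```

The unauthorized-user findings are exactly the sessions a job-function rule would deny once it is in place; the volume finding is the residual risk the rule does not remove, which is why the monitoring step stays in place after the policy change.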
While responding to a customer RFP, a systems engineer (SE) is presented the question, "How do PANW firewalls enable the mapping of transactions as part of Zero Trust principles?" Which two narratives can the SE use to respond to the question? (Choose two.)
A. Emphasize Zero Trust as an ideology, and that the customer decides how to align to Zero Trust principles.
B. Reinforce the importance of decryption and security protections to verify traffic that is not malicious.
C. Explain how the NGFW can be placed in the network so it has visibility into every traffic flow.
D. Describe how Palo Alto Networks NGFW Security policies are built by using users, applications, and data objects.
The question asks how Palo Alto Networks (PANW) Strata Hardware Firewalls enable the mapping of transactions as part of Zero Trust principles, requiring a systems engineer (SE) to provide two narratives for a customer RFP response. Zero Trust is a security model that assumes no trust by default, requiring continuous verification of all transactions, users, and devices, inside and outside the network. The Palo Alto Networks Next-Generation Firewall (NGFW), part of the Strata portfolio, supports this through its advanced visibility, decryption, and policy enforcement capabilities. Below is a detailed explanation of why options B and D are the correct narratives, verified against official Palo Alto Networks documentation.
Step 1: Understanding Zero Trust and Transaction Mapping in PAN-OS
Zero Trust principles, as defined by frameworks like NIST SP 800-207, emphasize identifying and verifying every transaction (e.g., network flows, application requests) based on context such as user identity, application, and data. For Palo Alto Networks NGFWs, "mapping of transactions" refers to the ability to identify, classify, and control network traffic with granular detail, enabling verification and enforcement aligned with Zero Trust.
The PAN-OS operating system achieves this through:
App-ID: Identifies applications regardless of port or protocol.
User-ID: Maps IP addresses to user identities.
Content-ID: Inspects and protects content, including decryption for visibility.
Security Policies: Enforces rules based on these mappings.
A systems engineer (SE) is working with a customer that is fully cloud-deployed for all applications. The customer is interested in Palo Alto Networks NGFWs but describes the following challenges:
"Our apps are in AWS and Azure, with whom we have contracts and minimum-revenue guarantees. We would use the built-in firewall on the cloud service providers (CSPs), but the need for centralized policy management to reduce human error is more important."
Which recommendations should the SE make?
A. Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.
B. Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice.
C. VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license.
D. VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.
The customer is seeking centralized policy management to reduce human error while maintaining compliance with their contractual obligations to AWS and Azure. Here's the evaluation of each option:
Option A: Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems
Cloud NGFW is a fully managed next-generation firewall service from Palo Alto Networks, offered through the AWS and Azure marketplaces. It integrates natively with each CSP's networking, and because it is bought through the marketplace the spend can count toward the customer's committed-spend contracts with those providers, which is the point of the customer's remark about minimum-revenue guarantees.
Panorama, Palo Alto Networks' centralized management solution, can be deployed as a virtual appliance in the CSP marketplace of choice, enabling centralized policy management across all NGFWs.
This option addresses the customer's need for centralized management while leveraging their existing contracts with AWS and Azure.
This option is appropriate.
Option B: Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice
This option mixes Cloud NGFW in AWS with VM-Series firewalls in Azure. Both can be managed from Panorama, but the customer asked for one centralized, low-error operating model; running two different firewall form factors across the two clouds adds a second deployment and lifecycle process for no stated reason.
This option introduces a mix of solutions that could complicate centralized management and reduce operational efficiency.
This option is less appropriate.
Option C: VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license
VM-Series firewalls are well-suited for cloud deployments but require more manual configuration compared to Cloud NGFW.
Building a Panorama instance by hand on a generic host increases operational overhead and bypasses the customer's CSP marketplaces, so the spend does not draw down their existing commitments.
This option is less aligned with the customer's needs.
Option D: VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP’s marketplace of choice to centrally manage the systems
This option introduces both VM-Series and CN-Series firewalls in both CSPs. While CN-Series firewalls are designed for Kubernetes environments, they may not be relevant if the customer does not specifically require container-level security.
Adding CN-Series firewalls may introduce unnecessary complexity and costs.
This option is not appropriate.
References:
Palo Alto Networks documentation on Cloud NGFW
Panorama overview in Palo Alto Knowledge Base
VM-Series firewalls deployment guide in CSPs: Palo Alto Documentation
What are the first two steps a customer should perform as they begin to understand and adopt Zero Trust principles? (Choose two)
A. Understand which users, devices, infrastructure, applications, data, and services are part of the network or have access to it.
B. Enable relevant Cloud-Delivered Security Services (CDSS) subscriptions to automatically protect the customer's environment from both internal and external threats.
C. Map the transactions between users, applications, and data, then verify and inspect those transactions.
D. Implement VM-Series NGFWs in the customer's public and private clouds to protect east-west traffic.
Zero Trust principles revolve around minimizing trust in the network and verifying every interaction. To adopt Zero Trust, customers should start by gaining visibility and understanding the network and its transactions.
A. Understand which users, devices, infrastructure, applications, data, and services are part of the network or have access to it.
The first step in adopting Zero Trust is understanding the full scope of the network. Identifying users, devices, applications, and data is critical for building a comprehensive security strategy.
C. Map the transactions between users, applications, and data, then verify and inspect those transactions.
After identifying all assets, the next step is to map interactions and enforce verification and inspection of these transactions to ensure security.
Why Other Options Are Incorrect
B: Enabling CDSS subscriptions is important for protection but comes after foundational Zero Trust principles are established.
D: Implementing VM-Series NGFWs is part of enforcing Zero Trust, but it is not the first step. Visibility and understanding come first.
References:
Palo Alto Networks Zero Trust Overview
In addition to Advanced DNS Security, which three Cloud-Delivered Security Services (CDSS) subscriptions utilize inline machine learning (ML)? (Choose three)
A. Enterprise DLP
B. Advanced URL Filtering
C. Advanced WildFire
D. Advanced Threat Prevention
E. IoT Security
To answer this question, consider each Cloud-Delivered Security Service (CDSS) subscription and whether its machine learning runs inline, that is, on the firewall in the traffic path as packets are inspected, rather than only in the cloud after a sample has been submitted. Palo Alto Networks ships inline ML models in four subscriptions: Advanced DNS Security (given in the question), Advanced URL Filtering, Advanced WildFire, and Advanced Threat Prevention.
A. Enterprise DLP (Data Loss Prevention)
Enterprise DLP prevents sensitive data from leaving the network by matching traffic against data patterns and data profiles. Its ML-based document classification runs in the DLP cloud service, to which the firewall forwards content for inspection; the firewall itself does not run inline ML models for DLP. It is therefore not one of the three.
B. Advanced URL Filtering
Advanced URL Filtering uses inline machine learning to block malicious URLs in real time. Where legacy URL filtering relies on a static category database, Advanced URL Filtering runs ML models on the firewall that classify URLs as they are requested, stopping newly created phishing and malware-hosting pages that have not yet been categorized.
C. Advanced WildFire
Advanced WildFire combines cloud sandboxing (static and dynamic analysis of submitted samples) with WildFire Inline ML: ML models that run on the firewall, configured in the Antivirus profile, to block malicious executables and scripts at line speed without waiting for a cloud verdict. Because of that inline component it is one of the correct answers.
D. Advanced Threat Prevention
Advanced Threat Prevention (ATP) extends the Threat Prevention IPS signatures with inline deep-learning models that analyze traffic in real time to block unknown command-and-control (C2) traffic and exploit attempts that signatures would miss, including ones that rely on obfuscation and evasion techniques.
E. IoT Security
IoT Security is focused on discovering and managing IoT devices connected to the network. It uses machine learning for device identification, behavior profiling and anomaly detection, but that analysis runs in the IoT Security cloud on telemetry from the firewall, not inline on traffic.
Key Takeaways:
Advanced URL Filtering, Advanced WildFire, and Advanced Threat Prevention (together with Advanced DNS Security) run ML inline on the firewall, so the correct answers are B, C, and D.
Enterprise DLP uses ML, but in the DLP cloud service rather than inline.
IoT Security applies ML to device identification and behavior rather than inline threat detection.
Which two compliance frameworks are included with the Premium version of Strata Cloud Manager (SCM)? (Choose two)
Payment Card Industry (PCI)
National Institute of Standards and Technology (NIST)
Center for Internet Security (CIS)
Health Insurance Portability and Accountability Act (HIPAA)
Step 1: Understanding Strata Cloud Manager (SCM) Premium
Strata Cloud Manager is a unified management interface for Strata NGFWs, Prisma Access, and other Palo Alto Networks solutions. The Premium version (subscription-based) includes advanced features like:
AIOps Premium: Predictive analytics, capacity planning, and compliance reporting.
Compliance Posture Management: Pre-built dashboards and reports for specific regulatory frameworks.
Compliance frameworks in SCM Premium provide visibility into adherence to standards like PCI DSS and NIST, generating actionable insights and audit-ready reports based on firewall configurations, logs, and traffic data.
A prospective customer is interested in Palo Alto Networks NGFWs and wants to evaluate the ability to segregate its internal network into unique BGP environments.
Which statement describes the ability of NGFWs to address this need?
It cannot be addressed because PAN-OS does not support it.
It can be addressed by creating multiple eBGP autonomous systems.
It can be addressed with BGP confederations.
It cannot be addressed because BGP must be fully meshed internally to work.
Step 1: Understand the Requirement and Context
Customer Need: Segregate the internal network into unique BGP environments, suggesting multiple isolated or semi-isolated routing domains within a single organization.
BGP Basics:
BGP is a routing protocol used to exchange routing information between autonomous systems (ASes).
eBGP: External BGP, used between different ASes.
iBGP: Internal BGP, used within a single AS, typically requiring a full mesh of peers unless mitigated by techniques like confederations or route reflectors.
Palo Alto NGFW: Supports BGP on virtual routers (VRs) within PAN-OS, enabling advanced routing capabilities for Strata hardware firewalls (e.g., PA-Series).
References: "PAN-OS supports BGP for dynamic routing and network segmentation" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp).
Step 2: Evaluate Each Option
Option A: It cannot be addressed because PAN-OS does not support it
Analysis:
PAN-OS fully supports BGP, including eBGP, iBGP, confederations, and route reflectors, configurable under "Network > Virtual Routers > BGP."
Features like multiple virtual routers and BGP allow network segregation and routing policy control.
This statement contradicts documented capabilities.
Verification:
"Configure BGP on a virtual router for dynamic routing" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/configure-bgp).
Conclusion: Incorrect—PAN-OS supports BGP and segregation techniques. Not Applicable.
Option B: It can be addressed by creating multiple eBGP autonomous systems
Analysis:
eBGP: Used between distinct ASes, each with a unique AS number (e.g., AS 65001, AS 65002).
Within a single organization, creating multiple eBGP ASes would require:
Assigning unique AS numbers (public or private) to each internal segment.
Treating each segment as a separate AS, peering externally with other segments via eBGP.
Challenges:
Internally, this isn’t practical for a single network—it’s more suited to external peering (e.g., with ISPs).
Requires complex management and public/private AS number allocation, not ideal for internal segregation.
Doesn’t leverage iBGP or confederations, which are designed for internal AS management.
PAN-OS supports eBGP, but this approach misaligns with the intent of internal network segregation.
Verification:
"eBGP peers connect different ASes" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-concepts).
Conclusion: Possible but impractical and not the intended BGP solution for internal segregation. Not Optimal.
Option C: It can be addressed with BGP confederations
Description: BGP confederations divide a single AS into sub-ASes (each with a private Confederation Member AS number), reducing the iBGP full-mesh requirement while maintaining a unified external AS.
Analysis:
How It Works:
Single AS (e.g., AS 65000) is split into sub-ASes (e.g., 65001, 65002).
Within each sub-AS, iBGP full mesh or route reflectors are used.
Between sub-ASes, eBGP-like peering (confederation EBGP) connects them, but externally, it appears as one AS.
Segregation:
Each sub-AS can represent a unique BGP environment (e.g., department, site) with its own routing policies.
Firewalls within a sub-AS peer via iBGP; across sub-ASes, they use confederation EBGP.
PAN-OS Support:
Configurable under "Network > Virtual Routers > BGP > Confederation" with a Confederation Member AS number.
Ideal for large internal networks needing segmentation without multiple public AS numbers.
Benefits:
Simplifies internal BGP management.
Aligns with the customer’s need for unique internal BGP environments.
Verification:
"BGP confederations reduce full-mesh burden by dividing an AS into sub-ASes" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-confederations).
"Supports unique internal routing domains" (knowledgebase.paloaltonetworks.com).
Conclusion: Directly addresses the requirement with a supported, practical solution. Applicable.
Option D: It cannot be addressed because BGP must be fully meshed internally to work
Analysis:
iBGP Full Mesh: Traditional iBGP requires all routers in an AS to peer with each other, scaling poorly (n(n-1)/2 connections).
Mitigation: PAN-OS supports alternatives:
Route Reflectors: Centralize iBGP peering.
Confederations: Divide the AS into sub-ASes (see Option C).
This statement ignores these features, falsely claiming BGP’s limitation prevents segregation.
Verification:
"Confederations and route reflectors eliminate full-mesh needs" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-confederations).
Conclusion: Incorrect—PAN-OS overcomes full-mesh constraints. Not Applicable.
Step 3: Recommendation Justification
Why Option C?
Alignment: Confederations allow the internal network to be segregated into unique BGP environments (sub-ASes) while maintaining a single external AS, perfectly matching the customer’s need.
Scalability: Reduces iBGP full-mesh complexity, ideal for large or segmented internal networks.
PAN-OS Support: Explicitly implemented in BGP configuration, validated by documentation.
Why Not Others?
A: False—PAN-OS supports BGP and segregation.
B: eBGP is for external ASes, not internal segregation; less practical than confederations.
D: Misrepresents BGP capabilities; full mesh isn’t required with confederations or route reflectors.
Step 4: Verified References
BGP Confederations: "Divide an AS into sub-ASes for internal segmentation" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-confederations).
PAN-OS BGP: "Supports eBGP, iBGP, and confederations for routing flexibility" (paloaltonetworks.com, PAN-OS Networking Guide).
Use Case: "Confederations suit large internal networks" (knowledgebase.paloaltonetworks.com).
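To make the Option C and Option D reasoning concrete (a confederation's Member ASes are visible to each other but collapse to one AS externally, and a confederation replaces a single n(n-1)/2 full mesh with smaller meshes), here is an added Python model. It is not from the exam material or from any Palo Alto Networks code; speaker names, prefixes and AS numbers are constructed sample values, and the path handling follows RFC 5065 rather than any vendor implementation.

```python
"""How a BGP confederation looks from inside and from outside.

Added example, not from the exam material or any Palo Alto Networks code.
Speaker names and AS numbers are constructed sample values.
Follows RFC 5065: inside the confederation, a route crossing a Member AS
boundary has the sender's Member AS prepended in an AS_CONFED_SEQUENCE
segment; when a route leaves the confederation, every confederation segment
is removed and the single confederation identifier is prepended, so external
peers see one AS.
"""
from dataclasses import dataclass, field

AS_SEQUENCE = "AS_SEQUENCE"                # globally visible path segment
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"  # visible only inside the confederation


@dataclass(frozen=True)
class Speaker:
    name: str
    member_as: int   # Confederation Member AS (private, e.g. 65001)
    confed_id: int   # AS number the outside world sees (e.g. 65000)
    # A speaker outside any confederation is modelled with member_as == confed_id.


@dataclass
class Route:
    prefix: str
    # AS_PATH as (segment_type, [asn, ...]) tuples, first segment first
    as_path: list = field(default_factory=list)


def advertise(route: Route, sender: Speaker, receiver: Speaker) -> Route:
    """Return the route as the receiver sees it after the sender advertises it."""
    path = [(seg, list(asns)) for seg, asns in route.as_path]   # deep copy
    if sender.confed_id == receiver.confed_id:
        if sender.member_as == receiver.member_as:
            return Route(route.prefix, path)     # iBGP inside one Member AS: unchanged
        # confederation-EBGP between Member ASes: prepend Member AS in a confed segment
        if path and path[0][0] == AS_CONFED_SEQUENCE:
            path[0][1].insert(0, sender.member_as)
        else:
            path.insert(0, (AS_CONFED_SEQUENCE, [sender.member_as]))
        return Route(route.prefix, path)
    # leaving the confederation: drop confed segments, prepend the confederation ID
    path = [(seg, asns) for seg, asns in path if seg == AS_SEQUENCE]
    if path:
        path[0][1].insert(0, sender.confed_id)
    else:
        path.append((AS_SEQUENCE, [sender.confed_id]))
    return Route(route.prefix, path)


def accept(route: Route, receiver: Speaker) -> bool:
    """Loop prevention: reject a path that already carries the receiver's
    Member AS (in a confed segment) or its confederation ID (outside)."""
    for seg, asns in route.as_path:
        if seg == AS_CONFED_SEQUENCE and receiver.member_as in asns:
            return False
        if seg == AS_SEQUENCE and receiver.confed_id in asns:
            return False
    return True


def public_as_path(route: Route) -> list:
    """Only the globally visible AS numbers, as an external peer sees them."""
    return [asn for seg, asns in route.as_path if seg == AS_SEQUENCE for asn in asns]


def full_mesh_sessions(n: int) -> int:
    """iBGP sessions for a full mesh of n speakers: n(n-1)/2."""
    return n * (n - 1) // 2


def confederation_sessions(member_sizes, inter_member_links: int) -> int:
    """Full mesh inside each Member AS plus the confederation-EBGP links between them."""
    return sum(full_mesh_sessions(n) for n in member_sizes) + inter_member_links


def demo() -> dict:
    """Walk one prefix from Member AS 65001 through 65002 and out to an ISP."""
    fw_a = Speaker("fw-a", member_as=65001, confed_id=65000)
    fw_b = Speaker("fw-b", member_as=65002, confed_id=65000)
    fw_b2 = Speaker("fw-b2", member_as=65002, confed_id=65000)
    isp = Speaker("isp", member_as=64500, confed_id=64500)   # external, not a member
    origin = Route("10.10.0.0/16")                             # originated in 65001
    at_b = advertise(origin, fw_a, fw_b)        # crosses a Member AS boundary
    at_b2 = advertise(at_b, fw_b, fw_b2)        # iBGP within 65002
    at_isp = advertise(at_b2, fw_b2, isp)       # leaves the confederation
    return {
        "inside": at_b.as_path,
        "inside_ibgp": at_b2.as_path,
        "outside": public_as_path(at_isp),
        "looped_back_to_origin_accepted": accept(at_b, fw_a),
        "full_mesh_10": full_mesh_sessions(10),
        "confed_5_plus_5": confederation_sessions([5, 5], 1),
    }
```

Running `demo()` shows the two halves of the argument: inside the confederation the path carries the private Member AS 65001, the external ISP sees only AS 65000, a route offered back to its originating Member AS is rejected by the loop check, and ten firewalls need 45 iBGP sessions as one mesh but 21 as two Member ASes of five joined by one confederation-EBGP link.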
Which two products can be integrated and managed by Strata Cloud Manager (SCM)? (Choose two)
Prisma SD-WAN
Prisma Cloud
Cortex XDR
VM-Series NGFW
Strata Cloud Manager (SCM) is Palo Alto Networks’ centralized cloud-based management platform for managing network security solutions, including Prisma Access and Prisma SD-WAN. SCM can also integrate with VM-Series firewalls for managing virtualized NGFW deployments.
Why A (Prisma SD-WAN) Is Correct
SCM is the management interface for Prisma SD-WAN, enabling centralized orchestration, monitoring, and configuration of SD-WAN deployments.
Why D (VM-Series NGFW) Is Correct
SCM supports managing VM-Series NGFWs, providing centralized visibility and control for virtualized firewall deployments in cloud or on-premises environments.
Why Other Options Are Incorrect
B (Prisma Cloud): Prisma Cloud is a separate product for securing workloads in public cloud environments. It is not managed via SCM.
C (Cortex XDR): Cortex XDR is a platform for endpoint detection and response (EDR). It is managed through its own console, not SCM.
References:
Palo Alto Networks Strata Cloud Manager Overview
There are no Advanced Threat Prevention log events in a company's SIEM instance. However, the systems administrator has confirmed that the Advanced Threat Prevention subscription is licensed and that threat events are visible in the threat logs on the firewall.
Which action should the systems administrator take next?
Enable the company's Threat Prevention license.
Check with the SIEM vendor to verify that Advanced Threat Prevention logs are reaching the company's SIEM instance.
Have the SIEM vendor troubleshoot its software.
Ensure the Security policy rules that use Advanced Threat Prevention are set for log forwarding to the correct SIEM.
Understanding the Problem:
The issue is that Advanced Threat Prevention (ATP) logs are visible on the firewall but are not being ingested into the company’s SIEM.
This implies that the ATP subscription is working and generating logs on the firewall but the logs are not being forwarded properly to the SIEM.
Action to Resolve:
Log Forwarding Configuration:
Verify that the Security policy rules configured to inspect traffic using Advanced Threat Prevention are set to forward logs to the SIEM instance.
This is a common oversight. Even if the logs are generated locally, they will not be forwarded unless explicitly configured.
Configuration steps to verify in the Palo Alto Networks firewall:
Go to Policies > Security Policies and check the "Log Forwarding" profile applied.
Ensure the "Log Forwarding" profile includes the correct settings to forward Threat Logs to the SIEM.
Go to Device > Log Settings and ensure the firewall is set to forward Threat logs to the desired Syslog or SIEM destination.
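The first two verification steps above (is a Log Forwarding profile attached to the rule, and does that profile actually send Threat logs to the SIEM's syslog server profile) can be checked offline against an exported configuration rather than by clicking through every rule. The Python below is an added example, not from the exam material or from any Palo Alto Networks tool; the XML is a constructed, simplified excerpt that follows the shape of a PAN-OS running configuration (`rulebase/security/rules/entry` with `profile-setting` and `log-setting`, and `shared/log-settings/profiles` with per-log-type `match-list` entries), and every rule, profile and server name in it is made up.

```python
"""Audit PAN-OS security rules that apply a threat profile but whose Threat
logs would never reach the SIEM.

Added example, not from the exam material or any Palo Alto Networks tool.
SAMPLE_CONFIG is a constructed, simplified excerpt of a PAN-OS config; the
element layout mirrors the real one but the names are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <shared><log-settings><profiles>
    <entry name="siem-forwarding">
      <match-list>
        <entry name="threat-to-siem"><log-type>threat</log-type>
          <send-syslog><member>siem-syslog</member></send-syslog></entry>
        <entry name="traffic-to-siem"><log-type>traffic</log-type>
          <send-syslog><member>siem-syslog</member></send-syslog></entry>
      </match-list>
    </entry>
    <entry name="traffic-only">
      <match-list>
        <entry name="traffic-to-siem"><log-type>traffic</log-type>
          <send-syslog><member>siem-syslog</member></send-syslog></entry>
      </match-list>
    </entry>
  </profiles></log-settings></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web-out">
        <action>allow</action>
        <profile-setting><group><member>strict-atp</member></group></profile-setting>
        <log-setting>siem-forwarding</log-setting>
      </entry>
      <entry name="allow-dns-out">
        <action>allow</action>
        <profile-setting><profiles><vulnerability><member>strict</member></vulnerability></profiles></profile-setting>
      </entry>
      <entry name="allow-mgmt">
        <action>allow</action>
        <profile-setting><group><member>strict-atp</member></group></profile-setting>
        <log-setting>traffic-only</log-setting>
      </entry>
      <entry name="deny-all">
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"
LOG_PROFILES_XPATH = "./shared/log-settings/profiles/entry"


def uses_threat_profile(rule) -> bool:
    """True if the rule attaches a security profile group or an individual
    Vulnerability Protection (Threat Prevention / ATP) profile."""
    ps = rule.find("profile-setting")
    if ps is None:
        return False
    return (ps.find("group/member") is not None
            or ps.find("profiles/vulnerability/member") is not None)


def threat_destinations(root, profile_name: str) -> set:
    """Syslog server profiles that the named Log Forwarding profile sends
    Threat logs to; empty if the profile is missing or has no threat match-list."""
    dests = set()
    for prof in root.findall(LOG_PROFILES_XPATH):
        if prof.get("name") != profile_name:
            continue
        for match in prof.findall("match-list/entry"):
            if match.findtext("log-type") == "threat":
                dests.update(m.text for m in match.findall("send-syslog/member"))
    return dests


def rules_with_threat_profiles(config_xml: str) -> list:
    """Names of allow rules that apply a threat profile (the rules that matter)."""
    root = ET.fromstring(config_xml)
    return [r.get("name") for r in root.findall(RULES_XPATH)
            if r.findtext("action") == "allow" and uses_threat_profile(r)]


def audit_log_forwarding(config_xml: str, siem_syslog_profile: str) -> list:
    """Return (rule_name, finding) pairs for rules whose Threat logs will not
    reach the SIEM: no Log Forwarding profile attached, or a profile that does
    not send the threat log type to the SIEM's syslog server profile."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall(RULES_XPATH):
        name = rule.get("name")
        if rule.findtext("action") != "allow" or not uses_threat_profile(rule):
            continue   # deny rules and rules without threat inspection are out of scope
        log_profile = rule.findtext("log-setting")
        if log_profile is None:
            findings.append((name, "no Log Forwarding profile attached"))
            continue
        if siem_syslog_profile not in threat_destinations(root, log_profile):
            findings.append((name, f"profile '{log_profile}' does not send threat "
                                   f"logs to '{siem_syslog_profile}'"))
    return findings
```

Against the sample, `audit_log_forwarding(SAMPLE_CONFIG, "siem-syslog")` flags `allow-dns-out` (threat profile, no Log Forwarding profile) and `allow-mgmt` (its profile only matches the traffic log type), while `allow-web-out` is clean and `deny-all` is skipped. On a real export the same two findings are exactly the "common oversight" the answer describes: the firewall generates the threat log locally, but nothing tells it to forward that log type to the SIEM.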
Why Not the Other Options?
A (Enable the Threat Prevention license):
The problem does not relate to the license; the administrator already confirmed the license is active.
B (Check with the SIEM vendor):
While verifying SIEM functionality is important, the first step is to ensure the logs are being forwarded correctly from the firewall to the SIEM. This is under the systems administrator’s control.
C (Have the SIEM vendor troubleshoot):
This step should only be taken after confirming the logs are forwarded properly from the firewall.
References from Palo Alto Networks Documentation:
Log Forwarding and Security Policy Configuration
Advanced Threat Prevention Configuration Guide
TESTED 02 Apr 2025