GET 70% Discount on All Products
Coupon code: "Board70"
What are the first two steps a customer should perform as they begin to understand and adopt Zero Trust principles? (Choose two)
Understand which users, devices, infrastructure, applications, data, and services are part of the network or have access to it.
Enable relevant Cloud-Delivered Security Services (CDSS) subscriptions to automatically protect the customer's environment from both internal and external threats.
Map the transactions between users, applications, and data, then verify and inspect those transactions.
Implement VM-Series NGFWs in the customer’s public and private clouds to protect east-west traffic.
Zero Trust principles revolve around minimizing trust in the network and verifying every interaction. To adopt Zero Trust, customers should start by gaining visibility and understanding the network and its transactions.
A. Understand which users, devices, infrastructure, applications, data, and services are part of the network or have access to it.
The first step in adopting Zero Trust is understanding the full scope of the network. Identifying users, devices, applications, and data is critical for building a comprehensive security strategy.
C. Map the transactions between users, applications, and data, then verify and inspect those transactions.
After identifying all assets, the next step is to map interactions and enforce verification and inspection of these transactions to ensure security.
Why Other Options Are Incorrect
B: Enabling CDSS subscriptions is important for protection but comes after foundational Zero Trust principles are established.
D: Implementing VM-Series NGFWs is part of enforcing Zero Trust, but it is not the first step. Visibility and understanding come first.
Which three descriptions apply to a perimeter firewall? (Choose three.)
Network layer protection for the outer edge of a network
Power utilization less than 500 watts sustained
Securing east-west traffic in a virtualized data center with flexible resource allocation
Primarily securing north-south traffic entering and leaving the network
Guarding against external attacks
A perimeter firewall is traditionally deployed at the boundary of a network to protect it from external threats. It provides a variety of protections, including blocking unauthorized access, inspecting traffic flows, and safeguarding sensitive resources. Here is how the options apply:
Option A (Correct): Perimeter firewalls provide network layer protection by filtering and inspecting traffic entering or leaving the network at the outer edge. This is one of their primary roles.
Option B: Power utilization is not a functional or architectural aspect of a firewall and is irrelevant when describing the purpose of a perimeter firewall.
Option C: Securing east-west traffic is more aligned with data center firewalls, which monitor lateral (east-west) movement of traffic within a virtualized or segmented environment. A perimeter firewall focuses on north-south traffic instead.
Option D (Correct): A perimeter firewall primarily secures north-south traffic, which refers to traffic entering and leaving the network. It ensures that inbound and outbound traffic adheres to security policies.
Option E (Correct): Perimeter firewalls play a critical role in guarding against external attacks, such as DDoS attacks, malicious IP traffic, and other unauthorized access attempts.
Which technique is an example of a DNS attack that Advanced DNS Security can detect and prevent?
High entropy DNS domains
Polymorphic DNS
CNAME cloaking
DNS domain rebranding
Advanced DNS Security on Palo Alto Networks firewalls is designed to identify and prevent a wide range of DNS-based attacks. Among the listed options, "High entropy DNS domains" is a specific example of a DNS attack that Advanced DNS Security can detect and block.
Why "High entropy DNS domains" (Correct Answer A)?High entropy DNS domains are often used in attacks where randomly generated domain names (e.g., gfh34ksdu.com) are utilized by malware or bots to evade detection. This is a hallmark of Domain Generation Algorithms (DGA)-based attacks. Palo Alto Networks firewalls with Advanced DNS Security use machine learning to detect such domains by analyzing the entropy (randomness) of DNS queries. High entropy values indicate the likelihood of a dynamically generated or malicious domain.
Why not "Polymorphic DNS" (Option B)?While polymorphic DNS refers to techniques that dynamically change DNS records to avoid detection, it is not specifically identified as an attack type mitigated by Advanced DNS Security in Palo Alto Networks documentation. The firewall focuses more on the behavior of DNS queries, such as detecting DGA domains or anomalous DNS traffic patterns.
Why not "CNAME cloaking" (Option C)?CNAME cloaking involves using CNAME records to redirect DNS queries to malicious or hidden domains. Although Palo Alto firewalls may detect and block malicious DNS redirections, the focus of Advanced DNS Security is primarily on identifying patterns of DNS abuse like DGA domains, tunneling, or high entropy queries.
Why not "DNS domain rebranding" (Option D)?DNS domain rebranding involves changing the domain names associated with malicious activity to evade detection. This is typically a tactic used for persistence but is not an example of a DNS attack type specifically addressed by Advanced DNS Security.
Advanced DNS Security focuses on dynamic, real-time identification of suspicious DNS patterns, such as high entropy domains, DNS tunneling, or protocol violations. High entropy DNS domains are directly tied to attack mechanisms like DGAs, making this the correct answer.
A prospective customer is concerned about stopping data exfiltration, data infiltration, and command-and-control (C2) activities over port 53.
Which subscription(s) should the systems engineer recommend?
Threat Prevention
App-ID and Data Loss Prevention
DNS Security
Advanced Threat Prevention and Advanced URL Filtering
DNS Security (Answer C):
DNS Security is the appropriate subscription for addressing threats over port 53.
DNS tunneling is a common method used for data exfiltration, infiltration, and C2 activities, as it allows malicious traffic to be hidden within legitimate DNS queries.
The DNS Security service applies machine learning models to analyze DNS queries in real-time, block malicious domains, and prevent tunneling activities.
It integrates seamlessly with the NGFW, ensuring advanced protection against DNS-based threats without requiring additional infrastructure.
Why Not Threat Prevention (Answer A):
Threat Prevention is critical for blocking malware, exploits, and vulnerabilities, but it does not specifically address DNS-based tunneling or C2 activities over port 53.
Why Not App-ID and Data Loss Prevention (Answer B):
While App-ID can identify applications, and Data Loss Prevention (DLP) helps prevent sensitive data leakage, neither focuses on blocking DNS tunneling or malicious activity over port 53.
Why Not Advanced Threat Prevention and Advanced URL Filtering (Answer D):
Advanced Threat Prevention and URL Filtering are excellent for broader web and network threats, but DNS tunneling specifically requires the DNS Security subscription, which specializes in DNS-layer threats.
References from Palo Alto Networks Documentation:
DNS Security Subscription Overview
In addition to Advanced DNS Security, which three Cloud-Delivered Security Services (CDSS) subscriptions utilize inline machine learning (ML)? (Choose three)
Enterprise DLP
Advanced URL Filtering
Advanced WildFire
Advanced Threat Prevention
IoT Security
To secure and protect your traffic using CDSS, Cloud NGFW for AWS provides Palo Alto Networks protections such as:
App-ID. Based on patented Layer 7 traffic classification technology, the App-ID service allows you to see the applications on your network, learn how they work, observe their behavioral characteristics, and understand their relative risk. Cloud NGFW for AWS identifies applications and application functions via multiple techniques, including application signatures, decryption, protocol decoding, and heuristics. These capabilities determine the exact identity of applications traversing your network, including those attempting to evade detection by masquerading as legitimate traffic by hopping ports or using encryption.
Threat Prevention. The Palo Alto Networks Threat Prevention service protects your network by providing multiple layers of prevention to confront each phase of an attack. In addition to essential intrusion prevention service (IPS) capabilities, Threat Prevention possesses the unique ability to detect and block threats on any ports—rather than simply invoking signatures based on a limited set of predefined ports.
Advanced URL Filtering. This critical service built into Cloud NGFW for AWS stops unknown web-based attacks in real-time to prevent patient zero with the industry’s only ML-powered Advanced URL Filtering. Advanced URL Filtering combines the renowned Palo Alto Networks malicious URL database with the industry’s first real-time web protection engine so organizations can automatically and instantly detect and prevent new malicious and targeted web-based threats.
DNS. DNS Security gives you real-time protection, applying industry-first protections to disrupt attacks that use DNS. Tight integration with a Palo Alto Networks Next-Generation Firewall (NGFW) gives you automated protections, prevents attackers from bypassing security measures, and eliminates the need for independent tools or changes to DNS routing. DNS Security gives your organization a critical new control point to stop attacks.
WildFire. Palo Alto Networks Advanced WildFire® is the industry’s largest cloud-based malware prevention engine that protects organizations from highly evasive threats using patented machine learning detection engines, enabling automated protections across network, cloud, and endpoints. Advanced WildFire analyzes every unknown file for malicious intent and then distributes prevention in record time—60 times faster than the nearest competitor—to reduce the risk of patient zero.
https://docs.paloaltonetworks.com/cloud-ngfw-aws/administration/protect/cloud-delivered-security-services
A company with Palo Alto Networks NGFWs protecting its physical data center servers is experiencing a performance issue on its Active Directory (AD) servers due to high numbers of requests and updates the NGFWs are placing on the servers. How can the NGFWs be enabled to efficiently identify users without overloading the AD servers?
Configure Cloud Identity Engine to learn the users' IP address-user mappings from the AD authentication logs.
Configure an NGFW as a GlobalProtect gateway, then have all users run GlobalProtect Windows SSO to gather user information.
Configure data redistribution to redistribute IP address-user mappings from a hub NGFW to the other spoke NGFWs.
Configure an NGFW as a GlobalProtect gateway, then have all users run GlobalProtect agents to gather user information.
When high traffic from Palo Alto Networks NGFWs to Active Directory servers causes performance issues, optimizing the way NGFWs gather user-to-IP mappings is critical. Palo Alto Networks offers multiple ways to collect user identity information, and Cloud Identity Engine provides a solution that reduces the load on AD servers while still ensuring efficient and accurate mapping.
Option A (Correct): Cloud Identity Engine allows NGFWs to gather user-to-IP mappings directly from Active Directory authentication logs or other identity sources without placing heavy traffic on the AD servers. By leveraging this feature, the NGFW can offload authentication-related tasks and efficiently identify users without overloading AD servers. This solution is scalable and minimizes the overhead typically caused by frequent User-ID queries to AD servers.
Option B: Using GlobalProtect Windows SSO to gather user information can add complexity and is not the most efficient solution for this problem. It requires all users to install GlobalProtect agents, which may not be feasible in all environments and can introduce operational challenges.
Option C: Data redistribution involves redistributing user-to-IP mappings from one NGFW (hub) to other NGFWs (spokes). While this can reduce the number of queries sent to AD servers, it assumes the mappings are already being collected from AD servers by the hub, which means the performance issue on the AD servers would persist.
Option D: Using GlobalProtect agents to gather user information is a valid method for environments where GlobalProtect is already deployed, but it is not the most efficient or straightforward solution for the given problem. It also introduces dependencies on agent deployment, configuration, and management.
How to Implement Cloud Identity Engine for User-ID Mapping:
Enable Cloud Identity Engine from the Palo Alto Networks console.
Integrate the Cloud Identity Engine with the AD servers to allow it to retrieve authentication logs directly.
Configure the NGFWs to use the Cloud Identity Engine for User-ID mappings instead of querying the AD servers directly.
Monitor performance to ensure the AD servers are no longer overloaded, and mappings are being retrieved efficiently.
Device-ID can be used in which three policies? (Choose three.)
Security
Decryption
Policy-based forwarding (PBF)
SD-WAN
Quality of Service (QoS)
The question asks about the policies where Device-ID, a feature of Palo Alto Networks NGFWs, can be applied. Device-ID enables the firewall to identify and classify devices (e.g., IoT, endpoints) based on attributes like device type, OS, or behavior, enhancing policy enforcement. Let’s evaluate its use across the specified policy types.
Step 1: Understand Device-ID
Device-ID leverages the IoT Security subscription and integrates with the Strata Firewall to provide device visibility and control. It uses data from sources like DHCP, HTTP headers, and machine learning to identify devices and allows policies to reference device objects (e.g., “IP Camera,” “Medical Device”). This feature is available on PA-Series firewalls running PAN-OS 10.0 or later with the appropriate license.
A large global company plans to acquire 500 NGFWs to replace its legacy firewalls and has a specific requirement for centralized logging and reporting capabilities.
What should a systems engineer recommend?
Combine Panorama for firewall management with Palo Alto Networks' cloud-based Strata Logging Service to offer scalability for the company's logging and reporting infrastructure.
Use Panorama for firewall management and to transfer logs from the 500 firewalls directly to a third-party SIEM for centralized logging and reporting.
Highlight the efficiency of PAN-OS, which employs AI to automatically extract critical logs and generate daily executive reports, and confirm that the purchase of 500 NGFWs is sufficient.
Deploy a pair of M-1000 log collectors in the customer data center, and route logs from all 500 firewalls to the log collectors for centralized logging and reporting.
A large deployment of 500 firewalls requires a scalable, centralized logging and reporting infrastructure. Here's the analysis of each option:
Option A: Combine Panorama for firewall management with Palo Alto Networks' cloud-based Strata Logging Service to offer scalability for the company's logging and reporting infrastructure
The Strata Logging Service (or Cortex Data Lake) is a cloud-based solution that offers massive scalability for logging and reporting. Combined with Panorama, it allows for centralized log collection, analysis, and policy management without the need for extensive on-premises infrastructure.
This approach is ideal for large-scale environments like the one described in the scenario, as it ensures cost-effectiveness and scalability.
This is the correct recommendation.
Option B: Use Panorama for firewall management and to transfer logs from the 500 firewalls directly to a third-party SIEM for centralized logging and reporting
While third-party SIEM solutions can be integrated with Palo Alto Networks NGFWs, directly transferring logs from 500 firewalls to a SIEM can lead to bottlenecks and scalability issues. Furthermore, relying on third-party solutions may not provide the same level of native integration as the Strata Logging Service.
This is not the ideal recommendation.
Option C: Highlight the efficiency of PAN-OS, which employs AI to automatically extract critical logs and generate daily executive reports, and confirm that the purchase of 500 NGFWs is sufficient
While PAN-OS provides AI-driven insights and reporting, this option does not address the requirement for centralized logging and reporting. It also dismisses the need for additional infrastructure to handle logs from 500 firewalls.
This is incorrect.
Option D: Deploy a pair of M-1000 log collectors in the customer data center, and route logs from all 500 firewalls to the log collectors for centralized logging and reporting
The M-1000 appliance is an on-premises log collector, but it has limitations in terms of scalability and storage capacity when compared to cloud-based options like the Strata Logging Service. Deploying only two M-1000 log collectors for 500 firewalls would result in potential performance and storage challenges.
This is not the best recommendation.
Which two actions should a systems engineer take when a customer is concerned about how to remain aligned to Zero Trust principles as they adopt additional security features over time? (Choose two)
Turn on all licensed Cloud-Delivered Security Services (CDSS) subscriptions in blocking mode for all policies.
Apply decryption where possible to inspect and log all new and existing traffic flows.
Use the Best Practice Assessment (BPA) tool to measure progress toward Zero Trust principles.
Use the Policy Optimizer tool to understand security rules allowing users to bypass decryption.
When adopting additional security features over time, remaining aligned with Zero Trust principles requires a focus on constant visibility, control, and adherence to best practices. The following actions are the most relevant:
Why "Apply decryption where possible to inspect and log all new and existing traffic flows" (Correct Answer B)?Zero Trust principles emphasize visibility into all traffic, whether encrypted or unencrypted. Without decryption, encrypted traffic becomes a blind spot, which attackers can exploit. By applying decryption wherever feasible, organizations ensure they can inspect, log, and enforce policies on encrypted traffic, thus adhering to Zero Trust principles.
Why "Use the Best Practice Assessment (BPA) tool to measure progress toward Zero Trust principles" (Correct Answer C)?The BPA tool provides detailed insights into the customer’s security configuration, helping measure alignment with Palo Alto Networks’ Zero Trust best practices. It identifies gaps in security posture and recommends actionable steps to strengthen adherence to Zero Trust principles over time.
Why not "Turn on all licensed Cloud-Delivered Security Services (CDSS) subscriptions in blocking mode for all policies" (Option A)?While enabling CDSS subscriptions (like Threat Prevention, URL Filtering, Advanced Threat Prevention) in blocking mode can enhance security, it is not an action specifically tied to maintaining alignment with Zero Trust principles. A more holistic approach, such as decryption and BPA analysis, is critical to achieving Zero Trust.
Why not "Use the Policy Optimizer tool to understand security rules allowing users to bypass decryption" (Option D)?Policy Optimizer is used to optimize existing security rules by identifying unused or overly permissive policies. While useful, it does not directly address alignment with Zero Trust principles or help enforce decryption.
Which three known variables can assist with sizing an NGFW appliance? (Choose three.)
Connections per second
Max sessions
Packet replication
App-ID firewall throughput
Telemetry enabled
When sizing a Palo Alto Networks NGFW appliance, it's crucial to consider variables that affect its performance and capacity. These include the network's traffic characteristics, application requirements, and expected workloads. Below is the analysis of each option:
Option A: Connections per second
Connections per second (CPS) is a critical metric for determining how many new sessions the firewall can handle per second. High CPS requirements are common in environments with high traffic turnover, such as web servers or applications with frequent session terminations and creations.
This is an important sizing variable.
Option B: Max sessions
Max sessions represent the total number of concurrent sessions the firewall can support. For environments with a large number of users or devices, this metric is critical to prevent session exhaustion.
This is an important sizing variable.
Option C: Packet replication
Packet replication is used in certain configurations, such as TAP mode or port mirroring for traffic inspection. While it impacts performance, it is not a primary variable for firewall sizing as it is a specific use case.
This is not a key variable for sizing.
Option D: App-ID firewall throughput
App-ID throughput measures the firewall's ability to inspect traffic and apply policies based on application signatures. It directly impacts the performance of traffic inspection under real-world conditions.
This is an important sizing variable.
Option E: Telemetry enabled
While telemetry provides data for monitoring and analysis, enabling it does not significantly impact the sizing of the firewall. It is not a core variable for determining firewall performance or capacity.
This is not a key variable for sizing.
TESTED 10 Jul 2026
Copyright © 2014-2026 CertsBoard. All Rights Reserved