Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Paloalto Networks PSE-Strata-Pro-24 Palo Alto Networks Systems Engineer Professional - Hardware Firewall Exam Practice Test

Palo Alto Networks Systems Engineer Professional - Hardware Firewall Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Question 1

What are the first two steps a customer should perform as they begin to understand and adopt Zero Trust principles? (Choose two)

Options:

A.

Understand which users, devices, infrastructure, applications, data, and services are part of the network or have access to it.

B.

Enable relevant Cloud-Delivered Security Services (CDSS) subscriptions to automatically protect the customer's environment from both internal and external threats.

C.

Map the transactions between users, applications, and data, then verify and inspect those transactions.

D.

Implement VM-Series NGFWs in the customer’s public and private clouds to protect east-west traffic.

Question 2

When a customer needs to understand how Palo Alto Networks NGFWs lower the risk of exploitation by newly announced vulnerabilities known to be actively attacked, which solution and functionality delivers the most value?

Options:

A.

Advanced URL Filtering uses machine learning (ML) to learn which malicious URLs are being utilized by the attackers, then block the resulting traffic.

B.

Advanced Threat Prevention's command injection and SQL injection functions use inline deep learning against zero-day threats.

C.

Single Pass Architecture and parallel processing ensure traffic is efficiently scanned against any enabled Cloud-Delivered Security Services (CDSS) subscription.

D.

WildFire loads custom OS images to ensure that the sandboxing catches any activity that would affect the customer's environment.

Question 3

Which initial action can a network security engineer take to prevent a malicious actor from using a file-sharing application for data exfiltration without impacting users who still need to use file-sharing applications?

Options:

A.

Use DNS Security to limit access to file-sharing applications based on job functions.

B.

Use App-ID to limit access to file-sharing applications based on job functions.

C.

Use DNS Security to block all file-sharing applications and uploading abilities.

D.

Use App-ID to block all file-sharing applications and uploading abilities.

Question 4

A prospective customer is interested in Palo Alto Networks NGFWs and wants to evaluate the ability to segregate its internal network into unique BGP environments.

Which statement describes the ability of NGFWs to address this need?

Options:

A.

It cannot be addressed because PAN-OS does not support it.

B.

It can be addressed by creating multiple eBGP autonomous systems.

C.

It can be addressed with BGP confederations.

D.

It cannot be addressed because BGP must be fully meshed internally to work.

Question 5

An existing customer wants to expand their online business into physical stores for the first time. The customer requires NGFWs at the physical store to handle SD-WAN, security, and data protection needs, while also mandating a vendor-validated deployment method. Which two steps are valid actions for a systems engineer to take? (Choose two.)

Options:

A.

Recommend the customer purchase Palo Alto Networks or partner-provided professional services to meet the stated requirements.

B.

Use Golden Images and Day 1 configuration to create a consistent baseline from which the customer can efficiently work.

C.

Create a bespoke deployment plan with the customer that reviews their cloud architecture, store footprint, and security requirements.

D.

Use the reference architecture "On-Premises Network Security for the Branch Deployment Guide" to achieve a desired architecture.

Question 6

A systems engineer should create a profile that blocks which category to protect a customer from ransomware URLs by using Advanced URL Filtering?

Options:

A.

Ransomware

B.

High Risk

C.

Scanning Activity

D.

Command and Control

Question 7

What is the minimum configuration to stop a Cobalt Strike Malleable C2 attack inline and in real time?

Options:

A.

Next-Generation CASB on PAN-OS 10.1

B.

Advanced Threat Prevention and PAN-OS 10.2

C.

Threat Prevention and Advanced WildFire with PAN-OS 10.0

D.

DNS Security, Threat Prevention, and Advanced WildFire with PAN-OS 9.x

Question 8

A company plans to deploy identity for improved visibility and identity-based controls for least privilege access to applications and data. The company does not have an on-premises Active Directory (AD) deployment, and devices are connected and managed by using a combination of Entra ID and Jamf.

Which two supported sources for identity are appropriate for this environment? (Choose two.)

Options:

A.

Captive portal

B.

User-ID agents configured for WMI client probing

C.

GlobalProtect with an internal gateway deployment

D.

Cloud Identity Engine synchronized with Entra ID

Question 9

Which technique is an example of a DNS attack that Advanced DNS Security can detect and prevent?

Options:

A.

High entropy DNS domains

B.

Polymorphic DNS

C.

CNAME cloaking

D.

DNS domain rebranding

Question 10

What does Policy Optimizer allow a systems engineer to do for an NGFW?

Options:

A.

Recommend best practices on new policy creation

B.

Show unused licenses for Cloud-Delivered Security Services (CDSS) subscriptions and firewalls

C.

Identify Security policy rules with unused applications

D.

Act as a migration tool to import policies from third-party vendors

Question 11

A customer sees unusually high DNS traffic to an unfamiliar IP address. Which Palo Alto Networks Cloud-Delivered Security Services (CDSS) subscription should be enabled to further inspect this traffic?

Options:

A.

Advanced Threat Prevention

B.

Advanced WildFire

C.

Advanced URL Filtering

D.

Advanced DNS Security

Question 12

Device-ID can be used in which three policies? (Choose three.)

Options:

A.

Security

B.

Decryption

C.

Policy-based forwarding (PBF)

D.

SD-WAN

E.

Quality of Service (QoS)

Question 13

A customer has acquired 10 new branch offices, each with fewer than 50 users and no existing firewall. The systems engineer wants to recommend a PA-Series NGFW with Advanced Threat Prevention at each branch location. Which NGFW series is the most cost-efficient at securing internet traffic?

Options:

A.

PA-200

B.

PA-400

C.

PA-500

D.

PA-600

Question 14

Which statement applies to the default configuration of a Palo Alto Networks NGFW?

Options:

A.

Security profiles are applied to all policies by default, eliminating implicit trust of any data traversing the firewall.

B.

The default policy action for intrazone traffic is deny, eliminating implicit trust within a security zone.

C.

The default policy action allows all traffic unless explicitly denied.

D.

The default policy action for interzone traffic is deny, eliminating implicit trust between security zones.

Question 15

As a team plans for a meeting with a new customer in one week, the account manager prepares to pitch Zero Trust. The notes provided to the systems engineer (SE) in preparationfor the meeting read: "Customer is struggling with security as they move to cloud apps and remote users." What should the SE recommend to the team in preparation for the meeting?

Options:

A.

Lead with the account manager pitching Zero Trust with the aim of convincing the customer that the team's approach meets their needs.

B.

Design discovery questions to validate customer challenges with identity, devices, data, and access for applications and remote users.

C.

Lead with a product demonstration of GlobalProtect connecting to an NGFW and Prisma Access, and have SaaS security enabled.

D.

Guide the account manager into recommending Prisma SASE at the customer meeting to solve the issues raised.

Question 16

What are two methods that a NGFW uses to determine if submitted credentials are valid corporate credentials? (Choose two.)

Options:

A.

Group mapping

B.

LDAP query

C.

Domain credential filter

D.

WMI client probing

Question 17

A company with a large Active Directory (AD) of over 20,000 groups has user roles based on group membership in the directory. Up to 1,000 groups may be used in Security policies. The company has limited operations personnel and wants to reduce the administrative overhead of managing the synchronization of the groups with their firewalls.

What is the recommended architecture to synchronize the company's AD with Palo Alto Networks firewalls?

Options:

A.

Configure a group mapping profile with custom filters for LDAP attributes that are mapped to the user roles.

B.

Configure a group mapping profile, without a filter, to synchronize all groups.

C.

Configure a group mapping profile with an include group list.

D.

Configure NGFWs to synchronize with the AD after deploying the Cloud Identity Engine (CIE) and agents.

Question 18

A systems engineer (SE) is working with a customer that is fully cloud-deployed for all applications. The customer is interested in Palo Alto Networks NGFWs but describes the following challenges:

"Our apps are in AWS and Azure, with whom we have contracts and minimum-revenue guarantees. We would use the built-in firewall on the cloud service providers (CSPs), but the need for centralized policy management to reduce human error is more important."

Which recommendations should the SE make?

Options:

A.

Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.

B.

Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice.

C.

VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license.

D.

VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP’s marketplace of choice to centrally manage the systems.