A company requires that all file transfers over HTTP (tcp/80 and tcp/8080) to SaaS storage be inspected for data exfiltration. Traffic to encrypted HTTPS SaaS storage cannot be inspected because of the company's decryption restrictions.
When using a security profile group, which Security policy configuration meets this requirement?
A. One with data filtering to inspect all HTTP traffic on the web-browsing application using application-default for the service.
B. One with URL filtering and file blocking to block all file uploads to the URL category online-storage-and-backup, then set the service to tcp/80 and tcp/8080.
C. One with data filtering and the service set to tcp/80 and tcp/8080, then verify the block threshold is set to "1" to stop exfiltration.
D. One with data filtering and an application filter that matches "file-sharing" applications, then set the service to tcp/80 and tcp/8080.
To comply with new regulations, a company requires that all traffic logs related to the "HR-App" application across all Security policies be sent to a compliance syslog server. A Log Forwarding profile already exists to send logs to a default syslog server.
What is the most efficient process for configuring an NGFW to comply with the new regulations without disrupting the existing traffic logs being sent to the default syslog server?
A. Edit the existing Log Forwarding profile by adding a new match list consisting of a Log Forwarding filter for the application named "HR-App" to direct logs to the compliance syslog server.
B. Create a new Log Forwarding profile, update the profile with the details of the compliance syslog server, and attach the profile to the relevant Security policy rule.
C. Edit the existing Log Forwarding profile, add a new entry, use the filter builder to match on application "HR-App," and add the details for the compliance syslog server.
D. Create a Log Forwarding profile and enable the predefined filter for "Application." In the associated dropdown, select or create a new application object with the name "HR-App," and add the details for the compliance syslog server.
Which aspect of a network's current health does the Strata Cloud Manager (SCM) Device Health dashboard provide?
A. Health trends based on which CVEs are not remediated.
B. Health score based on current physical hardware issues detected.
C. Health score based on security profile feature adoption.
D. Health trends for firewalls filtered by how long the issue has been experienced.
Which log type should be checked first using Log Viewer when a user reports being unable to access a specific website?
A. Firewall/URL
B. Firewall/Traffic
C. Firewall/Threat
D. Firewall/DNS Security
What is the most granular method for ensuring that traffic to a firewall's public IP address on the public interface is translated to the private IP address of the web server?
A. Create one NAT policy, ensure the policy has the original packet destination IP as the public IP address and the translated packet destination IP as the private IP address, and mark Bi-directional as "Yes."
B. Create one NAT policy, set the source address to the public IP address and the destination address to the private IP address, and ensure Bi-directional is checked.
C. Create two static NAT policies: ensure one policy has the original packet destination IP as the public IP address and the translated packet destination IP as the private IP address, and ensure the other policy has the original packet source IP as the private IP address and the translated packet source IP as the public IP address.
D. Create one NAT policy, ensure the policy has the original packet source IP as the private IP address and the translated packet source IP as the public IP address, and mark Bi-directional as "Yes."
What are two valid pattern types in a Data Filtering profile? (Choose two.)
A. Custom Dictionary
B. Proximity Pattern
C. File Properties
D. Regular Expression
A security analyst is using the Strata Cloud Manager (SCM) Policy Optimizer to create specific and focused rules. The analyst accepts the new rules from Policy Optimizer and updates the rule base, but the traffic does not hit these new rules.
Which action needs to be taken to resolve this issue?
A. Execute a push configuration
B. Remove the original Security policy rule
C. Enable the newly created Security policy rules
D. Perform a commit
Which action ensures that a Panorama push will not fail due to pending local firewall changes?
A. Commit configurations locally on the device and then repeat the same configuration from Panorama.
B. Disable "Merge with Device Candidate Config."
C. Enable "Force Template Values."
D. Enable both options "Include Device and Network Templates" and "Include Firewall Clusters."
A financial company is deploying NGFWs with the Advanced SD-WAN subscription to improve uptime and bandwidth across thousands of ATMs. The company requires that traffic flows to the internal application needed by the ATMs always use the path with the lowest latency and packet loss.
Which unique SD-WAN rule parameters meet these criteria?
A. Application/Service: "Internal Application for ATMs" → Path Selection: "Best Available Path" in Traffic Distribution Profile.
B. Application/Service: "Internal Application for ATMs" & "Management" in Path Quality Profile → Path Selection "Any."
C. Application/Service: "Internal Application for ATMs" → Path Selection "Weighted Distribution" in Traffic Distribution Profile.
D. Application/Service: "Internal Application for ATMs" & "ATM Path (Custom)" in Path Quality Profile → Path Selection "Any."
A security administrator wants to determine which action a URL Filtering profile will take on the URL "www.chatgpt.com." The firewall has a custom URL object with "www.chatgpt.com/" as a member called "Permitted-AI." The URL "www.chatgpt.com" is also categorized as "Artificial-Intelligence," "Computer-and-Internet-Info," and "Low-Risk." The URL Filtering profile has the following in descending order:
• Artificial-Intelligence set to continue
• Computer-and-Internet-Info set to block
• Low-Risk set to alert
• Permitted-AI set to allow
Which action will the URL Filtering profile take when traffic matches the "www.chatgpt.com" URL on a rule with this profile attached?
A. Continue
B. Alert
C. Allow
D. Block
A team of analysts uses four NGFWs with the Precision AI Bundle, SaaS Security Inline, and Strata Cloud Manager Pro. Collectively, this secures all company assets across the data center and two remote sites. A security incident requires the team to review a mobile user, John Doe.
During the audit, the team prompts, "How was the application experience for John Doe over the past 60 days?"
What is an expected response from Strata Copilot?
A. "The average application test score for 'john doe' over the past 60 days is 37 67."
B. "The user 'John Doe' encountered a total of 219 threats in the last 3 hours."
C. "The top three threats impacting John Doe are phishing, SQL injections, and ransomware."
D. "Your organization doesn't have ADEM."
A security administrator is building out Decryption policies and wants to decrypt according to Palo Alto Networks best practices.
Which URL categories should the administrator add to the policies?
A. Proxy avoidance and anonymizers, ransomware, unknown, web-based email, web advertisements, and not resolved.
B. Online storage and backup, web-based email, web hosting, personal sites and blogs, content delivery networks, and high-risk URL.
C. AI website generator, command and control, compromised website, encrypted DNS, and dynamic DNS.
D. Newly registered domains, internet communications and telephony, high-risk URL, insufficient content, hacking, and grayware.
DNS rewrite can only be configured on a NAT rule with which type of destination address translation?
A. Dynamic IP and Port (DIPP)
B. Dynamic IP (with session distribution)
C. Static IP
D. Dynamic IP
A security administrator is creating an Internet of Things (IoT) Security policy and needs to select behaviors for the traffic.
Which characteristic has the greatest impact on the risk level of applications?
A. Used by Malware
B. Pervasive
C. Tunnels Other Apps
D. Known Vulnerabilities
Which action ensures that sensitive information such as medical records, financial transactions, and legal communications is not decrypted while still maintaining strong security?
A. Create a log forwarding filter to exclude sensitive information.
B. Disable decryption globally to avoid exposing sensitive data.
C. Create an SSL Inbound Inspection policy to identify users sending sensitive information.
D. Create a no-decrypt policy for traffic matching specific URL categories.
An alert indicates that multiple internal endpoints are communicating with a known malicious IP address, and the analyst needs to identify the scope of this activity by using Log Viewer.
What is the first step in identifying which internal hosts have communicated with the malicious IP address and determining the extent of the communication?
A. Filter the traffic logs by the known endpoint IP addresses.
B. Filter the traffic logs by the DNS server's IP address.
C. Filter the traffic logs by the NGFWs' IP addresses.
D. Filter the traffic logs by the malicious IP address.
Based on the image below, what is a risk associated with this configuration?
A. A Min Version setting of TLSv1.3 can cause compatibility issues with legacy applications or clients.
B. Authentication algorithm selections can significantly increase resource consumption and cause performance degradation.
C. Encryption algorithms 3DES and RC4 being disabled decreases the security posture.
D. A Max Version setting of "Max" enables the use of Perfect Forward Secrecy (PFS) and cannot be decrypted.
A Palo Alto Networks NGFW for a high-security environment is being configured and requires a security profile group that includes vulnerability protection.
When configuring the action based on the severity of the threat types, what does Palo Alto Networks recommend?
A. Use action "allow" for critical, high, and medium vulnerabilities.
B. Use action "alert" for critical, high, and medium vulnerabilities.
C. Use action "default" for critical, high, and medium vulnerabilities.
D. Use action "reset-both" for critical, high, and medium vulnerabilities.
A firewall administrator is creating an application override rule to bypass Layer 7 inspection for a pre-defined application.
What is the expected behavior for Content-ID checks for this application?
A. DNS Security will have degraded performance for advanced features.
B. WildFire will only use inline-ML checks instead of sending items to the WildFire Cloud.
C. No additional security checks will occur because there is only Layer 4 handling.
D. Threat inspection will occur if the pre-defined application supports threat inspection.
When a company has a private list of allowed URLs for its users, what can be used to force the NGFWs to securely access the external dynamic list server using username/password?