A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to- business (B2B) partners to their data centers.
The solution must meet these requirements:
The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations.
The branch locations must have internet filtering and data center connectivity.
The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports.
The security team must have access to manage the mobile user and access to branch locations.
The network team must have access to manage only the partner access.
How should Prisma Access be implemented to meet the customer requirements?
ADeploy two Prisma Access instances - the first with mobile users, remote networks, and private access for all internal connection types, and the second with remote networks and private application access for B2B connections - and use the Strata Multitenant Cloud Manager Prisma Access configuration scope to manage access.
BDeploy a Prisma Access instance with mobile users, remote networks, and private access for all connection types, and use the Prisma Access Configuration scope to manage all access.
CDeploy two Prisma Access instances - the first with mobile users, remote networks, and private access for all internal connection types, and the second with remote networks and private application access for B2B connections - and use the specific configuration scope for the connection type to manage access.
DDeploy a Prisma Access instance with mobile users, remote networks, and private access for all connection types, and use the specific configuration scope for the connection type to manage access.
Which overlay protocol must a customer premises equipment (CPE) device support when terminating a Partner Interconnect-based Colo-Connect in Prisma Access?
AGeneve
BIPSec
CGRE
DDTLS
A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to- business (B2B) partners to their data centers.
The solution must meet these requirements:
The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations.
The branch locations must have internet filtering and data center connectivity.
The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports.
The security team must have access to manage the mobile user and access to branch locations.
The network team must have access to manage only the partner access.
Which two components can be provisioned to enable data center connectivity over the internet? (Choose two.)
AZTNA Connector
BSD-WAN Connector
CService connections
DColo-Connect
A large retailer has deployed all of its stores with the same IP address subnet. An engineer is onboarding these stores as Remote Networks in Prisma Access. While onboarding each store, the engineer selects the “Overlapping Subnets” checkbox.
Which Remote Network flow is supported after onboarding in this scenario?
ATo private applications
BTo the internet
CTo remote network
DTo mobile users
Which two statements apply when a customer has a large branch office with employees who all arrive and log in within a five-minute time period? (Choose two.)
ADNS results are only cached for frequently used hostnames.
BMaximum pending TCP DNS requests is 64.
CMaximum number of TCP DNS retries is 3.
DDNS results are cached for 300 seconds.
Question 6
Deployment Configuration
0
Question 7
Deployment Configuration
Question 8
Deployment Configuration
Question 9
Deployment Configuration
Question 10
Post-Deployment Configuration and Management
Question 11
Troubleshooting
Question 12
Post-Deployment Configuration and Management
Question 13
Post-Deployment Configuration and Management
Question 14
Troubleshooting
Question 15
Deployment Configuration
Question 16
Deployment Configuration
Question 17
Troubleshooting
Question 18
Deployment Configuration
Question 19
Troubleshooting
Question 20
Troubleshooting
Question 21
Post-Deployment Configuration and Management
Question 22
Troubleshooting
Question 23
Deployment Configuration
Question 24
Deployment Configuration
Question 25
Deployment Configuration
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ad
Want a break from the ads?
Become a Supporter and enjoy a completely ad-free experience, plus unlock Learn Mode, Exam Mode, AstroTutor AI, and more.
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Which statement applies when enabling multitenancy in Prisma Access (Managed by Panorama)?
AService connection licenses will be assigned only to the first tenant, and these service connections can be shared with the other tenants.
BA single tenant cannot consist solely of mobile users or solely of remote networks.
CEach tenant is allocated its own dedicated Prisma Access instances, with compute resources that are not shared across tenants.
DThere is flexibility to manage different tenants using separate Panoramas, which allows for better organization and management of the multiple tenants.
A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI and the correct website in the HTTP host header.
Which option will prevent this form of attack?
AAdvanced Threat Prevention option to block “Domain Fronting”
BAdvanced URL Filtering and block the “Malicious Behavior” category
CAdvanced URL Filtering and block “SNI mismatch with Server Certificate (SAN/CN)”
DSSL Decryption to “Block sessions on SNI mismatch with Server Certificate (SAN/CN)”
In an Explicit Proxy deployment where no agent can be used on the endpoint, which authentication method is supported with mobile users?
ALDAP
BKerberos
CSAMLD. SSO
How can an engineer verify that only the intended changes will be applied when modifying Prisma Access policy configuration in Strata Cloud Manager (SCM)?
AReview the SCM portal for blue circular indicators next to each configuration menu item and ensure only the intended areas of configuration have this indicator.
BCompare the candidate configuration and the most recent version under “Config Version Snapshots.”
CSelect the most recent job under Operations > Push Status to view the pending changes that would apply to Prisma Access.
DOpen the push dialogue in SCM to preview all changes which would be pushed to Prisma Access.
When using the traffic replication feature in Prisma Access, where is the mirrored traffic directed for analysis?
ASpecified internal security appliance
BDedicated cloud storage location
CPanorama
DStrata Cloud Manager (SCM)
Strata Logging Service is configured to forward logs to an external syslog server; however, a month later, there is a disruption on the syslog server.
Which action will send the missing logs to the external syslog server?
AConfigure a replay profile with the affected time range and associate it with the affected syslog server profile.
BDelete the affected syslog server profile and create a new one.
CExport the logs from Strata Logging Service, and then manually import them to the syslog server.
DConfigure a log filter under the syslog server profile with the affected time range.
Which two actions can a company with Prisma Access deployed take to use the Egress IP API to automate policy rule updates when the IP addresses used by Prisma Access change? (Choose two.)
AConfigure a webhook to receive notifications of IP address changes.
BCopy the Egress IP API Key in the service infrastructure settings.
CEnable the Egress IP API endpoint in Prisma Access.
DDownload a client certificate to authenticate to the Egress IP API.
A company has a Prisma Access deployment for mobile users in North America and Europe. Service connections are deployed to the data centers on these continents, and the data centers are connected by private links.
With default routing mode, which action will verify that traffic being delivered to mobile users traverses the service connection in the appropriate regions?
AConfigure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.
BConfigure each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center.
CConfigure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.
DConfigure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.
What will cause a connector to fail to establish a connection with the cloud gateway during the deployment of a new ZTNA Connector in a data center?
AThere is a misconfiguration in the DNS settings on the connector.
BThe connector is deployed behind a double NAT.
CThe connector is using a dynamic IP address.
DThere is a high latency in the network connection.
Which feature can help address a customer concern about the length of time it takes to update their SaaS-allowed IP addresses while onboarding to Prisma Access?
ADynamic IP pooling
BDNS-based load balancing
CTraffic steering
DDedicated IP addresses
What must be configured to accurately report an application's availability when onboarding a discovered application for ZTNA Connector?
Aicmp ping
Bhttps ping
Ctcp ping
Dudp ping
All mobile users are unable to authenticate to Prisma Access (Managed by Strata Cloud Manager) using SAML authentication through the Cloud Identity Engine. Users report that after entering their credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal without successful authentication, and they receive this error message:
Error: Prisma Access Portal Authentication Failed using CIE-SAML with message “400 Bad Request”
Which action will identify the root cause of this error?
AVerify the SAML metadata configuration in both Strata Cloud Manager and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
BExamine the Security policy rules in Prisma Access to ensure that traffic from the IdP is allowed and not blocked.
CVerify the SAML metadata configuration in both the Cloud Identity Engine and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
DReview the Authentication logs in Strata Cloud Manager to check for any SAML error messages or authentication failures.
When a review of devices discovered by IoT Security reveals network routers appearing multiple times with different IP addresses, which configuration will address the issue by showing only unique devices?
AAdd the duplicate entries to the ignore list in IoT Security.
BMerge individual devices into a single device with multiple interfaces.
CCreate a custom role to merge devices with the same hostname and operating system.
DDelete all duplicate devices, keeping only those discovered using their management IP addresses.
An engineer configures User-ID redistribution from an on-premises firewall connected to Prisma Access (Managed by Panorama) using a service connection. After committing the configuration, traffic from remote network connections is still not matching the correct user-based policies.
Which two configurations need to be validated? (Choose two.)
AEnsure the Remote_Network_Template is selected when adding the User-ID Agent in Panorama.
BConfirm there is a Security policy configured in Prisma Access to allow the communication on port 5007.
CConfirm the Collector Pre-Shared Keys match between Prisma Access and the on-premises firewall.
DEnsure the Service_Conn_Template is selected when adding the User-ID Agent in Panorama.
An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications.
What is a reason for this issue?
AThe rule was created with improper threat management settings.
BThe rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.
CThe rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.
DThe rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.
After configuring domain-based split tunnel for zoom.us, how is expected behavior on the client machine confirmed?
AVerify from the routing table.
BEnable dump level logs on GlobalProtect Application.
CVerify zoom.us is resolved by the tunnel assigned DNS server.
DPing zoom.us from the CLI.
An engineer deploys a new branch connected to Prisma Access. From the customer premises equipment (CPE) device at the branch, Phase 1 on the tunnel is established, but Phase 2-encrypted packets are not coming back from Prisma Access.
Which Strata Logging Service log facility should the engineer review to determine why Phase 2-encrypted traffic is not being received?
ADecrypt logs
BSystem logs
CTraffic logs
DTunnel logs
Which Cloud Identity Engine capability will create a Security policy that uses Entra ID attributes as the source identification?
AEntra ID Group Attribute
BAttribute Group Mapping
CEntra ID Cloud Group
DCloud Dynamic User Group
A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to- business (B2B) partners to their data centers.
The solution must meet these requirements:
The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations.
The branch locations must have internet filtering and data center connectivity.
The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports.
The security team must have access to manage the mobile user and access to branch locations.
The network team must have access to manage only the partner access.
How can the engineer configure mobile users and branch locations to meet the requirements?
AUse GlobalProtect and Remote Networks to filter internet traffic and provide access to data center resources using service connections.
BUse Explicit Proxy to filter internet traffic and provide access to data center resources using service connections.
CUse GlobalProtect to filter internet traffic and provide access to data center resources using service connections.
DUse Explicit Proxy and Remote Networks to filter internet traffic and provide access to data center resources using service connections.
A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to- business (B2B) partners to their data centers.
The solution must meet these requirements:
The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations.
The branch locations must have internet filtering and data center connectivity.
The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports.
The security team must have access to manage the mobile user and access to branch locations.
The network team must have access to manage only the partner access.
Which two options will allow the engineer to support the requirements? (Choose two.)
AConfigure the CPE with Static Routes pointing to Prisma Access Infrastructure and Mobile User routes.
BEnable eBGP for dynamic routing and configure RemoteNetworks.
CConfigure Remote Networks and define the branch IP subnets using Static Routes.
