A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.
Which configuration in CIE supports this requirement with highest operational efficiency?
To comply with new directives mandating the use of quantum-resistant cryptography for all data-in-transit a network engineer is tasked with reconfiguring existing IKEv2 VPN tunnels between PA-Series firewalls to meet this requirement.
Which two actions should the engineer take to ensure compliance? (Choose two.)
An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.
Which approach meets these requirements?
A DevOps team is building a repeatable process for deploying new Palo Alto Networks VM-Series firewalls. The entire infrastructure, including virtual networks, subnets, and the firewalls themselves, must be defined in code to ensure consistency and enable version control.
Which tool is primarily used for this type of declarative Infrastructure as Code (IaC) provisioning?
A Palo Alto Networks firewall has the following interfaces configured:
• ethernet1/1 (Layer 3)
• ethernet1/2 (TAP)
• ethernet1/3 (Layer 2)
• ethernet1/4 (virtual wire)
An administrator needs to create a link group to monitor upstream connectivity for high availability (HA) failover.
Which set of interfaces can be added to the link group?
Which two services are configured by applying an SSL/TLS service profile? (Choose two.)
When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?
By default, which type of traffic is configured by service route configuration to use the management interface?
A network administrator is configuring path monitoring for a primary static route to ensure immediate failback from a backup route. The administrator wants the primary route to become active again without any delay as soon as its path is restored.
Which preemptive hold time value should the administrator configure to achieve this immediate failback?
What is a result of enabling split tunneling in the GlobalProtect portal configuration with the “Both Network Traffic and DNS” option?
A company is enabling SSL Forward Proxy to inspect encrypted traffic. A security engineer generates a new certificate on the firewall and flags it with the "Forward Trust" certificate property.
What is the critical next step that must be performed for decryption to function correctly without causing security warnings for end users?
Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?
When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?
An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provide both resilience across multiple Availability Zones and the ability to scale horizontally.
Which combination of AWS services and Palo Alto Networks components is required for this use case?
According to dynamic updates best practices, what is the recommended threshold value for content updates in a mission- critical network?
Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?
Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)
When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?
An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.
Which additional configuration task is required to resolve this issue?
How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?
An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.
What is the most likely cause of these widespread certificate errors?
An administrator is configuring firewalls via a Panorama template to forward logs to a newly provisioned Strata Logging Service instance. The operational requirement is to maintain existing logging to on-premises Panorama log collectors for immediate, low-latency queries while also forwarding logs to Strata Logging Service for long-term archival. The administrator has already configured and enabled cloud logging connectivity.
Which additional step is necessary to meet the operational requirement?
When an engineer creates a new VSYS on a supported firewall platform, which resource can be explicitly limited in the VSYS configuration to control its capacity?
An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface.
Which two abilities are enabled by this specific configuration step? (Choose two.)
Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)
In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?
An network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component.
Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status?
A firewall administrator needs to configure a new Palo Alto Networks firewall so that its management interface automatically obtains an IP address, netmask, and default gateway from the network.
Which command should be executed in the CLI to accomplish this goal?
What are two valid zone types that can be selected from the zone configuration menu, per Palo Alto Networks best practices? (Choose two.)
A network engineer observes that after a primary link recovers, the firewall immediately switches traffic back from the backup static route to the primary static route. The engineer checks the path monitoring configuration for the primary route.
Which value is configured for the preemptive hold time to cause this behavior?
A network security engineer is reviewing the dynamic update settings for a fleet of firewalls in a financial institution that has a policy prioritizing operational stability above all else. The engineer notes that the current content update threshold is set to 24 hours.
Following the Palo Alto Networks recommended best practices for mission-critical deployments, which adjustment should be made to the threshold?
What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?
When configuring a physical interface on a Palo Alto Networks firewall, which IP-based service is only available if the interface is set to Layer 3 mode?
A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment.
The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit.
Which two Security policy requirements must be included in the implementation plan? (Choose two.)