Question 1. Which answer best describes the sales cycle role that a Security Lifecycle Review provides?
A. It can provide automated enforcement for best practices when a single NGFW is left at the customer for six months or more.
B. It is a way to use a prospect’s own data to show where the Palo Alto Networks Security Operating Platform can help them.
C. It is a way to show the kind of reports that can be generated after a customer purchases a comprehensive security platform from Palo Alto Networks.
D. It often lengthens the firewall sales cycle because it takes so much time.
Question 2. When should a Security Lifecycle Review be run?
A. for existing customers as a health check and for potential customers to help build a business case for Palo Alto Networks
B. only for existing customers, to determine features and functions of the security environment that are not fully or properly utilized
C. only for potentially new customers, to expose the security weaknesses of their existing security environment
D. primarily for helping Customer Support learn more about support cases
Question 3. Which statement describes the BPA Report password?
A. defined at report generation time and is required to view the password-protected report
B. must be 13 characters long but once entered is never again required
C. the same as the Panorama or firewall admin password and is required to access the report generator
D. allows access to encrypted data stored by the firewall and uploaded to the Support Portal
Question 4. For Tap mode installation of an NGFW to collect data for an SLR, where is the NGFW placed?
A. off a SPAN port of a switch that sees all north-south traffic of the network to be reviewed
B. between an internal database server and its backup server
C. between the internet and existing perimeter security competitive firewalls
D. off a SPAN port of a firewall that will be the competition for the NGFW
Question 5. Cortex XDR analyzes logs from which source?
A. Prisma SaaS logs
B. Palo Alto Networks Cortex Data Lake
C. Panorama distributed log collectors
D. syslog servers
Question 6. How does use of User-ID in a security rule help implement the Palo Alto Networks security posture?
A. specifies the exfiltration zones to which security profiles apply
B. increases the attack surface to support positive enforcement
C. reduces the attack surface to support Zero Trust
D. specifies traffic data pattern matching to support Zero Trust
Question 7. How can an analyst identify which cloud-based data is accessible by outside users that have credentials?
A. view a SaaS Risk Assessment report
B. define a Cortex XDR Alert for outside access to cloud-based data
C. generate a Data Access report from the Monitor page of the next-generation firewall
D. view the data section of an SLR report
Question 8. To configure a firewall to collect data for an SLR, the interface that is connected to the customer’s switch’s SPAN port should be which zone type?
C. Virtual Wire
Question 9. Which file should be used to provide data for a BPA or Heatmap?
A. Tech Support File
B. exported Traffic log csv
C. SaaS Risk Assessment report
D. exported config file
Question 10. Which tool most directly helps a customer’s engineer to systematically check a previous engineer’s Palo Alto Networks NGFW configuration for general cyber hygiene?
A. Aperture Explore Assets tool
B. Best Practices Analysis tool
C. NGFW ACC page
Question 11. Click Remote Command Execution in the left navigation panel and scroll down to show the visualization of the alert. We only see a red arrow, indicating that: The above image is from the Cortex XDR demo script that describes exploring an alert. Which answer best completes the demo script after the words “indicating that”?
A. the blue line, representing sessions going the other direction, is hidden by the red line.
B. no sessions are going the other direction, from the Private network to 10.10.1.104.
C. this is the first time this behavior is seen from this user, and the behavior is anomalous.
D. 83 sessions between 10.10.1.104 and the Private network were blocked.
Question 12. To configure a firewall to collect data for an SLR, what should the WildFire® action be in the Antivirus Profile attached to the security rule used by the interface receiving customer traffic?
A. “alert” for FTP and HTTP, and “reset both” for all other decoders
B. “default” for all actions
C. “alert” for all actions
D. “reset client” for all actions
Question 13. After a Tech Support File is uploaded to the partner portal to create a BPA report, what does Zone Mapping do?
A. When the Tech Support File is from Panorama and reflects multiple firewalls, it allows a user to specify whether each firewall is physical or virtual.
B. It allows a user to map each zone in the Tech Support File to its area of architecture, such as internet, DMZ, remote/VPN, or other areas.
C. It allows a user an additional opportunity to specify source and destination zones for firewall rules analyzed in the BPA.
D. It allows a user to rename zones for clarity in the BPA report.
Question 14. Which selections should be used for applications, destinations, and users in the Security policy rule used by a firewall to collect data for an SLR?
A. pre-logon, any, trust
B. any, any, untrust
C. any, any, any
D. pre-logon, all-palo-alto-base, trust
Question 15. Which option describes how samples can be used between the NGFW and WildFire®?
A. WildFire sends samples of malicious code to the NGFW, which then uses those samples to compare with traffic flowing through it.
B. The firewall sends unknown files to WildFire, which does a threat analysis of the sample and generates new signatures when threats are identified.
C. The firewall sends a configurable distribution of random traffic samples to WildFire, which determines firewall configuration errors based on those samples.
D. The firewall samples WildFire data every five minutes and adds any threats found to its WildFire Security Profile.
Question 16. Which action or configuration contributes to positive enforcement?
A. configuring a rule that allows traffic only for specific applications to reach a zone
B. configuring a rule that allows all traffic between zones but logs that traffic
C. defining zones according to business needs to access those zones
D. configuring a security profile that logs all spyware.
Question 17. What should be specified in Antivirus, Anti-Spyware, URL Filtering, and Vulnerability Protection profiles when a firewall is configured to collect data for an SLR?
A. an HTTPS application exception
B. selection of “critical” and “high” severity for alerts
C. packet capture
D. profile name of “default”
Question 18. In an attack intended to exfiltrate data, the attack’s first landing in the target network is not its target server. Which three steps are likely to be part of the continuation of that attack? (Choose three.)
A. obtaining credentials
B. accessing sensitive servers
C. probing the network
D. denial of service
Question 19. How do security rules and security profiles work together to create security policy?
A. Security rules specify what happens to traffic that an attached security profile would otherwise allow.
B. Security profiles specify what happens to traffic that an attached security rule blocks.
C. Security profiles specify what happens to traffic that an attached security rule would otherwise allow.
D. The firewall forwards traffic when it finds either a security rule or a security profile that allows that traffic.
Question 20. Which answer describes Security Lifecycle Reviews?
A. They are based on non-intrusive collection of data.
B. They are limited to use with competitive security products documented as compatible with SLR data collection.
C. They provide value only after a customer purchases Palo Alto Networks security products.
D. They provide value only before a customer purchases Palo Alto Networks security products.
Question 21. What does WildFire® do when a file or URL is uploaded to it by an NGFW?
A. WildFire replies to the NGFW with a hash of a signature that matches the sent file or URL.
B. WildFire updates PAN-OS® software with its analysis and the NGFW gets that information the next time it updates PAN-OS® software.
C. WildFire provides a WildFire Analysis Profile back to the NGFW to be attached to the rule that allowed the file or URL.
D. WildFire determines a verdict of Benign, Grayware, Malware, or Phishing.
Question 22. What does the Cortex Data Lake do?
A. tracks all firewall uses of logs including log export to syslog, email servers, Panorama, SNMP, and HTTP servers
B. collects logs from all firewalls in a deployment, reformats them, and provides them to the firewall running the service
C. logs and tracks operational errors that occur in any firewalls in a single environment and provides a report of those errors to Panorama
D. feeds network Security logs and Endpoint Protection logs into a data lake that is used by applications in the Cortex Hub
Question 23. When an NGFW is set up to collect data for an SLR, from where on the customer network does data flow to the NGFW?
A. from an ingress port on a customer router
B. from the customer’s internet service provider link
C. from an egress port on a customer switch
D. from a SPAN port on a customer switch
Question 24. Which feature or option helps find the security rule that allowed traffic from a particular application at a particular time?
A. WildFire® verdict
B. log at NGFW Monitor > Traffic
C. BPA heatmap
D. Prisma SaaS Risk Assessment Report
Question 25. To prepare for data collection for an SLR, what needs to be done about licenses and dynamic updates?
A. Licenses and dynamic updates are configured on the firewall.
B. The customer can use their existing licenses and dynamic updates.
C. Licenses and dynamic updates are provided by the Partner Portal or Support Portal as part of deal registration.
D. The firewall is in Tap mode so licenses and dynamic updates are unnecessary.
Question 26. How is the data in a Stats Dump file made available for SLR Report creation?
A. fed through the Cortex Data Lake and made available to the SLR app
B. uploaded directly from the firewall to the Partner Portal
C. automatically pulled by Panorama and uploaded to the Partner Portal
D. downloaded from the firewall to a computer, then uploaded when requested from the Partner Portal
Question 27. A customer evolving its computing from on-premises through private cloud, public cloud, and SaaS computing has which three main security challenges? (Choose three.)
A. With manual processes, managing policy and investigating incidents across multiple cloud environments and various tools can be difficult.
B. If they keep remnants from each step in their evolution, the resulting security architecture can be so fragmented that it is impossible to operate.
C. Security cannot be made consistent across the different places applications are deployed.
D. With cloud computing, small human errors can result in sensitive data being exposed to scripts and bots that scan the internet for public leaks.
E. Security processes in the cloud environment cannot be automated so the benefits of cloud computing cannot be fully leveraged.
Question 28. Which answer best describes the meaning of the above picture in the context of Palo Alto Networks Security Lifecycle Reviews?
A. Firewalls involved in Security Lifecycle Reviews use wireless interfaces only.
B. The firewall in Tap mode connects to a switch and does not impact customer traffic at all.
C. Firewalls can connect only to customer switches, they cannot connect to customer routers.
D. The firewall essentially is a router on a stick.
Question 29. What does the Cortex XDR application provide?
A. a way to scale institutional security to very large independent sovereign states
B. visibility into a monitored environment
C. behavioral analytics on data from a monitored environment
D. enforcement of Security policy into a monitored environment
Question 30. Prisma SaaS addresses which kind of security?
B. data center
C. inline network
Question 31. Which tool would provide an existing NGFW customer configuration analysis and recommendations based on best practice checks?
A. Prisma SaaS
B. Cortex XDR
C. NGFW Custom reports
Question 32. To configure a firewall for SLR data collection, how is the data to be logged specified?
A. from Monitor > Manage Custom Reports on the firewall web interface
B. by a Security Policy rule on the firewall
C. from the Partner Portal or Support Portal
D. with an ACL on the customer switch SPAN port
Question 33. Logs can be used in the Security Operating Platform in which three ways? (Choose three.)
A. An analyst can view applications with the most sessions and highest risk applications with the most sessions from the Application Command Center.
B. Cortex XDR can use logs to build a baseline of behavior and identify abnormal behavior against that.
C. The firewall can receive logs from other devices sent through a syslog server and incorporate those logs in its reports.
D. The firewall can automatically reconfigure security profiles when there are too many logs for a specific commodity threat.
E. The Security Lifecycle Review can use logs to discover applications and threats present in an environment.
Question 34. A BPA Heatmap is filtered by source and destination zone. What does this mean for the Heatmap display?
A. Security rules in the Heatmap’s firewall will be reconfigured to limit traffic to the specified source and destination.
B. Profile adoption will be shown only for rules with that source and destination.
C. The virtual router in the Heatmap’s firewall will route traffic from the specified source to the specified destination.
D. Traffic shown will be limited to the specified source and destination.
Question 35. To create a BPA report without a registered opportunity, which URL is accessed?
A. Partner Portal
B. Support Portal
C. NGFW Security Portal
D. Customer Success Portal
Question 36. Which demo of the Palo Alto Networks Security Operating Platform can show a customer how to determine who has access to a certain Box cloud storage file?
B. Prisma SaaS
Question 37. Which product can be characterized as an API-based CASB?
A. Cortex XDR
C. Prisma SaaS
Question 38. How can User-ID connectivity be verified for an NGFW?
A. Check traffic load on the network’s LDAP server.
B. Check WMI logs.
C. Check the CPU load on the network’s domain controller.
D. Check Device > User Identification > User Mapping > Server Monitoring.
Question 39. How are dynamic content updates for the NGFW checked?
A. From Device > Dynamic Updates, click Check Now once.
B. From Device > Dynamic Updates, click Check Now once for Antivirus, then once again for Application, Prisma Access, Threats, and WildFire® updates.
C. From Device > Dynamic Updates, click Check Now once each for Antivirus, Application, Prisma Access, Threats, and WildFire® updates.
D. Log in to the Partner Portal or Customer Success Portal, and specify the IP address of the firewall to receive dynamic updates.
Question 40. Which process yields a Tech Support File that is ready for upload?
A. Click Device > Support > Generate Tech Support File from the NGFW web interface, then download the file to a computer.
B. Download the Tech Support File from the support website, load it into the firewall, and click Device > Support > Generate Tech Support File.
C. Click Device > Support > Generate Tech Support File from the NGFW web interface.
D. From Monitor > PDF Reports, select Tech Support File, and specify a location to save the file.
Question 41. Which demo would you present to showcase abnormalities in network traffic?
B. Cortex XDR
D. Best Practices Analysis Report
Question 42. What does a BPA adoption Heatmap show?
A. the feature sets of a particular firewall that are currently licensed
B. the feature sets of a particular firewall that actually are used
C. the rules of a particular firewall that are hit most often
D. the distribution of traffic among firewall ports
Question 43. How can an external list of malicious domains be leveraged by an NGFW?
A. Content-ID technology combines results from WildFire® analysis with administrator-defined policies to inspect and control content traversing the firewall, using data loss prevention techniques in a single, unified engine.
B. The external list can be specified as a URL in a security rule’s zone configuration to block traffic from the zone containing these domains.
C. The external list can be specified as an External Dynamic List in an Anti-Spyware Security Profile that need not be attached to a security rule.
D. An Anti-Spyware Profile can define access to any of the domains on the list to be an application, and the profile can use App-ID to block that application.
Question 44. What is the difference between a BPA Report for a registered opportunity and a report without a registered opportunity?
A. Reports for registered opportunities are based on Tech Support Files and reports outside of registered opportunities are based on Prospect Tech Support Files.
B. The report for a registered opportunity is free, but there is a fee for generating a report when there is no registered opportunity.
C. There is no difference between the two reports.
D. Reports for registered opportunities include information about licensing entered when the opportunity was registered.
Answer: A,B is wrong
Question 45. How does Cortex XDR identify behavioral anomalies?
A. comparing new traffic and host profile data to a baseline of normal customer-specific activity built by analyzing collected data over 30 days and
B. comparing customer behavior to known behaviors found in environments with good security hygiene
C. comparing differences among data from Traps, Prisma SaaS, the Next-Generation firewall, and Prisma Access agents
D. comparing customer traffic behavior to a huge database of that customer’s competitors’ traffic behavior
E. comparing customer behavior with a current list of abnormal behavior
Answer: B,C are wrong
Question 46. What allows an SLR evaluation firewall to collect data to obtain information about who is sending or receiving traffic?
A. Data about who sends or receives traffic is not collected for an SLR.
B. User-ID is configured on the firewall.
C. Syslog data is uploaded while the SLR report is generated.
D. The customer provides endpoint Traffic logs.
Answer: D is wrong
Question 47. What is the correct order of activity to create an SLR report?
A. upload Stats Dump file, access the Partner Portal, select the Opportunity, provide Report Input Filters
B. access the Partner Portal, click TRACK DEALS, provide Report Input Filters, upload Stats Dump file
C. upload Stats Dump file, click TRACK DEALS, select the Opportunity, provide Account Information, provide Report Input Filters
D. access the Partner Portal, select Opportunity, click TRACK DEALS, upload Stats Dump file, provide Account Information
Answer: A is wrong
Question 48. Which part of the Palo Alto Networks Security Operating Platform helps customers accelerate their consumption of innovative cloud security offerings?
A. Cortex Hub
B. Prisma SaaS
C. Cortex XDR
D. Generation Alpha Firewall
Answer: B,C are wrong
Question 49. Which product protects against threats moving between servers in the cloud?
A. Prisma Access
B. Prisma SaaS
C. next-generation firewall VM
D. Cortex XDR
Answer: B,D are wrong
Question 50. What is the purpose of the “Executive Summary” section of the SLR?
A. summarize the BOM for a large proposal
B. summarize pricing to address issues identified by an SLR
C. show the Sensitive Lost Resource properties in one place
D. highlight key findings
Answer: C is wrong
Question 51. Which file should be uploaded to the Security Lifecycle Review tool?
A. SaaS Risk Assessment report
B. Stats Dump file
C. SLR report csv
D. exported config file
Answer: C,D are wrong
Question 52. Which comparison does a BPA Report present?
A. a customer’s NGFW configuration against best practices
B. customer breaches against those that would be blocked by a properly licensed and configured firewall
C. signatures in the firewall against signatures available from WildFire®
D. a customer’s configuration against the results of a customer interview
Answer: B is wrong
Question 53. Which function or feature describes an advantage of Prisma SaaS?
A. Every application secured provides its own security analysis and management tools.
B. Prisma SaaS provides consistent security across SaaS applications.
C. Prisma SaaS security rules are imported from any vendor’s firewalls.
D. Prisma SaaS essentially is a single management point for cloud-native security across multiple cloud service vendors.
Answer: D is wrong
Question 54. Which option best describes the role of App-ID in Palo Alto Networks NGFW security policy?
A. The firewall automatically disallows a competitor’s applications for security reasons.
B. App-ID is the firewall’s way of identifying which user’s traffic is associated with an application.
C. Application recognition is considered as part of the NGFW security rule matching process.
D. App-ID allows administrators to rename standard applications with internal nicknames.
Answer: B is wrong