A network security engineer at a 24/7 online retailer is upgrading an active/passive high availability (HA) cluster of PAN-OS firewalls. The primary goal is to perform the upgrade with no service interruption to online transactions. The engineer has already downloaded the new software to both devices.
Which sequence of actions will meet this requirement?
An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML.
Which two actions meet the criteria? (Choose two.)
Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?
Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)
A network security engineer is reviewing the dynamic update settings for a fleet of firewalls in a financial institution that has a policy prioritizing operational stability above all else. The engineer notes that the current content update threshold is set to 24 hours.
Following the Palo Alto Networks recommended best practices for mission-critical deployments, which adjustment should be made to the threshold?
When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?
Which CLI command is used to configure the management interface as a DHCP client?
An administrator is troubleshooting a newly configured site-to-site VPN between a PAN-OS firewall and a third-party policy-based VPN gateway. The tunnel allows traffic between the first pair of configured subnets, but traffic to a newly added remote subnet is failing. The administrator has confirmed that routing and Security policies are correct.
What is the most likely cause of this issue?
An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provide both resilience across multiple Availability Zones and the ability to scale horizontally.
Which combination of AWS services and Palo Alto Networks components is required for this use case?
When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?
A network security engineer is designing a resilient architecture for inspecting traffic in Google Cloud Platform (GCP). The design must ensure that firewall service is maintained even if a single GCP zone becomes unavailable.
Which architecture should be used for the VM-Series firewalls in this use case?
A network administrator is configuring path monitoring for a primary static route to ensure immediate failback from a backup route. The administrator wants the primary route to become active again without any delay as soon as its path is restored.
Which preemptive hold time value should the administrator configure to achieve this immediate failback?
A network administrator needs to replace the default self-signed certificate on a firewall with one signed by the company's internal certificate authority (CA).
Which two firewall features would require this new certificate to be assigned via an SSL/TLS service profile? (Choose two.)
A network engineer observes that after a primary link recovers, the firewall immediately switches traffic back from the backup static route to the primary static route. The engineer checks the path monitoring configuration for the primary route.
Which value is configured for the preemptive hold time to cause this behavior?
Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?
A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.
Which configuration in CIE supports this requirement with highest operational efficiency?
An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.
What is the recommended method to achieve this goal?
After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish.
Which of the following actions will resolve this issue?
After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a 30-45 second delay before traffic started flowing through a Link Aggregation Control Protocol (LACP) aggregate interface on the newly active firewall.
What should have been configured to support LACP pre-negotiation to minimize LACP convergence delay?
Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?
When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?
What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?
When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?
An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?
An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.
Which two configurations are required to implement this authentication fallback strategy? (Choose two.)
A security administrator is hardening the ingress zone of an NGFW. The goal is to prevent attacks that rely on malformed IP address packets with incorrect header lengths or invalid TCP packets that have both the SYN and FIN flags set.
Within which section of a Zone Protection profile should these protections be configured?
A firewall administrator uses Panorama to manage a fleet of firewalls. After successfully onboarding the firewalls to Strata Logging Service and enabling cloud logging via a template, the security operations team reports that they can no longer see new logs on the on-premises Panorama log collectors. Logs are appearing correctly in Strata Logging Service.
Which setting was likely missed in the Panorama template configuration?
How does a Palo Alto Networks NGFW respond when the preemptive hold time is set to 0 minutes during configuration of route monitoring?
An administrator must perform several actions on a fleet of firewalls from a central Panorama instance. To maintain efficiency, the administrator wants to only perform actions that do not require switching context into each firewall's individual web interface.
Which set of actions is available to the administrator directly from the Panorama UI?
Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?
An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.
Which approach meets these requirements?