After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish. Which of the following actions will resolve this issue?
Correct Answer: B
The Proxy IDs (or Traffic Selectors) define the local and remote subnets that are allowed to communicate over the IPSec tunnel. If the Proxy IDs on the Palo Alto Networks firewall do not match the configuration on the Cisco ASA, the tunnel will fail to establish because the firewalls won't agree on which traffic to encrypt. Ensuring that the Proxy IDs match between the Palo Alto Networks firewall and the Cisco ASA will resolve the issue.
Question 2
An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service. Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?
Correct Answer: A
To begin sending logs to Strata Logging Service while continuing to forward them to Panorama log collectors, the necessary configuration is to enable Cloud Logging. This option is configured in the Cloud Logging section under Device # Setup # Management in the appropriate templates. Once enabled, this ensures that logs are directed both to the Strata Logging Service (cloud) and to the Panorama log collectors.
Question 3
A firewall administrator uses Panorama to manage a fleet of firewalls. After successfully onboarding the firewalls to Strata Logging Service and enabling cloud logging via a template, the security operations team reports that they can no longer see new logs on the on-premises Panorama log collectors. Logs are appearing correctly in Strata Logging Service. Which setting was likely missed in the Panorama template configuration?
Correct Answer: B
When integratingStrata Logging Service(formerly Cortex Data Lake) into a managed environment, Panorama-managed firewalls change their default logging behavior. By default, once a firewall is configured to send logs to the Strata Logging Service, it assumes the cloud is the primary destination. If an administrator wishes to maintain visibility on local,on-premises Panorama log collectorssimultaneously, they must explicitly enable a specific setting. The setting is located underDevice # Setup # Management # Logging and Storage Settings. Specifically, there is an option to"Send logs to both Panorama and Strata Logging Service"(or similar wording depending on the PAN-OS version, often referred to as duplicate logging). If this checkbox is not enabled within the Template or Template Stack pushed to the managed firewalls, the firewall will favor the cloud destination and cease sending logs to the on-premises Log Collector. While aLog Forwarding Profile(Option C) determineswhichlogs are sent (e.g., security, threat, traffic), the underlying transport mechanism to Panorama is governed by the Device Setup. If the firewalls were previously logging to Panorama correctly and the only change was the addition of Strata Logging Service, the "Log to both" toggle is the most probable missing component. This ensures that the firewall's log forwarding process forks the data to both the cloud infrastructure and the local collector group infrastructure.
Question 4
An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility. Which approach meets these requirements?
Correct Answer: C
This approach meets all the requirements for securing east-west traffic within each Kubernetes cluster, maintaining consistent security policies across on-premises and cloud environments, and allowing for dynamic scaling of the CN-Series NGFWs as containerized workloads spin up or down. By using Kubernetes- native deployment tools (such as Helm), the CN-Series NGFWs can be deployed and scaled dynamically within each cluster. Local insertion into the service mesh or CNI ensures that the NGFW can inspect traffic at the appropriate points within the cluster. Centralized management via Panorama ensures that security policies are uniform across both on-premises and cloud environments, providing visibility and control across all clusters.
Question 5
Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?
Correct Answer: B
When building a custom report on a Palo Alto Networks NGFW, you can select detailed logs that provide specific insights into various aspects of firewall activity. The available options for detailed logs typically include: Traffic logs: These provide information on the network traffic passing through the firewall. Threat logs: These logs capture data related to identified security threats, such as malware or intrusion attempts. Data filtering logs: These logs capture events related to data filtering policies, such as preventing the transfer of sensitive data. User-ID logs: These logs associate user identities with the traffic and activities observed on the firewall, enabling user-based policy enforcement.