In an enterprise network, security administrators want to control traffic based on application behavior rather than only using IP addresses and TCP/UDP ports. Which NGFW capability MOST directly enables this requirement?
Correct Answer: C
Traditional firewalls rely on IP and port information. NGFWs use Deep Packet Inspection (DPI) and behavioral analysis to identify applications regardless of port usage, enabling application-based policies.
Question 12
An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console, without using the Context Switch feature. Which set of tasks can the administrator fully execute from the Panorama UI? (Choose one answer)
Correct Answer: C
Palo Alto Networks Panorama provides a centralized management platform that allows administrators to manage firewalls through two primary constructs:TemplatesandDevice Groups. When working directly within the Panorama UI (without switching to the firewall's context), an administrator interacts with these constructs to push configurations down to the managed devices. The tasks listed inOption Crepresent the core functionality of Panorama's hierarchical management: * Edit a post-rule:Security policies are managed withinDevice Groups. Post-rules are specific rules that appear after any locally defined rules on the firewall, allowing Panorama to enforce a "bottom-line" security posture across all managed devices. * Create a new certificate profile:Object management, including certificate profiles, is handled within Templates or Device Groups (depending on scope) and can be easily defined at the Panorama level. * Configure the firewall's hostname:System-level settings, such as hostnames, DNS, and NTP, are managed viaTemplates. Conversely, the other options include tasks that generally require a direct connection or a "Context Switch" to the specific firewall's management plane. For example, viewingreal-time session details(Option A) or the local ACC(Option B) requires querying the specific firewall's dataplane. While Panorama can trigger a software update, performing adevice reboot(Option A) or managinglocal administrator accounts(Option D) are typically performed either locally or through the context switch to ensure the administrator is interacting with the device's specific local database rather than the global Panorama template.
Question 13
Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?
Correct Answer: B
When building a custom report on a Palo Alto Networks NGFW, you can select detailed logs that provide specific insights into various aspects of firewall activity. The available options for detailed logs typically include: Traffic logs: These provide information on the network traffic passing through the firewall. Threat logs: These logs capture data related to identified security threats, such as malware or intrusion attempts. Data filtering logs: These logs capture events related to data filtering policies, such as preventing the transfer of sensitive data. User-ID logs: These logs associate user identities with the traffic and activities observed on the firewall, enabling user-based policy enforcement.
Question 14
When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?
Correct Answer: B
In the context of a Zone Protection profile, Protocol Protection is the section used to configure protections against activities such as spoofed IP addresses and split handshake session establishment attempts. These types of attacks typically involve manipulating protocol behaviors, such as IP address spoofing or session hijacking, and are mitigated by the Protocol Protection settings.
Question 15
Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?
Correct Answer: C
When configuring a new firewall virtual system (VSYS) on a Palo Alto Networks firewall, one of the resources that can be assigned is the sessions limit. This setting allows the administrator to control the number of active sessions that can be handled by the VSYS, ensuring that each virtual system has an appropriate allocation of resources based on its needs.