New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Paloalto Networks PSE-Strata Palo Alto Networks System Engineer Professional - Strata Exam Practice Test

Demo: 40 questions
Total 137 questions

Palo Alto Networks System Engineer Professional - Strata Questions and Answers

Question 1

Which two features can be enabled to support asymmetric routing with redundancy on a Palo

Alto networks next-generation firewall (NGFW)? (Choose two.)

Options:

A.

Active / active high availability (HA)

B.

Multiple virtual systems

C.

non-SYN first packet

D.

Asymmetric routing profile

Question 2

WildFire subscription supports analysis of which three types? (Choose three.)

Options:

A.

GIF

B.

7-Zip

C.

Flash

D.

RPM

E.

ISO

F.

DMG

Question 3

Within the Five-Step Methodology of Zero Trust, in which step would application access and user access be defined?

Options:

A.

Step 3: Architect a Zero Trust Network

B.

Step 5. Monitor and Maintain the Network

C.

Step 4: Create the Zero Trust Policy

D.

Step 1: Define the Protect Surface

E.

Step 2 Map the Protect Surface Transaction Flows

Question 4

Which three items contain information about Command-and-Control (C2) hosts? (Choose three.)

Options:

A.

Threat logs

B.

WildFire analysis reports

C.

Botnet reports

D.

Data filtering logs

E.

SaaS reports

Question 5

What two types of certificates are used to configure SSL Forward Proxy? (Сhoose two.)

Options:

A.

Enterprise CA-signed certificates

B.

Self-Signed certificates

C.

Intermediate certificates

D.

Private key certificates

Question 6

Which is the smallest Panorama solution that can be used to manage up to 2500 Palo Alto Networks Next Generation firewalls?

Options:

A.

M-200

B.

M-600

C.

M-100

D.

Panorama VM-Series

Question 7

The Palo Ao Networks Cloud Identity Engino (CIE) includes which service that supports identity Providers (ldP)?

Options:

A.

Directory Sync and Cloud Authentication Service that support IdP ung SAML 2.0 and OAuth2

B.

Cloud Authentication Service that supports IdP using SAML 2.0 and OAuth2

C.

Directory Sync and Cloud Authentication Service that support IdP ng SAML 2.0

D.

Directory Sync that supports IdP using SAML 2.0

Question 8

Which three script types can be analyzed in WildFire? (Choose three)

Options:

A.

PythonScript

B.

MonoSenpt

C.

JScript

D.

PowerShell Script

E.

VBScript

Question 9

In Panorama, which three reports or logs will help identify the inclusion of a host source in a command-and-control (C2) incident? (Choose three.)

Options:

A.

SaaS reports

B.

data filtering logs

C.

WildFire analysis reports

D.

threat logs

E.

botnet reports

Question 10

How often are the databases for Anti-virus. Application, Threats, and WildFire subscription updated?

Options:

A.

Anti-virus (weekly): Application (daily). Threats (weekly), WildFire (5 minutes)

B.

Anti-virus (weekly), Application (daily), Threats (daily), WildFire (5 minutes)

C.

Anti-virus (daily), Application (weekly), Threats (weekly), WildFire (5 minutes)

D.

Anti-virus (daily), Application (weekly), Threats (daily), WildFire (5 minutes)

Question 11

Which component is needed for a large-scale deployment of NGFWs with multiple Panorama Management Servers?

Options:

A.

M-600 appliance

B.

Panorama Interconnect plugin

C.

Panorama Large Scale VPN (LSVPN) plugin

D.

Palo Alto Networks Cluster license

Question 12

Select the BOM for the Prisma Access, to provide access for 5500 mobile users and 10 remote locations (100Mbps each) for one year, including Base Support and minimal logging. The customer already has 4x PA5220r 8x PA3220,1x Panorama VM for 25 devices.

Options:

A.

5500x PAN-GPCS-USER-C-BAS-1YR, 1000x PAN-GPCS-NET-B-BAS-1YR, 1x PAN-LGS-1TB-1YR

B.

5500x PAN-GPCS-USER-C-BAS-1YR, 1000x PAN-GPCS-NET-B-BAS-1YR, 1x PAN-SVC-BAS-PRA-25. 1x PAN-PRA-25

C.

5500x PAN-GPCS-USER-C-BAS-1YR, 1000x PAN-GPCS-NET-B-BAS-1YRr 1x PAN-LGS-1TB-1YR, 1x PAN-PRA-25, 1x PAN-SVC-BAS-PRA-25

D.

1x PAN-GPCS-USER-C-BAS-1YR, 1x PAN-GPCS-NET-B-BAS-1YR, 1x PAN-LGS-1TB-1YR

Question 13

A customer is designing a private data center to host their new web application along with a separate headquarters for users.

Which cloud-delivered security service (CDSS) would be recommended for the headquarters only?

Options:

A.

Threat Prevention

B.

DNS Security

C.

WildFire

D.

Advanced URL Filtering (AURLF)

Question 14

Which four steps of the cyberattack lifecycle does the Palo Alto Networks Security Operating Platform prevent? (Choose four.)

Options:

A.

breach the perimeter

B.

weaponize vulnerabilities

C.

lateral movement

D.

exfiltrate data

E.

recon the target

F.

deliver the malware

Question 15

As you prepare to scan your Amazon S3 account, what enables Prisma service permission to access Amazon S3?

Options:

A.

access key ID

B.

secret access key

C.

administrative Password

D.

AWS account ID

Question 16

A packet that is already associated with a current session arrives at the firewall.

What is the flow of the packet after the firewall determines that it is matched with an existing session?

Options:

A.

it is sent through the fast path because session establishment is not required. If subject to content inspection, it will pass through a single stream-based content inspection engine before egress.

B.

It is sent through the slow path for further inspection. If subject to content inspection, it will pass through a single stream-based content inspection engines before egress

C.

It is sent through the fast path because session establishment is not required. If subject to content inspection, it will pass through multiple content inspection engines before egress

D.

It is sent through the slow path for further inspection. If subject to content inspection, it will pass through multiple content inspection engines before egress

Question 17

Which CLI allows you to view the names of SD-WAN policy rules that send traffic to the specified virtual SD-WAN interface, along with the performance metrics?

A)

B)

C)

D)

Options:

A.

Option

B.

Option

C.

Option

D.

Option

Question 18

What are three considerations when deploying User-ID? (Choose three.)

Options:

A.

Specify included and excluded networks when configuring User-ID

B.

Only enable User-ID on trusted zones

C.

Use a dedicated service account for User-ID services with the minimal permissions necessary

D.

User-ID can support a maximum of 15 hops

E.

Enable WMI probing in high security networks

Question 19

A prospective customer currently uses a firewall that provides only Layer 4

inspection and protections. The customer sees traffic going to an external destination, port 53, but cannot determine what Layer 7 application traffic is going over that port

Which capability of PAN-OS would address the customer's lack of visibility?

Options:

A.

Device ID, because it will give visibility into which devices are communicating with external destinations over port 53

B.

single pass architecture (SPA), because it will improve the performance of the Palo Alto Networks Layer 7 inspection

C.

User-ID, because it will allow the customer to see which users are sending traffic to external destinations over port 53

D.

App-ID, because it will give visibility into what exact applications are being run over that port and allow the customer to block unsanctioned applications using port 53

Question 20

Which two features are found in a Palo Alto Networks NGFW but are absent in a legacy firewall product? (Choose two.)

Options:

A.

Traffic is separated by zones

B.

Policy match is based on application

C.

Identification of application is possible on any port

D.

Traffic control is based on IP port, and protocol

Question 21

WildFire machine learning (ML) for portable executable (PE) files is enabled in the antivirus profile and added to the appropriate firewall rules in the profile. In the Palo Alto Networks WildFire test av file, an attempt to download the test file is allowed through.

Which command returns a valid result to verify the ML is working from the command line.

Options:

A.

show wfml cloud-status

B.

show mlav cloud-status

C.

show ml cloud-status

D.

show av cloud-status

Question 22

A customer has business-critical applications that rely on the general web-browsing application. Which security profile can help prevent drive-by-downloads while still allowing web-browsing traffic?

Options:

A.

File Blocking Profile

B.

DoS Protection Profile

C.

URL Filtering Profile

D.

Vulnerability Protection Profile

Question 23

What are two ways to manually add and remove members of dynamic user groups (DUGs)? (Choose two)

Options:

A.

Add the user to an external dynamic list (EDL).

B.

Tag the user using Panorama or the Web Ul of the firewall.

C.

Tag the user through the firewalls XML API.

D.

Tag the user through Active Directory

Question 24

Which two email links, contained in SMTP and POP3, can be submitted from WildFire analysis with a WildFire subscription? (Choose two.)

Options:

A.

FTP

B.

HTTPS

C.

RTP

D.

HTTP

Question 25

Which CLI command will allow you to view latency, jitter and packet loss on a virtual SD-WAN interface?

A)

B)

C)

D)

Options:

A.

Option

B.

Option

C.

Option

D.

Option

Question 26

Which of the following statements is valid with regard to Domain Name System (DNS) sinkholing?

Options:

A.

it requires the Vulnerability Protection profile to be enabled

B.

DNS sinkholing signatures are packaged and delivered through Vulnerability Protection updates

C.

infected hosts connecting to the Sinkhole Internet Protocol (IP) address can be identified in the traffic logs

D.

It requires a Sinkhole license in order to activate

Question 27

What helps avoid split brain in active / passive high availability (HA) pair deployment?

Options:

A.

Enable preemption on both firewalls in the HA pair.

B.

Use a standard traffic interface as the HA3 link.

C.

Use the management interface as the HA1 backup link

D.

Use a standard traffic interface as the HA2 backup

Question 28

Which Security profile on the Next-Generation Firewall (NGFW) includes Signatures to protect against brute force attacks?

Options:

A.

Vulnerability Protection profile

B.

Antivirus profile

C.

URL Filtering profile

D.

Anti-Spyware profile

Question 29

Which task would be identified in Best Practice Assessment tool?

Options:

A.

identify the visibility and presence of command-and-control sessions

B.

identify sanctioned and unsanctioned SaaS applications

C.

identify the threats associated with each application

D.

identify and provide recommendations for device management access

Question 30

Prisma SaaS provides which two SaaS threat prevention capabilities? (Choose two)

Options:

A.

shellcode protection

B.

file quarantine

C.

SaaS AppID signatures

D.

WildFire analysis

E.

remote procedural call (RPC) interrogation

Question 31

An Administrator needs a PDF summary report that contains information compiled from existing reports based on data for the Top five(5) in each category Which two timeframe options are available to send this report? (Choose two.)

Options:

A.

Daily

B.

Monthly

C.

Weekly

D.

Bi-weekly

Question 32

Which three of the following actions must be taken to enable Credential Phishing Prevention? (Choose three.)

Options:

A.

Enable User Credential Detection

B.

Enable User-ID

C.

Define a Secure Sockets Layer (SSL) decryption rule base

D.

Enable App-ID

E.

Define a uniform resource locator (URL) Filtering profile

Question 33

A customer requests that a known spyware threat signature be triggered based on a rate of occurrence, for example, 10 hits in 5 seconds.

How is this goal accomplished?

Options:

A.

Create a custom spyware signature matching the known signature with the time attribute

B.

Add a correlation object that tracks the occurrences and triggers above the desired threshold

C.

Submit a request to Palo Alto Networks to change the behavior at the next update

D.

Configure the Anti-Spyware profile with the number of rule counts to match the occurrence frequency

Question 34

in which step of the Palo Alto Networks Five-Step Zero Trust Methodology would an organization's critical data, applications, assets, and services (DAAS) be identified?

Options:

A.

Step 4. Create the Zero Trust policy.

B.

Step 2: Map the transaction flows.

C.

Step 3. Architect a Zero Trust network.

D.

Step 1: Define the protect surface

Question 35

A customer with a fully licensed Palo Alto Networks firewall is concerned about threats based on domain generation algorithms (DGAS).

Which Security profile is used to configure Domain Name Security (DNS) to Identity and block

previously unknown DGA-based threats in real time?

Options:

A.

URL Filtering profile

B.

WildFire Analysis profile

C.

Vulnerability Protection profile

D.

Anti-Spyware profile

Question 36

Which CLI command allows visibility into SD-WAN events such as path Selection and path quality measurements?

Options:

A.

>show sdwan path-monitor stats vif

B.

>show sdwan session distribution policy-name

C.

>show sdwan connection all

D.

>show sdwan event

Question 37

What are two core values of the Palo Alto Network Security Operating Platform? (Choose two.}

Options:

A.

prevention of cyber attacks

B.

safe enablement of all applications

C.

threat remediation

D.

defense against threats with static security solution

Question 38

Which two products can send logs to the Cortex Data Lake? (Choose two.)

Options:

A.

AutoFocus

B.

PA-3260 firewall

C.

Prisma Access

D.

Prisma Public Cloud

Question 39

Which four actions can be configured in an Anti-Spyware profile to address command-and-control traffic from compromised hosts? (Choose four.)

Options:

A.

Quarantine

B.

Allow

C.

Reset

D.

Redirect

E.

Drop

F.

Alert

Question 40

What will best enhance security of a production online system while minimizing the impact for the existing network?

Options:

A.

Layer 2 interfaces

B.

active / active high availability (HA)

C.

Virtual wire

D.

virtual systems

Demo: 40 questions
Total 137 questions