Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Paloalto Networks PSE-Strata Professional PSE-Strata-Pro-24 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam PSE-Strata-Pro-24 Premium Access

View all detail and faqs for the PSE-Strata-Pro-24 exam

Go to Exam

418 Students Passed

89% Average Score

93% Same Questions

Viewing page 1 out of 2 pages

Viewing questions 1-10 out of questions

Questions # 1:

The PAN-OS User-ID integrated agent is included with PAN-OS software and comes in which two forms? (Choose two.)

Options:

Integrated agent

GlobalProtect agent

Windows-based agent

Cloud Identity Engine (CIE)

Questions # 2:

What are the first two steps a customer should perform as they begin to understand and adopt Zero Trust principles? (Choose two)

Options:

Understand which users, devices, infrastructure, applications, data, and services are part of the network or have access to it.

Enable relevant Cloud-Delivered Security Services (CDSS) subscriptions to automatically protect the customer's environment from both internal and external threats.

Map the transactions between users, applications, and data, then verify and inspect those transactions.

Implement VM-Series NGFWs in the customer’s public and private clouds to protect east-west traffic.

Questions # 3:

A prospective customer has provided specific requirements for an upcoming firewall purchase, including the need to process a minimum of 200,000 connections per second while maintaining at least 15 Gbps of throughput with App-ID and Threat Prevention enabled.

What should a systems engineer do to determine the most suitable firewall for the customer?

Options:

Upload 30 days of customer firewall traffic logs to the firewall calculator tool on the Palo Alto Networks support portal.

Download the firewall sizing tool from the Palo Alto Networks support portal.

Use the online product configurator tool provided on the Palo Alto Networks website.

Use the product selector tool available on the Palo Alto Networks website.

Questions # 4:

A customer sees unusually high DNS traffic to an unfamiliar IP address. Which Palo Alto Networks Cloud-Delivered Security Services (CDSS) subscription should be enabled to further inspect this traffic?

Options:

Advanced Threat Prevention

Advanced WildFire

Advanced URL Filtering

Advanced DNS Security

Answer

Explanation

The appropriate CDSS subscription to inspect and mitigate suspicious DNS traffic is Advanced DNS Security. Here’s why:

Advanced DNS Security protects against DNS-based threats, including domain generation algorithms (DGA), DNS tunneling (often used for data exfiltration), and malicious domains used in attacks. It leverages machine learning to detect and block DNS traffic associated with command-and-control servers or other malicious activities. In this case, unusually high DNS traffic to an unfamiliar IP address is likely indicative of a DNS-based attack or malware activity, making this the most suitable service.

Option A: Advanced Threat Prevention (ATP) focuses on identifying and blocking sophisticated threats in network traffic, such as exploits and evasive malware. While it complements DNS Security, it does not specialize in analyzing DNS-specific traffic patterns.

Option B: Advanced WildFire focuses on detecting and preventing file-based threats, such as malware delivered via email attachments or web downloads. It does not provide specific protection for DNS-related anomalies.

Option C: Advanced URL Filtering is designed to prevent access to malicious or inappropriate websites based on their URLs. While DNS may be indirectly involved in resolving malicious websites, this service does not directly inspect DNS traffic patterns for threats.

Option D (Correct): Advanced DNS Security specifically addresses DNS-based threats. By enabling this service, the customer can detect and block DNS queries to malicious domains and investigate anomalous DNS behavior like the high traffic observed in this scenario.

How to Enable Advanced DNS Security:

Ensure the firewall has a valid Advanced DNS Security license.

Navigate to Objects > Security Profiles > Anti-Spyware.

Enable DNS Security under the "DNS Signatures" section.

Apply the Anti-Spyware profile to the relevant Security Policy to enforce DNS Security.

[References:, Palo Alto Networks Advanced DNS Security Overview: https://www.paloaltonetworks.com/dns-security, Best Practices for DNS Security Configuration., ]

Questions # 5:

Device-ID can be used in which three policies? (Choose three.)

Options:

Security

Decryption

Policy-based forwarding (PBF)

SD-WAN

Quality of Service (QoS)

Answer

A, B, E

Explanation

The question asks about the policies where Device-ID, a feature of Palo Alto Networks NGFWs, can be applied. Device-ID enables the firewall to identify and classify devices (e.g., IoT, endpoints) based on attributes like device type, OS, or behavior, enhancing policy enforcement. Let’s evaluate its use across the specified policy types.

Step 1: Understand Device-ID

Device-ID leverages the IoT Security subscription and integrates with the Strata Firewall to provide device visibility and control. It uses data from sources like DHCP, HTTP headers, and machine learning to identify devices and allows policies to reference device objects (e.g., “IP Camera,” “Medical Device”). This feature is available on PA-Series firewalls running PAN-OS 10.0 or later with the appropriate license.

[Reference: PAN-OS Administrator’s Guide - Device-ID (docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/device-id)., Step 2: Define Policy Types, Palo Alto NGFWs support various policy types, each serving a distinct purpose:, Security: Controls traffic based on source, destination, application, user, and device., Decryption: Manages SSL/TLS decryption based on traffic attributes., Policy-Based Forwarding (PBF): Routes traffic based on predefined rules., SD-WAN: Manages WAN traffic with performance-based routing (requires SD-WAN subscription)., Quality of Service (QoS): Prioritizes or limits bandwidth for traffic., Device-ID’s applicability depends on whether a policy type supports device objects as a match criterion., Step 3: Evaluate Each Option, A. Security, Description: Security policies (Policies > Security) define allow/deny rules for traffic, using match criteria like source/destination IP, zones, users, applications, and devices., Device-ID Integration: With Device-ID enabled, security policies can use device objects (e.g., “IP Camera”) in the Source or Destination fields. This allows granular control, such as blocking untrusted IoT devices or allowing specific device types., Example: A rule allowing only “Windows Laptops” to access a server., Fit: Supported and a primary use case for Device-ID., Reference: PAN-OS Device-ID in Security Policies (docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-device-id-in-a-security-policy)., B. Decryption, Description: Decryption policies (Policies > Decryption) determine which traffic to decrypt or bypass, based on source, destination, service, or URL category., Device-ID Integration: Starting in PAN-OS 10.0, decryption policies support device objects as match criteria. This enables selective decryption based on device type (e.g., decrypt traffic from “IoT Sensors” but not “Corporate Laptops”)., Example: Bypassing decryption for privacy-sensitive medical devices., Fit: Supported and enhances decryption granularity., Reference: PAN-OS Decryption with Device-ID (docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-decryption-policy#device-id)., C. Policy-Based Forwarding (PBF), Description: PBF policies (Policies > Policy Based Forwarding) route traffic to specific interfaces or next hops based on source, destination, application, or service., Device-ID Integration: PBF supports source IP, zones, users, and applications but does not include device objects as a match criterion in PAN-OS documentation up to version 10.2. Device-ID is not listed as a supported attribute for PBF rules., Limitations: PBF focuses on routing, not device-specific enforcement., Fit: Not supported., Reference: PAN-OS PBF Configuration (docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding)., D. SD-WAN, Description: SD-WAN policies (Policies > SD-WAN) optimize WAN traffic across multiple links, using application and performance metrics (requires SD-WAN subscription)., Device-ID Integration: SD-WAN policies focus on link selection and application performance, not device attributes. Device-ID is not a match criterion in SD-WAN rules per PAN-OS 10.2 documentation., Limitations: SD-WAN leverages App-ID and path quality, not device classification., Fit: Not supported., Reference: PAN-OS SD-WAN Policies (docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/sd-wan)., E. Quality of Service (QoS), Description: QoS policies (Policies > QoS) prioritize, limit, or guarantee bandwidth for traffic based on source, destination, application, or user., Device-ID Integration: QoS policies support device objects as match criteria, allowing bandwidth control based on device type (e.g., prioritize “VoIP Phones” over “Smart TVs”)., Example: Limiting bandwidth for IoT devices to prevent network congestion., Fit: Supported and aligns with Device-ID’s purpose., Reference: PAN-OS QoS with Device-ID (docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/quality-of-service/configure-qos-policy#device-id)., Step 4: Select the Three Policies, Based on PAN-OS capabilities:, Security (A): Device-ID enhances security rules with device-based enforcement., Decryption (B): Device-ID allows selective decryption based on device classification., Quality of Service (E): Device-ID enables device-specific bandwidth management., Why not C or D? , PBF (C): Lacks Device-ID support, focusing on routing rather than device attributes., SD-WAN (D): Prioritizes link performance over device classification., Step 5: Verification with Palo Alto Documentation, Security: Explicitly supports Device-ID (PAN-OS Policy Docs)., Decryption: Confirmed in PAN-OS 10.0+ (Decryption Docs)., QoS: Device-ID integration documented (QoS Docs)., PBF and SD-WAN: No mention of Device-ID in policy match criteria (PBF and SD-WAN Docs)., Thus, the verified answers are A, B, E., , , ]

Questions # 6:

Which two compliance frameworks are included with the Premium version of Strata Cloud Manager (SCM)? (Choose two)

Options:

Payment Card Industry (PCI)

National Institute of Standards and Technology (NIST)

Center for Internet Security (CIS)

Health Insurance Portability and Accountability Act (HIPAA)

Answer

A, B

Explanation

Step 1: Understanding Strata Cloud Manager (SCM) Premium

Strata Cloud Manager is a unified management interface for Strata NGFWs, Prisma Access, and other Palo Alto Networks solutions. The Premium version (subscription-based) includes advanced features like:

AIOps Premium: Predictive analytics, capacity planning, and compliance reporting.

Compliance Posture Management: Pre-built dashboards and reports for specific regulatory frameworks.

Compliance frameworks in SCM Premium provide visibility into adherence to standards like PCI DSS and NIST, generating actionable insights and audit-ready reports based on firewall configurations, logs, and traffic data.

[Reference: Strata Cloud Manager Documentation, "SCM Premium delivers compliance reporting for industry standards, integrating with NGFW telemetry to ensure regulatory alignment.", , , Step 2: Evaluating the Compliance Frameworks, Option A: Payment Card Industry (PCI), Analysis: The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory framework for organizations handling cardholder data. SCM Premium includes a PCI DSS Compliance Dashboard that maps NGFW configurations (e.g., security policies, decryption, Threat Prevention) to PCI DSS requirements (e.g., Requirement 1: Firewall protection, Requirement 6: Vulnerability protection). It tracks compliance with controls like network segmentation, encryption, and monitoring, critical for Strata NGFW deployments in payment environments., Evidence: Palo Alto Networks emphasizes PCI DSS support in SCM Premium for retail, financial, and e-commerce customers, providing pre-configured reports for audits., Conclusion: Included in SCM Premium., Reference: Strata Cloud Manager Premium Features Overview , "PCI DSS compliance reporting ensures cardholder data protection with automated insights.", Option B: National Institute of Standards and Technology (NIST), Analysis: NIST frameworks, notably the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, are widely adopted for cybersecurity risk management, especially in government and critical infrastructure sectors. SCM Premium offers a NIST Compliance Dashboard, aligning NGFW settings (e.g., App-ID, User-ID, logging) with NIST controls (e.g., Identify, Protect, Detect, Respond, Recover). This is key for Strata customers needing federal compliance or a risk-based approach., Evidence: Palo Alto Networks documentation highlights NIST CSF and 800-53 mapping in SCM Premium, reflecting its broad applicability., Conclusion: Included in SCM Premium., Reference: Strata Cloud Manager AIOps Premium Datasheet , "NIST compliance reporting supports risk management and regulatory adherence.", Option C: Center for Internet Security (CIS), Analysis: The CIS Controls and Benchmarks provide practical cybersecurity guidelines (e.g., CIS Controls v8, CIS Benchmarks for OS hardening). While Palo Alto Networks supports CIS principles (e.g., via Best Practice Assessments), SCM Premium documentation does not explicitly list a dedicated CIS Compliance Dashboard. CIS alignment is often manual or supplementary, not a pre-built feature like PCI or NIST., Evidence: No direct evidence in SCM Premium feature sets confirms CIS as a standard inclusion; it’s more commonly referenced in standalone tools like CIS-CAT or Expedition., Conclusion: Not included in SCM Premium., Reference: PAN-OS Administrator’s Guide (11.1) - Best Practices , "CIS alignment is supported but not a native SCM Premium framework.", Option D: Health Insurance Portability and Accountability Act (HIPAA), Analysis: HIPAA governs protected health information (PHI) security in healthcare. While Strata NGFWs can enforce HIPAA-compliant policies (e.g., encryption, access control), SCM Premium does not feature a dedicated HIPAA Compliance Dashboard. HIPAA compliance is typically achieved through custom configurations and external audits, not a pre-configured SCM framework., Evidence: Palo Alto Networks documentation lacks mention of HIPAA as a standard SCM Premium offering, unlike PCI and NIST., Conclusion: Not included in SCM Premium., Reference: Strata Cloud Manager Documentation , "HIPAA compliance is supported via NGFW capabilities, not SCM Premium dashboards.", , , Step 3: Why A and B Are Correct, A (PCI): Directly addresses a common Strata NGFW use case (payment security) with a tailored dashboard, reflecting SCM Premium’s focus on industry-specific compliance., B (NIST): Provides a flexible, widely adopted framework for cybersecurity, integrated into SCM Premium for broad applicability across sectors., Exclusion of C and D: CIS and HIPAA, while relevant to NGFW deployments, lack dedicated, pre-built compliance reporting in SCM Premium, making them supplementary rather than core inclusions., , , Step 4: Verification Against SCM Premium Features, SCM Premium’s compliance posture management explicitly lists PCI DSS and NIST (e.g., CSF, 800-53) as supported frameworks, leveraging NGFW telemetry (e.g., Monitor > Logs > Traffic) and AIOps analytics. This aligns with Palo Alto Networks’ focus on high-demand regulations as of PAN-OS 11.1 and SCM updates through March 08, 2025., Reference: Strata Cloud Manager Release Notes (March 2025), "Premium version includes PCI DSS and NIST compliance dashboards for automated reporting.", , , Conclusion, The two compliance frameworks included with the Premium version of Strata Cloud Manager are A. Payment Card Industry (PCI) and B. National Institute of Standards and Technology (NIST). These are verified by SCM Premium’s documented capabilities, ensuring Strata NGFW customers can meet regulatory requirements efficiently., , , ]

Questions # 7:

A security engineer has been tasked with protecting a company's on-premises web servers but is not authorized to purchase a web application firewall (WAF).

Which Palo Alto Networks solution will protect the company from SQL injection zero-day, command injection zero-day, Cross-Site Scripting (XSS) attacks, and IIS exploits?

Options:

Threat Prevention and PAN-OS 11.x

Advanced Threat Prevention and PAN-OS 11.x

Threat Prevention, Advanced URL Filtering, and PAN-OS 10.2 (and higher)

Advanced WildFire and PAN-OS 10.0 (and higher)

Answer

Explanation

Protecting web servers from advanced threats like SQL injection, command injection, XSS attacks, and IIS exploits requires a solution capable of deep packet inspection, behavioral analysis, and inline prevention of zero-day attacks. The most effective solution here is Advanced Threat Prevention (ATP) combined with PAN-OS 11.x.

Why "Advanced Threat Prevention and PAN-OS 11.x" (Correct Answer B)?Advanced Threat Prevention (ATP) enhances traditional threat prevention by using inline deep learning models to detect and block advanced zero-day threats, including SQL injection, command injection, and XSS attacks. With PAN-OS 11.x, ATP extends its detection capabilities to detect unknown exploits without relying on signature-based methods. This functionality is critical for protecting web servers in scenarios where a dedicated WAF is unavailable.

ATP provides the following benefits:

Inline prevention of zero-day threats using deep learning models.

Real-time detection of attacks like SQL injection and XSS.

Enhanced protection for web server platforms like IIS.

Full integration with the Palo Alto Networks Next-Generation Firewall (NGFW).

Why not "Threat Prevention and PAN-OS 11.x" (Option A)?Threat Prevention relies primarily on signature-based detection for known threats. While it provides basic protection, it lacks the capability to block zero-day attacks using advanced methods like inline deep learning. For zero-day SQL injection and XSS attacks, Threat Prevention alone is insufficient.

Why not "Threat Prevention, Advanced URL Filtering, and PAN-OS 10.2 (and higher)" (Option C)?While this combination includes Advanced URL Filtering (useful for blocking malicious URLs associated with exploits), it still relies on Threat Prevention, which is signature-based. This combination does not provide the zero-day protection needed for advanced injection attacks or XSS vulnerabilities.

Why not "Advanced WildFire and PAN-OS 10.0 (and higher)" (Option D)?Advanced WildFire is focused on analyzing files and executables in a sandbox environment to identify malware. While it is excellent for identifying malware, it is not designed to provide inline prevention for web-based injection attacks or XSS exploits targeting web servers.

[Reference: The Palo Alto Networks Advanced Threat Prevention documentation highlights its ability to block zero-day injection attacks and web-based exploits by leveraging inline machine learning and behavioral analysis. This makes it the ideal solution for the described scenario., , ]

Questions # 8:

According to a customer’s CIO, who is upgrading PAN-OS versions, “Finding issues and then engaging with your support people requires expertise that our operations team can better utilize elsewhere on more valuable tasks for the business.” The upgrade project was initiated in a rush because the company did not have the appropriate tools to indicate that their current NGFWs were reaching capacity.

Which two actions by the Palo Alto Networks team offer a long-term solution for the customer? (Choose two.)

Options:

Recommend that the operations team use the free machine learning-powered AIOps for NGFW tool.

Suggest the inclusion of training into the proposal so that the operations team is informed and confident in working on their firewalls.

Inform the CIO that the new enhanced security features they will gain from the PAN-OS upgrades will fix any future problems with upgrading and capacity.

Propose AIOps Premium within Strata Cloud Manager (SCM) to address the company’s issues from within the existing technology.

Answer

B, D

Explanation

The customer’s CIO highlights two key pain points: (1) the operations team lacks expertise to efficiently manage PAN-OS upgrades and support interactions, diverting focus from valuable tasks, and (2) the company lacked tools to monitor NGFW capacity, leading to a rushed upgrade. The goal is to recommend long-term solutions leveraging Palo Alto Networks’ offerings for Strata Hardware Firewalls. Options B and D—training and AIOps Premium within Strata Cloud Manager (SCM)—address these issues by enhancing team capability and providing proactive management tools. Below is a detailed explanation, verified against official documentation.

Step 1: Analyzing the Customer’s Challenges

Expertise Gap: The CIO notes that identifying issues and engaging support requires expertise the operations team doesn’t fully have or can’t prioritize. Upgrading PAN-OS on Strata NGFWs involves tasks like version compatibility checks, pre-upgrade validation, and troubleshooting, which demand familiarity with PAN-OS tools and processes.

Capacity Visibility: The rushed upgrade stemmed from not knowing the NGFWs were nearing capacity (e.g., CPU, memory, session limits), indicating a lack of monitoring or predictive analytics.

Long-term solutions must address both operational efficiency and proactive capacity management, aligning with Palo Alto Networks’ ecosystem for Strata firewalls.

[Reference: PAN-OS Administrator’s Guide (11.1) - Upgrade Overview, "Successful upgrades require planning, validation, and monitoring to avoid disruptions and ensure capacity is sufficient.", , , Step 2: Evaluating the Recommended Actions, Option A: Recommend that the operations team use the free machine learning-powered AIOps for NGFW tool., Analysis: AIOps for NGFW (free version) is a cloud-based tool that uses machine learning to monitor firewall health, detect anomalies, and provide upgrade recommendations. It offers basic telemetry (e.g., CPU usage, session counts) and alerts, which could have flagged capacity issues earlier. However, it lacks advanced features like automated remediation, detailed capacity planning, or integration with Strata Cloud Manager, limiting its long-term impact. Additionally, it doesn’t address the expertise gap, as the team still needs knowledge to interpret and act on insights., Conclusion: Helpful but not a comprehensive long-term solution., Reference: AIOps for NGFW Documentation , "The free version provides basic health monitoring and ML-driven insights but lacks premium features for proactive management.", Option B: Suggest the inclusion of training into the proposal so that the operations team is informed and confident in working on their firewalls., Analysis: Palo Alto Networks offers training through the Palo Alto Networks Authorized Training Partners and Cybersecurity Academy, covering PAN-OS administration, upgrades, and troubleshooting. For Strata NGFWs, courses like "Firewall Essentials: Configuration and Management (EDU-210)" teach upgrade best practices, capacity monitoring (e.g., via Device > High Availability > Resources), and support engagement., How It Solves the Issue: , Reduces reliance on external expertise by upskilling the team., Enables efficient upgrade planning (e.g., using Best Practice Assessment (BPA) tool)., Frees the team for higher-value tasks by minimizing support escalations., Long-Term Benefit: A trained team can proactively manage upgrades and capacity, addressing the CIO’s concern about expertise allocation., Conclusion: A strong long-term solution., Reference: Palo Alto Networks Training Catalog , "Training empowers operations teams to confidently manage NGFWs, including upgrades and capacity planning.", Option C: Inform the CIO that the new enhanced security features they will gain from the PAN-OS upgrades will fix any future problems with upgrading and capacity., Analysis: New PAN-OS versions (e.g., 11.1) bring features like enhanced App-ID, decryption, or ML-based threat detection, improving security. However, these don’t inherently solve upgrade complexity or capacity visibility. Capacity issues depend on hardware limits (e.g., PA-5200 Series max sessions), not software features, and upgrades still require expertise. This response oversells benefits without addressing root causes., Conclusion: Not a valid long-term solution., Reference: PAN-OS 11.1 Release Notes , "New features enhance security but do not automate upgrade processes or capacity monitoring.", Option D: Propose AIOps Premium within Strata Cloud Manager (SCM) to address the company’s issues from within the existing technology., Analysis: AIOps Premium, integrated with Strata Cloud Manager (SCM), is a subscription-based service for managing Strata NGFWs. It provides: , Predictive Analytics: Forecasts capacity needs (e.g., CPU, memory, sessions) using ML., Upgrade Planning: Recommends optimal upgrade paths and validates configurations., Proactive Alerts: Identifies issues before they escalate, reducing support calls., Centralized Management: Monitors all firewalls from SCM, integrating with existing PAN-OS deployments., How It Solves the Issue: , Prevents rushed upgrades by predicting capacity limits (e.g., via Capacity Saturation Reports)., Simplifies upgrade preparation with automated insights, reducing expertise demands., Aligns with existing Strata technology, enhancing ROI., Long-Term Benefit: Offers a scalable, proactive toolset to manage NGFWs, addressing both capacity and operational efficiency., Conclusion: A robust long-term solution., Reference: Strata Cloud Manager AIOps Premium Documentation , "AIOps Premium provides advanced capacity planning and upgrade readiness, minimizing operational burden.", , , Step 3: Why B and D Are the Best Choices, B (Training): Directly tackles the expertise gap, empowering the team to handle upgrades and capacity monitoring independently. It’s a foundational fix, ensuring long-term self-sufficiency., D (AIOps Premium in SCM): Provides a technological solution to preempt capacity issues and streamline upgrades, reducing the need for deep expertise and support escalations. It complements training by automating complex tasks., Synergy: Together, they address both human (expertise) and systemic (tools) challenges, aligning with the CIO’s goals of operational efficiency and business value., , , Step 4: How These Actions Integrate with Strata NGFWs, Training: Teaches use of PAN-OS tools like System Resources (CLI: show system resources) and Dynamic Updates for capacity and upgrade prep., AIOps Premium: Enhances Strata NGFW management via SCM, pulling telemetry (e.g., from Device > Setup > Telemetry) to predict and resolve issues., Reference: PAN-OS Administrator’s Guide (11.1) - Monitoring, "Combine training and tools like AIOps to optimize NGFW performance and upgrades.", , , ]

Questions # 9:

A company plans to deploy identity for improved visibility and identity-based controls for least privilege access to applications and data. The company does not have an on-premises Active Directory (AD) deployment, and devices are connected and managed by using a combination of Entra ID and Jamf.

Which two supported sources for identity are appropriate for this environment? (Choose two.)

Options:

Captive portal

User-ID agents configured for WMI client probing

GlobalProtect with an internal gateway deployment

Cloud Identity Engine synchronized with Entra ID

Answer

C, D

Explanation

In this scenario, the company does not use on-premises Active Directory and manages devices with Entra ID and Jamf, which implies a cloud-native and modern management setup. Below is the evaluation of each option:

Option A: Captive portal

Captive portal is typically used in environments where identity mapping is needed for unmanaged devices or guest users. It provides a mechanism for users to authenticate themselves through a web interface.

However, in this case, the company is managing devices using Entra ID and Jamf, which means identity information can already be centralized through other means. Captive portal is not an ideal solution here.

This option is not appropriate.

Option B: User-ID agents configured for WMI client probing

WMI (Windows Management Instrumentation) client probing is a mechanism used to map IP addresses to usernames in a Windows environment. This approach is specific to on-premises Active Directory deployments and requires direct communication with Windows endpoints.

Since the company does not have an on-premises AD and is using Entra ID and Jamf, this method is not applicable.

This option is not appropriate.

Option C: GlobalProtect with an internal gateway deployment

GlobalProtect is Palo Alto Networks' VPN solution, which allows for secure remote access. It also supports identity-based mapping when deployed with internal gateways.

In this case, GlobalProtect with an internal gateway can serve as a mechanism to provide user and device visibility based on the managed devices connecting through the gateway.

This option is appropriate.

Option D: Cloud Identity Engine synchronized with Entra ID

The Cloud Identity Engine provides a cloud-based approach to synchronize identity information from identity providers like Entra ID (formerly Azure AD).

In a cloud-native environment with Entra ID and Jamf, the Cloud Identity Engine is a natural fit as it integrates seamlessly to provide identity visibility for applications and data.

This option is appropriate.

[References:, Palo Alto Networks documentation on Cloud Identity Engine, GlobalProtect configuration and use cases in Palo Alto Knowledge Base, , ]

Questions # 10:

The efforts of a systems engineer (SE) with an industrial mining company account have yielded interest in Palo Alto Networks as part of its effort to incorporate innovative design into operations using robots and remote-controlled vehicles in dangerous situations. A discovery call confirms that the company will receive control signals to its machines over a private mobile network using radio towers that connect to cloud-based applications that run the control programs.

Which two sets of solutions should the SE recommend?

Options:

That 5G Security be enabled and architected to ensure the cloud computing is not compromised in the commands it is sending to the onsite machines.

That Cloud NGFW be included to protect the cloud-based applications from external access into the cloud service provider hosting them.

That IoT Security be included for visibility into the machines and to ensure that other devices connected to the network are identified and given risk and behavior profiles.

That an Advanced CDSS bundle (Advanced Threat Prevention, Advanced WildFire, and Advanced URL Filtering) be procured to ensure the design receives advanced protection.

Answer

A, C

Explanation

5G Security (Answer A):

In this scenario, the mining company operates on a private mobile network, likely powered by 5G technology to ensure low latency and high bandwidth for controlling robots and vehicles.

Palo Alto Networks 5G Security is specifically designed to protect private mobile networks. It prevents exploitation of vulnerabilities in the 5G infrastructure and ensures the control signals sent to the machines are not compromised by attackers.

Key features include network slicing protection, signaling plane security, and secure user plane communications.

IoT Security (Answer C):

The mining operation depends on machines and remote-controlled vehicles, which are IoT devices.

Palo Alto Networks IoT Security provides:

Full device visibility to detect all IoT devices (such as robots, remote vehicles, or sensors).

Behavioral analysis to create risk profiles and identify anomalies in the machines' operations.

This ensures a secure environment for IoT devices, reducing the risk of a device being exploited.

Why Not Cloud NGFW (Answer B):

While Cloud NGFW is critical for protecting cloud-based applications, the specific concern here is protecting control signals and IoT devices rather than external access into the cloud service.

The private mobile network and IoT device protection requirements make 5G Security and IoT Security more relevant.

Why Not Advanced CDSS Bundle (Answer D):

The Advanced CDSS bundle (Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering) is essential for securing web traffic and detecting threats, but it does not address the specific challenges of securing private mobile networks and IoT devices.

While these services can supplement the design, they are not the primary focus in this use case.

References from Palo Alto Networks Documentation:

5G Security for Private Mobile Networks

IoT Security Solution Brief

Cloud NGFW Overview

Viewing page 1 out of 2 pages

Viewing questions 1-10 out of questions