Prisma-SD-WAN Flashcards
Question #216 Topic 1
A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the
following options and licenses were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users.
Which two settings must the customer configure? (Choose two.)
A. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the
security policy rules in Mobile_User_Device_Group.
D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of
the security policy rules in the Mobile_User_Device_Group.
B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the
security policy rules in Mobile_User_Device_Group.
for On-Prem firewalls, but you cannot directly forward Syslog from Prisma Access. You need to forward your logs to
Cortex DL (C). From there, you can forward your logs to your SIEM
Question #236 Topic 1
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by
Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information
Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?
A. Configure Prisma Access to learn group mapping via SAML assertion.
B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
C. Assign a master device in Panorama through which Prisma Access learns groups.
D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.
C. Assign a master device in Panorama through which Prisma Access learns groups.
Question #242 Topic 1
An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet.
One requirement is that no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?
A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Configure policy-based forwarding
D. Deploy Prisma SD-WAN with Prisma Access
B. Upgrade to a PAN-OS SD-WAN subscription
direct internet access offload = SDWAN
Question #287 Topic 1
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum
amount of bandwidth the administrator could configure at the compute location?
A. 90Mbps
B. 75Mbps
C. 50Mbps
D. 300Mbps
C. 50Mbps
Question #296 Topic 1
A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only Internet egress for the connected
clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses
were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
How can you configure Prisma Access to provide the same level of access as the current VPN solution?
A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet
B. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the
Internet
C. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the Internet
D. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the Internet
A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet
Question #310 Topic 1
A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator
needs to minimize the BGP configuration and management overhead on on-prem network devices.
What should the administrator implement?
A. hot potato routing
B. summarized BGP routes before advertising
C. default routing
D. target service connection for traffic steering
C. default routing
Question #420 Topic 1
An engineer is attempting to resolve an issue with slow traffic.
Which PAN-OS feature can be used to prioritize certain network traffic?
A. Prisma Access for Mobile Users
B. Forward Error Correction (FEC)
C. SaaS Quality Profile
D. Quality of Service (QoS)
D. Quality of Service (QoS)
Question #502 Topic 1
A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in Transparent Proxy mode.
Which three elements must be in place before a transparent web proxy can function? (Choose three.)
A. User-ID for the proxy zone
B. DNS Security license
C. Prisma Access explicit proxy license
D. Cortex Data Lake license
E. Authentication Policy Rule set to default-web-form
A. User-ID for the proxy zone
B. DNS Security license
E. Authentication Policy Rule set to default-web-form
Question #157 Topic 1
SD-WAN is designed to support which two network topology types? (Choose two.)
A. point-to-point
B. hub-and-spoke
C. full-mesh
D. ring
B. hub-and-spoke
C. full-mesh
Question #159 Topic 1
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)
A. branch and hub locations
B. link requirements
C. the name of the ISP
D. IP Addresses
A. branch and hub locations
B. link requirements
D. IP Addresses
Question #162 Topic 1
Panorama provides which two SD-WAN functions? (Choose two.)
A. network monitoring
B. control plane
C. data plane
D. physical network links
A. network monitoring
B. control plane
Question #237 Topic 1
What happens to traffic traversing SD-WAN fabric that doesn’t match any SD-WAN policies?
A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.
B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.
C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).
C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
Question #251 Topic 1
In a template, you can configure which two objects? (Choose two.)
A. Monitor profile
B. application group
C. SD-WAN path quality profile
D. IPsec tunnel
A. Monitor profile
D. IPsec tunnel
Question #305 Topic 1
An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has
already ended.
Where would you find this in Panorama or firewall logs?
A. System Logs
B. Session Browser
C. You cannot find failover details on closed sessions
D. Traffic Logs
D. Traffic Logs
Keyword: session that has already ended.