Palo Alto Networks Certified Software Firewall Engineer Exam Practice Test

Page: 1 / 14
Total 65 questions
Question 1

Which two steps are involved in deployment of a VM-Series firewall on NSX? (Choose two.)



Answer : C, D

To deploy a VM-Series firewall on NSX, you need to enable communication between Panorama and the NSX Manager. This allows Panorama to receive information about the virtual machines and services in the NSX environment. You also need to register the VM-Series firewall as a service on the NSX Manager.This allows NSX to redirect traffic to the VM-Series firewall for inspection3. Reference:VM-Series Deployment Guide for VMware NSX


Question 2

Which two design options address split brain when configuring high availability (HA)? (Choose two.)



Answer : A, B

The two design options that address split brain when configuring high availability (HA) are:

Adding a backup HA1 interface

Using the heartbeat backup

Split brain is a condition that occurs when both firewalls in an HA pair assume the active role and start processing traffic independently, resulting in traffic duplication, policy inconsistency, or session disruption. Split brain can be caused by network failures, device failures, or configuration errors that prevent the firewalls from communicating their HA status and synchronizing their configurations and sessions. Adding a backup HA1 interface is a design option that addresses split brain when configuring HA. The HA1 interface is used for exchanging HA state information and configuration synchronization between the firewalls. Adding a backup HA1 interface provides redundancy and failover protection for the HA1 interface, ensuring that the firewalls can maintain their HA communication and avoid split brain. Using the heartbeat backup is a design option that addresses split brain when configuring HA. The heartbeat backup is a mechanism that allows the firewalls to send additional heartbeat messages through an alternate path, such as a management interface or a data interface, to verify the health of the peer firewall. Using the heartbeat backup prevents split brain caused by network failures or device failures that affect the primary HA interfaces. Bundling multiple interfaces in an aggregated interface group and assigning HA2, and sending heartbeats across the HA2 interfaces are not design options that address split brain when configuring HA, but they are related features that can enhance performance and reliability. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [High Availability Overview], [Configure HA Backup Links], [Configure Heartbeat Backup]


Question 3

When implementing active-active high availability (HA), which feature must be configured to allow the HA pair to share a single IP address that may be used as the network's gateway IP address?



Answer : B


Question 4

Which three NSX features can be pushed from Panorama in PAN-OS? (Choose three.)



Answer : A, B, C


Question 5

What is a design consideration for a prospect who wants to deploy VM-Series firewalls in an Amazon Web Services (AWS) environment?



Answer : C

A design consideration for a prospect who wants to deploy VM-Series firewalls in an Amazon Web Services (AWS) environment is that only active-passive high availability (HA) is supported. High availability (HA) is a feature that provides redundancy and failover protection for firewalls in case of hardware or software failure. Active-passive HA is a mode of HA that consists of two firewalls in a pair, where one firewall is active and handles all traffic, while the other firewall is passive and acts as a backup. Active-passive HA is the only mode of HA that is supported for VM-Series firewalls in an AWS environment, due to the limitations of AWS networking and routing. Active-active HA, which is another mode of HA that consists of two firewalls in a pair that both handle traffic and synchronize sessions, is not supported for VM-Series firewalls in an AWS environment. A design consideration for a prospect who wants to deploy VM-Series firewalls in an AWS environment is not that special AWS plugins are needed for load balancing, resources are shared within the cluster, or high availability (HA) clusters are limited to fewer than 8 virtual appliances, as those are not valid or relevant factors for firewall deployment in an AWS environment. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [High Availability Overview], [High Availability on AWS]


Question 6

How must a Palo Alto Networks Next-Generation Firewall (NGFW) be configured in order to secure traffic in a Cisco ACI environment?



Answer : B

A Palo Alto Networks Next-Generation Firewall (NGFW) must be configured to use a Layer 3 underlay network in order to secure traffic in a Cisco ACI environment. A Layer 3 underlay network is a physical network that provides IP connectivity between devices, such as routers, switches, and firewalls. A Palo Alto Networks NGFW must use a Layer 3 underlay network to communicate with the Cisco ACI fabric and receive traffic redirection from the Cisco ACI policy-based redirect mechanism. A Palo Alto Networks NGFW does not need to be deployed as a member of a device cluster, receive all forwarding lookups from the network controller, or be identified as a default gateway in order to secure traffic in a Cisco ACI environment, as those are not valid requirements or options for firewall integration with Cisco ACI. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Deploy the VM-Series Firewall on Cisco ACI], [Cisco ACI Underlay Network]


Question 7

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.

How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?



Answer : B

The partition can be accomplished without editing the IP addresses or the default gateways of any of the guest VMs by creating a new virtual switch and using the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch. A virtual switch is a software-based switch that connects virtual machines (VMs) in a VMware ESXi environment. A virtual wire is a deployment mode of the VM-Series firewall that allows it to act as a bump in the wire between two network segments, without requiring an IP address or routing configuration. By creating a new virtual switch and using the VM-Series firewall to separate virtual switches using virtual wire mode, the customer can isolate the group of VMs that require more security from the rest of the network, and apply security policies to the traffic passing through the firewall. The partition cannot be accomplished without editing the IP addresses or the default gateways of any of the guest VMs by editing the IP address of all of the affected VMs, creating a Layer 3 interface in the same subnet as the VMs and then configuring proxy Address Resolution Protocol (ARP), or sending the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it, as those methods would require changing the network configuration of the guest VMs or introducing additional complexity and latency. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Deploying Virtual Switches], [Virtual Wire Deployment], [Deploying Virtual Wire on VMware ESXi]


Page:    1 / 14   
Total 65 questions