Palo Alto Networks PSE-SoftwareFirewall Exam Practice Test Instant Access

Question 1

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.

How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

AEdit the IP address of all of the affected VMs.

BCreate a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.

CSend the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.

DCreate a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).

Answer : B

Creating a New Virtual Switch:

By creating a new virtual switch, you can segment the network within the ESXi environment. The VM-Series firewall can then be used to provide security controls between these virtual switches using virtual wire mode.

Palo Alto Networks VM-Series Deployment Guide

Moving Guests to New Virtual Switch:

Guests requiring additional security are moved to the new virtual switch, allowing the VM-Series firewall to inspect and control traffic between the switches. This setup does not necessitate changes to the existing IP addresses or default gateways of the VMs.

Palo Alto Networks VM-Series Virtual Wire Mode

Question 2

Which two public cloud platforms does the VM-Series plugin support? (Choose two.)

AIBM Cloud

BOCI

CAmazon Web Services (AWS)

DAzure

Answer : C, D

The VM-Series plugin supports integration with multiple public cloud platforms, including:

Amazon Web Services (AWS): The VM-Series firewalls can be deployed in AWS to provide comprehensive security for cloud applications and data, leveraging AWS's native services and integration capabilities.

Azure: The VM-Series firewalls also integrate with Microsoft Azure, offering advanced security features and policies for applications and data hosted in Azure's cloud environment.

Palo Alto Networks VM-Series on AWS: VM-Series on AWS

Palo Alto Networks VM-Series on Azure: VM-Series on Azure

Question 3

With which two private cloud environments does Palo Alto Networks have deep integrations? (Choose two.)

ACisco ACI

BVMware NSX-T

CNutanix

DDell APEX

Answer : A, B

Palo Alto Networks has deep integrations with:

Cisco ACI: Integration with Cisco Application Centric Infrastructure (ACI) allows for automated security provisioning and enforcement within the Cisco data center environment, leveraging the tight coupling of network and security policies.

VMware NSX-T: Integration with VMware NSX-T enables advanced security features and visibility within VMware's software-defined data center (SDDC) environment, facilitating automated security policies and enforcement across virtualized workloads.

Palo Alto Networks Integration with Cisco ACI: Cisco ACI Integration

Palo Alto Networks Integration with VMware NSX-T: VMware NSX-T Integration

Question 4

Which technology allows for granular control of east-west traffic in a software-defined network?

AMicrosegmentation

BMAC Access Control List

CRouting

DVirtualization

Answer : A

Microsegmentation is a security technique that enables granular control of east-west traffic within a software-defined network. By dividing the network into smaller segments, each with its own security policies, microsegmentation allows for detailed control over communication between workloads, thereby reducing the attack surface and preventing lateral movement of threats within the network.

Palo Alto Networks Microsegmentation Guide: Microsegmentation Guide

VMware NSX Microsegmentation: NSX Microsegmentation

Question 5

Which two features of CN-Series firewalls protect east-west traffic between pods in different trust zones? (Choose two.)

AIntrusion prevention system (IPS)

BCommunication with Panorama

CExternal load balancer (ELB)

DLayer 7 visibility

Answer : A, D

Intrusion Prevention System (IPS): The CN-Series firewalls incorporate an Intrusion Prevention System to detect and prevent exploits and attacks on applications and systems. This feature is essential for securing east-west traffic, as it can identify and block threats within the data center traffic between pods in different trust zones.

Layer 7 Visibility: CN-Series firewalls provide Layer 7 (application layer) visibility, enabling deep inspection of application traffic. This allows the firewall to understand and enforce policies based on the application and its behavior, rather than just ports and protocols, ensuring comprehensive security for east-west traffic within a Kubernetes environment.

Palo Alto Networks CN-Series Datasheet: CN-Series Datasheet

Palo Alto Networks CN-Series Documentation: CN-Series Documentation

Question 6

Which two criteria are required to deploy VM-Series firewalls in high availability (HA)? (Choose two.)

AConfiguration of asymmetric routing

BAssignment of identical licenses and subscriptions

CDeployment on a different host

DDeployment on same type of hypervisor

Answer : B, D

For deploying VM-Series firewalls in high availability (HA), it is crucial to ensure that both firewalls in the HA pair have identical licenses and subscriptions to ensure feature parity and uninterrupted service during failover. Additionally, both firewalls must be deployed on the same type of hypervisor to ensure compatibility and proper synchronization of state and configurations between the active and passive units.

Palo Alto Networks High Availability Guide: HA Requirements

Palo Alto Networks VM-Series Deployment Guide: High Availability

Question 7

What do tags allow a VM-Series firewall to do in a virtual environment?

AIntegrate with security information and event management (SIEM) solutions.

BEnable machine learning (ML).

CProvide adaptive reporting.

DAdapt Security policy rules dynamically.

Answer : D

Tags in a VM-Series firewall environment allow administrators to dynamically adjust security policy rules based on changes within the virtual environment. These tags can be used to label and categorize virtual machines (VMs) or other entities within the environment, and policies can be created to automatically respond to these tags. This facilitates adaptive security measures that align with the current state and requirements of the environment.

Palo Alto Networks VM-Series Deployment Guide: Dynamic Address Groups and Tags

Palo Alto Networks PSE-SoftwareFirewall Palo Alto Networks Systems Engineer (PSE): Software Firewall Professional Exam Practice Test