
[Jul-2025] Palo Alto Networks PSE-Strata Exam Practice Test Questions - GuideTorrent
Updated Certification Exam PSE-Strata Dumps - Practice Test Questions
What is the value of Application Visibility and Control (AVC)?
One of the best ways to measure the value of Application Visibility and Control (AVC) is through the lens of a security operations center (SOC) that is utilizing a forward-looking approach to security. When a SOC has visibility into applications, they can identify threats earlier before they have a chance to impact users and respond faster by being able to isolate and remediate threats in less time. This saves them from having to engage with other teams, such as application owners or network teams, who may not have been previously involved in addressing threats.
The following example illustrates this point:
- A recent AVC customer enabled the AppTrack feature on their virtual firewall so that all TCP/UDP traffic from their web servers was being sent to a local analysis appliance. - The analysis appliance then used AppTrack to identify an application that was communicating with a known malware command and control server.
- The next day, the analysis appliance identified another similar event, but this time it also alerted another malware C2 server that was discovered during an investigation of the first alert.
- The second alert made it possible for the SOC team to take immediate action without engaging external teams because they were already aware of the first malware connection and could isolate it as soon as it re-appeared.
NEW QUESTION # 57
Which three categories are identified as best practices in the Best Practice Assessment tool? (Choose three.)
- A. use of device management access and settings
- B. use of decryption policies
- C. expose the visibility and presence of command-and-control sessions
- D. identify sanctioned and unsanctioned SaaS applications
- E. measure the adoption of URL filters. App-ID. User-ID
Answer: B,D,E
Explanation:
The Best Practice Assessment (BPA) tool provided by Palo Alto Networks helps organizations to assess and improve their security posture. The tool identifies several best practices, including:
* Use of Decryption Policies: Implementing decryption policies ensures that encrypted traffic can be inspected for threats. This is crucial for identifying and mitigating risks hidden within SSL/TLS encrypted traffic (Marks4Sure).
* Measure the Adoption of URL Filters, App-ID, User-ID: The BPA tool evaluates how effectively the organization is utilizing URL filtering, application identification (App-ID), and user identification (User-ID) to enforce security policies. These technologies are essential for granular control and visibility over network traffic (Marks4Sure).
* Identify Sanctioned and Unsanctioned SaaS Applications: The tool helps in identifying which SaaS applications are being used within the network, distinguishing between those that are sanctioned by IT and those that are not. This visibility is crucial for managing shadow IT and ensuring that only approved applications are used, reducing security risks (Marks4Sure).
NEW QUESTION # 58
Where are three tuning considerations when building a security policy to protect against modern day attacks? (Choose three)
- A. Create a WildFire profile to schedule file uploads during low network usage windows
- B. Create an SSL Decryption policy to decrypt 100% of the traffic
- C. Create an anti-spyware profile to block all spyware
- D. Create a vulnerability protection profile to block all the vulnerabilities with severity low and higher
- E. Create an antivirus profile to block all content that matches and antivirus signature
Answer: A,B,D
NEW QUESTION # 59
Which two configuration items are required when the NGFW needs to act as a decryption broker for multiple transparent bridge security chains? (Choose two.)
- A. a single pair of decryption forwarding interfaces
- B. a unique Decryption policy rule is required per security chain
- C. a unique Transparent Bridge Decryption Forwarding Profile to a single Decryption policy rule
- D. dedicated pair of decryption forwarding interfaces required per security chain
Answer: B,C
Explanation:
When configuring the NGFW to act as a decryption broker for multiple transparent bridge security chains, the following items are required:
* A unique Transparent Bridge Decryption Forwarding Profile to a single Decryption policy rule (B):
Each decryption policy rule must be associated with a unique Transparent Bridge Decryption Forwarding Profile. This ensures that decrypted traffic is forwarded appropriately to the specific security chain.
* A unique Decryption policy rule is required per security chain (C): You need to create a separate decryption policy rule for each security chain. This allows you to distribute the decrypted traffic among multiple security chains based on policy criteria.
These configurations enable the firewall to effectively manage and distribute the load across multiple security chains, ensuring optimal performance and security (Palo Alto Networks) (Palo Alto Networks)
NEW QUESTION # 60
A customer is seeing an increase in the number of malicious files coming in from undetectable sources in their network. These files include doc and .pdf file types. The customer believes that someone has clicked an email that might have contained a malicious file type. The customer already uses a firewall with User-ID enabled.
Which feature must also be enabled to prevent these attacks?
- A. Custom App-ID rules
- B. Content Filtering
- C. WildFire
- D. App-ID
Answer: C
NEW QUESTION # 61
Which User-ID method maps IP addresses to usernames for users connecting through an
802.1x-enabled wireless network device that has no native integration with PAN-OS software?
- A. XML API
- B. Port Mapping
- C. Client Probing
- D. Server Monitoring
Answer: A
NEW QUESTION # 62
Access to a business site is blocked by URL Filtering inline machine learning (ML) and considered as a false-positive.
How should the site be made available?
- A. Create a custom URL category and add it to the Security policy
- B. Disable URL Filtering inline ML
- C. Create a custom URL category and add it on exception of the inline ML profile
- D. Change the action of real-time detection category on URL filtering profile
Answer: C
Explanation:
When access to a business site is blocked by URL Filtering inline machine learning (ML) and it is identified as a false positive, the appropriate way to resolve this is to create a custom URL category and add the site to the exceptions list of the inline ML profile. This ensures that the specific URL is no longer subjected to the filtering rules applied by the inline ML, thereby allowing access to the site.
Creating a custom URL category and adding it to the exceptions of the inline ML profile ensures that the legitimate business site is accessible without completely disabling the URL Filtering inline ML feature, which would reduce overall security effectiveness.
References:
* Palo Alto Networks, URL Filtering Administration Guide.
NEW QUESTION # 63
What two advantages of the DNS Sinkholing feature? (Choose two)
- A. It can be deployed independently of an Anti-Spyware Profile.
- B. It is forging DNS replies to known malicious domains.
- C. It can work upstream from the internal DNS server.
- D. It is monitoring DNS requests passively for malware domains.
Answer: B,C
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/dns- sinkholing
NEW QUESTION # 64
Which three categories are identified as best practices in the Best Practice Assessment tool? (Choose three.)
- A. use of device management access and settings
- B. use of decryption policies
- C. expose the visibility and presence of command-and-control sessions
- D. identify sanctioned and unsanctioned SaaS applications
- E. measure the adoption of URL filters. App-ID. User-ID
Answer: B,D,E
NEW QUESTION # 65
Which two of the following are required when configuring the Domain Credential Filter method for preventing phishing attacks? (Choose two.)
- A. IP-address-to-username mapping
- B. LDAP connector
- C. Group mapping
- D. Windows User-ID agent
Answer: A,D
NEW QUESTION # 66
Which three actions should be taken before deploying a firewall evaluation unit in the customer's environment? (Choose three.)
- A. Reset the evaluation unit to factory default to ensure that data from any previous customer evaluation is removed.
- B. Inform the customer that they will need to provide a SPAN port for the evaluation unit assuming a TAP mode deployment.
- C. Request that the customs make port 3978 available to allow the evaluation unit to communicate with Panorama.
- D. Upgrade the evaluation unit to the most current recommended firmware, unless a demo of the upgrade process is planned.
- E. Set expectations around which information will be presented in the Security Lifecycle Review because sensitive information may be made visible.
Answer: A,B,D
NEW QUESTION # 67
A prospective customer wants to purchase a next-generation firewall (NGFW) and requires at least 2 million concurrent sessions with a minimum of 10Gbps of throughput with threat detection enabled.
Which tool will help quickly determine the correct size of NGFW for this customer?
- A. Quoting tool available on the Palo Alto Networks website
- B. NGFW sizing app available for iOS and Android devices
- C. Data Lake Calculator available on the Palo Alto Networks website
- D. Product Comparison tool available on the Palo Alto Networks website
Answer: D
NEW QUESTION # 68
What can be applied to prevent users from unknowingly downloading malicious file types from the internet?
- A. A file blocking profile to security policy rules that allow general web access
- B. A zone protection profile to the untrust zone
- C. An antivirus profile to security policy rules that deny general web access
- D. A vulnerability profile to security policy rules that deny general web access
Answer: A
Explanation:
To prevent users from unknowingly downloading malicious file types from the internet, a File Blocking Profile should be applied to security policy rules that allow general web access. This profile can be configured to block or alert on downloads of specific file types that are commonly used to deliver malware, providing an additional layer of protection against threats (Palo Alto Networks) (Palo Alto Networks).
NEW QUESTION # 69
Which Palo Alto Networks pre-sales tool involves approximately 4 hour interview to discuss a customer's current security posture?
- A. BPA
- B. PPA
- C. Expedition
- D. SLR
Answer: A
NEW QUESTION # 70
Which two features are found in a Palo Alto Networks NGFW but are absent in a legacy firewall product?
(Choose two.)
- A. Identification of application is possible on any port
- B. Traffic is separated by zones
- C. Policy match is based on application
- D. Traffic control is based on IP port, and protocol
Answer: A,C
Explanation:
Palo Alto Networks Next-Generation Firewalls (NGFWs) offer advanced features that are not typically found in legacy firewall products, including:
* Policy Match is Based on Application: Unlike legacy firewalls that base policies primarily on IP addresses, ports, and protocols, Palo Alto Networks NGFWs can create policies based on specific applications (App-ID). This allows for more precise control over network traffic, ensuring that only legitimate application traffic is allowed while blocking unwanted or malicious applications.
* Identification of Application is Possible on Any Port: Traditional firewalls often rely on static port numbers to identify traffic, which can be easily bypassed by applications using non-standard ports. Palo Alto Networks NGFWs can identify applications regardless of the port they use, providing more accurate application identification and better security enforcement.
These features enhance the ability to manage and secure network traffic effectively, providing superior protection compared to legacy firewall solutions.
NEW QUESTION # 71
In PAN-OS 10.0 and later, DNS Security allows policy actions to be applied based on which three domains?
(Choose three.)
- A. command and control (C2)
- B. government
- C. grayware
- D. malware
- E. benign
Answer: A,C,D
Explanation:
In PAN-OS 10.0 and later, DNS Security allows for the application of policy actions based on specific domain types, enhancing the network's security posture.
* Grayware (Option A):
* Domains associated with potentially unwanted applications or non-malicious software that may pose a security risk.
NEW QUESTION # 72
......
Updated Verified PSE-Strata dumps Q&As - Pass Guarantee or Full Refund: https://examcollection.guidetorrent.com/PSE-Strata-dumps-questions.html