Palo Alto Networks Network Security Architect v1.0

Which factor must be taken into consideration when determining whether an NGFW edge architecture or a SASE architecture is appropriate to recommend to a customer planning to implement a Zero Trust Network Access (ZTNA) solution?

An organization has selected Prisma SD-WAN ION devices for use at branch offices and is working to build a low-level design for its sites. A typical branch site has a 10 Mbps MPLS with fiber LC-SR, and an RJ-45 Ethernet 50 Mbps DIA internet circuit.
There are 75 workstations and a stacked core switch that supports LACP, M-LAG, BGP, and OSPF will be used. The core switch is the default gateway for all local VLANs. The final design will determine the selection of the appropriate model and accessories for the site.
Which statement applies to the Prisma SD-WAN architecture in this use case?

An architect is designing a security solution for a large AWS environment with numerous application virtual private clouds (VPCs). These applications have diverse and sometimes conflicting inbound security requirements, making a single, unified ruleset challenging to create and maintain. The solution must secure inbound traffic for different application groups while also centrally securing all outbound and east-west traffic via an AWS Transit Gateway.
Which design model recommendation will simplify rule complexity for inbound traffic while meeting all security requirements?

A security architect needs to design a log collection architecture for a large organization with hundreds of firewalls distributed across multiple geographic regions. The primary requirement is to ensure that if a single Log Collector in any region fails, logs from the firewalls in that region will automatically be sent to another available Log Collector without manual intervention.
What is the recommended Panorama feature to achieve this level of log collection resilience?

A global organization is in the process of securing critical applications during a cloud-based migration while migrating to a cloud-first design, and it is currently performing a brownfield migration of its most critical applications — such as CRM and product intellectual property / design systems — into Azure Cloud. The organization already has an active/passive high availability (HA) NGFW deployed at its data center with multiple zones and has replicated that design into its existing Azure HA deployment.
The organization recognizes the need to modernize its security posture as critical workloads move out of the data center and users connect from anywhere. Its security model is defined by a traditional "hard shell, soft center" approach:

Zero Trust Gaps -
Current network segmentation is perimeter-based. The organization wants to expand Zero Trust principles across cloud and on-premises environments.
The network relies heavily on VLANs and IP address-based Access Control Lists (ACLs) segmented primarily by office location and broad departmental groups.
Once employees are on the corporate network (i.e., inside the "perimeter"), they have relatively wide access.
If attackers compromise a single endpoint (e.g., via a phishing email), they can easily move laterally and scan for high-value targets.

Cloud Blind Spots -
The organization uses Azure for its production environments and hosts applications that contain sensitive customer data.
Security controls in the cloud are often managed independently of the on-premises network. Access is frequently granted with overly permissive identity and access management (IAM) roles and keys based on the resource rather than the user’s real-time context or application health.

Remote User Access -
Many remote users are still hairpinning into the corporate data center just to reach internet or SaaS resources, creating latency and inefficiency.
Traditional VPN is used for remote employees.
The VPN grants access to the entire internal network segment making the remote endpoint the new, weaker perimeter. There is no continuous check on the user’s device health after the initial connection.

Visibility and Logging -
Logs are primarily stored on-premises, then forwarded to a local Security Information and Event Management (SIEM) solution. As applications move to Azure, visibility into cloud traffic and user behavior becomes fragmented.

Data Security Concern -
Sensitive data, including product design files, will now live in SaaS and cloud environments. The organization needs data security to prevent leakage and enforce compliance.

Ingress Security -
Third-party partners and suppliers require access into the data center and cloud applications, introducing risk at ingress points.
The current Microsoft Azure NGFW architecture will not support the increased traffic with the new applications being migrated.
Which architectural solution will provide scalable inspection?

A global organization is in the process of securing critical applications during a cloud-based migration while migrating to a cloud-first design, and it is currently performing a brownfield migration of its most critical applications — such as CRM and product intellectual property / design systems — into Azure Cloud. The organization already has an active/passive high availability (HA) NGFW deployed at its data center with multiple zones and has replicated that design into its existing Azure HA deployment.
The organization recognizes the need to modernize its security posture as critical workloads move out of the data center and users connect from anywhere. Its security model is defined by a traditional "hard shell, soft center" approach:

Zero Trust Gaps -
Current network segmentation is perimeter-based. The organization wants to expand Zero Trust principles across cloud and on-premises environments.
The network relies heavily on VLANs and IP address-based Access Control Lists (ACLs) segmented primarily by office location and broad departmental groups.
Once employees are on the corporate network (i.e., inside the "perimeter"), they have relatively wide access.
If attackers compromise a single endpoint (e.g., via a phishing email), they can easily move laterally and scan for high-value targets.

Cloud Blind Spots -
The organization uses Azure for its production environments and hosts applications that contain sensitive customer data.
Security controls in the cloud are often managed independently of the on-premises network. Access is frequently granted with overly permissive identity and access management (IAM) roles and keys based on the resource rather than the user’s real-time context or application health.

Remote User Access -
Many remote users are still hairpinning into the corporate data center just to reach internet or SaaS resources, creating latency and inefficiency.
Traditional VPN is used for remote employees.
The VPN grants access to the entire internal network segment making the remote endpoint the new, weaker perimeter. There is no continuous check on the user’s device health after the initial connection.

Visibility and Logging -
Logs are primarily stored on-premises, then forwarded to a local Security Information and Event Management (SIEM) solution. As applications move to Azure, visibility into cloud traffic and user behavior becomes fragmented.

Data Security Concern -
Sensitive data, including product design files, will now live in SaaS and cloud environments. The organization needs data security to prevent leakage and enforce compliance.

Ingress Security -
Third-party partners and suppliers require access into the data center and cloud applications, introducing risk at ingress points.
The organization needs to ensure data security and prevent the leakage of sensitive product design files since it is migrating to SaaS and cloud environments.
How would implementing a Next-Generation CASB (CASB-X) capability address the concerns in the scenario?

A global organization is in the process of securing critical applications during a cloud-based migration while migrating to a cloud-first design, and it is currently performing a brownfield migration of its most critical applications — such as CRM and product intellectual property / design systems — into Azure Cloud. The organization already has an active/passive high availability (HA) NGFW deployed at its data center with multiple zones and has replicated that design into its existing Azure HA deployment.
The organization recognizes the need to modernize its security posture as critical workloads move out of the data center and users connect from anywhere. Its security model is defined by a traditional "hard shell, soft center" approach:

Zero Trust Gaps -
Current network segmentation is perimeter-based. The organization wants to expand Zero Trust principles across cloud and on-premises environments.
The network relies heavily on VLANs and IP address-based Access Control Lists (ACLs) segmented primarily by office location and broad departmental groups.
Once employees are on the corporate network (i.e., inside the "perimeter"), they have relatively wide access.
If attackers compromise a single endpoint (e.g., via a phishing email), they can easily move laterally and scan for high-value targets.

Cloud Blind Spots -
The organization uses Azure for its production environments and hosts applications that contain sensitive customer data.
Security controls in the cloud are often managed independently of the on-premises network. Access is frequently granted with overly permissive identity and access management (IAM) roles and keys based on the resource rather than the user’s real-time context or application health.

Remote User Access -
Many remote users are still hairpinning into the corporate data center just to reach internet or SaaS resources, creating latency and inefficiency.
Traditional VPN is used for remote employees.
The VPN grants access to the entire internal network segment making the remote endpoint the new, weaker perimeter. There is no continuous check on the user’s device health after the initial connection.

Visibility and Logging -
Logs are primarily stored on-premises, then forwarded to a local Security Information and Event Management (SIEM) solution. As applications move to Azure, visibility into cloud traffic and user behavior becomes fragmented.

Data Security Concern -
Sensitive data, including product design files, will now live in SaaS and cloud environments. The organization needs data security to prevent leakage and enforce compliance.

Ingress Security -
Third-party partners and suppliers require access into the data center and cloud applications, introducing risk at ingress points.
Which solution will improve resilience and reduce operational overhead in this scenario?

An organization wants to modernize its legacy branch architecture. The existing architecture is rigid, complex, and ill-suited for a cloud-first strategy, creating high operational costs and latency.
The four core data centers are strategically located in Dallas, Toronto, London and Tokyo, and they are interconnected by a dedicated MPLS backbone providing reliable connectivity but incurring significant costs and offering limited bandwidth scalability.
Branches rely on MPLS or site-to-site VPN to connect to the nearest geographical data center.
All internet-bound traffic from the branches is backhauled to the data center egress firewalls. This creates latency for SaaS applications and increases bandwidth strain on the MPLS links.
The organization requires a proposal for a new WAN architecture for branch connectivity with the goal of improving security posture and SaaS application access as well as supporting local internet breakout for all branch devices, including IoT.
Which two implementations will achieve the goal of modernizing the branch architecture? (Choose two.)

An organization wants to modernize its legacy branch architecture. The existing architecture is rigid, complex, and ill-suited for a cloud-first strategy, creating high operational costs and latency.
The four core data centers are strategically located in Dallas, Toronto, London and Tokyo, and they are interconnected by a dedicated MPLS backbone providing reliable connectivity but incurring significant costs and offering limited bandwidth scalability.
Branches rely on MPLS or site-to-site VPN to connect to the nearest geographical data center.
All internet-bound traffic from the branches is backhauled to the data center egress firewalls. This creates latency for SaaS applications and increases bandwidth strain on the MPLS links.
What is the primary security posture enhancement that can be achieved in this use case by offloading data center backhaul to a PAN-OS SD-WAN model with local internet breakout for SaaS traffic?

A global organization is modernizing its data center and private cloud infrastructure. The environment consists of:
A Nutanix AHV cluster hosting critical east-west application workloads
A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps)
A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale
Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec
A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency
The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic.
VM-Series on Nutanix AHV - Resource Allocation
Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload.
VM-Series on VMware ESXi - NUMA and vCPU Placement
In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required.
Operational Integration and High Availability
With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west inspection bottlenecks.
The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns.
Which resource allocation strategy should the architect use for the VM-Series virtual machine (VM)?

A global organization is modernizing its data center and private cloud infrastructure. The environment consists of:
A Nutanix AHV cluster hosting critical east-west application workloads
A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps)
A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale
Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec
A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency
The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic.
VM-Series on Nutanix AHV - Resource Allocation
Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload.
VM-Series on VMware ESXi - NUMA and vCPU Placement
In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required.
Operational Integration and High Availability
With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west inspection bottlenecks.
The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns.
While using the VM-Series to build the NFV environment, which configuration should the architect use?

A global organization is modernizing its data center and private cloud infrastructure. The environment consists of:
A Nutanix AHV cluster hosting critical east-west application workloads
A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps)
A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale
Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec
A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency
The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic.
VM-Series on Nutanix AHV - Resource Allocation
Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload.
VM-Series on VMware ESXi - NUMA and vCPU Placement
In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required.
Operational Integration and High Availability
With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west inspection bottlenecks.
The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns.
Which PAN-OS feature will meet the CISO’s need for north-south traffic inspection?

A global organization is modernizing its data center and private cloud infrastructure. The environment consists of:
A Nutanix AHV cluster hosting critical east-west application workloads
A VMware ESXi cluster with multi-socket hosts, supporting high-throughput workloads (>10 Gbps)
A new pair of PA-5450 firewalls to secure the perimeter and handle encrypted traffic inspection at scale
Strict performance service-level agreements (SLAs) for both north-south and east-west flows, with heavy reliance on TLS 1.3 and IPSec
A Network Functions Virtualization (NFV) environment on KVM to provide high-performance security services to maximize packet throughput and minimize latency
The chief architect is tasked with ensuring that the firewall design avoids hypervisor contention optimizes non-uniform memory access (NUMA) and uses hardware features for encrypted traffic.
VM-Series on Nutanix AHV - Resource Allocation
Because the Nutanix cluster is already heavily used, the architect's main concern is preventing performance degradation of the virtual firewall. Thin provisioning or ballooning could introduce latency and unpredictability which is unacceptable for a security-sensitive workload.
VM-Series on VMware ESXi - NUMA and vCPU Placement
In the VMware ESXi environment, the architect is deploying VM-Series for workloads pushing >10 Gbps. Assigning vCPUs across NUMA nodes or oversubscribing cores would create latency due to cross-socket memory access and scheduling delays. Similarly, dedicating logical hypethreads does not provide the deterministic data plane performance required.
Operational Integration and High Availability
With performance guaranteed by correct hypervisor and hardware provisioning, the architect also considers high availability (HA). VM-Series pairs are deployed in active/passive HA across Nutanix and VMware clusters, while PA-5450s form the data center’s north-south secure perimeter deployment. This ensures resilience without introducing unnecessary east-west inspection bottlenecks.
The recommendation must be a scalable, high-performance firewall deployment aligned with enterprise SLAs and the CISO’s encrypted traffic concerns.
To optimize throughput and minimize latency, what is recommended to configure the vCPUs and NUMA for this deployment?

An organization is in the process of building a network infrastructure that is cloud first. Part of the revised architecture includes Prisma Access as demonstrated in the diagram below. The organization has selected Strata Cloud Manager (SCM) as the management method for Prisma Access and NGFWs deployed at the data center and in public cloud environments. There are 150 NGFWs in place that are used to terminate service connections and segment networks as well as to secure the data center and public cloud resources.

One of the resilience requirements is to provide highly available directory services and authentication for the NGFW and Prisma Access deployment.
Which two configurations meet the design and customer requirements in this scenario? (Choose two.)