An organization has a directive to adopt a Zero Trust framework focused on using identity and role-based access groups, device security and content inspection across all Security policies. To achieve this goal, an Enterprise License Agreement (ELA) was purchased, including Advanced Threat Prevention, IoT Security, and GlobalProtect.
The current security architecture uses Panorama to manage 60 NGFWs - a mix of PA-3240, PA-1410, and PA-440. Sites with PA-3240s host private application resources in the trust data center zone. All sites have an untrust zone for internet access and a users zone for managed and unmanaged endpoint devices. A transit mesh zone exists to establish site-to-site connectivity through PAN-OS SD-WAN.
Privately hosted applications include web servers, SMB and NFS file servers, and hosted Active Directory. The organization is in the process of adopting group mapping restrictions to these private applications, with daily additions of groups. It is also planning to build AI applications to assist the data teams with complex queries; these will be hosted in the large offices containing data centers, and hosting in the public cloud is being explored.
The organization uses on-premises Exchange, Dropbox, Zoom, and ChatGPT. There are a number of shadow SaaS applications that require further investigation. Users have been using Google Drive to upload confidential files within the organization by using their personal logins.
IoT devices on the network are placed on their own VLAN in the users zone. Using Device Security, all IoT devices have been categorized by asset profiles with medium or high confidence, policy sets have been imported into Panorama, and a default deny has been applied to the IoT networks.
The organization has rolled out SSL decryption and is using URL categorization for the majority of content filtering. Malicious categories, unknown and high-risk websites are blocked, with the remainder of sites set to alert.
Which deployment method should the architect suggest for enabling User-ID based rules, restricting or allowing access as close to the source as possible, while minimizing operational overhead?
A. Panorama device template for data redistribution, referencing primary and secondary Panoramas as the User-ID agent
B. Panorama device template with a group mapping profile with group allow list to reduce group update time on the firewalls
C. Cloud Identity agent to sync user groups to the Cloud Identity Engine and the firewalls
D. Cloud Directory via SCIM to sync user groups to the Cloud Identity Engine and the firewalls
Correct answer: C
Explanation: (visible to Pass4Test members only)
Question 2:
A global manufacturing organization with 50,000 employees spanning 35 countries designs advanced industrial equipment and owns significant intellectual property. The organization operates in a highly competitive market where protecting trade secrets is critical to maintaining market advantage.
Over the past 18 months, the CISO discovered that employees across the organization have adopted hundreds of GenAI applications to improve productivity. Engineers use AI coding assistants to accelerate product development, sales teams use AI tools to generate proposals, and customer service representatives use chatbots to draft responses. While this adoption has driven innovation, it has also created significant security risks.
A security audit reveals sensitive CAD files uploaded to image-generation services, proprietary source code shared with public coding assistants, and confidential customer information used in prompts. The audit identifies over 300 different GenAI applications in use, most of which had not been formally reviewed or approved.
The customer service department has also been developing internal AI applications, including a customer service copilot built on a cloud large language model (LLM) platform, an internal knowledge management assistant, and a code review tool. These internal applications access sensitive databases, customer records, and internal APIs - creating additional security concerns about exploitation or misuse.
The organization has a distributed workforce in which 60% of employees work remotely or in hybrid arrangements, accessing corporate resources and AI applications from various locations using managed and unmanaged devices. Existing network security infrastructure lacks AI-specific security capabilities.
Organization leadership wants to enable AI-driven innovation while implementing comprehensive security controls. The CISO has been tasked with developing an organization-wide GenAI governance program that protects sensitive assets without hindering productivity. The program must address both external AI applications employees are using and internal AI applications being developed by IT.
Which architectural approach best aligns with the organization's strategic objectives to enable AI innovation and protect sensitive assets?
A. Rely on existing perimeter firewalls and VPN concentrators applying standard URL filtering and data loss prevention (DLP) policies for AI traffic
B. Block external GenAI applications at the firewall and empower employees to use internally developed AI applications.
C. Deploy a cloud-delivered security platform with AI-aware controls integrated with identity and device posture
D. Segment network zones within each data center to isolate AI workloads from critical IP address repositories and monitor east-west traffic
Correct answer: C
Explanation: (visible to Pass4Test members only)
Question 3:
An organization wants to migrate to an SSE model using Prisma Access for hybrid workforce connectivity. Following bandwidth analysis, network engineers have identified a high-bandwidth requirement (>2 Gbps sustained throughput) to the data center for privately hosted applications (e.g., three-tier applications, active FTP and SMB file servers, EDR toolsets).
Business continuity for the organization requires the ability to use multiple cloud providers for private-application connectivity, ensuring no single cloud provider outage can disrupt operations.
The network operations team has expressed concerns about migrating to SSE with legacy routing technical debt, noting multiple redistribution protocols in place across the environment.
Which two network connectivity methods will meet the business requirements to access private applications from Prisma Access? (Choose two.)
A. Colo-Connect
B. ZTNA Connectors
C. Service connections
D. Cloud gateways
Correct answer: A, C
Explanation: (visible to Pass4Test members only)
Question 4:
An architect is designing a security solution for a large AWS environment with numerous application virtual private clouds (VPCs). These applications have diverse and sometimes conflicting inbound security requirements, making a single, unified ruleset challenging to create and maintain. The solution must secure inbound traffic for different application groups while also centrally securing all outbound and east-west traffic via an AWS Transit Gateway. Which design model recommendation will simplify rule complexity for inbound traffic while meeting all security requirements?
A. Centralized model consolidating all security functions by directing all inbound, outbound, and east-west traffic through a single, shared security VPC
B. Combined model using dedicated inbound NGFWs for logical application groups and a central NGFW for east-west and outbound traffic
C. Isolated model deploying a separate non-connected security VPC for each application VPC
D. Transit Gateway model focused on establishing connectivity by creating a full mesh of direct peering connections between all application VPCs
Correct answer: B
Explanation: (visible to Pass4Test members only)
Question 5:
A network experiences encrypted threats bypassing inspection. What is the BEST mitigation?
A. Enable SSL decryption
B. Block all HTTPS
C. Use static routes
D. Disable logging
Correct answer: A
Explanation: (visible to Pass4Test members only)
Question 6:
A global manufacturing organization has a strategic plan for rapid growth through mergers and acquisitions. Several components the organization has purchased are deemed large deployments with existing IP address schemas and allocations that conflict with the parent organization. The manufacturing organization needs access to the resources before a re-IP initiative can be completed.
All of the deployments include a variety of IoT devices. Leadership requires protection of vulnerable assets and identification of any known CVEs associated with the IoT devices. The governance, risk and compliance (GRC) team requires comprehensive non-repudiable logs to identify all IoT devices reporting "Critical (9.0+) CVE scores" for mandatory remediation.
Throughput needs to exceed the current 1 Gbps trending rate and, with expected growth, will soon scale to 5 Gbps.
Segmentation is a mandatory requirement with enclaves based on region, device type, and function.
Which off-ramp should an architect recommend to meet the requirements of the organization?
A. ZTNA Connector
B. Colo-Connect
C. Service Connection
D. GCP Network Cloud Connector
Correct answer: B
Explanation: (visible to Pass4Test members only)
Question 7:
A company needs DNS-based threat protection to block malicious domains. Which solution is appropriate?
A. URL Filtering
B. App-ID
C. QoS
D. DNS Security
Correct answer: D
Explanation: (visible to Pass4Test members only)
774 customer comments
黒*瞳 -
I just kept taking the practice tests, then sat the exam and passed easily. Thank you, Pass4Test.