Correct Answer: B

Explanation: Secure Sockets Layer (SSL) Inbound Inspection is the offering that can gain visibility and prevent an attack by a malicious actor attempting to exploit a known web server vulnerability using encrypted communication. SSL Inbound Inspection is a feature that allows the firewall to decrypt and inspect inbound SSL/TLS traffic from external clients to internal servers. SSL Inbound Inspection can gain visibility and prevent an attack by a malicious actor attempting to exploit a known web server vulnerability using encrypted communication by applying threat prevention technologies, such as antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, data filtering, and WildFire analysis, to the decrypted traffic and blocking any malicious content or activity. OCSP, Advanced URL Filtering (AURLF), and WildFire are not offerings that can gain visibility and prevent an attack by a malicious actor attempting to exploit a known web server vulnerability using encrypted communication, but they are related solutions that can enhance security and visibility. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [SSL Inbound Inspection], [Threat Prevention Datasheet]

Correct Answer: C

Explanation: Containers are the elements that a CN-Series firewall can secure traffic between. Containers are isolated units of software that run on a shared operating system and have their own resources, dependencies, and configuration. A CN-Series firewall can inspect and enforce security policies on traffic between containers within a pod, across pods, or across namespaces in a Kubernetes cluster. Host containers, source applications, and IPods are not valid elements that a CN-Series firewall can secure traffic between. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [CN-Series Concepts], [What is a Container?]

Correct Answer: A

Explanation: Containers are uniquely suitable for runtime security based on allow lists because containers have only a few defined processes that should ever be executed. Developers can specify the processes that are allowed to run in a container using a Dockerfile, but this does not guarantee that only those processes will run at runtime. Therefore, using an allow list approach can prevent any unauthorized or malicious processes from running in a container2. References: Container Security

Correct Answer: D

Explanation: CN-Series firewall prevents exfiltration by inspecting outbound traffic content and blocking suspicious activity. Exfiltration is a technique used by attackers to steal sensitive data or assets from a compromised network or system, usually by sending them to an external destination, such as a command and control server, a drop zone, or an email address. CN-Series firewall is a containerized firewall that integrates with Kubernetes and provides visibility and control over container traffic. CN-Series firewall prevents exfiltration by inspecting outbound traffic content and blocking suspicious activity using threat prevention technologies, such as antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, data filtering, and WildFire analysis. CN-Series firewall does not prevent exfiltration by employing custom-built signatures based on hash, distributing incoming virtual private cloud (VPC) traffic across the pool of VM-Series firewalls, or providing a license deactivation API key, as those are not valid or relevant methods for exfiltration prevention. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [CN-Series Concepts], [CN-Series Deployment Guide for Native K8], [Threat Prevention Datasheet], [What is Exfiltration?]

Correct Answer: C

Explanation: Address groups are the type of groups that allow sharing cloud-learned tags with on-premises firewalls. Address groups are dynamic objects that can include IP addresses or tags as members. Cloud-learned tags are tags that are assigned to cloud resources by cloud providers or third-party tools. By using address groups with cloud- learned tags, you can apply consistent security policies across your hybrid cloud environment. References: [Address Groups]