Cloud high availability (HA) strategies differ from traditional HA deployments in physical firewalls. Cloud NGFW provides cloud-native high availability options that align with cloud architectures , particularly in AWS and Azure environments .

Cloud NGFW automatically scales up or down based on traffic demand and load conditions .

This ensures consistent security enforcement without manual intervention.

Auto-scaling is managed by cloud-native services (AWS Auto Scaling, Azure Virtual Machine Scale Sets, etc.).

Cloud NGFW can be integrated with cloud-native load balancers (AWS Elastic Load Balancing, Azure Load Balancer) to distribute traffic.

This helps ensure high availability and failover in case of firewall instance failures.

B. Terraform to automate HA ❌

Terraform automates infrastructure provisioning , but it does not inherently provide HA .

It helps automate HA configuration , but does not directly provide HA functionality .

C. Dedicated vNIC for HA ❌

Cloud NGFW does not use dedicated vNICs for HA —it relies on cloud-native failover mechanisms .

Dedicated vNICs are more relevant for on-prem HA deployments .

Firewall Deployment – Cloud NGFW supports HA through autoscaling and load balancing .

Security Policies – Ensures policies remain enforced across dynamically scaled instances .

VPN Configurations – Works with IPsec VPNs in cloud deployments .

Threat Prevention – Maintains security inspection even during autoscaling events .

WildFire Integration – Ensures malware inspection is consistently available .

Zero Trust Architectures – Enforces Zero Trust security at scale .

1. Automated Autoscaling ( ✔ ️ Correct) 2. Deployed with Load Balancers ( ✔ ️ Correct) Why Other Options Are Incorrect? References to Firewall Deployment and Security Features: Thus, the correct answers are: ✅ A. Automated autoscaling ✅ D. Deployed with load balancers

Based on the image and default rulestack settings of the Cloud NGFW for AWS , the source IP address seen in the data filtering logs will be 20.10.10.15 , which is the IP address of the load balancer.

Default Rulestack Behavior : By default, the rulestack settings do not inspect or preserve the original client IP (e.g., 10.1.1.2) in the "X-Forwarded-For" header. Instead, the load balancer's IP (20.10.10.15) is recorded as the source IP.

Logging Mechanism : Unless explicitly configured to parse the "X-Forwarded-For" header, the firewall's logs will reflect the IP address of the device directly sending the traffic to the NGFW (the load balancer in this case).

References :

Cloud NGFW for AWS Documentation

Data Filtering Logs and Source IP Behavior

An ION device (used in Prisma SD-WAN) must be configured in Analytics mode at a newly acquired site to audit traffic without steering it . This mode allows administrators to monitor network behavior without actively modifying traffic paths .

Passively Observes Traffic

The ION device monitors and logs site traffic for analysis.

No active control over routing or traffic flow is applied.

Useful for Network Auditing Before Full Deployment

Analytics mode provides visibility into site traffic before committing to SD-WAN policy changes .

Helps identify optimization opportunities and troubleshoot connectivity before enabling traffic steering.

(A) Access Mode – Enables active routing and steering of traffic, which is not desired for passive auditing.

(B) Control Mode – Actively controls traffic flows and enforces policies, not suitable for observation-only setups.

(C) Disabled Mode – The device would not function in this mode, making it useless for traffic monitoring.

Firewall Deployment – Prisma SD-WAN ION devices must be placed in Analytics mode for initial audits.

Zero Trust Architectures – Helps assess security risks before enabling active controls.

Why Analytics Mode is the Correct Choice? Other Answer Choices Analysis References and Justification: Thus, Analytics Mode (D) is the correct answer , as it allows auditing of site traffic without traffic steering.

In Strata Cloud Manager (SCM) , the most efficient way to apply a Security policy to multiple firewalls in a single data center is to group the firewalls together into a folder and create the Security policy at that configuration scope.

Grouping Firewalls : By organizing the ten firewalls into a folder, administrators can manage them as a single entity, reducing configuration time and ensuring consistency.

Configuration Scope : SCM allows you to create policies at different scopes, such as Global, Device Group, or Folder level. By applying the policy at the folder scope, it is automatically propagated to all firewalls within the group.

Efficiency : This approach eliminates the need to individually configure each firewall or manually clone policies, which can be time-consuming and error-prone.

References :

Strata Cloud Manager Policy Management

Best Practices for Multi-Firewall Management

When a user authenticates and connects to a GlobalProtect gateway , the firewall can collect and evaluate device information using Host Information Profile (HIP) . This feature helps enforce security policies based on the device’s posture before granting or restricting network access.

What is HIP?

Host Information Profile (HIP) is a feature in GlobalProtect that gathers security-related information from the endpoint device, such as:

OS version

Patch level

Antivirus status

Disk encryption status

Host-based firewall status

Running applications

How Does HIP Work?

When a user connects to a GlobalProtect gateway , their device submits its HIP report to the firewall.

The firewall evaluates this information against configured security policies .

If the device meets security compliance , access is granted; otherwise, remediation actions (e.g., blocking access) can be applied.

(A) RADIUS Authentication – While RADIUS is used for user authentication, it does not collect device security posture .

(B) IP Address – The user's IP address is tracked but does not provide device security information .

(D) Session ID – A session ID identifies the user session but does not collect host-based security details.

Firewall Deployment – HIP profiles help enforce security policies based on device posture.

Security Policies – Administrators use HIP checks to restrict non-compliant devices.

Threat Prevention & WildFire – HIP ensures that endpoints are properly patched and protected.

Panorama – HIP reports can be monitored centrally via Panorama.

Zero Trust Architectures – HIP enforces device trust in Zero Trust models.

Why is HIP the Correct Answer? Other Answer Choices Analysis References and Justification: Thus, Host Information Profile (HIP) is the correct answer , as it collects device security information when a user connects to a GlobalProtect gateway.

The Policy Optimizer tool helps refine security rules by analyzing historical traffic data and identifying the applications observed over past weeks . It is designed to:

Improve Security Policies – Identifies overly permissive rules and suggests specific application-based security policies .

Enhance Rule Accuracy – Helps replace port-based rules with App-ID-based security rules , reducing the risk of unintended access .

Use Historical Traffic Data – Analyzes past network activity to determine which applications should be explicitly allowed or denied .

Simplify Rule Management – Reduces redundant or outdated policies , leading to more effective firewall rule enforcement .

A. Security Lifecycle Review (SLR) ❌

Incorrect, because SLR provides a high-level security assessment , not a tool for refining specific security rules.

It focuses on identifying security gaps rather than optimizing security policies based on past traffic data.

B. Custom Reporting ❌

Incorrect, because Custom Reporting generates security insights and compliance reports , but does not analyze policy rules .

C. Autonomous Digital Experience Management (ADEM) ❌

Incorrect, because ADEM is designed for network performance monitoring , not firewall rule refinement.

It helps measure end-user digital experiences rather than security policy optimizations .

Firewall Deployment – Policy Optimizer improves firewall efficiency and accuracy .

Security Policies – Refines rules based on actual observed application traffic .

VPN Configurations – Helps optimize security policies for VPN traffic .

Threat Prevention – Ensures that unused or unnecessary policies do not create security risks.

WildFire Integration – Works alongside WildFire threat detection to fine-tune application security rules.

Zero Trust Architectures – Supports least-privilege access control by defining specific App-ID-based rules .

Why Other Options Are Incorrect? References to Firewall Deployment and Security Features: Thus, the correct answer is: ✅ D. Policy Optimizer

When a firewall functions as an Application-Level Gateway (ALG) , it intercepts, inspects, and dynamically manages traffic at the application layer of the OSI model. The primary role of an ALG is to provide deep packet inspection (DPI), address translation, and protocol compliance enforcement.

To establish a connection successfully, an ALG requires a pinhole —a temporary, dynamically created rule that allows the firewall to permit the return traffic necessary for specific applications (e.g., VoIP, FTP, and SIP-based traffic). These pinholes are essential because many applications dynamically negotiate port numbers, making static firewall rules ineffective .

For example, when a Session Initiation Protocol (SIP) application initiates a connection, the firewall dynamically opens a pinhole to allow the SIP media stream (RTP) to pass through while maintaining security controls. Once the session ends, the pinhole is closed to prevent unauthorized access.

Firewall Deployment – ALGs are commonly deployed in enterprise network firewalls to manage application-specific connections securely.

Security Policies – Firewalls use ALG security policies to allow or block dynamically negotiated connections.

VPN Configurations – Some VPNs rely on ALGs for handling complex applications requiring NAT traversal.

Threat Prevention – ALGs help detect and prevent application-layer threats by inspecting traffic content.

WildFire – Not directly related, but deep inspection features like WildFire can work alongside ALG to inspect payloads for malware.

Panorama – Used for centralized policy management, including ALG-based policies.

Zero Trust Architectures – ALG enhances Zero Trust by ensuring only explicitly allowed application traffic is permitted through temporary pinholes.

References to Firewall Deployment and Security Features: Thus, the correct answer is A. Pinhole because it enables a firewall to establish application-layer connections securely while enforcing dynamic traffic filtering.