Online Access Free NetSec-Analyst Exam Questions

A company is implementing a new BYOD policy and needs to ensure that mobile devices accessing internal resources are protected from known and unknown malware. They have deployed a Palo Alto Networks firewall with WildFire subscriptions. Which configuration steps are essential to leverage WildFire for comprehensive malware analysis and prevention specifically for BYOD traffic, assuming a security policy rule already exists for BYOD access?

• A.Create a new WildFire Analysis profile. Set the 'File Types' to 'all' and 'Action' to 'upload' for known good and bad files. Attach this WildFire Analysis profile directly to the BYOD security policy rule. Ensure Antivirus and Anti-Spyware profiles are also applied.
• B.Create a WildFire Analysis profile with a 'Forward' action for 'PE' files. Create a File Blocking profile to block all 'unknown-file-types'. Group these into a new Security Profile Group and apply it to the BYOD security policy rule. Ensure the firewall has connectivity to the WildFire cloud or appliance.
• C.Enable WildFire analysis within the existing URL Filtering profile applied to the BYOD security policy. Configure a File Blocking profile to block all executable files, and enable WildFire submission for 'all' file types.
• D.Modify the existing Anti-Spyware profile applied to BYOD traffic to include WildFire signature updates. Configure a Data Filtering profile to detect and block suspicious file transfers from BYOD devices. No separate WildFire Analysis profile is needed.
• E.Create a WildFire Analysis profile configured to 'Block' for 'PE' files and 'upload' for all other file types. Apply this profile within a Security Profile Group along with an Antivirus profile set to 'reset-both' for critical severity threats. Ensure the Security Policy rule's action is 'allow'.

A multinational corporation uses Panorama for centralized management. A recent compliance audit highlighted that several regional firewalls have overly permissive 'any-any' rules that are rarely, if ever, used, creating unnecessary attack surface. The security team wants to systematically address these. Which sequence of operations, leveraging Policy Optimizer, would be most efficient and ensure minimal disruption?

• A.1. Use Activity Insights to find the least used applications. 2. Create new policies to block these applications. 3. Push to firewalls.
• B.1. In Policy Optimizer, utilize the 'Security Policy Rule Optimization' dashboard. 2. Filter for 'Any-Any' rules with low hit counts. 3. For each candidate rule, use the 'Convert to specific' feature (if applicable) or change its action to 'Deny' after a validation period. 4. Push updates to respective firewalls.
• C.1. Manually review each firewall's security policy for 'any-any' rules. 2. Delete the rules if they appear unused. 3. Push commits.
• D.1. In Policy Optimizer, run a 'Rule Usage' report across all Device Groups. 2. For rules with zero or very low hit count, change action to 'Deny' and commit. 3. Monitor logs for complaints.
• E.1. In Policy Optimizer, identify all 'any-any' rules across relevant Device Groups using the 'Rule Browser'. 2. For each identified rule, change its action to 'Alert' and observe traffic patterns for a week. 3. If no legitimate traffic is logged, change action to 'Deny' and commit.

An enterprise is facing a unique challenge with its SD-WAN deployment. They have a custom, latency-critical, stateful application (App-ID: proprietary-app) that requires all its traffic (initial connection and subsequent data) to be pinned to a single, consistent WAN path for the entire session duration to avoid session resets. This application must prefer a specific MPLS link (Link A) if its latency is below 30ms and packet loss is below 0.01 If Link A degrades, the application should failover to a dedicated Internet VPN tunnel (Tunnel B) if Tunnel B's latency is below 50ms and packet loss below 0.1%. If both links fail their respective SLAs, the traffic should be dropped. Furthermore, if a session is established on Tunnel B, it should not flap back to Link A even if Link A recovers, to maintain session consistency. Which configuration elements are crucial to implement this requirement?

• A.1. Create a primary SD-WAN Path Group for Link A with a 30ms latency / 0.01% packet loss SLA. 2. Create a secondary SD-WAN Path Group for Tunnel B with a 50ms latency / 0.1% packet loss SLA. 3. Apply an SD-WAN policy for 'proprietary-app' that uses these path groups in order. 4. Enable 'Failover Only' mode for the secondary Path Group, which ensures once traffic moves to Tunnel B, it stays there until Tunnel B itself fails its SLA.
• B.1. Define two SLA profiles: 'MPLS_SLA' (30ms lat, 0.01% loss) and 'Internet_SLX (50ms lat, 0.1% loss). 2. Create an SD-WAN policy for 'proprietary-app'. Configure 'Dynamic Path Selection' with 'Best Path' and the following order: LinkA (using 'MPLS SLA'), then Tunnel B (using 'Internet_SLA'). 3. Crucially, enable 'Session Stickiness' within the SD-WAN policy settings for this application to prevent flap-back.
• C.1. Create an SLA profile for 'proprietary-app' with latency (30ms) and packet loss (0.01 thresholds. Apply this SLA to Link 2. Configure a PBF rule for 'proprietary-app' with primary next-hop Link A and secondary next-hop Tunnel B. Enable 'Session Stickiness' on the PBF rule. 3. Configure a separate SLA profile for Tunnel B (latency 50ms, packet loss 0.1 %) and link it to the PBF secondary path.
• D.1. Use a PBF rule for 'proprietary-app' to force it to LinkA as the primary interface. 2. Configure a monitor on Link A's health. If LinkA fails, automatically disable its interface. 3. Rely on routing to then pick Tunnel B as the next best path. 4. Implement a custom script to manually re-enable Link A only after a prolonged period of stability to prevent flapping.
• E.1. Configure Link A as the primary egress interface in a Zone. Configure Tunnel B as a backup interface in the same Zone. 2. Implement an SD-WAN policy for 'proprietary-app' that uses this Zone. 3. Use BFD on both Link A and Tunnel B to detect link failures. 4. Manually configure session persistence on the firewall for proprietary-app' to keep sessions on the initial path.

A Palo Alto Networks firewall is configured to forward logs via a Log Forwarding Profile named 'LFP Cloud SIEM' to an AWS S3 bucket using the HTTP(S) protocol. The forwarding is currently failing with intermittent 'HTTP 403 Forbidden' errors, even though the IAM role and bucket policy seem correct. The firewall logs indicate 'Failed to send log to HTTP server: Authentication failed'. Which of the following is MOST likely the cause, assuming no network connectivity issues or time synchronization problems?

• A.The firewall's clock is significantly out of sync with AWS services, causing signature validation failures for signed HTTP requests, even with valid credentials.
• B.The IAM role assigned to the AWS user/role used by the firewall does not have the 's3:PutObject' permission for the target S3 bucket, or a condition in the IAM policy is being met that denies the action.
• C.The Log Fomarding Profile is configured to use an invalid 'Access Key ID' or 'Secret Access Key' for AWS S3 authentication.
• D.The AWS S3 bucket policy is incorrectly configured to only allow uploads from specific IP addresses, and the firewall's egress IP is not included.
• E.The HTTP(S) server profile associated with the Log Fomarding Profile specifies an incorrect 'Host' or 'Path' for the S3 bucket endpoint.

A financial institution is deploying IoT devices for environmental monitoring in its data centers. These devices use HTTPS for communication with a cloud-based management platform. Due to compliance requirements, all data leaving the data center must be inspected for sensitive information (e.g., financial data leakage, PII). Additionally, the devices must be authenticated using client certificates. Describe the comprehensive Palo Alto Networks IoT security profile configuration that ensures both deep content inspection and device authentication for these IoT devices.

• A.Create an 'IoT Security Profile' with 'Device-ID' enabled. Configure a 'Security Policy' rule from the IoT zone to the Internet, specifying 'Application: ssl', 'Service: application-default', and enable 'SSL Decryption' with a forward trust certificate. Additionally, configure 'Client Certificate Authentication' within the 'Authentication Profile' linked to the security rule.
• B.Implement 'URL Filtering' to allow only the cloud management platform's domain. Create a 'Data Filtering' profile to inspect for sensitive data. Configure a 'Security Policy' allowing HTTPS to the cloud platform, applying both URL Filtering and Data Filtering. Rely on pre-shared keys for device authentication.
• C.Configure a 'NAT Policy' to translate IoT device IPs. Create a 'Custom URL Category' for the cloud platform. Enable 'DDoS Protection' for the IoT zone. Device authentication will be handled at the cloud platform level.
• D.Apply a 'Threat Prevention' profile to block all suspicious activity. Create a 'Tunnel Inspection' profile for all IoT traffic. Configure a 'Security Policy' with 'Source: IoT Zone', 'Destination: Cloud IP', 'Application: any', and 'Action: Allow'.
• E.Deploy a 'Web Proxy' in front of the NGFW for HTTPS inspection. Configure the NGFW to use 'User-ID' for device authentication and integrate it with an external AAA server. Use 'File Blocking' to prevent data leakage.