An enterprise is facing a unique challenge with its SD-WAN deployment. They have a custom, latency-critical, stateful application (App-ID: proprietary-app) that requires all its traffic (initial connection and subsequent data) to be pinned to a single, consistent WAN path for the entire session duration to avoid session resets. This application must prefer a specific MPLS link (Link A) if its latency is below 30ms and packet loss is below 0.01 If Link A degrades, the application should failover to a dedicated Internet VPN tunnel (Tunnel B) if Tunnel B's latency is below 50ms and packet loss below 0.1%. If both links fail their respective SLAs, the traffic should be dropped. Furthermore, if a session is established on Tunnel B, it should not flap back to Link A even if Link A recovers, to maintain session consistency. Which configuration elements are crucial to implement this requirement?
Correct Answer: D
Option D is the most precise and direct solution using Palo Alto Networks SD-WAN capabilities to address all requirements, especially the critical 'no flap-back' for session consistency. Primary/Secondary Path Groups with SLAs: This correctly handles the distinct SLA requirements for Link A and Tunnel B and their preference order. 'Failover Only' Mode: This is the key feature for the 'no flap-back' requirement. When 'Failover Only' is enabled on a secondary path group (Tunnel B in this case), once traffic for 'proprietary-app' switches from Link A to Tunnel B due to Link A's degradation, it will remain on Tunnel B even if Link A recovers, as long as Tunnel B itself continues to meet its configured SLA. This ensures session consistency. Traffic will only move off Tunnel B if Tunnel B itself fails its SLA, at which point the 'Fail Action' would dictate what happens (e.g., drop traffic). Session Stickiness (Context): While 'Session Stickiness' is a general concept to keep sessions on the same path, the 'Failover Only' mode for path groups is the more granular and explicit mechanism in Palo Alto Networks SD-WAN to prevent flapping back to a primary link after an SLA-triggered failover.
NetSec-Analyst Exam Question 52
A web application development team needs to deploy a new API gateway that uses WebSocket connections for real-time data exchange. The current Security Policy has a strict rule blocking all 'unknown' or 'incomplete' applications. When testing the API, the WebSocket connections are being reset. Analysis of the traffic logs shows sessions being terminated with 'application-incomplete'. What is the most appropriate action to allow the WebSocket application while maintaining security posture?
Correct Answer: C
Option C is the most appropriate. The 'application-incomplete' flag indicates that the firewall couldn't identify the application within its signature database, often happening with custom or obscure protocols or applications like WebSockets that might not be fully recognized by default signatures until the session is fully established. Creating a custom application for the API gateway, specifically identifying its WebSocket behavior, allows the firewall to correctly classify and permit the traffic. Using 'application-default' ensures the firewall applies the correct ports for that custom application. Option A is too broad and insecure. Option B is insufficient as 'web-browsing' and 'SSI' might not fully encompass WebSocket's unique characteristics. Option D is incorrect as Application Override would allow you to force an application, not necessarily resolve 'application- incomplete' for a new, unknown one. Option E is insecure as it opens up all ports.
NetSec-Analyst Exam Question 53
A company is experiencing performance issues with their cloud-based CRM application (e.g., Salesforce), which uses App-ID: salesforce-base. Users in remote branches report slow response times, even though their internet links appear healthy. Investigation reveals occasional transient packet loss spikes and latency jitter affecting the application's performance. The network team wants to implement an SD-WAN policy that proactively steers Salesforce traffic away from paths experiencing degradation, even if the degradation is intermittent and temporary. Which of the following is the most appropriate configuration?
Correct Answer: B
Option B is the correct approach. Palo Alto Networks SD-WAN's 'Dynamic Path Selection' (DPS) with 'Best Path' selection, coupled with a properly defined SLA profile monitoring latency, jitter, and packet loss, is designed precisely for scenarios where applications need to proactively steer away from degrading paths. The system constantly monitors path quality against the SLA and dynamically selects the best available path, ensuring optimal application performance even with intermittent network issues.
NetSec-Analyst Exam Question 54
A Security Administrator is hardening the outbound security posture for a network segment with multiple user groups, each requiring different levels of internet access and content inspection. Specifically: 1. The 'Finance' group requires strict URL filtering, preventing access to social media, streaming, and unknown categories, but allowing access to specific financial news sites. They also need aggressive threat prevention. 2. The 'Marketing' group needs access to social media and some streaming for business purposes, but all downloads must be scanned by WildFire and executable files blocked. 3. The 'IT' group has broad internet access but all outbound SSH and RDP traffic must be inspected for command injection and suspicious activity. How would you design the security policy rules and Security Profile Groups to meet these requirements efficiently?
Correct Answer: A
Option A is the most efficient and recommended approach. Creating a distinct Security Policy Rule for each user group (identified via User-ID) allows for the application of a unique Security Profile Group tailored to that group's specific requirements. This ensures that: Finance: Receives its custom URL Filtering profile (strict categories, allow financial sites) and aggressive threat prevention. Marketing: Gets its URL Filtering (allowing social media/streaming), WildFire for downloads, and executable file blocking. IT: Has broad access, but their SSH/RDP traffic (identified via App-ID within the same rule or a sub-rule) can have a specific Vulnerability Protection profile applied for command injection. This approach balances granularity with manageability. Option B leads to an unmanageable rule set. Option C's 'overrides' concept is not a standard or efficient way to manage diverse security profiles across user groups. Option D sacrifices crucial granularity. Option E describes the components but doesn't clearly articulate the most efficient rule design as well as A does, which implicitly suggests leveraging App-ID and User-ID effectively within each rule.
NetSec-Analyst Exam Question 55
A large manufacturing facility is deploying thousands of new IoT sensors for predictive maintenance. These sensors communicate over MQTT and generate sensitive operational data'. The security team needs to implement a robust IoT security profile on their Palo Alto Networks Next-Generation Firewall (NGFW) to ensure data confidentiality, integrity, and device authentication. Which of the following approaches is MOST effective for establishing a strong IoT security posture for these sensors, assuming they cannot support complex PKI or client certificates initially?
Correct Answer: B
Option B is the most effective. Palo Alto Networks NGFWs can identify IoT devices and their attributes, including application (MQTT), even without client certificates. By creating a specific IoT Security Profile and leveraging 'Device Identification' and 'Device Group' segmentation, the NGFW can enforce granular policies based on the type of IoT device, its behavior, and the applications it uses, far beyond basic port-based filtering. This allows for a 'least privilege' approach crucial for IoT security. Option A is too simplistic and lacks device-awareness. Option C introduces an additional point of failure and doesn't leverage the NGFW's IoT capabilities. Option D is impractical for thousands of resource- constrained sensors. Option E provides isolation but no deep packet inspection or behavior analysis.