NetSec-Analyst Exam Question 51

An enterprise is facing a unique challenge with its SD-WAN deployment. They have a custom, latency-critical, stateful application (App-ID: proprietary-app) that requires all its traffic (initial connection and subsequent data) to be pinned to a single, consistent WAN path for the entire session duration to avoid session resets. This application must prefer a specific MPLS link (Link A) if its latency is below 30ms and packet loss is below 0.01 If Link A degrades, the application should failover to a dedicated Internet VPN tunnel (Tunnel B) if Tunnel B's latency is below 50ms and packet loss below 0.1%. If both links fail their respective SLAs, the traffic should be dropped. Furthermore, if a session is established on Tunnel B, it should not flap back to Link A even if Link A recovers, to maintain session consistency. Which configuration elements are crucial to implement this requirement?
  • NetSec-Analyst Exam Question 52

    A web application development team needs to deploy a new API gateway that uses WebSocket connections for real-time data exchange.
    The current Security Policy has a strict rule blocking all 'unknown' or 'incomplete' applications. When testing the API, the WebSocket connections are being reset. Analysis of the traffic logs shows sessions being terminated with 'application-incomplete'. What is the most appropriate action to allow the WebSocket application while maintaining security posture?
  • NetSec-Analyst Exam Question 53

    A company is experiencing performance issues with their cloud-based CRM application (e.g., Salesforce), which uses App-ID: salesforce-base. Users in remote branches report slow response times, even though their internet links appear healthy. Investigation reveals occasional transient packet loss spikes and latency jitter affecting the application's performance. The network team wants to implement an SD-WAN policy that proactively steers Salesforce traffic away from paths experiencing degradation, even if the degradation is intermittent and temporary. Which of the following is the most appropriate configuration?
  • NetSec-Analyst Exam Question 54

    A Security Administrator is hardening the outbound security posture for a network segment with multiple user groups, each requiring different levels of internet access and content inspection. Specifically: 1. The 'Finance' group requires strict URL filtering, preventing access to social media, streaming, and unknown categories, but allowing access to specific financial news sites. They also need aggressive threat prevention. 2. The 'Marketing' group needs access to social media and some streaming for business purposes, but all downloads must be scanned by WildFire and executable files blocked. 3. The 'IT' group has broad internet access but all outbound SSH and RDP traffic must be inspected for command injection and suspicious activity. How would you design the security policy rules and Security Profile Groups to meet these requirements efficiently?
  • NetSec-Analyst Exam Question 55

    A large manufacturing facility is deploying thousands of new IoT sensors for predictive maintenance. These sensors communicate over MQTT and generate sensitive operational data'. The security team needs to implement a robust IoT security profile on their Palo Alto Networks Next-Generation Firewall (NGFW) to ensure data confidentiality, integrity, and device authentication. Which of the following approaches is MOST effective for establishing a strong IoT security posture for these sensors, assuming they cannot support complex PKI or client certificates initially?