NetSec-Analyst Exam Question 56

A Palo Alto Networks firewall is configured to decrypt SSL/TLS traffic using SSL Forward Proxy. Due to a recent audit, there's a new requirement: all decrypted sessions must enforce TLS 1.2 or higher, and any attempt to use older, weaker protocols like TLS 1.0 or 1.1 must be blocked and logged. However, for a specific legacy application that must use TLS 1.0, an exception needs to be made, allowing it to communicate without decryption but still logging the attempt to use TLS 1.0. How would you configure this using a combination of decryption profiles and policies?
  • NetSec-Analyst Exam Question 57

    A Palo Alto Networks firewall is configured with a Layer 3 interface on zone 'Internal' (10.0.1.1/24) and another on zone 'External' (203.0.113.1/29). An internal server (10.0.1.100) needs to initiate outbound connections to the internet, and its source IP address must be translated to a specific public IP from a pool. You are tasked with configuring a NAT policy for this. Which of the following NAT types and configurations would achieve this requirement for ALL outbound connections from the internal server, ensuring the internal IP is always hidden behind a public IP from the pool?
  • NetSec-Analyst Exam Question 58

    An internal server (10.0.1.5) on the 'Trust' zone needs to access a specific public service (example.com, 1.1.1.1) on TCP port 80. Due to a complex network design and a requirement for strict outbound traffic control, all traffic from this server to 1.1.1.1:80 must be translated to a specific public IP 203.0.113.20. All other traffic from 10.0.1.5 to the Internet should use the firewall's egress interface IP (203.0.113.1 Additionally, any return traffic from 1.1.1.1 to 203.0.113.20 should be automatically translated back to 10.0.1.5. Which of the following NAT configurations achieves this with the highest specificity and ensures bi-directional communication for the dedicated service?
  • NetSec-Analyst Exam Question 59

    A security architect is designing an automated incident response playbook within their Security Orchestration, Automation, and Response (SOAR) platform. This playbook needs to interact with Strata Cloud Manager (SCM) to perform actions like blocking malicious IPs, quarantining compromised devices, and retrieving firewall logs. Which of the following Python code snippets demonstrates the correct initial step to authenticate and interact with SCM's API for such operations?
  • NetSec-Analyst Exam Question 60

    A critical server application relies on a set of custom web services running on non-standard ports. The security team needs to ensure that these specific web services are protected by comprehensive threat prevention, including WildFire analysis, but without impacting the performance of other high-volume, less critical HTTP/S traffic. The firewall must distinguish between these custom services and standard HTTP/S. Which approach offers the most efficient and secure configuration?