NetSec-Analyst Exam Question 66

Consider a scenario where an internal web server (10.0.2.50) hosts a public website accessible via 'www.example.com' (public IP 203.0.113.10). The Palo Alto Networks firewall is the edge device. You need to configure a NAT policy to allow external users to access this web server. Additionally, internal users, when trying to reach 'www.example.com' (203.0.113.10), should also be directed to the internal server (10.0.2.50) without hairpinning traffic through the external interface. Which combination of NAT policies is most appropriate to achieve both external and internal access efficiently?
  • NetSec-Analyst Exam Question 67

    A distributed enterprise uses a Hub-and-Spoke VPN topology with Palo Alto Networks firewalls at each spoke and a Panorama appliance managing all firewalls. Spoke firewalls are configured to forward traffic and threat logs to the Panorama log collector. A new compliance requirement dictates that all traffic logs showing 'application-override' events, specifically, must also be forwarded to an external analytics platform, without duplicating other log types to this platform. How can this be efficiently configured from Panorama to apply to all spoke firewalls?
  • NetSec-Analyst Exam Question 68

    An organization wants to create a custom URL category for a list of highly sensitive internal web applications that should only be accessible from specific internal subnets. However, these applications are accessed via FQDNs that share a common, publicly resolvable root domain (e.g., 'appl.corp.example.com', 'app2.corp.example.com' , 'finance.corp.example.com'). The challenge is that .corp.example.com' is also used by many other public-facing services, and blocking the entire 'corp.example.com' domain would cause significant business disruption. The security team needs to precisely define the custom URL category to include only appl.corp.example.com' , 'app2.corp.example.com' , and 'finance.corp.example.com' , without affecting other subdomains, and then apply a strict access policy. Which configuration approach for the custom URL category is most precise and least prone to false positives, assuming other subdomains like 'public.corp.example.com' or 'dev.corp.example.com' exist and should not be included?
  • NetSec-Analyst Exam Question 69

    A critical web application serves content to external users. Due to a recent surge in web-based attacks (SQL injection, XSS), the security team has decided to implement aggressive protection. They want to block known attack patterns, detect and prevent zero-day exploits, and ensure any compromised system attempts to communicate with C2 servers are immediately shut down. Furthermore, all inbound file uploads must be scanned by WildFire, and specific sensitive file types (e.g., .exe, .dll, .js, .bat) should be blocked, regardless of content, if uploaded by external users. How do you combine Security Profiles and their actions to achieve this multifaceted protection?
  • NetSec-Analyst Exam Question 70

    A Palo Alto Networks firewall is experiencing frequent 'URL Filtering: category-not-resolved' errors in the traffic logs, leading to inconsistent web access for users. The firewall has valid subscriptions for URL Filtering and DNS Proxy is configured. The external DNS servers are reachable. Which of the following is the MOST LIKELY cause of this issue, and what specific configuration element should be scrutinized?