NetSec-Analyst Exam Question 76

A security analyst is investigating a persistent issue where an internal server, running a custom application over a non-standard TCP port (e.g., TCP 12345), cannot establish outbound connections to an external cloud service. The Palo Alto Networks firewall is configured with a security policy allowing this traffic with 'Application: any' and 'Service: application-default'. Packet captures show the initial SYN from the server, but no response from the cloud service. The firewall's traffic logs for this session show 'deny' with 'reason: untrusted' and 'action: drop'. What is the most plausible and complex reason for this behavior, indicating a deep understanding of App-ID and security profiles?
  • NetSec-Analyst Exam Question 77

    A cloud-native application leverages multiple dynamically assigned ephemeral ports within a specific range (e.g., TCP/30000-35000) for internal service-to-service communication. Due to the dynamic nature and potential for rapid changes in underlying protocols (Grpc over HTTP/2, custom protobufs), App-ID frequently labels this traffic as 'unknown-tcp' or 'unknown-udp', hindering security visibility. The security team wants to consolidate all traffic within this port range between specific internal subnets (10.0.1.0/24 to 10.0.2.0/24) as a single logical application, 'cloud-microservices', regardless of the underlying protocol, to apply consistent security profiles and logging.
    Which of the following approaches is the most appropriate and why?
  • NetSec-Analyst Exam Question 78

    A security analyst needs to create a custom URL category for a new phishing campaign targeting the company. The phishing URLs frequently change their domain and path but always contain specific, unique query parameters used to track victims. Which combination of URL category types and regex patterns would be most effective and efficient for capturing these URLs while minimizing false positives, given the following example URL structures:
  • NetSec-Analyst Exam Question 79

    An organization is leveraging Palo Alto Networks Panorama for managing its Next-Generation Firewalls and GlobalProtect. They need to implement dynamic access control for remote users based on their device posture (e.g., patch level, anti-virus status) reported by a third-party Endpoint Detection and Response (EDR) solution. This posture information needs to be consumed by GlobalProtect Security Policies. Which of the following approaches leverages Panorama and its integration capabilities most effectively to achieve this, including an example of how the EDR data might influence policy?
  • NetSec-Analyst Exam Question 80

    A Palo Alto Networks administrator is troubleshooting a scenario where GlobalProtect VPN users are intermittently failing to authenticate against an external RADIUS server. Packet captures on the firewall show RADIUS requests being sent to the server, but no responses are received. The RADIUS server itself shows no incoming connection attempts from the firewall. The firewall's routing table is confirmed to be correct for reaching the RADIUS server. What advanced troubleshooting step, specific to the firewall's internal processing, should be performed to diagnose this 'black hole' issue?