A global financial institution utilizes Strata Cloud Manager (SCM) to manage thousands of Palo Alto Networks firewalls. Due to strict regulatory compliance requirements (e.g., PCI DSS, GDPR), they need to ensure that all policy changes are peer-reviewed and logged with detailed audit trails. Furthermore, they want to automate the rollback of any erroneous policy deployments. Which SCM features, combined with external processes, would best achieve these objectives?
Correct Answer: C
This scenario requires robust change management and auditing. Granular RBAC ensures that only authorized personnel can make changes, and that changes are initiated by specific roles. SCM's Audit Logs provide an immutable record of all administrative actions and policy changes. The Configuration Revision History allows viewing and reverting to previous configurations. For automated rollback, SCM's API (Application Programming Interface) can be used to programmatically trigger rollbacks of configurations, integrating with external change management or orchestration systems. This combination addresses the compliance and automation requirements.
NetSec-Analyst Exam Question 2
An IoT smart building system uses BACnet/IP for HVAC control. The security team discovers a device sending unauthorized 'Write Property' requests to BACnet objects that control critical ventilation fans, potentially disrupting air quality. They have identified the rogue device's MAC address and IP address, but its type (vendor/model) is not yet fully classified by Device-ID. How can the Palo Alto Networks NGFW be configured, leveraging IoT security concepts, to immediately block these specific 'Write Property' requests from this rogue device, while allowing legitimate BACnet traffic from authorized devices?
Correct Answer: C
Option C is the most precise and immediate solution given the constraint. While option B is generally good for all unauthorized 'Write Property' requests, it might impact legitimate devices if their 'Write Property' functions are also needed. Option C allows for surgical enforcement: it targets only the rogue device's traffic and applies the granular 'Application Function Filtering' (blocking 'Write Property') specifically to it. This ensures legitimate BACnet traffic from other devices continues unimpeded. Option A is too broad; it blocks all BACnet from the rogue device. Option D's 'Threat Prevention' custom signature is a more complex and potentially slower reaction than direct policy. Option E would block Write Property' from ALL devices, not just the rogue one, which contradicts the requirement to allow legitimate traffic.
NetSec-Analyst Exam Question 3
A large e-commerce platform uses an internal REST API service on TCP/443 for microservices communication. While it uses TLS, App-ID often misidentifies it as 'web-browsing' or 'ssl', preventing granular policy enforcement based on the actual API application. The security team wants to classify this traffic as 'internal-rest-api' (a custom application) and apply a custom URL Filtering profile that blocks only specific API endpoints, not general web browsing. They also need to ensure that this override does not affect legitimate 'web- browsing' traffic to external sites over TCP/443. Which configuration strategy should be employed?
Correct Answer: B
Application Override policies are processed before App-ID. Therefore, for an override to successfully reclassify traffic and allow subsequent policies to act upon that reclassification, the override rule must be evaluated first. Placing it 'before any general web-browsing rules' (which would typically use 'SSI' or 'web-browsing' as their application) ensures that the specific internal API traffic is immediately identified as 'internal-rest-api'. Once identified, the subsequent security policy can apply the specific URL filtering profile. Option A suggests placing the override after , which would mean the traffic might already be identified as 'web-browsing' or 'SSI' by a previous rule, defeating the purpose of the override. Options C and D are less efficient or less precise. Option E is powerful but doesn't directly solve the App-ID misclassification issue, though it could provide more data for signature creation.
NetSec-Analyst Exam Question 4
A large enterprise has implemented GlobalProtect and is leveraging Host Information Profile (HIP) for endpoint compliance. A new compliance requirement dictates that no user should be able to access the internal 'Sensitive SharePoint' site unless their device has the latest antivirus definitions and the endpoint security agent is running. All other internal resources should remain accessible even if the HIP check fails, but without the 'Sensitive SharePoint' access. Describe the policy configuration strategy to achieve this granular access control.
Correct Answer: D
Option D correctly addresses the requirement. The first rule explicitly allows access to 'Sensitive_SharePoint' ONLY if the HIP profile matches the compliance criteria. The second rule, with lower priority, then allows all other internal access (to destinations NOT the Sensitive_SharePoint_lP) for any user, regardless of their HIP status. This ensures that the compliant access is prioritized, and other general access remains available without blocking. Option B is incorrect because Rule 2 would allow access to Sensitive_SharePoint even without the HIP check. Option C is overly complex and might lead to unintended blocks. Option A would block all other internal access. Option E has a flawed implicit deny and is not the most direct way to achieve the goal.
NetSec-Analyst Exam Question 5
During a breach investigation, a Network Security Analyst needs to retroactively search for specific malicious file hashes (MD5) that might have been downloaded or uploaded through the firewall within the last 30 days. These hashes were not known at the time of the initial traffic. The Incidents and Alerts page currently shows no alerts related to these hashes. Which of the following approaches is the MOST efficient and effective to perform this retrospective analysis using Palo Alto Networks tools, including Log Viewer and potentially other integrated services?
Correct Answer: C
Cortex Data Lake (CDL) is designed for efficient, long-term storage and querying of Palo Alto Networks logs. The Log Viewer interface, when backed by CDL, allows for powerful, indexed searches. Filtering 'threat' logs for 'file' type and then using the 'file-digest' field with an 'in' operator (to search for multiple hashes simultaneously) is the most efficient and effective method for retrospective analysis of file-based threats. The firewall automatically calculates and logs file hashes if a WildFire profile is applied to the security policy and file blocking/forwarding is configured. Option A is inefficient and prone to errors. Option B involves manual inspection, which is impractical for large datasets. Option D is incorrect; WildFire performs analysis at the time of file transfer, not a retrospective re-scan of historical traffic using new hash inputs. Option E is relevant for C2 communication but not for directly searching file hashes.