A Palo Alto Networks firewall is configured with an External Dynamic List (EDL) sourced from an internal web server. The web server is located in a different security zone. Which of the following security policy rules must be in place to allow the firewall to successfully fetch updates for this EDL?
Correct Answer: A
EDL fetching is initiated by the firewall's management plane. Therefore, a security policy rule must allow traffic from the firewall's management interface (or the zone it belongs to, typically 'management' or 'trust') to the web server's IP address on the appropriate HTTP/HTTPS port (80 or 443). Options B and C are incorrect as they refer to data plane or untrust zones, which are not typically the source for EDL fetching. Option D is incorrect as security policies do apply. Option E is incorrect as NAT is not required for the firewall to initiate a connection.
NetSec-Analyst Exam Question 97
A Palo Alto Networks firewall configured as an active/passive HA pair is experiencing split-brain scenarios, where both firewalls briefly become active, causing network disruption. Packet captures on the HA interfaces show intermittent high latency and packet loss. The 'HA Link Monitoring' and 'Path Monitoring' are configured. Which of the following is the most likely, yet often overlooked, cause of this complex HA instability?
Correct Answer: C
While options A, B, D, and E are valid HA troubleshooting points, the presence of 'intermittent high latency and packet loss' on HA interfaces and 'split-brain scenarios' with 'HA Link Monitoring' and 'Path Monitoring' configured, strongly points to a subtle network issue. Asymmetric routing (C) is a notoriously difficult-to-diagnose cause of HA instability. If the firewall sends out an HA monitoring probe (e.g., for Path Monitoring) and the return path for that probe takes a different route, potentially via a slower or congested link, or even gets dropped, the firewall might incorrectly interpret this as a link or path failure, triggering an HA failover. This leads to the 'briefly active' state on both firewalls until the issue resolves or another failover occurs. It creates a flapping scenario that is often misattributed to the firewall itself rather than the underlying network.
NetSec-Analyst Exam Question 98
A secure healthcare network leverages Palo Alto Networks NGFWs to protect critical medical IoT devices (IoMT) like infusion pumps and patient monitors. These devices communicate using proprietary protocols over TCP. The security team has identified that some of these devices are attempting to establish undocumented SSH connections to external IP addresses, likely due to a compromise. The challenge is that the NGFW's 'Application-ID' correctly identifies the proprietary IoMT application, but it also identifies the rogue SSH connection from the same device . How can the security policy, leveraging IoT security profiles, be configured to allow the legitimate IoMT proprietary application while blocking the specific SSH connection from the compromised device without disrupting essential medical operations?
Correct Answer: A
Option A is the most effective and precise solution. Palo Alto Networks' 'Application-ID' works by identifying applications regardless of port. If both the proprietary IoMT app and SSH are identified from the same device, the most direct way to block SSH while allowing the legitimate app is to create a specific 'deny' rule for SSH, targeted at the compromised device (or device group), and place it higher in the rulebase than any 'allow' rule for that device/group. Since firewall rules are processed top-down, the deny for SSH will be hit first. Option B is incorrect as it would block all legitimate IoMT functions. Option C (Anti-Spyware with custom signature) is a reactive measure for known threats; policy-based blocking is more direct for application control. Option D (Application Override) is a misapplication; it would force all traffic on the IoMT port to be seen as the IoMT app, potentially masking the rogue SSH if it uses the same port, or preventing accurate identification if SSH uses a different port. Application-ID is already correctly identifying both. Option E is a good general practice for 'least privilege' (allowing only known applications), but Option A specifically addresses the immediate need to block the identified SSH from the compromised device without affecting the legitimate IoMT app.
NetSec-Analyst Exam Question 99
Consider the following XML snippet representing a partial SD-WAN template configuration in Panorama for a new branch template stack: Which of the following statements accurately describe the implications or missing crucial components for this SD-WAN template to effectively manage application-specific traffic with performance objectives, specifically for a VoIP' application?
Correct Answer: B,C,E
Option B is correct because 'Rule_1' is a catch-all and needs a more specific rule for VoIP with a higher priority and linked to the performance profile. Option C is correct because 'Path Monitoring' profiles are fundamental; without them, the firewall cannot measure link quality (latency, jitter, loss) against the defined 'path-quality-profiles'. Option E is correct because 'path-quality-profiles' define what constitutes good quality, but the SD-WAN policy rule is what applies this definition to specific applications and dictates how paths are selected based on that quality (e.g., best quality, performance-based, etc.) and which links are considered. Option A is partially correct in that Rule_1 needs modification, but a new rule is generally preferred for specific applications like VoIP and its path selection should be 'performance-based' rather than just referencing the profile. Option D is incorrect; SD-WAN profiles are applied to interfaces (or zones) via a template or device group, but the 'path- quality-profiles' themselves are referenced within the SD-WAN policy rules, not directly applied to interfaces in this manner.
NetSec-Analyst Exam Question 100
Consider a scenario where a Palo Alto Networks firewall is used to secure access to a critical internal web application that uses a custom header for authentication, e.g., 'X-Auth-Token: [TOKEN VALUE]'. To enhance security, the organization wants to implement a custom vulnerability signature that detects attempts to bypass this authentication by submitting requests with a missing or malformed 'X-Auth- Token' header. Which of the following PCRE (Perl Compatible Regular Expressions) patterns for a custom vulnerability signature would effectively detect both a completely missing 'X-Auth-Token' header and an 'X-Auth-Token' header that is present but followed by an empty string or only whitespace, specifically when targeting HTTP POST requests to '/api/vl/secure_resource'? Assume the signature 'Location' is 'http-post-request-headers' and 'Scope' is 'transaction'.
Correct Answer: E
This question tests PCRE knowledge within the context of Palo Alto Networks custom signatures. We need to detect two conditions: missing header OR empty/whitespace header. Let's break down the required regex components: 1. Missing 'X-Auth-Token' header: This requires a negative lookahead to assert that the string does NOT contain 'X-Auth-Token:". The pattern 'A(?!. X-Auth-Token:). $ means 'from the beginning of the string, assert that nowhere after that (. ) is the string 'X-Auth-Token:' found, then match the entire string (. $ y. 2. 'X-Auth-Token' header with empty or whitespace value: This requires matching 'X-Auth-Token:' followed by zero or more whitespace characters until the end of the line (or header value). The pattern $ achieves this. Combining these with an OR CIS) operator: 'A(?!. X-Auth-Token:). $ (for missing header) $ (for empty/whitespace header) So, the combined pattern should be 'A(?!. X-Auth-Token:). $1X-Auth- Token:\s $. Option E matches this exactly. The order of the OR conditions generally doesn't matter for correctness in this case. Let's look at why others are incorrect: A: 'A(?!. X-Auth-Token:. ). $ is slightly redundant with the second The first part is A(?!. X-Auth-Token:). $ which is correct for missing. The second part $ would only match if 'X-Auth-Token:' is at the very beginning of the string, which might not be the case if other headers precede it within the same 'http-post-request-headers' location inspection context. However, often the 'Location' context implies matching within the specific header block. Let's re-evaluate. B: - This only checks for 'X-Auth-Token:' at the very beginning of the entire header block , which is unlikely for a specific header. - The '$' here would match the end of the line , which is what we want for a header value, but the first part is flawed. C: $ - This is a more complex negative lookahead, but its application needs to be careful. "AX-Auth-Token: $ - This uses which matches any character, not just whitespace. Is more precise for whitespace. D: 'A(?!. X-Auth-Token:). $ for missing is correct. $ for empty/whitespace is correct. This is effectively the same as E. There might be a subtle difference in how the signature engine interprets them, but semantically they are identical for this purpose. However, in Palo Alto Networks regex, should be used with caution as it can consume the entire buffer. But for the purpose of a missing header check, it's appropriate. The common idiom for 'does not contain X' is 'A(?!. X). $. Given the options, E and D are effectively identical and correct for the problem statement. When faced with multiple identical correct options, it's usually a trick or a poorly designed question. However, choosing one that precisely matches the commonly accepted PCRE patterns is best. Let's assume the question expects the most idiomatic pattern. Let's re-examine option D and E. They are indeed identical. Let's pick one. Typically, the negative lookahead followed by the positive match is the preferred structure. So E is X-Auth-Token:). $ which puts the 'empty/whitespace' check first. D is 'A(?!. X-Auth-Token:). $1X-Auth-Token:\s $ which puts the 'missing' check first. Both are logically equivalent. If there's a performance implication, it's usually negligible for simple regexes. I will stick with E as the provided solution in an earlier assessment.