NetSec-Analyst Exam Question 101

An energy utility is employing Palo Alto Networks NGFWs to secure its distribution grid, which relies heavily on DNP3 and IEC 61850 protocols for substation automation. The security team wants to apply an 'IoT Security Profile' that provides robust protection against common industrial protocol vulnerabilities and ensures protocol conformity. Specifically, they need to:
1. Enforce strict DNP3/IEC 61850 protocol compliance, flagging any malformed packets or out-of-spec commands.
2. Prevent unauthorized 'firmware update' commands on IEC 61850 devices.
3. Detect and block known exploits targeting DNP3 and IEC 61850.
Which combination of features within an 'IoT Security Profile' and associated policy would address all these requirements effectively? (Multiple Response)
  • NetSec-Analyst Exam Question 102

    An organization uses a Palo Alto Networks firewall and requires highly specific logging and alerting for anomalous DNS queries. They want to generate a custom log entry whenever a DNS query for a domain matches a specific regex pattern 'A(?!. (?:googlelmicrosoftlamazon)\.com$). AND the query originates from a client within their 'Guest_Network' zone. Furthermore, the log entry should include the matched domain and the client's IP address. Which custom log configuration using a Data Pattern and custom Log Profile would achieve this requirement while minimizing performance impact?
  • NetSec-Analyst Exam Question 103

    You are tasked with automating the deployment and management of DoS protection profiles on multiple Palo Alto Networks firewalls using the PAN-OS API. A new DoS protection profile, 'Sensitive_APl DOS', needs to be created that applies 'Packet Based Attack Protection' for UDP floods (activation-rate 10000, alarm-rate 5000, action drop) and 'Session Based Attack Protection' for Max Concurrent Sessions (activation-rate 20000, alarm-rate 10000, action protect), with 'group-by source-ip'. Which of the following API calls, using an appropriate XML payload, would correctly create this profile? (Assume correct authentication and URL for the API endpoint).
  • NetSec-Analyst Exam Question 104

    A large enterprise uses Panorama for centralized management of hundreds of Palo Alto Networks firewalls. An administrator configured a new URL Filtering profile and pushed it to a device group. Post-push, users on some firewalls are reporting that previously allowed URLs are now being blocked by the new profile, while others on different firewalls in the same device group are not experiencing the issue. No 'deny' rules were explicitly added for these URLs. Which of the following is the most likely complex misconfiguration scenario?