NetSec-Analyst Exam Question 21

An organization uses Palo Alto Networks firewalls and needs to enforce a strict data exfiltration prevention policy. They want to block any outgoing traffic that contains specific patterns of sensitive internal project codes, credit card numbers (PCI DSS scope), and social security numbers (PII scope). They have identified the following requirements: 1. Project codes (e.g., 'PROJ-ALPHA-2024-001', 'PROJ-BETA-FY25-ABC') follow a regex pattern: 2. Credit card numbers (16 digits) must be detected but only if they are associated with the 'PCI DATA ZONE' source zone. 3. Social security numbers (XXX-XX-XXXX) must be detected regardless of the source zone. Which combination of Data Filtering objects, profiles, and security policy rules would achieve this goal with the highest precision and minimal false positives, considering the specific zone requirement for credit cards?
  • NetSec-Analyst Exam Question 22

    A managed security service provider (MSSP) uses Strata Cloud Manager (SCM) to deliver security services to multiple distinct customers. Each customer requires strict logical separation of their firewall configurations, policies, and logs within SCM, while the MSSP's central operations team needs a consolidated view of all customer environments without cross-customer data leakage. Which SCM design principles and features are paramount for achieving this multi-tenancy with secure isolation?
  • NetSec-Analyst Exam Question 23

    A publicly accessible web application is frequently targeted by HTTP GET floods and slow-read attacks. The existing DoS protection profile on the Palo Alto Networks firewall is configured with generic thresholds, leading to false positives and occasional legitimate user disruptions. The security team wants to refine the DoS protection to specifically counter these HTTP-based attacks while minimizing impact on legitimate users. Which of the following combinations of DoS protection profile settings and their application would be most effective?
  • NetSec-Analyst Exam Question 24

    A financial institution uses Palo Alto Networks firewalls to secure its network. They've observed that their proprietary internal trading application, which operates on a non-standard port (TCP/8080), is being consistently identified by App-ID as 'web-browsing' due to its HTTP-like traffic patterns, leading to incorrect policy enforcement and performance issues. They need to ensure this application is always correctly identified as 'proprietary-trading-app' for specific security policies. Which of the following is the most appropriate and robust solution to address this application misidentification without disrupting other web traffic?
  • NetSec-Analyst Exam Question 25

    An organization is deploying a new web application server that requires strict adherence to security best practices. The security team has defined a custom URL category for 'critical-application-updates' and another for 'developer-tools'. They want to ensure that only 'critical-application-updates' URLs are allowed, 'developer-tools' URLs are logged but blocked, and all other unclassified or malicious URLs are blocked with an appropriate response page. Which URL Filtering profile configuration meets these requirements?