An organization is migrating its data center applications to a hybrid cloud model, where some applications remain on-premises and others move to AWS. SD-WAN is deployed at the on-prem data center (DC-FW) and at a new branch (BR-FW). The requirement is that users at the branch access an on-prem application (App-OnPrem) via an SD-WAN tunnel, prioritizing a direct MPLS link. If MPLS performance degrades, traffic should failover to an IPsec VPN tunnel over the internet. For an AWS-hosted application (App-AWS), users should always use the internet link via SD-WAN, and bypass the MPLS entirely. All SD-WAN tunnels originate from the branch. Which of the following intricate configurations are REQUIRED for this specific scenario?
Correct Answer: E
Option E is the most precise and correct solution. For App-OnPrem, 'Performance-Based' path selection with a 'Path Quality' profile and an explicit preferred path ensures dynamic failover to the IPsec tunnel only when MPLS degrades. For App-AWS, the key is to exclude the MPLS tunnel from the 'Applicable Paths' within its specific SD-WAN policy rule. This guarantees that traffic for App-AWS never attempts to use MPLS, regardless of its quality. Option A implies exclusion by setting different performance profiles, but explicit exclusion is cleaner. Option B is partially correct about path monitoring but misses the explicit path exclusion for App-AWS. Option C's 'Link Quality' is a valid metric, but 'Performance-Based' is more holistic for SLA. Load balancing on internet interfaces only is good but doesn't explicitly prevent MPLS if the rule for App-AWS is broad. Option D's approach of 'down-prioritizing' MPLS for App-AWS by setting high latency/jitter in Path Monitoring is an indirect and less robust method; explicit exclusion is better.
NetSec-Analyst Exam Question 27
A security auditor requires proof that all outbound DNS traffic from internal networks is strictly controlled and only allowed to specific, approved internal DNS servers. The auditor is concerned about DNS exfiltration. Which Command Center dashboard and subsequent Policy Optimizer action would best demonstrate this control and harden the posture?
Correct Answer: C
To prove strict control over outbound DNS, the 'Network Activity' dashboard in Command Center, filtered by destination port 53, allows the analyst to see exactly where DNS queries are going. This directly addresses the auditor's concern about unapproved destinations. Subsequently, Policy Optimizer's 'Rule Usage' feature helps pinpoint which specific rules are permitting this traffic, allowing for targeted modification or restriction to only approved internal DNS servers, thereby hardening the posture against exfiltration.
NetSec-Analyst Exam Question 28
A Palo Alto Networks firewall, running PAN-OS 10.1 , is experiencing intermittent CPU spikes to 95%+, leading to dropped new sessions and slow policy commit times. You suspect a potential resource exhaustion issue related to a specific application or threat signature. Which of the following commands or features would be MOST effective for initial diagnosis to identify the root cause of the high CPU usage without causing further service disruption?
Correct Answer: C
While other options might provide some insight, show running resource-monitor hour (or similar time-based options like show running resource-monitor hour day or minute) is specifically designed to show historical resource utilization including CPU, sessions, and other critical metrics. This allows for identifying trends and correlating CPU spikes with specific timeframes or events. Options A would cause disruption. Option B provides system logs, but not direct resource utilization. Option D is for deep, offline analysis and takes time. Option E focuses on session bandwidth, not direct CPU consumption.
NetSec-Analyst Exam Question 29
A Security Administrator is configuring a Palo Alto Networks firewall to block access to known malicious IP addresses. The threat intelligence feed updates hourly and contains thousands of entries. Which External Dynamic List (EDL) type is most appropriate for this scenario to ensure the firewall efficiently processes and applies the updates?
Correct Answer: A
For blocking known malicious IP addresses, an 'IP Address (IPv4/lPv6)' EDL is the most direct and efficient type. While Palo Alto Networks' pre-defined feeds are also IP-based and often used, the question specifically asks for the most appropriate type when the administrator is configuring a feed with thousands of entries, implying a custom or third-party feed. Domain and URL lists are for FQDNs and URLs, respectively, not raw IP addresses. Custom Application is irrelevant here.
NetSec-Analyst Exam Question 30
A large enterprise is deploying SD-WAN across 100+ branch offices using Panorama'. Each branch has a primary internet link and a secondary LTE link. The requirement is for all mission-critical applications (e.g., SAP, Salesforce) to exclusively use the primary internet link if its path quality (latency, jitter, packet loss) meets a predefined SLA. If the primary link degrades, these applications should automatically failover to the LTE link. Non-critical traffic should be load-balanced across both links. Which SD-WAN configuration elements are MOST crucial to implement this design efficiently and scalably from Panorama, assuming consistent policy across branches?
Correct Answer: A
Option A is the most efficient and scalable solution. A single SD-WAN profile within a template stack ensures consistency across all 100+ branches. Defining two specific SD-WAN policy rules within this profile one for mission-critical apps using 'Performance-Based' path selection with an SLA profile and explicit primary link preference, and another for non-critical apps using 'Session Distribution' directly addresses all requirements. This leverages the core strengths of SD-WAN profiles for dynamic path selection and application-aware routing. Option B introduces unnecessary complexity with separate profiles per application type and virtual routers. Option C incorrectly suggests two path monitoring profiles per link; path monitoring applies to links, and performance profiles are then applied to applications. Option D and E describe traditional routing or PBF mechanisms which are less dynamic and scalable than native SD-WAN for this specific use case.