NetSec-Analyst Exam Question 31

Consider the following Python script designed to generate an External Dynamic List for Palo Alto Networks firewalls. The script pulls data from an API and formats it. If an administrator notices that their firewall EDL is always empty, despite the API returning data, what could be the issue with the generated file or its handling by the firewall?
  • NetSec-Analyst Exam Question 32

    An enterprise is deploying a new containerized application infrastructure, using Kubernetes, exposed via a dedicated load balancer that sits behind a Palo Alto Networks firewall. The security team anticipates a very high, burstable volume of legitimate traffic, but also expects sophisticated HTTP/2-based DoS attacks that exploit the protocol's multiplexing capabilities and header compression. The firewall needs to detect and mitigate these without impacting legitimate, high-concurrency connections. Given that standard HTTP/I .1 flood protection might be insufficient, what advanced DoS profile configurations should be prioritized for the Palo Alto Networks firewall to protect this environment, assuming HTTP/2 inspection is enabled?
  • NetSec-Analyst Exam Question 33

    A sophisticated zero-day attack is suspected to be propagating laterally within your network. You need to quickly identify all active network connections, their associated applications, users, and any related threats, across your distributed environment. Then, you need to rapidly quarantine affected hosts and block the identified malicious application signature. Which set of tools and features provides the most efficient and comprehensive response?
  • NetSec-Analyst Exam Question 34

    A distributed manufacturing company utilizes several IoT devices across its factories that transmit telemetry data via MQTT to a central cloud broker. The MQTT traffic is highly sensitive to packet loss but can tolerate moderate latency. The company has a mix of Satellite, 4G, and MPLS links at each factory. They want an SD-WAN policy that prioritizes MPLS for MQTT, then 4G, and only uses Satellite as a last resort, unless the Satellite link offers exceptionally low packet loss (below 0.1 %) even if its latency is higher than 4G. If no link meets the packet loss requirement for MQTT (i.e., packet loss on all links exceeds 0.5%), the traffic should be dropped to prevent unreliable data transmission. Which SD-WAN configuration achieves this, considering the complex conditional preference for Satellite?
  • NetSec-Analyst Exam Question 35

    A network architect is designing a decryption strategy for outbound traffic, including advanced threat protection. The requirement states that traffic to known malicious sites (categorized by a custom URL category 'Malicious_Domains') must be blocked immediately without decryption, whereas traffic to cloud storage services (e.g., Google Drive, Dropbox) must be decrypted for DLP inspection. All other internet-bound TLS traffic should be decrypted by default, with an emphasis on blocking connections that utilize deprecated SSL/TLS versions or weak ciphers. Assume the following objects exist: 'DLP_Decryption_Profile' (Forward Proxy, strong cipher/protocol requirements), 'No_Decryption_Profile', and 'Block_Profile' (a security profile with action block).