Consider the following Python script designed to generate an External Dynamic List for Palo Alto Networks firewalls. The script pulls data from an API and formats it. If an administrator notices that their firewall EDL is always empty, despite the API returning data, what could be the issue with the generated file or its handling by the firewall?
Correct Answer: B
If the EDL is consistently empty, it implies the firewall is fetching something but isn't finding valid entries. Option B (Correct): Palo Alto Networks firewalls are strict about EDL file formatting. Each entry must be on a new line. If entries are concatenated or the file is not served as plain text, the firewall will likely parse it as empty or invalid. This is a common pitfall when scripting EDL generation. Option A would result in a 'connection refused' or 'file not found' error, not an empty list. Option C is irrelevant; the script runs on the web server, not the firewall. Option D would mean the EDL never updates at all, not that it's empty after updates. Option E would cause intermittent failures, not consistently empty lists.
NetSec-Analyst Exam Question 32
An enterprise is deploying a new containerized application infrastructure, using Kubernetes, exposed via a dedicated load balancer that sits behind a Palo Alto Networks firewall. The security team anticipates a very high, burstable volume of legitimate traffic, but also expects sophisticated HTTP/2-based DoS attacks that exploit the protocol's multiplexing capabilities and header compression. The firewall needs to detect and mitigate these without impacting legitimate, high-concurrency connections. Given that standard HTTP/I .1 flood protection might be insufficient, what advanced DoS profile configurations should be prioritized for the Palo Alto Networks firewall to protect this environment, assuming HTTP/2 inspection is enabled?
Correct Answer: E
This is a very specific scenario targeting HTTP/2 vulnerabilities. Standard HTTP/I .1 rate limiting (A, B, C partially) might not be enough because HTTP/2 multiplexing means many logical streams (requests) can occur over a single TCP connection, potentially bypassing 'Per-session' limits. HTTP/2 also has vulnerabilities like 'HPACK Bomb' (excessive header size/count) and slow stream processing. Option E directly addresses these: 1. Target rules for load balancer IPs: Ensures protection is focused. 2. HTTP Flood protection: General HTTP volume. 3. HTTP Header Length and HTTP Header Count: These are CRITICAL for detecting HTTP/2-specific attacks like 'HPACK Bomb' which exploit header compression to consume resources with small packet sizes. This is an advanced feature not present in basic HTTP flood protection. 4. Client Read Timeout: Essential for slow HTTP/2 stream attacks. 5. Action: Protect: Provides a controlled response (e.g., reset stream) rather than outright blocking, minimizing impact on legitimate connections. Option C is close but misses the specific HTTP/2 header-based protections which are vital. Option A incorrectly suggests Syn-Cookie for HTTP and is too simplistic. Option B is too generic. Option D is less granular and reactive. Option E provides the most comprehensive and targeted defense for HTTP/2 DoS.
NetSec-Analyst Exam Question 33
A sophisticated zero-day attack is suspected to be propagating laterally within your network. You need to quickly identify all active network connections, their associated applications, users, and any related threats, across your distributed environment. Then, you need to rapidly quarantine affected hosts and block the identified malicious application signature. Which set of tools and features provides the most efficient and comprehensive response?
Correct Answer: B
This scenario requires a rapid, comprehensive incident response. Command Center is paramount for real-time visibility into 'Threat Activity' and 'Network Activity' to quickly identify ongoing propagation, including applications and users. Its dynamic filtering capabilities are essential for pinpointing affected entities. For rapid blocking of indicators of compromise (IPs, URLs), EDLs or custom Anti-Spyware profiles are highly effective. Finally, creating Security Policy rules to quarantine or block traffic to/from infected hosts is the direct action needed to contain the lateral movement. Activity Insights is more for trend analysis, and Policy Optimizer is for policy refinement, not immediate incident response to a zero-day.
NetSec-Analyst Exam Question 34
A distributed manufacturing company utilizes several IoT devices across its factories that transmit telemetry data via MQTT to a central cloud broker. The MQTT traffic is highly sensitive to packet loss but can tolerate moderate latency. The company has a mix of Satellite, 4G, and MPLS links at each factory. They want an SD-WAN policy that prioritizes MPLS for MQTT, then 4G, and only uses Satellite as a last resort, unless the Satellite link offers exceptionally low packet loss (below 0.1 %) even if its latency is higher than 4G. If no link meets the packet loss requirement for MQTT (i.e., packet loss on all links exceeds 0.5%), the traffic should be dropped to prevent unreliable data transmission. Which SD-WAN configuration achieves this, considering the complex conditional preference for Satellite?
Correct Answer: B
Option B best captures the complex conditional preference and failover logic. Two SLA Profiles: By defining and we can enforce different quality criteria for different groups of links. Path Groups: Grouping MPLS and 4G into a 'primary' path group evaluated against ensures they are considered first based on the general requirement. Secondary Path Group for Satellite: Placing Satellite in a 'secondary' path group, evaluated against its own, specific (which relaxes latency but tightens packet loss), allows the system to consider Satellite exceptionally when it meets the stringent packet loss condition, even if it wouldn't be chosen by the primary SLA's latency criteria. Fail Action: The 'Fail Action' of 'Drop' ensures data integrity by preventing MQTT traffic from using any link that doesn't meet any of the specified quality requirements. This hierarchical approach using path groups and distinct SLAs is a powerful feature for granular control over application performance.
NetSec-Analyst Exam Question 35
A network architect is designing a decryption strategy for outbound traffic, including advanced threat protection. The requirement states that traffic to known malicious sites (categorized by a custom URL category 'Malicious_Domains') must be blocked immediately without decryption, whereas traffic to cloud storage services (e.g., Google Drive, Dropbox) must be decrypted for DLP inspection. All other internet-bound TLS traffic should be decrypted by default, with an emphasis on blocking connections that utilize deprecated SSL/TLS versions or weak ciphers. Assume the following objects exist: 'DLP_Decryption_Profile' (Forward Proxy, strong cipher/protocol requirements), 'No_Decryption_Profile', and 'Block_Profile' (a security profile with action block).
Correct Answer: A
The order of security policy rules is critical. First, traffic to known malicious sites should be explicitly denied before any decryption attempts, to prevent potential compromises. Second, specific traffic requiring decryption (cloud storage for DLP) should be handled. Finally, a general rule applies the default decryption policy to all other traffic. Option A correctly sequences these requirements: Block malicious first, then decrypt specific applications, then decrypt general traffic. Using 'application-default' is appropriate for most scenarios as it identifies the actual application.