Palo Alto Networks NetSec-Analyst Exam Questions Instant Access

Question 1

An administrator wants to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 device groups and five templates.

Which configuration action should the administrator take when creating the address object?

AEnsure that the Shared option is checked.

BEnsure that the Shared option is cleared.

CEnsure that Disable Override is cleared.

DTag the address object with the Global tag.

Answer : A

To reference the same address object in Security policies on 100 Panorama-managed firewalls, across 10 device groups and five templates, the administrator should ensure that the Shared option is checked when creating the address object. This option allows the administrator to create a shared address object that is available to all device groups and templates on Panorama.The shared address object can then be used in multiple firewall policy rules, filters, and other functions1.This reduces the complexity and duplication of managing address objects across multiple firewalls2.Reference:Address Objects,Create a Shared Address Object,Certifications - Palo Alto Networks,Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Question 2

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

ACreate a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH

BCreate a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH

CIn addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address

DIn addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

Answer : B

Question 3

Refer to the exhibit.

Given the topology, which zone type should you configure for firewall interface E1/1?

ATap

BTunnel

CVirtual Wire

DLayer3

Answer : A

Question 4

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

ASAML

BTACACS+

CLDAP

DKerberos

Answer : A, B

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall.

Question 5

Which solution is a viable option to capture user identification when Active Directory is not in use?

ACloud Identity Engine

Bgroup mapping

CDirectory Sync Service

DAuthentication Portal

Answer : D

Question 6

What must be considered with regards to content updates deployed from Panorama?

AContent update schedulers need to be configured separately per device group.

BPanorama can only install up to five content versions of the same type for potential rollback scenarios.

CA PAN-OS upgrade resets all scheduler configurations for content updates.

DPanorama can only download one content update at a time for content updates of the same type.

Answer : D

Question 7

An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.

Which security policy action causes this?

AReset server

BReset both

CDeny

DDrop

Answer : C

Explanation/Reference:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage- configuration backups/revert-firewall-configuration- changes.html

Palo Alto Networks Network Security Analyst NetSec-Analyst Exam Questions