Palo Alto Networks Certified Network Security Professional NetSec-Pro Exam Questions
Page: 1 / 14 Total 60 questions
Want more questions? Get Premium Access. ()
Question 1
Using Prisma Access, which solution provides the most security coverage of network protocols for the mobile workforce?
Answer : B
Client-based VPN solutions like GlobalProtect provide full coverage for the mobile workforce by extending the enterprise security stack to remote endpoints. It establishes a secure tunnel, allowing consistent security policies across the enterprise perimeter and the mobile workforce.
''GlobalProtect is a client-based VPN that provides secure, consistent protection for mobile users by extending the security capabilities of Prisma Access to remote endpoints, covering all network protocols.''
(Source: GlobalProtect Admin Guide)
Question 2
Which two configurations are required when creating deployment profiles to migrate a perpetual VM-Series firewall to a flexible VM? (Choose two.)
Answer : B, C
When migrating from a perpetual VM-Series firewall license to a flexible VM licensing model, two critical steps are needed:
Allocate same number of vCPUs -- This ensures that the VM-Series capacity remains consistent and avoids resource bottlenecks.
''When migrating perpetual VM-Series licenses to flexible VM licensing, allocate the same vCPU and memory resources to ensure equivalent performance.''
(Source: VM-Series Flexible Licensing Migration)
Limit to same security services -- Flexible licensing requires maintaining the same security services to preserve licensing compliance.
''Ensure that you allow only the same security services on the flexible VM instance as were licensed on the perpetual VM.''
(Source: Flexible Licensing and Service Subscriptions)
Question 3
Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two.)
Answer : B, C
When implementing SSL Forward Proxy decryption for outbound traffic, two key challenges that must be evaluated are:
Incomplete certificate chains: This occurs when the firewall cannot validate the entire certificate chain for a site, which may cause decryption failures.
Certificate pinning: Applications like banking apps may use certificate pinning to prevent MITM (man-in-the-middle) attacks, and these applications will break if SSL Forward Proxy is used.
''When decrypting outbound SSL traffic, you must consider incomplete certificate chains, which can cause decryption to fail if the firewall cannot validate the entire chain. Also, be aware of certificate pinning in applications that prevents decryption by rejecting forged certificates.''
(Source: Palo Alto Networks Decryption Concepts)
Question 4
In a service provider environment, what key advantage does implementing virtual systems provide for managing multiple customer environments?
Answer : D
Virtual systems provide logical separation in a single physical firewall, allowing different customers (or tenants) to have isolated control and security policies.
''Virtual systems enable service providers to offer logically separated, independent environments on a single firewall. Each virtual system can have its own security policies, interfaces, and administrators.''
(Source: Virtual Systems)
This ensures secure, tenant-specific segmentation within multi-tenant environments.
Question 5
Which two SSH Proxy decryption profile settings should be configured to enhance the company's security posture? (Choose two.)
Answer : A, C
Blocking non-compliant SSH versions and failing certificate validations are fundamental security measures:
Block sessions when certificate validation fails
''The SSH Proxy profile should block sessions that fail certificate validation to ensure that only trusted hosts are allowed.''
(Source: SSH Proxy Decryption Best Practices)
Block connections using non-compliant SSH versions
Older SSH versions may have vulnerabilities or lack modern encryption algorithms.
''To enforce stronger security, block SSH sessions that use older or deprecated versions of the SSH protocol that do not comply with your security posture.''
(Source: SSH Decryption and Best Practices)
Together, these measures minimize the risk of MITM attacks and secure SSH traffic.
Question 6
In a Prisma SD-WAN environment experiencing voice quality degradation, which initial action is recommended?
Answer : B
Voice quality issues in SD-WAN deployments are typically linked to path performance metrics (latency, jitter, packet loss). Reviewing real-time analytics helps pinpoint root causes and appropriate mitigation.
''When experiencing performance issues, the first step is to analyze real-time performance data. Prisma SD-WAN provides path quality analytics to identify degradation and ensure informed troubleshooting.''
(Source: Prisma SD-WAN Monitoring)
This data-driven approach avoids unnecessary configuration changes.
Question 7
Which two types of logs must be forwarded to Strata Logging Service for IoT Security to function? (Choose two.)
Answer : B, C
For IoT Security to accurately classify and monitor IoT devices, the following logs must be forwarded to Strata Logging Service:
Enhanced application logs -- provide detailed application usage and behaviors, essential for profiling device types and roles.
''Enhanced Application logs provide additional context on IoT device behavior and usage patterns, and must be forwarded to Strata Logging Service for IoT Security to build accurate Device-ID profiles.''
(Source: IoT Security Logging Requirements)
Threat logs -- essential for detecting suspicious or malicious activities by IoT devices.
''Threat logs are critical for identifying potential exploits or suspicious activities involving IoT devices and are required for accurate threat visibility within IoT Security.''
(Source: IoT Security Logs)
These logs collectively ensure accurate device classification and real-time threat visibility.
All Official Question Types