Palo Alto Networks NetSec-Pro Exam Questions Instant Access

Question 1

Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events?

AAddress objects

BDynamic Address Groups

CDynamic User Groups

DPredefined IP addresses

Answer : B

Dynamic Address Groups enable the firewall to automatically adjust security policies based on tags assigned dynamically (via log events, API, etc.). This eliminates the need for manual updates to policies when server roles or IPs change.

''Dynamic Address Groups allow you to create policies that automatically adapt to changes in the environment. These groups are populated dynamically based on tags, enabling automated security policy updates without manual intervention.''

(Source: Dynamic Address Groups)

Question 2

Using Prisma Access, which solution provides the most security coverage of network protocols for the mobile workforce?

AExplicit proxy

BClient-based VPN

CEnterprise browser

DClientless VPN

Answer : B

Client-based VPN solutions like GlobalProtect provide full coverage for the mobile workforce by extending the enterprise security stack to remote endpoints. It establishes a secure tunnel, allowing consistent security policies across the enterprise perimeter and the mobile workforce.

''GlobalProtect is a client-based VPN that provides secure, consistent protection for mobile users by extending the security capabilities of Prisma Access to remote endpoints, covering all network protocols.''

(Source: GlobalProtect Admin Guide)

Question 3

Which action is only taken during slow path in the NGFW policy?

ASession lookup

BLayer 2---Layer 4 firewall processing

CSSL/TLS decryption

DSecurity policy lookup

Answer : C

In Palo Alto Networks' Single-Pass Parallel Processing (SP3) architecture, SSL/TLS decryption occurs only during the slow path when the firewall first encounters a new session.

''SSL/TLS decryption, which requires CPU-intensive cryptographic operations, is performed during the slow path when establishing new sessions. Once decrypted, traffic is processed in the fast path for subsequent packets.''

(Source: Packet Flow and SP3 Architecture)

After the initial decryption in the slow path, decrypted traffic is handled by fast path for efficiency.

Question 4

A network administrator obtains Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service?

ACreate a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic.

BCreate overrides for all company owned FQDNs.

CConfigure DNS Security signature policy settings to sinkhole malicious DNS queries.

DEnable Advanced Threat Prevention with default settings and only focus on high-risk traffic.

Answer : C

Advanced DNS Security uses a signature policy to sinkhole malicious DNS queries and prevent them from resolving.

''The DNS Security service integrates with Anti-Spyware profiles, and you must configure signature policy settings to sinkhole malicious queries. This proactively stops traffic to known malicious domains.''

(Source: Configure DNS Security)

Sinkholing ensures that DNS queries to malicious FQDNs are redirected to a safe IP, preventing compromise.

Question 5

In a distributed enterprise implementing Prisma SD-WAN, which configuration element should be implemented first to ensure optimal traffic flow between remote sites and headquarters?

ADeploy redundant ION devices at each location.

BImplement dynamic path selection using real-time performance metrics.

CConfigure static routes between all the branch offices.

DEnable split tunneling for all branch locations.

Answer : B

Dynamic path selection is the foundation of SD-WAN, leveraging real-time performance data to dynamically route traffic over the best available path.

''Dynamic path selection continuously monitors performance metrics (loss, latency, jitter) and makes real-time routing decisions to ensure application SLAs are met across the WAN.''

(Source: Prisma SD-WAN Dynamic Path Selection)

Establishing dynamic path selection first ensures the rest of the SD-WAN optimizations (e.g., failover, QoS) work effectively.

Question 6

What occurs when a security profile group named ''default'' is created on an NGFW?

AIt only applies to traffic that has been dropped due to the reset client action.

BIt allows traffic to bypass all security checks by default.

CIt negates all existing security profiles rules on new policy.

DIt is automatically applied to all new security rules.

Answer : D

A security profile group named ''default'' is automatically applied to all new security rules unless a specific profile group is explicitly configured.

''If a security profile group named 'default' exists, it will be automatically applied to any newly created security policy rules to ensure consistent protection.''

(Source: Security Profile Groups)

This behavior ensures that newly created policies are always protected by default security profiles, minimizing human error.

Question 7

In which two applications can Prisma Access threat logs for mobile user traffic be reviewed? (Choose two.)

APrisma Cloud dashboard

BStrata Cloud Manager (SCM)

CStrata Logging Service

DService connection firewall

Answer : B, C

Threat logs for Prisma Access mobile users can be reviewed in both Strata Cloud Manager (SCM) and Strata Logging Service. Prisma Cloud and service connection firewalls are not directly tied to mobile user traffic logs.

''Prisma Access logs are available in the Strata Cloud Manager and can also be sent to the Strata Logging Service for detailed analysis and threat visibility.''

(Source: Prisma Access Administration Guide)

Palo Alto Networks Certified Network Security Professional NetSec-Pro Exam Questions