Palo Alto Networks NetSec-Pro Exam Questions Instant Access

Question 1

How do Cloud NGFW instances get created when using AWS centralized deployments?

ACloud NGFW is placed in a vWAN with a virtual hub.

BThey replace the internet gateway service.

CSelected VPCs will have Cloud NGFW workloads added to them.

DA security VPC will be created as transit gateways to push all traffic through the area.

Answer : C

When using AWS centralized deployments for Cloud NGFW, the service deploys NGFW instances into selected VPCs as additional workloads to secure that traffic.

''In centralized deployments, Cloud NGFW instances are deployed as security appliances within the selected VPCs, ensuring consistent traffic inspection and protection.''

(Source: Cloud NGFW Deployment Models)

This approach minimizes complexity and ensures direct security policy enforcement within AWS.

Question 2

A network administrator obtains Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service?

ACreate a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic.

BCreate overrides for all company owned FQDNs.

CConfigure DNS Security signature policy settings to sinkhole malicious DNS queries.

DEnable Advanced Threat Prevention with default settings and only focus on high-risk traffic.

Answer : C

Advanced DNS Security uses a signature policy to sinkhole malicious DNS queries and prevent them from resolving.

''The DNS Security service integrates with Anti-Spyware profiles, and you must configure signature policy settings to sinkhole malicious queries. This proactively stops traffic to known malicious domains.''

(Source: Configure DNS Security)

Sinkholing ensures that DNS queries to malicious FQDNs are redirected to a safe IP, preventing compromise.

Question 3

A network security engineer needs to implement segmentation but is under strict compliance requirements to place security enforcement as close as possible to the private applications hosted in Azure. Which deployment style is valid and meets the requirements in this scenario?

AOn a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

BOn a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

COn a VM-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.

DOn a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.

Answer : C

In cloud environments like Azure, the VM-Series NGFW is deployed to create Layer 3 segmentation zones closest to the application workloads.

''In Azure, deploy VM-Series firewalls in Layer 3 mode to enforce security policies closest to private applications, meeting strict compliance and segmentation requirements.''

(Source: VM-Series in Public Clouds)

Layer 3 segmentation ensures security policies are enforced at the right boundary to isolate traffic within Azure's virtual networks.

Question 4

Which two SSH Proxy decryption profile settings should be configured to enhance the company's security posture? (Choose two.)

ABlock sessions when certificate validation fails.

BAllow sessions with legacy SSH protocol versions.

CBlock connections that use non-compliant SSH versions.

DAllow sessions when decryption resources are unavailable.

Answer : A, C

Blocking non-compliant SSH versions and failing certificate validations are fundamental security measures:

Block sessions when certificate validation fails

''The SSH Proxy profile should block sessions that fail certificate validation to ensure that only trusted hosts are allowed.''

(Source: SSH Proxy Decryption Best Practices)

Block connections using non-compliant SSH versions

Older SSH versions may have vulnerabilities or lack modern encryption algorithms.

''To enforce stronger security, block SSH sessions that use older or deprecated versions of the SSH protocol that do not comply with your security posture.''

(Source: SSH Decryption and Best Practices)

Together, these measures minimize the risk of MITM attacks and secure SSH traffic.

Question 5

During a security incident investigation, which Security profile will have logs of attempted confidential data exfiltration?

AFile Blocking Profile

BEnterprise DLP Profile

CVulnerability Protection Profile

DWildFire Analysis Profile

Answer : B

Enterprise DLP Profile is specifically designed to detect and log data exfiltration attempts, including those involving confidential or sensitive data.

''Enterprise DLP logs capture incidents involving potential data exfiltration. They help identify sensitive data transfers, even in seemingly legitimate traffic.''

(Source: Enterprise DLP Logging and Alerts)

File Blocking and Vulnerability Protection handle files or exploit detection, while WildFire focuses on malware analysis---not direct data exfiltration.

Question 6

Which set of attributes is used by IoT Security to identify and classify appliances on a network when determining Device-ID?

AIP address, network traffic patterns, and device type

BMAC address, device manufacturer, and operating system

CHostname, application usage, and encryption method

DDevice model, firmware version, and user credential

Answer : B

IoT Security uses MAC address, device manufacturer, and OS information to identify and classify devices via Device-ID.

''IoT Security uses passive network traffic analysis to fingerprint devices based on the MAC address, manufacturer, and operating system to ensure accurate classification.''

(Source: IoT Security Device-ID and Classification)

These attributes provide a robust, manufacturer-agnostic method to fingerprint IoT devices.

Question 7

An NGFW administrator is updating PAN-OS on company data center firewalls managed by Panoram

a. Prior to installing the update, what must the administrator verify to ensure the devices will continue to be supported by Panorama?

ADevice telemetry is enabled.

BPanorama is configured as the primary device in the log collecting group for the data center firewalls.

CAll devices are in the same template stack.

DPanorama is running the same or newer PAN-OS release as the one being installed.

Answer : D

The firewall must be running a PAN-OS version that is supported by Panorama. This means that Panorama must be running the same or a newer PAN-OS version as the one being installed on the firewalls to maintain compatibility.

''Before you upgrade the firewall, ensure that Panorama is running the same or a later PAN-OS version than the firewall. Panorama must always be at the same or a higher version to maintain compatibility.''

(Source: Panorama Admin Guide -- Upgrade Process)

Palo Alto Networks Certified Network Security Professional NetSec-Pro Exam Questions