Palo Alto Networks Certified Network Security Professional NetSec-Pro Exam Practice Test

Page: 1 / 14
Total 60 questions
Question 1

Which two security services are required for configuration of NGFW Security policies to protect against malicious and misconfigured domains? (Choose two.)



Answer : A, D

Protecting against malicious and misconfigured domains requires two critical services:

Advanced Threat Prevention

Provides signature-based and advanced analysis to identify threats, including DNS-based attacks.

"Advanced Threat Prevention enables the NGFW to detect and prevent exploits and malware-based communications, including those leveraging DNS."

(Source: Advanced Threat Prevention)

Advanced DNS Security

Specifically designed to detect and sinkhole malicious and misconfigured DNS queries.

"DNS Security uses real-time intelligence to block DNS-based threats, protect against data exfiltration, and automatically sinkhole suspicious domain lookups."

(Source: DNS Security)

By combining these services in security policies, NGFWs ensure robust protection against domain-based threats and misconfigurations.


Question 2

Which zone is available for use in Prisma Access?



Answer : B

In Prisma Access, the interzone security policy rule is available and plays a crucial role in controlling traffic between zones.

"You can configure an interzone rule to control traffic that flows between different zones in Prisma Access, enabling granular security policy enforcement."

(Source: Prisma Access Security Policies)

This ensures comprehensive control of traffic crossing security boundaries in the cloud-delivered architecture.


Question 3

What key capability distinguishes Content-ID technology from conventional network security approaches?



Answer : B

Content-ID is the core of Palo Alto Networks' prevention architecture, providing single-pass application layer inspection to deliver real-time threat prevention across all traffic.

"Content-ID uses a single-pass architecture to perform application-layer (Layer 7) traffic inspection and real-time threat prevention. Unlike traditional firewalls that rely on multiple scans, Content-ID inspects traffic once to enforce multiple security controls simultaneously."

(Source: Content-ID Overview)

By consolidating security functions in a single pass, it ensures both efficiency and comprehensive security.


Question 4

Which two configurations are required when creating deployment profiles to migrate a perpetual VM-Series firewall to a flexible VM? (Choose two.)



Answer : B, C

When migrating from a perpetual VM-Series firewall license to a flexible VM licensing model, two critical steps are needed:

Allocate same number of vCPUs: This ensures that the VM-Series capacity remains consistent and avoids resource bottlenecks.

"When migrating perpetual VM-Series licenses to flexible VM licensing, allocate the same vCPU and memory resources to ensure equivalent performance."

(Source: VM-Series Flexible Licensing Migration)

Limit to same security services: Flexible licensing requires maintaining the same security services to preserve licensing compliance.

"Ensure that you allow only the same security services on the flexible VM instance as were licensed on the perpetual VM."

(Source: Flexible Licensing and Service Subscriptions)


Question 5

Which two components of a Security policy, when configured, allow third-party contractors access to internal applications outside business hours? (Choose two.)



Answer : C, D

To allow third-party contractors controlled access, security policies must combine user identification and time-based access controls:

User-ID

"User-ID enables security policies to be based on user identity rather than IP addresses, ensuring precise policy enforcement for specific users such as contractors."

(Source: User-ID Overview)

Schedule

"Schedules allow policies to be active only during specific times, providing time-based access control (e.g., after business hours)."

(Source: Security Policy Schedules)

Together, they ensure that only authorized users (contractors) have access, and only when explicitly allowed.


Question 6

How can a firewall administrator block a list of 300 unique URLs in the most time-efficient manner?



Answer : C

For large lists of specific URLs, creating a custom URL category and importing the list is the most efficient approach for granular URL filtering.

"You can create custom URL categories to define specific URLs or patterns and enforce policies for these categories. This is the most efficient way to handle large sets of URLs."

(Source: Custom URL Categories)

This approach saves time compared to manual rule creation or using generic application filters.


Question 7

Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two.)



Answer : B, C

When implementing SSL Forward Proxy decryption for outbound traffic, two key challenges that must be evaluated are:

Incomplete certificate chains: This occurs when the firewall cannot validate the entire certificate chain for a site, which may cause decryption failures.

Certificate pinning: Applications like banking apps may use certificate pinning to prevent MITM (man-in-the-middle) attacks, and these applications will break if SSL Forward Proxy is used.

"When decrypting outbound SSL traffic, you must consider incomplete certificate chains, which can cause decryption to fail if the firewall cannot validate the entire chain. Also, be aware of certificate pinning in applications that prevents decryption by rejecting forged certificates."

(Source: Palo Alto Networks Decryption Concepts)

