Paloalto Networks NetSec-Pro 시험

Question No : 1

What is a necessary step for creation of a custom Prisma Access report on Strata Cloud Manager (SCM)?

• A.Open a support ticket.
• B.Set up Cloud Identity Engine.
• C.Generate a PDF summary report.
• D.Configure a dashboard.

답을 확인하기

정답:
Explanation:
To create custom Prisma Access reports within SCM, you first configure a dashboard that aggregates the relevant logs and analytics. This allows you to define the data points you want to include.
“Dashboards in SCM can be customized to include Prisma Access data sources, enabling you to create and generate reports that meet specific business and security requirements.”
(Source: SCM Dashboards and Reporting)
Once configured, you can export the dashboard as a custom report.
“Use the dashboard’s data visualization to create custom reports for Prisma Access, which can be exported as PDFs for distribution.”
(Source: SCM Report Customization)

Question No : 2

A network security engineer has created a Security policy in Prisma Access that includes a negated region in the source address.
Which configuration will ensure there is no connectivity loss due to the negated region?

• A.Set the service to be application-default.
• B.Create a Security policy for the negated region with destination address “any”.
• C.Add a Dynamic Application Group to the Security policy.
• D.Add all regions that contain private IP addresses to the source address.

답을 확인하기

정답:
Explanation:
Negated source addresses exclude traffic from the specified region. To avoid accidental connectivity loss for traffic from that region, create a separate Security policy to explicitly permit it.
“When you use a negated region in a Security policy rule, ensure to create an additional Security policy to permit traffic from the excluded (negated) region to avoid unintentional drops.”
(Source: Prisma Access Policy Best Practices)
This ensures explicit inclusivity for the excluded region, maintaining reliable connectivity.

Question No : 3

Which two SSH Proxy decryption profile settings should be configured to enhance the company’s security posture? (Choose two.)

• A.Block sessions when certificate validation fails.
• B.Allow sessions with legacy SSH protocol versions.
• C.Block connections that use non-compliant SSH versions.
• D.Allow sessions when decryption resources are unavailable.

답을 확인하기

정답:
Explanation:
Blocking non-compliant SSH versions and failing certificate validations are fundamental security measures:
Block sessions when certificate validation fails
“The SSH Proxy profile should block sessions that fail certificate validation to ensure that only trusted hosts are allowed.”
(Source: SSH Proxy Decryption Best Practices)
Block connections using non-compliant SSH versions
Older SSH versions may have vulnerabilities or lack modern encryption algorithms.
“To enforce stronger security, block SSH sessions that use older or deprecated versions of the SSH protocol that do not comply with your security posture.”
(Source: SSH Decryption and Best Practices)
Together, these measures minimize the risk of MITM attacks and secure SSH traffic.

Question No : 4

How does Advanced WildFire integrate into third-party applications?

• A.Through playbooks automatically sending WildFire data
• B.Through customized reporting configured in NGFWs
• C.Through Strata Logging Service
• D.Through the WildFire API

답을 확인하기

정답:
Explanation:
Advanced WildFire supports direct integrations into third-party security tools through the WildFire API, enabling automated threat intelligence sharing and real-time verdict dissemination.
“WildFire exposes a RESTful API that third-party applications can leverage to integrate WildFire’s analysis results and threat intelligence seamlessly into their own security workflows.”
(Source: WildFire API Guide)
The API provides:
Verdict retrieval
Sample submission
Report retrieval
“Use the WildFire API to submit samples, retrieve verdicts, and obtain detailed analysis reports for integration with your existing security infrastructure.”
(Source: WildFire API Use Cases)

Question No : 5

After a firewall is associated with Strata Cloud Manager (SCM), which two additional actions are required to enable management of the firewall from SCM? (Choose two.)

• A.Deploy a service connection for each branch site and connect with SC
• B.Configure NTP and DNS servers for the firewall.
• C.Configure a Security policy allowing “stratacloudmanager.paloaltonetworks.com” for all users.
• D.Install a device certificate.

답을 확인하기

정답:
Explanation:
To fully manage a firewall from Strata Cloud Manager (SCM), it’s essential to establish trust and ensure reliable connectivity:
Configure NTP and DNS servers
The firewall must have accurate time (NTP) and name resolution (DNS) to securely communicate with SCM and related cloud services.
“To ensure successful management, configure the firewall’s NTP and DNS settings to synchronize time and resolve domain names such as stratacloudmanager.paloaltonetworks.com.”
(Source: SCM Onboarding Requirements)
Install a device certificate
A device certificate authenticates the firewall’s identity when connecting to SCM.
“The device certificate authenticates the firewall to Palo Alto Networks cloud services, including SCM. It’s a fundamental requirement to establish secure connectivity.”
(Source: Device Certificates)
These steps ensure trust, secure communication, and successful onboarding into SCM.

Question No : 6

How does Strata Logging Service help resolve ever-increasing log retention needs for a company using Prisma Access?

• A.It increases resilience due to decentralized collection and storage of logs.
• B.Automatic selection of physical data storage regions decreases adoption time.
• C.It can scale to meet the capacity needs of new locations as business grows.
• D.Log traffic using the licensed bandwidth purchased for Prisma Access reduces overhead.

답을 확인하기

정답:
Explanation:
The Strata Logging Service offers scalable log storage to accommodate data growth, which ensures organizations can retain logs for compliance and threat hunting as their environments expand.
“The Strata Logging Service is designed to scale dynamically to accommodate growing log retention needs, allowing enterprises to maintain comprehensive visibility as they expand their network footprint.”
(Source: Strata Logging Service Overview)

Question No : 7

Which set of practices should be implemented with Cloud Access Security Broker (CASB) to ensure robust data encryption and protect sensitive information in SaaS applications?

• A.Do not enable encryption for data-at-rest to improve performance.
• B.Use default encryption keys provided by the SaaS provider.
• C.Perform annual encryption key rotations.
• D.Enable encryption for data-at-rest and in transit, regularly update encryption keys, and use strong encryption algorithms.

답을 확인하기

정답:
Explanation:
CASB integration should focus on comprehensive data protection, which includes encryption for data-at-rest and in transit, frequent key updates, and using strong encryption algorithms to ensure confidentiality and data integrity.
“CASB solutions should enforce encryption for data-at-rest and in transit, implement key rotation policies, and leverage robust encryption algorithms to protect sensitive SaaS application data.”
(Source: CASB Deployment Best Practices)

Question No : 8

A cloud security architect is designing a certificate management strategy for Strata Cloud Manager (SCM) across hybrid environments.
Which practice ensures optimal security with low management overhead?

• A.Deploy centralized certificate automation with standardized protocols and continuous monitoring.
• B.Implement separate certificate authorities with independent validation rules for each cloud environment.
• C.Configure manual certificate deployment with quarterly reviews and environment-specific security protocols.
• D.Use cloud provider default certificates with scheduled synchronization and localized renewal processes.

답을 확인하기

정답:
Explanation:
A centralized certificate automation approach reduces management overhead and security risks by standardizing processes, automating renewals, and continuously monitoring the certificate lifecycle.
“Implementing a centralized certificate management approach with automation and continuous monitoring ensures optimal security while reducing operational complexity in hybrid environments.”
(Source: Best Practices for Certificate Management)

Question No : 9

How many places will a firewall administrator need to create and configure a custom data loss prevention (DLP) profile across Prisma Access and the NGFW?

• A.One
• B.Two
• C.Three
• D.Four

답을 확인하기

정답:
Explanation:
Palo Alto Networks' Enterprise DLP uses a centralized DLP profile that can be applied consistently across both Prisma Access and NGFWs using Strata Cloud Manager (SCM). This eliminates the need for duplicating efforts across multiple locations.
“Enterprise DLP profiles are created and managed centrally through the Cloud Management Interface and can be used seamlessly across NGFW and Prisma Access deployments.”
(Source: Enterprise DLP Overview)

Question No : 10

Which method in the WildFire analysis report detonates unknown submissions to provide visibility into real-world effects and behavior?

• A.Dynamic analysis
• B.Static analysis
• C.Intelligent Run-time Memory Analysis
• D.Machine learning (ML)

답을 확인하기

정답:
Explanation:
Dynamic analysis in WildFire refers to executing unknown files in a controlled environment (sandbox) to observe their real-world behavior. This allows the firewall to detect zero-day threats and advanced malware by directly analyzing the file’s impact on a system.
“WildFire dynamic analysis detonates unknown files in a secure sandbox environment, analyzing real-world effects, behaviors, and potential malicious activity.”
(Source: WildFire Analysis)

Question No : 11

Which security profile provides real-time protection against threat actors who exploit the misconfigurations of DNS infrastructure and redirect traffic to malicious domains?

• A.Antivirus
• B.URL Filtering
• C.Vulnerability Protection
• D.Anti-spyware

답을 확인하기

정답:
Explanation:
The Anti-spyware profile includes DNS-based protections like sinkholing and detection of DNS queries to malicious domains, offering real-time protection against attacks that exploit DNS misconfigurations.
“The Anti-Spyware profile protects against DNS-based threats by sinkholing DNS queries to malicious domains and detecting suspicious DNS activity, thus blocking data exfiltration and C2 communication.”
(Source: Anti-Spyware Profiles)

Question No : 12

When a firewall acts as an application-level gateway (ALG), what does it require in order to establish a connection?

• A.Dynamic IP and Port (DIPP)
• B.Payload
• C.Session Initiation Protocol (SIP)
• D.Pinholes

답을 확인하기

정답:
Explanation:
An ALG is designed to inspect and modify the payload of application-layer protocols (like SIP, FTP, etc.) to manage dynamic port allocations and session information.
“Application Layer Gateways (ALGs) inspect the payload of certain protocols to dynamically manage sessions that use dynamic port assignments. By modifying payloads, the ALG ensures that NAT and security policies are correctly applied.”
(Source: ALG Support)

Question No : 13

How does a firewall behave when SSL Inbound Inspection is enabled?

• A.It acts transparently between the client and the internal server.
• B.It decrypts inbound and outbound SSH connections.
• C.It decrypts traffic between the client and the external server.
• D.It acts as meddler-in-the-middle between the client and the internal server.

답을 확인하기

정답:
Explanation:
SSL Inbound Inspection allows the firewall to decrypt incoming encrypted traffic to internal servers (e.g., web servers) by acting as a man-in-the-middle (MITM). The firewall uses the private key of the server to decrypt the session and apply security policies before re-encrypting the traffic.
“SSL Inbound Inspection requires you to import the server’s private key and certificate into the firewall. The firewall then acts as a man-in-the-middle (MITM) to decrypt inbound sessions from external clients to internal servers for inspection.”
(Source: SSL Inbound Inspection)

Question No : 14

Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events?

• A.Address objects
• B.Dynamic Address Groups
• C.Dynamic User Groups
• D.Predefined IP addresses

답을 확인하기

정답:
Explanation:
Dynamic Address Groups enable the firewall to automatically adjust security policies based on tags assigned dynamically (via log events, API, etc.). This eliminates the need for manual updates to policies when server roles or IPs change.
“Dynamic Address Groups allow you to create policies that automatically adapt to changes in the environment. These groups are populated dynamically based on tags, enabling automated security policy updates without manual intervention.”
(Source: Dynamic Address Groups)

Question No : 15

Which two prerequisites must be evaluated when decrypting internet-bound traffic? (Choose two.)

• A.RADIUS profile
• B.Incomplete certificate chains
• C.Certificate pinning
• D.SAML certificate

답을 확인하기

정답:
Explanation:
When implementing SSL Forward Proxy decryption for outbound traffic, two key challenges that must be evaluated are:
Incomplete certificate chains: This occurs when the firewall cannot validate the entire certificate chain for a site, which may cause decryption failures.
Certificate pinning: Applications like banking apps may use certificate pinning to prevent MITM (man-in-the-middle) attacks, and these applications will break if SSL Forward Proxy is used.
“When decrypting outbound SSL traffic, you must consider incomplete certificate chains, which can cause decryption to fail if the firewall cannot validate the entire chain. Also, be aware of certificate pinning in applications that prevents decryption by rejecting forged certificates.”
(Source: Palo Alto Networks Decryption Concepts)