NetSec-Analyst 試験問題を無料オンラインアクセス

A multinational corporation has deployed Palo Alto Networks SD-WAN across its global offices. They have a critical VoIP application (App-ID: rtp-udp) that must always prioritize paths with less than 100ms latency and 0.5% jitter. If no single path meets both criteria, the system should attempt to aggregate bandwidth across multiple lower-quality paths if the combined latency and jitter for the aggregated flow can meet the requirements. If even aggregation is insufficient, the traffic should be dropped. Which SD-WAN policy and configuration elements are required to achieve this complex scenario?

• A.Define an SLA profile for VoIP with 100ms latency and 0.5% jitter thresholds. Apply this SLA profile to the VoIP application within an SD-WAN policy. Configure the SD-WAN policy to use 'Path Monitoring' and 'Path Failover' to drop traffic if no single path meets the SL Bandwidth aggregation is not directly supported for SLA enforcement in this manner.
• B.Create an SD-WAN path quality profile for VoIP with the specified latency and jitter thresholds. Configure 'Path Aggregation' within the SD-WAN policy for the VoIP application, setting the aggregation mode to 'Performance-Based'. The policy should also specify 'Drop Traffic' as the action if the combined aggregated path quality fails to meet the profile thresholds.
• C.Palo Alto Networks SD-WAN does not natively support 'aggregation' of paths to meet a single SLA metric. You would need to configure primary/secondary paths based on individual link quality. If no single path meets the SLA, the traffic will fail over or be dropped based on PBF configuration.
• D.Utilize an SD-WAN policy for RTP-UDP with an SLA profile defining the 100ms latency and 0.5% jitter. Configure 'Dynamic Path Selection' with 'Multi-path' enabled. The policy should include a 'fail-action' of 'drop'. The system inherently calculates combined metrics for multi-path decision-making and drops if the SLA isn't met even with aggregation.
• E.Configure an SD-WAN policy for VoIP, specifying a 'preferred path group' that includes all viable links. Set an 'SLA monitoring' profile with the latency and jitter thresholds. Enable 'link aggregation' on the device and configure a custom health check script that calculates combined path metrics across multiple links and dynamically adjusts route metrics to force traffic through aggregated paths if single links fail, otherwise drop.

A financial institution uses Palo Alto Networks firewalls to secure its network. They've observed that their proprietary internal trading application, which operates on a non-standard port (TCP/8080), is being consistently identified by App-ID as 'web-browsing' due to its HTTP-like traffic patterns, leading to incorrect policy enforcement and performance issues. They need to ensure this application is always correctly identified as 'proprietary-trading-app' for specific security policies. Which of the following is the most appropriate and robust solution to address this application misidentification without disrupting other web traffic?

• A.Modify the 'web-browsing' application definition to exclude TCP/8080 for all traffic.
• B.Implement an Application Filter for 'proprietary-trading-app' and apply it to the relevant security policies.
• C.Create a custom application signature using Protocol/Port, and then create a security policy allowing 'proprietary-trading-app' on TCP/8080.
• D.Create an Application Override policy to identify TCP/8080 traffic from the trading application's source zone/IP to its destination zone/IP as 'proprietary-trading-app'.
• E.Disable App-ID for TCP/8080 on the specific security policy allowing the trading application, relying solely on port-based identification.

A security analyst is investigating a suspicious outbound connection from an IoT smart light bulb, which normally only communicates with its cloud controller. The firewall logs show traffic initiated from the light bulb's IP address (192.168.5.10) to an external IP (203.0.113.5) on TCP port 4444. The existing IoT security profile for the 'Smart-Home-IoT' device group, to which the light bulb belongs, is configured to allow only HTTPS traffic to 'iot.vendorcloud.com'. Which of the following is the MOST likely reason for this connection being allowed, assuming no explicit 'deny all' rule is present for the IoT zone after the allowed traffic?

• A.The 'Smart-Home-IoT' device group's IoT Security Profile has a 'Service' object defined for 'any' rather than 'application-default'.
• B.The firewall's 'Application Identification' engine incorrectly identified the traffic as HTTPS.
• C.The IoT device has bypassed the firewall by using a VPN tunnel.
• D.The 'Threat Prevention' profile applied to the rule is not configured to block outbound connections.
• E.The security rule permitting HTTPS to 'iot.vendorcloud.com' has a broader 'Service' definition, or there is another rule higher in the rulebase that permits 'any' service for IoT devices.

An organization is migrating sensitive data to a new cloud storage provider. They need to ensure that no data tagged as 'Confidential' is uploaded to any cloud storage service, regardless of whether it's the approved one or not. They also need to ensure that the approved cloud storage service can only be used for uploads if the data is not tagged 'Confidential'. This requires inspecting files for specific content patterns. Which Palo Alto Networks Data Filtering configuration, utilizing a 'File Blocking' profile, would achieve this?

• A.Create a 'Data Filtering' profile with a 'Data Pattern' for 'Confidential' content (Action: Block). Apply this profile to a security policy rule allowing uploads to ALL cloud storage URLs. Create a separate security policy rule allowing uploads to the approved cloud storage URL, but without the 'Data Filtering' profile.
• B.Create two 'Data Filtering' profiles: one for 'Confidential' data (Action: Block), another for 'Non-Confidential' data (Action: Allow). Apply them based on user groups accessing cloud storage.
• C.Create a 'Data Filtering' profile with a 'Data Pattern' for 'Confidential' tag. Create a 'File Blocking' profile to block 'upload' for URL category 'cloud-storage'. Apply both to the same security policy.
• D.Create a 'Data Filtering' profile with a 'Data Pattern' for 'Confidential' content. Set 'Action' to 'Block'. In the same 'Data Filtering' profile, create another rule for 'Any' content, set 'Action' to 'Allow' for the approved cloud storage URL category. Apply this single 'Data Filtering' profile to security policies for cloud storage.
• E.Configure a 'Data Filtering' profile with a 'Data Pattern' matching 'Confidential' content. Set 'Action' to 'Block'. In a 'File Blocking' profile, create a rule to 'Block' upload of 'any' file type to the URL category 'cloud-storage'. Apply these profiles in separate security policies where the 'Confidential' blocking policy has higher precedence for all cloud-storage URLs.

A network security analyst is attempting to push a new security policy configuration to a Palo Alto Networks firewall. The commit operation fails with the error message:

Which of the following is the MOST LIKELY root cause of this commit failure?

• A.The device group hierarchy is misconfigured, preventing policy inheritance.
• B.The security policy rule 'Block_Malware_Sites' has an incorrect service port configured.
• C.The address object 'Malicious_lP_Feed' exists but is not associated with the 'Untrust' zone, or it has been deleted.
• D.The administrator's role-based access control (RBAC) privileges are insufficient to modify security policies.
• E.The firewall is experiencing a high volume of traffic, leading to a timeout during the commit process.