Palo Alto Networks Network Security Analyst 認定 NetSec-Analyst 試験問題:

1. An organization is deploying a new web application server that requires strict adherence to security best practices. The security team has defined a custom URL category for 'critical-application-updates' and another for 'developer-tools'. They want to ensure that only 'critical-application-updates' URLs are allowed, 'developer-tools' URLs are logged but blocked, and all other unclassified or malicious URLs are blocked with an appropriate response page. Which URL Filtering profile configuration meets these requirements?

A) Create a new URL Filtering profile. Set 'critical-application-updates' to 'allow'. Set 'developer-tools' to 'block' with a custom response page that explains the policy, and ensure 'malware' and 'phishing' categories are set to 'block' with a generic block page. Other categories remain default.
B) Configure the URL Filtering profile with 'critical-application-updates' set to 'allow'. Set 'developer-tools' to 'block' and enable logging for this category. For 'unclassified' and 'unknown' categories, set to 'block'. For all other categories, set to 'alert'. Use a custom response page for 'developer-tools' and a default block page for others.
C) In the URL Filtering profile, set 'critical-application-updates' to 'allow'. Set 'developer-tools' to 'block' and configure an immediate 'reset-both' action. For 'unclassified', 'n/a', and 'all-others' categories, set to 'block' with the default response page. Ensure logging is enabled for all blocked categories.
D) Configure the URL Filtering profile with 'critical-application-updates' set to 'allow', 'developer-tools' set to 'alert', and 'unclassified' and 'gambling' categories set to 'block'. Use the default block page for all blocked categories.
E) Define the URL Filtering profile with 'critical-application-updates' set to 'allow'. For 'developer-tools', set the action to 'block' and enable logging. For 'unclassified', 'unknown', 'malware', and 'phishing' categories, set the action to 'block' with the appropriate response pages. The order of evaluation for custom categories is important, ensuring 'critical-application-updates' is evaluated before 'developer-tools'.

2. An organization is migrating services to a hybrid cloud environment and needs to create custom Zone Protection profiles to mitigate specific Layer 2 and Layer 3 attacks targeting their new cloud-connected interfaces. They have identified the following attack vectors:
1 . ARP Spoofing attempts originating from within the trusted internal network segment connected to the firewall's 'trust-zone' interface.
2. IP Spoofing (source IP outside allowed ranges) on their external-facing 'untrust-zone' interface.
3. Fragmented Packet attacks targeting the 'dmz-zone' interface, where a critical web server resides. Which combination of Zone Protection Profiles and their respective settings would address these requirements most effectively and precisely?

A)

B)

C)

D)

E)

3. A critical server application relies on a set of custom web services running on non-standard ports. The security team needs to ensure that these specific web services are protected by comprehensive threat prevention, including WildFire analysis, but without impacting the performance of other high-volume, less critical HTTP/S traffic. The firewall must distinguish between these custom services and standard HTTP/S. Which approach offers the most efficient and secure configuration?

A) Create a service object for each custom port. Define a security policy rule allowing these service objects to the critical server. Apply a Security Profile Group containing Antivirus, Anti-Spyware, Vulnerability Protection, and a WildFire Analysis profile. For standard HTTP/S traffic, apply a separate security policy with a less CPU-intensive Security Profile Group.
B) Define a custom application for each non-standard web service, explicitly identifying its port and application type. Create a dedicated security policy rule for these custom applications, allowing traffic from relevant sources to the critical server. To this rule, attach a Security Profile Group containing Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering (tuned for web services), File Blocking, and a WildFire Analysis profile configured for all file types.
C) Utilize policy-based forwarding (PBF) to direct all traffic destined for the critical server through a dedicated Vwire interface. On this Vwire, apply a zone protection profile and a comprehensive Security Profile Group including WildFire. For other HTTP/S traffic, apply standard security policies.
D) Configure the existing 'web-browsing' application to include the custom non-standard ports within the service object. Create a security policy rule for this modified 'web-browsing' application, allowing it to the critical server. Apply a comprehensive Security Profile Group (with WildFire) to this rule, and then create a separate, less restrictive policy for general HTTP/S traffic.
E) Create a custom application for each specific web service using a signature-based approach or by specifying the application name (e.g., 'web-browsing') with custom ports. Then, create a single security policy rule for all web traffic (HTTP/S and custom services), and apply a comprehensive Security Profile Group (including WildFire) to this rule.

4. You are managing a Palo Alto Networks firewall and need to allow access to an internal SSH server (10.0.5.22, TCP/22) from a specific partner's public IP address (20.20.20.20). However, due to port conflicts, the partner will be connecting to your public IP (203.0.113.50) on an alternate port, TCP/2222. You must configure a Destination NAT policy for this. Additionally, you want to log successful NAT translations and identify the original source and destination IPs, as well as the translated IPs and ports in the traffic logs. Which of the following configurations for the NAT policy and associated logging is correct and most informative?

A) The NAT rule should specify the Source Address as 20.20.20.20 and the Security Rule Destination Address as 203.0.113.50.
B) NAT Rule:
C) NAT Rule:
D) NAT Rule:
E) NAT Rule:

5. Consider a large enterprise with multiple regional data centers and branch offices. They are deploying SD-WAN with Palo Alto Networks firewalls. The security team mandates that all Internet-bound traffic from branch offices must first be inspected by a centralized security stack (e.g., NGFW cluster, SWG) located in Region A Data Center, before exiting to the Internet. However, internal branch-to-branch communication should be routed directly over the optimal SD-WAN path without hair-pinning through a data center. All traffic types have their own application-specific SLA requirements. Which of the following policy constructs are essential and correctly ordered to satisfy these requirements?

A) 1. SD-WAN Policy for Branch-to-Branch: Define internal destinations and apply appropriate application SLAs for direct routing. 2. SD-WAN Policy for Internet- bound traffic: Match destination 'Any', configure 'Data Center Access' pointing to Region A DC as the preferred egress for internet traffic, allowing SD-WAN to select the optimal tunnel based on DC availability and performance. 3. Security Policies: Ensure proper access controls.
B) 1. SD-WAN Policy for Internet-bound traffic: Match destination 'Any', configure 'Egress Interface' to the tunnel to Region A DC, and apply application-specific SLAs. 2. SD-WAN Policy for Branch-to-Branch traffic: Match internal destinations, and apply application-specific SLAs for direct path selection. 3. PBF Rule: Define a PBF rule with higher priority than SD-WAN policies to enforce Internet-bound traffic to the Region A D
C) 1. SD-WAN Policy for Internet-bound traffic: Define destination as 'Any' and egress interface as the tunnel to Region A DC. 2. PBF Rule: Match Internet-bound traffic and explicitly forward to the Region A DC tunnel. 3. SD-WAN Policy for Branch-to-Branch: Define specific internal network destinations and apply application-specific SLAs.
D) 1. PBF Rule: Match branch-to-branch traffic (source branch networks, destination branch networks) and specify 'no-forward' to SD-WAN. 2. SD-WAN Policy for Internet-bound traffic: Match all other traffic, apply application-specific SLAs, and configure 'Data Center Access' to Region A DC for Internet egress. 3. Security Policies: Allow/deny traffic as needed.
E) 1. Policy-Based Forwarding (PBF) Rule: Match internet-bound traffic (destination 'Any', egress interface 'Intemet') and set next-hop to the tunnel interface leading to Region A DC. Set a PBF tag. 2. SD-WAN Policy: Create application-specific policies for branch-to-branch traffic with 'Dynamic Path Selection'. 3. Security Policy: Define security rules for all traffic types.

質問と回答：