Palo Alto Networks Network Security Analyst Sample Questions:
1. A network architect is designing a decryption strategy for outbound traffic, including advanced threat protection. The requirement states that traffic to known malicious sites (categorized by a custom URL category 'Malicious_Domains') must be blocked immediately without decryption, whereas traffic to cloud storage services (e.g., Google Drive, Dropbox) must be decrypted for DLP inspection. All other internet-bound TLS traffic should be decrypted by default, with an emphasis on blocking connections that utilize deprecated SSL/TLS versions or weak ciphers. Assume the following objects exist: 'DLP_Decryption_Profile' (Forward Proxy, strong cipher/protocol requirements), 'No_Decryption_Profile', and 'Block_Profile' (a security profile with action block).
A) Rule 1: Source: Any, Destination: cloud-storage-apps, Service: ssl, Action: Allow, Decryption Profile: DLP_Decryption_Profile. Rule 2: Source: Any, Destination: Malicious_Domains, Service: ssl, Action: Deny. Rule 3: Source: Any, Destination: Any, Service: ssl, Action: Allow, Decryption Profile: DLP_Decryption_Profile.
B) Rule 1: Source: Any, Destination: Malicious_Domains, Service: application-default, Action: Deny. Rule 2: Source: Any, Destination: cloud-storage-apps, Service: application-default, Action: Allow, Decryption Profile: DLP_Decryption_Profile. Rule 3: Source: Any, Destination: Any, Service: application-default, Action: Allow, Decryption Profile: DLP_Decryption_Profile.
C) Rule 1: Source: Any, Destination: cloud-storage-apps, Service: application-default, Action: Allow, Decryption Profile: DLP_Decryption_Profile. Rule 2: Source: Any, Destination: Malicious_Domains, Service: application-default, Action: Deny. Rule 3: Source: Any, Destination: Any, Service: application-default, Action: Allow, Decryption Profile: DLP_Decryption_Profile.
D) Rule 1: Source: Any, Destination: Malicious_Domains, Service: application-default, Action: Deny. Rule 2: Source: Any, Destination: cloud-storage-apps, Service: application-default, Action: Allow, Decryption Profile: No_Decryption_Profile. Rule 3: Source: Any, Destination: Any, Service: application-default, Action: Allow, Decryption Profile:
E) Rule 1: Source: Any, Destination: Malicious_Domains, Service: application-default, Action: Deny. Rule 2: Source: Any, Destination: Any, Service: application-default, Action: Allow, Decryption Profile: DLP_Decryption_Profile. Rule 3: Source: Any, Destination: cloud-storage-apps, Service: application-default, Action: Allow, Decryption Profile: DLP_Decryption_Profile.
2. During a planned maintenance window, a network administrator needs to push a new security policy to a group of Palo Alto Networks firewalls managed by Strata Cloud Manager (SCM). To minimize downtime and ensure consistency, they want to preview the configuration changes and then apply them in a controlled manner. Which sequence of SCM operations is most appropriate for this scenario?
A) Push to Devices -> Monitor Status -> Create Policy -> Commit to Device Group.
B) Monitor Status -> Create Policy -> Push to Devices -> Commit to Device Group.
C) Push to Devices -> Preview Changes -> Commit to Device Group -> Create Policy.
D) Create Policy -> Preview Changes -> Commit to Device Group -> Push to Devices.
E) Create Policy -> Commit to Device Group -> Push to Devices -> Monitor Status.
3. A security operations center (SOC) needs to automate the blocking of IP addresses identified by their SIEM as malicious. They use Palo Alto Networks Panorama for central management. The automation should dynamically update a Block List custom URL category, which is then referenced by a security policy. Which of the following automation workflows using Panorama and its APIs would be the most robust and scalable?
A) The SIEM exports a CSV of malicious IPs. A script on a management server periodically reads this CSV and uses the Panorama CLI to add entries to the custom URL category.
B) A cron job on the Panorama appliance itself executes a script that directly modifies the configuration files based on SIEM alerts.
C) The SIEM triggers a webhook to a Cloud Function. This function uses the Panorama XML API to add new IP addresses to a custom URL category object, followed by a 'commit' and 'push' operation.
D) Manually create a new Security Policy Rule for each malicious IP address identified by the SIEM, then commit and push.
E) Configure all firewalls to forward logs directly to the SIEM, and the SIEM will automatically block malicious IPs without Panorama intervention.
4. An organization is migrating its data to cloud storage platforms like AWS S3 and Azure Blob Storage. They need a security policy that allows upload and download of specific file types (e.g., .docx, .pdf, .xlsx) to and from these cloud storage services, but strictly blocks executable files (.exe, .zip, .rar) and prevents any sensitive data (e.g., credit card numbers, PII) from leaving the network. How would you configure Content-ID profiles to enforce this, considering both upload and download scenarios?
A) Create a File Blocking Profile: Rule 1: 'block' for .exe, .zip, .rar (upload). Rule 2: 'block' for .exe, .zip, .rar (download). Create a Data Filtering Profile with sensitive data patterns, 'block' action for 'upload'. Apply these to the cloud access rule. Add a second Data Filtering Profile with 'block' for 'download' of sensitive data.
B) Create a File Blocking Profile to block .exe, .zip, .rar for 'upload' and 'download'. Create a Data Filtering Profile to block sensitive patterns for 'upload'. Apply these to the cloud access rule.
C) Create a File Blocking Profile with 'block' action for file types .exe, .zip, .rar. Create a Data Filtering Profile with 'block' action for sensitive data patterns. Apply both profiles to the security rule allowing cloud storage access, ensuring directionality (e.g., upload/download) is implicitly handled.
D) Create a File Blocking Profile: Rule 1: 'block' for .exe, .zip, .rar (both upload & download). Rule 2: 'allow' for .docx, .pdf, .xlsx (both upload & download). Create a Data Filtering Profile with sensitive data patterns, 'block' action for 'upload' and 'download'. Apply both to the cloud access rule.
E) Create a File Blocking Profile: Rule for 'upload': block .exe, .zip, .rar. Rule for 'download': block .exe, .zip, .rar. Create a Data Filtering Profile: Rule for 'upload': block sensitive patterns. Rule for 'download': block sensitive patterns. Apply these combined profiles to the security policy rule allowing access to AWS S3 and Azure Blob. Also, ensure a WildFire Analysis Profile is applied.
5. Consider a large enterprise using Panorama for managing over 500 Palo Alto Networks firewalls. The security operations team frequently needs to deploy emergency security policy updates, which involve adding new URL filtering categories and threat prevention profiles to a subset of firewalls. Due to the critical nature, these updates must be atomic and reversible. Which of the following strategies, leveraging Panorama's folder and snippet capabilities, would best meet these requirements while minimizing downtime and human error?
A) Create a new 'Emergency Policies' folder at a lower hierarchical level. Place the emergency policies within this folder and push. To revert, disable or delete the policies within this folder and re-push. This approach can utilize a 'pre-rule' or 'post-rule' structure within the device group.
B) Use a Python script with the Panorama API to programmatically add and remove the emergency policies. Store the policy definitions as code (snippets) in a version control system.
C) Manually create new policy rules in each affected Device Group and then commit and push. To revert, manually remove them.
D) Create a 'Shared Emergency Snippet' containing the required URL filtering and threat profiles. Apply this snippet to the relevant Device Groups as a 'Shared' policy rule. To revert, remove the shared snippet reference from the policy rule.
E) Export the configuration of affected firewalls, modify the XML to include the emergency rules, and re-import. To revert, re-import the original XML.
Solutions:
Question # 1 Answer: B | Question # 2 Answer: D | Question # 3 Answer: C | Question # 4 Answer: E | Question # 5 Answer: A,B