Palo Alto Networks Network Security Architect Sample Questions:

1. An organization wants to reduce attack surface by allowing only sanctioned applications while blocking unknown traffic. What is the BEST approach?

A) Allow all and monitor logs
B) Use App-ID with allow-list policy
C) Use only antivirus profiles
D) Block all ports except 80/443

2. A global manufacturing organization has a strategic plan for rapid growth through mergers and acquisitions Several components the organization has purchased are deemed large deployments with existing IP address schemas and allocations that conflict with the parent organization. The manufacturing organization needs access to the resources before a re-IP initiative can be completed.
All of the deployments include a variety of IoT devices Leadership requires protection of vulnerable assets and identification of any known CVEs associated with the IoT devices. The governance, risk and compliance (GRC) team requires comprehensive non-repudiable logs to identify all IoT devices reporting "Critical (9 0+) CVE scores" for mandatory remediation.
Throughput needs to exceed the current 1 Gbps trending rate, and with expected growth will soon scale to 5 Gbps.
Segmentation is a mandatory requirement with enclaves based on region, device type, and function.
Which architectural component ensures the IoT storage, integrity, and non-repudiation of this granular risk data for auditing purposes?

A) Panorama log collector using its local database with a 90-day retention policy
B) NGFW's session table, which is encrypted with the master key
C) GlobalProtect agent to collect device posture and to locally log all critical CVE scores
D) Strata Logging Service for cloud storage of the security logs and device telemetry

3. An organization has a directive to adopt a Zero Trust framework focused on using identity and role-based access groups, device security and content inspection across all Security policies. To achieve this goal, an Enterprise License Agreement (ELA) was purchased, including Advanced Threat Prevention, IoT Security, and GlobalProtect.
The current security architecture uses Panorama to manage 60 NGFWs - a mix of PA-3240, PA-1410, and PA-440. Sites with PA-3240s host private application resources in the trust data center zone All sites have an untrust zone for internet access and a users zone for managed and unmanaged endpoint devices. A transit mesh zone exists to establish site-to-site connectivity through PAN-OS SD-WAN.
Privately hosted applications include web servers, SMB and NFS file servers and hosted Active Directory. The organization is in the process of adopting group mapping restrictions to these private applications, with daily additions of groups. It is also planning to build AI applications to assist the data teams with complex queries that will be hosted in the large offices containing data centers and is exploring hosting in the public cloud.
The organization uses on-premises Exchange, Dropbox, Zoom, and ChatGPT. There are a number of shadow SaaS applications that require further investigation. Users have been using Google Drive to upload confidential files within the organization by using their personal logins.
IoT devices on the network are associated on their own VLAN on the users zone. Using Device Security, all IoT devices have been categorized by asset profiles with medium or high confidence, policy sets imported into Panorama, and a default deny applied to the IoT networks.
The organization has rolled out SSL decryption and is using URL categorization for the majority of content filtering. Malicious categories, unknown and high-risk websites are blocked, with the remainder of sites set to alert.
Which action should the architect recommend to restrict the confidential file exfiltration present in the organization's environment using existing technology?

A) In Prisma Browser create an access security rule and a data security rule preventing file-upload unsanctioned file-sharing applications
B) Using App-ID, create a policy denying google- drive-web-upload
C) Using SaaS Security, enable tenant restrictions, preventing personal logins from using unsanctioned applications
D) Using Enterprise DLP, create custom data patterns notifying confidential data, and block the custom data pattern from being uploaded

4. An organization plans to deploy a full SASE architecture consisting of Prisma SD-WAN IONs at branches and data centers alongside Prisma Access remote networks, service connections, and mobile users. The business office team requires that traffic from global remote offices to public cloud is of highest criticality, and this traffic should have the greatest service-level agreement (SLA) and QoS priority while still maintaining a balance of threat inspection. Which recommendation should the architect make to provide the lowest latency, highest throughput, and greatest resilience for the applications?

A) Prisma SD-WAN ION deployed at both branch and private data center with a direct private link between the private data center and the public cloud provider
B) Prisma Access Agent or a PAC file explicit proxy configuration connecting the end user devices directly to Prisma Access with a service connection to the public cloud provider
C) Prisma SD-WAN IONs deployed within the cloud environment using BGP-to-peer to the internal route tables of the application
D) Prisma Access remote networks with service connections directly to the cloud environment using IPSec and either static or dynamic routing

5. A security architect needs to design a log collection architecture for a large organization with hundreds of firewalls distributed across multiple geographic regions. The primary requirement is to ensure that if a single Log Collector in any region fails, logs from the firewalls in that region will automatically be sent to another available Log Collector without manual intervention. What is the recommended Panorama feature to achieve this level of log collection resilience?

A) Log Collector Group for each geographic region
B) Load balancer to distribute logs across all Log Collectors
C) Storage capacity increase on each individual Log Collector
D) Log Collectors deployed in a high availability (HA) pair

Solutions: