Free NetSec-Generalist Exam Braindumps (page: 5)


Which two components of a Security policy, when configured, allow third-party contractors access to internal applications outside business hours? (Choose two.)

  A. User-ID
  B. Schedule
  C. Service
  D. App-ID

Answer(s): A,B

Explanation:

To allow third-party contractors access to internal applications outside business hours, the Security Policy must include:

User-ID

Identifies specific users (e.g., third-party contractors) and applies access rules accordingly.

Ensures that only authenticated users from the contractor group receive access.

Schedule

Specifies the allowed access time frame (e.g., outside business hours: 6 PM - 6 AM).

Ensures that contractors can only access applications during designated off-hours.

Why the Other Options Are Incorrect

C) Service

Incorrect, because Service defines ports and protocols, not user identity or time-based access control.

D) App-ID

Incorrect, because App-ID identifies and classifies applications, but does not restrict access based on user identity or time.

Reference to Firewall Deployment and Security Features:

Firewall Deployment - Ensures contractors access internal applications securely via User-ID and Schedule.

Security Policies - Implements granular time-based and identity-based access control.

VPN Configurations - Third-party contractors may access applications through GlobalProtect VPN.

Threat Prevention - Reduces attack risks by limiting access windows for third-party users.

WildFire Integration - Ensures downloaded contractor files are scanned for threats.

Zero Trust Architectures - Supports least-privilege access based on user identity and time restrictions.

Thus, the correct answers are:
A) User-ID
B) Schedule



Which two policies in Strata Cloud Manager (SCM) will ensure the personal data of employees remains private while enabling decryption for mobile users in Prisma Access? (Choose two.)

  A. SSH Decryption
  B. SSL Inbound Inspection
  C. SSL Forward Proxy
  D. No Decryption

Answer(s): C,D

Explanation:

In Strata Cloud Manager (SCM), policies need to balance privacy while ensuring secure decryption for mobile users in Prisma Access. The correct approach involves:

SSL Forward Proxy (C) - Enables decryption of outbound SSL traffic, allowing security inspection while ensuring unauthorized data does not leave the network.

No Decryption (D) - Excludes personal data from being decrypted, ensuring compliance with privacy regulations (e.g., GDPR, HIPAA) and protecting sensitive employee information.

Why These Two Policies

SSL Forward Proxy (C)

Decrypts outbound SSL traffic from mobile users.

Inspects traffic for malware, data exfiltration, and compliance violations.

Ensures corporate security policies are enforced on user traffic.

No Decryption (D)

Ensures privacy-sensitive traffic (e.g., online banking, healthcare portals) remains untouched.

Exclusions can be defined based on categories, user groups, or destinations.

Helps maintain regulatory compliance while still securing other traffic.

Other Answer Choices Analysis

(A) SSH Decryption - Not relevant in this context, as SSH traffic is typically used for administrative access rather than mobile user web browsing.

(B) SSL Inbound Inspection - Used for inbound traffic to company-hosted servers, not for securing outbound traffic from mobile users.

Reference and Justification:

Firewall Deployment - SSL Forward Proxy enables traffic visibility; No Decryption protects privacy.

Security Policies - Define what traffic should or should not be decrypted.

Threat Prevention & WildFire - Decryption helps detect hidden threats while excluding sensitive personal data.

Zero Trust Architectures - Ensure least-privilege access while maintaining privacy compliance.

Thus, SSL Forward Proxy (C) and No Decryption (D) are the correct answers, as they balance security and privacy for mobile users in Prisma Access.



Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events?

  A. Dynamic Address Groups
  B. Dynamic User Groups
  C. Predefined IP addresses
  D. Address objects

Answer(s): A

Explanation:

A Dynamic Address Group (DAG) is a firewall object whose membership updates automatically as the attributes (tags) of devices, servers, or endpoints change, so the Security policy rules that reference the group adapt without being edited. This allows engineers to simplify rule creation and ensure policies remain up to date without manual intervention.

Why Dynamic Address Groups

Automatically Adapts to Changes

DAGs use log events, tags, and attributes to dynamically update firewall rules.

If a server role changes (e.g., a web server becomes an application server), it is automatically placed in the correct security rule without requiring manual updates.

Simplifies Rule Creation

Instead of manually defining static IP addresses, engineers use logical groupings based on metadata, such as VM tags, cloud attributes, or user roles.

Ensures policies remain accurate even when IP addresses or security postures change.

Other Answer Choices Analysis

(B) Dynamic User Groups - Control policies based on user identity, not server roles or log-based attributes.

(C) Predefined IP Addresses - Static and do not adapt to infrastructure changes.

(D) Address Objects - Manually defined and do not dynamically adjust based on log events or security posture.

Reference and Justification:

Firewall Deployment - DAGs help dynamically assign security policies based on real-time data.

Security Policies - Automatically apply the correct rules based on changing attributes.

Threat Prevention & WildFire - Ensure that compromised systems are automatically placed under restrictive security policies.

Panorama - DAGs are managed centrally, ensuring uniform policy enforcement across multiple firewalls.

Zero Trust Architectures - Dynamic adaptation ensures least-privilege access enforcement as environments change.

Thus, Dynamic Address Groups (A) is the correct answer, as it simplifies rule creation and ensures automatic adaptation to changes in server roles or security posture.



Which two tools can be used to configure Cloud NGFWs for AWS? (Choose two.)

  A. Cortex XSIAM
  B. Cloud service provider's management console
  C. Prisma Cloud management console
  D. Panorama

Answer(s): B,D

Explanation:

Cloud NGFW for AWS is a managed next-generation firewall service provided by Palo Alto Networks, designed to secure AWS environments. It can be configured using two primary tools:

Cloud Service Provider's Management Console (AWS Console)

AWS users can deploy and manage Cloud NGFW for AWS directly from the AWS Marketplace or AWS Management Console.

The AWS console allows integration with AWS native services, such as VPCs, security groups, and IAM policies.

Panorama

Panorama provides centralized policy and configuration management for Cloud NGFW instances deployed across AWS.

It enables consistent security policy enforcement, log aggregation, and seamless integration with on-premises and multi-cloud firewalls.

Why the Other Options Are Incorrect

A) Cortex XSIAM

Incorrect, because Cortex XSIAM is an AI-driven security operations platform, not a tool for Cloud NGFW configuration.

It focuses on SOC automation, threat detection, and response rather than firewall policy management.

C) Prisma Cloud Management Console

Incorrect, because Prisma Cloud is designed for cloud security posture management (CSPM) and compliance.

While Prisma Cloud monitors security risks in AWS, it does not configure or manage Cloud NGFW policies.

Reference to Firewall Deployment and Security Features:

Firewall Deployment - Cloud NGFW integrates with AWS network architecture.

Security Policies - Panorama enforces security policies across AWS workloads.

VPN Configurations - Cloud NGFW supports AWS-based VPN traffic inspection.

Threat Prevention - Protects AWS workloads from malware, exploits, and network threats.

WildFire Integration - Detects unknown threats within AWS environments.

Zero Trust Architectures - Secures AWS cloud workloads using Zero Trust principles.

Thus, the correct answers are:
B) Cloud service provider's management console
D) Panorama
