Palo Alto Networks Network Security Analyst - NetSec-Analyst 模擬練習

A. Palo Alto Networks GlobaIProtect Cloud Service (GPCS) for all traffic, with no firewalls.

B. VM-Series firewalls in each cloud, managed individually, forwarding logs to a central syslog server.

C. Individual firewall UIs for management, Splunk for logging, and manual threat intelligence updates.

D. Panorama (on-premise), local log collectors, and external threat feeds.

E. Cloud-managed Panorama, Strata Logging Service, and Advanced Threat Prevention (ATP) subscriptions.

A. On Panorama, create a 'Template Stack' for each regional hub. Within each stack, define an SD-WAN profile with an SD-WAN policy rule for 'Global_Sync'. This rule should use 'Best Quality' path selection, and the associated 'Path Monitoring' profile for each link must be configured to measure latency accurately.

B. Configure 'VPN Monitoring' on all inter-regional VPN tunnels. Use 'Policy Based Forwarding' (PBF) rules with 'Link State Tracking' to route 'Global_Sync' traffic over the active VPN tunnel with the lowest latency. Apply QOS profiles directly on the PBF rules.

C. At the Panorama Device Group level, create an SD-WAN profile containing an SD-WAN policy rule for 'Global_Sync'. Set its path selection to 'Best Quality' or 'Performance-Based' (with latency-focused SLA). Ensure all relevant inter-regional interfaces/tunnels are included in the 'Path Monitoring' profile, and apply 'QOS profiles' specifically for 'Global_Sync' application.

D. Define a global 'SD-WAN profile' at the Panorama 'Device Group' level, and within it, an SD-WAN policy rule for 'Global_Sync' using 'Performance-Based' path selection. Create a 'Path Quality' profile with very low latency thresholds. For bandwidth, apply QOS policies on the interfaces involved.

E. Implement an 'SD-WAN profile' on Panorama that includes 'Path Monitoring' for all inter-regional links. Define a single SD-WAN policy rule for 'Global_Sync' with 'Best Quality' path selection. Leverage 'Shared Gateways' and 'SD-WAN Hub' configurations for inter-region connectivity. QOS policies would manage bandwidth.

A. The custom App-ID 'custom_ssh_app' is incorrectly defined and is not identifying the traffic as SSH. The solution is to redefine the custom App-ID to accurately match the SSH handshake on port 2222.

B. The issue is with Application Override. The firewall is incorrectly overriding the custom App-ID with the default 'ssh' App-I The solution is to remove any Application Override rules that might conflict with this custom application.

C. The firewall is correctly identifying the traffic as standard SSH (App-ID: ssh) despite the custom port. The solution is to modify the allowing rule to explicitly allow 'ssh' application and 'tcp/2222' as the service.

D. The security policy rule for 'custom_ssh_app' has a lower priority than a generic 'deny all SSH' rule. The solution is to move the 'custom_ssh_app' rule to a higher priority.

E. The traffic is being identified as 'application-incomplete' before the custom App-ID can classify it. The solution is to allow 'application-incomplete' for the destination IP, then refine the rule.

A. Create a new 'IoT Security Profile' object, enable 'Device Identification' for MQTT, configure a custom 'IoT Policy Rule' to permit MQTT traffic based on device attributes identified by the NGFW, and utilize 'Device Group' segmentation.

B. Rely solely on network segmentation (VLANs) to isolate IoT devices, with no specific application or device-aware security policies.

C. Deploy a dedicated IoT gateway for all sensor traffic, configure static NAT for each sensor, and apply a standard 'Antivirus' and 'Anti-Spyware' profile to the gateway's outbound traffic.

D. Use GlobalProtect VPN to secure each individual sensor's connection to the corporate network, requiring pre-shared keys for authentication.

E. Implement a custom URL filtering profile to block all non-MQTT traffic and apply a default Security Policy for all IoT zones.

A. Configure a custom Antivirus signature to bypass scanning for these specific files.

B. Adjust the WildFire analysis profile's thresholds to be less aggressive for executable files.

C. Submit the quarantined files to WildFire for re-analysis, categorizing them as 'benign' and requesting a new verdict.

D. Disable WildFire analysis for all internal traffic to prevent further quarantines.

E. Create a new security policy rule to explicitly allow the download of these specific files.

A. Restart the management server process on the firewall.

B. Clear old log files and unnecessary configurations to free up disk space, then retry the upgrade.

C. Check the hardware health of the firewall, specifically the RAM modules.

D. Downgrade to an older, smaller firmware version that might fit.

E. Verify network connectivity to the update server and retry the download.

A. Critical Data Point: 'source-user' and 'destination-ipt (as directly available fields from the incident object). API Operation:

B. Critical Data Point: 'user' (from incident context) and 'destination' (from incident context). API Operation:

C. Critical Data Point: 'src' (from log data within incident) and 'dst' (from log data within incident). API Operation:

D. Critical Data Point: 'incident-id' and 'log-entry-count'. API Operation:

E. Critical Data Point: 'threat-id'. API Operation:

A. The 'path-quality-profiles' are correctly defined, but 'Rule_1' is too generic. A new SD-WAN policy rule specifically for 'VoIP' is required, linked to the 'High_Quality_Voice' profile, and positioned at a higher priority.

B. The 'Rule_1' entry needs to be modified to specify 'application: VoIP' and its 'path-selection' changed to reference 'High_Quality_Voice' for performance-based routing.

C. The template is missing the definition of 'Path Monitoring' profiles, which are essential for the 'path-quality-profiles' to gather real-time link metrics.

D. The 'High_Quality_Voice' profile needs to be applied to specific interfaces or zones for it to take effect, which is not shown in this SD-WAN profile snippet.

E. While 'High_Quality_Voice' defines performance thresholds, it does not explicitly define which links or paths are preferred for an application, only what constitutes 'high quality'.

A. Source Zone: Internal, Source Address: Corporate_Laptop_lP_Range, Source User: Finance_AD_Group, Destination Zone: Internal, Destination Address: Internal_ERP Server_lP, Application: tcp/8443, Service: application-default, Action: allow.

B. Source Zone: Internal, Source Address: any, Source User: Finance_AD_Group, Source Hip Profile: Corporate_Laptops_HlP, Destination Zone: Internal, Destination Address: Internal_ERP Server_lP, Application: Internal_ERP_App_lD (custom), Service: application-default, Action: allow.

C. Source Zone: Internal, Source Address: any, Source User: any, Destination Zone: Internal, Destination Address: Internal_ERP_Server_lP, Application: Internal_ERP_App_lD (custom), Service: tcp/8443, Action: allow, coupled with a GlobalProtect HIP match policy on the gateway.

D. Source Zone: Internal, Source Address: any, Source User: Finance_AD_Group, Source User-ID Agent: All, Destination Zone: Internal, Destination Address: Internal_ERP_Server_lP, Application: Internal_ERP_App_lD (custom), Service: application-default, Action: allow, User-ID setup for Finance_AD_Group.

E. Source Zone: Internal, Source Address: any, Source User: Finance_AD_Group, Destination Zone: Internal, Destination Address: Internal_ERP_Server_lP, Application: any, Service: tcp/8443, Action: allow.

A. Certificate validation failure between the GlobalProtect client and the gateway, preventing session establishment beyond the initial handshake.

B. Incorrect source NAT configuration on the GlobalProtect security policy and a missing security zone for the VPN tunnel interface.

C. The 'tunnel interface' for GlobalProtect is incorrectly assigned to a virtual router that does not have routes to the internal networks.

D. Missing or incorrect security policy rules allowing traffic from the GlobalProtect tunnel zone to internal zones, combined with a 'Service: application-default' setting that is preventing proper App-ID classification initially.

E. The GlobalProtect gateway is configured for SSL VPN but the client is attempting to connect via IPsec, leading to protocol mismatch and decryption failure.

A. Implementing separate SCM instances for each customer to ensure physical isolation.

B. Utilizing a single SCM instance and relying solely on Application-ID for traffic segmentation.

C. Configuring SD-WAN overlays to segment customer traffic at the network layer.

D. Leveraging SCM's Device Groups for logical separation, combined with granular Role-Based Access Control (RBAC) and explicit permissions per device group.

E. Distributing management tasks to on-premise Panorama instances for each customer.

A. The branch office firewall's local proxy ID or remote proxy ID configuration is incorrect for the main data center's subnets.

B. An upstream ISP routing change or BGP flap on the branch office's internet connection is intermittently black-holing traffic destined for the main data center's public IP address.

C. The 'security-zone' configuration on the tunnel interface on either end of the VPN has been changed or removed, breaking policy enforcement.

D. The pre-shared key (PSK) on one end of the VPN tunnel has been changed, leading to decryption failures.

E. A duplicate IP address conflict exists on the branch office network, causing routing instability.

A. Create two separate 'Path Monitoring' profiles on BR-FW, one for the MPLS tunnel and one for the IPsec tunnel. Configure a 'Path Quality' profile for App-OnPrem that references the MPLS path monitor with an SLA. For App-AWS, a different SD-WAN rule should explicitly route traffic over the internet-based tunnel.

B. On the BR-FW, configure an SD-WAN profile. For App-OnPrem, create a policy rule using 'Link Quality' path selection, specifying the MPLS tunnel as preferred with relevant thresholds. For App-AWS, create a separate policy rule using 'Load Balancing' with 'Session Distribution' across the internet-facing interfaces only.

C. On the BR-FW, define an SD-WAN profile with two SD-WAN policy rules: one for App-OnPrem with a 'Performance-Based' path selection profile prioritizing the MPLS tunnel, and another rule for App-AWS with a 'Performance-Based' path selection profile explicitly excluding the MPLS tunnel.

D. On the BR-FW, define an SD-WAN profile. For App-OnPrem, use a 'Performance-Based' rule with a 'Path Quality' profile. For App-AWS, use a 'Best Quality' rule, ensuring that the Path Monitoring for the MPLS link is configured with very high latency/jitter to effectively 'down-prioritize' it for App-AWS traffic.

E. On the BR-FW, create an SD-WAN policy rule for App-OnPrem, utilizing a 'Performance-Based' path selection with a 'Path Quality' profile and an explicit preferred path set to the MPLS tunnel. For App-AWS, create a separate SD-WAN policy rule with 'Performance-Based' path selection, and ensure the MPLS tunnel is NOT included in the 'Applicable Paths' for this rule.

A. 1. Create a Security Policy rule: Source Zone: DMZ, Destination Zone: Untrust, Source Address: 10.1.1.100, Destination Address: api.example.com, Application: web-browsing, ssl, Action: Allow, NAT Tab: Source NAT Type: Static IP, Translated Address: 203.0.113.50.2. Ensure a default route exists via ethernet1/4 with a lower metric than the default route via ethernet1/1 .

B. 1. Create a PBF rule: Source Zone: DMZ, Source Address: 10.1 .1.100, Destination Address: (Resolved IPs for api.example.com), Egress Interface: ethernet1/4, Next Hop: (ISP Gateway for ethernet1/4), Action: Forward. 2. Create a Security Policy rule: Source Zone: DMZ, Destination Zone: Untrust, Source Address: 10.1.1.100, Destination Address: (Resolved IPs for api.example.com), Application: web-browsing, ssl, Action: Allow, NAT Tab: Source NAT Type: Dynamic IP and Port, Interface: ethernet1/4.

C. 1. Create a PBF rule: Source Zone: DMZ, Source Address: 10.1 .1.100, Destination FQDN: api.example.com, Egress Interface: ethernet1/4, Next Hop: (ISP Gateway for ethernet1/4), Action: Forward. 2. Create a Security Policy rule: Source Zone: DMZ, Destination Zone: Untrust, Source Address: 10.1.1.100, Destination Address: api.example.com, Application: web-browsing, ssl, Action: Allow, NAT Tab: Source NAT Type: Dynamic IP and Port, Interface: ethernet1/4, IP Address: 203.0.113.50.

D. 1. Create a PBF rule: Source Zone: DMZ, Source Address: 10.1.1.100, Destination FQDN: api.example.com, Egress Interface: ethernet1/4, Next Hop: (ISP Gateway for ethernet1/4), Action: Forward. 2. Create a NAT Policy rule: Source Zone: DMZ, Destination Zone: Untrust, Source Address: 10.1.1.100, Destination Address: (Resolved IPs for api.example.com), Service: any, Translated Packet Source Address Type: Dynamic IP and Port, Interface: ethernet1/4, IP Address: 203.0.113.50.

E. 1. Create a PBF rule: Source Zone: DMZ, Source Address: 10.1.1.100, Destination FQDN: api.example.com, Egress Interface: ethernet1/4, Next Hop: (ISP Gateway for ethernet1/4), Action: Forward. 2. Create a NAT Policy rule: Source Zone: DMZ, Destination Zone: Untrust, Source Address: 10.1.1.100, Destination Address: any, Service: any, Translated Packet Source Address Type: Static IP, Translated Address: 203.0.113.50, Egress Interface: ethernet1/4.

A.

B.

C.

D.

E. The

A. Create a 'File Blocking' profile: Rule 1: 'Direction: upload', 'File Type: exe, msi, dll', 'Action: Block'. Rule 2: 'Direction: upload', 'File Type: zip, rar', 'Action: Block'. Apply this profile to an outbound security policy for URL category 'cloud-storage'. Also enable 'WildFire Analysis' on the same policy for all file types.

B. Create a 'Data Filtering' profile with predefined patterns for executables and archives. Create a 'File Blocking' profile to block 'exe, msi, dll, zip, rar' on upload. Apply both to the outbound security policy for cloud storage, ensuring the 'Data Filtering' profile's action is 'Block'.

C. Configure a 'Security Policy' rule with 'Source Zone: internal', 'Destination Zone: external', 'URL Category: cloud-storage', 'Action: Allow'. Within this rule, apply a 'File Blocking' profile with a rule for 'upload' of 'exe, msi, dll' and 'Action: block' if not 'WildFire Verdict: benign'. Also, apply a 'Data Filtering' profile with a 'Nested File Blocking' rule to detect executables within archives and block.

D. Create a 'WildFire Analysis' profile: Set 'Analysis: all' for relevant zones. Create a 'File Blocking' profile: Rule 1: 'Direction: upload', 'File Type: exe, msi, dll', 'Action: Allow' with 'WildFire Action: Continue and wait for result'. Rule 2: 'Direction: upload', 'File Type: zip, rar', 'Action: Block'. Apply both to the security policy for 'cloud-storage' URL category.

E. Create a 'File Blocking' profile: Rule 1: 'Direction: upload', 'File Type: exe, msi, dll', 'Action: Continue' with 'WildFire Action: Block'. Rule 2: 'Direction: upload', 'File Type: zip, rar', 'Action: Block'. Ensure 'WildFire Analysis' is enabled on the security policy for these file types. The 'Block' for archives prevents nested executables without explicit nested file inspection by WildFire.