NetSec-Analyst 無料問題集「Palo Alto Networks Network Security Analyst」

（A）1. Command Center: 'Threat Activity' and 'Network Activity' dashboards for real-time anomalous traffic. 2. Use dynamic filters in Command Center to pinpoint source/destination IPs, users, and applications. 3. Implement External Dynamic Lists (EDLs) or a custom Anti-Spyware profile for rapid IPIURL blocking. 4. Create Security Policy rules to quarantine infected hosts (e.g., move to a quarantine zone or block all traffic).

（B）1. Command Center: Focus on 'Application Usage' dashboard to detect new applications. 2. Manually configure a URL filtering profile to block suspicious websites. 3. Isolate the network segment.

（C）1. Command Center: 'Network Activity' dashboard filtered for high session count. 2. Activity Insights: Review 'Top Applications' for anomalies. 3. Policy Optimizer: Create a new 'Deny' rule for the suspicious application.

（D）1. Review firewall logs for 'deny' entries. 2. Use Wireshark on affected hosts for packet capture. 3. Manually update security policies on each firewall.

（E）1. Activity Insights: Generate 'User Activity' reports for suspicious logins. 2. Policy Optimizer: Recommend rules to block specific user activity. 3. Manually block user accounts.

（A）Define dedicated security policy rules for administrative access: 1. 'Allow Admin_Access': Source Zone (Admin_Workstations), Source User Group (IT_Admins), Destination Zone (Server_lnfrastructure), Destination Port (22, 3389, 443), Action: Allow, Log at Session End. Attach an 'Alert Profile' to this rule configured to generate 'low' severity alerts for 'session-start'. 2. 'Deny_Unauthorized_Admin_Access': Source Zone (Any), Destination Zone (Server_lnfrastructure), Destination Port (22, 3389, 443), Action: Deny, Log at Session End. Attach an 'Alert Profile' to this rule configured to generate 'critical' severity alerts for 'session-end' (denial). Ensure rule 1 is above rule 2.

（B）Configure 'Policy Based Forwarding' (PBF) to redirect all administrative traffic to a dedicated logging server, then use a SIEM to analyze logs and generate alerts based on custom rules. This offloads alerting from the firewall and Incidents page.

（C）Create a security policy rule allowing administrative access from specific source zones/groups to destination administrative zones/servers, with 'Application: ssl, ssh, rdp', and an 'Action: allow-log'. Create a separate 'deny' rule below it for the same traffic, and set the 'Action: deny' with an 'alert profile' configured to generate critical alerts for denied connections. Successful connections will be logged, and denied connections will generate critical alerts.

（D）Utilize 'Security Groups' and 'Dynamic Address Groups' to enforce micro-segmentation. For administrative access, create a policy allowing specific security groups to specific dynamic address groups. Rely on default logging and alerts, and review logs daily for anomalies.

（E）Implement an Authentication Policy to challenge all administrative access attempts. Configure an 'Authentication Profile' with 'Action: allow' for authorized users, and a 'fall-back' action of 'deny' with 'logging enabled'. Leverage 'User-ID' for granular user-based policies. This covers access control but not necessarily distinct alert severities for allowed/denied.

（A）The 'Application' and 'Service' fields in the 'Finance_API_Route' rule should be more specific (e.g., 'web-browsing', 'ssl') to match API traffic accurately.

（B）The PBF rules are processed after security policy rules, causing the default security policy to take precedence for API traffic.

（C）PBF rules only apply to inter-zone traffic; intra-zone traffic destined for external IPs will bypass PBF.

（D）The 'Destination Zone' in both PBF rules should be explicitly set to 'any' instead of 'Untrust' for external destinations.

（E）The 'Finance_Default_Route' rule is placed above the 'Finance_API_Route' rule in the PBF policy rulebase.

（A）Use a script to parse all firewall configurations, normalize object names, and push only unique objects to the 'Shared' folder. For conflicting names, create a custom script that injects the correct object value directly into the firewall's configuration via API post-commit.

（B）Import all configurations, then manually identify duplicate address objects and move them to the 'Shared' folder. For objects with the same name but different values, rename them uniquely before moving to 'Shared'.

（C）Implement 'Variables' or 'Templates' (if available in a future Panorama version) to define object values dynamically based on the device group context, allowing a single object name to resolve to different values depending on the firewall.

（D）Automate the import process. If an object name conflicts with a 'Shared' object during import, the import should fail for that object, requiring manual resolution. For unique regional objects, create them within their respective regional Device Group folders.

（E）Create common, identical objects in the 'Shared' folder. For objects with the same name but different values, define them at the specific Device Group level where they are unique, allowing the local definition to override the 'Shared' one if a conflicting name exists.

（A）At the Panorama Device Group level, create an SD-WAN profile containing an SD-WAN policy rule for 'Global_Sync'. Set its path selection to 'Best Quality' or 'Performance-Based' (with latency-focused SLA). Ensure all relevant inter-regional interfaces/tunnels are included in the 'Path Monitoring' profile, and apply 'QOS profiles' specifically for 'Global_Sync' application.

（B）Implement an 'SD-WAN profile' on Panorama that includes 'Path Monitoring' for all inter-regional links. Define a single SD-WAN policy rule for 'Global_Sync' with 'Best Quality' path selection. Leverage 'Shared Gateways' and 'SD-WAN Hub' configurations for inter-region connectivity. QOS policies would manage bandwidth.

（C）Configure 'VPN Monitoring' on all inter-regional VPN tunnels. Use 'Policy Based Forwarding' (PBF) rules with 'Link State Tracking' to route 'Global_Sync' traffic over the active VPN tunnel with the lowest latency. Apply QOS profiles directly on the PBF rules.

（D）On Panorama, create a 'Template Stack' for each regional hub. Within each stack, define an SD-WAN profile with an SD-WAN policy rule for 'Global_Sync'. This rule should use 'Best Quality' path selection, and the associated 'Path Monitoring' profile for each link must be configured to measure latency accurately.

（E）Define a global 'SD-WAN profile' at the Panorama 'Device Group' level, and within it, an SD-WAN policy rule for 'Global_Sync' using 'Performance-Based' path selection. Create a 'Path Quality' profile with very low latency thresholds. For bandwidth, apply QOS policies on the interfaces involved.

（A）Create two Security Policy rules. Rule 1 (higher priority): Source Zone: Trust, Source Address: any, Source User: any, Source HIP Profile: AV_UpToDate_Running_Agent, Destination Zone: Trust, Destination Address: Sensitive_SharePoint_lP, Application: sharepoint-base, Action: allow. Rule 2 (lower priority): Source Zone: Trust, Source Address: any, Source User: any, Destination Zone: Trust, Destination Address: any, Application: any, Action: allow.

（B）Create a single Security Policy rule: Source Zone: Trust, Source Address: any, Source User: any, Source HIP Profile: AV_UpToDate_Running_Agent, Destination Zone: Trust, Destination Address: Sensitive_SharePoint_lP, Application: sharepoint-base, Action: allow. All other traffic is implicitly allowed.

（C）Create three Security Policy rules. Rule 1 (highest priority): Source Zone: Trust, Source Address: any, Source User: any, Source HIP Profile: AV UpToDate_Running_Agent, Destination Zone: Trust, Destination Address: Sensitive_SharePoint_lP, Application: sharepoint-base, Action: allow. Rule 2 (middle priority): Source Zone: Trust, Source Address: any, Source User: any, Destination Zone: Trust, Destination Address: any, Application: any, Action: allow. Rule 3 (lowest priority): Source Zone: Trust, Source Address: any, Source User: any, Destination Zone: Trust, Destination Address: Sensitive_SharePoint_lP, Application: sharepoint-base, Action: deny (implicit). This strategy is flawed.

（D）Create two Security Policy rules. Rule 1 (higher priority): Source Zone: Trust, Source Address: any, Source User: any, Source HIP Profile: AV_UpToDate_Running_Agent, Destination Zone: Trust, Destination Address: Sensitive_SharePoint_lP, Application: sharepoint-base, Action: allow. Rule 2 (lower priority): Source Zone: Trust, Source Address: any, Source IJser: any, Destination Zone: Trust, Destination Address: NOT Sensitive_SharePoint_lP, Application: any, Action: allow.

（E）Create two Security Policy rules. Rule 1 (higher priority): Source Zone: Trust, Source Address: any, Source User: any, Source HIP Profile: AV UpToDate_Running_Agent, Destination Zone: Trust, Destination Address: Sensitive_SharePoint_lP, Application: sharepoint-base, Action: allow. Rule 2 (lower priority): Source Zone: Trust, Source Address: any, Source User: any, Source HIP Profile: NOT AV_UpToDate_Running_Agent, Destination Zone: Trust, Destination Address: Sensitive_SharePoint_lP, Application: sharepoint-base, Action: deny. Subsequent rules would then allow other internal access.

（A）The cloud storage upload will be allowed with no alert, and the email will be allowed with an alert.

（B）Both the cloud storage upload and the email will be allowed, and no alerts will be generated.

（C）The cloud storage upload will be blocked, and the email will be allowed with an alert.

（D）The cloud storage upload will be allowed with an alert, and the email will be blocked.

（E）Both the cloud storage upload and the email will be blocked due to PII detection.

（A）The EDR solution sends syslog messages to a SIEM. The SIEM then sends API calls to Panorama to create or modify 'Dynamic Address Groups' based on device posture tags. GlobalProtect policies reference these DAGs. An example DAG filter might be: '(tag eq 'compliance-failed')' which is then used in a security policy: '(source-user is 'any') AND (source is 'DAG_Compliance_FaiIed') THEN (action is 'block'V

（B）Configure the EDR solution to export device posture to a CSV file. Manually upload this CSV to Panorama regularly to update custom address objects that are then used in GlobalProtect policies.

（C）Directly configure the GlobalProtect Gateways to query the EDR solution for each user's posture during authentication, and then apply a security profile based on the EDR response.

（D）Set up a scheduled task on Panorama to pull device posture information directly from the EDR's API every hour. This information is stored as custom variables, which are then referenced in GlobalProtect security policies. An example variable might be '_edr_posture_status_'.

（E）Integrate the EDR solution with Palo Alto Networks' 'User-ID' feature to map IP addresses to EDR-provided attributes. GlobalProtect Security Policies then utilize 'User-ID' group mapping for dynamic access control. An example might be: '(user-id is 'quarantined_group') AND (application is 'any') THEN (action is 'deny')

（A）Regularly export the candidate configuration (XML) and compare it against a baseline configuration using an external diff tool, then use 'Load Named Configuration' if a rollback is needed.

（B）Implement 'Config Locks' before making changes, ensuring only one administrator can modify the configuration at a time.

（C）Leverage the 'Validate' function before committing to check for syntax errors, combined with regular 'Config Audits' and comparing the running configuration with a golden configuration stored externally.

（D）Utilize 'Admin Roles' to restrict non-approved users from making any changes to the candidate configuration.

（E）Use 'Shared Policy' and 'Device Group Policy' hierarchies effectively, combined with the 'Revert' option for the candidate configuration if unapproved changes are found.

（A）Execute a 'commit force' command from the CLI to ensure all changes are immediately active.

（B）Navigate to 'Device > Log Settings', and under the 'System' and 'Configuration' tabs, select 'LFP_Audit_Trails' as the Log Forwarding Profile.

（C）Apply the 'LFP_Audit_Trails' profile to all relevant Security Policy rules.

（D）Reboot the firewall for the new Log Forwarding Profile to take effect.

（E）Configure a Log Export Profile under 'Monitor > Logs > Export' and associate it with 'LFP Audit_Trails'.

（A）Create a 'DoS Protection Policy' rule with 'Packet Based Attack Protection' for 'UDP Flood' and specify the target application ports, setting 'Action: Syn-Cookie' to mitigate.

（B）Apply an 'IP Address Block' profile to the ICS interface, monitoring for any source IP exceeding a 'Session Rate' of 100 sessions/second and blocking for 300 seconds.

（C）Utilize 'Packet Based Attack Protection' within a 'DoS Protection Policy' rule, targeting 'UDP Flood' on specific destination ports, and configure a 'Per-Packet Rate' threshold with 'Action: Drop'.

（D）Configure a 'Zone Protection' profile for the ICS zone with 'Flood Protection' enabled for 'UDP Flood', setting a 'Per-Packet Rate' threshold and 'Action: Drop'.

（E）Implement a 'Data Filtering' profile to identify specific UDP payload patterns associated with ICS applications and block traffic not conforming to these patterns.

（A）1. Create a Service Group including TCP/1433 and TCP/50000-50005. 2. Create a security policy allowing 'any' application with this Service Group between Cluster-A and Cluster-B, applying the security and QOS profiles.

（B）1. Create two Application Override policies:

（C）1. Create two custom application signatures, one for TCP/1433 and another for TCP/50000-50005, both named 'internal-db-replication'. 2. Create a security policy allowing 'internal-db-replication' between Cluster-A and Cluster-B, applying the desired security and QOS profiles.

（D）1. Create an Application Filter that includes 'ms-sql-smb' and 'unknown-tcp'. 2. Create a security policy allowing this Application Filter between Cluster-A and Cluster-B, with the desired profiles.

（E）1. Disable App-ID for all traffic between Cluster-A and Cluster-B. 2. Create a security policy based on IP addresses and ports, applying the security and QOS profiles.