Pass your actual test at first attempt with Palo Alto Networks NetSec-Analyst training material
Updated: Sep 08, 2025
No. of Questions: 251 Questions & Answers with Testing Engine
Download Limit: Unlimited
Exam-Killer NetSec-Analyst updated and latest training material covers the main exam objectives of the actual test, which can ensure you pass easily. Free update for one year of NetSec-Analyst training material is available after purchase. Besides, our NetSec-Analyst test engine can simulate the actual test environment for better preparation.
Exam-Killer has an unprecedented 99.6% first-time pass rate among our customers. We're so confident in our products that we provide a no-hassle product exchange.
1. An internal server (10.0.1.5) on the 'Trust' zone needs to access a specific public service (example.com, 1.1.1.1) on TCP port 80. Due to a complex network design and a requirement for strict outbound traffic control, all traffic from this server to 1.1.1.1:80 must be translated to a specific public IP 203.0.113.20. All other traffic from 10.0.1.5 to the Internet should use the firewall's egress interface IP (203.0.113.1). Additionally, any return traffic from 1.1.1.1 to 203.0.113.20 should be automatically translated back to 10.0.1.5. Which of the following NAT configurations achieves this with the highest specificity and ensures bi-directional communication for the dedicated service?
A) A single NAT rule with a U-Turn NAT for the specific service.
B)
C)
D) This requires two separate security policies, one for 1.1.1.1 and another for general internet access, with no specific NAT configuration.
E)
2. You are a Network Security Analyst managing a Palo Alto Networks firewall. A critical internal application, 'Project-Zeus', connects to an external SaaS provider over TCP/443. This SaaS service uses a highly customized TLS implementation that consistently causes App-ID to identify the traffic as 'ssl-unknown' or 'unknown-tcp', even though the service is legitimate and approved. The security team wants to ensure 'Project-Zeus' traffic is explicitly identified as 'project-zeus-app' (a pre-defined custom application) to apply a specific set of security profiles, including advanced threat prevention and decryption, that are tailored to its known behavior. The SaaS provider's IP range is dynamic but always resides within a specific FQDN object (saas.example.com) that resolves to multiple IPs.
Which combination of configuration elements will reliably achieve this goal?
A) 1. Create an Application Filter including 'ssl-unknown' and 'unknown-tcp'.
B) 1. Create a Service Object for TCP/443.
C) 1. Create an Application Override rule with Application: 'project-zeus-app', Protocol: 'tcp', Port: '443', Source: 'Internal-Zeus-Server-IP', Destination: 'Any'.
D) 1. Create an Application Override rule with Application: 'project-zeus-app', Protocol: 'tcp', Port: '443', Source: 'Internal-Zeus-Server-IP', Destination:
E) 1. Configure SSL Decryption for traffic destined to 'saas.example.com'.
3. A critical application behind a Palo Alto Networks firewall intermittently loses connectivity. Packet captures on the firewall show SYN packets from the client reaching the firewall, but no SYN-ACK is returned. The firewall's session browser shows sessions in a 'DOWN' state for this traffic. The security policy rule permitting this traffic has 'Service: application-default' and 'Application: '. The security logs show 'Permit' actions, but the session never establishes. Which of the following is the MOST PROBABLE cause?
A) A fragmented packet from the client is being dropped due to a max-fragment-size setting, preventing session setup.
B) Asymmetric routing causing the return traffic to bypass the firewall.
C) A conflicting security policy rule with a more specific match is denying the traffic, but due to session state, initial logs show 'Permit'.
D) The server hosting the application is not responding to SYN requests due to being overloaded or misconfigured.
E) The firewall's TCP session setup timeout is too aggressive for the application's response time.
4. A Palo Alto Networks firewall is configured with User-ID and integrated with Active Directory. The network team reports that users from the 'Guest Wi-Fi' network are occasionally accessing internal resources. The current security policy allows 'Guest_Wi-Fi' users only to specific internet sites. Investigation reveals that the Guest Wi-Fi SSID is configured to assign IPs from a different subnet than the corporate network, but the User-ID mapping is still showing internal corporate users mapped to some Guest Wi-Fi IPs due to cached logins or session sharing. How would you prevent 'Guest_Wi-Fi' users, regardless of their User-ID mapping, from accessing internal resources while maintaining their internet access?
A) Create a new Security Policy rule with Source Zone: Guest_Zone, Source User: any, Destination Zone: Internal_Zone, Action: deny. Place this rule above all other internal access rules.
B) Modify the existing rules for 'Guest_Wi-Fi' internet access by adding Destination Zone: Untrust and ensuring no rules allow Guest_Wi-Fi to Internal_Zone. Clear User-ID cache periodically.
C) Configure a User-ID exclusion list for the Guest_Wi-Fi subnet to prevent any User-ID mappings for those IPs, then create a deny rule for Guest_Zone to Internal_Zone.
D) Implement an explicit Policy-Based Forwarding (PBF) rule for the Guest_Wi-Fi subnet to route all traffic directly to the internet, bypassing security policy evaluation for internal destinations.
E) Create a new Security Policy rule with Source Zone: Guest_Zone, Source Address: Guest_Wi-Fi_Subnet, Source User: any, Destination Zone: Internal_Zone, Action: deny. Place this rule with the highest priority.
5. An organization is using a custom External Dynamic List (EDL) for IP addresses, sourced from an internal HTTP server. The firewall's data plane interfaces are in an 'internal' zone, and the EDL source server is in a 'dmz' zone. The security policy allowing EDL updates is as follows:
However, the EDL consistently fails to update, and logs show no attempts to reach the EDL server from the 'internal' zone. What is the most likely reason for this failure?
A) The 'Service' should be 'application-default' to cover both HTTP and HTTPS.
B) The 'Application' should be 'paloalto-updates' instead of 'web-browsing'.
C) The 'Source Zone' should be 'management' because EDL fetching is a management plane operation.
D) A NAT policy is missing to allow the firewall to reach the DMZ.
E) The firewall requires a security profile attached to this policy.
Solutions:
Question # 1 Answer: E | Question # 2 Answer: D | Question # 3 Answer: B | Question # 4 Answer: E | Question # 5 Answer: C
Failing in my first attempt to pass Palo Alto Networks NetSec-Analyst Palo Alto Networks Certification exam. I searched for reliable source to help me out passing this exam. One of my friends recommended
Got more marks than my practice First Attempt Pass Assurance
Cleared by 92% marks
Precision is Priority
Well Done Exam-Killer
Thanks Exam-Killer for providing complete demonstration of the real exam before appearing for it. I am one of your successful customers and writing these words with joy
Got through different web sites for real exam dumps for my upcoming Palo Alto Networks NetSec-Analyst exam. Finally Exam-Killer gave me the 100% guarantee to pass.
Astonishing Stuff
Passed with High Grades
Exam-Killer wins Trust
Disclaimer Policy: The site does not guarantee the content of the comments. Because of the different time and the changes in the scope of the exam, it can produce different effect. Before you purchase the dump, please carefully read the product introduction from the page. In addition, please be advised the site will not be responsible for the content of the comments and contradictions between users.
Exam-Killer NetSec-Analyst latest torrent pdf is a great help in preparing for your actual exam and covers the latest exam objectives. All the contents of the NetSec-Analyst study material are written and compiled by professional experts with high quality and a high pass rate, which can ensure you 100% pass.
Besides, we have a money back guarantee in case of failure. You just need to show us the failure score report and we will refund you after confirming.
Test Engine: the NetSec-Analyst study test engine can be downloaded and run on your own devices. Practice the test in an interactive, simulated environment.
PDF (duplicate of the test engine): the contents are the same as the test engine, and it supports printing.
You will receive an email with the NetSec-Analyst study material attached within 5-10 minutes, and then you can instantly download it for study. If you do not get the study material after purchase, please contact us by email immediately.
All the products are updated frequently but not on a fixed date. Our professional team pays great attention to the exam updates and always upgrades the content accordingly.
Yes, you will enjoy one year of free updates after purchase. If there is any update, our system will automatically send the updated study material to your payment email.
Once downloaded and installed on your PC, you can practice NetSec-Analyst test questions and review your questions & answers using two different options, 'practice exam' and 'virtual exam'.
Virtual Exam - test yourself with exam questions with a time limit.
Practice Exam - review exam questions one by one, see correct answers.
Online Test Engine supports Windows / Mac / Android / iOS, etc., because it is software based on the web browser. You can use it on any electronic device and practice at your own pace.
Online Test Engine supports offline practice, provided that you run it with an internet connection the first time.
Self Test Engine is suitable for the Windows operating system, runs on the Java environment, and can be installed on multiple computers.
PDF Version: can be read with Adobe Reader or many other free readers, including OpenOffice, Foxit Reader and Google Docs.
We offer some discounts to our customers. There is no limit to some special discount. You can check our site regularly to get the coupons.
Yes. We have a money back guarantee in case of failure with our products. The refund process is very simple: you just need to show us your failure score report within 60 days from the date of purchase of the exam. We will then verify the authenticity of the documents submitted and arrange the refund after receiving the email and completing the confirmation process. The money will be returned to your payment account within 7 days.
Over 71185+ Satisfied Customers