Free Paloalto Networks NetSec-Generalist Practice Exams

Question #1

Which zone is available for use in Prisma Access?

A . DMZ
B . Interzone
C . Intrazone
D . Clientless VPN

Question #2

Which two configurations are required when creating deployment profiles to migrate a perpetual VM-Series firewall to a flexible VM? (Choose two.)

A . Choose "Fixed vCPU Models" for configuration type.
B . Allocate the same number of vCPUs as the perpetual VM.
C . Deploy virtual Panorama for management.
D . Allow only the same security services as the perpetual VM.

Reveal Solution Hide Solution

Question #3

A network security engineer wants to forward Strata Logging Service data to tools used by the Security Operations Center (SOC) for further investigation.

In which best practice step of Palo Alto Networks Zero Trust does this fit?

A . Implementation
B . Report and Maintenance
C . Map and Verify Transactions
D . Standards and Designs

Reveal Solution Hide Solution

Question #4

Which type of traffic can a firewall use for proper classification and visibility of internet of things (loT) devices?

A . DHCP
B . RTP
C . RADIUS
D . SSH

Reveal Solution Hide Solution

Question #5

How many places will a firewall administrator need to create and configure a custom data loss prevention (DLP) profile across Prisma Access and the NGFW?

A . One
B . Two
C . Three
D . Four

Reveal Solution Hide Solution

Question #6

What will collect device information when a user has authenticated and connected to a GlobalProtect gateway?

A . RADIUS Authentication
B . IP address
C . Host information profile (HIP)
D . Session ID

Reveal Solution Hide Solution

Question #7

What is the primary role of Advanced DNS Security in protecting against DNS-based threats?

A . It replaces traditional DNS servers with more reliable and secure ones.
B . It centralizes all DNS management and simplifies policy creation.
C . It automatically redirects all DNS traffic through encrypted tunnels.
D . It uses machine learning (ML) to detect and block malicious domains in real-time.

Reveal Solution Hide Solution

Question #8

Which action must a firewall administrator take to incorporate custom vulnerability signatures into current Security policies?

A . Create custom objects.
B . Download WildFire updates.
C . Download threat updates.
D . Create custom policies.

Reveal Solution Hide Solution

Question #8

Which action must a firewall administrator take to incorporate custom vulnerability signatures into current Security policies?

A . Create custom objects.
B . Download WildFire updates.
C . Download threat updates.
D . Create custom policies.

Reveal Solution Hide Solution

Question #10

What should be reviewed when log forwarding from an NGFW to Strata Logging Service becomes disconnected?

A . Device certificates
B . Decryption profile
C . Auth codes
D . Software warranty

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

When log forwarding from a Palo Alto Networks NGFW to the Strata Logging Service (formerly Cortex Data Lake) becomes disconnected, the primary aspect to review is device certificates. This is because the firewall uses certificates for mutual authentication with the logging service. If these certificates are missing, expired, or invalid, the firewall will fail to establish a secure connection, preventing log forwarding.

Key Reasons Why Device Certificates Are Critical

Authentication Requirement C The NGFW uses a Palo Alto Networks-issued device certificate for authentication before it can send logs to the Strata Logging Service.

Expiration Issues C If the certificate has expired, the NGFW will be unable to authenticate, causing a disconnection.

Misconfiguration or Revocation C If the certificate is not properly installed, revoked, or incorrectly assigned, the logging service will reject log forwarding attempts.

Cloud Trust Relationship C The firewall relies on secure cloud-based authentication, where certificates validate the NGFW’s identity before log ingestion.

How to Verify and Fix Certificate Issues

Check Certificate Status

Navigate to Device > Certificates in the NGFW web interface.

Verify the presence of a valid Palo Alto Networks device certificate.

Look for expiration dates and renew if necessary.

Reinstall Certificates

If the certificate is missing or invalid, reinstall it by retrieving the correct device certificate from the Palo Alto Networks Customer Support Portal (CSP).

Ensure Correct Certificate Chain

Verify that the correct root CA certificate is installed and trusted by the firewall.

Confirm Connectivity to Strata Logging Service

Ensure that outbound connections to the logging service are not blocked due to misconfigured security policies, firewalls, or proxies.

Other Answer Choices Analysis

(B) Decryption Profile C SSL/TLS decryption settings affect traffic inspection but have no impact on log forwarding.

(C) Auth Codes C Authentication codes are used during the initial device registration with Strata Logging Service but do not impact ongoing log forwarding.

(D) Software Warranty C The firewall’s warranty does not influence log forwarding; however, an active support license is required for continuous access to Strata Logging Service.

Reference and Justification:

Firewall Deployment C Certificates are fundamental to secure NGFW cloud communication.

Security Policies C Proper authentication ensures logs are securely transmitted.

Threat Prevention & WildFire C Logging failures could impact threat visibility and WildFire analysis.

Panorama C Uses the same authentication mechanisms for centralized logging.

Zero Trust Architectures C Requires strict identity verification, including valid certificates.

Thus, Device Certificates (A) is the correct answer, as log forwarding depends on a valid, authenticated certificate to establish connectivity with Strata Logging Service.