Palo Alto Networks NetSec-Architect - Palo Alto Networks Network Security Architect Exam
Total 45 questions
Question #6 (Topic: Exam A)
A global organization plans to implement a full Zero Trust network solution to evolve its security architecture and is deciding between SASE and traditional firewall edge solutions. The organization currently has a WAN solution with all traffic backhauled to a central set of data centers and requires that branch-to-branch traffic be permitted for all 721 branch locations.
What is a crucial consideration as the solutions architect plans the end architecture for this organization?
A. PAN-OS SD-WAN should be used for full mesh deployments of 100 or more sites that require full security capabilities
B. Prisma Access does not support direct branch-to-branch traffic, but requires traffic to be routed by a service connection
C. Prisma SD-WAN supports partial mesh architectures with App-ID, Threat, and DNS Security for direct branch-to-branch traffic
D. Explicit proxy may be used in conjunction with Prisma Browser or a PAC file to access applications on a remote network
Answer: C
Question #7 (Topic: Exam A)
An organization plans to deploy a full SASE architecture consisting of Prisma SD-WAN IONs at branches and data centers alongside Prisma Access remote networks, service connections, and mobile users. The business office team requires that traffic from global remote offices to public cloud is of highest criticality, and this traffic should have the greatest service-level agreement (SLA) and QoS priority while still maintaining a balance of threat inspection.
Which recommendation should the architect make to provide the lowest latency, highest throughput, and greatest resilience for the applications?
A. Prisma Access Agent or a PAC file explicit proxy configuration connecting the end user devices directly to Prisma Access with a service connection to the public cloud provider
B. Prisma Access remote networks with service connections directly to the cloud environment using IPSec and either static or dynamic routing
C. Prisma SD-WAN IONs deployed within the cloud environment using BGP-to-peer to the internal route tables of the application
D. Prisma SD-WAN ION deployed at both branch and private data center with a direct private link between the private data center and the public cloud provider
Answer: C
Question #8 (Topic: Exam A)
A cloud engineer has implemented a security solution with a VM-Series firewall in a GCP centralized VPC to secure traffic between two spoke VPCs, but there is no communication between the spokes.
Which missed implementation step may cause this behavior?
A. Security policy rule allowing inter-spoke traffic
B. Peering connection between the two spoke VPCs
C. Source NAT policy for traffic initiated from one spoke to the other
D. Specific no-NAT policy rule for traffic between the spoke CIDR ranges
Answer: A
Question #9 (Topic: Exam A)
An organization uses Microsoft Entra ID and wants to strictly enforce a requirement that remote users accessing highly sensitive SaaS applications can only do so when originating from Prisma Browser.
Which unique identifier must be configured within the Entra ID Conditional Access policy to effectively confirm and enforce that the access request is specifically originating from Prisma Browser, preventing standard web browsers from circumventing the Zero Trust Network Access (ZTNA) control?
A. List of known egress IP addresses associated with Prisma Browser’s cloud proxy infrastructure
B. Unique device token or Device-ID issued by Prisma Browser and validated by Entra ID
C. Certificate thumbprint of Prisma Browser’s secure workspace key used for session encryption
D. GlobalProtect mobile application installed on the user's endpoint
Answer: B
Question #10 (Topic: Exam A)
An IoT sensor should be deployed in the path between the IoT device and which infrastructure component for comprehensive profiling coverage?
A. IoT Gateway
B. DNS server
C. SNMP Collector
D. DHCP server
Answer: D