Palo Alto Networks Security Operations Generalist Sample Questions:

1. When integrating Palo Alto Networks NGFWs or Prisma Access with the IoT Security subscription for monitoring, what information is primarily sent from the firewall/Prisma Access to the cloud-based IoT Security service to enable device discovery and profiling?

A) Metadata about IoT traffic flows, including source/destination IP/port, protocol, application ID, and behavioral indicators.
B) Configuration files from the firewall.
C) Full packet captures of all IoT traffic.
D) Sensitive data content detected within IoT traffic.
E) Endpoint process and file system information from IoT devices.

2. A security analyst is investigating potential policy violations involving unsanctioned SaaS application usage and attempted sensitive data uploads. They are using Prisma Access with Enterprise DLP and SaaS Security features, logging to Cortex Data Lake. The analyst needs to find instances where users attempted to access blocked social media sites, used unsanctioned file sharing apps, AND attempted to upload data containing PII. Which combination of log types and filtering criteria in Cortex Data Lake or the Cloud Management Console would help identify users involved in this set of activities? (Select all that apply)

A) Data Filtering logs filtered by 'Action: block' or 'alert' for PII patterns, correlated with session information from Traffic logs to identify the user and application.
B) File logs filtered by 'Direction: upload' and correlated with Traffic logs and Data Filtering logs for sessions involving sensitive data uploads.
C) URL Filtering logs filtered by 'Action: block' and URL categories like 'Social-Networking' or 'File Sharing and Storage'.
D) Traffic logs filtered by 'Action: deny' and Application App-IDs for unsanctioned social media or file sharing services (e.g., 'twitter-base', 'dropbox-base').
E) Threat logs filtered by Threat Category 'phishing' or 'command-and-control'.

3. An organization relies on Palo Alto Networks NGFWs (PA-Series and VM-Series) to protect against the latest threats. Which dynamic updates are MOST critical for ensuring these firewalls have the most current information to identify applications, detect known malware and vulnerabilities, and identify malicious websites?

A) PAN-OS software updates
B) URL Filtering updates
C) WildFire updates
D) Threat Prevention updates (Antivirus, Vulnerability Protection, Anti-Spyware signatures)
E) App-ID updates

4. An organization with several branch offices connected to a central data center via limited-bandwidth MPLS links and broadband internet is deploying Prisma SD-WAN. Users at branch offices frequently access large files stored on central file servers (using SMB/CIFS) and download software updates. This traffic consumes significant bandwidth and is slow. Which core WAN optimization technique available in Prisma SD-WAN is MOST effective at reducing the bandwidth consumed by this type of repetitive, bulky data transfer between the same locations?

A) Forward Error Correction (FEC), which adds redundant information to packets to allow reconstruction at the destination without retransmission.
B) Protocol Acceleration, which optimizes chatty application protocols like SMB/CIFS by reducing the number of round trips.
C) Data Reduction (Compression and Deduplication), which identifies and replaces repetitive data patterns across transfers with smaller tokens.
D) Application-based Path Selection, which dynamically steers traffic for this application over the link with the lowest latency.
E) Packet Duplication, which sends identical packets over multiple paths to mitigate packet loss.

5. A company uses Palo Alto Networks Prisma Access for its remote workforce. They have a strict policy to prevent the exfiltration of sensitive customer data, specifically documents containing patterns resembling Social Security Numbers (SSNs) or Credit Card Numbers (CCNs). Users should be blocked if they attempt to upload such documents to cloud storage or webmail services. Assuming App-ID correctly identifies the applications and SSL Forward Proxy decryption is successfully enabled for relevant traffic, which Content-ID feature is used to enforce this policy, and what is a key aspect of its configuration?

A) URL Filtering profile configured to block access to all cloud storage and webmail categories.
B) Antivirus profile configured to detect data patterns associated with sensitive information.
C) Threat Prevention profile configured with signatures for SSNs and CCNs, which scans the decrypted data stream.
D) Data Filtering profile configured with specific patterns (regex or built-in) for SSNs and CCNs, applied to relevant security policy rules with an action like 'block' or 'alert'.
E) File Blocking profile configured to block document file types (like .doc, .pdf) being uploaded to the internet.

Solutions: