Network Security Professional Intermediate Practice Exam: Medium Difficulty 2025

A security engineer needs to allow employees to use Microsoft 365 while preventing uploads to personal cloud storage sites. Users sometimes access Microsoft 365 from new IP ranges, so relying on IP allowlists is unreliable. Which Security policy approach best meets the requirement on a Palo Alto Networks NGFW?

After enabling SSL decryption for outbound internet access, users report that some websites intermittently fail to load, and the Traffic logs show sessions with "decrypt-error". The engineer wants to minimize user impact while maintaining decryption where possible. What is the best next step?

A company has a policy to block all unknown traffic while allowing business applications. After implementing a strict policy, some new SaaS apps are being blocked because the firewall classifies traffic as "unknown-tcp" initially. What configuration change best preserves security while improving app identification for policy decisions?

An administrator must ensure that only domain-joined corporate laptops can access an internal HR web application through the firewall. Users authenticate with Active Directory. Which solution best enforces both user and device posture at the firewall?

A firewall deployment uses two ISPs for outbound internet access. The requirement is to use ISP1 for all normal traffic, but automatically fail over to ISP2 if ISP1 becomes unreachable beyond the provider edge. Which configuration best meets the requirement?

A change request requires allowing a new application from a DMZ web server to a backend database. The engineer must ensure that only the required port is allowed and that threats are inspected. Which Security policy configuration best aligns with Palo Alto Networks best practices?

A company wants remote users to connect to the nearest point of presence and apply consistent security policy for internet access and sanctioned SaaS applications. They also want simplified operations compared to managing multiple regional firewalls. Which Palo Alto Networks architecture best fits these goals?

An organization is adopting SaaS applications and wants to reduce data leakage. They need to enforce that only corporate-managed devices can download files from sanctioned SaaS apps, while unmanaged devices can still access the apps with restricted capabilities. Which approach best satisfies this requirement?

A security team wants to ensure that malware downloads are blocked for users whether they are on-premises or remote. They also want a single place to view malicious activity across both environments. Which combination best meets the requirement?

Users report they cannot access an internal application after a policy change. The engineer sees traffic hitting an interzone Security rule that should allow it, but sessions are still denied. Which troubleshooting step most directly helps determine why the firewall is denying the traffic?