Network Security Analyst Practice Exam 2025: Latest Questions

An analyst is creating a Security policy rule and wants it to match traffic to a group of servers whose IPs may change over time. What is the BEST object type to use in the destination field?

A rule is configured to allow users in the AD group "Finance" to access an internal application. The rule still does not match traffic, and logs show the source user as "unknown". What should the analyst check FIRST?

In Strata Cloud Manager, an administrator wants to apply the same baseline security policy to multiple firewalls while still allowing each firewall to have small local exceptions. What approach is MOST appropriate?

Which security subscription is primarily responsible for identifying and blocking known malware and malicious command-and-control traffic using signature-based detection?

A company wants to reduce the risk of overly permissive access. When creating a new Security policy rule for outbound web access, what is the BEST practice for the service field?

An analyst needs a policy rule to match a constantly changing list of known malicious IP addresses maintained by a threat intel team on an internal web server. Which object should be used to reference that list in policy?

After adding a new allow rule above an existing deny rule, users still report being blocked. The traffic log shows the session matched the deny rule. What is the MOST likely cause?

In Strata Cloud Manager, an administrator wants to limit who can approve and push security policy changes to production devices while allowing other analysts to propose edits. What is the BEST approach?

A Security policy allows outbound web-browsing and ssl to the Internet with URL Filtering set to block "malware" and "phishing." Users report they can still reach known malicious sites over HTTPS. The traffic log shows the application as "ssl" and the URL field is blank. What is the MOST effective fix?

An organization uses multiple security profiles (Anti-Spyware, Vulnerability Protection, Antivirus, and WildFire analysis) and wants to ensure consistent inspection across all Internet-bound allow rules, while still being able to update profile settings centrally. What is the BEST design approach?

An analyst is creating objects on a Palo Alto Networks firewall and wants a single object that represents multiple non-contiguous IP addresses (for example, a few servers spread across different subnets). Which object type is best suited for this requirement?

A firewall has a Security policy rule allowing users to access a SaaS application using the application name. The rule is not matching; traffic hits a more general rule instead. Which change is most likely to make the application-based rule match as intended?

In Strata Cloud Manager, an administrator wants to ensure a consistent baseline of Security policy rules is applied to multiple managed firewalls while still allowing each site to add site-specific rules. Which approach best supports this goal?

A company uses tags to identify workloads by function (for example, "db" and "web"). The analyst wants Security policy rules to automatically include new workloads as they appear without manually updating address groups. Which object configuration is most appropriate?

An analyst needs to create a Security policy rule that allows only Microsoft DNS (TCP/UDP 53) from internal DNS servers to the internet, while blocking all other DNS-like traffic. Which configuration is the best practice for reducing the chance of evasive traffic using port 53?

After enabling a security subscription, an analyst expects to see URL categories populated when creating URL Filtering profiles, but the categories appear unavailable or incomplete. Which is the most likely cause?

In Strata Cloud Manager, a team wants to prevent accidental policy changes from being pushed to production firewalls without review. Which workflow best supports this requirement?

Users report that an internal application intermittently fails after a new Security policy rule is added. The traffic sometimes matches the new rule and sometimes a different rule. The analyst sees both rules could match the same session based on zones and addresses. Which configuration change most directly resolves inconsistent matching?

A security team wants to block newly registered domains and known phishing sites for users without having to manually maintain lists. Which solution best meets this requirement on Palo Alto Networks firewalls?

A company manages multiple locations using Strata Cloud Manager. They want to deploy a global policy that allows outbound web traffic but requires each location to enforce additional restrictions (for example, blocking specific URL categories) based on local regulations. Which design best satisfies this requirement while minimizing duplicated configuration?

An analyst is asked to create an address object for a partner server that can change IPs, but will always be reachable via a DNS name. The security policy should automatically match the current IP without manual updates. What is the best approach?

A rule is configured to allow users to access a new internal application. The rule uses the application name, but sessions are still being denied. The traffic log shows the application as "ssl" and the rule above it is a broad deny. What change is the best practice to ensure the allow rule can match the traffic?

In Strata Cloud Manager, an admin wants to prevent local changes on individual firewalls from causing configuration drift. They want changes to be made centrally and then pushed to devices. Which approach best supports this goal?

Users report that newly registered malicious domains are not being blocked, even though DNS Security is licensed. The firewall is correctly forwarding DNS traffic and security policy is allowing it. Which configuration is MOST likely missing?

A company wants to use Dynamic Address Groups (DAGs) to automatically quarantine endpoints based on tags received from an external system. The quarantine rule references a DAG, but no traffic matches it. The external system is sending IP-to-tag mappings. What is the MOST likely cause?