50 Network Security Analyst Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Network Security Analyst certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Network Security Analyst
An analyst is creating a Security policy rule and wants to allow access to a specific SaaS application without managing large, changing IP ranges. Which object should be used in the rule to best meet this requirement?
A firewall rule is intended to allow users in the Finance department to reach an internal payroll application. The administrator already has User-ID enabled. Which approach is the best practice to scope the rule to Finance users?
You want to centrally manage multiple firewalls and ensure policy changes are deployed consistently from a single cloud-based console. Which Palo Alto Networks management option best fits this requirement?
A new Security policy rule is created but traffic still matches an older, more general allow rule. What is the most likely reason?
An administrator wants a single object that automatically expands to include a domain and its subdomains (for example, example.com and *.example.com) to use in Security policy rules. Which object type is most appropriate?
A team needs to block known malicious outbound connections while minimizing false positives. Which combination is the best practice approach on a Palo Alto Networks firewall?
After a commit and push from Strata Cloud Manager, one firewall shows 'Out of Sync'. Which action is most appropriate to identify what differs between intended and running configuration?
A new rule is intended to allow only a specific application and deny everything else to a destination. The administrator set the rule to allow the application but left the service as 'any'. Which change best aligns with least privilege while maintaining App-ID accuracy?
A security team wants to automatically quarantine infected endpoints by dynamically grouping them and applying a restrictive policy, without manually updating address objects. Which design best meets this requirement?
A company uses Strata Cloud Manager to manage a fleet of firewalls. A new standardized outbound policy must be applied to all sites, but each site has different internal IP ranges and different DNS/NTP servers. Which approach provides the best balance of standardization and site-specific customization?
An analyst needs to create a single object that represents multiple internal DNS servers (10.10.10.11, 10.10.10.12, 10.10.10.13) and reuse it across multiple Security policy rules. Which object type is best practice?
A new Security policy rule is intended to allow users to access a sanctioned SaaS application. After committing, traffic is still blocked by an existing rule. What is the most likely cause?
In Strata Cloud Manager, an administrator wants to ensure that a group of firewalls consistently receives the same shared configuration (objects and policies) with centralized management. What should the administrator use?
A company wants to build Security policy rules that reference business units rather than individual IP addresses, and the mappings change frequently as users move between subnets. Which approach best supports this requirement with minimal policy changes?
An analyst creates an Application-based Security policy rule allowing 'web-browsing' and 'ssl' from the user zone to the internet. Some HTTPS sites still fail because the required application shifts after initial negotiation. Which best practice should be used to reduce these failures while maintaining App-ID control?
A team wants to dynamically block newly observed malicious IPs from a threat feed without manually updating objects. Which object/service combination best meets this goal?
After onboarding firewalls to Strata Cloud Manager, an administrator can see device health but cannot push configuration changes. Which is the most likely missing step or requirement?
An organization wants to reduce false positives in URL blocking while still preventing access to newly registered or suspicious domains. Which security subscription capability most directly supports this use case?
A policy rule allowing outbound traffic uses an application filter and includes 'Any' for service. The security team wants to ensure only the standard ports for the allowed applications are permitted, reducing exposure to non-standard ports. What is the best practice configuration change?
A firewall is configured to forward logs to Strata Cloud Manager, but the analyst sees gaps in threat logs for certain time periods even though traffic was present. Which configuration issue is the MOST likely cause on the firewall side?
An administrator is creating an Address Group for a security rule that should include both individual IP addresses and entire subnets. Which Address Group type supports mixing these different object types in the same group?
A security policy rule is configured to allow traffic. Users report that the session is still being blocked, and the traffic log shows the action as "deny" with a different rule name than expected. What is the most likely reason?
In Strata Cloud Manager, an administrator wants to standardize security rules across multiple firewall locations while allowing each location to add a small set of local exceptions. Which approach best meets this goal?
A rule is configured with application set to "any" and service set to "application-default". Users report that a custom application running on TCP/8443 is failing even though the rule allows the destination. What is the most likely cause?
You want an address group to automatically include any address object tagged with "prod" and "web". Which configuration should you use?
A company uses a shared "Corporate" security rulebase in Strata Cloud Manager and wants to ensure a "Deny known bad" rule cannot be overridden by local administrators. What is the best practice approach?
An organization wants to reduce risk from newly observed threats without creating many custom signatures. Which subscription capability best supports blocking known malware and C2 traffic using regularly updated threat intelligence?
A new rule was created to allow a SaaS application, but sessions are still denied. The traffic log shows the application as "ssl" and the deny rule is app-based for the SaaS app. Decryption is not enabled. What is the best fix to reliably enforce app-based access to that SaaS application?
You create a Dynamic Address Group (DAG) based on tag "finance" and reference it in a security rule. Traffic from a recently added finance host is not matching the rule. The address object for the host exists and has the correct tag. What is the most likely operational step missing?
An administrator wants a design that allows central governance in Strata Cloud Manager while ensuring firewall locations can continue enforcing the last known good policy during a temporary loss of connectivity to the cloud service. Which design principle best addresses this requirement?
An analyst needs to create a set of destinations (CIDR ranges) that will be referenced by multiple Security policy rules and may change frequently. Which object type is the best fit?
A new Security policy rule is created to allow users to access an internal web application. The rule is not being hit, and traffic is matching a more general deny rule below it. What is the most likely issue?
In Strata Cloud Manager, an administrator wants a consistent set of security profiles applied to many allow rules without selecting each profile individually every time. What is the recommended approach?
An organization wants to reduce risk by preventing users from accidentally accessing newly registered domains. Which security subscription capability directly addresses this requirement?
A team wants to allow Microsoft 365 access for users but block personal cloud storage services. Which rule design is the best practice to minimize over-permitting while maintaining access?
An administrator uses a dynamic address group (DAG) for 'Quarantine' endpoints based on a tag from a source such as a VM system or integration. Some infected endpoints are not being blocked by the quarantine policy. Which is the most likely cause?
An analyst is troubleshooting why a user-based Security policy rule is not matching. Traffic logs show the Source User as 'unknown'. What is the most effective next step to make user-based policy work?
You manage policy in Strata Cloud Manager for multiple locations. You want to roll out a baseline set of security rules globally, while allowing each site to add a small number of local exceptions without modifying the baseline. Which approach best fits this requirement?
After adding a new URL Filtering profile to an allow rule, users report that some benign sites are being blocked unexpectedly. The security team wants to minimize disruption while keeping protections. What is the best next step?
A security rule allows outbound web traffic and has a security profile group attached. Despite this, malware is not being identified, and logs show little to no file inspection. Which configuration is MOST likely missing to enable effective file-based malware analysis for unknown threats?
An analyst wants to ensure a Security policy rule only applies when traffic is destined to a specific public SaaS provider whose IP ranges change frequently. What is the recommended approach?
A new Security policy rule is intended to block outbound SSH from user subnets to the internet, but internal SSH between data center segments must continue to work. Which rule design best meets the requirement?
In Strata Cloud Manager, an administrator wants to ensure all deployed firewalls use the same DNS server settings and NTP settings. What is the best way to standardize these settings?
A Security rule allows web-browsing from users to the internet. Users report intermittent access issues to some HTTPS sites. Logs show the traffic is allowed, but sessions reset after the TLS handshake. Which misconfiguration is the MOST likely cause?
An analyst needs to write a policy that permits only Microsoft Windows updates while blocking other web traffic for a specific subnet during a maintenance window. Which approach is most precise and maintainable?
A team uses Strata Cloud Manager to manage multiple locations. They want to deploy the same baseline Security Profiles (anti-spyware, vulnerability, antivirus) everywhere, but allow each site to customize URL Filtering categories. What design best supports this?
A rule is configured with both source user (User-ID) and source address criteria. Users complain that sometimes the same user is blocked, sometimes allowed, from the same computer. Which condition most commonly explains inconsistent matching?
An administrator wants to reduce policy complexity by using tags to group objects representing 'PCI in-scope systems' across multiple subnets and IP changes. Which object strategy best supports this goal?
A company wants to use Advanced WildFire to analyze unknown files. Some users report that certain downloads are delayed significantly, and the help desk suspects it’s related to file submission and verdict checks. Which setting change most directly reduces user-perceived download delay while still benefiting from WildFire?
An organization manages policies in Strata Cloud Manager and must ensure that a small set of emergency security rules can be deployed quickly across all sites, but only by a limited administrator group, without granting them full policy management rights. What is the best design?
Network Security Analyst 50 Practice Questions FAQs
Network Security Analyst is a professional certification from Palo Alto Networks that validates expertise in network security analyst technologies and concepts. The official exam code is PALOALTO-4.
Our 50 Network Security Analyst practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Network Security Analyst preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Network Security Analyst questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.