Network Security Architect Intermediate Practice Exam: Medium Difficulty 2025

An enterprise is redesigning its internet edge. Requirements: consistent security policy for all outbound internet traffic, scalable throughput growth, and minimal operational overhead. They also want to decrypt outbound TLS where appropriate and use threat prevention and URL filtering consistently. Which architecture best meets these goals with Palo Alto Networks?

A company must segment east-west traffic in a data center hosting multi-tier applications. They want to reduce rulebase complexity, ensure only approved application flows are allowed between tiers, and maintain visibility into which applications are actually running. Which approach best aligns with Palo Alto Networks best practices?

A global organization uses active/active data centers and wants to protect inbound web applications with a consistent security posture. Requirements include advanced threat protection, bot protection, and reducing exposure of origin IPs. Which design best satisfies these requirements?

A company is implementing Zero Trust for internal applications accessed by employees and contractors. They want to continuously verify user identity, device posture, and reduce lateral movement if a device becomes compromised. Which combination best aligns with a Zero Trust approach using Palo Alto Networks capabilities?

An organization wants to adopt Zero Trust in a campus network. They need to ensure that unmanaged devices (e.g., BYOD) can only reach specific SaaS apps and not internal resources. They also want policy decisions to be based on user and device context. Which solution is the best fit?

A security architect must design a policy model where access to a sensitive HR application is allowed only from corporate-managed laptops that are compliant, and only for HR staff. Contractors must be blocked even if they authenticate successfully. Which design best meets the requirement?

A SOC wants to automatically quarantine endpoints that generate high-confidence malware alerts from Cortex XDR. The quarantine must immediately restrict the host’s network access while still allowing remediation traffic (e.g., to update servers). Which approach is most appropriate?

A company uses Panorama to manage hundreds of firewalls. They want changes to be validated and deployed through an automated pipeline with approvals, and they need an auditable record of what was deployed. Which design best meets these requirements?

A network team wants to automatically populate firewall objects with the current IP ranges of a SaaS provider to avoid manual updates. They also want the policy to update quickly when the provider changes ranges. What is the best mechanism to use?

A customer requests a new security architecture. Business requirements: enable rapid cloud adoption, minimize downtime during migrations, and satisfy regulatory needs for logging and access control. Technical constraints: limited staff, multiple cloud accounts/subscriptions, and a mix of on-prem and cloud workloads. What is the best next step for the architect?