Paloalto Networks NetSec-Architect 시험

Question No : 1

An organization with offices throughout the world has an SD-WAN solution in which all traffic is backhauled to a central set of data centers. Many of the offices have IoT / OT devices.
Which IoT Security requirement must be taken into consideration by the security architect when determining which Zero Trust network solution will help this organization evolve its security architecture?

• A.Either a Prisma SD-WAN ION or an NGFW device must be present for accurate IoT / ОТ detection.
• B.A local sensor must be deployed as either an agent on the DHCP server or as a container on the virtual infrastructure.
• C.All DHCP requests must traverse the Prisma SD-WAN fabric for IoT / ОТ detection.
• D.The organization must have local NGFW for enforcement.

답을 확인하기

정답:

Question No : 2

An organization is designing the Prisma Access service connections for its data centers. Each data center has 10 Gb redundant links to the internet. Each data center will need to support a minimum of 1. 5 Gbps of throughput from Prisma Access connected users and branches.
Which diagram depicts a solution that meets the requirements of this use case?
A )



B.



C.



D.

• A.Option A
• B.Option B
• C.Option C
• D.Option D

답을 확인하기

정답:

Question No : 3

A large organization is building a hybrid AI environment. The plan is to develop proprietary machine learning (ML) models on-premises in a VMware NSX environment and create separate, cloud-native AI applications in a Google Kubernetes Engine (GKE) cluster environment. The CISO has requested a single solution that can offer runtime protection and visibility for the two environments.
Which Prisma AIRS component or form factor should a security architect recommend to this customer?

• A.AI Agent Security installed on each individual virtual machine (VM) and container across both environments to provide host-level protection
• B.Prisma AIRS Network Intercept deployed as security virtual appliances in both environments
• C.Prisma AIRS SaaS platform to ingest telemetry from both environments without requiring local enforcement points
• D.AI Security Posture Management (AI-SPM) scanner to connect to both on-premises and cloud environments to scan for misconfigurations

답을 확인하기

정답:

Question No : 4

Which custom component can mitigate the risk associated with an organization’s sales staff filling out a customer intake PDF form that contains corporate confidential information?

• A.App-ID matching distinct components of the PDF applied using a security rule
• B.Document type using trainable classifiers applied using a profile
• C.Threat signature blocking the file based on a hash of the PDF
• D.File blocking rule unique matching header or byte-code of the PDF

답을 확인하기

정답:

Question No : 5

An organization uses Microsoft Entra ID and wants to strictly enforce a requirement that remote users accessing highly sensitive SaaS applications can only do so when originating from Prisma Browser.
Which unique identifier must be configured within the Entra ID Conditional Access policy to effectively confirm and enforce that the access request is specifically originating from Prisma Browser and preventing standard web browsers from circumventing the Zero Trust Network Access (ZTNA) control?

• A.List of known egress IP addresses associated with Prisma Browser’s cloud proxy infrastructure
• B.Unique device token or Device-ID issued by Prisma Browser and validated by Entra ID
• C.Certificate thumbprint of Prisma Browser’s secure workspace key used for session encryption
• D.GlobalProtect mobile application installed on the user's endpoint

답을 확인하기

정답:

Question No : 6

A cloud engineer has implemented a security solution with a VM-Series firewall in a GCP centralized VPC to secure traffic between two spoke VPCs, but there is no communication between the spokes .
Which missed implementation step may cause this behavior?

• A.Security policy rule allowing inter-spoke traffic
• B.Peering connection between the two spoke VPCs
• C.Source NAT policy for traffic initiated from one spoke to the other
• D.Specific no-NAT policy rule for traffic between the spoke CIDR ranges

답을 확인하기

정답:

Question No : 7

An organization plans to deploy a full SASE architecture consisting of Prisma SD-WAN IONs at branches and data centers alongside Prisma Access remote networks, service connections, and mobile users. The business office team requires that traffic from global remote offices to public cloud is of highest criticality, and this traffic should have the greatest service-level agreement (SLA) and QoS priority while still maintaining a balance of threat inspection.
Which recommendation should the architect make to provide the lowest latency, highest throughput, and greatest resilience for the applications?

• A.Prisma Access Agent or а РАС file explicit proxy configuration connecting the end user devices directly to Prisma Access with a service connection to the public cloud provider
• B.Prisma Access remote networks with service connections directly to the cloud environment using IPSec and either static or dynamic routing
• C.Prisma SD-WAN IONs deployed within the cloud environment using BGP-to-peer to the internal route tables of the application
• D.Prisma SD-WAN ION deployed at both branch and private data center with a direct private link between the private data center and the public cloud provider

답을 확인하기

정답:

Question No : 8

A global organization plans to implement a full Zero Trust network solution to evolve its security architecture and is deciding between SASE and traditional firewall edge solutions. The organization currently has a WAN solution with all traffic backhauled to a central set of data centers and requires that branch-to-branch traffic be permitted for all 721 branch locations .
What is a crucial consideration as the solutions architect plans the end architecture for this organization?

• A.PAN-OS SD-WAN should be used for full mesh deployments of 100 or more sites that require full security capabilities
• B.Prisma Access does not support direct branch-to-branch traffic, but requires traffic to be routed by a service connection
• C.Prisma SD-WAN supports partial mesh architectures with App-ID, Threat, and DNS Security for direct branch-to-branch traffic
• D.Explicit proxy may be used in conjunction with Prisma Browser or а РАС file to access applications on a remote network

답을 확인하기

정답:

Question No : 9

An organization wants to migrate to an SSE model using Prisma Access for hybrid workforce connectivity. Following bandwidth analysis, network engineers have identified high-bandwidth requirements (>2 Gbps) sustained throughput to the data center for privately hosted applications (e.g., three tier applications active FTP and SMB file servers, EDR toolsets).
Business continuity for the organization requires the ability to use multiple cloud providers for private-application connectivity, ensuring no single cloud provider outage can disrupt operations. The network operations team has expressed concerns about migrating to SSE with legacy routing technical debt noting multiple redistribution protocols in place across the environment.
Which two network connectivity methods will meet the business requirements to access private applications from Prisma Access? (Choose two.)

• A.ZTNA Connectors
• B.Colo-Connect
• C.Cloud gateways
• D.Service connections

답을 확인하기

정답:

Question No : 10

A global organization has fully adopted Prisma Access to provide security for its mobile workforce and remote offices, and user identity is managed in Okta. The security team wants to create consistent Security policies that grant access to specific SaaS applications based on a users' departments, regardless of whether they work from home or a from branch office connected via an SD-WAN device
Which architecture ensures that consistent user-to-group mapping is available to Prisma Access for policy enforcement in this use case?

• A.Install the Palo Alto Networks User-ID agent and configure it to sync user information from Okta to Prisma Access
• B.Deploy Panorama to manage Prisma Access and configure it to pull user and group information from Okta via the Cloud Identity Engine
• C.Configure SAML federation between Prisma Access and Okta to provide user identity for every web request
• D.Configure each remote office SD-WAN device and each user’s GlobalProtect client to query Okta directly for user information

답을 확인하기

정답:

Question No : 11

A large organization uses Palo Alto Networks VM-Series firewalls deployed across multiple availability zones in Microsoft Azure. These are managed by an Azure Virtual Machine Scale Set (VMSS) and integrated with an Azure Load Balancer for high availability (HA) traffic inspection within a Transit VNet.
The security team needs to perform a critical PAN-OS software upgrade across the entire fleet of firewalls with the requirement of minimal application downtime.
Following Palo Alto Networks best practices for highly available cloud deployments, what is the recommended approach for safely performing this software upgrade with the least downtime?

• A.Update the image in an Azure VMSS and then initiate an upgrade of the instances
• B.Configure Azure Load Balancer probes to handle the health check failover during upgrades
• C.Provision a new, parallel VMSS with the new PAN-OS version, validate it, and redirect traffic from the old VMSS to the new one
• D.Use Azure Update Manager to push the PAN-OS upgrade package directly to all firewall instances simultaneously during a scheduled maintenance window

답을 확인하기

정답:

Question No : 12

An architect is reviewing a use case with the following requirements:
Visibility on the health of an end user's path for the five most critical applications
Metrics on the impact of endpoint health for application
Centralized call quality analytics from Zoom video conferencing solution
Insights into the supporting protocols, such as DNS
Support 600 users on Windows desktops in a single sales office
Which solution should be recommended to meet these requirements?

• A.Remote networks with ADEM enabled and an ION device
• B.Global Protect with a Prisma Access portal configured and ADEM enabled
• C.Prisma SD-WAN using the native application dashboard and link quality monitoring
• D.Prisma Browser or the Prisma Browser extension with RUM metrics

답을 확인하기

정답:

Question No : 13

A technology company is deploying its own AI applications on a Google Kubernetes Engine (GKE) cluster. The development team is concerned about protecting the complex, microservices-based AI stack from both internal and external threats: such as data poisoning and lateral movement between containerized components .
Which solution should be proposed to address these concerns?

• A.AI Access Security with Advanced URL Filtering
• B.AI Access Security with App-ID Cloud Engine
• C.Prisma AIRS Network Intercept
• D.Prisma AIRS API Intercept

답을 확인하기

정답: