Palo Alto Networks PAN-CSP Online Practice Questions and Exam Preparation

Palo Alto Networks PAN-CSP Online Questions & Answers

• Question 171:

  Web-Application and API Security (WAAS) provides protection for which two protocols? (Choose two.)

  A. HTTP
  B. SSH
  C. Tomcat Web Connector via AJP
  D. TLS
  A. HTTP
  D. TLS

  ---

  Explanation

  Web-Application and API Security (WAAS) is a feature within Prisma Cloud that focuses on protecting web applications and APIs from various threats and vulnerabilities. The primary protocols it provides protection for are HTTP (Hypertext Transfer Protocol) and TLS (Transport Layer Security). HTTP is the foundation of data communication for the World Wide Web, and TLS is a cryptographic protocol designed to provide communications security over a computer network.

  While SSH (Secure Shell) is a protocol for secure remote login and other secure network services, and Tomcat Web Connector via AJP (Apache JServ Protocol) is used for Tomcat server communication, they are not the primary focus of WAAS protection.

• Question 172:

  Which resource and policy type are used to calculate AWS Net Effective Permissions? (Choose two.)

  A. Service Linked Roles
  B. Lambda Function
  C. Amazon Resource Names (ARNs) using Wild Cards
  D. AWS Service Control Policies (SCPs)
  B. Lambda Function
  D. AWS Service Control Policies (SCPs)

  ---

  Explanation

  "The list of AWS policy types and identities that are used to calculate the net effective permissions are as follows:

  AWS IAM role

  AWS IAM policy

  AWS IAM group AWS service control policies (SCPs)

  Role trust relationships

  Permission boundaries

  NotAction

  Policies with wild card support

  If your cloud environment has additional resource types, Prisma Cloud does not factor them into the net-effective permissions. In addition, permissions can also be set by a resource-based policy. The following AWS resource-based policies are supported in the net effective permissions calculation: Lambda function

  S3 bucket

  SQS queue

  SNS topic

  ECS task definition

  Secret manager

  KMS key

  Lambda layer version"

• Question 173:

  Given the following audit event activity snippet:

  {

  "payload": {

  "requestMetadata": {

  "callerSuppliedUserAgent": "google-cloud-sdk gcloud/274.0.1 command/gcloud.compute.firewall-rules.delete invocation-id/edda7aa325264545a4322f5160c15791 environment/None environment-version/None interactive/False from-script/

  False python/2.7.15 term/ (Linux 4.14.186-146.268.amzn2.x86_64), gzip(gfe)","callerIp": "52.87.62.40"

  },

  "request": {

  "@type": "type.googleapis.com/compute.firewalls.delete"

  }

  }

  }

  Which RQL will be triggered by the audit event?

  A. event from cloud.audit_logs where operation IN ('cloudsql.instances.update', 'cloudsql.sslCerts.create', 'cloudsql.instances.create', 'cloudsql.instances.delete')
  B. event from cloud.audit_logs where operation IN ('storage.buckets.create', 'storage.setIamPermissions', 'storage.buckets.delete')
  C. event from cloud.audit_logs where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')
  D. event from cloud.audit_logs where operation IN ('v1.compute.networks.delete', 'beta.compute.networks.insert', 'v1.compute.routes.delete', 'v1.compute.firewalls.insert', 'v1.compute.firewalls.delete')
  D. event from cloud.audit_logs where operation IN ('v1.compute.networks.delete', 'beta.compute.networks.insert', 'v1.compute.routes.delete', 'v1.compute.firewalls.insert', 'v1.compute.firewalls.delete')

• Question 174:

  Which feature belongs to Application Security?

  A. Cloud detection and response (CDR)
  B. Secrets scanning
  C. Unified compliance management
  D. Identity security
  B. Secrets scanning

  ---

  Explanation

  The correct answer is B because the blueprint identifies secrets scanning as an Application Security capability. CDR is a Cloud Runtime Security concept, while unified compliance management and identity security are listed under Cloud Posture Security, so A, C, and D are incorrect.

• Question 175:

  The attempted bytes count displays?

  A. traffic that is either denied by the security group or firewall rules or traffic that was reset by a host or virtual machine that received the packet and responded with a RST packet.
  B. traffic that is either denied by the security group or firewall rules.
  C. traffic that is either denied by the firewall rules or traffic that was reset by a host or virtual machine that received the packet and responded with a RST packet.
  D. traffic denied by the security group or traffic that was reset by a host or virtual machine that received the packet and responded with a RST packet.
  A. traffic that is either denied by the security group or firewall rules or traffic that was reset by a host or virtual machine that received the packet and responded with a RST packet.

  ---

  Explanation

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/investigate-incidents-on-prisma-cloud/investigate-network-incidents-on-prisma-cloud

• Question 176:

  A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

  How should the administrator Configure Prisma Cloud Compute to satisfy this requirement?

  A. set the Container model to manual relearn and set the default runtime rule to block for process protection.
  B. set the Container model to relearn and set the default runtime rule to prevent for process protection.
  C. add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to prevent .
  D. choose copy into rule for the Container, add a ransomWare process into the denied process list, and set the action to block .
  C. add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to prevent .

  ---

  Explanation

  To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question.

  By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

• Question 177:

  Where can Defender debug logs be viewed? (Choose two.)

  A. /var/lib/twistlock/defender.log
  B. From the Console, Manage > Defenders > Manage > Defenders. Select the Defender from the deployed Defenders list, then click Actions > Logs
  C. From the Console, Manage > Defenders > Deploy > Defenders. Select the Defender from the deployed Defenders list, then click Actions > Logs
  D. /var/lib/twistlock/log/defender.log
  B. From the Console, Manage > Defenders > Manage > Defenders. Select the Defender from the deployed Defenders list, then click Actions > Logs
  D. /var/lib/twistlock/log/defender.log

  ---

  Explanation

  In Prisma Cloud, Defender debug logs are essential for troubleshooting and understanding the Defender's operational behavior. The logs can be accessed through two primary methods:

  A. The first method (B) involves using the Prisma Cloud Console's user interface. By navigating to Manage > Defenders > Manage > Defenders, administrators can select a deployed Defender from the list and access its logs by clicking Actions > Logs. This method provides a convenient way to view logs directly from the Console without the need to access the Defender host directly.

  D. The second method (D) involves accessing the logs directly from the file system of the host where the Defender is deployed. The correct path for the Defender logs is /var/lib/twistlock/log/defender.log. This method is useful for situations where direct access to the host is available, and it allows for more in-depth troubleshooting by examining the raw log files. Options A and C are incorrect because the paths and navigation steps provided do not accurately reflect the structure and functionality of Prisma Cloud's logging system.

• Question 178:

  Which statement is true about obtaining Console images for Prisma Cloud Compute Edition?

  A. 1. Access registry.paloaltonetworks.com, and authenticate using `docker login'.2. Retrieve the Prisma Cloud Console images using `docker pull'.
  B. 1. Access registry.twistlock.com, and authenticate using `docker login'.2. Retrieve the Prisma Cloud Console images using `docker pull'.
  C. 1. Access registry-url-auth.twistlock.com, and authenticate using the user certificate.2. Retrieve the Prisma Cloud Console images using `docker pull'.
  D. 1. Access registry-auth.twistlock.com, and authenticate using the user certificate.2. Retrieve the Prisma Cloud Console images using `docker pull'.
  A. 1. Access registry.paloaltonetworks.com, and authenticate using `docker login'.2. Retrieve the Prisma Cloud Console images using `docker pull'.

  ---

  Explanation

  Prisma Cloud Compute Edition Console images are retrieved from registry.paloaltonetworks.com using basic authentication with docker login, followed by pulling the images with docker pull.

• Question 179:

  During an initial deployment of Prisma Cloud Compute, the customer sees vulnerabilities in their environment.

  Which statement correctly describes the default vulnerability policy?

  A. It blocks all containers that contain a vulnerability.
  B. It alerts on any container with more than three critical vulnerabilities.
  C. It blocks containers after 30 days if they contain a critical vulnerability.
  D. It alerts on all vulnerabilities, regardless of severity.
  D. It alerts on all vulnerabilities, regardless of severity.

  ---

  Explanation

  By default, Prisma Cloud's vulnerability policy is configured to alert on all detected vulnerabilities across containers and images, without filtering based on the severity of the vulnerabilities. This default setting ensures that administrators are made aware of all potential security issues, providing them with comprehensive visibility into the security posture of their environment. Administrators can then assess and prioritize these vulnerabilities based on their context, severity, and impact on the organization's assets.

• Question 180:

  The administrator wants to review the Console audit logs from within the Console.

  Which page in the Console should the administrator use to review this data, if it can be reviewed at all?

  A. Navigate to Monitor > Events > Host Log Inspection
  B. The audit logs can be viewed only externally to the Console
  C. Navigate to Manage > Defenders > View Logs
  D. Navigate to Manage > View Logs > History
  D. Navigate to Manage > View Logs > History

  ---

  Explanation

  References:

  https://docs.twistlock.com/docs/compute_edition/howto/review_debug_logs.html