Palo Alto Networks PAN-NSG Online Practice Questions and Exam Preparation

Palo Alto Networks PAN-NSG Online Questions & Answers

• Question 1:

  In conjunction with Advanced URL Filtering, which feature can be enabled after usemame-to-IP mapping is set up?

  A. Host information profile (HIP)
  B. Credential phishing prevention
  C. Client probing
  D. Indexed data matching
  B. Credential phishing prevention

  ---

  explanation:

  WhenAdvanced URL Filteringis enabled,Credential Phishing Preventioncan be activated toprotect against phishing attacksby blocking unauthorized credential submissions.

  Uses Username-to-IP Mapping - Identifies usersbased on their IP and login credentials.

  Prevents Credential The ft - Blocks users from submitting corporate credentials tountrusted or malicious websites.

  Works Alongside Advanced URL Filtering - Detects and categorizesphishing domains in real-time, stopping credential leaks.

  Can Enforce Action-Based Policies - Configures policies toalert, block, or validate credential submissions.

  A. Host Information Profile (HIP)#

  Incorrect, becauseHIP checks device healthbut does notprevent credential phishing.

  C. Client Probing#

  Incorrect, becauseClient Probing is used for User-ID mapping, notphishing prevention.

  D. Indexed Data Matching#

  Incorrect, becauseIndexed Data Matching is used for DLP (Data Loss Prevention), not for credential protection.

  Firewall Deployment - Protectsuser credentials from phishing attacks.

  Security Policies - Ensuresusers do not submit credentials to malicious sites.

  VPN Configurations - Protectsremote users connecting via GlobalProtectfrom credential theft.

  Threat Prevention - Works withThreat Intelligenceto detect new phishing sites.

  WildFire Integration - Scansunknown websites for phishing behaviors.

  Panorama - Centralized enforcement ofCredential Phishing Prevention policies.

  Zero Trust Architectures - Ensuresonly legitimate authentication events occur within trusted environments. How Credential Phishing Prevention Works:Why Other Options Are Incorrect?References to Firewall Deployment and Security Features:Thus, the correct answer is:#B. Credential phishing prevention

• Question 2:

  At a minimum, which action must be taken to ensure traffic coming from outside an organization to the DMZ can access the DMZ zone for a company using private IP address space?

  A. Configure static NAT for all incoming traffic.
  B. Create NAT policies on post-NAT addresses for all traffic destined for DMZ.
  C. Configure NAT policies on the pre-NAT addresses and post-NAT zone.
  D. Create policies only for pre-NAT addresses and any destination zone.
  C. Configure NAT policies on the pre-NAT addresses and post-NAT zone.

  ---

  explanation:

  When setting upNAT for inbound traffic to a DMZusingprivate IP addressing, the correct approach is to configure NAT policies on: Pre-NAT addresses - Refers to thepublic IP addressthat external users access. Post-NAT zone - Refers to theinternal (DMZ) zonewhere the private IP resides. This ensures thatinbound requests are translated correctlyfrom public to private addresses and that firewall policies can enforce access control.

  NAT Rules Must Use Pre-NAT Addresses

  The firewallprocesses NAT rules first, meaningfirewall security policies reference pre-NAT IPs.

  This ensures incoming traffic is properly matched before translation.

  Post-NAT Zone Ensures Correct Forwarding

  The destination zone must match the actual (post-NAT) zoneto allow correct security policy enforcement.

  (A)

  Configure Static NAT for All Incoming Traffic-

  Static NAT alone does not ensure correct security policy enforcement.

  Pre-NAT and post-NAT rules are still required for proper traffic flow.

  (B)

  Create NAT Policies on Post-NAT Addresses for All Traffic Destined for DMZ-

  Incorrect, as NAT policies arealways based on pre-NAT addresses.

  (D)

  Create Policies Only for Pre-NAT Addresses and Any Destination Zone-

  Firewall rules must match the correct post-NAT zoneto ensure proper traffic handling.

  Firewall Deployment - Ensures correct NAT configuration for public-to-private access.

  Security Policies - Policies must match pre-NAT IPs and post-NAT zones for proper enforcement.

  Why is Pre-NAT Address and Post-NAT Zone the Correct Choice?Other Answer Choices AnalysisReferences and Justification:Thus,Configuring NAT policies on Pre-NAT addresses and Post-NAT zone (C) is the correct answer, as it ensures proper NAT and security policy enforcement.

• Question 3:

  Which type of traffic can a firewall use for proper classification and visibility of internet of things (loT) devices?

  A. DHCP
  B. RTP
  C. RADIUS
  D. SSH
  A. DHCP

  ---

  explanation:

  To properly classify and gain visibility intoInternet of Things (IoT) devices, a firewall can analyzeDHCP traffic, asIoT devices frequently use DHCP for network connectivity.

  IoT Devices Often Use DHCP for IP Assignment-Most IoT devices (smart cameras, sensors, medical devices, industrial controllers)dynamically obtain IP addressesviaDHCP.

  Firewalls caninspect DHCP requests to identify device typesbased onDHCP Option 55 (Parameter Request List)andOption 60 (Vendor Class Identifier).

  Enhances IoT Security with Granular Policies-Palo Alto NetworksIoT Securityuses DHCP data toassign risk scores, enforce access control policies, and detect anomalies.

  Does Not Require Deep Packet Inspection-UnlikeRTP, RADIUS, or SSH, which focus onspecific protocols for media streaming, authentication, and encryption,DHCP data is lightweight and easily analyzed.

  B. RTP (Real-Time Transport Protocol)#

  Incorrect, becauseRTP is used for media streaming (VoIP, video conferencing), notdevice classification.

  C. RADIUS (Remote Authentication Dial-In User Service)#

  Incorrect, becauseRADIUS is an authentication protocol, nota traffic type used for IoT device classification.

  D. SSH (Secure Shell)#

  Incorrect, becauseSSH is an encrypted protocolused forremote device access, notidentifying IoT devices. Firewall Deployment - Firewallsuse DHCP fingerprinting for IoT visibility. Security Policies - DHCP data enablesdynamic security policy enforcement for IoT devices. VPN Configurations - EnsuresIoT devices using VPN connections are correctly classified. Threat Prevention - Detectsmalicious IoT devices based on DHCP metadata. WildFire Integration - PreventsIoT devices from being used in botnet

  attacks.

• Question 4:

  Which Panorama centralized management feature allows native and third-party integrations to monitor VM-Series NGFW logs and objects?

  A. Plugin
  B. Template
  C. Device Group
  D. Log Forwarding profile
  A. Plugin

  ---

  explanation:

  InPanorama centralized management,Pluginsenablenative and third-party integrationsto monitorVM-Series NGFW logs and objects.

  Native Integrations - Panorama plugins providebuilt-in support for cloud environmentslikeAWS, Azure, GCP, as well asVM-Series firewalls.

  Third-Party Integrations - Plugins allow Panorama tosend logs and security telemetryto third-party systems likeSIEMs, SOARs, and IT automation tools.

  Log Monitoring and Object Management - Plugins helpexport logs, monitor firewall events, and manage dynamic firewall configurationsin cloud deployments.

  Automation and API Support - Pluginsextend Panorama's capabilitiesby integrating with external systems via APIs.

  B. Template#

  Incorrect, becauseTemplates are used for configuring firewall settingslike network interfaces, not forlog monitoring or third-party integrations.

  C. Device Group#

  Incorrect, becauseDevice Groups manage firewall policies and objects, but donot handle log forwarding or third-party integrations.

  D. Log Forwarding Profile#

  Incorrect, becauseLog Forwarding Profiles define how logs are sent, butdo not provide integration capabilities with third-party tools.

  Firewall Deployment-Panoramauses pluginsto integrate VM-Series NGFWs with cloud platforms. Security Policies - Plugins supportpolicy-based log forwarding and integrationwith external security tools.

  VPN Configurations - Cloud-based VPNs can bemanaged and monitored using plugins.

  Threat Prevention - Plugins enableSIEM integrationto monitor threat logs.

  WildFire Integration - Some plugins supportautomated malware analysis and reporting.

  Zero Trust Architectures - Supportslog-based security analyticsfor Zero Trust enforcement.

  How Plugins Enable Integrations in PanoramaWhy Other Options Are Incorrect?References to Firewall Deployment and Security Features:Thus, the correct answer is:#A. Plugin

• Question 5:

  Which action must a firewall administrator take to incorporate custom vulnerability signatures into current Security policies?

  A. Create custom objects.
  B. Download WildFire updates.
  C. Download threat updates.
  D. Create custom policies.
  A. Create custom objects.

  ---

  explanation:

  To incorporate custom vulnerability signatures into current Security policies, administrators must create custom objects. The se objects define the specific signature patterns for vulnerabilities, and they can then be applied to security profiles or policies.

  Custom Objects: Allow administrators to define and configure unique vulnerability signatures tailored to the organization's specific needs.

  Integration into Security Policies: Once created, these custom objects can be referenced in Security policies to detect and mitigate the specified vulnerabilities effectively.

  This approach ensures that custom threats not covered by default threat signatures are adequately addressed, enhancing the firewall's threat prevention capabilities.

  References:

  Custom Vulnerability Signatures in Palo Alto Networks

  Threat Prevention Customization

• Question 6:

  Which firewall attribute can an engineer use to simplify rule creation and automatically adapt to changes in server roles or security posture based on log events?

  A. Dynamic Address Groups
  B. Dynamic User Groups
  C. Predefined IP addresses
  D. Address objects
  A. Dynamic Address Groups

  ---

  explanation:

  ADynamic Address Group (DAG)is a firewall feature thatautomatically updates firewall rules based on changing attributes of devices, servers, or endpoints. This allows engineers tosimplify rule creationand ensure policies remainup-to-date without manual intervention. Automatically Adapts to Changes DAGs uselog events, tags, and attributesto dynamically update firewall rules. If aserver role changes(e.g., a web server becomes an application server), it isautomatically placed in the correct security rulewithout requiring manual updates. Simplifies Rule Creation

  Instead of manually definingstatic IP addresses, engineers uselogical groupingsbased on metadata, such asVM tags, cloud attributes, or user roles. Ensurespolicies remain accurateeven whenIP addresses or security postures change.

  (B)

  Dynamic User Groups - Controls policies based onuser identity, notserver roles or log-based attributes.

  (C)

  Predefined IP Addresses-Static and does not adaptto infrastructure changes.

  (D)

  Address Objects - Manually defined and does not dynamically adjust based on log events or security posture. Firewall Deployment - DAGs help dynamically assign security policies based on real-time data.

  Security Policies - Automatically applies correct rules based on changing attributes.

  Threat Prevention and WildFire - Ensures that compromised systems are automatically placed under restrictive security policies.

  Panorama - DAGs are managed centrally, ensuringuniform policy enforcementacross multiple firewalls. Zero Trust Architectures-Dynamic adaptation ensures least-privilege access enforcementas environments change. Why Dynamic Address Groups?Other Answer Choices AnalysisReferences and Justification:Thus,Dynamic Address Groups (A) is the correct answer, as it simplifies rule creation and ensures automatic adaptation to changes in server roles or security posture.

• Question 7:

  What are two ways to create an App-ID for unknown applications? (Choose two.)

  A. Provide a packet capture to Palo Alto Networks and request an App-ID.
  B. Create a custom application by using signatures.
  C. Create a security profile that maps the signature to the unknown application.
  D. Use WildFire API to map signatures to the unknown application.
  A. Provide a packet capture to Palo Alto Networks and request an App-ID.
  B. Create a custom application by using signatures.

  ---

  explanation:

  Providing a Packet Capture to Palo Alto Networks: You can collect traffic data of the unknown application and send it to Palo Alto Networks for App-ID development. The team analyzes the packet capture and creates an official App-ID that can be used by all customers.

  Creating a Custom Application Using Signatures: Administrators can define a custom application by developing specific traffic signatures. This approach allows immediate recognition and control of the unknown application without waiting for an official App-ID from Palo Alto Networks.

  The se methods ensure that unknown or proprietary applications can be identified, monitored, and controlled within the network using App-ID technology.

  References:

  Palo Alto Networks App-ID Customization

  Custom Applications and Signatures

• Question 8:

  What should be reviewed when log forwarding from an NGFW to Strata Logging Service becomes disconnected?

  A. Device certificates
  B. Decryption profile
  C. Auth codes
  D. Software warranty
  A. Device certificates

  ---

  explanation:

  When log forwarding from aPalo Alto Networks NGFWto theStrata Logging Service (formerly Cortex Data Lake)becomes disconnected, the primary aspect to review isdevice certificates. This is because the firewall usescertificatesfor mutual authentication with the logging service. If these certificates are missing, expired, or invalid, the firewall will fail to establish a secure connection, preventing log forwarding. Authentication Requirement - The NGFW uses a Palo Alto Networks-issued device certificate for authentication before it can send logs to the Strata Logging Service. Expiration Issues - If the certificate has expired, the NGFW will be unable to authenticate, causing a disconnection. Misconfiguration or Revocation - If the certificate is not properly installed, revoked, or incorrectly assigned, the logging service will reject log forwarding attempts. Cloud Trust Relationship - The firewall relies on secure cloud-based authentication, where certificates validate the NGFW's identity before log ingestion. Check Certificate Status Navigate toDevice > Certificatesin the NGFW web interface. Verify the presence of a validPalo Alto Networks device certificate. Look for expiration dates and renew if necessary. Reinstall Certificates If the certificate is missing or invalid, reinstall it by retrieving the correct device certificate from thePalo Alto Networks Customer Support Portal (CSP). Ensure Correct Certificate Chain Verify that the correct root CA certificate is installed and trusted by the firewall. Confirm Connectivity to Strata Logging Service Ensure that outbound connections to the logging service are not blocked due to misconfigured security policies, firewalls, or proxies.

  (B)

  Decryption Profile - SSL/TLS decryption settings affect traffic inspection but have no impact on log forwarding.

  (C)

  Auth Codes - Authentication codes are used during theinitial device registrationwith Strata Logging Service but do not impact ongoing log forwarding.

  (D)

  Software Warranty - The firewall'swarrantydoes not influence log forwarding; however, anactive

  support licenseis required for continuous access to Strata Logging Service.

  Firewall Deployment - Certificates are fundamental to secure NGFW cloud communication.

  Security Policies - Proper authentication ensures logs are securely transmitted.

  Threat Prevention and WildFire - Logging failures could impact threat visibility and WildFire analysis.

  Panorama - Uses the same authentication mechanisms for centralized logging.

  Zero Trust Architectures - Requires strict identity verification, including valid certificates. Key Reasons Why Device Certificates Are CriticalHow to Verify and Fix Certificate IssuesOther Answer Choices AnalysisReferences and Justification:Thus,Device Certificates (A)is the correct answer, as log forwarding depends on a valid, authenticated certificate to establish connectivity with Strata Logging Service.

• Question 9:

  Which feature is available in both Panorama and Strata Cloud Manager (SCM)?

  A. Template stacks
  B. Configuration snippets
  C. Policy Optimizer
  D. Plug-ins
  C. Policy Optimizer

  ---

  explanation:

  Both Panorama and Strata Cloud Manager (SCM) offer the Policy Optimizer feature, which assists administrators in refining and enhancing security policies. Policy Optimizer identifies overly permissive or unused security rules and provides recommendations to convert them into more specific, application-based rules, thereby strengthening the organization's security posture.

  In Panorama, Policy Optimizer analyzes traffic logs to detect security rules that are too broad or unused. It then suggests modifications to these rules, enabling administrators to implement more precise policies that align with actual network traffic patterns.

  Similarly, Strata Cloud Manager incorporates Policy Optimizer to help organizations clean up and streamline their security policies. It offers insights into rule usage and provides actionable recommendations to replace broad rules with more specific ones, ensuring that security policies are both effective and efficient.

• Question 10:

  How are content updates downloaded and installed for Cloud NGFWs?

  A. Through the management console
  B. Through Panorama
  C. Automatically
  D. From the Customer Support Portal
  C. Automatically

  ---

  explanation:

  Cloud NGFWs receive content updates automaticallyas part ofcloud-native security services. The se updates include:

  Threat prevention updates(IPS, malware signatures).

  App-ID updatesto maintain accurate application identification.

  WildFire updatesfor new malware detection.

  A. Through the management console#

  The management console provides visibility and controls, butupdates are not manually downloaded from here-they are pushed automatically.

  B. Through Panorama#

  Panorama canmanage policies and configurations, butCloud NGFW updates are delivered automatically by Palo Alto Networks.

  D. From the Customer Support Portal#

  Customer Support Portal provides manual update downloads for on-prem firewalls, butCloud NGFW updates are handled automatically.

  Firewall Deployment - Cloud NGFW receivesautomatic threat and application updates.

  Security Policies - Ensures updatesare always in sync with the latest threat intelligence.

  VPN Configurations - EnsuresVPN security mechanisms stay updated.

  Threat Prevention - Maintainscontinuous security enforcementwithout requiring manual updates.

  WildFire Integration - Cloud NGFWs automaticallyreceive new malware signaturesfrom WildFire.

  Zero Trust Architectures - Ensurescontinuous enforcement of Zero Trust policieswith up-to-date security intelligence. Why Other Options Are Incorrect?References to Firewall Deployment and Security Features:Thus, the correct answer is:#C. Automatically