Palo Alto Networks Network Security Architect 認定 NetSec-Architect 試験問題:

1. A firewall must block known vulnerabilities and exploits in real time. Which security profile is MOST relevant?

A) Vulnerability Protection
B) WildFire
C) URL Filtering
D) DNS Security

2. An architect is designing a security solution for a large AWS environment with numerous application virtual private clouds (VPCs). These applications have diverse and sometimes conflicting inbound security requirements, making a single, unified ruleset challenging to create and maintain. The solution must secure inbound traffic for different application groups while also centrally securing all outbound and east-west traffic via an AWS Transit Gateway. Which design model recommendation will simplify rule complexity for inbound traffic while meeting all security requirements?

A) Isolated model deploying a separate non-connected security VPC for each application VPC
B) Transit Gateway model focused on establishing connectivity by creating a full mesh of direct peering connections between all application VPCs
C) Combined model using dedicated inbound NGFWs for logical application groups and a central NGFW for east-west and outbound traffic
D) Centralized model to consolidating all security functions by directing all inbound, outbound, and east-west traffic through a single, shared security VPC

3. A multinational organization has a large worldwide remote user base. This user base consists of several persona types with distinct requirements and concerns regarding the adoption of a Zero Trust Network Access (ZTNA) solution.
- Developers have a requirement to temporarily bypass security controls for business purposes, but the security team sees this as a potential risk. The developers commonly access development servers onsite in private data centers and public cloud. These development applications use web (HTTP/HTTPS), API, RPC, and SMB-based applications.
- Sales staff travel regularly and connect to the network via many different types of connections, but they are generally limited to SaaS-based web applications. They often complain about performance when any agent is installed and want the ability to temporarily disable these agents.
Data exfiltration and insider risk have been identified as the primary threats for this class of user.
- Executives have concerns about being high-value targets. Security must be consistent across the multiple endpoint types, including mobile and desktop devices. The executive team members have indicated that their primary objective is to ensure that the solution is responsive and easy to troubleshoot.
Which statement applies in the context of securing the developers' applications?

A) GlobalProtect mobile users and explicit proxy users share the same configuration scope for policy configuration
B) ZTNA Connector requires DNS for all applications it publishes and does not permit direct IP address-based access
C) Mobile users, remote networks, and explicit proxy all provide the same Cloud-Delivered Security Services (CDSS) capabilities.
D) Explicit proxy on ramps can only provide security for HTTP, HTTPS, and proxy-aware applications

4. A multinational organization has a large worldwide remote user base. This user base consists of several persona types with distinct requirements and concerns regarding the adoption of a Zero Trust Network Access (ZTNA) solution.
- Developers have a requirement to temporarily bypass security controls for business purposes, but the security team sees this as a potential risk. The developers commonly access development servers onsite in private data centers and public cloud. These development applications use web (HTTP/HTTPS), API, RPC, and SMB-based applications.
- Sales staff travel regularly and connect to the network via many different types of connections, but they are generally limited to SaaS-based web applications. They often complain about performance when any agent is installed and want the ability to temporarily disable these agents.
Data exfiltration and insider risk have been identified as the primary threats for this class of user.
- Executives have concerns about being high-value targets. Security must be consistent across the multiple endpoint types, including mobile and desktop devices. The executive team members have indicated that their primary objective is to ensure that the solution is responsive and easy to troubleshoot.
Which two parameters should the architect take into account regarding GlobalProtect gateway selection? (Choose two.)

A) Gateway geo IP mapping
B) Proximity to users
C) Gateway priority
D) Proximity to destination resources

5. The network security architect leading a Zero Trust migration has successfully completed identifying and classifying all mission-critical Data, Applications, Assets, and Services (DAAS).
The architect must now gather the necessary data to inform the technical design of the micro- perimeters and the placement of the VM-Series virtual firewalls in Azure. According to the Palo Alto Networks Zero Trust implementation methodology, what is the mandatory next step to gather the necessary data for designing the segmentation and the placement of security controls?

A) Monitor and maintain the network by inspecting and logging all traffic flows
B) Create the Zero Trust policy using the Kipling Method
C) Identify the five essential components to be validated
D) Map the transaction flows to and from the protect surface

質問と回答：