Palo Alto Networks Security Operations Generalist certification (SecOps-Generalist) exam questions:
1. A large healthcare organization is implementing Palo Alto Networks firewalls for perimeter security. Due to strict regulatory and privacy requirements (like HIPAA in the US, GDPR in Europe), they need to ensure that sensitive patient data transmitted via encrypted channels to approved healthcare providers or cloud services is NOT subjected to SSL Forward Proxy decryption, even though general web browsing is decrypted and inspected. What is the appropriate Decryption Policy action and placement for traffic involving this sensitive data?
A) Remove HTTPS from the allowed services in the Security Policy rules for sensitive traffic destinations.
B) Create a 'No Decrypt' rule in the Decryption Policy matching the sensitive traffic criteria (e.g., source users/groups, destination URL category for healthcare providers) and place this rule above any 'Decrypt' rules that would otherwise match the traffic.
C) Configure an SSL Inbound Inspection rule for the sensitive traffic, requiring the server's private key.
D) Configure an SSL Forward Proxy rule with the 'Decrypt' action for the sensitive traffic, but apply a specific Decryption Profile that is configured to bypass inspection.
E) Apply a URL Filtering profile configured to 'allow' the sensitive destinations within the Security Policy.
2. A security analyst is investigating potential policy violations involving unsanctioned SaaS application usage and attempted sensitive data uploads. They are using Prisma Access with Enterprise DLP and SaaS Security features, logging to Cortex Data Lake. The analyst needs to find instances where users attempted to access blocked social media sites, used unsanctioned file sharing apps, AND attempted to upload data containing PII. Which combination of log types and filtering criteria in Cortex Data Lake or the Cloud Management Console would help identify users involved in this set of activities? (Select all that apply)
A) File logs filtered by 'Direction: upload' and correlated with Traffic logs and Data Filtering logs for sessions involving sensitive data uploads.
B) Traffic logs filtered by 'Action: deny' and by App-IDs for unsanctioned social media or file sharing services (e.g., 'twitter-base', 'dropbox-base').
C) Threat logs filtered by Threat Category 'phishing' or 'command-and-control'.
D) URL Filtering logs filtered by 'Action: block' and URL categories like 'Social-Networking' or 'File Sharing and Storage'.
E) Data Filtering logs filtered by 'Action: block' or 'alert' for PII patterns, correlated with session information from Traffic logs to identify the user and application.
3. When onboarding IoT devices for visibility and security using Palo Alto Networks platforms with the IoT Security subscription, which of the following is the primary method the NGFW or Prisma Access uses to gain visibility into the IoT traffic and identify the devices communicating on the network?
A) Analyzing network traffic flows passing through the firewall to identify device types based on communication patterns, protocols, and metadata.
B) Integrating with endpoint detection and response (EDR) agents deployed on IoT devices.
C) Performing active scans of network subnets to discover and profile IoT devices.
D) Installing an agent on each IoT device to report its characteristics and communication patterns.
E) Relying on SNMP traps from network switches to identify device connections.
4. An administrator is investigating a security incident involving an internal host that accessed a suspicious external IP address. They need to review logs from the Palo Alto Networks firewall that show allowed and denied connections, including source/destination IPs, zones, applications, and policy actions. Which log type should they focus on for this investigation?
A) Traffic logs
B) User-ID logs
C) System logs
D) Configuration logs
E) HIP Match logs
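The following is an added example for questions 2 and 4 above; it is not exam material or Palo Alto Networks code. It joins Traffic, URL Filtering and Data Filtering logs on the session ID that PAN-OS writes into every log type, then applies the three filters from question 2 (blocked social-networking URL, denied unsanctioned file-sharing App-ID, PII upload) and the host-to-IP Traffic log search from question 4. The log lines are constructed, the reduced column set and the lists of "unsanctioned" App-IDs and "blocked" URL categories are assumptions for illustration (real PAN-OS CSV exports carry many more columns).

```python
"""Correlate PAN-OS Traffic, URL Filtering and Data Filtering logs by session.

Added example for questions 2 and 4; not exam text or Palo Alto Networks code.
The sample logs are constructed with a reduced, self-chosen column set, so the
field names are an assumption. session_id is the join key across log types.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample logs (not real captures). Column order is ours, not PAN-OS's.
TRAFFIC_CSV = """\
session_id,src_ip,dst_ip,src_zone,dst_zone,src_user,app,action
1001,10.1.1.10,104.244.42.1,trust,untrust,alice,twitter-base,deny
1002,10.1.1.10,162.125.1.1,trust,untrust,alice,dropbox-base,deny
1003,10.1.1.10,162.125.1.1,trust,untrust,alice,dropbox-base,allow
1004,10.1.1.20,104.244.42.1,trust,untrust,bob,twitter-base,deny
1005,10.1.1.30,203.0.113.7,trust,untrust,carol,ssl,allow
1006,10.1.1.20,203.0.113.7,trust,untrust,bob,web-browsing,deny
"""

URL_CSV = """\
session_id,src_user,url,category,action
1001,alice,twitter.com/,social-networking,block-url
1004,bob,twitter.com/,social-networking,block-url
"""

DATA_CSV = """\
session_id,src_user,direction,data_pattern,action
1003,alice,upload,PII-SSN,block
1005,carol,upload,PII-SSN,alert
"""

# Assumed policy inputs: which App-IDs and URL categories count as violations.
UNSANCTIONED_FILE_SHARING = {"dropbox-base", "box-base", "wetransfer"}
BLOCKED_SOCIAL_CATEGORIES = {"social-networking"}


def parse(csv_text):
    """Parse one constructed CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(csv_text)))


def find_violators(traffic, url_logs, data_logs):
    """Return {user: {criterion: [session_ids]}} for users meeting ALL three criteria.

    social  - URL Filtering log, action block-url, blocked social category (option D)
    sharing - Traffic log, action deny, unsanctioned file-sharing App-ID (option B)
    pii     - Data Filtering log, upload direction, PII pattern, block/alert,
              joined to the Traffic log on session_id for the user (options A, E)
    """
    by_session = {r["session_id"]: r for r in traffic}
    hits = defaultdict(lambda: defaultdict(list))

    for r in url_logs:
        if r["action"] == "block-url" and r["category"] in BLOCKED_SOCIAL_CATEGORIES:
            hits[r["src_user"]]["social"].append(r["session_id"])

    for r in traffic:
        if r["action"] == "deny" and r["app"] in UNSANCTIONED_FILE_SHARING:
            hits[r["src_user"]]["sharing"].append(r["session_id"])

    for r in data_logs:
        if (r["direction"] == "upload" and r["data_pattern"].startswith("PII")
                and r["action"] in {"block", "alert"}):
            # Prefer the Traffic log's view of the session; fall back to the
            # Data Filtering row if the session never appeared in Traffic.
            sess = by_session.get(r["session_id"], r)
            hits[sess["src_user"]]["pii"].append(r["session_id"])

    return {u: dict(c) for u, c in hits.items()
            if {"social", "sharing", "pii"} <= set(c)}


def host_sessions(traffic, src_ip, dst_ip):
    """Question 4: every Traffic log session between an internal host and a suspect IP."""
    return [r for r in traffic if r["src_ip"] == src_ip and r["dst_ip"] == dst_ip]


if __name__ == "__main__":
    t, u, d = parse(TRAFFIC_CSV), parse(URL_CSV), parse(DATA_CSV)
    print(find_violators(t, u, d))
    for s in host_sessions(t, "10.1.1.20", "203.0.113.7"):
        print(s["session_id"], s["src_zone"], "->", s["dst_zone"], s["app"], s["action"])
```

On the sample data only alice satisfies all three filters (sessions 1001, 1002 and 1003); bob only hit the social-networking block and carol only triggered a PII alert, which is why each log type on its own is insufficient and the session-level join is needed. The same join keys work against exported Cortex Data Lake CSVs once the column names are mapped to the real PAN-OS field names.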
5. In a Palo Alto Networks Strata NGFW or Prisma Access environment, traffic is processed through either the 'slow path' or the 'fast path'. Which of the following conditions or processing stages most accurately describes an action or requirement that forces the initial packet of a new session into the slow path?
A) The packet requires basic routing lookups and interface forwarding.
B) The packet is part of an established TCP session that has already been identified and allowed.
C) The packet is dropped due to a security policy deny rule after inspection.
D) The packet is being forwarded based on an existing hardware-accelerated session lookup.
E) The packet is the first packet of a flow and requires App-ID identification and security policy lookup to build a session.
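The following is an added example for questions 1 and 5 above; it is not exam text or Palo Alto Networks code. It models the two behaviours the questions rely on: top-down first-match evaluation of the Decryption rulebase, which is why the No Decrypt rule must sit above the broad Decrypt rule, and a session table keyed on the 6-tuple, so that only the first packet of a flow pays for the policy lookups (slow path) while later packets of an allowed session are served from the table (fast path). The rule fields, the match logic, the category and group names and the simplification that the URL category is already known at the first packet are all assumptions for illustration.

```python
"""Decryption rule order (question 1) and first-packet slow path versus
fast path (question 5), modelled in plain Python.

Added example; not exam text or Palo Alto Networks code. Rule fields, match
logic and the session key are simplified from PAN-OS behaviour (assumptions).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    src_zone: str
    user: str          # from User-ID
    url_category: str  # from URL Filtering; assumed known at first packet here


@dataclass
class Rule:
    """One rule in either the Security or the Decryption rulebase. None = any."""
    name: str
    action: str                      # security: allow/deny; decryption: decrypt/no-decrypt
    users: Optional[set] = None
    categories: Optional[set] = None
    dst_ports: Optional[set] = None

    def matches(self, f: Flow) -> bool:
        return ((self.users is None or f.user in self.users)
                and (self.categories is None or f.url_category in self.categories)
                and (self.dst_ports is None or f.dst_port in self.dst_ports))


def first_match(rules, flow) -> Optional[Rule]:
    """Both rulebases are evaluated top-down; the first matching rule wins."""
    for r in rules:
        if r.matches(flow):
            return r
    return None


# Question 1: the No Decrypt rule must sit above the broad Decrypt rule.
NO_DECRYPT_PHI = Rule("no-decrypt-phi", "no-decrypt",
                      users={"clinical-staff"}, categories={"health-and-medicine"})
DECRYPT_WEB = Rule("decrypt-web", "decrypt")      # matches everything

CORRECT_ORDER = [NO_DECRYPT_PHI, DECRYPT_WEB]
WRONG_ORDER = [DECRYPT_WEB, NO_DECRYPT_PHI]       # PHI rule is shadowed, never reached

# Assumed Security rulebase: only web ports are allowed out, then implicit deny.
SECURITY_RULES = [Rule("allow-web", "allow", dst_ports={80, 443}),
                  Rule("deny-rest", "deny")]


class Firewall:
    """Question 5: the first packet takes the slow path (policy lookups, session
    creation); later packets of an allowed session are matched in the session table."""

    def __init__(self, decryption_rules, security_rules):
        self.decryption_rules = decryption_rules
        self.security_rules = security_rules
        self.sessions = {}        # session key -> cached decision
        self.slow_path_count = 0

    @staticmethod
    def session_key(f: Flow):
        # 6-tuple: src/dst IP, src/dst port, protocol and ingress zone.
        return (f.src_ip, f.dst_ip, f.src_port, f.dst_port, f.proto, f.src_zone)

    def process(self, f: Flow):
        key = self.session_key(f)
        if key in self.sessions:
            return "fast", self.sessions[key]
        self.slow_path_count += 1                      # policy lookups happen here
        sec = first_match(self.security_rules, f)
        dec = first_match(self.decryption_rules, f)
        decision = {
            "security": sec.action if sec else "deny",          # implicit deny
            "decryption": dec.action if dec else "no-decrypt",  # no rule = not decrypted
        }
        if decision["security"] == "allow":
            self.sessions[key] = decision   # simplification: only allowed sessions are installed
        return "slow", decision


if __name__ == "__main__":
    phi = Flow("10.2.0.5", "198.51.100.10", 51000, 443, "tcp", "trust",
               "clinical-staff", "health-and-medicine")
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "->", first_match(rules, phi).name)
    fw = Firewall(CORRECT_ORDER, SECURITY_RULES)
    print(fw.process(phi)[0], fw.process(phi)[0], "slow-path lookups:", fw.slow_path_count)
```

With the rules in the wrong order the PHI flow matches decrypt-web first and is decrypted, exactly the outcome the healthcare requirement forbids; with the No Decrypt rule on top it is left intact while other HTTPS browsing by the same user still matches decrypt-web. The session table shows the second packet of the same 6-tuple skipping both rulebase walks.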
Questions and answers:

| Question | Correct answer |
| --- | --- |
| 1 | B |
| 2 | A, B, D, E |
| 3 | A |
| 4 | A |
| 5 | E |
Quality assurance: JPexam follows the IT certification exam syllabus, narrows the question set precisely to the scope of the exam, and offers the latest question bank with a 99% hit rate.
One year of free updates: JPexam provides free updates to the question bank for one year, so customers always have the latest version. If the exam content changes, we will notify customers immediately, and whenever our question bank is updated we will promptly send the latest version by e-mail.
Full refund: JPexam guarantees that you can pass the exam with the question bank even after a short study period. If you fail the exam, we will refund the full amount.
Try before you buy: JPexam provides free samples of the question bank. You can try the samples before purchasing to check the quality of the product; please feel free to use them.
