Palo Alto Networks Network Security Architect Sample Questions:

1. Which factor must be taken into consideration when determining whether an NGFW edge architecture or a SASE architecture is appropriate to recommend to a customer planning to implement a Zero Trust Network Access (ZTNA) solution?

A) ZTNA can be implemented regardless of the whether an NGFW or SASE solution is selected
B) ZTNA is a component of SASE and can only be implemented with Prisma Access
C) ZTNA requires User-ID and Group-ID information that is not available in Prisma SD-WAN
D) ZTNA revolves around an agent on the endpoint and does not influence the overall NGFW or SASE architecture

2. An architect is reviewing a use case with the following requirements:
- Visibility on the health of an end user's path for the five most
critical applications
- Metrics on the impact of endpoint health for application
- Centralized call quality analytics from Zoom video conferencing
solution
- Insights into the supporting protocols, such as DNS
- Support 600 users on Windows desktops in a single sales office
Which solution should be recommended to meet these requirements?

A) GlobalProtect with a Prisma Access portal configured and ADEM enabled
B) Prisma SD-WAN using the native application dashboard and link quality monitoring
C) Remote networks with ADEM enabled and an ION device
D) Prisma Browser or the Prisma Browser extension with RUM metrics

3. A multinational organization has a large worldwide remote user base. This user base consists of several persona types with distinct requirements and concerns regarding the adoption of a Zero Trust Network Access (ZTNA) solution.
- Developers have a requirement to temporarily bypass security controls for business purposes, but the security team sees this as a potential risk. The developers commonly access development servers onsite in private data centers and public cloud. These development applications use web (HTTP/HTTPS), API, RPC, and SMB-based applications.
- Sales staff travel regularly and connect to the network via many different types of connections, but they are generally limited to SaaS-based web applications. They often complain about performance when any agent is installed and want the ability to temporarily disable these agents.
Data exfiltration and insider risk have been identified as the primary threats for this class of user.
- Executives have concerns about being high-value targets. Security must be consistent across the multiple endpoint types, including mobile and desktop devices. The executive team members have indicated that their primary objective is to ensure that the solution is responsive and easy to troubleshoot.
Which two parameters should the architect take into account regarding GlobalProtect gateway selection? (Choose two.)

A) Gateway geo IP mapping
B) Proximity to users
C) Proximity to destination resources
D) Gateway priority

4. A company experiences lateral movement attacks within the internal network. Which feature helps mitigate this risk?

A) NAT rules
B) QoS policies
C) Static routes
D) Internal segmentation with NGFW

5. A global manufacturing organization with 50,000 employees spanning 35 countries designs advanced industrial equipment and owns significant intellectual property. The organization operates in a highly competitive market where protecting trade secrets is critical to maintaining market advantage.
Over the past 18 months, the CISO discovered that employees across the organization have adopted hundreds of GenAI applications to improve productivity. Engineers use AI coding assistants to accelerate product development sales teams use AI tools to generate proposals, and customer service representatives use chatbots to draft responses. While this adoption has driven innovation, it has also created significant security risks.
A security audit reveals sensitive CAD files uploaded to image-generation services, proprietary source code shared with public coding assistants, and confidential customer information used in prompts. The audit identifies over 300 different GenAI applications in use, most of which had not been formally reviewed or approved.
The customer service department has also been developing internal AI applications, including a customer service copilot built on a cloud large language model (LLM) platform, an internal knowledge management assistant, and a code review tool. These internal applications access sensitive databases, customer records and internal APIs - creating additional security concerns about exploitation or misuse.
The organization has a distributed workforce in which 60% of employees work remotely or in hybrid arrangements, accessing corporate resources and AI applications from various locations using managed and unmanaged devices. Existing network security infrastructure lacks AI-specific security capabilities.
Organization leadership wants to enable AI-driven innovation while implementing comprehensive security controls. The CISO has been tasked with developing an organization-wide GenAI governance program that protects sensitive assets without hindering productivity. The program must address both external AI applications employees are using and internal AI applications being developed by IT.
In which two ways would Prisma AIRS secure AI agents deployed across multiple cloud platforms in this scenario? (Choose two.)

A) By requiring separate product installations for each cloud platform with AWS-specific agents for Bedrock and GCP-specific agents for Vertex AI that cannot share policies.
B) By offering Network Intercept for infrastructure-level protection across any cloud platform and API Intercept for application-level security embedded directly in agent code.
C) By supporting API Intercept for Multicloud deployments since Network Intercept cannot be deployed in the network architectures of different cloud providers.
D) By providing Network Intercept inline in multicloud network architectures to monitor AI agent traffic, and API Intercept as Security as Code (SaC) to scan prompts and responses before they reach models.

Solutions: