View NetSec-Pro Exam Questions

Q: 11

What is a necessary step for creation of a custom Prisma Access report on Strata Cloud Manager (SCM)?

Options

Discussion

Jack Mar 10, 2026 8:50 am

Option D again with the dashboards! Palo Alto loves making you build a dashboard first so your custom report has the right widgets. Seen this in practice questions before, so betting D is correct here, unless the UI changed.

Emma J. Mar 2, 2026 9:38 am

Option D makes sense to me. In SCM, reports are usually generated from dashboards you've already set up, since that's where you decide which data and widgets get included. Without configuring the dashboard first, you can't really customize what shows up in the report. Pretty sure that's how it works but open to any other ideas.

SeasonedAnalyst9146 Mar 3, 2026 4:50 am

Logan O. Mar 5, 2026 11:10 pm

C vs D. I thought generating a PDF summary (C) might be enough since you get a report, but on SCM you actually build out the dashboards to define data first, then schedule reports from there. Kinda confusing, anyone else thought C originally?

Priya T. Feb 28, 2026 11:16 pm

Yeah, D is the way to go for custom reports. You need to configure a dashboard first in SCM before anything else.

Kevin F. Mar 9, 2026 1:12 pm

Ugh, Palo Alto loves to bury this in their menus. Option C. I keep thinking generating a PDF summary is enough for custom reports since that's what most managers want, even if it's just exporting what's on the screen. Still think it's a reasonable first step, right? Let me know if I'm missing something obvious.

EmmaW Feb 18, 2026 6:22 pm

D tbh, because in SCM you have to configure the dashboard before you can generate any custom reports. C is tempting but that's just exporting, not setting it up. Seen this trip people up on other exams.

Ivy W. Mar 8, 2026 10:24 pm

D imo

Priya W. Feb 20, 2026 1:58 am

D vs C, but pretty sure D since configuring the dashboard comes before report creation. C looks like a trap.

CuriousAuditor656 Feb 25, 2026 11:42 am

Maybe D. Custom reports in SCM pull from dashboard widgets, so configuring the dashboard is kinda required first. Could see why some go for C but pretty sure that's for exporting not creating. If I'm off, correct me.

Be respectful. No spam.

Correct Answer:

Explanation

In Strata Cloud Manager (SCM), the creation of custom reports is fundamentally linked to the dashboard functionality. To generate a custom report for Prisma Access, an administrator must first create a custom dashboard. This dashboard is populated with the specific widgets that display the desired data (e.g., threats, traffic, user activity). Once the dashboard is configured to present the required information, it can then be used as a template to schedule the generation and distribution of a custom report. This process ensures that the report's content and layout precisely match the curated view established in the dashboard.

Why Incorrect

A. Open a support ticket: This is a reactive step for troubleshooting or requesting assistance, not a standard procedural requirement for creating a custom report within the SCM interface.

B. Set up Cloud Identity Engine: While Cloud Identity Engine provides valuable user context for reports, it is not a mandatory prerequisite for the creation of the report template itself, which can be based on other data like traffic or threats.

C. Generate a PDF summary report: This is an output action performed after a report has been configured. It is a result of the process, not a necessary step in its creation.

References

1. Palo Alto Networks. (2024). Manage Custom Reports. Strata Cloud Manager Administrator's Guide. Retrieved from Palo Alto Networks TechDocs.

Reference Details: In the "Monitor > Reports" section

the documentation explicitly states: "To create a custom report

you must first create a custom dashboard that contains the widgets you want to include in the report. After you create the custom dashboard

you can create a report based on it." This directly establishes that configuring a dashboard is a necessary prerequisite.

Q: 12

Which two components of a Security policy, when configured, allow third-party contractors access to internal applications outside business hours? (Choose two.)

Options

Discussion

Ravi N. Feb 25, 2026 10:35 pm

C and D imo, User-ID lets you specify the contractor group and Schedule covers the time restriction (outside business hours). That lines up with what the official Palo Alto study guides mention for controlling both who and when. Seen this in practice exams too, but let me know if I’m missing something.

Nina F. Mar 5, 2026 9:59 pm

Guessing C and D are correct, not B. B is a classic distractor but doesn't handle who or when access happens.

Olivia Mar 7, 2026 11:34 am

C and D. User-ID lets you specify the contractors, Schedule limits access to outside business hours. Makes sense based on policy usage.

Meera Z. Feb 28, 2026 12:11 pm

Does Service (B) ever help with time or user restriction, or is it always just protocol/port?

Drew M. Feb 28, 2026 12:00 am

C/D tbh, Service is tempting but that's only if the question said something about ports or protocols. User-ID and Schedule control user/time, so those are key. Seen similar in practice sets.

ArjunN Feb 23, 2026 5:29 pm

I don’t think it’s A. C and D make more sense since User-ID handles the contractor group and Schedule covers the "outside business hours" part. Not totally sure if Service would ever fit here, but looks like C/D is correct for this scenario.

Ethan Feb 28, 2026 6:04 pm

C/D? Service (B) is tempting but doesn’t control access by user or time, just port/protocol. User-ID (C) and Schedule (D) together lock it down to who and when, which matches the scenario. Seen similar on practice so pretty sure it’s these two.

ArjunI Feb 18, 2026 8:51 pm

Seriously Palo Alto wording always messes with me-why not A? App-ID feels like it fits since apps are in scope.

Olivia M. Mar 7, 2026 1:40 am

C/D? User-ID (C) lets the policy target just the third-party contractors, while Schedule (D) sets the after-hours part. I remember similar practice questions focused on these fields in the official study guide. Pretty sure these two are what you need for user/time-based restriction.

Emma A. Mar 7, 2026 9:51 pm

C D tbh. User-ID is for identifying those contractors by user, and Schedule limits it to after-hours-so both fit exactly what they're asking. No need for App-ID or Service here since it's about who and when, not what or how. Anyone see it differently?

Be respectful. No spam.

Correct Answer:

C, D

Explanation

To control access based on user identity and time, a Security policy rule must leverage the User-ID and Schedule components. The User-ID feature allows the firewall to identify specific users or groups, such as "third-party contractors," by integrating with directory services. This addresses the "who" part of the requirement. The Schedule object allows the administrator to define specific time windows, such as "outside business hours," during which the policy rule will be active. This addresses the "when" part of the requirement. Combining these two components in a single rule enforces the specified access control.

Why Incorrect

A. App-ID: This component identifies the application (the "what") being accessed, not the user initiating the connection or the time of the connection.

B. Service: This component defines the transport protocol and port number (the "how") for the traffic, not the user or the time of access.

References

1. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Security Policy Rule Components": This section details the building blocks of a Security policy rule. It explicitly lists "Source User" and "Schedule" as distinct components for controlling access.

Source User: "The user or group that is the source of the traffic. The firewall must be configured to map IP addresses to usernames for this setting to be effective." This directly corresponds to using User-ID to identify the contractors.

Schedule: "The schedule that specifies the days and times the rule is enforced. Select a predefined schedule or select None (the default) to have the rule enforced at all times." This directly corresponds to the Schedule component for time-based control.

2. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Objects > Schedules": This section describes the creation and application of Schedule objects. It states

"You can apply schedules to security policy rules to control when the rules are active." This confirms the function of the Schedule component for time-based enforcement.

3. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"User-ID": The overview of the User-ID feature explains its purpose: "The User-ID feature of Palo Alto Networks firewalls allows you to configure and enforce firewall policies based on users and groups of users rather than on IP addresses." This confirms User-ID is the correct component for identifying the "third-party contractors" group.

Q: 13

Which two types of logs must be forwarded to Strata Logging Service for IoT Security to function? (Choose two.)

Options

Discussion

Maya F. Feb 22, 2026 3:45 am

Enhanced app and threat logs, not URL filtering. Had something like this in a mock. B, C.

Leo Mar 9, 2026 1:09 pm

I don't think it's D, pretty sure B and C are right for IoT Security. URL Filtering is a common distractor here but not actually required for device baselining. Similar question came up in another set, same answer there. Agree?

CalmLead1058 Feb 28, 2026 2:08 am

B, C for sure. Enhanced application logs let IoT Security actually spot and classify the devices, while Threat logs catch anything suspicious or malicious. I think that's what the service needs, but open to pushback if anyone disagrees.

Adam Mar 1, 2026 1:46 pm

Pretty sure it's B and C. IoT Security needs enhanced application logs to identify device types, and threat logs for detecting attacks. WildFire and URL Filtering aren't required for the core profiling functions. Correct me if you see it differently.

Parker Q. Mar 2, 2026 1:38 pm

B and C tbh. Seen similar Qs in practice, IoT Security needs enhanced application and threat logs for proper profiling and threat detection. Pretty sure WildFire and URL filtering aren't required for baseline IoT monitoring.

Meera Mar 2, 2026 1:02 am

Are Enhanced application logs (B) always required, or could basic app logs work for initial IoT device profiling?

Ajay Mar 8, 2026 10:56 pm

I don’t think it’s D here. Enhanced application logs (B) and Threat logs (C) are what IoT Security uses for device discovery and behavior analysis, not URL Filtering. WildFire (A) is another trap since it’s more for malware sandboxing, not core IoT profiling. Pretty sure B and C are what the official docs mention, but chime in if you’ve seen otherwise!

Owen O. Feb 28, 2026 4:00 am

B and C get forwarded for IoT Security since you need device behavior (enhanced app logs) and threat detection. WildFire and URL Filtering aren't strictly needed here. Think that's right but open if anyone knows otherwise.

Rowan H. Mar 3, 2026 6:57 am

B/C, had something almost identical in a mock exam. Enhanced application and threat logs are core for IoT Security.

Maya G. Feb 27, 2026 3:56 am

A is wrong, B and C are the ones the IoT Security needs. Enhanced application logs give device behavior details, threat logs catch attacks. WildFire and URL filtering help elsewhere but aren’t mandatory here. Pretty sure that’s correct, but let me know if I missed anything.

Be respectful. No spam.

Correct Answer:

B, C

Explanation

Palo Alto Networks IoT Security relies on deep traffic analysis to discover, classify, and secure IoT devices. To achieve this, it requires two fundamental types of logs from the firewall. Enhanced Application Logs provide granular data on traffic, including application metadata, which is essential for device profiling and behavior baselining. Threat Logs are mandatory for detecting malicious activities, vulnerabilities, and threats targeting the IoT devices. These two log types provide the foundational data set upon which the IoT Security service builds its analysis and security posture recommendations.

Why Incorrect

A. WildFire: WildFire logs are specific to malware analysis verdicts. While valuable, they are not a foundational requirement for the core device profiling and behavior analysis functions of IoT Security.

D. URL Filtering: While URL Filtering logs are highly recommended to improve the accuracy of device identification and policy recommendations, they are not strictly mandatory for the basic functionality of the IoT Security service.

References

1. Palo Alto Networks IoT Security Administrator's Guide: In the "Set Up IoT Security" section

under "Prerequisites for IoT Security

" the documentation explicitly states the required log types. It specifies: "To enable IoT Security to analyze your network traffic and identify IoT devices

you must configure your firewalls to forward the following log types to Cortex Data Lake [now Strata Logging Service]: Threat and Enhanced Application Logs." It further clarifies that "Forwarding URL Filtering logs is highly recommended for better device identification and security policy recommendations."

Source: Palo Alto Networks. (2024). Get Started with IoT Security > Set Up IoT Security. IoT Security Administrator's Guide. Retrieved from the Palo Alto Networks Technical Documentation portal.

2. Palo Alto Networks PAN-OS® Administrator's Guide: This guide details the configuration of log forwarding and describes the contents of each log type

reinforcing the distinct and critical information provided by Threat and Enhanced Application logs for security analysis platforms like IoT Security.

Source: Palo Alto Networks. (2024). Monitor > Logs. PAN-OS® Administrator's Guide. Retrieved from the Palo Alto Networks Technical Documentation portal.

Q: 14

How does a firewall behave when SSL Inbound Inspection is enabled?

Options

Discussion

HelpfulAnalyst13 Feb 19, 2026 5:03 am

D . C looks tempting but that's outbound, here it's inbound so the firewall does MITM by having the server's private key. Can see why A or C could trip someone up on a quick read.

Ishaan J. Mar 4, 2026 1:33 pm

Option D

Riley C. Feb 20, 2026 11:37 am

Yeah, D is right for this. The firewall basically sits as MITM using the internal server's private key on inbound SSL, that's the whole point of inbound inspection. If it was asking about outbound inspection to external sites then C might be correct. Correct me if I missed something!

Aaron R. Mar 8, 2026 6:47 am

A or D? I thought A was right since it seems transparent but D is actually the MITM role for inbound. Can see why A trips folks.

Noah Mar 6, 2026 7:36 pm

Not C, D. Pretty sure the firewall has to do MITM to see inbound SSL traffic, right?

Luna S. Mar 4, 2026 3:52 pm

I don’t think it’s A. D is right, trap here is thinking transparent means inspection.

Daniel Mar 7, 2026 9:01 am

I thought A at first since the firewall just sits between client and server, kind of transparent. But now I'm thinking that's only if it's not actually doing decryption. SSL Inbound Inspection should make it act more like a MITM, but I could see why someone picks A if they focus on "transparently". Anyone else see it that way?

Sean Z. Feb 22, 2026 8:07 pm

Makes sense that it's D, the firewall has to decrypt using the server's private key so it's doing MITM. I think that's the whole inbound logic for Palo. Not 100 percent but can't see how A fits here.

Layla L. Mar 6, 2026 11:40 am

D imo. SSL Inbound Inspection makes the firewall act as a MITM because it needs the server's private key to actually decrypt traffic going to the internal server. If the cert/private key isn't available, then A would make more sense since it can't inspect anything. Pretty sure D is what exam reports expect though, anybody disagree?

Sam Feb 22, 2026 8:41 am

If the internal server uses a certificate that's not imported on the firewall, does option A fit better here?

Be respectful. No spam.

Q: 15

A network security engineer needs to implement segmentation but is under strict compliance requirements to place security enforcement as close as possible to the private applications hosted in Azure. Which deployment style is valid and meets the requirements in this scenario?

Options

Discussion

Ajay T. Feb 22, 2026 4:50 am

Option C, Layer 2 is a trap, VM-Series in Azure only supports Layer 3 interfaces so B doesn’t fit.

Jack P. Feb 22, 2026 2:39 pm

Pretty sure C. VM-Series is the only Palo Alto NGFW you can actually deploy in Azure, and for segmentation you'd want Layer 3 so it can inspect routed traffic between subnets. B looks tempting at first but PA-Series isn't supported in Azure, so that's the trap here. Agree or see a different use case?

Aaron Z. Feb 25, 2026 8:32 pm

I don’t think it’s A. C makes more sense since the VM-Series is designed for Azure and Layer 3 zones are required for proper segmentation with routing between subnets. Layer 2 isn’t really supported in Azure like in physical networks, so I think A and B might be traps here. Not totally confident but leaning C.

Rowan Feb 23, 2026 7:13 pm

I don’t think it’s C. B. The PA-Series can do Layer 2 zones for segmentation, so I picked B since it fits the logical segmentation part. Maybe I missed something with Azure support?

CarefulConsultant3255 Mar 9, 2026 1:00 am

B or C from what I've seen in the official study guide and Azure-focused labs. I've noticed most practice exams steer you toward C, but B looks possible if you aren't thinking about the cloud platform restrictions.

GraceZ Feb 25, 2026 11:34 pm

C only VM-Series with Layer 3 zones makes sense here in Azure. You can't use Layer 2 or PA-Series. Pretty confident.

Nora Z. Feb 24, 2026 2:57 am

Hard to say, C. Only VM-Series is supported in Azure, and it only does Layer 3 interfaces for segmentation there. Layer 2 options are kind of a trap because they're not available in that environment. If compliance wants security enforcement right up to the apps, Layer 3 zones on VM-Series is the correct design. Open if anyone’s seen a new Azure update that would change this.

Nathan W. Feb 21, 2026 8:10 pm

Noticed B and D mention PA-Series, but that's hardware and not for Azure. Why use those in this scenario?

Sara Mar 1, 2026 3:23 pm

Don't think A or B work since Layer 2 isn't supported by VM-Series in Azure, that's a common trap. C is the one that fits-VM-Series for Azure with Layer 3 zones gives you segmentation and meets compliance rules. If anyone thinks Layer 2 works natively in cloud, I'd double-check that, pretty sure it's unsupported.

SeasonedMentor8002 Feb 18, 2026 4:35 pm

A
I figured Layer 2 zones on the VM-Series could handle segmentation in Azure since it lets you isolate traffic without complex routing. Maybe I’m missing something with the compliance part but A looked fine to me.

Be respectful. No spam.

Correct Answer:

Explanation

The scenario requires deploying a firewall within Microsoft Azure to segment private applications. The VM-Series is the virtualized form-factor of the Palo Alto Networks NGFW designed specifically for deployment in public cloud environments like Azure. To achieve logical segmentation between different network segments (e.g., subnets for web, application, and database tiers), the standard and most robust method is to deploy the firewall in Layer 3 (routed) mode. In this configuration, the VM-Series firewall has Layer 3 interfaces assigned to different security zones, and it acts as the gateway, routing and inspecting all traffic that flows between these segmented subnets. This design places security enforcement directly in the traffic path and close to the applications, fulfilling the stated requirements.

Why Incorrect

A. On a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

While VM-Series is the correct platform, Layer 3 mode is the standard and more scalable method for routing-based segmentation between subnets in Azure.

B. On a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

PA-Series firewalls are physical hardware appliances and cannot be deployed directly within the Azure cloud environment to protect hosted applications.

D. On a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.

PA-Series firewalls are physical hardware appliances. The correct form-factor for deployment within a public cloud like Azure is the VM-Series.

References

1. Palo Alto Networks

"VM-Series Deployment Guide for Azure

" Version 11.0. This guide explicitly details the deployment of the VM-Series virtualized firewall in Azure. The reference architectures

such as the "Basic deployment with a single VM-Series firewall

" show the firewall with multiple virtual network interfaces (vNICs) connected to different subnets (e.g.

Untrust

Trust

Management)

operating in Layer 3 to route and inspect traffic between them. This is the fundamental model for segmentation. (See: Chapter 2: Plan the VM-Series Firewall Deployment in Azure

Section: "Reference Architecture: Basic Deployment with a Single VM-Series Firewall").

2. Palo Alto Networks

"VM-Series on Azure

" Datasheet. This document specifies that the VM-Series is the virtual NGFW for Azure

designed to "protect your applications and data with next-generation security features that are deployed in a virtualized form factor." It contrasts with the PA-Series

which are hardware appliances. (See: "Product Overview" section).

3. Palo Alto Networks

"Firewall Interface Types

" PAN-OS® Administrator's Guide 11.0. This documentation describes the different interface types. It clarifies that Layer 3 interfaces "participate in Layer 3 routing" and are assigned to security zones

which is the mechanism for applying policy to traffic between different network segments. This is the core concept behind Layer 3 segmentation. (See: Networking > Network Interfaces > Firewall Interface Types > Layer 3 Interfaces).

Question 11 of 20 · Page 2 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE