Palo Alto Networks Exam NetSec-Pro Topic 2 Question 7 Discussion

Actual exam question for Palo Alto Networks's NetSec-Pro exam

Question #: 7
Topic #: 2

A network administrator obtains Palo Alto Networks Advanced Threat Prevention and Advanced DNS Security subscriptions for edge NGFWs and is setting up security profiles. Which step should be included in the initial configuration of the Advanced DNS Security service?

ACreate a decryption policy rule to decrypt DNS-over-TLS / port 853 traffic.

BCreate overrides for all company owned FQDNs.

CConfigure DNS Security signature policy settings to sinkhole malicious DNS queries.

DEnable Advanced Threat Prevention with default settings and only focus on high-risk traffic.

Show Suggested Answer

Suggested Answer: C

Advanced DNS Security uses a signature policy to sinkhole malicious DNS queries and prevent them from resolving.

''The DNS Security service integrates with Anti-Spyware profiles, and you must configure signature policy settings to sinkhole malicious queries. This proactively stops traffic to known malicious domains.''

(Source: Configure DNS Security)

Sinkholing ensures that DNS queries to malicious FQDNs are redirected to a safe IP, preventing compromise.

by Casey at Jul 03, 2025, 04:26 PM

Limited Time Offer

25%

Off

Get Premium NetSec-Pro Questions as Interactive Web-Based Practice Test or PDF