Palo Alto Network Security Professional (NetSec-Pro) Exam Materials-Question 27 Discussion

A network security engineer has created a Security policy in Prisma Access that includes a negated region in the source address. Which configuration will ensure there is no connectivity loss due to the negated region? (Choose one answer)

  • A. Add all regions that contain private IP addresses to the source address.
  • B. Set the service to be application-default.
  • C. Create a Security policy for the negated region with destination address “any.”
  • D. Add a Dynamic Application Group to the Security policy.
Correct Answer: A

Brave-Dump Clients Votes

A 66.67%
C 33.33%

Comments



aieasa 2025-11-03 00:16:08

Selected Answers: C


Explanation:
When a negated region is used in a Security policy in Prisma Access, it means that traffic not originating from the specified region is matched. However, this can unintentionally exclude legitimate traffic if not handled carefully.
To prevent connectivity loss, you should:
• Create a separate Security policy that explicitly matches the negated region (i.e., the traffic that was excluded in the original rule).
• Set the destination address to “any” to ensure that traffic from the negated region is still evaluated and allowed or denied based on appropriate criteria.
This ensures that all traffic—both matching and excluded by the negated region—is covered by at least one policy, avoiding unintended drops.
❌ Why the Other Options Are Incorrect:
• A. Add all regions with private IPs: This doesn’t address the issue caused by negation logic.
• B. Set service to application-default: This controls port matching, not source region logic.
• D. Add a Dynamic Application Group: Useful for app-based policies, but unrelated to region-based source matching.
  • Brave-Dumps.com Admin 2025-11-03 15:17:57
    Please write your reference with the answer.


Ayesha 2026-02-16 03:12:30

Selected Answers: A


When a Security policy in Prisma Access includes a negated region in the source address, to ensure there is no connectivity loss, you must add all regions that contain private IP addresses to the source address.

This recommendation is provided to prevent unintended blocking of traffic from private IP addresses that might otherwise be inadvertently excluded when a region is negated in the source address field of a security rule.

https://docs.paloaltonetworks.com/network-security/security-policy/administration/internet-access-rules/create-an-internet-access-policy-rule/create-an-internet-access-policy-rule-cloud-management


William Martinez 2026-05-28 18:39:21

Selected Answers: A


By adding all regions or ranges containing your private IP addresses to the Source Address field (Option A) along with the denied region, you are forcing the policy engine to understand that the rule should only apply to legitimate traffic from your authorized corporate segments, preventing the rule from attempting to process or block traffic from global infrastructure or Prisma Access inter-node routes.