View all questions & answers for the Palo Alto Network Security Professional (NetSec-Pro) Exam Materials exam
Question 27 Discussion
Comments
Selected Answers: C
When a negated region is used in a Security policy in Prisma Access, it means that traffic not originating from the specified region is matched. However, this can unintentionally exclude legitimate traffic if not handled carefully.
To prevent connectivity loss, you should:
• Create a separate Security policy that explicitly matches the negated region (i.e., the traffic that was excluded in the original rule).
• Set the destination address to “any” to ensure that traffic from the negated region is still evaluated and allowed or denied based on appropriate criteria.
This ensures that all traffic—both matching and excluded by the negated region—is covered by at least one policy, avoiding unintended drops.
❌ Why the Other Options Are Incorrect:
• A. Add all regions with private IPs: This doesn’t address the issue caused by negation logic.
• B. Set service to application-default: This controls port matching, not source region logic.
• D. Add a Dynamic Application Group: Useful for app-based policies, but unrelated to region-based source matching.
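As an added illustration of the first-match reasoning in this answer, here is a small policy evaluator. It is a constructed model, not Prisma Access or Palo Alto Networks code: the region lookup table, the rule names and the literal "source is not in region" negation semantics are assumptions made for the demonstration.

```python
"""
Toy first-match security policy evaluator (constructed example, not
Prisma Access code). It shows why a single rule with a negated source
region leaves traffic from that region falling through to the implicit
default deny, and how a companion rule that matches the region explicitly
with destination "any" closes that gap.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed geolocation table: public source IP -> region (assumption).
REGION_OF_IP = {
    "203.0.113.10": "US",
    "198.51.100.7": "DE",
}


def region_of(src_ip: str) -> Optional[str]:
    """Return the region of a source IP, or None if it is not mapped."""
    return REGION_OF_IP.get(src_ip)


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    source_region: Optional[str] = None # None means "any" source
    negate_source: bool = False         # negated region match
    destination: str = "any"            # "any" or a specific address

    def matches(self, src_ip: str, dst: str) -> bool:
        if self.destination != "any" and dst != self.destination:
            return False
        if self.source_region is None:
            return True
        in_region = region_of(src_ip) == self.source_region
        # Model assumption: negation is a literal "not in this region",
        # so unmapped sources also satisfy a negated region.
        return (not in_region) if self.negate_source else in_region


def evaluate(rules: List[Rule], src_ip: str, dst: str) -> Tuple[str, str]:
    """First-match evaluation; unmatched traffic hits the implicit default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst):
            return rule.name, rule.action
    return "implicit-default", "deny"


def uncovered(rules: List[Rule], traffic) -> List[str]:
    """Source IPs that no explicit rule covers (the connectivity-loss cases)."""
    return [src for src, dst in traffic
            if evaluate(rules, src, dst)[0] == "implicit-default"]


def negated_only() -> List[Rule]:
    # The original rule: allow everything that is NOT sourced from region US.
    return [Rule("allow-outside-us", "allow", source_region="US", negate_source=True)]


def with_companion() -> List[Rule]:
    # Add a separate rule that explicitly matches the negated region with
    # destination "any"; the action here is illustrative (assumption).
    return negated_only() + [
        Rule("allow-us-explicit", "allow", source_region="US", destination="any")
    ]


# Constructed sample traffic: (source IP, destination).
SAMPLE_TRAFFIC = [("203.0.113.10", "192.0.2.50"), ("198.51.100.7", "192.0.2.50")]

if __name__ == "__main__":
    print("negated rule only, uncovered:", uncovered(negated_only(), SAMPLE_TRAFFIC))
    print("with companion rule, uncovered:", uncovered(with_companion(), SAMPLE_TRAFFIC))
```

Running it shows the US-sourced flow falling to the implicit default deny with the negated rule alone, and being matched by the companion rule once it is added; the DE-sourced flow is matched by the negated rule in both cases.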
Brave-Dumps Admin
2025-11-03 15:17:57
Please write your reference with the answer.
Selected Answers: A
This recommendation is provided to prevent unintended blocking of traffic from private IP addresses that might otherwise be inadvertently excluded when a region is negated in the source address field of a security rule.
https://docs.paloaltonetworks.com/network-security/security-policy/administration/internet-access-rules/create-an-internet-access-policy-rule/create-an-internet-access-policy-rule-cloud-management
A network security engineer has created a Security policy in Prisma Access that includes a negated region in the source address. Which configuration will ensure there is no connectivity loss due to the negated region? (Choose one answer)