Paloalto Networks Network Security Administrator NetSec-Generalist Question # 12 Topic 2 Discussion

ADynamic Address Group (DAG)is a firewall feature thatautomatically updates firewall rules based on changing attributes of devices, servers, or endpoints. This allows engineers tosimplify rule creationand ensure policies remainup-to-date without manual intervention.

Automatically Adapts to Changes

DAGs uselog events, tags, and attributesto dynamically update firewall rules.

If aserver role changes(e.g., a web server becomes an application server), it isautomatically placed in the correct security rulewithout requiring manual updates.

Simplifies Rule Creation

Instead of manually definingstatic IP addresses, engineers uselogical groupingsbased on metadata, such asVM tags, cloud attributes, or user roles.

Ensurespolicies remain accurateeven whenIP addresses or security postures change.

(B) Dynamic User Groups– Controls policies based onuser identity, notserver roles or log-based attributes.

(C) Predefined IP Addresses–Static and does not adaptto infrastructure changes.

(D) Address Objects– Manually defined and does not dynamically adjust based on log events or security posture.

Firewall Deployment– DAGs help dynamically assign security policies based on real-time data.

Security Policies– Automatically applies correct rules based on changing attributes.

Threat Prevention & WildFire– Ensures that compromised systems are automatically placed under restrictive security policies.

Panorama– DAGs are managed centrally, ensuringuniform policy enforcementacross multiple firewalls.

Zero Trust Architectures–Dynamic adaptation ensures least-privilege access enforcementas environments change.

Why Dynamic Address Groups?Other Answer Choices AnalysisReferences and Justification:Thus,Dynamic Address Groups (A) is the correct answer, as it simplifies rule creation and ensures automatic adaptation to changes in server roles or security posture.