View the diagram.
What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?
A)
B)
C)
D)
Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)
Which URL profiling action does not generate a log entry when a user attempts to access that URL?
By default, what is the maximum number of templates that can be added to a template stack?
Which Security profile can you apply to protect against malware such as worms and Trojans?
Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall’s data plane?
Which Palo Alto Networks Security Operating Platform service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and scanning files for sensitive information?
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?
Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
Palo Alto Networks firewall architecture accelerates content map minimizing latency using which two components? (Choose two.)
A server admin in the USERS zone requires SSH access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS and the OUTSIDE zones. What configuration changes should the firewall admin make?
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?
Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile. If a virus gets detected, how will the firewall handle the traffic?
In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?
Which action would an administrator take to ensure that a service object will be available only to the selected device group?
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
Which rule type is appropriate for matching traffic occurring within a specified zone?
What do you configure if you want to set up a group of objects based on their ports alone?
Given the detailed log information above, what was the result of the firewall traffic inspection?
View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?
A)
B)
C)
D)
Which rule type is appropriate for matching traffic both within and between the source and destination zones?
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)
A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow
B. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
C. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?
Given the cyber-attack lifecycle diagram, identify the stage in which the attacker can run malicious code against a vulnerability in a targeted machine.
According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
Which object would an administrator create to block access to all high-risk applications?
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?
Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)
Which firewall plane provides configuration, logging, and reporting functions on a separate processor?
A website is unexpectedly allowed due to miscategorization.
What are two ways to resolve this issue for a proper response? (Choose two.)
When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)
Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?
What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)
What are three differences between security policies and security profiles? (Choose three.)
Given the topology, which zone type should zone A and zone B be configured with?
Based on the screenshot, what is the purpose of the group in User labelled "it"?
An administrator is reviewing the Security policy rules shown in the screenshot below.
Which statement is correct about the information displayed?
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?
In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)
Which definition describes the guiding principle of the zero-trust architecture?
How many zones can an interface be assigned with a Palo Alto Networks firewall?
Which option lists the attributes that are selectable when setting up an Application filter?
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?
Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)
A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)
Which two Palo Alto Networks security management tools provide a consolidated creation of policies, centralized management and centralized threat intelligence? (Choose two.)
Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH, web-browsing and SSL applications.
Which policy achieves the desired results?
A)
B)
C)
D)
How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection?
Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?
What must be considered with regards to content updates deployed from Panorama?
An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?
The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)
An address object of type IP Wildcard Mask can be referenced in which part of the configuration?
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
Which file is used to save the running configuration with a Palo Alto Networks firewall?
An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?
You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?
Which Security profile must be added to Security policies to enable DNS Signatures to be checked?
Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?
Recently, changes were made to the firewall to optimize the policies, and the security team wants to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?
What is a recommended consideration when deploying content updates to the firewall from Panorama?
An administrator wants to prevent users from submitting corporate credentials in a phishing attack.
Which Security profile should be applied?