PCNSA Exam 31 Questions with Verified Answers
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
A.
... [Show More] Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces - CORRECT ANSWER C. Device>Setup>Operations
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?
A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches - CORRECT ANSWER A. Review Policies
How do you reset the hit count on a Security policy rule?
A. Select a Security policy rule, and then select Hit Count > Reset.
B. Reboot the data-plane.
C. First disable and then re-enable the rule.
D. Type the CLI command reset hitcount . - CORRECT ANSWER A. Select a Security policy rule, and then select Hit Count > Reset.
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
A. Management
B. High Availability
C. Aggregate
D. Aggregation - CORRECT ANSWER C. Aggregate
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL?
A. EDL in URL Filtering Profile
B. Custom URL category in URL Filtering Profile
C. Custom URL category in Security policy rule
D. PAN-DB URL category in URL Filtering Profile - CORRECT ANSWER C. Custom URL category in Security policy rule
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?
A. management
B. network processing
C. data
D. security processing - CORRECT ANSWER A. management
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by
App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications - CORRECT ANSWER C. No impact because the firewall automatically adds the rules to the App-ID interface
Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?
A. Signature Matching
B. Network Processing
C. Security Processing
D. Data Interfaces - CORRECT ANSWER A. Signature Matching
Which option shows the attributes that are selectable when setting up application filters?
A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology - CORRECT ANSWER B. Category, Subcategory, Technology, Risk, and Characteristic
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List - CORRECT ANSWER A. Block List
D. Allow List
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified. - CORRECT ANSWER C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?
A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent - CORRECT ANSWER C. Captive Portal
An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office - CORRECT ANSWER A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
Which statement is true regarding a Best Practice Assessment?
A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture - CORRECT ANSWER B. It provides a percentage of adoption for each assessment area
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?
A. intrazone-default
B. Deny Google
C. allowed-security services
D. interzone-default - CORRECT ANSWER D. interzone-default
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
A. on either the data place or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic. - CORRECT ANSWER D. after it is matched by a security policy rule that allows or blocks traffic.
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?
A. Translation Type
B. Interface
C. Address Type
D. IP Address - CORRECT ANSWER A. Translation Type
Which interface does not require a MAC or IP address?
A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback - CORRECT ANSWER A. Virtual Wire
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days - CORRECT ANSWER D. Rule Usage Filter > Hit Count > Unused in 90 days
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)
A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy - CORRECT ANSWER A. An implicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
A. Windows-based agent deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links - CORRECT ANSWER A. Windows-based agent deployed on the internal network
Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP
ג€"to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers - CORRECT ANSWER A. syslog
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command- and-control (C2) server.
Which two security profile components will detect and prevent this threat after the firewallג€™s signature database has been updated? (Choose two.)
A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies - CORRECT ANSWER B. anti-spyware profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies
01. What are two predefined AntiSpyware profiles?
(Choose two.)
a) Default
b) Standard
c) Secure
d) Strict - CORRECT ANSWER a) Default
d) Strict
02. What are three methods of mapping usernames to IP addresses?
(Choose three.)
a) Server Monitoring
b) Traps
c) Minemeld
d) syslog
e) AutoFocus
f) port mapping - CORRECT ANSWER a) Server Monitoring
d) syslog
f) port mapping
03. Config logs display entries for which kind of firewall changes?
a) configuration
b) system logs
c) debugs
d) resets - CORRECT ANSWER a) configuration
04. A Heatmap provides an adoption rate for which three features?
(Choose three.)
a) WildFire
b) Traps
c) File Blocking
d) User-ID
e) SSL certificates
f) authentication profiles - CORRECT ANSWER a) WildFire
c) File Blocking
d) User-ID
05. The data plane provides which two data processing features of the firewall?
(Choose two.)
a) signature matching
b) reporting
c) network processing
d) logging - CORRECT ANSWER a) signature matching
c) network processing
06. In path monitoring, what is used to monitor remote network devices?
a) Ping
b) SSL
c) HTTP
d) HTTPS
e) Link State - CORRECT ANSWER a) Ping
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?
A. GlobalProtect
B. AutoFocus
C. Aperture
D. Panorama - CORRECT ANSWER A. GlobalProtect
Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)
A. Path monitoring does not determine if route is useable.
B. Route with highest metric is actively used.
C. Path monitoring determines if route is useable.
D. Route with lowest metric is actively used. - CORRECT ANSWER C. Path monitoring determines if route is useable.
D. Route with lowest metric is actively used. [Show Less]