PCNSA Exam 59 Questions with Verified Answers
A client downloads a malicious file from the internet. The Palo Alto firewall has a valid WildFire
... [Show More] subscription. The Security policy rule shown above matches the client HTTP session: Which three actions take place when the firewall's Content-ID engine detects a virus in the file and the decoder action is set to "block"? (Choose three.) - CORRECT ANSWER A threat log entry is generated.
The file download is terminated.
The client receives a block page.
A company has a pair of PA-3050s running PAN-OS 6.0.4. Antivirus, Threat Prevention, and URL Filtering Profiles are in place and properly configured on both inbound and outbound policies. A Security Operation Center (SOC) engineer starts his shift and faces the traffic logs presented in the screenshot shown above. He notices that the traffic is being allowed outbound. Which actions should the SOC engineer take to safely allow known but not yet qualified applications, without disrupting the remaining traffic policies? - CORRECT ANSWER Create Application Override policies after a packet capture to identify the applications that are triggering the "unknown-tcp". Then create new custom applications for those policies, and add these new policies above the current policy that allows the traffic.
A company has a Palo Alto Networks firewall configured with the following three zones: Internet DMZ Inside. All users are located on the Inside zone and are using public DNS servers for name resolution. The company hosts a publicly accessible web application on a server in the DMZ zone. Which NAT rule configuration will allow users on the Inside zone to access the web application using its public IP address? - CORRECT ANSWER Three zone U-turn NAT
A company has a Palo Alto Networks firewall configured with the following three zones: Untrust-L3 DMZ Trust-L3. The company hosts a publicly accessible web application on a server that resides in the Trust-L3 zone. The web server is associated with the following IP addresses: Web Server Public IP: 2.2.2.1/24 , Web Server Private IP: 192.168.1.10/24 . The security administrator configures the following two-zone U-Turn NAT rule to allow users using 10.10.1.0/24 on the "Trust-L3" zone to access the web server using its public IP address in the Untrust-L3 zone: Which statement is true in this situation? - CORRECT ANSWER The traffic will be considered intra-zone based on the translated destination zone.
A company is deploying a pair of PA-5060 firewalls in an environment requiring support for asymmetric routing. Which High Availability (HA) mode best supports this design requirement? - CORRECT ANSWER Active-Active mode
A company policy dictates that logs must be retained in their original format for a period of time that would exceed the space limitations of the Palo Alto Networks firewall's internal storage. Which two options will allow the company to meet this requirement? (Choose two.) - CORRECT ANSWER Palo Alto Networks Log Collector
Panorama Virtual Machine with NFS storage
A company uses Active Directory and RADIUS to capture User-ID information and implement user-based policies to control web access. Many Linux and Mac computers in the environment that do not have IP-address-to-user mappings. What is the best way to collect user information for those systems? - CORRECT ANSWER Use Captive Portal to capture user information
A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode and will be using HA-Lite. Which capability can be used in this situation? - CORRECT ANSWER Configuration Sync
A Management Profile to allow SSH access has been created and applied to interface ethernet1/1. A security rule with the action "deny" is applied to packets from "any" source zone to "any" destination zone. What will happen when someone attempts to initiate an SSH connection to ethernet1/1? - CORRECT ANSWER SSH access to the interface will be denied because intra-zone traffic is denied.
A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware, and selects the default Profile. What should be done next? - CORRECT ANSWER Click the Exceptions tab and then click Show all signatures.
A Palo Alto Networks firewall has been configured with multiple virtual systems and is administered by multiple personnel. Several administrators are logged into the firewall and are making configuration changes to separate virtual systems at the same time. Which option will ensure that no single administrator's changes are interrupted or undone by another administrator while still allowing all administrators to complete their changes prior to issuing a commit? - CORRECT ANSWER Each administrator sets a configuration and commit lock for the vsys to which they are making changes.
A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating a flood of bogus TCP connections to internal servers behind the firewall. This traffic is allowed by security policies, and other than creating half-open TCP connections, it is indistinguishable from legitimate inbound traffic. Which Zone Protection Profile with SYN Flood Protection action, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic? - CORRECT ANSWER SYN Cookies applied on the internet-facing zone
A Palo Alto Networks firewall is configured with a NAT policy rule that performs the following source translation: Which filters need to be configured to match traffic originating from 192.168.1.10 in the "Trust-L3" zone to 2.2.2.2 in the "Untrust-L3" zone in the Transmit stage? - CORRECT ANSWER Filter 1 source 192.168.1.10 destination 2.2.2.2 Filter 2 source 2.2.2.2 destination 192.168.1.10
A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog messages are forwarded to a syslog receiver. There are currently 20 PA-5060 firewalls, each of which is configured to forward syslogs individually. The security engineer wants to leverage their two M-100 appliances to send syslog messages from a single source and already has deployed one in Panorama mode and the other as a Log Collector. What is the remaining step in this solution? - CORRECT ANSWER Configure Collector Log Forwarding
A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They were asked not to share this list outside of the organization. The Chief Information Security Officer has requested that all user access to these URLs be filtered and blocked immediately to prevent potential breaches. However, the inline Palo Alto Networks firewall is NOT licensed for URL Filtering. What is an efficient method for blocking access to these URLs? - CORRECT ANSWER Import the URLs to a Custom URL Category and reference the URL Category in a Security policy rule set to deny.
A US-CERT notification is published regarding a newly discovered piece of malware. The infection is spread using spear phishing emails that prompt users to click an HTTP hyperlink, which then downloads the malware. Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall is configured to dynamically update to the latest databases automatically. Which component and implementation will detect and prevent this threat? - CORRECT ANSWER Antivirus Profiles applied to outbound Security policy rules with action set to block high-severity threats
A US-CERT notification is published regarding a newly-discovered piece of malware. The infection is spread using spear phishing e-mails that prompt users to click an HTTP hyperlink, which then downloads the malware. Palo Alto Networks has just released signatures to detect this malware as a high severity threat and the firewall is configured to dynamically update to the latest databases automatically. Which component and implementation will detect and prevent this threat? - CORRECT ANSWER Antivirus profiles applied to outbound security policy rules with action set to block high severity threats
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the firewall to the client be when doing SSL Decryption? - CORRECT ANSWER 2048 bits
A workstation at a company was infected with malware on September 18, 2014. Palo Alto Networks released an antivirus signature for that malware on September 17, 2014. The company's firewall is licensed with Threat Prevention and URL Filtering. The Threat log in the Monitor tab of the firewall shows no indications of traffic related to the infection. However, the Traffic log shows traffic between the workstation and the command-and-control server. Given the company's Dynamic Updates configuration: What is the cause of traffic not matching a malware signature? - CORRECT ANSWER The update schedule is set to "download only" and not to "download and install".
American Textile Corporation has acquired Fab Fabric Limited. American Textile uses a SIP-based VoIP phone system, which has been working well through a Palo Alto Networks firewall. However, integrating Fab Fabric's SIP phone system into American Textile's network has not been successful. The network security administrator for the combined company determines that the firewall is the cause of the failed phone system integration. Which action will disable the Application Level Gateway (ALG) firewall feature for the Fab Fabric phones while not affecting the American Textile Corporation phone system? - CORRECT ANSWER Create an Application Override policy that assigns traffic to and from the Fab Fabric phones to a custom application
Company employees have been given access to the GlobalProtect Portal at https:// portal.company.com: Assume the following: The URL portal.company.com resolves to the external interface of the firewall on the company's external DNS server and to the internal interface of the firewall on the company's internal DNS server. The URL gateway1.company.com resolves to the external interface of the firewall on the company's external DNS server and to the internal interface of the firewall on the company's internal DNS server. The DNS entry for gateway1 resolves to the internal interface of the firewall on the company's internal DNS server. The URL resolves both inside and outside the network. This Gateway configuration will have which two outcomes? (Choose two.) - CORRECT ANSWER Clients inside the network will be able to connect to the internal gateway Gateway1.
Clients outside the network will NOT be able to connect to the external gateway Gateway1.
Consider this graphic representation of the Threat Monitor report: What does this report display? - CORRECT ANSWER It displays the Top 10 Threat types over the last 6 hours.
Each week, a company wants to know the list of employees in the "mgt" group who are the biggest users of network bandwidth. Assume that the "mgt" group is properly configured on the company's Domain Controller, and that User-ID also is configured correctly. The firewall administrator starts to create the Custom report shown above: What must the administrator do or change to complete this Custom report? - CORRECT ANSWER 'Source User' must be selected from the 'Available Columns' option.
Given the Application Override policy shown above, what will be the effect of this policy? - CORRECT ANSWER 10.66.24.93
Given the following Security Policy and information about traffic traversing the firewall: Source Address: 192.168.64.10 Source Zone: Trust-L3 - Destination Address: 199.167.55.50 Destination Zone: Untrust-L3 Destination port: 85 - Application: web-browsing. Which rule will match the specified traffic? - CORRECT ANSWER Rule number 3
In which scenario would an active/active High Availability (HA) deployment be recommended instead of an active/passive HA pair? - CORRECT ANSWER There is a potential for asymmetric routing to occur.
The network is experiencing routing problems and the firewall administrator needs to determine the root cause. Which CLI command should the administrator use to verify routing behavior while watching the current flow of routed logs? - CORRECT ANSWER less mp-log routed.log
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks security services? (Choose two.) - CORRECT ANSWER URLFiltering
Threat Prevention
WebandNetTrends Unlimited's new web server software is discovered to produce traffic that the Palo Alto Networks firewall sees as "unknown-tcp" traffic. Which two configurations would identify the application while preserving the ability of the firewall to perform content and threat detection on the traffic? (Choose two.) - CORRECT ANSWER An Application Override policy that assigns the new web server traffic to the built-in application "web-browsing"
A custom application with content and threat detection enabled, which includes a signature, identifying the new web server's traffic
What can be used to push network and device configurations from Panorama to firewalls running PAN-OS software? - CORRECT ANSWER Templates
What is the proper method to determine which active sessions on the firewall matched a security rule named "ftp-out"? - CORRECT ANSWER In the CLI, run the command "show session all filter rule ftp-out".
When would there be a benefit from the creation of a custom application signature? - CORRECT ANSWER When a company wants to know who is watching World Cup soccer matches during work hours
Where can the oversubscription rate be adjusted on platforms that support NAT oversubscription? - CORRECT ANSWER In the GUI, under Device -> Setup -> Session -> Session Settings
Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred in the last day? - CORRECT ANSWER ACC->Application
Which action will allow a firewall administrator to determine which NAT rules have NOT been matched since the last reboot? - CORRECT ANSWER In the GUI, select the Highlight Unused Rules option under Policies -> NAT.
Which action will display the NAT policies that are being enforced by the firewall? - CORRECT ANSWER From the command line, check the NAT policies loaded on the data plane using the command "show running nat-policy".
Which component must be configured before a User Activity report can be generated? - CORRECT ANSWER User Identification
Which feature of the Palo Alto Networks firewall was designed to minimize network latency on the data plane? - CORRECT ANSWER Single-Pass Parallel Processing Architecture
Which feature will control how the firewall handles web servers with expired certificates when decrypting SSL? - CORRECT ANSWER Decryption Profile
Which function resides on the management plane? - CORRECT ANSWER System logging
Which GlobalProtect deployment strategy could be leveraged to expand a company's global VPN footprint without incurring hosting fees for physical equipment? - CORRECT ANSWER VM-Series for AWS (Amazon Web Services)
Which interface type provides support for point-to-point protocol over Ethernet (PPPoE)? - CORRECT ANSWER Layer3
Which Panorama feature allows for aggregated device logs to be forwarded to an external security information and event management (SIEM) system? - CORRECT ANSWER Collector Log Forwarding for Collector Groups
Which public key infrastructure component is required to implement SSL Forward Proxy? - CORRECT ANSWER CertificateAuthoritycertificate
Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule? - CORRECT ANSWER Dynamic IP and Port
Which statement is true about how Palo Alto Networks firewalls monitor traffic on the network? - CORRECT ANSWER Unlike traditional firewalls that use port or protocol to identify applications, the Palo Alto Networks firewalls use the application signature (the App-ID technology) to identify applications.
Which statement is true if a Security policy contains two rules that would both match a proposed new session? - CORRECT ANSWER The first rule that matches while evaluating the rules from top to bottom is the one that will be applied.
Which statement is true of an OSPFv3 configuration on the Palo Alto Networks firewall? - CORRECT ANSWER It uses IPv4 addresses for the area ID.
Which technique can be performed by a next-generation firewall, but NOT by a legacy firewall? - CORRECT ANSWER Inspecting HTTP data streams to detect instances of the POST method
Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose three.) - CORRECT ANSWER Recognizing when SSH sessions are using SSH v1 instead of SSH v2
Identifying unauthorized applications that attempt to connect over non-standard ports
Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server
Which two external authentication methods can be used with Authentication Profiles in PAN-OS? (Choose two.) - CORRECT ANSWER LDAP
RADIUS
Which two functions can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose two.) - CORRECT ANSWER Inspecting traffic at the application layer
Checking for suspicious, but technically compliant, protocol behavior
Which two statements regarding next-generation and legacy firewalls are true? (Choose two) - CORRECT ANSWER Both legacy firewalls and next-generation firewalls can reassemble packets in a given HTTP stream that arrive in an incorrect order.
A next-generation firewall detects when traffic shifts from "normal" web browsing to a specific web application, not a more specific protocol.
Which two techniques become available only after upgrading from a legacy firewall to a Palo Alto Networks next-generation firewall? (Choose two.) - CORRECT ANSWER Distinguishing between SSH v1 and SSH v2 in a traffic stream
Differentiating between traffic for the base Facebook application and traffic using Facebook Chat
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log? - CORRECT ANSWER Alert
Which x509 attribute is required for "Forward Trust Certificate" to be enabled? - CORRECT ANSWER CertificateAuthority
Why is "Browsing to IP domains" an event that appears in the Botnet report? - CORRECT ANSWER Web browsing to an IP address instead of a URL may indicate an attempt to avoid proper categorization when traffic passes through a URL Filtering system.
You are analyzing a specific device group from Panorama and notice there are a very large number of "insufficient-data" log entries. What is known for certain about the "insufficient-data" in this display? Consider the following data: - CORRECT ANSWER The number of bytes sent in packets where the application could not be identified
You are the network security engineer for a large corporation. On the same night you finished a successful migration, you receive an after-hours call from the Network Operations Center (NOC). After the latest firewall migration, traffic coming from the internal network (inside zone) is not reaching its destination on several rules present in the Security Policy that have the DMZ zone as target and are allowing the traffic. The NOC sends you an email message received on your phone with the information shown above. Given that there is no current internet access, which steps should the NOC engineer take to fix the problem? - CORRECT ANSWER SSH into the device, enter in configure mode, and add the following static route command: set network virtual-router vr1 routing-table ip static-route dmzroute interface ethernet1/2 destination 10.15.26.0/24 nexthop ip-address 10.15.25.1 [Show Less]