PCNSA Exam 84 Questions with Verified Answers
Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping. What is the quickest way to reset the hit counter to zero in all the security policy rules?
A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
D. Use the Reset Rule Hit Counter > All Rules option - CORRECT ANSWER D. Use the Reset Rule Hit Counter > All Rules option
Which two App-ID applications will you need to allow in your Security policy to use facebook-chat?
A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email - CORRECT ANSWER B. facebook-chat
C. facebook-base
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
A. Windows-based agents deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links - CORRECT ANSWER A. Windows-based agent deployed on the internal network
Your company requires positive username attribution of every IP address used by the wireless devices to support a new compliance requirement. You must collect IP-to-user mapping as soon as possible with the minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers. Given the scenario, choose the option for sending IP-to-user mapping to the NGFW.
A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers - CORRECT ANSWER A. syslog
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)
A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies - CORRECT ANSWER B. anti-spyware profile applied to outbound security policies
D. URL filtering profile applied to outbound security
Which interface does not require a MAC or IP address?
A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback - CORRECT ANSWER A. Virtual Wire
Order the steps needed to create a new security zone with a Palo Alto Networks firewall. - CORRECT ANSWER Step 1: Select Network
Step 2: Select Zones from the list of available items
Step 3: Select add
Step 4: Specify Zone Name
Step 5: Specify Zone type
Step 6: Assign interface as needed
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)
A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy - CORRECT ANSWER A. An implicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?
A. management
B. network processing
C. data
D. security processing - CORRECT ANSWER A. management
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base. On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days. Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications - CORRECT ANSWER C. No impact because the firewall automatically adds the rules to the App-ID interface
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. two
B. three
C. four
D. one - CORRECT ANSWER D. one
Which option shows the attributes that are selectable when setting up application filters?
A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology - CORRECT ANSWER B. Category, Subcategory, Technology, Risk, and Characteristic
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List - CORRECT ANSWER A. Block List
D. Allow List
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified. - CORRECT ANSWER C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?
A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent - CORRECT ANSWER C. Captive Portal
An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office - CORRECT ANSWER B. Create an Application Group and add business-systems to it
Which statement is true regarding a Best Practice Assessment?
A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture - CORRECT ANSWER B. It provides a percentage of adoption for each assessment area
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
A. on either the data plane or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic. - CORRECT ANSWER D. after it is matched by a security policy rule that allows or blocks traffic.
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter > Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days - CORRECT ANSWER D. Rule Usage Filter > Hit Count > Unused in 90 days
Which Security Profile mitigates attacks based on packet count?
A. zone protection profile
B. URL filtering profile
C. antivirus profile
D. vulnerability profile - CORRECT ANSWER A. zone protection profile
Which interface type uses virtual routers and routing protocols?
A. Tap
B. Layer3
C. Virtual Wire
D. Layer2 - CORRECT ANSWER B. Layer3
Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
A. Override
B. Allow
C. Block
D. Continue - CORRECT ANSWER B. Allow
An internal host needs to connect through the firewall using source NAT to servers on the internet. Which policy is required to enable source NAT on the firewall?
A. NAT policy with internal zone and internet zone specified
B. post-NAT policy with external source and any destination address
C. NAT policy with no internal or internet zone selected
D. pre-NAT policy with external source and any destination address - CORRECT ANSWER A. NAT policy with internal zone and internet zone specified
Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP addresses?
A. DoS protection
B. URL filtering
C. packet buffering
D. anti-spyware - CORRECT ANSWER A. DoS protection
Which path in PAN-OS 9.0 displays the list of port-based security policy rules?
A. Policies > Security > Rule Usage > No App Specified
B. Policies > Security > Rule Usage > Port only specified
C. Policies > Security > Rule Usage > Port-based Rules
D. Policies > Security > Rule Usage > Unused Apps - CORRECT ANSWER Answer: C
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)
A. Layer-ID
B. User-ID
C. QoS-ID
D. App-ID - CORRECT ANSWER B. User-ID
D. App-ID
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
A. Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces - CORRECT ANSWER C. Device>Setup>Operations
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?
A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches - CORRECT ANSWER A. Review Policies
How do you reset the hit count on a Security policy rule?
A. Select a Security policy rule, and then select Hit Count > Reset.
B. Reboot the data-plane.
C. First disable and then re-enable the rule.
D. Type the CLI command reset hitcount . - CORRECT ANSWER A. Select a Security policy rule, and then select Hit Count > Reset.
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
A. Management
B. High Availability
C. Aggregate
D. Aggregation - CORRECT ANSWER C. Aggregate
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?
A. intrazone
B. interzone
C. universal
D. global - CORRECT ANSWER B. interzone
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL?
A. EDL in URL Filtering Profile
B. Custom URL category in URL Filtering Profile
C. Custom URL category in Security policy rule
D. PAN-DB URL category in URL Filtering Profile - CORRECT ANSWER C. Custom URL category in Security policy rule
When configuring a GlobalProtect Portal, what is the purpose of specifying an authentication profile? - CORRECT ANSWER To enable user authentication to the Portal
Which CLI command can be used to export the tcpdump capture? - CORRECT ANSWER -SCP export mgmt-pcap from mgmt.pcap to
An administrator has configured the Palo Alto Networks NGFW management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or setup will allow the firewall to get automatic application signature updates? - CORRECT ANSWER A service route will need to be configured
Which three options are supported in HALite? (Choose three) - CORRECT ANSWER -Active/Passive development
-Synchronization of IPsec security associations
-Configuration Synchronization
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS version and serial number? - CORRECT ANSWER show system info
During the packet flow process, which two processes are performed in application identification? (Choose Two) - CORRECT ANSWER -Application override policy match
-Session application identified
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days? - CORRECT ANSWER Application command center
The certificate information displayed in the following images is for which type of certificate? - CORRECT ANSWER image: Name: decrypt, Algorithm: RSA, check box: certificate authority
-Self signed Root CA certificate
Which three steps will reduce the CPU utilization on the management plane? (Choose Three) - CORRECT ANSWER -Disable SNMP on the management interface
-Disable logging at session start in Security policies
-Disable predefined reports
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website? - CORRECT ANSWER URL Filtering Profile
How can a candidate or running configuration be copied to a host external to Panorama? - CORRECT ANSWER Export a named configuration snapshot
If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(s) websites? - CORRECT ANSWER SSL inbound inspection
An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result? - CORRECT ANSWER Create a custom App-ID and enable scanning on the advanced tab
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? - CORRECT ANSWER -View the system log and look for the error message about BGP
-View runtime stats and look for problems with BGP configuration
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? - CORRECT ANSWER -View Runtime stats in the Virtual router
-View System Logs
Which three firewall states are valid? (Choose three) - CORRECT ANSWER -Active
-Passive
-Suspended
Which CLI command is used to simulate traffic going through the firewall and determine which security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic? - CORRECT ANSWER Test
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms? - CORRECT ANSWER Configure log compression and optimization features on all remote firewalls
A customer wants to set up a VLAN interface for a layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface? (Choose Two) - CORRECT ANSWER -Virtual Router
-Security Zone
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which security profile type will protect against worms and trojans? - CORRECT ANSWER -Anti-virus
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of pre-configuration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN configuration would adapt to changes when deployed to the future site? - CORRECT ANSWER Pre-configured Global Protect Satellite
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall? - CORRECT ANSWER -255
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama? - CORRECT ANSWER Both active and passive firewalls independently, with no synchronization afterwards
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed? - CORRECT ANSWER The setting assigned to the template that is on top of the stack
Which method will dynamically register tags on the Palo Alto Networks NGFW? - CORRECT ANSWER XML API or the VM monitoring agent on the NGFW or on the User-ID agent
How does an administrator schedule an application and threats dynamic update while delaying installation of the update for a certain amount of time? - CORRECT ANSWER Automatically download only and then install application threats later after the administrator approves the update
To connect the Palo Alto Networks Firewall to AutoFocus, which setting must be enabled? - CORRECT ANSWER Device>Setup>Management>AutoFocus
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of the triage? - CORRECT ANSWER Security policy rule allowing SSL to the target server
Which two virtualization platforms officially support the deployment of the Palo Alto Networks VM-Series firewalls? (Choose two) - CORRECT ANSWER -Kernel Virtualization Module (KVM)
-Microsoft Hyper-V
Which User-ID method maps IP addresses to user names for users connecting through an 802x-enabled wireless network device that has no native integration with PAN-OS software? - CORRECT ANSWER XML API
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the traffic log? - CORRECT ANSWER SSL and 80
Which PAN-OS policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data? - CORRECT ANSWER Authentication Policy
A Security policy rule is configured with a vulnerability protection profile and an action of "Deny". Which action will this configuration cause on the matched traffic? - CORRECT ANSWER The configuration will allow the matched session unless a vulnerability signature is detected. The "deny" action will supersede the per-severity defined actions in the associated vulnerability protection profile.
A user traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule if the next hop goes down? - CORRECT ANSWER Create and add a monitor profile with an action of failover in the PBF rule in question
What are the benefits of nested device groups in Panorama? - CORRECT ANSWER -Reuse of the existing security policy rules and objects
-All device groups inherit setting from the shared group
Which captive portal mode must be configured to support MFA authentication? - CORRECT ANSWER Redirect
An administrator needs to implement an NGFW between their DMZ and core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement? - CORRECT ANSWER Virtual Wire interface to permit EIGRP routing to remain between the core and DMZ
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1 Gbps? - CORRECT ANSWER Set device config system speed-duplex 1 gbps-full-duplex
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A security policy rule allowing access from the trust zone to the DMZ zone needs to be configured to enable web browsing access to the server. Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080? - CORRECT ANSWER application: web browsing; service: application default
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS software? - CORRECT ANSWER RADIUS
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW? - CORRECT ANSWER Use the tcpdump command
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality? - CORRECT ANSWER App-ID
A session in the traffic log is reporting the application as "incomplete". What does incomplete mean? - CORRECT ANSWER The three-way handshake did not complete
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? - CORRECT ANSWER -Untrust (Any) to DMZ (10.1.1.100), web-browsing-Allow
-Untrust (Any) to DMZ (10.1.1.101), SSH-Allow
Which component of the integrated Palo Alto Networks security solution limits network-attached workstation access to a corporate mainframe?
A. threat intelligence cloud
B. advanced endpoint protection
C. next-generation firewall
D. tunnel inspection - CORRECT ANSWER C. next-generation firewall
Which Palo Alto Networks product is designed primarily to provide threat context with deeper information about attacks?
A. RedLock
B. WildFire
C. AutoFocus
D. Threat Prevention - CORRECT ANSWER C. AutoFocus
Which Palo Alto Networks product is designed primarily to provide normalization of threat intelligence feeds with the potential for automated response?
A. MineMeld
B. WildFire
C. AutoFocus
D. Threat Prevention - CORRECT ANSWER A. MineMeld
Which Palo Alto Networks product is designed primarily to protect endpoints from successful cyberattacks?
A. GlobalProtect
B. Magnifier
C. Traps
D. RedLock - CORRECT ANSWER C. Traps
The Palo Alto Networks Cortex Data Lake can accept logging data from which products? (Choose two.)
A. Traps
B. next-generation firewalls
C. Aperture
D. MineMeld
E. AutoFocus - CORRECT ANSWER A. Traps
B. Next-generation firewalls
Which Palo Alto Networks product is required to deliver your product log data to a central cloud-based storage service managed by Palo Alto Networks?
A. RedLock
B. Traps
C. next-generation firewall
D. Cortex data lake - CORRECT ANSWER D. Cortex data lake
A potential customer says it wants to maximize the threat detection capability of its next-generation firewall. Which three additional services should it consider implementing to enhance its firewall's capability to detect threats?
A. Traps
B. WildFire
C. URL Filtering
D. Expedition
E. DNS Security - CORRECT ANSWER B. Wildfire
C. URL filtering
E. DNS Security
Which product best secured east-west traffic within a public cloud implementation. Which product is best suited for this need?
A. RedLock
B. MineMeld
C. VM-Series firewall
D. Cortex - CORRECT ANSWER C. VM-Series firewall