PCNSA Exam 92 Questions with Verified Answers
On VM-Series firewalls starting with PAN-OS version 8.0, the MGT port is configured with? - CORRECT ANSWER IP address DHCP
What configuration is the actual configuration which controls the firewall operation?
Service
XML
Candidate
Running - CORRECT ANSWER Running
A network engineer clicks "Save candidate configuration" to save the configuration to memory to finish the configuration later.
After the engineer continues editing and clicks "Save candidate configuration" again, the
configuration that is saved in memory is overwritten.
What type of memory is this saved configuration stored in?
Read only
Non-volatile memory
Volatile memory
Flash memory - CORRECT ANSWER Volatile memory
Initial firewall configuration is achieved by connecting to the MGT port or to the firewall serial console port.
This type of connection is called?
In-band
Direct
In-direct
Out-of-band - CORRECT ANSWER Out-of-band
True or false? An application filter is an object that statically groups applications based on the attributes of the application that you pick from the App-ID database. - CORRECT ANSWER False
True or false? The Palo Alto Networks firewall includes a predefined, read/write default Antivirus Security Profile. - CORRECT ANSWER False
True or false? Data Filtering Profiles are used to prevent sensitive, confidential and proprietary information from entering your network. - CORRECT ANSWER False
In which zone type can the interface not be assigned? - CORRECT ANSWER Vwire
Layer 3
Tunnel
Tap
Layer 2
In which Next Generation Firewall feature metadata from all sources will be filtered, unduplicated, and unified, enabling security teams to determine a more actionable data set that has been enriched from multiple sources?
Aperture
Autofocus
GlobalProtect
MineMeld - CORRECT ANSWER MineMeld
Which Next Generation Firewall plane can be accessed from the console/mgt interface and provides configuration, logging, and reporting functions?
Network
Signature
Data
Security
Control - CORRECT ANSWER Control
Which version of NetFlow records can the firewall generate and export to an outside NetFlow collector?
Net flow ver 1
Net flow ver 3
Net flow ver 5
Net flow ver 9 - CORRECT ANSWER Net flow ver 9
Which model of the Palo Alto Next Generation VM series needs a minimum of 16 GB of memory and 60 GB of dedicated disk drive capacity?
VM-700
VM-100
VM-50
VM-500 - CORRECT ANSWER VM-500
What is the default action setting when configuring a Security Policy Rule?
Reset client
Deny
Drop
Allow - CORRECT ANSWER Allow
Antivirus updated content is made available by Palo Alto Networks on the following schedule?
5 min
Monthly
Daily
Weekly - CORRECT ANSWER Daily
Applications and Threats updated content is made available by Palo Alto Networks on the following schedule?
Daily
Monthly
Weekly
5 min - CORRECT ANSWER Weekly
The PAN-OS DIPP NAT implementation supports oversubscription on some platforms.
What is DIPP NAT Oversubscription? - CORRECT ANSWER Increase port numbers available for DIPP
A Virtual Wire object is capable of blocking or allowing traffic based on?
MAC Physical address
802.1Q VLAN tag values
IPv4 logical addresses
IPv6 logical addresses - CORRECT ANSWER 802.1Q VLAN tag values
In a TCP exchange how many packets does it take to identify the application?
Three
One
Two
Four or Five - CORRECT ANSWER Four or five
Which Next Generation Firewall feature is part of the Threat Intelligence Cloud and provides direct access to security operations and analysis teams to all of the threat intelligence Palo Alto Networks gathers from clients, open source feeds, and the Unit 42 threat research team?
Aperture
Panorama
Autofocus
Global protect - CORRECT ANSWER Autofocus
If you know the admin account password, what command can be used to reset a firewall to its default factory settings? - CORRECT ANSWER Request system private-data-reset
True or false? File blocking activity is logged to the Threat log. - CORRECT ANSWER False
The default logging behavior is to log only at the end of the session. Why would an administrator enable logging at the start of the session?
No login at the start of the session is possible
Troubleshooting
Disable logging at the end of session
Required for SNMP logging - CORRECT ANSWER Troubleshooting
In a single physical Palo Alto Networks firewall, Virtual Systems, or vsys, are separate logical firewall instances.
In which firewall series are virtual systems (vsys) NOT supported?
PA-3x00
PA-5x00
PA-800
PA-7x00 - CORRECT ANSWER PA-800
DoS policy and DoS Profile protect: (choose two)
Specific hosts
Egress ports
Destination zone
Source zone - CORRECT ANSWER Specific hosts
Destination zone
To which item do you apply Zone Protection Profiles?
Egress ports
Ingress ports
DNS Proxy protection
Security policy rules - CORRECT ANSWER Ingress ports
True or false? When new applications are added to the App-ID database, application groups are always automatically updated. - CORRECT ANSWER False
Which are not Security Profiles Types? (Select two)
Telemetry
Antivirus
Data Filtering
File Blocking
WildFire Analysis
URL Filtering
Anti-Spyware
Vulnerability Protection
Threat intelligence - CORRECT ANSWER Threat intelligence
Telemetry
When configuring a File Blocking Profile, what actions can you set? (choose three.)
Block
Reset Both
Reset Server
Sinkhole
Reset Client
Alert
Continue - CORRECT ANSWER Block
Alert
Continue
For file transfer applications, what six protocols are in default Antivirus Profile? (choose six).
http/2
smtp
ftp
dhcp
pop3
imap
dns
smb - CORRECT ANSWER http/2
smtp
ftp
pop3
smb
What are two approaches to mitigate DoS attacks? (choose two)
Security policy rules Protection
End Host Protection
Zone-Based Protection
DNS Proxy protection - CORRECT ANSWER End Host Protection
Zone-Based Protection
In which Security Policy rule type can you not define a destination zone?
Intrazone rule
Zone-to-zone rule
Universal rule
Interzone rule - CORRECT ANSWER Intrazone rule
Network Activity tab displays an overview of traffic and user activity on your network including? (choose three.)
Top applications in use
Hosts Resolving Malicious Domains
Top users who generate traffic
Most used security rules against which traffic matches occur
Applications Using Non Standard Ports - CORRECT ANSWER -Top applications in use
-Top users who generate traffic
-Most used security rules against which traffic matches occur
You may use the Palo Alto Networks firewall to deploy two firewalls as a High Availability (HA) pair.
When firewalls synchronize, which of the following is NOT shared between peers?
Share certificate
IP address management interface
Session information
Policy configuration - CORRECT ANSWER IP address management interface
You may use the Palo Alto Networks firewall to deploy two firewalls as a High Availability (HA) pair.
When firewalls synchronize, which of the following is shared between peers?
Application Command Center
Session information
Log data
IP address management interface - CORRECT ANSWER Session information
If WMI probing is enabled, what type of IP addresses will WMI probe?
Private IP addresses
APIPA addresses
Loopback addresses
Public IP addresses - CORRECT ANSWER Private IP addresses
What license is required to have access to Antivirus Signatures content database available within 5 minutes?
WildFire license
No license is required
Threat Prevention license
URL Filtering license - CORRECT ANSWER WildFire license
What pieces of information are passed during IKE Phase 1? (Select all that apply.)
Lifetime
Diffie-Hellman key exchange
Symmetric Key Algorithm
Hashing algorithm
Authentication method
MAC address
Domain Name - CORRECT ANSWER Lifetime
Diffie-Hellman key exchange
Symmetric Key Algorithm
Hashing algorithm
Authentication method
On the next generation firewall, which is the standard SSL port for the transport of Syslog traffic?
6514
514
8080
443 - CORRECT ANSWER 6514
A digital PKI certificate is a method of packaging and distributing public keys in a way that proves their owners' identity.
Palo Alto Networks firewalls support __________ format certificates.
X.507
X.508
X.506
X.509 - CORRECT ANSWER X.509
In HA configuration how long will the firewall wait before it will become ACTIVE if there is no peer to start the negotiation?
60-seconds
5-minutes
200 milliseconds
30-seconds - CORRECT ANSWER 60-seconds
The WildFire Regional Clouds are in: (select all that apply).
China
Europe
India
Singapore
Japan - CORRECT ANSWER Europe
Singapore
Japan
In Active/Passive HA deployment what is synchronized through Data Link (HA2)? (select three.)
Licenses
ARP tables
Forward tables
Sessions - CORRECT ANSWER ARP tables
Forward tables
Sessions
In which phase of the IKE process would the data traffic be encapsulated?
IKE Phase 1
IKE Phase 3
IKE Phase 2
Data is always sent in clear text - CORRECT ANSWER IKE Phase 2
Not all traffic should be decrypted. Depending on local rules and regulations, what traffic cannot legally be decrypted? (select all that apply).
Office records
Privacy concerns
Health records
Financial records - CORRECT ANSWER Privacy concerns
Health records
Financial records
The GlobalProtect client software is available in which two formats? (Choose two.)
.msi
.pkg
.exe
.rar - CORRECT ANSWER .msi
.pkg
True or False? Active/active configuration is specifically designed to serve environments that need symmetric routing. - CORRECT ANSWER False
The GlobalProtect portal includes an IP address and a DNS hostname as part of the information passed on to the client connection request.
The agent performs a reverse lookup on the IP address. If the expected hostname is received as a response, to which GlobalProtect gateway will the client connect?
External gateway
Portal gateway
Internal gateway
None - CORRECT ANSWER Internal gateway
The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network.
What four predefined tabs are included by default in the ACC? (Choose four.)
Application Usage
Threat Activity
Blocked Activity
Tunnel Activity
Network Activity
User Activity - CORRECT ANSWER Threat Activity
Blocked Activity
Tunnel Activity
Network Activity
When encryption of traffic is enabled, looking at the OSI Model 7 Layers, which layers are encrypted?
Layer 6 Presentation
Layer 7 Application
Layer 5 Session (TLS/SSL)
Layer 2 Data Link (MAC Addresses)
Layer 1 Physical (Hardware)
Layer 4 Transport (Ports)
Layer 3 Network (IP Addresses) - CORRECT ANSWER Layer 6 Presentation
Layer 7 Application
On a Palo Alto Networks firewall with a Threat Prevention license, signatures and protections are made available?
within 5 minutes
daily
within 1 minute
weekly - CORRECT ANSWER Daily
Which piece of information is NOT passed during IKE Phase 1? (Select all that apply.)
Hashing algorithm
Lifetime
Symmetric Key Algorithm
Diffie-Hellman key exchange
Domain Name
Authentication method - CORRECT ANSWER Domain Name
Connectivity in all parts of the GlobalProtect infrastructure is authenticated by using SSL certificates.
Which two GlobalProtect Certificates are optional?
GlobalProtect Gateway certificate
GlobalProtect client certificate
GlobalProtect Portal certificate
Certificate authority (CA) certificate - CORRECT ANSWER GlobalProtect client certificate
Certificate authority (CA) certificate
How do you know which Security policy is being used and how often?
Rule monitor
Action rule
Hit count
Rule usage - CORRECT ANSWER Hit count
Facebook-base requires web-browsing. To make sure Facebook-base will successfully communicate, you have to?
Web-browsing is allowed by default in PAN firewall
App-ID database implicitly allows the parent application
Create Security Policy Rule to allow web-browsing
App-ID database needs to be updated - CORRECT ANSWER App-ID database implicitly allows the parent application
True or false? SSL/TLS (commonly referred to simply as SSL) uses asymmetric only encryption. - CORRECT ANSWER False
GlobalProtect does not include a host name and address pair in its response to the client. To which gateway will the client attempt to connect first?
Portal gateway
internal gateway
none
external gateway - CORRECT ANSWER internal gateway
Which GlobalProtect gateway provides security enforcement and VPN access for remote users?
External gateways
Internal gateways
Security policy
GlobalProtect Portal - CORRECT ANSWER External gateways
On the next generation firewall, which is the default port for the transport of Syslog traffic?
8080
6514
514
443 - CORRECT ANSWER 6514
Application exceptions are usually configured when false positives occur.
The configuration of specific application exemptions allows the firewall to pass on traffic that was previously blocked.
What is used to identify the specific application to be used as an Application exception?
IP address
Threat ID
Port Number
Hint Count - CORRECT ANSWER Threat ID
True or False? The Palo Alto Networks firewall includes two predefined, read-only File Blocking Profiles. - CORRECT ANSWER False
What User-ID mapping is recommended for GlobalProtect VPN clients?
User-ID agent: Session monitoring
Terminal Services agent
GlobalProtect
Captive Portal
XML API
User-ID agent: Client probing
Syslog listener - CORRECT ANSWER GlobalProtect
In the Application Command Center (ACC), which filter allows you to restrict the display to the data you are interested in right now and to remove irrelevant information from the current display?
Global filter
Universal filter
Group filter
Local filter - CORRECT ANSWER Global filter
On the next generation firewall, which is the standard UDP port for the transport of Syslog traffic?
443
514
8080
6514 - CORRECT ANSWER 514
The user-ID agent is available in two forms: an integrated agent resident on the firewall or a Windows-based agent.
Which agent type uses network bandwidth more efficiently?
Windows-based agent
Integrated agent resident on the firewall
Both use bandwidth efficiently
No bandwidth is used by agents - CORRECT ANSWER Integrated agent resident on the firewall
When you select users for a Security policy, which option will you use if you want to match a specific user or group identified by User-ID?
any
unknown
pre-logon
select
known-user - CORRECT ANSWER select
True or False? When you configure HA on your Palo Alto Networks firewalls, the firewalls can have different sets of licenses. - CORRECT ANSWER False
Before you can configure HA on your Palo Alto Networks firewalls, both firewalls must have? (select three.)
Identical management IP address
Matching Threat databases
Up-to-date application
Matching URL database - CORRECT ANSWER Matching Threat databases
Up-to-date application
Matching URL database
What action allows file transfer, and generates a log entry in the Data Filter Log?
Continue
Alert
Block
Sinkhole - CORRECT ANSWER Alert
The Windows-based agent can be installed on 32-bit or 64-bit machines running Microsoft Windows Operating system XP SP3 or later.
What TCP port will the User-ID agent use to communicate with the firewall?
UDP port 389
TCP port 389
UDP port 5007
TCP port 5007 - CORRECT ANSWER TCP port 5007
GlobalProtect Clientless VPN offers secure remote access to popular enterprise web applications using HTML, HTML5, and JavaScript technologies.
How will clients have access to the GlobalProtect client software?
Http-enabled web browsers
GlobalProtect Windows server software
GlobalProtect Mac server software
SSL-enabled web browsers - CORRECT ANSWER SSL-enabled web browsers
Why must you set up server monitoring for all individual domain controllers to catch all user logon events?
Logs are not replicated between Domain Controllers
Windows-based agent requirement
PAN-OS integrated agent requirement
NAC systems requirement - CORRECT ANSWER Logs are not replicated between Domain Controllers
True or False? Each WildFire cloud analyzes samples and generates malware signatures and verdicts dependent on other WildFire clouds.
False
True - CORRECT ANSWER False
When the firewall detects that a session has been broken as a result of the process of decryption, the session information is cached and the next session is not decrypted from that host to the same website.
There is no further attempt to decrypt the website for __________ after the first occurrence?
5 minutes
24 hours
30 minutes
12 hours - CORRECT ANSWER 12 hours
What is the maximum number of IPsec tunnels that each tunnel interface can have?
Each tunnel interface can have a maximum of 10 IPsec tunnels
Each tunnel interface can have a maximum of 100 IPsec tunnels
Each tunnel interface can have a maximum of 2 IPsec tunnels
Each tunnel interface can have a maximum of 1 IPsec tunnel - CORRECT ANSWER Each tunnel interface can have a maximum of 10 IPsec tunnels
When a firewall encounters a file, it will verify if the file is signed by a trusted signer. If the answer is yes, what is the next step that firewall will take?
Firewall creates a hash number and sends to Wildfire for further analysis
Firewall does not trust the signer and file is dropped.
Firewall trusts that the file does not have hidden malware and allows the file to be delivered.
Firewall creates a hash number for the file to see if the file already has been sent to WildFire. - CORRECT ANSWER Firewall trusts that the file does not have hidden malware and allows the file to be delivered.
Standard service allows firewalls to automatically send unknown Windows Portable Executable or PE files for analysis.
On a Palo Alto Networks firewall with a Threat Prevention license, four Windows PE file types include EXE, SCR, FON and?
CLASS
JAR
PDF
DLL - CORRECT ANSWER DLL
During the first _____________ days of the migration process, the firewall should log enough traffic and application data to allow you to move through Phase 1 of the migration process?
7 days
15 days
10 days
30 days - CORRECT ANSWER 30 days
If malware or phishing URLs are detected, WildFire can generate a new antivirus signature or add a URL to the PAN-DB Phishing URL category, how long before this update is available worldwide?
6 Hours
1 Week
24 Hours
Minutes - CORRECT ANSWER Minutes
An administrator plans to deploy GlobalProtect to their network using the latest Next Generation Palo Alto firewall. Will the administrator be successful in deploying GlobalProtect with only one firewall?
GlobalProtect is compatible with Palo Alto.
No. Because GlobalProtect is not supported on the latest Next Generation Palo Alto firewall.
No. Because you need two firewalls GlobalProtect Portal firewall and GlobalProtect Gateway firewall.
Yes. Because gateway and portal can be configured on the same firewall - CORRECT ANSWER Yes. Because gateway and portal can be configured on the same firewall
In an Active/Passive deployment, the HA Control link is a?
Layer 1 link
Layer 2 link
Layer 3 link
Layer 4 link - CORRECT ANSWER Layer 3 link
Why would an administrator add audit comments to the Security Policy Rule?
Audit history of a Security Policy Rule
Future reference in Security Policy Rule
Logs can be audited in Security Policy Rule
Required field in Security Policy Rule - CORRECT ANSWER Audit history of a Security Policy Rule
True or false? No URL filtering license is necessary to define and use custom URL categories. - CORRECT ANSWER True
In User-ID, the Windows-based agent uses?
WinRM
MS-RPC
WMI
SNMP - CORRECT ANSWER MS-RPC
In a route-based site-to-site VPN, each tunnel is bound to a?
physical interface
serial interface
tunnel interface
loopback interface - CORRECT ANSWER tunnel interface
True or False? The integrated agent is more suited for reading remote logs and the Windows-based agent is more suited for reading local logs. - CORRECT ANSWER True
What is Rule Shadowing?
Bottom rule hides top rules
Two rules are the same
Default rules are applied
The above rule hides rule beneath - CORRECT ANSWER The above rule hides rule beneath
Where should you install the Windows-based agent?
Panorama
Domain Controller
PAN Firewall
One or more domain member - CORRECT ANSWER One or more domain member
What User-ID mapping is recommended for clients that do not use the domain server?
Captive Portal
User-ID agent: Client probing
Syslog listener
XML API
Terminal Services agent
GlobalProtect
User-ID agent: Session monitoring - CORRECT ANSWER Captive Portal
GlobalProtect supports which three client connection methods? (choose three.)
known user
any users
user-logon
all users
none
pre-logon
on-demand - CORRECT ANSWER user-logon
pre-logon
on-demand
Logs can be forwarded to which four of the following Remote Logging Destinations? (Choose four.)
Panorama
DHCP Server
Email
SNMP manager
Syslog/SIEM server - CORRECT ANSWER Panorama
Email
SNMP manager
Syslog/SIEM server
Before you can configure HA on your VM-Series firewalls, you need to make sure that the virtual machines have?
VM-Series firewalls have same IP address management interface
VM-Series firewalls have same number of CPU cores assigned to each peer
VM-Series firewalls have same Application Command Center
VM-Series firewalls have same log data - CORRECT ANSWER VM-Series firewalls have same number of CPU cores assigned to each peer
Which administrative management services and network services are enabled by default to access and manage the firewall through the MGT interface?
SSH
HTTP
SNMP
Ping
Telnet
HTTPS - CORRECT ANSWER SSH
Ping
HTTPS