PCNSA Flash Cards Exam 117 Questions with Verified Answers
1. The Palo Alto Networks Cybersecurity Portfolio focuses on which three principal technologies? (Choose three.)
A. securing operations response
B. securing the enterprise
C. securing third-party application access
D. securing the cloud
E. securing the internet of things - CORRECT ANSWER ABD
2. What are four components of the Palo Alto Networks Cybersecurity Portfolio? (Choose four.)
A. Cortex DynamicDNS
B. WildFire
C. Cortex XDR
D. OpenConnect
E. Prisma Access
F. AutoFocus - CORRECT ANSWER BCEF
3. Which cloud-delivered security service provides instant access to community-based threat data?
A. Prisma SaaS
B. AutoFocus
C. Unit 42
D. Cortex XDR - CORRECT ANSWER B
4. Which cloud-delivered security service provides security and connectivity for branches and mobile users?
A. Cortex XSOAR
B. Cortex XDR
C. AutoFocus
D. Prisma Access - CORRECT ANSWER D
5. Which Palo Alto Networks Cybersecurity Portfolio product provides access to applications from Palo Alto Networks, third parties, and customers?
A. WildFire
B. Cortex Data Lake
C. Network Security
D. Prisma Access - CORRECT ANSWER B
6. Which Palo Alto Networks firewall feature provides all the following abilities?
• Stops malware, exploits, and ransomware before they can compromise endpoints
• Provides protection while endpoints are online and offline, on network and off
• Coordinates enforcement with network and cloud security to prevent successful attacks
• Detects threats and automates containment to minimize impact
• Creates zero-day malware signatures with cloud-based threat analysis
• Integrates with Palo Alto Networks Cortex Data Lake
A. Cortex XDR
B. Prisma SaaS
C. WildFire
D. AutoFocus - CORRECT ANSWER A
7. Which three management features does the Control Plane provide? (Choose three.)
A. security processing
B. logging
C. reporting
D. firewall configuration
E. signature matching
F. network processing - CORRECT ANSWER BCD
8. Which three data processing features does the data plane provide? (Choose three.)
A. security processing
B. logging
C. reporting
D. firewall configuration
E. signature matching
F. network processing - CORRECT ANSWER AEF
9. What are three components of the Network Processing module? (Choose three.)
A. QoS
B. NAT
C. App-ID
D. flow control
E. URL match
F. spyware - CORRECT ANSWER ABD
10. Which approach most accurately defines the Palo Alto Networks SP3 architecture?
A. prioritize first
B. sequential processing
C. scan it all, scan it once
D. Zero Trust segmentation platform - CORRECT ANSWER C
11. What is the result of using a stream-based architectural design?
A. superior performance
B. increased latency
C. detailed logging
D. increased functionality - CORRECT ANSWER A
12. Which security model does Palo Alto Networks recommend that you deploy?
A. separation-of-trust
B. Zero Trust
C. trust-then-verify
D. never trust - CORRECT ANSWER B
13. The Zero Trust model is implemented to specifically inspect which type of traffic?
A. east-west
B. north-south
C. left-right
D. up-down - CORRECT ANSWER A
14. What are the three main concepts of Zero Trust? (Choose three.)
A. All resources are accessed in a secure manner, regardless of location.
B. Access control is on a "need-to-know" basis and is strictly enforced.
C. Credentials need to be verified.
D. All traffic is logged and inspected.
E. Internal users are trusted implicitly.
F. External users are trusted explicitly. - CORRECT ANSWER ABD
15. Which two statements are true about the Zero Trust model? (Choose two.)
A. Traffic is inspected laterally.
B. Traffic is inspected east-west.
C. Internal traffic is implicitly trusted.
D. External traffic is implicitly trusted. - CORRECT ANSWER AB
16. Which three Palo Alto Networks products secure your network? (Choose three.)
A. MineMerge
B. Prisma SaaS
C. URL filtering
D. Containers
E. TrapContent
F. WildFire - CORRECT ANSWER BCF
Page 33
17. True or false: Blockage of just one stage in the cyberattack lifecycle will protect a company's network from attack.
A. true
B. false - CORRECT ANSWER A
18. What are two stages of the cyberattack lifecycle? (Choose two.)
A. weaponization and delivery
B. manipulation
C. extraction
D. command and control - CORRECT ANSWER AD
19. Command and control can be prevented through which two methods? (Choose two.)
A. exploitation
B. DNS Sinkholing
C. URL filtering
D. reconnaissance - CORRECT ANSWER BC
20. Exploitation can be mitigated by which two actions? (Choose two.)
A. keeping systems patched
B. using local accounts
C. blocking known and unknown vulnerability exploits on the endpoint
D. providing admin credentials - CORRECT ANSWER AC
21. What are two firewall management methods? (Choose two.)
A. CLI
B. RDP
C. VPN
D. XML API - CORRECT ANSWER AD
22. Which two devices are used to connect a computer to the firewall for management purposes? (Choose two.)
A. rollover cable
B. serial cable
C. RJ-45 Ethernet cable
D. USB cable - CORRECT ANSWER BC
23. What is the default IP address on the MGT interfaces of a Palo Alto Networks firewall?
A. 192.168.1.1
B. 192.168.1.254
C. 10.0.0.1
D. 10.0.0.254 - CORRECT ANSWER A
24. What are the two default services that are available on the MGT interface? (Choose two.)
A. HTTPS
B. SSH
C. HTTP
D. Telnet - CORRECT ANSWER AB
Page 39
25. True or false. Service route traffic has Security policy rules applied against it.
A. true
B. false - CORRECT ANSWER A
26. Service routes may be used to forward which two traffic types out of a data port? (Choose two.)
A. External Dynamic Lists
B. MineMeld
C. Skype
D. Palo Alto Networks updates - CORRECT ANSWER AD
Page 45
27. Which firewall plane does the running-configuration reside on?
A. management
B. control
C. data
D. security - CORRECT ANSWER C
28. Which firewall plane does the candidate configuration reside on?
A. management
B. control
C. data
D. security - CORRECT ANSWER B
29. Candidate config and running config files are saved as which file type?
A. TXT
B. HTML
C. XML
D. RAR - CORRECT ANSWER C
30. Which command must be performed on the firewall to activate any changes?
A. commit
B. save
C. load
D. import - CORRECT ANSWER A
31. Which command backs up configuration files to a remote network device?
A. import
B. load
C. copy
D. export - CORRECT ANSWER D
32. The command load named configuration snapshot overwrites the current candidate configuration with which three items? (Choose three.)
A. custom-named candidate configuration snapshot (instead of the default snapshot)
B. custom-named running configuration that you imported
C. snapshot.xml
D. current running configuration (running-config.xml)
E. Palo Alto Networks updates - CORRECT ANSWER ABD
33. What is the shortest time interval that you can configure a Palo Alto Networks firewall to download WildFire updates?
A. 1 minute
B. 5 minutes
C. 15 minutes
D. 60 minutes - CORRECT ANSWER A
34. What is the publishing interval for WildFire updates, with a valid WildFire license?
A. 1 minute
B. 5 minutes
C. 15 minutes
D. 60 minutes - CORRECT ANSWER B
Page 58
35. True or false. A Palo Alto Networks firewall automatically provides a backup of the configuration during a software upgrade.
A. true
B. false - CORRECT ANSWER A
36. If you have a Threat Prevention subscription but not a WildFire subscription, how long must you wait for the WildFire signatures to be added into the antivirus update?
A. 1 to 2 hours
B. 2 to 4 hours
C. 10 to 12 hours
D. 24 to 48 hours - CORRECT ANSWER D
Page 58
37. Which three actions should you complete before you upgrade to a newer version of software? (Choose three.)
A. Review the release notes to determine any impact of upgrading to a newer version of software.
B. Ensure the firewall is connected to a reliable power source.
C. Export the device state.
D. Create and externally store a backup before you upgrade.
E. Put the firewall in maintenance mode. - CORRECT ANSWER ABD
38. Which two statements are true about a Role Based Admin Role Profile role? (Choose two.)
A. It is a built-in role.
B. It can be used for CLI commands.
C. It can be used for XML API.
D. Superuser is an example. - CORRECT ANSWER BC
39. PAN-OS software supports which two authentication types? (Choose two.)
A. RADIUS
B. SMB
C. TACACS+
D. AWS - CORRECT ANSWER AC
40. Which two Dynamic Admin Role types are available on the PAN-OS software? (Choose two.)
A. superuser
B. superuser (write only)
C. device user
D. device administrator (read-only) - CORRECT ANSWER AD
41. Which type of profile does an Authentication Sequence include?
A. Security
B. Authorization
C. Admin
D. Authentication - CORRECT ANSWER D
42. An Authentication Profile includes which other type of profile?
A. Server
B. Admin
C. Customized
D. Built-in - CORRECT ANSWER A
43. True or false: Dynamic Admin Roles are called "dynamic" because you can customize them.
A. true
B. false - CORRECT ANSWER B
44. What is used to override global Minimum Password Complexity Requirements?
A. Authentication
B. Local
C. User
D. Password - CORRECT ANSWER D
45. Which two default zones are included with the PAN-OS software? (Choose two.)
A. Interzone
B. Extrazone
C. Intrazone
D. Extranet - CORRECT ANSWER AC
46. Which two zone types are valid? (Choose two.)
A. trusted
B. tap
C. virtual wire
D. untrusted
E. dmz - CORRECT ANSWER BC
There are five primary zone types: Tap, Virtual Wire, Layer 2, Layer 3, and Tunnel. Some of these are only supported on certain interface types.
47. The External zone type is used to pass traffic between which type of objects?
A. Layer 2 interfaces
B. Layer 3 interfaces
C. virtual routers
D. virtual systems - CORRECT ANSWER D
48. Which two statements about interfaces are correct? (Choose two.)
A. Interfaces must be configured before you can create a zone.
B. Interfaces do not have to be configured before you can create a zone.
C. An interface can belong to only one zone.
D. An interface can belong to multiple zones. - CORRECT ANSWER BC
Page 68-69
49. Which three interface types can belong in a Layer 3 zone? (Choose two.)
A. loopback
B. tap
C. tunnel
D. virtual wire - CORRECT ANSWER AC
50. What are used to control traffic through zones?
A. access lists
B. Security policy lists
C. Security policy rules
D. Access policy rules - CORRECT ANSWER C
51. Which two actions can be done with a Tap interface? (Choose two.)
A. encrypt traffic
B. decrypt traffic
C. allow or block traffic
D. log traffic - CORRECT ANSWER BD
52. Which two actions can be done with a Virtual Wire interface? (Choose two.)
A. NAT
B. route
C. switch
D. log traffic - CORRECT ANSWER AD
53. Which two actions can be done with a Layer 3 interface? (Choose two.)
A. NAT
B. route
C. switch
D. create a Virtual Wire object - CORRECT ANSWER AB
Page 83
54. Layer 3 interfaces support which two items? (Choose two.)
A. NAT
B. IPv6
C. switching
D. spanning tree - CORRECT ANSWER AB
55. Layer 3 interfaces support which three advanced settings? (Choose three .)
A. IPv4 addressing
B. IPv6 addressing
C. NDP configuration
D. link speed configuration
E. link duplex configuration - CORRECT ANSWER CDE
56. Layer 2 interfaces support which three items? (Choose three.)
A. spanning tree blocking
B. traffic examination
C. forwarding of spanning tree BPDUs
D. traffic shaping via QoS
E. firewall management
F. routing - CORRECT ANSWER BCD
57. Which two interface types support subinterfaces? (Choose two.)
A. Virtual Wire
B. Layer 2
C. Loopback
D. Tunnel - CORRECT ANSWER AB
58. Which two statements are true regarding Layer 3 interfaces? (Choose two.)
A. You can configure a Layer 3 interface with one or more as a DHCP client.
B. You can assign only one IPv4 address to the same interface.
C. You can enable an interface to send IPv4 Router Advertisements by selecting the Enable Router Advertisement check box on the Router Advertisement tab.
D. You can apply an Interface Management Profile to the interface. - CORRECT ANSWER AD
59. Which statement is true regarding aggregate Ethernet interfaces?
A. Members of an Aggregate Interface Group can be of different media types.
B. An Aggregate Interface Group can be set to a type of tap.
C. Member Ethernet interfaces of an Aggregate Interface Group must have the same transmission speeds.
D. A Layer 3 Aggregate Interface Group can have more than one IP assigned to it.
E. Member Ethernet interfaces can be assigned to different virtual routers. - CORRECT ANSWER D
60. What is the default administrative distance of a static route within the PAN-OS software?
A. 1
B. 5
C. 10
D. 100 - CORRECT ANSWER C
61. Which two dynamic routing protocols are available in the PAN-OS software? (Choose two.)
A. RIP
B. RIPv2
C. OSPFv3
D. EIGRP - CORRECT ANSWER BC
Page 94
62. Which value is used to distinguish the preference of routing protocols?
A. metric
B. weight
C. distance
D. cost
E. administrative distance - CORRECT ANSWER E
Page 92
63. Which value is used to distinguish the best route within the same routing protocol?
A. metric
B. weight
C. distance
D. cost
E. administrative distance - CORRECT ANSWER A
64. In path monitoring, what is used to monitor remote network devices?
A. ping
B. SSL
C. HTTP
D. HTTPS
E. link state - CORRECT ANSWER A
65. What are the two default (predefined) security policy rule types in PAN-OS software? (Choose two.)
A. Universal
B. Interzone
C. Intrazone
D. Extrazone - CORRECT ANSWER BC
66. True or false. Because the first rule that matches the traffic is applied, the more specific rules must follow the more general ones.
A. true
B. false - CORRECT ANSWER B
67. Which statement is true?
A. For Intrazone traffic, traffic logging is enabled by default.
B. For Interzone traffic, traffic logging is enabled by default.
C. For Universal traffic, traffic logging is enabled by default.
D. For any rule type, traffic logging is enabled by default. - CORRECT ANSWER C
68. What are the two default (predefined) Security policy rule types in PAN-OS software? (Choose two.)
A. Universal
B. Interzone
C. Intrazone
D. Extrazone - CORRECT ANSWER BC
69. True or false? Best practice is to enable logging for the two predefined Security policy rules.
A. true
B. false - CORRECT ANSWER A
70. What will be the result of one or more occurrences of shadowing?
A. a failed commit
B. an invalid configuration
C. a warning
D. an alarm window - CORRECT ANSWER C
71. Which type of Security policy rules most often exist above the two predefined security policies?
A. intrazone
B. interzone
C. universal
D. global - CORRECT ANSWER C
72. What are two source NAT types? (Choose two.)
A. universal
B. static
C. dynamic
D. extrazone - CORRECT ANSWER BC
73. Which phrase is a simple way to remember how to configure Security policy rules where NAT was implemented?
A. post-NAT zone, post-NAT zone
B. post-NAT IP, post-NAT zone
C. pre-NAT IP, post-NAT zone
D. pre-NAT IP, pre-NAT zone - CORRECT ANSWER C
74. What are two types of destination NAT? (Choose two.)
A. dynamic IP (with session distribution)
B. DIPP
C. global
D. static - CORRECT ANSWER AD
75. What are two possible values for DIPP NAT oversubscription? (Choose two.)
A. 1x
B. 4x
C. 16x
D. 32x - CORRECT ANSWER AB
76. Which statement is true regarding bidirectional NAT?
A. For static translations, bidirectional NAT enables the firewall to create a corresponding translation in the opposite direction of the translation you configure.
B. For static translations, bidirectional NAT enables the firewall to create a corresponding translation in the same direction of the translation you configure.
C. For dynamic translations, bidirectional NAT enables the firewall to create a corresponding translation in the opposite direction of the translation you configure.
D. For dynamic translations, bidirectional NAT enables the firewall to create a corresponding translation in the same direction of the translation you configure. - CORRECT ANSWER A
77. What are two application dependencies for adobe-connectnow-base? (Choose two.)
A. ssl
B. skype
C. rtmp
D. adobe-base
E. ssh - CORRECT ANSWER AC
Page 114, in the Commit Status graphic
78. What does an application filter enable an administrator to do?
A. manually categorize multiple service filters
B. dynamically categorize multiple service filters
C. dynamically categorize multiple applications
D. manually categorize multiple applications - CORRECT ANSWER C
Page 116
79. Which two items can be added to an application group? (Choose two.)
A. application groups
B. application services
C. application filters
D. application categories - CORRECT ANSWER AC
80. What does the TCP Half Closed setting mean?
A. maximum length of time that a session remains in the session table between reception of the first FIN and receiving the third FIN or RST
B. minimum length of time that a session remains in the session table between reception of the first FIN and receiving the second FIN or RST
C. maximum length of time that a session remains in the session table between reception of the first FIN and receiving the second FIN or RST
D. minimum length of time that a session remains in the session table between reception of the first FIN and receiving the third FIN or RST - CORRECT ANSWER C
81. What are two application characteristics? (Choose two.)
A. stateful
B. excessive bandwidth use
C. intensive
D. evasive - CORRECT ANSWER BD
82. Which column in the Applications and Threats screen includes the options Review Apps and Review Policies?
A. Features
B. Type
C. Version
D. Action - CORRECT ANSWER D
83. Which link can you select in the web interface to minimize the risk of installing new App-ID updates?
A. Enable new apps in content
B. Disable new apps in app-id database
C. Disable new apps in content
D. Enable new apps in App-ID database - CORRECT ANSWER C
Page 122
84. The Policy Optimizer does not analyze which statistics?
A. applications allowed through port-based Security Policy rules
B. the usage of existing App-IDs in Security Policy rules
C. existing Security Policy rule App-IDs that have not matched processed traffic
D. days since the latest new application discovery in a port-based Security Policy rule - CORRECT ANSWER B
85. Which two protocols are implicitly allowed when you select the facebook-base application? (Choose two.)
A. web-browsing
B. chat
C. gaming
D. ssl - CORRECT ANSWER AD
86. What are two benefits of Vulnerability Protection Security Profiles? (Choose two.)
A. prevent compromised hosts from trying to communicate with external C2C servers
B. protect against viruses, worms, and Trojans
C. prevent exploitation of system flaws
D. prevent unauthorized access to systems - CORRECT ANSWER CD
87. Which two actions are available for Antivirus Security Profiles? (Choose two.)
A. continue
B. allow
C. block IP
D. alert - CORRECT ANSWER BD
Page 136
(Default, Allow, Alert, Drop, Reset Client, Reset Server, Reset Both)
88. Which two HTTP Header Logging options are within a URL Filtering Profile? (Choose two.)
A. User-Agent
B. Safe Search
C. URL redirection
D. X-Forwarded-For - CORRECT ANSWER AD
89. What are the two components of Denial-of-Service Protection? (Choose two.)
A. Zone Protection Profile
B. DoS Protection Profile and policy rules
C. flood protection
D. reconnaissance protection - CORRECT ANSWER AB
Page 153
90. Which actions are required to implement DNS security inspections of traffic? (Choose two.)
A. add an Anti-Spyware Security Profile with DNS remediations to a Security policy
B. enabled Advanced DNS Security check box in General Settings
C. configure an Anti-Spyware Security Profile with DNS remediations
D. enter the address for the Secure DNS Service in the firewall's DNS settings - CORRECT ANSWER AC
91. Which two types of attacks does the PAN-DB prevent? (Choose two.)
A. phishing sites
B. HTTP based command-and-control
C. infected JavaScript
D. flood attacks - CORRECT ANSWER AB
92. Which two valid URLs can be used in a custom URL category? (Choose two.)
A. ww.youtube.**
B. www.* *.com
C. www.youtube.com
D. *.youtube.com - CORRECT ANSWER CD
93. What are three methods of mapping usernames to IP addresses? (Choose three.)
A. Server Monitoring
B. Traps
C. syslog
D. AutoFocus
E. port mapping - CORRECT ANSWER ACE
94. Which type of Server Profile is used to create group mappings?
A. RADIUS
B. TACACS+
C. Kerberos
D. LDAP - CORRECT ANSWER D
95. The Server Monitoring user mapping method can monitor which three types of servers? (Choose three.)
A. RADIUS
B. Microsoft Domain Controllers
C. Exchange Servers
D. Novell eDirectory Servers
E. Syslog - CORRECT ANSWER BCD
Page 166
96. The Port Mapping user mapping method can monitor which two types of environments? (Choose two.)
A. Citrix
B. Microsoft terminal servers
C. Exchange Servers
D. Linux servers - CORRECT ANSWER AB
97. The Windows User-ID Agent can be installed on which two operating systems? (Choose two.)
A. Linux
B. Server 2016
C. XP
D. Server 2008 - CORRECT ANSWER BD
98. A Heatmap provides an adoption rate for which three features? (Choose three.)
A. WildFire
B. Traps
C. File Blocking
D. User-ID
E. Authentication Profiles - CORRECT ANSWER ACD
99. What are three Best Practice Assessment tool primary categories? (Choose three.)
A. Logging
B. Vulnerability Protection
C. Security
D. Decryption
E. DoS Protection - CORRECT ANSWER CDE
100. Which two security features normally do not achieve an adoption rate of 100%? (Choose two.)
A. URL Filtering
B. App-ID
C. Logging
D. DNS Sinkhole - CORRECT ANSWER AD
101. Which type of file is used to generate the Heatmap report and the BPA report?
A. Technical Support
B. Configuration
C. Statistics
D. XML - CORRECT ANSWER A
102. What are two components of the BPA tool? (Choose two.)
A. Security Policy Adoption Heatmap
B. BPA
C. XML
D. Security policy - CORRECT ANSWER AB
How do these different methods track users?
Server Monitoring
Port Mapping
Syslog
XFF Headers
Authentication Policy and Captive Portals
GlobalProtect VPN
XML API
Client Probing - CORRECT ANSWER Server Monitoring - Microsoft Domain Controllers, Exchange, or Novell eDirectory Servers
Port Mapping - Uses Source Port via an installed agent
Syslog - Windows User-ID agent parses through syslogs
XFF Headers - Used with proxy servers. Includes the original Source IP in an extra header.
Authentication Policy and Captive Portal - Credentials entered are used
GlobalProtect VPN - Credentials are used to track user
XML API - 3rd Party VPNs or 802.1x wireless networks
Client Probing - Probes clients using WMI or NetBIOS
(PAGE 166)
What is the difference between a Zone Protection Profile and a DoS Protection Profile? - CORRECT ANSWER A Zone Protection Profile is used to protect an entire zone against DoS attacks.
A DoS Protection Profile is used to protect specific devices against DoS attacks.
Page 158-159
True/False. Palo Alto provides support for inspecting Cisco TrustSec Security Group Tags. - CORRECT ANSWER True.
Page 158
What does the X-Forwarded-For option do when HTTP Header Logging is enabled? - CORRECT ANSWER Provides insight into the XFF header that preserves a client's original IP address if that client's requests went through a proxy server or NAT translation
True/False. Safe Search Enforcement is best effort. - CORRECT ANSWER True.
Page 149
The 5 spyware severity levels are: - CORRECT ANSWER Critical
High
Medium
Low
Informational
Page 145
The 3 File Blocking Actions are: - CORRECT ANSWER Alert
Block
Continue
Page 140
When choosing the "Continue" action for File Blocking, which application can only be selected?
A. ssl
B. web-browsing
C. ftp - CORRECT ANSWER B.
Page 140
True/False. Anti-Spyware Security Profiles are used to detect and stop C2C traffic. - CORRECT ANSWER True
Page 132
Which Security Profile is used to detect infected files being transferred within an application or protocol? - CORRECT ANSWER Antivirus Security Profile
Page 132
What two criteria does File-Blocking use to track and block files? - CORRECT ANSWER Application and file type
Page 132
What two types of items are analyzed by WildFire? - CORRECT ANSWER Unknown Files and URLs
Page 132
Which Antivirus, URL Filtering, and WildFire Analysis Security Profile is loaded on to the firewall by default? - CORRECT ANSWER default
Which two Anti-Spyware and Vulnerability Protection Security Profiles are loaded on to the firewall by default? - CORRECT ANSWER default and strict
Which two File Blocking Security Profiles are loaded on to the firewall by default? - CORRECT ANSWER basic file blocking
strict file blocking