PCNSA-Topic-1
Question #: 75
Topic #: 1
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be the last to block access to the URL?
A. EDL in URL Filtering Profile
B. Custom URL category in URL Filtering Profile
C. Custom URL category in Security policy rule
D. PAN-DB URL category in URL Filtering Profile
Question #: 405
Topic #: 1
Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?
A. Device > Dynamic Updates > Review App-IDs
B. Objects > Dynamic Updates > Review App-IDs
C. Objects > Dynamic Updates > Review Policies
D. Device > Dynamic Updates > Review Policies
Question #: 317
Topic #: 1
Which three management interface settings must be configured for functional dynamic updates and administrative access on a Palo Alto Networks firewall? (Choose three.)
A. NTP
B. IP address
C. MTU
D. DNS server
E. service routes
Question #: 186
Topic #: 1
A coworker found a USB labeled “confidential” in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware. The malware caused the laptop to begin infiltrating corporate data.
Which Security Profile feature could have been used to detect the malware on the laptop?
A. DNS Sinkhole
B. WildFire Analysis
C. Antivirus
D. DoS Protection
Question #: 170
Topic #: 1
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer’s Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages
Question #: 168
Topic #: 1
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)
A. Untrust (Any) to DMZ (1.1.1.100), ssh – Allow
B. Untrust (Any) to Untrust (10.1.1.1), web-browsing – Allow
C. Untrust (Any) to Untrust (10.1.1.1), ssh – Allow
D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing – Allow
E. Untrust (Any) to DMZ (1.1.1.100), web-browsing – Allow
Question #: 356
Topic #: 1
What are three DNS policy actions? (Choose three.)
A. Block
B. Allow
C. Strict
D. Sinkhole
E. Alert
Question #: 355
Topic #: 1
When configuring a security policy, what is a best practice for User-ID?
A. Use only one method for mapping IP addresses to usernames.
B. Allow the User-ID agent in zones where agents are not monitoring services.
C. Limit User-ID to users registered in an Active Directory server.
D. Deny WMI traffic from the User-ID agent to any external zone.
Question #: 406
Topic #: 1
What are three configurable interface types for a data-plane ethernet interface? (Choose three.)
A. VWire
B. Layer 2
C. Management
D. HSCI
E. Layer 3
Question #: 209
Topic #: 1
What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)
A. firewall logs
B. custom API scripts
C. Security Information and Event Management Systems (SIEMS), such as Splunk
D. biometric scanning results from iOS devices
E. DNS Security service
Question #: 208
Topic #: 1
What are the three DNS Security categories available to control DNS traffic? (Choose three.)
A. Parked Domains
B. Spyware Domains
C. Vulnerability Domains
D. Phishing Domains
E. Malware Domains
Question #: 350
Topic #: 1
Where can you apply URL Filtering policy in a Security policy rule?
A. Within the applications selection
B. Within a destination address
C. Within a service type
D. Within the actions tab
Question #: 15
Topic #: 1
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
A. on either the data plane or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic.
Question #: 11
Topic #: 1
Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?
A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent
Question #: 271
Topic #: 1
An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240 addresses and found that connections from addresses that needed new translations were being dropped.
Which type of NAT was configured?
A. Dynamic IP
B. Static IP
C. Dynamic IP and Port
D. Destination NAT
Question #: 288
Topic #: 1
By default, which action is assigned to the interzone-default rule?
A. Allow
B. Deny
C. Reset-client
D. Reset-server
Question #: 284
Topic #: 1
An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile.
If a virus gets detected, how will the firewall handle the traffic?
A. It allows the traffic but generates an entry in the Threat logs.
B. It drops the traffic because the profile was not set to explicitly allow the traffic.
C. It allows the traffic because the profile was not set to explicitly deny the traffic.
D. It uses the default action assigned to the virus signature.
Question #: 298
Topic #: 1
Which rule type is appropriate for matching traffic occurring within a specified zone?
A. Universal
B. Shadowed
C. Intrazone
D. Interzone
Question #: 295
Topic #: 1
What must exist in order for the firewall to route traffic between Layer 3 interfaces?
A. Virtual router
B. Virtual wires
C. Traffic Distribution profile
D. VLANs
Question #: 291
Topic #: 1
Where within the firewall GUI can all existing tags be viewed?
A. Policies > Tags
B. Network > Tags
C. Objects > Tags
D. Monitor > Tags
Question #: 308
Topic #: 1
An administrator is trying to understand which NAT policy is being matched.
In what order does the firewall evaluate NAT policies?
A. Dynamic IP and Port first, then Static, and finally Dynamic IP
B. From top to bottom
C. Static NAT rules first, then top down
D. Static NAT rules first, then Dynamic
Question #: 307
Topic #: 1
When a security rule is configured as Intrazone, which field cannot be changed?
A. Destination Zone
B. Actions
C. Source Zone
D. Application
Question #: 303
Topic #: 1
An administrator is creating a Security policy rule and sees that the destination zone is grayed out.
While creating the rule, which option was selected to cause this?
A. Interzone
B. Source zone
C. Universal (default)
D. Intrazone
Question #: 301
Topic #: 1
Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?
A. Tap
B. Virtual Wire
C. Layer 2
D. Layer 3
Question #: 319
Topic #: 1
An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the rule type from its default value.
What type of Security policy rule is created?
A. Intrazone
B. Interzone
C. Universal
D. Tagged
Question #: 340
Topic #: 1
Which setting is available to edit when a tag is created on the local firewall?
A. Color
B. Location
C. Order
D. Priority
Question #: 339
Topic #: 1
Given the network diagram, which two statements are true about traffic between the User and Server networks? (Choose two.)
A. Traffic is permitted through the default Intrazone “allow” rule.
B. Traffic restrictions are not possible because the networks are in the same zone.
C. Traffic is permitted through the default Interzone “allow” rule.
D. Traffic restrictions are possible by modifying Intrazone rules.
Question #: 337
Topic #: 1
What is considered best practice with regards to committing configuration changes?
A. Wait until all running and pending jobs are finished before committing.
B. Export configuration after each single configuration change performed.
C. Validate configuration changes prior to committing.
D. Disable the automatic commit feature that prioritizes content database installations before committing.
Question #: 336
Topic #: 1
What is used to monitor Security policy applications and usage?
A. Security profile
B. App-ID
C. Policy-based forwarding
D. Policy Optimizer
Question #: 335
Topic #: 1
Where does a user assign a tag group to a policy rule in the policy creation window?
A. General tab
B. Usage tab
C. Application tab
D. Actions tab
Question #: 334
Topic #: 1
Application groups enable access to what?
A. Applications that are explicitly unsanctioned for use within a company
B. Applications that are not explicitly unsanctioned and that an administrator wants users to be able to access
C. Applications that are explicitly sanctioned for use within a company
D. Applications that are not explicitly sanctioned and that an administrator wants users to be able to access
Question #: 332
Topic #: 1
An administrator is troubleshooting an issue with traffic that matches the interzone-default rule, which is set to default configuration.
What should the administrator do?
A. Change the logging action on the rule
B. Tune your Traffic Log filter to include the dates
C. Refresh the Traffic Log
D. Review the System Log
Question #: 346
Topic #: 1
Ethernet 2/1 has an IP Address of 10.0.1.2 in Zone ‘trust’ (LAN).
If both interfaces are connected to the same virtual router, which IP address information will an administrator need to enter in the Destination field to access the internet?
A. 0.0.0.0
B. 10.0.2.1/32
C. 10.0.1.254/32
D. 0.0.0.0/0
Question #: 344
Topic #: 1
An administrator is troubleshooting an issue with Office365 and expects that this traffic traverses the firewall.
When reviewing Traffic Log entries, there are no logs matching traffic from the test workstation.
What might cause this issue?
A. Office365 traffic is logged in the System Log.
B. Office365 traffic is logged in the Authentication Log.
C. Traffic matches the interzone-default rule, which does not log traffic by default.
D. The firewall is blocking the traffic, and all blocked traffic is in the Threat Log.
Question #: 359
Topic #: 1
An administrator receives a notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.
Which Security Profile will detect and block access to this threat after the administrator updates the firewall’s threat signature database?
A. Vulnerability Profile applied to inbound Security policy rules
B. Antivirus Profile applied to outbound Security policy rules
C. Data Filtering Profile applied to outbound Security policy rules
D. Data Filtering Profile applied to inbound Security policy rules
Question #: 358
Topic #: 1
An administrator would like to block traffic to all high risk audio streaming applications, including new App-IDs introduced with content updates.
Which filter should the administrator configure in the application filter object?
A. The category is media, and the characteristic includes Evasive.
B. The subcategory is audio-streaming, and the risk is 1.
C. The subcategory is audio-streaming, and the risk is 5.
D. The category is media, and the tag is high risk.
Question #: 353
Topic #: 1
Which action column is available to edit in the Action tab of an Antivirus security profile?
A. Virus
B. Signature
C. Spyware
D. Trojan
Question #: 180
Topic #: 1
What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control (RBAC)? (Choose two.)
A. SAML
B. TACACS+
C. LDAP
D. Kerberos
Question #: 39
Topic #: 1
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?
A. Active Directory monitoring
B. Windows session monitoring
C. Windows client probing
D. domain controller monitoring
Question #: 36
Topic #: 1
Which administrator type utilizes predefined roles for a local administrator account?
A. Superuser
B. Role-based
C. Dynamic
D. Device administrator
Question #: 402
Topic #: 1
A network security manager is asked to save a configuration to be used after a firewall reboot.
When the configuration is ready, how should it be saved so that the changes are not lost?
A. Save named configuration snapshot.
B. Load named configuration snapshot.
C. Revert to last saved configuration.
D. Save candidate configuration.
Question #: 25
Topic #: 1
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.
Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)
A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies
Question #: 22
Topic #: 1
Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.)
A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email
Question #: 403
Topic #: 1
Which action should be taken to identify threats that have been detected by using inline cloud analysis?
A. Filter Threat logs by Type
B. Filter Threat logs by Application
C. Filter Threat logs by Action
D. Filter Threat logs by Threat Category
Question #: 400
Topic #: 1
An administrator is implementing an exception to an external dynamic list by adding an entry to the list manually. The administrator wants to save the changes, but the OK button is grayed out.
What are two possible reasons the OK button is grayed out? (Choose two.)
A. The entry matches a list entry.
B. The entry doesn’t match a list entry.
C. The entry contains wildcards.
D. The entry is duplicated.
Question #: 395
Topic #: 1
How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?
A. Select the unified log entry in the side menu.
B. Modify the number of columns visible on the page.
C. Modify the number of logs visible on each page.
D. Select the system logs entry in the side menu.
Question #: 392
Topic #: 1
In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)
A. Objects tab > Applications
B. Objects tab > Application Groups
C. Objects tab > Application Filters
D. ACC tab > Global Filters
E. Policies tab > Security
Question #: 388
Topic #: 1
In which two Security Profiles can an action equal to the block IP feature be configured? (Choose two.)
A. Antivirus
B. URL Filtering
C. Vulnerability Protection
D. Anti-spyware
Question #: 387
Topic #: 1
What are three ways application characteristics are used? (Choose three.)
A. As a setting to define a new custom application
B. As a global filter in the Application Command Center (ACC)
C. As an attribute to define an application group
D. As an object to define Security policies
E. As an attribute to define an application filter
Question #: 386
Topic #: 1
Which two features implement one-to-one translation of a source IP address while allowing the source port to change? (Choose two.)
A. Dynamic IP
B. Dynamic IP and Port (DIPP)
C. Static IP
D. Dynamic IP / Port Fallback
Question #: 384
Topic #: 1
Which order of steps is the correct way to create a static route?
A. 1) Enter the route and netmask
2) Specify the outgoing interface for packets to use to go to the next hop
3) Enter the IP address for the specific next hop
4) Add an IPv4 or IPv6 route by name
B. 1) Enter the IP address for the specific next hop
2) Add an IPv4 or IPv6 route by name
3) Enter the route and netmask
4) Specify the outgoing interface for packets to use to go to the next hop
C. 1) Enter the route and netmask
2) Enter the IP address for the specific next hop
3) Specify the outgoing interface for packets to use to go to the next hop
4) Add an IPv4 or IPv6 route by name
D. 1) Enter the IP address for the specific next hop
2) Enter the route and netmask
3) Add an IPv4 or IPv6 route by name
4) Specify the outgoing interface for packets to use to go to the next hop
Question #: 380
Topic #: 1
What are the two main reasons a custom application is created? (Choose two.)
A. To change the default categorization of an application
B. To visually group similar applications
C. To correctly identify an internal application in the traffic log
D. To reduce unidentified traffic on a network
Question #: 369
Topic #: 1
An administrator reads through the following Applications and Threats Content Release Notes before an update:
Which rule would continue to allow the file upload to confluence after the update?
A.
B.
C.
D.
Question #: 320
Topic #: 1
What do application filters help provide access to?
A. Applications that are explicitly sanctioned for use within a company
B. Applications that are not explicitly sanctioned and that a company wants users to be able to access
C. Applications that are explicitly unsanctioned for use within a company
D. Applications that are not explicitly unsanctioned and that a company wants users to be able to access
Question #: 293
Topic #: 1
To enable DNS sinkholing, which two addresses should be reserved? (Choose two.)
A. MAC
B. IPv6
C. Email
D. IPv4
Question #: 269
Topic #: 1
A website is unexpectedly allowed due to miscategorization.
What are two ways to resolve this issue for a proper response? (Choose two.)
A. Create a URL category and assign the affected URL.
Update the active URL Filtering profile site access setting for the custom URL category to block.
B. Review the categorization of the website on https://urlfiltering.paloaltonetworks.com.
Submit for “request change”, identifying the appropriate categorization, and wait for confirmation before testing again.
C. Identify the URL category being assigned to the website.
Edit the active URL Filtering profile and update that category’s site access settings to block.
D. Create a URL category and assign the affected URL.
Add a Security policy with a URL category qualifier of the custom URL category below the original policy.
Set the policy action to Deny.
Question #: 258
Topic #: 1
What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)
A. Configure a URL Filtering profile
B. Train your staff to be security aware.
C. Plan for mobile-employee risk.
D. Rely on a DNS resolver.
E. Implement a threat intel program.
Question #: 233
Topic #: 1
An administrator is creating a NAT policy.
Which combination of address and zone are used as match conditions? (Choose two.)
A. Pre-NAT address
B. Pre-NAT zone
C. Post-NAT address
D. Post-NAT zone
Question #: 217
Topic #: 1
An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.
Which two fields could help in determining if this is normal? (Choose two.)
A. IP Protocol
B. Packets sent/received
C. Decrypted
D. Action
Question #: 214
Topic #: 1
What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?
A. You can specify the location as pre- or post-rules to push policy rules
B. You can specify the firewalls in a device group to which to push policy rules
C. Doing so provides audit information prior to making changes for selected policy rules
D. Doing so limits the templates that receive the policy rules
Question #: 203
Topic #: 1
An administrator would like to determine the default deny action for the application dns-over-https.
Which action would yield the information?
A. View the application details in beacon.paloaltonetworks.com
B. Check the action for the Security policy matching that traffic
C. Check the action for the decoder in the antivirus profile
D. View the application details in Objects > Applications
Question #: 200
Topic #: 1
An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains.
Which type of single, unified engine will get this result?
A. Content ID
B. App-ID
C. Security Processing Engine
D. User-ID
Question #: 166
Topic #: 1
URL categories can be used as match criteria on which two policy types? (Choose two.)
A. authentication
B. decryption
C. application override
D. NAT
Question #: 159
Topic #: 1
During the packet flow process, which two processes are performed in application identification? (Choose two.)
A. pattern based application identification
B. application override policy match
C. session application identified
D. application changed from content inspection
Question #: 151
Topic #: 1
You receive notification about new malware that infects hosts through malicious files transferred by FTP.
Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?
A. URL Filtering profile applied to inbound Security policy rules.
B. Data Filtering profile applied to outbound Security policy rules.
C. Antivirus profile applied to inbound Security policy rules.
D. Vulnerability Protection profile applied to outbound Security policy rules.
Question #: 145
Topic #: 1
An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop.
If the application’s default deny action is reset-both, what action does the firewall take?
A. It silently drops the traffic.
B. It silently drops the traffic and sends an ICMP unreachable code.
C. It sends a TCP reset to the server-side device.
D. It sends a TCP reset to the client-side and server-side devices.
Question #: 144
Topic #: 1
Selecting the option to revert firewall changes will replace what settings?
A. the candidate configuration with settings from the running configuration
B. dynamic update scheduler settings
C. the running configuration with settings from the candidate configuration
D. the device state with settings from another configuration
Question #: 126
Topic #: 1
An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.
What is the correct process to enable this logging?
A. Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.
B. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.
C. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.
D. This rule has traffic logging enabled by default; no further action is required.
Question #: 115
Topic #: 1
You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall’s threat signature database?
A. Data Filtering Profile applied to outbound Security policy rules
B. Antivirus Profile applied to outbound Security policy rules
C. Data Filtering Profile applied to inbound Security policy rules
D. Vulnerability Protection Profile applied to inbound Security policy rules
Question #: 71
Topic #: 1
How do you reset the hit count on a Security policy rule?
A. Select a Security policy rule, and then select Hit Count > Reset.
B. Reboot the data-plane.
C. First disable and then re-enable the rule.
D. Type the CLI command reset hitcount <POLICY-NAME>.
Question #: 82
Topic #: 1
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
A. GlobalProtect agent
B. XML API
C. User-ID Windows-based agent
D. log forwarding auto-tagging
Question #: 81
Topic #: 1
Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0? (Choose two.)
A. It is automatically enabled and configured.
B. It eliminates the need for dynamic DNS updates.
C. It functions like PAN-DB and requires activation through the app portal.
D. It removes the 100K limit for DNS entries for the downloaded DNS updates.
Question #: 66
Topic #: 1
Which path in PAN-OS 9.0 displays the list of port-based security policy rules?
A. Policies > Security > Rule Usage > No App Specified
B. Policies > Security > Rule Usage > Port only specified
C. Policies > Security > Rule Usage > Port-based Rules
D. Policies > Security > Rule Usage > Unused Apps
Question #: 84
Topic #: 1
You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?
A. virtual router
B. Admin Role profile
C. DNS proxy
D. service route
Question #: 80
Topic #: 1
In which profile should you configure the DNS Security feature?
A. Anti-Spyware Profile
B. Zone Protection Profile
C. Antivirus Profile
D. URL Filtering Profile
Question #: 8
Topic #: 1
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List
Question #: 3
Topic #: 1
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications