PCNSA-Topic-2
Question #: 404
Topic #: 1
What are three valid source or destination conditions available as Security policy qualifiers? (Choose three.)
A. Zone
B. Service
C. User
D. Application
E. Address
Question #: 398
Topic #: 1
Which security profile should be used to classify malicious web content?
A. URL Filtering
B. Web Content
C. Antivirus
D. Vulnerability Protection
Question #: 374
Topic #: 1
What are three advantages of user-to-group mapping? (Choose three.)
A. It does not require additional objects to be configured.
B. It does not require a Server profile.
C. It simplifies user administration.
D. It automatically adds new users to the appropriate group.
E. It allows an administrator to write more granular policies.
Question #: 366
Topic #: 1
An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ or Untrust zones.
The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where the source and destination zones are VPN.
Which Security policy rule type should they use?
A. Interzone
B. Universal
C. Intrazone
D. Default
Question #: 365
Topic #: 1
What are the two ways to implement an exception to an external dynamic list? (Choose two.)
A. Edit the external dynamic list by removing the entries to exclude.
B. Select the entries to exclude from the List Entries list.
C. Manually add an entry to the Manual Exceptions list.
D. Edit the external dynamic list by adding the “-” symbol before the entries to exclude.
Question #: 357
Topic #: 1
Which System log severity level would be displayed as a result of a user password change?
A. Low
B. Medium
C. High
D. Critical
Question #: 351
Topic #: 1
Which interface types are assigned to IEEE 802.1Q VLANs?
A. Tunnel interfaces
B. Layer 2 subinterfaces
C. Layer 3 subinterfaces
D. Loopback interfaces
Question #: 347
Topic #: 1
Where within the URL Filtering security profile must a user configure the action to prevent credential submissions?
A. URL Filtering > Categories
B. URL Filtering > URL Filtering Settings
C. URL Filtering > Inline Categorization
D. URL Filtering > HTTP Header Insertion
Question #: 341
Topic #: 1
With the PAN-OS 11.0 Nova release, which two attack options can new inline deep learning analysis engines detect and prevent? (Choose two.)
A. Command injection attacks
B. SSL attacks
C. SQL injection attacks
D. HTTP attacks
Question #: 328
Topic #: 1
Which three types of entries can be excluded from an external dynamic list? (Choose three.)
A. IP addresses
B. Applications
C. User-ID
D. Domains
E. URLs
Question #: 326
Topic #: 1
Which verdict may be assigned to a WildFire sample?
A. Phishing
B. Spyware
C. PUP
D. Malware
Question #: 324
Topic #: 1
Which Security policy action will message a user’s browser that their web session has been terminated?
A. Reset client
B. Deny
C. Drop
D. Reset server
Question #: 321
Topic #: 1
What is the function of an application group object?
A. It contains applications that you want to treat similarly in policy
B. It groups applications dynamically based on application attributes that you define
C. It represents specific ports and protocols for an application
D. It identifies the purpose of a rule or configuration object and helps you better organize your rulebase
Question #: 318
Topic #: 1
How does the Policy Optimizer policy view differ from the Security policy view?
A. It provides sorting options that do not affect rule order
B. It specifies applications seen by rules
C. It displays rule utilization
D. It details associated zones
Question #: 315
Topic #: 1
Within the WildFire Analysis profile, which three items are configurable? (Choose three.)
A. FileType
B. Direction
C. Service
D. Application
E. Objects
Question #: 314
Topic #: 1
The Net Sec Manager asked to create a new Firewall Operator profile with customized privileges.
In particular, the new firewall operator should be able to:
Check the configuration with read-only privilege for LDAP, RADIUS, TACACS+, and SAML as Server profiles to be used inside an Authentication profile.
The firewall operator should not be able to access anything else.
What is the right path in order to configure the new firewall Administrator Profile?
A. Device > Admin Roles > Add > Web UI > Device > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else
B. Device > Admin Roles > Add > Web UI > Objects > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else
C. Device > Admin Roles > Add > Web UI > Objects > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else
D. Device > Admin Roles > Add > Web UI > Device > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else
Question #: 313
Topic #: 1
What are the two types of Administrator accounts? (Choose two.)
A. Role Based
B. Superuser
C. Dynamic
D. Local
Question #: 310
Topic #: 1
Which rule type is appropriate for matching traffic occurring within a specified zone?
How should the administrator configure the firewall to restrict users to specific email applications?
A. Create an application filter and filter it on the collaboration category.
B. Create an application filter and filter it on the collaboration category, email subcategory.
C. Create an application group and add the email applications to it.
D. Create an application group and add the email category to it.
Question #: 309
Topic #: 1
Which policy set should be used to ensure that a policy is applied just before the default security rules?
A. Shared post-rulebase
B. Local firewall policy
C. Parent device-group post-rulebase
D. Child device-group post-rulebase
Question #: 305
Topic #: 1
Where in Panorama would Zone Protection profiles be configured?
A. Templates
B. Device Groups
C. Shared
D. Panorama tab
Question #: 304
Topic #: 1
How many levels can there be in a device-group hierarchy, below the shared level?
A. 2
B. 3
C. 4
D. 5
Question #: 302
Topic #: 1
What is a valid Security Zone type in PAN-OS?
A. Management
B. Logical
C. Transparent
D. Tap
Question #: 299
Topic #: 1
Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)
A. Pre-NAT address
B. Post-NAT address
C. Pre-NAT zone
D. Post-NAT zone
Question #: 297
Topic #: 1
In which threat profile object would you configure the DNS Security service?
A. Antivirus
B. Anti-Spyware
C. WildFire
D. URL Filtering
Question #: 296
Topic #: 1
Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?
A. Panorama > Device Deployment > Dynamic Updates > Schedules > Add
B. Panorama > Device Deployment > Content Updates > Schedules > Add
C. Panorama > Dynamic Updates > Device Deployment > Schedules > Add
D. Panorama > Content Updates > Device Deployment > Schedules > Add
Question #: 294
Topic #: 1
A NetSec manager was asked to create a new firewall administrator profile with customized privileges. The new firewall administrator must be able to download TSF File and Stats Dump File but must not be able to reboot the device.
Where does the NetSec manager go to configure the new firewall administrator role profile?
A. Device > Admin Roles > Add > XML API > Configuration
B. Device > Admin Roles > Add > XML API > Operational Request
C. Device > Admin Roles > Add > Web UI > Support
D. Device > Admin Roles > Add > Web UI > Operations
Question #: 292
Topic #: 1
What is the Anti-Spyware Security profile default action?
A. Sinkhole
B. Reset-client
C. Drop
D. Reset-both
Question #: 283
Topic #: 1
If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?
A. Source Zone: Trusted
Destination Zone: DMZ
Services: SSH
Applications: Any
Action: Allow
B. Source Zone: Trusted
Destination Zone: DMZ
Services: Application-Default
Applications: SSH
Action: Allow
C. Source Zone: Trusted
Destination Zone: DMZ
Services: Application-Default
Applications: SSH
Action: Deny
D. Source Zone: Trusted
Destination Zone: DMZ
Services: SSH
Applications: Any
Action: Deny
Question #: 282
Topic #: 1
An administrator configured a Security policy rule where the matching condition includes a single application and the action is set to deny.
What deny action will the firewall perform?
A. Discard the session’s packets and send a TCP reset packet to let the client know the session has been terminated
B. Drop the traffic silently
C. Perform the default deny action as defined in the App-ID database for the application
D. Send a TCP reset packet to the client- and server-side devices
Question #: 279
Topic #: 1
An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.
Which Security profile should be used?
A. Vulnerability protection
B. Anti-spyware
C. URL filtering
D. Antivirus
Question #: 275
Topic #: 1
With the DNS Security subscription, when will the cloud-based signature database provide users access to newly added DNS signatures?
A. Within five minutes, after downloading updates
B. Instantly, after downloading updates
C. Within five minutes, without downloading updates
D. Instantly, without downloading updates
Question #: 274
Topic #: 1
Which type of policy allows an administrator to both enforce rules and take action?
A. Authentication
B. Security
C. NAT
D. Decryption
Question #: 265
Topic #: 1
An administrator is trying to implement an exception to an external dynamic list manually. Some entries are shown underlined in red.
What would cause this error?
A. Entries contain symbols.
B. Entries are wildcards.
C. Entries contain regular expressions.
D. Entries are duplicated.
Question #: 157
Topic #: 1
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
A. Disable automatic updates during weekdays
B. Automatically “download and install” but with the “disable new applications” option used
C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update
D. Configure the option for “Threshold”
Question #: 401
Topic #: 1
Which three Ethernet interface types are configurable on the Palo Alto Networks firewall? (Choose three.)
A. Static
B. Tap
C. Dynamic
D. Layer 3
E. Virtual Wire
Question #: 53
Topic #: 1
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall’s signature database has been updated?
A. antivirus profile applied to outbound security policies
B. data filtering profile applied to inbound security policies
C. data filtering profile applied to outbound security policies
D. vulnerability profile applied to inbound security policies
Question #: 399
Topic #: 1
A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition, the configuration was not saved prior to making the changes.
Which action will allow the administrator to undo the changes?
A. Revert to running configuration.
B. Load named configuration snapshot, and choose the first item on the list.
C. Revert to last saved configuration.
D. Load configuration version, and choose the first item on the list.
Question #: 397
Topic #: 1
Which step is mandatory to create a static route in PAN-OS?
A. Apply the autonomous system number.
B. Specify the outgoing interface.
C. Select the dynamic routing protocol.
D. Select the virtual router.
Question #: 377
Topic #: 1
Which two statements correctly describe how pre-rules and local device rules are viewed and modified? (Choose two.)
A. Pre-rules can be modified by the local administrator or by a Panorama administrator who has switched to a local firewall.
B. Pre-rules and local device rules can be modified in Panorama.
C. Pre-rules can be viewed on managed firewalls.
D. Pre-rules are modified in Panorama only, and local device rules are modified on local firewalls only.
Question #: 396
Topic #: 1
Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate username and the associated password?
A. Group Mapping
B. Domain Credential
C. Valid Username Detected Log Severity
D. IP User
Question #: 391
Topic #: 1
Which profile should be used to obtain a verdict regarding analyzed files?
A. Advanced threat prevention
B. Vulnerability profile
C. WildFire analysis
D. Content-ID
Question #: 255
Topic #: 1
Which statement is true regarding NAT rules?
A. Translation of the IP address and port occurs before security processing.
B. Firewall supports NAT on Layer 3 interfaces only.
C. Static NAT rules have precedence over other forms of NAT.
D. NAT rules are processed in order from top to bottom.
Question #: 393
Topic #: 1
Where within the firewall GUI can an administrator create a local user database?
A. Device > Local User Database > Guests
B. Device > Local User Database > End Users
C. Device > Local User Database > Admins
D. Device > Local User Database > Users
Question #: 163
Topic #: 1
According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
A. by minute
B. hourly
C. daily
D. weekly
Question #: 13
Topic #: 1
Which statement is true regarding a Best Practice Assessment?
A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
Question #: 352
Topic #: 1
Which three factors can be used to create malware based on domain generation algorithms? (Choose three.)
A. Time of day
B. URL custom categories
C. Other unique values
D. Cryptographic keys
E. IP address
Question #: 27
Topic #: 1
Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the User-ID agent
A. 2-3-4-1
B. 1-4-3-2
C. 3-1-2-4
D. 1-3-2-4
Question #: 61
Topic #: 1
Which Security Profile mitigates attacks based on packet count?
A. zone protection profile
B. URL filtering profile
C. antivirus profile
D. vulnerability profile
Question #: 57
Topic #: 1
What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?
A. every 30 minutes
B. every 5 minutes
C. every 24 hours
D. every 1 minute
Question #: 220
Topic #: 1
What are three valid ways to map an IP address to a username? (Choose three.)
A. a user connecting into a GlobalProtect gateway using a GlobalProtect Agent
B. WildFire verdict reports
C. DHCP Relay logs
D. using the XML API
E. usernames inserted inside HTTP Headers
Question #: 390
Topic #: 1
In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?
A. Network
B. Policies
C. Objects
D. Device
Question #: 300
Topic #: 1
If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?
A. Some traffic between A & B
B. Some traffic within A
C. All traffic within zones A & B
D. Some traffic within B
Question #: 254
Topic #: 1
What are the two default behaviors for the intrazone-default policy? (Choose two.)
A. Allow
B. Log at Session End
C. Deny
D. Logging disabled
Question #: 68
Topic #: 1
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
A. Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces
Question #: 41
Topic #: 1
Given the image, which two options are true about the Security policy rules? (Choose two.)
A. The Allow-Office-Programs rule is using an Application Filter.
B. In the Allow-FTP policy, FTP is allowed using App-ID.
C. The Allow-Office-Programs rule is using an Application Group.
D. The Allow-Social-Media rule allows all of Facebook’s functions.
Question #: 290
Topic #: 1
An administrator is updating Security policy to align with best practices.
Which Policy Optimizer feature is shown in the screenshot below?
A. Rules without App Controls
B. New App Viewer
C. Rule Usage – Unused
D. Unused Apps