PCNSA-Topic-3
Question #: 227
Topic #: 1
When creating an Admin Role profile, if no changes are made, which two administrative methods will you have full access to? (Choose two.)
A. web UI
B. XML API
C. command line
D. REST API
Question #: 2
Topic #: 1
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?
A. management
B. network processing
C. data
D. security processing
Question #: 132
Topic #: 1
Which action results in the firewall blocking network traffic without notifying the sender?
A. Drop
B. Deny
C. No notification
D. Reset Client
Question #: 111
Topic #: 1
The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other websites also listed in the URL filtering “gambling” category.
Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the “gambling” URL category?
A. Add just the URL www.powerball.com to a Security policy allow rule.
B. Manually remove powerball.com from the gambling URL category.
C. Add *.powerball.com to the URL Filtering allow list.
D. Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.
Question #: 44
Topic #: 1
Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)
A. Path monitoring does not determine if route is useable.
B. Route with highest metric is actively used.
C. Path monitoring determines if route is useable.
D. Route with lowest metric is actively used.
Question #: 26
Topic #: 1
At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?
A. Delivery
B. Reconnaissance
C. Command and Control
D. Exploitation
Question #: 198
Topic #: 1
What allows a security administrator to preview the Security policy rules that match new application signatures?
A. Policy Optimizer–New App Viewer
B. Dynamic Updates–Review App
C. Review Release Notes
D. Dynamic Updates–Review Policies
Question #: 7
Topic #: 1
Which option shows the attributes that are selectable when setting up application filters?
A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology
Question #: 173
Topic #: 1
Which information is included in device state other than the local configuration?
A. uncommitted changes
B. audit logs to provide information of administrative account changes
C. system logs to provide information of PAN-OS changes
D. device group and template settings pushed from Panorama
Question #: 360
Topic #: 1
The NetSec Manager asked to create a new firewall Local Administrator profile with customized privileges named New_Admin. This new administrator has to authenticate without inserting any username or password to access the WebUI.
What steps should the administrator follow to create the New_Admin Administrator profile?
A. 1. Set the Authentication profile to Local.
2. Select the “Use only client certificate authentication” check box.
3. Set Role to Role Based.
B. 1. Select the “Use only client certificate authentication” check box.
2. Set Role to Dynamic.
3. Issue to the Client a Certificate with Certificate Name = New Admin
C. 1. Select the “Use only client certificate authentication” check box.
2. Set Role to Dynamic.
3. Issue to the Client a Certificate with Common Name = New_Admin
D. 1. Select the “Use only client certificate authentication” check box.
2. Set Role to Role Based.
3. Issue to the Client a Certificate with Common Name = New Admin
Question #: 238
Topic #: 1
All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.
Complete the empty field in the Security policy using an application object to permit only this type of access.
Source Zone: Internal
Destination Zone: DMZ Zone
Application: __________
Service: application-default
Action: allow
A. Application = “any”
B. Application = “web-browsing”
C. Application = “ssl”
D. Application = “http”
Question #: 189
Topic #: 1
Which statement best describes a common use of Policy Optimizer?
A. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.
B. Policy Optimizer can display which Security policies have not been used in the last 90 days.
C. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.
D. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.
Question #: 195
Topic #: 1
According to best practices, how frequently should WildFire updates be made to perimeter firewalls?
A. every 10 minutes
B. every minute
C. every 5 minutes
D. in real time
Question #: 24
Topic #: 1
Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers
Question #: 160
Topic #: 1
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
A. Untrust (any) to DMZ (10.1.1.100), web browsing – Allow
B. Untrust (any) to Untrust (1.1.1.100), web browsing – Allow
C. Untrust (any) to Untrust (10.1.1.100), web browsing – Allow
D. Untrust (any) to DMZ (1.1.1.100), web browsing – Allow
Question #: 16
Topic #: 1
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?
A. Translation Type
B. Interface
C. Address Type
D. IP Address
Question #: 239
Topic #: 1
An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established connections to remote systems.
From the Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to prevent such connections?
A. Set the hacking category to continue.
B. Set the phishing category to override.
C. Set the malware category to block.
D. Set the Command and Control category to block.
Question #: 10
Topic #: 1
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
Question #: 169
Topic #: 1
Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to exploit system flaws?
A. URL filtering
B. vulnerability protection
C. file blocking
D. anti-spyware
Question #: 349
Topic #: 1
Which two Security profile actions can only be applied to DoS Protection profiles? (Choose two.)
A. Reset-server
B. Reset-both
C. SYN cookies
D. Random Early Drop
Question #: 229
Topic #: 1
Which list of actions properly defines the order of steps needed to add a local database user account and create a new group to which this user will be assigned?
A. 1. Navigate to Device > Local User Database > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
B. 1. Navigate to Device > Authentication Profile > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
C. 1. Navigate to Device > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
D. 1. Navigate to Device > Admins and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
Question #: 287
Topic #: 1
An administrator is troubleshooting an issue with an accounts payable application.
Which log setting could be temporarily configured to improve visibility?
A. Log at Session Start and Log at Session End both enabled
B. Log at Session Start and Log at Session End both disabled
C. Log at Session Start enabled, Log at Session End disabled
D. Log at Session Start disabled, Log at Session End enabled
Question #: 5
Topic #: 1
Which two configuration settings shown are not the default? (Choose two.)
A. Enable Security Log
B. Server Log Monitor Frequency (sec)
C. Enable Session
D. Enable Probing
Question #: 123
Topic #: 1
Which tab would an administrator click to create an address object?
A. Objects
B. Monitor
C. Device
D. Policies
Question #: 323
Topic #: 1
Which type of DNS signatures are used by the firewall to identify malicious and command-and-control domains?
A. DNS Malicious signatures
B. DNS Security signatures
C. DNS Malware signatures
D. DNS Block signatures
Question #: 94
Topic #: 1
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
A. The User-ID agent is connected to a domain controller labeled lab-client.
B. The host lab-client has been found by the User-ID agent.
C. The host lab-client has been found by a domain controller.
D. The User-ID agent is connected to the firewall labeled lab-client.
Question #: 367
Topic #: 1
An administrator is reviewing the Security policy rules shown in the screenshot.
Why are the two fields in the Security policy EDL-Deny highlighted in red?
A. Because antivirus inspection is enabled for this policy
B. Because the destination zone, address, and device are all “any”
C. Because the action is Deny
D. Because the Security-EDL tag has been assigned the red color
Question #: 194
Topic #: 1
An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone.
The administrator does not want to allow traffic between the DMZ and LAN zones.
Which Security policy rule type should they use?
A. interzone
B. intrazone
C. default
D. universal
Question #: 181
Topic #: 1
Which administrative management services can be configured to access a management interface?
A. HTTPS, HTTP, CLI, API
B. HTTPS, SSH, telnet, SNMP
C. SSH, telnet, HTTP, HTTPS
D. HTTP, CLI, SNMP, HTTPS
Question #: 108
Topic #: 1
At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?
A. after clicking Check Now in the Dynamic Update window
B. after committing the firewall configuration
C. after installing the update
D. after downloading the update
Question #: 52
Topic #: 1
Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?
A. Aperture
B. AutoFocus
C. Panorama
D. GlobalProtect
Question #: 51
Topic #: 1
The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.
Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)
A. Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow.
B. Manually remove powerball.com from the gambling URL category.
C. Add *.powerball.com to the allow list
D. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.
Question #: 50
Topic #: 1
Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)
A. User identification
B. Filtration protection
C. Vulnerability protection
D. Antivirus
E. Application identification
F. Anti-spyware
Question #: 48
Topic #: 1
Which Palo Alto Networks component provides consolidated policy creation and centralized management?
A. GlobalProtect
B. Panorama
C. Prisma SaaS
D. AutoFocus
Question #: 45
Topic #: 1
Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine.
A. Exploitation
B. Installation
C. Reconnaissance
D. Act on Objective
Question #: 42
Topic #: 1
Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?
A. global
B. intrazone
C. interzone
D. universal
Question #: 373
Topic #: 1
An administrator wants to enable users to access retail websites that are considered minimum risk.
Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)
A. e-commerce
B. known-good
C. shopping
D. low-risk
Question #: 378
Topic #: 1
The administrator profile “SYS01 Admin” is configured with authentication profile “Authentication Sequence SYS01,” and the authentication sequence SYS01 has a profile list with four authentication profiles:
• Auth Profile LDAP
• Auth Profile Radius
• Auth Profile Local
• Auth Profile TACACS
After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the “SYS01 Admin” username and password.
What is the “SYS01 Admin” login capability after the outage?
A. Auth KO because RADIUS server lost user and password for SYS01 Admin
B. Auth OK because of the Auth Profile TACACS
C. Auth OK because of the Auth Profile Local
D. Auth KO because LDAP server is not reachable
Question #: 381
Topic #: 1
By default, what is the maximum number of templates that can be added to a template stack?
A. 6
B. 8
C. 10
D. 12
Question #: 382
Topic #: 1
What does rule shadowing in Security policies do?
A. It shows rules with the same Source Zones and Destination Zones.
B. It indicates that a broader rule matching the criteria is configured above a more specific rule.
C. It indicates rules with App-ID that are not configured as port-based.
D. It shows rules that are missing Security profile configurations.
Question #: 383
Topic #: 1
Which two types of profiles are needed to create an authentication sequence? (Choose two.)
A. Security profile
B. Authentication profile
C. Server profile
D. Interface Management profile
Question #: 389
Topic #: 1
When is an event displayed under threat logs?
A. When traffic matches a corresponding Security Profile
B. When traffic matches any Security policy
C. Every time a session is blocked
D. Every time the firewall drops a connection
Question #: 118
Topic #: 1
Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?
A. URL filtering
B. vulnerability protection
C. anti-spyware
D. antivirus
Question #: 285
Topic #: 1
An administrator needs to allow users to use only certain email applications.
How should the administrator configure the firewall to restrict users to specific email applications?
A. Create an application filter and filter it on the collaboration category.
B. Create an application filter and filter it on the collaboration category, email subcategory.
C. Create an application group and add the email applications to it.
D. Create an application group and add the email category to it.
Question #: 379
Topic #: 1
Which three types of Source NAT are available to users inside a NGFW? (Choose three.)
A. Static Port
B. Dynamic IP and Port (DIPP)
C. Dynamic IP
D. Static IP and Port (SIPP)
E. Static IP
Question #: 376
Topic #: 1
Within an Anti-Spyware security profile, which tab is used to enable machine learning based engines?
A. Signature Policies
B. Signature Exceptions
C. Machine Learning Policies
D. Inline Cloud Analysis
Question #: 375
Topic #: 1
Which situation is recorded as a system log?
A. A connection with an authentication server has been dropped.
B. A file that has been analyzed is potentially dangerous for the system.
C. An attempt to access a spoofed website has been blocked.
D. A new asset has been discovered on the network.
Question #: 372
Topic #: 1
Review the screenshot below. Which statement is correct about the information it contains?
A. Highlight Unused Rules is checked.
B. Tunnel Traffic has the High Risk tag applied.
C. There are six Security policy rules on this firewall.
D. View Rulebase as Groups is checked.
Question #: 260
Topic #: 1
What is a function of application tags?
A. automated referenced applications in a policy
B. application prioritization
C. IP address allocations in DHCP
D. creation of new zones
Question #: 205
Topic #: 1
What is the main function of the Test Policy Match function?
A. ensure that policy rules are not shadowing other policy rules
B. confirm that rules meet or exceed the Best Practice Assessment recommendations
C. confirm that policy rules in the configuration are allowing/denying the correct traffic
D. verify that policy rules from Expedition are valid
Question #: 4
Topic #: 1
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. two
B. three
C. four
D. one
Question #: 146
Topic #: 1
Which three types of authentication services can be used to authenticate user traffic flowing through the firewall’s data plane? (Choose three.)
A. SAML 2.0
B. Kerberos
C. TACACS
D. TACACS+
E. SAML 1.0
Question #: 167
Topic #: 1
Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)
A. The web session was unsuccessfully decrypted.
B. The traffic was denied by security profile.
C. The traffic was denied by URL filtering.
D. The web session was decrypted.
Question #: 244
Topic #: 1
An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.
Which security policy action causes this?
A. Drop
B. Drop, send ICMP Unreachable
C. Reset both
D. Reset client
Question #: 212
Topic #: 1
Given the detailed log information above, what was the result of the firewall traffic inspection?
A. It was blocked by the Vulnerability Protection profile action
B. It was blocked by the Security policy action
C. It was blocked by the Anti-Virus Security profile action
D. It was blocked by the Anti-Spyware Profile action