PCNSA-Topic-4
Question #: 330
Topic #: 1
By default, which action is assigned to the intrazone-default rule?
A. Reset-client
B. Reset-server
C. Deny
D. Allow
Question #: 14
Topic #: 1
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?
A. intrazone-default
B. Deny Google
C. allowed-security services
D. interzone-default
Question #: 385
Topic #: 1
Which two actions are needed for an administrator to get real-time WildFire signatures? (Choose two.)
A. Enable Dynamic Updates.
B. Obtain a Threat Prevention subscription.
C. Obtain a WildFire subscription.
D. Move within the WildFire public cloud region.
Question #: 354
Topic #: 1
Given the detailed log information above, what was the result of the firewall traffic inspection?
A. It denied the category DNS phishing.
B. It denied the traffic because of unauthorized attempts.
C. It was blocked by the Anti-Virus Security profile action.
D. It was blocked by the Anti-Spyware Profile action.
Question #: 250
Topic #: 1
Your company is highly concerned with their intellectual property being accessed by unauthorized resources. There is a mature process to store and include metadata tags for all confidential documents.
Which Security profile can further ensure that these documents do not exit the corporate network?
A. File Blocking
B. Data Filtering
C. Anti-Spyware
D. URL Filtering
Question #: 91
Topic #: 1
Based on the screenshot presented, which column contains the link that when clicked, opens a window to display all applications matched to the policy rule?
A. Apps Allowed
B. Service
C. Name
D. Apps Seen
Question #: 228
Topic #: 1
An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released.
Which object should the administrator use as a match condition in the Security policy?
A. the Online Storage and Backup URL category
B. the Content Delivery Networks URL category
C. an application group containing all of the file-sharing App-IDs reported in the traffic logs
D. an application filter for applications whose subcategory is file-sharing
Question #: 165
Topic #: 1
Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?
A. destination address
B. source address
C. destination zone
D. source zone
Question #: 362
Topic #: 1
Which two statements apply to an Advanced Threat Prevention subscription? (Choose two.)
A. It contains all the features already in a Threat Prevention subscription.
B. It provides the ability to identify evasive and previously unseen command-and-control (C2) threats.
C. When it is active, a WildFire profile is no longer needed.
D. Due to its more advanced signatures, it provides the ability to identify new threats.
Question #: 361
Topic #: 1
Which Security profile prevents users from submitting valid corporate credentials online?
A. WildFire
B. URL filtering
C. Advanced threat prevention
D. SSL decryption
Question #: 78
Topic #: 1
Which definition describes the guiding principle of the zero-trust architecture?
A. trust, but verify
B. always connect and verify
C. never trust, never connect
D. never trust, always verify
Question #: 127
Topic #: 1
The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.
What changes are required on VR-1 to route traffic between two interfaces on the NGFW?
A. Add static routes to route between the two interfaces
B. Add interfaces to the virtual router
C. Add zones attached to interfaces to the virtual router
D. Enable the redistribution profile to redistribute connected routes
Question #: 210
Topic #: 1
The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)
A. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic
B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application
C. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application
D. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic
Question #: 104
Topic #: 1
Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?
A. interzone-default
B. internal-inside-dmz
C. inside-portal
D. egress-outside
Question #: 371
Topic #: 1
Which statement applies to the Intrazone Security policy rule?
A. The traffic within the same security zone will not be allowed.
B. It requires a Zone Protection profile to be applied.
C. It applies regardless of whether it is from the same security zone or a different one.
D. It applies to all matching traffic within the specified source security zones.
Question #: 49
Topic #: 1
Which statement is true regarding a Prevention Posture Assessment?
A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
C. It provides a percentage of adoption for each assessment area
D. It performs over 200 security checks on Panorama/firewall for the assessment
Question #: 342
Topic #: 1
Which profile must be applied to the Security policy rule to block spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2) servers?
A. Anti-spyware
B. File blocking
C. WildFire
D. URL filtering
Question #: 211
Topic #: 1
Which object would an administrator create to enable access to all applications in the office-programs subcategory?
A. HIP profile
B. URL category
C. application group
D. application filter
Question #: 187
Topic #: 1
What must be configured before setting up Credential Phishing Prevention?
A. Threat Prevention
B. Anti Phishing Block Page
C. User-ID
D. Anti Phishing profiles
Question #: 182
Topic #: 1
Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently used by attackers to distribute illegal or unethical material?
A. Palo Alto Networks C&G IP Addresses
B. Palo Alto Networks High Risk IP Addresses
C. Palo Alto Networks Known Malicious IP Addresses
D. Palo Alto Networks Bulletproof IP Addresses
Question #: 179
Topic #: 1
When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?
A. 80
B. 8443
C. 4443
D. 443
Question #: 155
Topic #: 1
Which object would an administrator create to block access to all high-risk applications?
A. HIP profile
B. Vulnerability Protection profile
C. application group
D. application filter
Question #: 370
Topic #: 1
Which two events can be found in data-filtering logs? (Choose two.)
A. Specific users attempting to authenticate
B. Sensitive information attempting to exit the network
C. An unsuccessful attempt to establish a TLS session
D. A download attempt of a blocked file type
Question #: 333
Topic #: 1
What is the default action for the SYN Flood option within the DoS Protection profile?
A. Reset-client
B. Alert
C. Sinkhole
D. Random Early Drop
Question #: 202
Topic #: 1
Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit 42 research, and data gathered from telemetry?
A. Palo Alto Networks High-Risk IP Addresses
B. Palo Alto Networks Known Malicious IP Addresses
C. Palo Alto Networks C&C IP Addresses
D. Palo Alto Networks Bulletproof IP Addresses
Question #: 191
Topic #: 1
An address object of type IP Wildcard Mask can be referenced in which part of the configuration?
A. Security policy rule
B. ACC global filter
C. NAT address pool
D. external dynamic list
Question #: 130
Topic #: 1
What is the main function of Policy Optimizer?
A. reduce load on the management plane by highlighting combinable security rules
B. migrate other firewall vendors’ security rules to Palo Alto Networks configuration
C. eliminate “Log at Session Start” security rules
D. convert port-based security rules to application-based security rules
Question #: 55
Topic #: 1
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?
A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH
B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH
C. In addition to option A, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-IP-address
D. In addition to option C, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin
Question #: 95
Topic #: 1
Which action results in the firewall blocking network traffic without notifying the sender?
A. Drop
B. Deny
C. Reset Server
D. Reset Client
Question #: 17
Topic #: 1
Which interface does not require a MAC or IP address?
A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback
Question #: 40
Topic #: 1
Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.)
A. Security policy rules are attached to Security Profiles.
B. Security Profiles are attached to Security policy rules.
C. Security Profiles should be used only on allowed traffic.
D. Security policy rules inspect but do not block traffic.
E. Security policy rules can block or allow traffic.
Question #: 83
Topic #: 1
The CFO found a malware-infected USB drive in the parking lot, which when inserted infected their corporate laptop. The malware contacted a known command-and-control server, which caused the infected laptop to begin exfiltrating corporate data.
Which security profile feature could have been used to prevent the communication with the command-and-control server?
A. Create an anti-spyware profile and enable DNS Sinkhole feature.
B. Create an antivirus profile and enable its DNS Sinkhole feature.
C. Create a URL filtering profile and block the DNS Sinkhole URL category
D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.
Question #: 74
Topic #: 1
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?
A. intrazone
B. interzone
C. universal
D. global
Question #: 243
Topic #: 1
You receive notification about new malware that infects hosts through malicious files transferred by FTP.
Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?
A. Data Filtering profile applied to outbound Security policy rules.
B. Vulnerability Protection profile applied to outbound Security policy rules.
C. URL Filtering profile applied to inbound Security policy rules.
D. Antivirus profile applied to inbound Security policy rules.
Question #: 175
Topic #: 1
An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.
What should the administrator do?
A. change the logging action on the rule
B. review the System Log
C. refresh the Traffic Log
D. tune your Traffic Log filter to include the dates
Question #: 100
Topic #: 1
Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall’s data plane?
A. Kerberos user
B. SAML user
C. local database user
D. local user
Question #: 129
Topic #: 1
Which two rule types allow the administrator to modify the destination zone? (Choose two.)
A. interzone
B. shadowed
C. intrazone
D. universal
Question #: 176
Topic #: 1
When is the content inspection performed in the packet flow process?
A. after the application has been identified
B. after the SSL Proxy re-encrypts the packet
C. before the packet forwarding process
D. before session lookup
Question #: 137
Topic #: 1
Which statement is true about Panorama managed devices?
A. Panorama automatically removes local configuration locks after a commit from Panorama.
B. Local configuration locks prohibit Security policy changes for a Panorama managed device.
C. Security policy rules configured on local firewalls always take precedence.
D. Local configuration locks can be manually unlocked from Panorama.
Question #: 251
Topic #: 1
An administrator is reviewing the Security policy rules shown in the screenshot below.
Which statement is correct about the information displayed?
A. Highlight Unused Rules is checked.
B. There are seven Security policy rules on this firewall.
C. The view Rulebase as Groups is checked.
D. Eleven rules use the “Infrastructure” tag.
Question #: 201
Topic #: 1
Which action would an administrator take to ensure that a service object will be available only to the selected device group?
A. ensure that disable override is selected
B. uncheck the shared option
C. ensure that disable override is cleared
D. create the service object in the specific template
Question #: 234
Topic #: 1
A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)
A. OSPF
B. EIGRP
C. IS-IS
D. BGP
E. RIP
Question #: 156
Topic #: 1
Which option is part of the content inspection process?
A. Packet forwarding process
B. IPsec tunnel encryption
C. SSL Proxy re-encrypt
D. Packet egress process
Question #: 197
Topic #: 1
Which solution is a viable option to capture user identification when Active Directory is not in use?
A. Cloud identity Engine
B. Directory Sync Service
C. group mapping
D. Authentication Portal
Question #: 277
Topic #: 1
What can be used as match criteria for creating a dynamic address group?
A. MAC addresses
B. IP addresses
C. Usernames
D. Tags
Question #: 267
Topic #: 1
Which Security profile can be used to detect and block compromised hosts from trying to communicate with external command-and-control (C2) servers?
A. URL Filtering
B. Antivirus
C. Vulnerability
D. Anti-Spyware
Question #: 281
Topic #: 1
Which two configurations does an administrator need to compare in order to see differences between the active configuration and potential changes if committed? (Choose two.)
A. Device state
B. Active
C. Candidate
D. Running
Question #: 37
Topic #: 1
Which two security profile types can be attached to a security policy? (Choose two.)
A. antivirus
B. DDoS protection
C. threat
D. vulnerability
Question #: 35
Topic #: 1
Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?
A. Root
B. Dynamic
C. Role-based
D. Superuser
Question #: 29
Topic #: 1
Based on the security policy rules shown, ssh will be allowed on which port?
A. 80
B. 53
C. 22
D. 23
Question #: 21
Topic #: 1
Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?
A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
D. Use the Reset Rule Hit Counter > All Rules option
Question #: 12
Topic #: 1
An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
Question #: 89
Topic #: 1
Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?
A. Role-based
B. Multi-Factor Authentication
C. Dynamic
D. SAML
Question #: 171
Topic #: 1
What action will inform end users when their access to Internet content is being restricted?
A. Create a custom “URL Category” object with notifications enabled.
B. Publish monitoring data for Security policy deny logs.
C. Ensure that the “site access” setting for all URL sites is set to “alert”.
D. Enable “Response Pages” on the interface providing Internet access.
Question #: 237
Topic #: 1
In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely, which protocol should you select when adding a new scheduled config export?
A. HTTPS
B. SMB v3
C. SCP
D. FTP
Question #: 338
Topic #: 1
Which Security profile generates an alert based on a threshold when the action is set to Alert?
A. Vulnerability Protection
B. Antivirus
C. DoS protection
D. Anti-Spyware
Question #: 306
Topic #: 1
Which parameter is used to view the Security policy rulebase as groups?
A. Tags
B. Service
C. Type
D. Action