PCNSA-Topic-5
Question #: 312
Topic #: 1
An interface can belong to how many Security Zones?
A. 1
B. 2
C. 3
D. 4
Question #: 311
Topic #: 1
Review the screenshot below. Based on the information it contains, which protocol decoder will detect a machine-learning match, create a Threat log entry, and permit the traffic?
A. smb
B. imap
C. ftp
D. http2
Question #: 158
Topic #: 1
What must be considered with regards to content updates deployed from Panorama?
A. Content update schedulers need to be configured separately per device group.
B. Panorama can only install up to five content versions of the same type for potential rollback scenarios.
C. A PAN-OS upgrade resets all scheduler configurations for content updates.
D. Panorama can only download one content update at a time for content updates of the same type.
Question #: 153
Topic #: 1
Which dynamic update type includes updated anti-spyware signatures?
A. PAN-DB
B. Applications and Threats
C. GlobalProtect Data File
D. Antivirus
Question #: 192
Topic #: 1
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server.
Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection?
A. Anti-Spyware Profile
B. Data Filtering Profile
C. Antivirus Profile
D. Vulnerability Protection Profile
Question #: 185
Topic #: 1
Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?
A. reconnaissance
B. delivery
C. installation
D. exploitation
Question #: 183
Topic #: 1
Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP Addresses list?
A. source address
B. destination address
C. source zone
D. destination zone
Question #: 28
Topic #: 1
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services `Application defaults`, and action = Allow
A. Destination IP: 192.168.1.123/24
B. Application = “Telnet”
C. Log Forwarding
D. USER-ID = “Allow users in Trusted”
Question #: 345
Topic #: 1
When creating an address object, which option is available to select from the Type drop-down menu?
A. IPv6 Address
B. IP Netmask
C. IPv4 Address
D. IP Address Class
Question #: 368
Topic #: 1
What are two differences between an application group and an application filter? (Choose two.)
A. Application groups enable access to sanctioned applications explicitly, while application filters enable access to sanctioned applications implicitly.
B. Application groups are static, while application filters are dynamic.
C. Application groups dynamically group applications based on attributes, while application filters contain applications that are statically grouped.
D. Application groups can be added to application filters, while application filters cannot be added to application groups.
Question #: 259
Topic #: 1
An administrator would like to see the traffic that matches the intrazone-default rule in the traffic logs.
What is the correct process to enable this logging?
A. Select the intrazone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.
B. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.
C. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.
D. This rule has traffic logging enabled by default; no further action is required.
Question #: 221
Topic #: 1
How is an address object of type IP range correctly defined?
A. 192.168.40.1-192.168.40.255
B. 192.168.40.1-255
C. 192.168.40.1, 192.168.40.255
D. 192.168.40.1/24
Question #: 232
Topic #: 1
An administrator wants to prevent hacking attacks through DNS queries to malicious domains.
Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)
A. deny
B. block
C. sinkhole
D. override
Question #: 272
Topic #: 1
The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges. In particular, the new EMEA Regional Panorama Administrator should be able to:
Access only EMEA-Regional device groups with read-only privileges
Access only EMEA-Regional templates with read-only privileges
What is the correct configuration for the new EMEA Regional Panorama Administrator profile?
A. Administrator Type = Device Group and Template Admin
Admin Role = EMEA_Regional_Admin_read_only
Access Domain = EMEA-Regional
B. Administrator Type = Dynamic
Admin Role = Superuser (read-only)
C. Administrator Type = Dynamic
Admin Role = Panorama Administrator
D. Administrator Type = Custom Panorama Admin
Profile = EMEA Regional Admin_read_only
Question #: 263
Topic #: 1
What is a prerequisite before enabling an administrative account which relies on a local firewall user database?
A. Configure an authentication profile.
B. Configure an authentication sequence.
C. Isolate the management interface on a dedicated management VLAN.
D. Configure an authentication policy.
Question #: 224
Topic #: 1
What are two valid selections within a Vulnerability Protection profile? (Choose two.)
A. deny
B. drop
C. default
D. sinkhole
Question #: 327
Topic #: 1
To protect against illegal code execution, which Security profile should be applied?
A. Antivirus profile on allowed traffic
B. Antivirus profile on denied traffic
C. Vulnerability Protection profile on allowed traffic
D. Vulnerability Protection profile on denied traffic
Question #: 219
Topic #: 1
After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration.
Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?
A. Revert to running configuration
B. Load named configuration snapshot
C. Revert to last saved configuration
D. Import named config snapshot
Question #: 363
Topic #: 1
With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability security profile?
A. Vulnerability Exceptions
B. Advanced Rules
C. Inline Cloud Analysis
D. WildFire Inline ML
Question #: 230
Topic #: 1
When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)
A. server profile
B. admin role
C. password profile
D. access domain
Question #: 325
Topic #: 1
In order to protect users against exploit kits that exploit a vulnerability and then automatically download malicious payloads, which Security profile should be configured?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus
Question #: 199
Topic #: 1
If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID?
A. Configure a Primary Employee ID number for user-based Security policies.
B. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389.
C. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL.
D. Configure a frequency schedule to clear group mapping cache.
Question #: 289
Topic #: 1
What is the maximum volume of concurrent administrative account sessions?
A. 2
B. Unlimited
C. 10
D. 1
Question #: 348
Topic #: 1
Which Security profile must be added to Security policies to enable DNS Signatures to be checked?
A. URL Filtering
B. Vulnerability Protection
C. Anti-Spyware
D. Antivirus
Question #: 122
Topic #: 1
How are Application Filters or Application Groups used in firewall policy?
A. An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.
B. An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.
C. An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.
D. An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.
Question #: 110
Topic #: 1
Which statement is true regarding a Best Practice Assessment?
A. It runs only on firewalls.
B. It shows how current configuration compares to Palo Alto Networks recommendations.
C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
Question #: 136
Topic #: 1
Which license is required to use the Palo Alto Networks built-in IP address EDLs?
A. DNS Security
B. Threat Prevention
C. WildFire
D. SD-WAN
Question #: 270
Topic #: 1
If the firewall interface E1/1 is connected to a SPAN or mirror port, which interface type should E1/1 be configured as?
A. Tap
B. Virtual Wire
C. Layer 2
D. Layer 3
Question #: 131
Topic #: 1
Based on the screenshot, what is the purpose of the group in User labelled `it`?
A. Allows “any” users to access servers in the DMZ zone.
B. Allows users to access IT applications on all ports.
C. Allow users in group “it” to access IT applications.
D. Allow users in group “DMZ” to access IT applications.
Question #: 241
Topic #: 1
Which two protocols are available on a Palo Alto Networks Firewall Interface Management Profile? (Choose two.)
A. HTTPS
B. RDP
C. SCP
D. SSH
Question #: 216
Topic #: 1
An administrator would like to create a URL Filtering log entry when users browse to any gambling website.
What combination of Security policy and Security profile actions is correct?
A. Security policy = deny, Gambling category in URL profile = block
B. Security policy = drop, Gambling category in URL profile = allow
C. Security policy = allow, Gambling category in URL profile = alert
D. Security policy = allow, Gambling category in URL profile = allow
Question #: 215
Topic #: 1
When an ethernet interface is configured with an IPv4 address, which type of zone is it a member of?
A. Layer 3
B. Virtual Wire
C. Tap
D. Tunnel
Question #: 172
Topic #: 1
What is a recommended consideration when deploying content updates to the firewall from Panorama?
A. Before deploying content updates, always check content release version compatibility.
B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.
C. Content updates for firewall A/A HA pairs need a defined master device.
D. After deploying content updates, perform a commit and push to Panorama.
Question #: 343
Topic #: 1
Which feature dynamically analyzes and detects malicious content by evaluating various web page details using a series of machine learning (ML) models?
A. Antivirus Inline ML
B. URL Filtering Inline ML
C. Anti-Spyware Inline ML
D. WildFire Inline ML
Question #: 218
Topic #: 1
What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)
A. It requires an active subscription to a third-party DNS Security service
B. It requires a valid URL Filtering license
C. It uses techniques such as DGA/DNS tunneling detection and machine learning
D. It requires a valid Threat Prevention license
E. It enables users to access real-time protections using advanced predictive analytics
Question #: 143
Topic #: 1
An administrator would like to use App-ID’s deny action for an application and would like that action updated with dynamic updates as new content becomes available.
Which security policy action causes this?
A. Reset server
B. Reset both
C. Deny
D. Drop
Question #: 31
Topic #: 1
An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?
A. branch office traffic
B. north-south traffic
C. perimeter traffic
D. east-west traffic
Question #: 6
Topic #: 1
Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?
A. Signature Matching
B. Network Processing
C. Security Processing
D. Data Interfaces
Question #: 249
Topic #: 1
What are two valid selections within an Antivirus profile? (Choose two.)
A. deny
B. drop
C. block-ip
D. default
Question #: 231
Topic #: 1
An administrator is configuring a NAT rule.
At a minimum, which three forms of information are required? (Choose three.)
A. source zone
B. name
C. destination interface
D. destination zone
E. destination address
Question #: 72
Topic #: 1
Given the topology, which zone type should you configure for firewall interface E1/1?
A. Tap
B. Tunnel
C. Virtual Wire
D. Layer3
Question #: 273
Topic #: 1
An administrator would like to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 device groups and five templates.
Which configuration action should the administrator take when creating the address object?
A. Ensure that Disable Override is cleared.
B. Ensure that the Shared option is cleared.
C. Ensure that the Shared option is checked.
D. Tag the address object with the Global tag.
Question #: 97
Topic #: 1
Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?
A. global
B. intrazone
C. interzone
D. universal
Question #: 329
Topic #: 1
The Administrator profile “PCNSA Admin” is configured with an Authentication profile “Authentication Sequence PCNSA”.
The Authentication Sequence PCNSA has a profile list with four Authentication profiles:
Auth Profile LDAP
Auth Profile Radius
Auth Profile Local
Auth Profile TACACS
After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the “PCNSA Admin” username and password.
Which option describes the “PCNSA Admin” login capabilities after the outage?
A. Auth OK because of the Auth Profile TACACS
B. Auth KO because RADIUS server lost user and password for PCNSA Admin
C. Auth OK because of the Auth Profile Local
D. Auth KO because LDAP server is not reachable
Question #: 33
Topic #: 1
To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?
A. domain controller
B. TACACS+
C. LDAP
D. RADIUS
Question #: 109
Topic #: 1
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server.
Which Security Profile detects and prevents this threat from establishing a command-and-control connection?
A. Vulnerability Protection Profile applied to outbound Security policy rules.
B. Anti-Spyware Profile applied to outbound security policies.
C. Antivirus Profile applied to outbound Security policy rules
D. Data Filtering Profile applied to outbound Security policy rules.
Question #: 149
Topic #: 1
Which rule type is appropriate for matching traffic both within and between the source and destination zones?
A. interzone
B. shadowed
C. intrazone
D. universal
Question #: 23
Topic #: 1
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
A. Windows-based agent deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links
Question #: 134
Topic #: 1
Which Security profile can you apply to protect against malware such as worms and Trojans?
A. antivirus
B. data filtering
C. vulnerability protection
D. anti-spyware
Question #: 113
Topic #: 1
In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?
A. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules
B. Reboot the firewall
C. Use the Reset Rule Hit Counter > All Rules option
D. Use the CLI to enter the command reset rules all
Question #: 93
Topic #: 1
Based on the screenshot, what is the purpose of the Included Groups?
A. They are groups that are imported from RADIUS authentication servers.
B. They are the only groups visible based on the firewall’s credentials.
C. They contain only the users you allow to manage the firewall.
D. They are used to map users to groups.
Question #: 133
Topic #: 1
Assume that traffic matches a Security policy rule but the attached Security Profile is configured to block matching traffic.
Which statement accurately describes how the firewall will apply an action to matching traffic?
A. If it is a block rule, then Security Profile action is applied last.
B. If it is an allow rule, then the Security policy rule is applied last.
C. If it is a block rule, then the Security policy rule action is applied last.
D. If it is an allowed rule, then the Security Profile action is applied last.
Question #: 79
Topic #: 1
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.
Complete the two empty fields in the Security policy rules that permits only this type of access.
Source Zone: Internal
Destination Zone: DMZ Zone
Application: _________?
Service: ____________?
Action: allow
(Choose two.)
A. Service = “application-default”
B. Service = “service-telnet”
C. Application = “Telnet”
D. Application = “any”
Question #: 58
Topic #: 1
Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall’s management plane is highly utilized.
Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
A. Windows-based agent on a domain controller
B. Captive Portal
C. Citrix terminal server agent with adequate data-plane resources
D. PAN-OS integrated agent
Question #: 98
Topic #: 1
You notice that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would you need to monitor and block to mitigate the malicious activity?
A. branch office traffic
B. north-south traffic
C. perimeter traffic
D. east-west traffic
Question #: 256
Topic #: 1
An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets.
What are two security policy actions the administrator can select? (Choose two.)
A. Reset server
B. Deny
C. Drop
D. Reset both
Question #: 222
Topic #: 1
An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn’t see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration.
Why doesn’t the administrator see the traffic?
A. The interzone-default policy is disabled by default.
B. Traffic is being denied on the interzone-default policy.
C. Logging on the interzone-default policy is disabled.
D. The Log Forwarding profile is not configured on the policy.
Question #: 278
Topic #: 1
An administrator is reviewing packet captures to troubleshoot a problem with an application, and they observe TCP resets to the client and the server.
Which security policy action causes this?
A. Drop
B. Reset server
C. Reset client
D. Reset both
Question #: 225
Topic #: 1
Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)
A. Tap
B. HA
C. Layer 3
D. Layer 2
E. Virtual Wire
Question #: 141
Topic #: 1
Which component is a building block in a Security policy rule?
A. decryption profile
B. destination interface
C. timeout (min)
D. application
Question #: 213
Topic #: 1
An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule.
What is the best way to do this?
A. Create a static NAT rule translating to the destination interface.
B. Create a static NAT rule with an application override.
C. Create a Security policy rule to allow the traffic.
D. Create a new NAT rule with the correct parameters and leave the translation type as None.
Question #: 331
Topic #: 1
A Panorama administrator would like to create an address object for the DNS server located in the New York City office, but does not want this object added to the other Panorama managed firewalls.
Which configuration action should the administrator take when creating the address object?
A. Tag the address object with the New York Office tag.
B. Ensure that Disable Override is cleared.
C. Ensure that the Shared option is checked.
D. Ensure that the Shared option is cleared.