[Jan-9th-2021] Updated Palo Alto Networks PCNSA Exam Questions (98 Q&As)

New Palo Alto Networks PCNSA Exam Questions are updated from PassQuestion! You can download the newest PassQuestion Palo Alto Networks PCNSA Questions and Answers: https://www.passquestion.com/pcnsa.html (98 Q&As)

Test Online Palo Alto Networks PCNSA Free Questions

1. Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?

GlobalProtect

AutoFocus

Aperture

Panorama

2. Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

Threat Prevention License

Threat Implementation License

Threat Environment License

Threat Protection License

3. Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

Aperture

AutoFocus

Panorama

GlobalProtect

4. To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?

domain controller

TACACS+

LDAP

RADIUS

5. Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.

Complete the security policy to ensure only Telnet is allowed.

Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow

Destination IP: 192.168.1.123/24

Application = ‘Telnet’

Log Forwarding

USER-ID = ‘Allow users in Trusted’

6. How often does WildFire release dynamic updates?

every 5 minutes

every 15 minutes

every 60 minutes

every 30 minutes

7. Starting with PAN_OS version 9.1 which new type of object is supported for use within the user field of a security policy rule?

local username

dynamic user group

remote username

static user group

8. Which prevention technique will prevent attacks based on packet count?

zone protection profile

URL filtering profile

antivirus profile

vulnerability profile

9. Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

It functions like PAN-DB and requires activation through the app portal.

It removes the 100K limit for DNS entries for the downloaded DNS updates.

IT eliminates the need for dynamic DNS updates.

IT is automatically enabled and configured.

10. Which data-plane processor layer of the graphic shown provides uniform matching for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

Signature Matching

Network Processing

Security Processing

Security Matching

11. The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate laptop the malware contacted a known command-and-control server which exfiltrating corporate data.

Which Security profile feature could have been used to prevent the communications with the command-and-control server?

Create a Data Filtering Profile and enable its DNS sinkhole feature.

Create an Antivirus Profile and enable its DNS sinkhole feature.

Create an Anti-Spyware Profile and enable its DNS sinkhole feature.

Create a URL Filtering Profile and block the DNS sinkhole URL category.

12. Your company occupies one floor in a single building you have two active directory domain controllers on a single networks the firewall s management plane is only slightly utilized.

Which user-ID agent sufficient in your network?

PAN-OS integrated agent deployed on the firewall

Windows-based agent deployed on the internal network a domain member

Citrix terminal server agent deployed on the network

Windows-based agent deployed on each domain controller

13. DRAG DROP

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.

14. In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?

Weaponization

Reconnaissance

Installation

Command and Control

Exploitation

15. DRAG DROP

Match the Palo Alto Networks Security Operating Platform architecture to its description.

16. What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

An implicit dependency does not require the dependent application to be added in the security policy

An implicit dependency requires the dependent application to be added in the security policy

An explicit dependency does not require the dependent application to be added in the security policy

An explicit dependency requires the dependent application to be added in the security policy

17. Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

Active Directory monitoring

Windows session monitoring

Windows client probing

domain controller monitoring

18. The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

Create an anti-spyware profile and enable DNS Sinkhole

Create an antivirus profile and enable DNS Sinkhole

Create a URL filtering profile and block the DNS Sinkhole category

Create a security policy and enable DNS Sinkhole

19. An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.

Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)

vulnerability protection profile applied to outbound security policies

anti-spyware profile applied to outbound security policies

antivirus profile applied to outbound security policies

URL filtering profile applied to outbound security policies

20. How is the hit count reset on a rule?

select a security policy rule, right click Hit Count > Reset

with a dataplane reboot

Device > Setup > Logging and Reporting Settings > Reset Hit Count

in the CLI, type command reset hitcount <POLICY-NAME>

21. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

2-3-4-1

1-4-3-2

3-1-2-4

1-3-2-4

22. Which action results in the firewall blocking network traffic with out notifying the sender?

Drop

Deny

Reset Server

Reset Client

23. TION NO: 109

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choices to block the sameURL then which choice would be the last to block access to the URL?

EDL in URL Filtering Profile.

Custom URL category in Security Policy rule.

Custom URL category in URL Filtering Profile.

PAN-DB URL category in URL Filtering Profile.

24. Which URL profiling action does not generate a log entry when a user attempts to access that URL?

Override

Allow

Block

Continue

25. How do you reset the hit count on a security policy rule?

First disable and then re-enable the rule.

Reboot the data-plane.

Select a Security policy rule, and then select Hit Count > Reset.

Type the CLI command reset hitcount <POLICY-NAME>.

26. Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?

global

intrazone

interzone

universal

27. When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

Translation Type

Interface

Address Type

IP Address

28. A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.

On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.

Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application

No impact because the apps were automatically downloaded and installed

No impact because the firewall automatically adds the rules to the App-ID interface

All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

29. What is an advantage for using application tags?

They are helpful during the creation of new zones

They help with the design of IP address allocations in DHC

They help content updates automate policy updates

They help with the creation of interfaces

30. How many zones can an interface be assigned with a Palo Alto Networks firewall?

two

three

four

one

31. Based on the security policy rules shown, ssh will be allowed on which port?

32. Which administrator type utilizes predefined roles for a local administrator account?

Superuser

Role-based

Dynamic

Device administrator

33. A network has 10 domain controllers, multiple WAN links, and a network infrastructure with bandwidth needed to support mission-critical applications.

Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

Windows-based agent on a domain controller

Captive Portal

Citrix terminal server with adequate data-plane resources

PAN-OS integrated agent

34. DRAG DROP

Arrange the correct order that the URL classifications are processed within the system.

35. An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

NAT policy with source zone and destination zone specified

post-NAT policy with external source and any destination address

NAT policy with no source of destination zone selected

pre-NAT policy with external source and any destination address

36. Which option lists the attributes that are selectable when setting up an Application filters?

Category, Subcategory, Technology, and Characteristic

Category, Subcategory, Technology, Risk, and Characteristic

Name, Category, Technology, Risk, and Characteristic

Category, Subcategory, Risk, Standard Ports, and Technology

37. How frequently can wildfire updates be made available to firewalls?

every 15 minutes

every 30 minutes

every 60 minutes

every 5 minutes

38. Which interface type can use virtual routers and routing protocols?

Tap

Layer3

Virtual Wire

Layer2

39. Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

Review Policies

Review Apps

Pre-analyze

Review App Matches

40. Given the topology, which zone type should zone A and zone B to be configured with?

Layer3

Tap

Layer2

Virtual Wire

41. Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?

management

network processing

data

security processing

42. A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base. On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days. Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application

No impact because the apps were automatically downloaded and installed

No impact because the firewall automatically adds the rules to the App-ID interface

All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

43. How many zones can an interface be assigned with a Palo Alto Networks firewall?

two

three

four

one

44. Which two configuration settings shown are not the default? (Choose two.)

Enable Security Log

Server Log Monitor Frequency (sec)

Enable Session

Enable Probing

45. Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

Signature Matching

Network Processing

Security Processing

Data Interfaces

46. Which option shows the attributes that are selectable when setting up application filters?

Category, Subcategory, Technology, and Characteristic

Category, Subcategory, Technology, Risk, and Characteristic

Name, Category, Technology, Risk, and Characteristic

Category, Subcategory, Risk, Standard Ports, and Technology

47. Actions can be set for which two items in a URL filtering security profile? (Choose two.)

Block List

Custom URL Categories

PAN-DB URL Categories

Allow List

48. DRAG DROP

Match the Cyber-Attack Lifecycle stage to its correct description.

49. Which two statements are correct about App-ID content updates? (Choose two.)

Updated application content may change how security policy rules are enforced

After an application content update, new applications must be manually classified prior to use

Existing security policy rules are not affected by application content updates

After an application content update, new applications are automatically identified and classified

50. Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

Windows session monitoring via a domain controller

passive server monitoring using the Windows-based agent

Captive Portal

passive server monitoring using a PAN-OS integrated User-ID agent

51. An administrator needs to allow users to use their own office applications.

How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory

Create an Application Group and add business-systems to it

Create an Application Filter and name it Office Programs, then filter it on the business-systems category

Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

52. Which statement is true regarding a Best Practice Assessment?

The BPA tool can be run only on firewalls

It provides a percentage of adoption for each assessment area

The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

53. Employees are shown an application block page when they try to access YouTube.

Which security policy is blocking the YouTube application?

intrazone-default

Deny Google

allowed-security services

interzone-default

54. Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

on either the data place or the management plane.

after it is matched by a security policy rule that allows traffic.

before it is matched to a Security policy rule.

after it is matched by a security policy rule that allows or blocks traffic.

55. When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

Translation Type

Interface

Address Type

IP Address

56. Which interface does not require a MAC or IP address?

Virtual Wire

Layer3

Layer2

Loopback

57. A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago.

Which utility should the company use to identify out-of-date or unused rules on the firewall?

Rule Usage Filter > No App Specified

Rule Usage Filter >Hit Count > Unused in 30 days

Rule Usage Filter > Unused Apps

Rule Usage Filter > Hit Count > Unused in 90 days

58. DRAG DROP

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.

59. What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

An implicit dependency does not require the dependent application to be added in the security policy

An implicit dependency requires the dependent application to be added in the security policy

An explicit dependency does not require the dependent application to be added in the security policy

An explicit dependency requires the dependent application to be added in the security policy

60. Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

At the CLI enter the command reset rules and press Enter

Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

Reboot the firewall

Use the Reset Rule Hit Counter > All Rules option

61. Which two App-ID applications will need to be allowed to use facebook-chat? (Choose two.)

facebook

facebook-chat

facebook-base

facebook-email

62. Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

Windows-based agent deployed on the internal network

PAN-OS integrated agent deployed on the internal network

Citrix terminal server deployed on the internal network

Windows-based agent deployed on each of the WAN Links

63. Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP Cto-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.

Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

syslog

RADIUS

UID redistribution

XFF headers

64. An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.

Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)

vulnerability protection profile applied to outbound security policies

anti-spyware profile applied to outbound security policies

antivirus profile applied to outbound security policies

URL filtering profile applied to outbound security policies

65. At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

Delivery

Reconnaissance

Command and Control

Exploitation

66. commit the configuration, and verify agent connection status

2-3-4-1

1-4-3-2

3-1-2-4

1-3-2-4

67. Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.

Complete the security policy to ensure only Telnet is allowed.

Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow

Destination IP: 192.168.1.123/24

Application = "Telnet"

Log Forwarding

USER-ID = "Allow users in Trusted"

68. Based on the security policy rules shown, ssh will be allowed on which port?

69. Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

Threat Prevention

WildFire

Antivirus

URL Filtering

70. DRAG DROP

Match the Palo Alto Networks Security Operating Platform architecture to its description.

Question 1 of 70

[Jan-9th-2021] Updated Palo Alto Networks PCNSA Exam Questions (98 Q&As)

Test Online Palo Alto Networks PCNSA Free Questions

Leave a Reply Cancel reply