New Year Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Questions 4

An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released.

Which object should the administrator use as a match condition in the Security policy?

Options:

A.

the Content Delivery Networks URL category

B.

the Online Storage and Backup URL category

C.

an application group containing all of the file-sharing App-IDs reported in the traffic logs

D.

an application filter for applications whose subcategory is file-sharing

Buy Now
Questions 5

Which Security profile can you apply to protect against malware such as worms and Trojans?

Options:

A.

data filtering

B.

antivirus

C.

vulnerability protection

D.

anti-spyware

Buy Now
Questions 6

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.

Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

Options:

A.

Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow.

B.

Manually remove powerball.com from the gambling URL category.

C.

Add *.powerball.com to the allow list

D.

Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Buy Now
Questions 7

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

Options:

A.

Management

B.

High Availability

C.

Aggregate

D.

Aggregation

Buy Now
Questions 8

Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate username and the associated password?

Options:

A.

Domain Credential

B.

IP User

C.

Group Mapping

D.

Valid Username Detected Log Severity

Buy Now
Questions 9

Which solution is a viable option to capture user identification when Active Directory is not in use?

Options:

A.

Cloud Identity Engine

B.

group mapping

C.

Directory Sync Service

D.

Authentication Portal

Buy Now
Questions 10

In which two Security Profiles can an action equal to the block IP feature be configured? (Choose two.)

Options:

A.

URL Filtering

B.

Vulnerability Protection

C.

Antivirus b

D.

Anti-spyware

Buy Now
Questions 11

Which statement is true regarding a Prevention Posture Assessment?

Options:

A.

The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories

B.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C.

It provides a percentage of adoption for each assessment area

D.

It performs over 200 security checks on Panorama/firewall for the assessment

Buy Now
Questions 12

What allows a security administrator to preview the Security policy rules that match new application signatures?

Options:

A.

Review Release Notes

B.

Dynamic Updates-Review Policies

C.

Dynamic Updates-Review App

D.

Policy Optimizer-New App Viewer

Buy Now
Questions 13

Which dynamic update type includes updated anti-spyware signatures?

Options:

A.

Applications and Threats

B.

GlobalProtect Data File

C.

Antivirus

D.

PAN-DB

Buy Now
Questions 14

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?

Options:

A.

check now

B.

review policies

C.

test policy match

D.

download

Buy Now
Questions 15

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone. Complete the two empty fields in the Security Policy rules that permits only this type of access.

PCNSA Question 15

Choose two.

Options:

A.

Service = "any"

B.

Application = "Telnet"

C.

Service - "application-default"

D.

Application = "any"

Buy Now
Questions 16

Which two types of profiles are needed to create an authentication sequence? (Choose two.)

Options:

A.

Server profile

B.

Authentication profile

C.

Security profile

D.

Interface Management profile

Buy Now
Questions 17

PCNSA Question 17

An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

Options:

A.

Rules without App Controls

B.

New App Viewer

C.

Rule Usage

D.

Unused Unused Apps

Buy Now
Questions 18

How are service routes used in PAN-OS?

Options:

A.

By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered in the network

B.

To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks external services

C.

For routing, because they are the shortest path selected by the BGP routing protocol

D.

To route management plane services through data interfaces rather than the management interface

Buy Now
Questions 19

The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other websites also listed in the URL filtering “gambling” category.

Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the “gambling” URL category?

Options:

A.

Add just the URL www.powerball.com to a Security policy allow rule.

B.

Manually remove powerball.com from the gambling URL category.

C.

Add *.powerball.com to the URL Filtering allow list.

D.

Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.

Buy Now
Questions 20

An administrator configured a Security policy rule where the matching condition includes a single application and the action is set to deny. What deny action will the firewall perform?

Options:

A.

Drop the traffic silently

B.

Perform the default deny action as defined in the App-ID database for the application

C.

Send a TCP reset packet to the client- and server-side devices

D.

Discard the session's packets and send a TCP reset packet to let the client know the session has been terminated

Buy Now
Questions 21

Your company occupies one floor in a single building you have two active directory domain controllers on a single networks the firewall s management plane is only slightly utilized.

Which user-ID agent sufficient in your network?

Options:

A.

PAN-OS integrated agent deployed on the firewall

B.

Windows-based agent deployed on the internal network a domain member

C.

Citrix terminal server agent deployed on the network

D.

Windows-based agent deployed on each domain controller

Buy Now
Questions 22

Based on the image provided, which two statements apply to the Security policy rules? (Choose two.)

PCNSA Question 22

Options:

A.

The Allow-Office-Programs rule is using an application filter.

B.

The Allow-Office-Programs rule is using an application group.

C.

The Allow-Social-Media rule allows all Facebook functions.

D.

In the Allow-FTP policy, FTP is allowed using App-ID.

Buy Now
Questions 23

PCNSA Question 23

Based on the network diagram provided, which two statements apply to traffic between the User and Server networks? (Choose two.)

Options:

A.

Traffic is permitted through the default intrazone "allow" rule.

B.

Traffic restrictions are possible by modifying intrazone rules.

C.

Traffic restrictions are not possible, because the networks are in the same zone.

D.

Traffic is permitted through the default interzone "allow" rule.

Buy Now
Questions 24

You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

Options:

A.

URL Filtering profile applied to inbound Security policy rules.

B.

Data Filtering profile applied to outbound Security policy rules.

C.

Antivirus profile applied to inbound Security policy rules.

D.

Vulnerability Prote

ction profile applied to outbound Security policy rules.

Buy Now
Questions 25

PCNSA Question 25

Given the topology, which zone type should interface E1/1 be configured with?

Options:

A.

Tap

B.

Tunnel

C.

Virtual Wire

D.

Layer3

Buy Now
Questions 26

How often does WildFire release dynamic updates?

Options:

A.

every 5 minutes

B.

every 15 minutes

C.

every 60 minutes

D.

every 30 minutes

Buy Now
Questions 27

You receive notification about new malware that is being used to attack hosts The malware exploits a software bug in a common application

Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

Options:

A.

Data Filtering Profile applied to outbound Security policy rules

B.

Antivirus Profile applied to outbound Security policy rules

C.

Data Filtering Profile applied to inbound Security policy rules

D.

Vulnerability Profile applied to inbound Security policy rules

Buy Now
Questions 28

Which type of DNS signatures are used by the firewall to identify malicious and command-and-control domains?

Options:

A.

DNS Malicious signatures

B.

DNS Malware signatures

C.

DNS Block signatures

D.

DNS Security signatures

Buy Now
Questions 29

Match each feature to the DoS Protection Policy or the DoS Protection Profile.

PCNSA Question 29

Options:

Buy Now
Questions 30

You need to allow users to access the office–suite application of their choice. How should you configure the firewall to allow access to any office-suite application?

Options:

A.

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

B.

Create an Application Group and add business-systems to it.

C.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

D.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

Buy Now
Questions 31

When is the content inspection performed in the packet flow process?

Options:

A.

after the application has been identified

B.

after the SSL Proxy re-encrypts the packet

C.

before the packet forwarding process

D.

before session lookup

Buy Now
Questions 32

Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)

PCNSA Question 32

Options:

A.

Path monitoring does not determine if route is useable

B.

Route with highest metric is actively used

C.

Path monitoring determines if route is useable

D.

Route with lowest metric is actively used

Buy Now
Questions 33

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

Options:

A.

GlobalProtect agent

B.

XML API

C.

User-ID Windows-based agent

D.

log forwarding auto-tagging

Buy Now
Questions 34

Which setting is available to edit when a tag is created on the local firewall?

Options:

A.

Location

B.

Color

C.

Order

D.

Priority

Buy Now
Questions 35

An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address. What is the most appropriate NAT policy to achieve this?

Options:

A.

Dynamic IP and Port

B.

Dynamic IP

C.

Static IP

D.

Destination

Buy Now
Questions 36

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out. Which two fields could help in determining if this is normal? (Choose two.)

Options:

A.

Packets sent/received

B.

IP Protocol

C.

Action

D.

Decrypted

Buy Now
Questions 37

What do dynamic user groups you to do?

Options:

A.

create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity

B.

create a policy that provides auto-sizing for anomalous user behavior and malicious activity

C.

create a policy that provides auto-remediation for anomalous user behavior and malicious activity

D.

create a dynamic list of firewall administrators

Buy Now
Questions 38

Which three configuration settings are required on a Palo Alto networks firewall management interface?

Options:

A.

default gateway

B.

netmask

C.

IP address

D.

hostname

E.

auto-negotiation

Buy Now
Questions 39

What must be configured for the firewall to access multiple authentication profiles for external services to authenticate a non-local account?

Options:

A.

authentication sequence

B.

LDAP server profile

C.

authentication server list

D.

authentication list profile

Buy Now
Questions 40

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Options:

A.

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

B.

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

C.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

D.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

Buy Now
Questions 41

Based on the screenshot presented which column contains the link that when clicked opens a window to display all applications matched to the policy rule?

PCNSA Question 41

Options:

A.

Apps Allowed

B.

Name

C.

Apps Seen

D.

Service

Buy Now
Questions 42

PCNSA Question 42

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH. web-browsing and SSL applications

Which policy achieves the desired results?

A)

PCNSA Question 42

B)

PCNSA Question 42

C)

PCNSA Question 42

D)

PCNSA Question 42

Options:

A.

Option

B.

Option

C.

Option

D.

Option

Buy Now
Questions 43

Which type firewall configuration contains in-progress configuration changes?

Options:

A.

backup

B.

running

C.

candidate

D.

committed

Buy Now
Questions 44

Which two features can be used to tag a user name so that it is included in a dynamic user group? (Choose two)

Options:

A.

XML API

B.

log forwarding auto-tagging

C.

GlobalProtect agent

D.

User-ID Windows-based agent

Buy Now
Questions 45

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule. What is the best way to do this?

Options:

A.

Create a Security policy rule to allow the traffic.

B.

Create a new NAT rule with the correct parameters and leave the translation type as None

C.

Create a static NAT rule with an application override.

D.

Create a static NAT rule translating to the destination interface.

Buy Now
Questions 46

What must first be created on the firewall for SAML authentication to be configured?

Options:

A.

Server Policy

B.

Server Profile

C.

Server Location

D.

Server Group

Buy Now
Questions 47

Given the image, which two options are true about the Security policy rules. (Choose two.)

PCNSA Question 47

Options:

A.

The Allow Office Programs rule is using an Application Filter

B.

In the Allow FTP to web server rule, FTP is allowed using App-ID

C.

The Allow Office Programs rule is using an Application Group

D.

In the Allow Social Networking rule, allows all of Facebook’s functions

Buy Now
Questions 48

A network administrator creates an intrazone security policy rule on a NGFW. The source zones are set to IT. Finance, and HR.

To which two types of traffic will the rule apply? (Choose two.)

Options:

A.

Within zone HR

B.

Within zone IT

C.

Between zone IT and zone HR

D.

Between zone IT and zone Finance

Buy Now
Questions 49

Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s source and destination IP address?

Options:

A.

DoS protection

B.

URL filtering

C.

packet buffering

D.

anti-spyware

Buy Now
Questions 50

What can be used as match criteria for creating a dynamic address group?

Options:

A.

Usernames

B.

IP addresses

C.

Tags

D.

MAC addresses

Buy Now
Questions 51

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

Options:

A.

Configure an authentication policy

B.

Configure an authentication sequence

C.

Configure an authentication profile

D.

Isolate the management interface on a dedicated management VLAN

Buy Now
Questions 52

What does an administrator use to validate whether a session is matching an expected NAT policy?

Options:

A.

system log

B.

test command

C.

threat log

D.

config audit

Buy Now
Questions 53

Which policy set should be used to ensure that a policy is applied just before the default security rules?

Options:

A.

Parent device-group post-rulebase

B.

Child device-group post-rulebase

C.

Local Firewall policy

D.

Shared post-rulebase

Buy Now
Questions 54

Based on the graphic which statement accurately describes the output shown in the server monitoring panel?

PCNSA Question 54

Options:

A.

The User-ID agent is connected to a domain controller labeled lab-client.

B.

The host lab-client has been found by the User-ID agent.

C.

The host lab-client has been found by a domain controller.

D.

The User-ID agent is connected to the firewall labeled lab-client.

Buy Now
Questions 55

Which action results in the firewall blocking network traffic without notifying the sender?

Options:

A.

Deny

B.

No notification

C.

Drop

D.

Reset Client

Buy Now
Questions 56

Which statements is true regarding a Heatmap report?

Options:

A.

When guided by authorized sales engineer, it helps determine te areas of greatest security risk.

B.

It provides a percentage of adoption for each assessment area.

C.

It runs only on firewall.

D.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Buy Now
Questions 57

At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?

PCNSA Question 57

Options:

A.

delivery

B.

command and control

C.

explotation

D.

reinsurance

E.

installation

Buy Now
Questions 58

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

Options:

A.

by minute

B.

hourly

C.

daily

D.

weekly

Buy Now
Questions 59

Match the Cyber-Attack Lifecycle stage to its correct description.

PCNSA Question 59

Options:

Buy Now
Questions 60

An administrator would like to create a URL Filtering log entry when users browse to any gambling website. What combination of Security policy and Security profile actions is correct?

Options:

A.

Security policy = drop, Gambling category in URL profile = allow

B.

Security policy = deny. Gambling category in URL profile = block

C.

Security policy = allow, Gambling category in URL profile = alert

D.

Security policy = allow. Gambling category in URL profile = allow

Buy Now
Questions 61

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?

Options:

A.

Policies

B.

Network

C.

Objects

D.

Device

Buy Now
Questions 62

In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)

Options:

A.

Objects tab > Application Filters

B.

Policies tab > Security

C.

ACC tab > Global Filters

D.

Objects tab > Application Groups

E.

Objects tab > Applications

Buy Now
Questions 63

What is a function of application tags?

Options:

A.

creation of new zones

B.

application prioritization

C.

automated referenced applications in a policy

D.

IP address allocations in DHCP

Buy Now
Questions 64

Which firewall plane provides configuration, logging, and reporting functions on a separate processor?

Options:

A.

control

B.

network processing

C.

data

D.

security processing

Buy Now
Questions 65

Which path in PAN-OS 10.0 displays the list of port-based security policy rules?

Options:

A.

Policies> Security> Rule Usage> No App Specified

B.

Policies> Security> Rule Usage> Port only specified

C.

Policies> Security> Rule Usage> Port-based Rules

D.

Policies> Security> Rule Usage> Unused Apps

Buy Now
Questions 66

Which three types of Source NAT are available to users inside a NGFW? (Choose three.)

Options:

A.

Dynamic IP and Port (DIPP)

B.

Static IP

C.

Static Port

D.

Dynamic IP

E.

Static IP and Port (SIPP)

Buy Now
Questions 67

Which update option is not available to administrators?

Options:

A.

New Spyware Notifications

B.

New URLs

C.

New Application Signatures

D.

New Malicious Domains

E.

New Antivirus Signatures

Buy Now
Questions 68

What must be considered with regards to content updates deployed from Panorama?

Options:

A.

Content update schedulers need to be configured separately per device group.

B.

Panorama can only install up to five content versions of the same type for potential rollback scenarios.

C.

A PAN-OS upgrade resets all scheduler configurations for content updates.

D.

Panorama can only download one content update at a time for content updates of the same type.

Buy Now
Questions 69

In which profile should you configure the DNS Security feature?

Options:

A.

URL Filtering Profile

B.

Anti-Spyware Profile

C.

Zone Protection Profile

D.

Antivirus Profile

Buy Now
Questions 70

URL categories can be used as match criteria on which two policy types? (Choose two.)

Options:

A.

authentication

B.

decryption

C application override

C.

NAT

Buy Now
Questions 71

Where in Panorama Would Zone Protection profiles be configured?

Options:

A.

Shared

B.

Templates

C.

Device Groups

D.

Panorama tab

Buy Now
Questions 72

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)

Options:

A.

QoS profile

B.

DoS Protection profile

C.

Zone Protection profile

D.

DoS Protection policy

Buy Now
Questions 73

What does an application filter help you to do?

Options:

A.

It dynamically provides application statistics based on network, threat, and blocked activity,

B.

It dynamically filters applications based on critical, high, medium, low. or informational severity.

C.

It dynamically groups applications based on application attributes such as category and subcategory.

D.

It dynamically shapes defined application traffic based on active sessions and bandwidth usage.

Buy Now
Questions 74

What are two valid selections within an Antivirus profile? (Choose two.)

Options:

A.

deny

B.

drop

C.

default

D.

block-ip

Buy Now
Questions 75

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

Options:

A.

default

B.

universal

C.

intrazone

D.

interzone

Buy Now
Questions 76

How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to destination ports tcp/22 and tcp/4422?

Options:

A.

The admin creates a custom service object named "tcp-4422" with port tcp/4422.

The admin then creates a Security policy allowing application "ssh" and service "tcp-4422".

B.

The admin creates a custom service object named "tcp-4422" with port tcp/4422.

The admin then creates a Security policy allowing application "ssh", service "tcp-4422". and service "application-default".

C.

The admin creates a Security policy allowing application "ssh" and service "application-default".

D.

The admin creates a custom service object named "tcp-4422" with port tcp/4422.

The admin also creates a custom service object named "tcp-22" with port tcp/22.

The admin then creates a Security policy allowing application "ssh", service "tcp-4422". and service "tcp-22".

Buy Now
Questions 77

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

Options:

A.

Active Directory monitoring

B.

Windows session monitoring

C.

Windows client probing

D.

domain controller monitoring

Buy Now
Questions 78

An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list. What is the maximum number of entries that they can be exclude?

Options:

A.

50

B.

100

C.

200

D.

1,000

Buy Now
Questions 79

Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

Options:

A.

Layer 3

B.

Virtual Wire

C.

Tap

D.

Layer 2

Buy Now
Questions 80

A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition, the configuration was not saved prior to

making the changes.

Which action will allow the administrator to undo the changes?

Options:

A.

Load configuration version, and choose the first item on the list.

B.

Load named configuration snapshot, and choose the first item on the list.

C.

Revert to last saved configuration.

D.

Revert to running configuration.

Buy Now
Questions 81

Which statement best describes a common use of Policy Optimizer?

Options:

A.

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

B.

Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

C.

Policy Optimizer can display which Security policies have not been used in the last 90 days.

D.

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

Buy Now
Questions 82

Starting with PAN_OS version 9.1 which new type of object is supported for use within the user field of a security policy rule?

Options:

A.

local username

B.

dynamic user group

C.

remote username

D.

static user group

Buy Now
Questions 83

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

Options:

A.

tag

B.

wildcard mask

C.

IP address

D.

subnet mask

Buy Now
Questions 84

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

Options:

A.

Aperture

B.

AutoFocus

C.

Parisma SaaS

D.

GlobalProtect

Buy Now
Questions 85

An administrator is implementing an exception to an external dynamic list by adding an entry to the list manually. The administrator wants to save the changes, but the OK button is grayed out.

What are two possible reasons the OK button is grayed out? (Choose two.)

Options:

A.

The entry contains wildcards.

B.

The entry is duplicated.

C.

The entry doesn't match a list entry.

D.

The entry matches a list entry.

Buy Now
Questions 86

Where within the firewall GUI can all existing tags be viewed?

Options:

A.

Network > Tags

B.

Monitor > Tags

C.

Objects > Tags

D.

Policies > Tags

Buy Now
Questions 87

Given the screenshot what two types of route is the administrator configuring? (Choose two )

PCNSA Question 87

Options:

A.

default route

B.

OSPF

C.

BGP

D.

static route

Buy Now
Questions 88

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)

Options:

A.

vulnerability protection profile applied to outbound security policies

B.

anti-spyware profile applied to outbound security policies

C.

antivirus profile applied to outbound security policies

D.

URL filtering profile applied to outbound security policies

Buy Now
Questions 89

What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?

Options:

A.

Doing so limits the templates that receive the policy rules

B.

Doing so provides audit information prior to making changes for selected policy rules

C.

You can specify the firewalls m a device group to which to push policy rules

D.

You specify the location as pre can - or post-rules to push policy rules

Buy Now
Questions 90

An administrator is configuring a NAT rule

At a minimum, which three forms of information are required? (Choose three.)

Options:

A.

name

B.

source zone

C.

destination interface

D.

destination address

E.

destination zone

Buy Now
Questions 91

Which administrator type utilizes predefined roles for a local administrator account?

Options:

A.

Superuser

B.

Role-based

C.

Dynamic

D.

Device administrator

Buy Now
Questions 92

Which order of steps is the correct way to create a static route?

Options:

A.

1) Enter the route and netmask

2) Enter the IP address for the specific next hop

3) Specify the outgoing interface for packets to use to go to the next hop

4) Add an IPv4 or IPv6 route by name

B.

1) Enter the route and netmask

2) Specify the outgoing interface for packets to use to go to the next hop

3) Enter the IP address for the specific next hop

4) Add an IPv4 or IPv6 route by name

C.

1) Enter the IP address for the specific next hop

2) Enter the route and netmask

3) Add an IPv4 or IPv6 route by name

4) Specify the outgoing interface for packets to use to go to the next hop

D.

1) Enter the IP address for the specific next hop

2) Add an IPv4 or IPv6 route by name

3) Enter the route and netmask

4) Specify the outgoing interface for packets to use to go to the next hop

Buy Now
Questions 93

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

Options:

A.

on either the data place or the management plane.

B.

after it is matched by a security policy rule that allows traffic.

C.

before it is matched to a Security policy rule.

D.

after it is matched by a security policy rule that allows or blocks traffic.

Buy Now
Questions 94

Which administrative management services can be configured to access a management interface?

Options:

A.

HTTP, CLI, SNMP, HTTPS

B.

HTTPS, SSH telnet SNMP

C.

SSH: telnet HTTP, HTTPS

D.

HTTPS, HTTP. CLI, API

Buy Now
Questions 95

Within a WildFire Analysis Profile, what match criteria can be defined to forward samples for analysis?

Options:

A.

Application Category

B.

Source

C.

File Size

D.

Direction

Buy Now
Questions 96

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

Options:

A.

Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL

B.

Configure a frequency schedule to clear group mapping cache

C.

Configure a Primary Employee ID number for user-based Security policies

D.

Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389

Buy Now
Questions 97

An administrator has an IP address range in the external dynamic list and wants to create an exception for one specific IP address in this address range.

Which steps should the administrator take?

Options:

A.

Add the address range to the Manual Exceptions list and exclude the IP address by selecting the entry.

B.

Add each IP address in the range as a list entry and then exclude the IP address by adding it to the Manual Exceptions list.

C.

Select the address range in the List Entries list. A column will open with the IP addresses. Select the entry to exclude.

D.

Add the specific IP address from the address range to the Manual Exceptions list by using regular expressions to define the entry.

Buy Now
Questions 98

Which table for NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings is available only on Panorama?

Options:

A.

NAT Target Tab

B.

NAT Active/Active HA Binding Tab

C.

NAT Translated Packet Tab

D.

NAT Policies General Tab

Buy Now
Questions 99

Which two statements are correct about App-ID content updates? (Choose two.)

Options:

A.

Updated application content may change how security policy rules are enforced

B.

After an application content update, new applications must be manually classified prior to use

C.

Existing security policy rules are not affected by application content updates

D.

After an application content update, new applications are automatically identified and classified

Buy Now
Questions 100

Which type of address object is "10 5 1 1/0 127 248 2"?

Options:

A.

IP subnet

B.

IP wildcard mask

C.

IP netmask

D.

IP range

Buy Now
Questions 101

What is the best-practice approach to logging traffic that traverses the firewall?

Options:

A.

Enable both log at session start and log at session end.

B.

Enable log at session start only.

C.

Enable log at session end only.

D.

Disable all logging options.

Buy Now
Questions 102

In a security policy what is the quickest way to rest all policy rule hit counters to zero?

Options:

A.

Use the CLI enter the command reset rules all

B.

Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.

C.

use the Reset Rule Hit Counter > All Rules option.

D.

Reboot the firewall.

Buy Now
Questions 103

An administrator wants to prevent users from submitting corporate credentials in a phishing attack.

Which Security profile should be applied?

Options:

A.

antivirus

B.

anti-spyware

C.

URL filtering

D.

vulnerability protection

Buy Now
Questions 104

What in the minimum frequency for which you can configure the firewall too check for new wildfire antivirus signatures?

Options:

A.

every 5 minutes

B.

every 1 minute

C.

every 24 hours

D.

every 30 minutes

Buy Now
Questions 105

Which the app-ID application will you need to allow in your security policy to use facebook-chat?

Options:

A.

facebook-email

B.

facebook-base

C.

facebook

D.

facebook-chat

Buy Now
Questions 106

Access to which feature requires the PAN-OS Filtering license?

Options:

A.

PAN-DB database

B.

DNS Security

C.

Custom URL categories

D.

URL external dynamic lists

Buy Now
Questions 107

Which System log severity level would be displayed as a result of a user password change?

Options:

A.

High

B.

Critical

C.

Medium

D.

Low

Buy Now
Questions 108

Which statement is true regarding NAT rules?

Options:

A.

Static NAT rules have precedence over other forms of NAT.

B.

Translation of the IP address and port occurs before security processing.

C.

NAT rules are processed in order from top to bottom.

D.

Firewall supports NAT on Layer 3 interfaces only.

Buy Now
Exam Code: PCNSA
Exam Name: Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)
Last Update: Dec 17, 2024
Questions: 364

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now PCNSA testing engine

PDF (Q&A)

$36.75  $104.99
buy now PCNSA pdf