Master the Palo Alto Networks Certified Network Security Administrator (PCNSA) Exam with PCNSA Dumps V17.02

1. After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration.

Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

2. Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

3. What is an advantage for using application tags?

4. An administrator wishes to follow best practices for logging traffic that traverses the firewall

Which log setting is correct?

5. An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

6. What is a function of application tags?

7. Which three types of authentication services can be used to authenticate user traffic flowing through the firewalls data plane? (Choose three )

8. An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

9. An administrator is reviewing another administrator s Security policy log settings

Which log setting configuration is consistent with best practices tor normal traffic?

10. Which type firewall configuration contains in-progress configuration changes?

11. What are the two default behaviors for the intrazone-default policy? (Choose two.)

12. Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic

Which statement accurately describes how the firewall will apply an action to matching traffic?

13. Palo Alto Networks firewall architecture accelerates content map minimizing latency using which two components'? (Choose two )

14. You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

15. An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

16. Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

17. Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.

Complete the security policy to ensure only Telnet is allowed.

Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow

18. When is the content inspection performed in the packet flow process?

19. An administrator is configuring a NAT rule

At a minimum, which three forms of information are required? (Choose three.)

20. An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action (or the profile.

If a virus gets detected, how wilt the firewall handle the traffic?

21. Given the detailed log information above, what was the result of the firewall traffic inspection?

22. Which action results in the firewall blocking network traffic with out notifying the sender?

23. Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.

24. Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

25. DRAG DROP

Place the following steps in the packet processing order of operations from first to last.

26. How are Application Fillers or Application Groups used in firewall policy?

27. Based on the screenshot what is the purpose of the group in User labelled ''it"?

28. Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

29. An administrator would like to silently drop traffic from the internet to a ftp server.

Which Security policy action should the administrator select?

30. What in the minimum frequency for which you can configure the firewall too check for new wildfire antivirus signatures?

31. Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?

32. What is the minimum timeframe that can be set on the firewall to check for new WildFire signatures?

33. An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address.

What is the most appropriate NAT policy to achieve this?

34. Which object would an administrator create to enable access to all applications in the office-programs subcategory?

35. What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

36. Which solution is a viable option to capture user identification when Active Directory is not in use?

37. Complete the statement. A security profile can block or allow traffic____________

38. What is considered best practice with regards to committing configuration changes?

39. Which interface type can use virtual routers and routing protocols?

40. Which administrative management services can be configured to access a management interface?

41. The firewall sends employees an application block page when they try to access Youtube.

Which Security policy rule is blocking the youtube application?

42. What are three differences between security policies and security profiles? (Choose three.)

43. You need to allow users to access the officeCsuite application of their choice.

How should you configure the firewall to allow access to any office-suite application?

44. What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?

45. Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH. web-browsing and SSL applications.

Which policy achieves the desired results?

A)

B)

C)

D)

46. Which statement is true regarding a Best Practice Assessment?

47. What allows a security administrator to preview the Security policy rules that match new application signatures?

48. Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?

49. Which statement best describes a common use of Policy Optimizer?

50. At which point in the app-ID update process can you determine if an existing policy rule is affected by an app-ID update?

51. An administrator would like to determine the default deny action for the application dns-over-https

Which action would yield the information?

52. Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

53. Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

54. Which tab would an administrator click to create an address object?

55. Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

56. Given the cyber-attack lifecycle diagram identify the stage in which the attacker can run malicious code against a vulnerability in a targeted machine.

57. Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s source and destination IP address?

58. If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?

A)

B)

C)

D)

59. An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.

Which security policy action causes this?

60. Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?

61. An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration.

Why doesn't the administrator see the traffic?

62. An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released.

Which object should the administrator use as a match condition in the Security policy?

63. In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?

64. What do you configure if you want to set up a group of objects based on their ports alone?

65. Which Security profile can you apply to protect against malware such as worms and Trojans?

66. If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

67. Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?

68. What are three valid ways to map an IP address to a username? (Choose three.)

69. Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

70. What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

71. Given the screenshot what two types of route is the administrator configuring? (Choose two )

72. DRAG DROP

Match the cyber-attack lifecycle stage to its correct description.

73. Selecting the option to revert firewall changes will replace what settings?

74. Which type of address object is "10 5 1 1/0 127 248 2"?

75. What is a recommended consideration when deploying content updates to the firewall from Panorama?

76. Which statement best describes the use of Policy Optimizer?

77. Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

78. Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

79. Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

80. Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

81. DRAG DROP

Place the steps in the correct packet-processing order of operations.

82. An administrator would like to create a URL Filtering log entry when users browse to any gambling website.

What combination of Security policy and Security profile actions is correct?

83. Which three statement describe the operation of Security Policy rules or Security Profiles? (Choose three)

84. Which plane on a Palo alto networks firewall provides configuration logging and reporting functions on a separate processor?

85. An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.

Which two fields could help in determining if this is normal? (Choose two.)

86. What is the main function of the Test Policy Match function?

87. Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

88. You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?

89. Which two App-ID applications will need to be allowed to use Facebook-chat? (Choose two.)

90. Which the app-ID application will you need to allow in your security policy to use facebook-chat?

91. What must be configured before setting up Credential Phishing Prevention?

92. Which object would an administrator create to block access to all high-risk applications?

93. DRAG DROP

Match each rule type with its example

94. An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

95. Which statement is true about Panorama managed devices?

96. Which administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.

Which security profile components will detect and prevent this threat after the firewall`s signature database has been updated?

97. Which administrator type utilizes predefined roles for a local administrator account?

98. Based on the screenshot presented which column contains the link that when clicked opens a window to display all applications matched to the policy rule?

99. Which interface does not require a MAC or IP address?

100. Which prevention technique will prevent attacks based on packet count?