PCNSA Dumps V18.02 – Updated Study Guide to Help You PASS Palo Alto Networks Certified Network Security Administrator Exam

1. Where in Panorama would Zone Protection profiles be configured?

2. An administrator wants to prevent access to media content websites that are risky.

Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

3. Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine.

4. According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

5. An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

6. What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

7. What do you configure if you want to set up a group of objects based on their ports alone?

8. A Security Profile can block or allow traffic at which point?

9. Which three filter columns are available when setting up an Application Filter? (Choose three.)

10. What are three factors that can be used in domain generation algorithms? (Choose three.)

11. Which Security profile must be added to Security policies to enable DNS Signatures to be checked?

12. Actions can be set for which two items in a URL filtering security profile? (Choose two.)

13. Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

14. In order to protect users against exploit kits that exploit a vulnerability and then automatically download malicious payloads, which Security profile should be configured?

15. Which license is required to use the Palo Alto Networks built-in IP address EDLs?

16. Which prevention technique will prevent attacks based on packet count?

17. Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis Unit 42 research and data gathered from telemetry?

18. An administrator reads through the following Applications and Threats Content Release Notes before an update:

Which rule would continue to allow the file upload to confluence after the update?

A)

B)

C)

D)

19. In order to fulfill the corporate requirement to backup the configuration of Panorama and the Panorama-managed firewalls securely, which protocol should you select when adding a new scheduled config export?

20. What is the function of an application group object?

A. It contains applications that you want to treat similarly in policy

B. It groups applications dynamically based on application attributes that you define

C. It represents specific ports and protocols for an application

A. D. It identifies the purpose of a rule or configuration object and helps you better organize your rulebase

21. What is a recommended consideration when deploying content updates to the firewall from Panorama?

22. Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

23. Which Palo Alto Networks component provides consolidated policy creation and centralized management?

24. Which two statements are true for the DNS Security service introduced in PAN-OS version 10.0?

(Choose two.)

25. Which two settings allow you to restrict access to the management interface? (Choose two )

26. An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

27. Which Security policy set should be used to ensure that a policy is applied first?

28. Where does a user assign a tag group to a policy rule in the policy creation window?

29. Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

30. Which statement is true regarding a Best Practice Assessment?

31. What are the two types of Administrator accounts? (Choose two.)

32. An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the ICMP code "communication with the destination is administratively prohibited".

Which security policy action causes this?

33. An administrator wants to prevent hacking attacks through DNS queries to malicious domains.

Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)

34. Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)

35. If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?

36. A network administrator is required to use a dynamic routing protocol for network connectivity.

Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)

37. A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.

On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.

Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

38. An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list.

What is the maximum number of entries that they can be excluded?

39. The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges.

In particular, the new EMEA Regional Panorama Administrator should be able to:

- Access only EMEA-Regional device groups with read-only privileges

- Access only EMEA-Regional templates with read-only privileges

What is the correct configuration for the new EMEA Regional Panorama Administrator profile?

40. How are Application Filters or Application Groups used in firewall policy?

41. How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

42. How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to destination ports tcp/22 and tcp/4422?

43. In which threat profile object would you configure the DNS Security service?

44. An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.

Which Security profile should be used?

A. Vulnerability protection

A. B. Anti-spyware

C. URL filtering

D. Antivirus

45. An administrator receives a notification about new malware that is being used to attack hosts.

The malware exploits a software bug in a common application.

Which Security Profile will detect and block access to this threat after the administrator updates the firewall's threat signature database?

46. What are two differences between an application group and an application filter? (Choose two.)

47. Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

48. Access to which feature requires the PAN-OS Filtering license?

A. PAN-DB database

B. DNS Security

A. C. Custom URL categories

D. URL external dynamic lists

49. What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)

50. An administrator would like to silently drop traffic from the internet to a ftp server.

Which Security policy action should the administrator select?

51. The Net Sec Manager asked to create a new Firewall Operator profile with customized privileges.

In particular, the new firewall operator should be able to:

Check the configuration with read-only privilege for LDAP, RADIUS, TACACS+, and SAML as Server profiles to be used inside an Authentication profile.

The firewall operator should not be able to access anything else.

What is the right path m order to configure the new firewall Administrator Profile?

A. Device > Admin Roles > Add > Web UI > Device > Server Profiles

A. Device > Admin Roles > Add > Web UI > disable access to everything else

B. Device > Admin Roles > Add > Web UI > Objects > Server Profiles Device > Admin Roles > Add > Web UI > disable access to everything else

C. Device > Admin Roles > Add >Web UI > Objects > Authentication Profile Device > Admin Roles > Add > Web UI > disable access to everything else

D. Device > Admin Roles > Add > Web UI > Device > Authentication Profile Device > Admin Roles > Add > Web UI > disable access to everything else

52. Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

53. The Administrator profile "PCNSA Admin" is configured with an Authentication profile "Authentication Sequence PCNSA".

The Authentication Sequence PCNSA has a profile list with four Authentication profiles: Auth Profile LDAP

Auth Profile Radius Auth Profile Local Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "PCNSA Admin" username and password.

Which option describes the "PCNSA Admin" login capabilities after the outage?

54. An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

55. Which three types of entries can be excluded from an external dynamic list? (Choose three.)

56. An administrator would like to determine the default deny action for the application dns-over-

https.

Which action would yield the information?

57. An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile.

If a virus gets detected, how will the firewall handle the traffic?

58. Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

59. An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

60. An administrator would like to create a URL Filtering log entry when users browse to any gambling website.

What combination of Security policy and Security profile actions is correct?

61. What is considered best practice with regards to committing configuration changes?

A. Wait until all running and pending jobs are finished before committing.

B. Export configuration after each single configuration change performed.

C. Validate configuration changes prior to committing.

A. D. Disable the automatic commit feature that prioritizes content database installations before committing.

62. An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

63. How do you reset the hit count on a Security policy rule?

64. Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

A. on the App Dependency tab in the Commit Status window

B. on the Policy Optimizer's Rule Usage page

C. on the Application tab in the Security Policy Rule creation window

A. D. on the Objects > Applications browser pages

65. When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

66. What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?

67. Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

68. Which statement is true regarding NAT rules?

69. What is the minimum timeframe that can be set on the firewall to check for new WildFire signatures?

70. Which Security profile can be used to detect and block compromised hosts from trying to communicate with external command-and-control (C2) servers?

71. When creating a custom URL category object, which is a valid type?

72. An administrator is troubleshooting an issue with Office365 and expects that this traffic traverses the firewall.

When reviewing Traffic Log entries, there are no logs matching traffic from the test workstation.

What might cause this issue?

A. Office365 traffic is logged in the System Log.

B. Office365 traffic is logged in the Authentication Log.

C. Traffic matches the interzone-default rule, which does not log traffic by default.

A. D. The firewall is blocking the traffic, and all blocked traffic is in the Threat Log.

73. What are two valid selections within an Anti-Spyware profile? (Choose two.)

74. Which data flow direction is protected in a zero trust firewall deployment that is not protected in a perimeter-only firewall deployment?

75. Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?

76. Which statement is true about Panorama managed devices?

77. When an ethernet interface is configured with an IPv4 address, which type of zone is it a

member of?

78. A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT. Finance, and HR.

Which two types of traffic will the rule apply to? (Choose two)

79. What is the maximum volume of concurrent administrative account sessions?

80. What are two predefined AntiSpyware profiles? (Choose two.)

81. Where within the firewall GUI can all existing tags be viewed?

82. An administrator is reviewing another administrator s Security policy log settings.

Which log setting configuration is consistent with best practices tor normal traffic?

A. Log at Session Start and Log at Session End both enabled

B. Log at Session Start disabled Log at Session End enabled

C. Log at Session Start enabled

A. Log at Session End disabled

D. Log at Session Start and Log at Session End both disabled

83. Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

84. When is the content inspection performed in the packet flow process?

85. To enable DNS sinkholing, which two addresses should be reserved? (Choose two.)

86. An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released.

Which object should the administrator use as a match condition in the Security policy?

87. An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

88. Given the screenshot, what two types of route is the administrator configuring? (Choose two.)

89. What is a function of application tags?

90. What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

91. Which rule type is appropriate for matching traffic occurring within a specified zone?

92. Drag and Drop Question

Place the following steps in the packet processing order of operations from first to last.

93. You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server.

Which Security Profile when applied to outbound Security policy rules detects and prevents this threat from establishing a command-and-control connection?

94. The data plane provides which two data processing features of the firewall? (Choose two.)

95. Which type of DNS signatures are used by the firewall to identify malicious and command-and-control domains?

96. What is an advantage for using application tags?

97. Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

98. Which two statements are correct about App-ID content updates? (Choose two.)