New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Questions 4

Which two types of profiles are needed to create an authentication sequence? (Choose two.)

Options:

A.

Server profile

B.

Authentication profile

C.

Security profile

D.

Interface Management profile

Buy Now
Questions 5

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Options:

A.

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

B.

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

C.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

D.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

Buy Now
Questions 6

In which two types of NAT can oversubscription be used? (Choose two.)

Options:

A.

Static IP

B.

Destination NAT

C.

Dynamic IP and Port (DIPP)

D.

Dynamic IP

Buy Now
Questions 7

What are two valid selections within an Anti-Spyware profile? (Choose two.)

Options:

A.

Default

B.

Deny

C.

Random early drop

D.

Drop

Buy Now
Questions 8

What is the main function of Policy Optimizer?

Options:

A.

reduce load on the management plane by highlighting combinable security rules

B.

migrate other firewall vendors’ security rules to Palo Alto Networks configuration

C.

eliminate “Log at Session Start” security rules

D.

convert port-based security rules to application-based security rules

Buy Now
Questions 9

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication Sequence SYS01," and the authentication sequence SYS01 has a profile list with four authentication profiles:

• Auth Profile LDAP

• Auth Profile Radius

• Auth Profile Local

• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "SYS01 Admin" username and password.

What is the "SYS01 Admin" login capability after the outage?

Options:

A.

Auth KO because RADIUS server lost user and password for SYS01 Admin

B.

Auth KO because LDAP server is not reachable

C.

Auth OK because of the Auth Profile Local

D.

Auth OK because of the Auth Profile TACACS -

Buy Now
Questions 10

When is the content inspection performed in the packet flow process?

Options:

A.

after the application has been identified

B.

after the SSL Proxy re-encrypts the packet

C.

before the packet forwarding process

D.

before session lookup

Buy Now
Questions 11

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

Options:

A.

At the CLI enter the command reset rules and press Enter

B.

Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

C.

Reboot the firewall

D.

Use the Reset Rule Hit Counter > All Rules option

Buy Now
Questions 12

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

Options:

A.

Layer-ID

B.

User-ID

C.

QoS-ID

D.

App-ID

Buy Now
Questions 13

Which the app-ID application will you need to allow in your security policy to use facebook-chat?

Options:

A.

facebook-email

B.

facebook-base

C.

facebook

D.

facebook-chat

Buy Now
Questions 14

Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

Options:

A.

It functions like PAN-DB and requires activation through the app portal.

B.

It removes the 100K limit for DNS entries for the downloaded DNS updates.

C.

IT eliminates the need for dynamic DNS updates.

D.

IT is automatically enabled and configured.

Buy Now
Questions 15

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.

What should the administrator do?

Options:

A.

change the logging action on the rule

B.

review the System Log

C.

refresh the Traffic Log

D.

tune your Traffic Log filter to include the dates

Buy Now
Questions 16

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the rule type from its default value.

What type of Security policy rule is created?

Options:

A.

Tagged

B.

Intrazone

C.

Universal

D.

Interzone

Buy Now
Questions 17

What is a recommended consideration when deploying content updates to the firewall from Panorama?

Options:

A.

Before deploying content updates, always check content release version compatibility.

B.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

C.

Content updates for firewall A/A HA pairs need a defined master device.

D.

After deploying content updates, perform a commit and push to Panorama.

Buy Now
Questions 18

Which definition describes the guiding principle of the zero-trust architecture?

Options:

A.

never trust, never connect

B.

always connect and verify

C.

never trust, always verify

D.

trust, but verity

Buy Now
Questions 19

You receive notification about a new malware that infects hosts An infection results in the infected host attempting to contact a command-and-control server Which Security Profile when applied to outbound Security policy rules detects and prevents this threat from establishing a command-and-control connection?

Options:

A.

Antivirus Profile

B.

Data Filtering Profile

C.

Vulnerability Protection Profile

D.

Anti-Spyware Profile

Buy Now
Questions 20

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

Options:

A.

Panorama > Device Deployment > Dynamic Updates > Schedules > Add

B.

Panorama > Device Deployment > Content Updates > Schedules > Add

C.

Panorama > Dynamic Updates > Device Deployment > Schedules > Add

D.

Panorama > Content Updates > Device Deployment > Schedules > Add

Buy Now
Questions 21

What must be configured for the firewall to access multiple authentication profiles for external services to authenticate a non-local account?

Options:

A.

authentication sequence

B.

LDAP server profile

C.

authentication server list

D.

authentication list profile

Buy Now
Questions 22

A website is unexpectedly allowed due to miscategorization.

What are two way-s to resolve this issue for a proper response? (Choose two.)

Options:

A.

Identify the URL category being assigned to the website.

Edit the active URL Filtering profile and update that category's site access settings to block.

B.

Create a URL category and assign the affected URL.

Update the active URL Filtering profile site access setting for the custom URL category to block.

C.

Review the categorization of the website on https://urlfiltering.paloaltonetworks.com.

Submit for "request change*, identifying the appropriate categorization, and wait for confirmation before testing again.

D.

Create a URL category and assign the affected URL.

Add a Security policy with a URL category qualifier of the custom URL category below the original policy. Set the policy action to Deny.

Buy Now
Questions 23

What must be considered with regards to content updates deployed from Panorama?

Options:

A.

Content update schedulers need to be configured separately per device group.

B.

Panorama can only install up to five content versions of the same type for potential rollback scenarios.

C.

A PAN-OS upgrade resets all scheduler configurations for content updates.

D.

Panorama can only download one content update at a time for content updates of the same type.

Buy Now
Questions 24

An administrator would like to override the default deny action for a given application and instead would like to block the traffic and send the ICMP code "communication with the destination is administratively prohibited"

Which security policy action causes this?

Options:

A.

Drop

B.

Drop, send ICMP Unreachable

C.

Reset both

D.

Reset server

Buy Now
Questions 25

Given the cyber-attack lifecycle diagram identify the stage in which the attacker can run malicious code against a vulnerability in a targeted machine.

Options:

A.

Exploitation

B.

Installation

C.

Reconnaissance

D.

Act on the Objective

Buy Now
Questions 26

What is used to monitor Security policy applications and usage?

Options:

A.

Policy Optimizer

B.

App-ID

C.

Security profile

D.

Policy-based forwarding

Buy Now
Questions 27

Which table for NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings is available only on Panorama?

Options:

A.

NAT Target Tab

B.

NAT Active/Active HA Binding Tab

C.

NAT Translated Packet Tab

D.

NAT Policies General Tab

Buy Now
Questions 28

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

Options:

A.

Create an anti-spyware profile and enable DNS Sinkhole

B.

Create an antivirus profile and enable DNS Sinkhole

C.

Create a URL filtering profile and block the DNS Sinkhole category

D.

Create a security policy and enable DNS Sinkhole

Buy Now
Questions 29

Match each rule type with its example

Options:

Buy Now
Questions 30

Why should a company have a File Blocking profile that is attached to a Security policy?

Options:

A.

To block uploading and downloading of specific types of files

B.

To detonate files in a sandbox environment

C.

To analyze file types

D.

To block uploading and downloading of any type of files

Buy Now
Questions 31

Which Security profile must be added to Security policies to enable DNS Signatures to be checked?

Options:

A.

Anti-Spyware

B.

Antivirus

C.

Vulnerability Protection

D.

URL Filtering

Buy Now
Questions 32

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.

Complete the security policy to ensure only Telnet is allowed.

Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow

Options:

A.

Destination IP: 192.168.1.123/24

B.

Application = ‘Telnet’

C.

Log Forwarding

D.

USER-ID = ‘Allow users in Trusted’

Buy Now
Questions 33

Which three types of Source NAT are available to users inside a NGFW? (Choose three.)

Options:

A.

Dynamic IP and Port (DIPP)

B.

Static IP

C.

Static Port

D.

Dynamic IP

E.

Static IP and Port (SIPP)

Buy Now
Questions 34

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

Options:

A.

tag

B.

wildcard mask

C.

IP address

D.

subnet mask

Buy Now
Questions 35

Actions can be set for which two items in a URL filtering security profile? (Choose two.)

Options:

A.

Block List

B.

Custom URL Categories

C.

PAN-DB URL Categories

D.

Allow List

Buy Now
Questions 36

Which policy set should be used to ensure that a policy is applied just before the default security rules?

Options:

A.

Parent device-group post-rulebase

B.

Child device-group post-rulebase

C.

Local Firewall policy

D.

Shared post-rulebase

Buy Now
Questions 37

Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic

Which statement accurately describes how the firewall will apply an action to matching traffic?

Options:

A.

If it is an allowed rule, then the Security Profile action is applied last

B.

If it is a block rule then the Security policy rule action is applied last

C.

If it is an allow rule then the Security policy rule is applied last

D.

If it is a block rule then Security Profile action is applied last

Buy Now
Questions 38

Arrange the correct order that the URL classifications are processed within the system.

Options:

Buy Now
Questions 39

A Security Profile can block or allow traffic at which point?

Options:

A.

after it is matched to a Security policy rule that allows traffic

B.

on either the data plane or the management plane

C.

after it is matched to a Security policy rule that allows or blocks traffic

D.

before it is matched to a Security policy rule

Buy Now
Questions 40

How are service routes used in PAN-OS?

Options:

A.

By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered in the network

B.

To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks external services

C.

For routing, because they are the shortest path selected by the BGP routing protocol

D.

To route management plane services through data interfaces rather than the management interface

Buy Now
Questions 41

Which license is required to use the Palo Alto Networks built-in IP address EDLs?

Options:

A.

DNS Security

B.

Threat Prevention

C.

WildFire

D.

SD-Wan

Buy Now
Questions 42

Review the Screenshot:

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the

SERVER zone to the DMZ on SSH only.

Which rule group enables the required traffic?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 43

By default, which action is assigned to the interzone-default rule?

Options:

A.

Reset-client

B.

Reset-server

C.

Deny

D.

Allow

Buy Now
Questions 44

Which license must an administrator acquire prior to downloading Antivirus updates for use with the firewall?

Options:

A.

URL filtering

B.

Antivirus

C.

WildFire

D.

Threat Prevention

Buy Now
Questions 45

In which two Security Profiles can an action equal to the block IP feature be configured? (Choose two.)

Options:

A.

Antivirus

B.

URL Filtering

C.

Vulnerability Protection

D.

Anti-spyware

Buy Now
Questions 46

Which action results in the firewall blocking network traffic with out notifying the sender?

Options:

A.

Drop

B.

Deny

C.

Reset Server

D.

Reset Client

Buy Now
Questions 47

What action will inform end users when their access to Internet content is being restricted?

Options:

A.

Create a custom 'URL Category' object with notifications enabled.

B.

Publish monitoring data for Security policy deny logs.

C.

Ensure that the 'site access" setting for all URL sites is set to 'alert'.

D.

Enable 'Response Pages' on the interface providing Internet access.

Buy Now
Questions 48

During the packet flow process, which two processes are performed in application identification? (Choose two.)

Options:

A.

pattern based application identification

B.

application override policy match

C.

session application identified

D.

application changed from content inspection

Buy Now
Questions 49

Which Security profile can you apply to protect against malware such as worms and Trojans?

Options:

A.

data filtering

B.

antivirus

C.

vulnerability protection

D.

anti-spyware

Buy Now
Questions 50

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

Options:

A.

SAML

B.

TACACS+

C.

LDAP

D.

Kerberos

Buy Now
Questions 51

In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)

Options:

A.

Objects tab > Application Filters

B.

Policies tab > Security

C.

ACC tab > Global Filters

D.

Objects tab > Application Groups

E.

Objects tab > Applications

Buy Now
Questions 52

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?

Options:

A.

check now

B.

review policies

C.

test policy match

D.

download

Buy Now
Questions 53

Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?

Options:

A.

global

B.

intrazone

C.

interzone

D.

universal

Buy Now
Questions 54

An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240 addresses and found that connections from addresses that needed new translations were being dropped.

Which type of NAT was configured?

Options:

A.

Static IP

B.

Dynamic IP

C.

Destination NAT

D.

Dynamic IP and Port

Buy Now
Questions 55

Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s source and destination IP address?

Options:

A.

DoS protection

B.

URL filtering

C.

packet buffering

D.

anti-spyware

Buy Now
Questions 56

Starting with PAN_OS version 9.1 which new type of object is supported for use within the user field of a security policy rule?

Options:

A.

local username

B.

dynamic user group

C.

remote username

D.

static user group

Buy Now
Questions 57

What is the purpose of the automated commit recovery feature?

Options:

A.

It reverts the Panorama configuration.

B.

It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.

C.

It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.

D.

It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

Buy Now
Questions 58

Which situation is recorded as a system log?

Options:

A.

An attempt to access a spoofed website has been blocked.

B.

A connection with an authentication server has been dropped.

C.

A file that has been analyzed is potentially dangerous for the system.

D.

A new asset has been discovered on the network.

Buy Now
Questions 59

Which profile should be used to obtain a verdict regarding analyzed files?

Options:

A.

WildFire analysis

B.

Vulnerability profile

C.

Content-ID

D.

Advanced threat prevention

Buy Now
Questions 60

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

Options:

A.

Windows-based agent deployed on the internal network

B.

PAN-OS integrated agent deployed on the internal network

C.

Citrix terminal server deployed on the internal network

D.

Windows-based agent deployed on each of the WAN Links

Buy Now
Questions 61

At which point in the app-ID update process can you determine if an existing policy rule is affected by an app-ID update?

Options:

A.

after clicking Check New in the Dynamic Update window

B.

after connecting the firewall configuration

C.

after downloading the update

D.

after installing the update

Buy Now
Questions 62

How many zones can an interface be assigned with a Palo Alto Networks firewall?

Options:

A.

two

B.

three

C.

four

D.

one

Buy Now
Questions 63

An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action (or the profile. If a virus gets detected, how wilt the firewall handle the traffic?

Options:

A.

It allows the traffic because the profile was not set to explicitly deny the traffic.

B.

It drops the traffic because the profile was not set to explicitly allow the traffic.

C.

It uses the default action assigned to the virus signature.

D.

It allows the traffic but generates an entry in the Threat logs.

Buy Now
Questions 64

Which rule type is appropriate for matching traffic occurring within a specified zone?

Options:

A.

Interzone

B.

Universal

C.

Intrazone

D.

Shadowed

Buy Now
Questions 65

What are the two default behaviors for the intrazone-default policy? (Choose two.)

Options:

A.

Allow

B.

Logging disabled

C.

Log at Session End

D.

Deny

Buy Now
Questions 66

Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)

Options:

A.

Post-NAT address

B.

Post-NAT zone

C.

Pre-NAT zone

D.

Pre-NAT address

Buy Now
Questions 67

Which statements is true regarding a Heatmap report?

Options:

A.

When guided by authorized sales engineer, it helps determine te areas of greatest security risk.

B.

It provides a percentage of adoption for each assessment area.

C.

It runs only on firewall.

D.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Buy Now
Questions 68

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

Options:

A.

default

B.

universal

C.

intrazone

D.

interzone

Buy Now
Questions 69

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

Options:

A.

on the App Dependency tab in the Commit Status window

B.

on the Policy Optimizer's Rule Usage page

C on the Application tab in the Security Policy Rule creation window

C.

on the Objects > Applications browser pages

Buy Now
Questions 70

In the example security policy shown, which two websites fcked? (Choose two.)

Options:

A.

LinkedIn

B.

Facebook

C.

YouTube

D.

Amazon

Buy Now
Questions 71

How do you reset the hit count on a security policy rule?

Options:

A.

First disable and then re-enable the rule.

B.

Reboot the data-plane.

C.

Select a Security policy rule, and then select Hit Count > Reset.

D.

Type the CLI command reset hitcount .

Buy Now
Questions 72

An administrator wants to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 device groups and five templates.

Which configuration action should the administrator take when creating the address object?

Options:

A.

Ensure that the Shared option is checked.

B.

Ensure that the Shared option is cleared.

C.

Ensure that Disable Override is cleared.

D.

Tag the address object with the Global tag.

Buy Now
Questions 73

Based on the screenshot what is the purpose of the included groups?

Options:

A.

They are only groups visible based on the firewall's credentials.

B.

They are used to map usernames to group names.

C.

They contain only the users you allow to manage the firewall.

D.

They are groups that are imported from RADIUS authentication servers.

Buy Now
Questions 74

What are three valid ways to map an IP address to a username? (Choose three.)

Options:

A.

using the XML API

B.

DHCP Relay logs

C.

a user connecting into a GlobalProtect gateway using a GlobalProtect Agent

D.

usernames inserted inside HTTP Headers

E.

WildFire verdict reports

Buy Now
Questions 75

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

Options:

A.

Management

B.

High Availability

C.

Aggregate

D.

Aggregation

Buy Now
Questions 76

An administrator is configuring a NAT rule

At a minimum, which three forms of information are required? (Choose three.)

Options:

A.

name

B.

source zone

C.

destination interface

D.

destination address

E.

destination zone

Buy Now
Questions 77

Which setting is available to edit when a tag is created on the local firewall?

Options:

A.

Location

B.

Color

C.

Order

D.

Priority

Buy Now
Questions 78

Which statement is true regarding a Prevention Posture Assessment?

Options:

A.

The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories

B.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C.

It provides a percentage of adoption for each assessment area

D.

It performs over 200 security checks on Panorama/firewall for the assessment

Buy Now
Questions 79

An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.

Which security policy action causes this?

Options:

A.

Reset server

B.

Reset both

C.

Deny

D.

Drop

Buy Now
Questions 80

If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 81

Where in the PAN-OS GUI can an administrator monitor the rule usage for a specified period of time?

Options:

A.

Objects > Schedules

B.

Policies > Policy Optimizer

C.

Monitor > Packet Capture

D.

Monitor > Reports

Buy Now
Questions 82

Which interface does not require a MAC or IP address?

Options:

A.

Virtual Wire

B.

Layer3

C.

Layer2

D.

Loopback

Buy Now
Questions 83

Files are sent to the WildFire cloud service via the WildFire Analysis Profile. How are these files used?

Options:

A.

WildFire signature updates

B.

Malware analysis

C.

Domain Generation Algorithm (DGA) learning

D.

Spyware analysis

Buy Now
Questions 84

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

Options:

A.

GlobalProtect agent

B.

XML API

C.

User-ID Windows-based agent

D.

log forwarding auto-tagging

Buy Now
Questions 85

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

Options:

A.

Blometric scanning results from iOS devices

B.

Firewall logs

C.

Custom API scripts

D.

Security Information and Event Management Systems (SIEMS), such as Splun

E.

DNS Security service

Buy Now
Questions 86

Which Security policy set should be used to ensure that a policy is applied first?

Options:

A.

Child device-group pre-rulebase

B.

Shared pre-rulebase

C.

Parent device-group pre-rulebase

D.

Local firewall policy

Buy Now
Questions 87

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH. web-browsing and SSL applications

Which policy achieves the desired results?

A)

B)

C)

D)

Options:

A.

Option

B.

Option

C.

Option

D.

Option

Buy Now
Questions 88

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

Options:

A.

create the service object in the specific template

B.

uncheck the shared option

C.

ensure that disable override is selected

D.

ensure that disable override is cleared

Buy Now
Questions 89

You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

Options:

A.

URL Filtering profile applied to inbound Security policy rules.

B.

Data Filtering profile applied to outbound Security policy rules.

C.

Antivirus profile applied to inbound Security policy rules.

D.

Vulnerability Prote

ction profile applied to outbound Security policy rules.

Buy Now
Questions 90

Which two DNS policy actions in the anti-spyware security profile can prevent hacking attacks through DNS queries to malicious domains? (Choose two.)

Options:

A.

Deny

B.

Sinkhole

C.

Override

D.

Block

Buy Now
Questions 91

The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate laptop the malware contacted a known command-and-control server which exfiltrating corporate data.

Which Security profile feature could have been used to prevent the communications with the command-and-control server?

Options:

A.

Create a Data Filtering Profile and enable its DNS sinkhole feature.

B.

Create an Antivirus Profile and enable its DNS sinkhole feature.

C.

Create an Anti-Spyware Profile and enable its DNS sinkhole feature.

D.

Create a URL Filtering Profile and block the DNS sinkhole URL category.

Buy Now
Questions 92

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

Options:

A.

override

B.

allow

C.

block

D.

continue

Buy Now
Questions 93

What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

Options:

A.

Implement a threat intel program.

B.

Configure a URL Filtering profile.

C.

Train your staff to be security aware.

D.

Rely on a DNS resolver.

E.

Plan for mobile-employee risk

Buy Now
Questions 94

Match the Cyber-Attack Lifecycle stage to its correct description.

Options:

Buy Now
Questions 95

What are the two main reasons a custom application is created? (Choose two.)

Options:

A.

To correctly identify an internal application in the traffic log

B.

To change the default categorization of an application

C.

To visually group similar applications

D.

To reduce unidentified traffic on a network

Buy Now
Questions 96

A network administrator creates an intrazone security policy rule on a NGFW. The source zones are set to IT. Finance, and HR.

To which two types of traffic will the rule apply? (Choose two.)

Options:

A.

Within zone HR

B.

Within zone IT

C.

Between zone IT and zone HR

D.

Between zone IT and zone Finance

Buy Now
Questions 97

Given the detailed log information above, what was the result of the firewall traffic inspection?

Options:

A.

It was blocked by the Anti-Virus Security profile action.

B.

It was blocked by the Anti-Spyware Profile action.

C.

It was blocked by the Vulnerability Protection profile action.

D.

It was blocked by the Security policy action.

Buy Now
Questions 98

After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration.

Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

Options:

A.

Import named config snapshot

B.

Load named configuration snapshot

C.

Revert to running configuration

D.

Revert to last saved configuration

Buy Now
Questions 99

Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

Options:

A.

save named configuration snapshot

B.

export device state

C.

export named configuration snapshot

D.

save candidate config

Buy Now
Questions 100

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?

Options:

A.

80

B.

8443

C.

4443

D.

443

Buy Now
Questions 101

An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

Options:

A.

NAT policy with source zone and destination zone specified

B.

post-NAT policy with external source and any destination address

C.

NAT policy with no source of destination zone selected

D.

pre-NAT policy with external source and any destination address

Buy Now
Questions 102

Based on the show security policy rule would match all FTP traffic from the inside zone to the outside zone?

Options:

A.

internal-inside-dmz

B.

engress outside

C.

inside-portal

D.

intercone-default

Buy Now
Questions 103

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

Options:

A.

Review Policies

B.

Review Apps

C.

Pre-analyze

D.

Review App Matches

Buy Now
Questions 104

All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.

Complete the empty field in the Security policy using an application object to permit only this type of access.

Source Zone: Internal -

Destination Zone: DMZ Zone -

Application: __________

Service: application-default -

Action: allow

Options:

A.

Application = "any"

B.

Application = "web-browsing"

C.

Application = "ssl"

D.

Application = "http"

Buy Now
Questions 105

Which CLI command will help confirm if FQDN objects are resolved in the event there is a shadow rule?

Options:

A.

>show system fqdn

B.

>request fqdn show system

C.

>request show system fqdn

D.

>request system fqdn show

Buy Now
Questions 106

What is the correct process tor creating a custom URL category?

Options:

A.

Objects > Security Profiles > URL Category > Add

B.

Objects > Custom Objects > URL Filtering > Add

C.

Objects > Security Profiles > URL Filtering > Add

D.

Objects > Custom Objects > URL Category > Add

Buy Now
Questions 107

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

Options:

A.

Aperture

B.

AutoFocus

C.

Parisma SaaS

D.

GlobalProtect

Buy Now
Questions 108

Which data-plane processor layer of the graphic shown provides uniform matching for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

Options:

A.

Signature Matching

B.

Network Processing

C.

Security Processing

D.

Security Matching

Buy Now
Exam Code: PCNSA
Exam Name: Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)
Last Update: Dec 27, 2024
Questions: 364
PCNSA pdf

PCNSA PDF

$25.5  $84.99
PCNSA Engine

PCNSA Testing Engine

$30  $99.99
PCNSA PDF + Engine

PCNSA PDF + Testing Engine

$40.5  $134.99