Maximize Your Success with ITPrepare's Latest PCNSA Exam Dumps V17.02

Maximize Your Success with ITPrepare’s Latest PCNSA Exam Dumps V17.02

Eleanor2023-02-08T01:52:41+00:00

By Eleanor Palo Alto Networks, PCNSA PCNSA, PCNSA exam dumps, PCNSA exam questions 0 Comments

Are you looking to demonstrate your ability to operate the Palo Alto Networks firewall and protect networks from cyber threats? ITPrepare has the solution you need with its updated PCNSA exam dumps. The latest PCNSE exam dumps V17.02 of ITPrepare are based on the actual exam objectives and, we have full confidence to ensure your success. With ITPrepare’s PCNSA exam dumps questions, you can focus your study efforts and maximize your chance of passing the Palo Alto Networks Certified Network Security Administrator exam. We have collected the most current and relevant questions and answers to give you a comprehensive understanding of the exam material. With our comprehensive and up-to-date information, you’ll have the confidence and knowledge you need to pass the PCNSA exam and reach your goals.

You can check the Palo Alto Networks PCNSA free demo questions:

Page 1 of 10

1. Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

Root

Dynamic

Role-based

Superuser

2. Which Security profile can you apply to protect against malware such as worms and Trojans?

data filtering

antivirus

vulnerability protection

anti-spyware

3. An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.

Which security policy action causes this?

Reset server

Reset both

Deny

Drop

4. Palo Alto Networks firewall architecture accelerates content map minimizing latency using which two components'? (Choose two )

Network Processing Engine

Single Stream-based Engine

Policy Engine

Parallel Processing Hardware

5. Given the detailed log information above, what was the result of the firewall traffic inspection?

It was blocked by the Vulnerability Protection profile action.

It was blocked by the Anti-Virus Security profile action.

It was blocked by the Anti-Spyware Profile action.

It was blocked by the Security policy action.

6. Which administrator type utilizes predefined roles for a local administrator account?

Superuser

Role-based

Dynamic

Device administrator

7. Given the cyber-attack lifecycle diagram identify the stage in which the attacker can run malicious code against a vulnerability in a targeted machine.

Exploitation

Installation

Reconnaissance

Act on the Objective

8. What are three differences between security policies and security profiles? (Choose three.)

Security policies are attached to security profiles

Security profiles are attached to security policies

Security profiles should only be used on allowed traffic

Security profiles are used to block traffic by themselves

Security policies can block or allow traffic

9. When is the content inspection performed in the packet flow process?

after the application has been identified

after the SSL Proxy re-encrypts the packet

before the packet forwarding process

before session lookup

10. An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration.

Why doesn't the administrator see the traffic?

Traffic is being denied on the interzone-default policy.

The Log Forwarding profile is not configured on the policy.

The interzone-default policy is disabled by default

Logging on the interzone-default policy is disabled

Page 2 of 10

11. An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

default

universal

intrazone

interzone

12. Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

save named configuration snapshot

export device state

export named configuration snapshot

save candidate config

13. Which plane on a Palo alto networks firewall provides configuration logging and reporting functions on a separate processor?

data

network processing

management

security processing

14. If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL

Configure a frequency schedule to clear group mapping cache

Configure a Primary Employee ID number for user-based Security policies

Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389

15. What are three valid ways to map an IP address to a username? (Choose three.)

using the XML API

DHCP Relay logs

a user connecting into a GlobalProtect gateway using a GlobalProtect Agent

usernames inserted inside HTTP Headers

WildFire verdict reports

16. Complete the statement. A security profile can block or allow traffic____________

on unknown-tcp or unknown-udp traffic

after it is matched by a security policy that allows traffic

before it is matched by a security policy

after it is matched by a security policy that allows or blocks traffic

17. Which object would an administrator create to block access to all high-risk applications?

HIP profile

application filter

application group

Vulnerability Protection profile

18. An administrator wishes to follow best practices for logging traffic that traverses the firewall

Which log setting is correct?

Disable all logging

Enable Log at Session End

Enable Log at Session Start

Enable Log at both Session Start and End

19. An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

Security policy rule

ACC global filter

external dynamic list

NAT address pool

20. What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

SAML

TACACS+

LDAP

Kerberos

Page 3 of 10

21. An administrator would like to silently drop traffic from the internet to a ftp server.

Which Security policy action should the administrator select?

Reset-server

Block

Deny

Drop

22. What must be configured before setting up Credential Phishing Prevention?

Anti Phishing Block Page

Threat Prevention

Anti Phishing profiles

User-ID

23. Which statement is true about Panorama managed devices?

Panorama automatically removes local configuration locks after a commit from Panorama

Local configuration locks prohibit Security policy changes for a Panorama managed device

Security policy rules configured on local firewalls always take precedence

Local configuration locks can be manually unlocked from Panorama

24. What is the minimum timeframe that can be set on the firewall to check for new WildFire signatures?

every 30 minutes

every 5 minutes

once every 24 hours

every 1 minute

25. Which interface type can use virtual routers and routing protocols?

Tap

Layer3

Virtual Wire

Layer2

26. Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.

Complete the security policy to ensure only Telnet is allowed.

Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow

Destination IP: 192.168.1.123/24

Application = ‘Telnet’

Log Forwarding

USER-ID = ‘Allow users in Trusted’

27. What allows a security administrator to preview the Security policy rules that match new application signatures?

Review Release Notes

Dynamic Updates-Review Policies

Dynamic Updates-Review App

Policy Optimizer-New App Viewer

28. Which solution is a viable option to capture user identification when Active Directory is not in use?

Cloud Identity Engine

group mapping

Directory Sync Service

Authentication Portal

29. An administrator would like to determine the default deny action for the application dns-over-https

Which action would yield the information?

View the application details in beacon paloaltonetworks.com

Check the action for the Security policy matching that traffic

Check the action for the decoder in the antivirus profile

View the application details in Objects > Applications

30. If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?

A)

Option A

Option B

Option C

Option D

Page 4 of 10

31. DRAG DROP

Match each rule type with its example

32. Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

Untrust (any) to DMZ (10.1.1.100), web browsing -Allow

Untrust (any) to Untrust (1.1.1.100), web browsing - Allow

Untrust (any) to Untrust (10.1.1.100), web browsing -Allow

Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

33. Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH. web-browsing and SSL applications.

Which policy achieves the desired results?

A)

Option

34. What do you configure if you want to set up a group of objects based on their ports alone?

Application groups

Service groups

Address groups

Custom objects

35. Which two App-ID applications will need to be allowed to use Facebook-chat? (Choose two.)

facebook

facebook-chat

facebook-base

facebook-email

36. Which statement best describes the use of Policy Optimizer?

Policy Optimizer can display which Security policies have not been used in the last 90 days

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications

Policy Optimizer can add or change a Log Forwarding profile for each Secunty policy selected

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists Admins can then manually enable policies they want to keep and delete ones they want to remove

37. An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action (or the profile.

If a virus gets detected, how wilt the firewall handle the traffic?

It allows the traffic because the profile was not set to explicitly deny the traffic.

It drops the traffic because the profile was not set to explicitly allow the traffic.

It uses the default action assigned to the virus signature.

It allows the traffic but generates an entry in the Threat logs.

38. Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?

global

intrazone

interzone

universal

39. Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?

GlobalProtect

AutoFocus

Aperture

Panorama

40. Which administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.

Which security profile components will detect and prevent this threat after the firewall`s signature database has been updated?

antivirus profile applied to outbound security policies

data filtering profile applied to inbound security policies

data filtering profile applied to outbound security policies

vulnerability profile applied to inbound security policies

Page 5 of 10

41. DRAG DROP

Place the steps in the correct packet-processing order of operations.

42. An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released.

Which object should the administrator use as a match condition in the Security policy?

the Content Delivery Networks URL category

the Online Storage and Backup URL category

an application group containing all of the file-sharing App-IDs reported in the traffic logs

an application filter for applications whose subcategory is file-sharing

43. 1.After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration.

Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

Import named config snapshot

Load named configuration snapshot

Revert to running configuration

Revert to last saved configuration

44. What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?

any supported Palo Alto Networks firewall or Prisma Access firewall

an additional subscription free of charge

a firewall device running with a minimum version of PAN-OS 10.1

an additional paid subscription

45. Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

At the CLI enter the command reset rules and press Enter

Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

Reboot the firewall

Use the Reset Rule Hit Counter > All Rules option

46. An administrator would like to create a URL Filtering log entry when users browse to any gambling website.

What combination of Security policy and Security profile actions is correct?

Security policy = drop, Gambling category in URL profile = allow

Security policy = deny. Gambling category in URL profile = block

Security policy = allow, Gambling category in URL profile = alert

Security policy = allow. Gambling category in URL profile = allow

47. What is a recommended consideration when deploying content updates to the firewall from Panorama?

Before deploying content updates, always check content release version compatibility.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

Content updates for firewall A/A HA pairs need a defined master device.

After deploying content updates, perform a commit and push to Panorama.

48. Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

Active Directory monitoring

Windows session monitoring

Windows client probing

domain controller monitoring

49. An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address.

What is the most appropriate NAT policy to achieve this?

Dynamic IP and Port

Dynamic IP

Static IP

Destination

50. Which prevention technique will prevent attacks based on packet count?

zone protection profile

URL filtering profile

antivirus profile

vulnerability profile

Page 6 of 10

51. Which interface does not require a MAC or IP address?

Virtual Wire

Layer3

Layer2

Loopback

52. Which administrative management services can be configured to access a management interface?

HTTP, CLI, SNMP, HTTPS

HTTPS, SSH telnet SNMP

SSH: telnet HTTP, HTTPS

HTTPS, HTT

CLI, API

53. Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic

Which statement accurately describes how the firewall will apply an action to matching traffic?

If it is an allowed rule, then the Security Profile action is applied last

If it is a block rule then the Security policy rule action is applied last

If it is an allow rule then the Security policy rule is applied last

If it is a block rule then Security Profile action is applied last

54. What in the minimum frequency for which you can configure the firewall too check for new wildfire antivirus signatures?

every 5 minutes

every 1 minute

every 24 hours

every 30 minutes

55. Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

It functions like PAN-DB and requires activation through the app portal.

It removes the 100K limit for DNS entries for the downloaded DNS updates.

IT eliminates the need for dynamic DNS updates.

IT is automatically enabled and configured.

56. You need to allow users to access the officeCsuite application of their choice.

How should you configure the firewall to allow access to any office-suite application?

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

Create an Application Group and add business-systems to it.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

57. What are the two default behaviors for the intrazone-default policy? (Choose two.)

Allow

Logging disabled

Log at Session End

Deny

58. Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.

Exploitation

Installation

Reconnaissance

Act on Objective

59. Which three statement describe the operation of Security Policy rules or Security Profiles? (Choose three)

Security policy rules inspect but do not block traffic.

Security Profile should be used only on allowed traffic.

Security Profile are attached to security policy rules.

Security Policy rules are attached to Security Profiles.

Security Policy rules can block or allow traffic.

60. What is the main function of the Test Policy Match function?

verify that policy rules from Expedition are valid

confirm that rules meet or exceed the Best Practice Assessment recommendations

confirm that policy rules in the configuration are allowing/denying the correct traffic

ensure that policy rules are not shadowing other policy rules

Page 7 of 10

61. An administrator is reviewing another administrator s Security policy log settings

Which log setting configuration is consistent with best practices tor normal traffic?

Log at Session Start and Log at Session End both enabled

Log at Session Start disabled Log at Session End enabled

Log at Session Start enabled Log at Session End disabled

Log at Session Start and Log at Session End both disabled

62. Which statement is true regarding a Best Practice Assessment?

The BPA tool can be run only on firewalls

It provides a percentage of adoption for each assessment data

The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

63. Which statement best describes a common use of Policy Optimizer?

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

Policy Optimizer can display which Security policies have not been used in the last 90 days.

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

64. Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

User identification

Filtration protection

Vulnerability protection

Antivirus

Application identification

Anti-spyware

65. An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

NAT policy with source zone and destination zone specified

post-NAT policy with external source and any destination address

NAT policy with no source of destination zone selected

pre-NAT policy with external source and any destination address

66. Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

67. Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

Data redistribution

Dynamic updates

SNMP setup

Service route

68. Which action results in the firewall blocking network traffic with out notifying the sender?

Drop

Deny

Reset Server

Reset Client

69. Which three types of authentication services can be used to authenticate user traffic flowing through the firewalls data plane? (Choose three )

TACACS

SAML2

SAML10

Kerberos

TACACS+

70. Based on the screenshot what is the purpose of the group in User labelled ''it"?

Allows users to access IT applications on all ports

Allows users in group "DMZ" lo access IT applications

Allows "any" users to access servers in the DMZ zone

Allows users in group "it" to access IT applications

Page 8 of 10

71. How are Application Fillers or Application Groups used in firewall policy?

An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group

An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group

An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group

An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group

72. Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

on the App Dependency tab in the Commit Statuswindow

on the Policy Optimizer'sRule Usagepage C ontheApplication tab in the Security Policy Rulecreation window

ontheObjects>Applicationsbrowser pages

73. Given the screenshot what two types of route is the administrator configuring? (Choose two )

default route

OSPF

BGP

static route

74. Which type firewall configuration contains in-progress configuration changes?

backup

running

candidate

committed

75. An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

Rules without App Controls

New App Viewer

Rule Usage

Unused Unused Apps

76. In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?

Weaponization

Reconnaissance

Installation

Command and Control

Exploitation

77. You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

URL Filtering profile applied to inbound Security policy rules.

Data Filtering profile applied to outbound Security policy rules.

Antivirus profile applied to inbound Security policy rules.

Vulnerability Protection profile applied to outbound Security policy rules.

78. Selecting the option to revert firewall changes will replace what settings?

The running configuration with settings from the candidate configuration

The candidate configuration with settings from the running configuration

The device state with settings from another configuration

Dynamic update scheduler settings

79. Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s source and destination IP address?

DoS protection

URL filtering

packet buffering

anti-spyware

80. Which tab would an administrator click to create an address object?

Device

Policies

Monitor

Objects

Page 9 of 10

81. An administrator is configuring a NAT rule

At a minimum, which three forms of information are required? (Choose three.)

name

source zone

destination interface

destination address

destination zone

82. An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.

Which two fields could help in determining if this is normal? (Choose two.)

Packets sent/received

IP Protocol

Action

Decrypted

83. You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?

Admin Role profile

virtual router

DNS proxy

service route

84. Which type of address object is "10 5 1 1/0 127 248 2"?

IP subnet

IP wildcard mask

IP netmask

IP range

85. DRAG DROP

Match the cyber-attack lifecycle stage to its correct description.

86. Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?

Palo Alto Networks Bulletproof IP Addresses

Palo Alto Networks C&C IP Addresses

Palo Alto Networks Known Malicious IP Addresses

Palo Alto Networks High-Risk IP Addresses

87. What is considered best practice with regards to committing configuration changes?

Disable the automatic commit feature that prioritizes content database installations before committing

Validate configuration changes prior to committing

Wait until all running and pending jobs are finished before committing

Export configuration after each single configuration change performed

88. Based on the screenshot presented which column contains the link that when clicked opens a window to display all applications matched to the policy rule?

Apps Allowed

Name

Apps Seen

Service

89. DRAG DROP

Place the following steps in the packet processing order of operations from first to last.

90. Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?

It defines the SSUTLS encryption strength used to protect the management interface.

It defines the CA certificate used to verify the client's browser.

It defines the certificate to send to the client's browser from the management interface.

It defines the firewall's global SSL/TLS timeout values.

Page 10 of 10

91. Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

GlobalProtect agent

XML API

User-ID Windows-based agent

log forwarding auto-tagging

92. Which the app-ID application will you need to allow in your security policy to use facebook-chat?

facebook-email

facebook-base

facebook

facebook-chat

93. What is a function of application tags?

creation of new zones

application prioritization

automated referenced applications in a policy

IP address allocations in DHCP

94. What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

Implement a threat intel program.

Configure a URL Filtering profile.

Train your staff to be security aware.

Rely on a DNS resolver.

Plan for mobile-employee risk

95. The firewall sends employees an application block page when they try to access Youtube.

Which Security policy rule is blocking the youtube application?

intrazone-default

Deny Google

allowed-security services

interzone-default

96. Which object would an administrator create to enable access to all applications in the office-programs subcategory?

application filter

URL category

HIP profile

application group

97. Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

Windows-based agent deployed on the internal network

PAN-OS integrated agent deployed on the internal network

Citrix terminal server deployed on the internal network

Windows-based agent deployed on each of the WAN Links

98. Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

Layer 3

Virtual Wire

Tap

Layer 2

99. What is an advantage for using application tags?

They are helpful during the creation of new zones

They help with the design of IP address allocations in DHC

They help content updates automate policy updates

They help with the creation of interfaces

100. At which point in the app-ID update process can you determine if an existing policy rule is affected by an app-ID update?

after clicking Check New in the Dynamic Update window

after connecting the firewall configuration

after downloading the update

after installing the update

Maximize Your Success with ITPrepare’s Latest PCNSA Exam Dumps V17.02