Palo Alto PCNSA

Which option shows the attributes that are selectable when setting up application filters?
Category, Subcategory, Technology, and Characteristic
Category, Subcategory, Technology, Risk, and Characteristic
Name, Category, Technology, Risk, and Characteristic
Category, Subcategory, Risk, Standard Ports, and Technology
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
Block List
Custom URL Categories
PAN-DB URL Categories
Allow List
Which statement is true regarding a Best Practice Assessment?
The BPA tool can be run only on firewalls
It provides a percentage of adoption for each assessment area
The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
Which interface does not require a MAC or IP address?
Virtual Wire
Layer3
Layer2
Loopback
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?
Rule Usage Filter > No App Specified
Rule Usage Filter > Hit Count > Unused in 30 days
Rule Usage Filter > Unused Apps
Rule Usage Filter > Hit Count > Unused in 90 days
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)
An implicit dependency does not require the dependent application to be added in the security policy
An implicit dependency requires the dependent application to be added in the security policy
An explicit dependency does not require the dependent application to be added in the security policy
An explicit dependency requires the dependent application to be added in the security policy
Recently, changes were made to the firewall to optimize the policies, and the security team wants to see if those changes are helping. What is the quickest way to reset the hit counter to zero in all the security policy rules?
At the CLI enter the command reset rules and press Enter
Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
Reboot the firewall
Use the Reset Rule Hit Counter > All Rules option
Which two App-ID applications will need to be allowed to use Facebook-chat? (Choose two.)
Facebook
Facebook-chat
Facebook-base
facebook-email
In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?
Weaponization
Reconnaissance
Installation
Command and Control
Exploitation
Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. Add the service account to monitor the server(s)
2. Define the address of the servers to be monitored on the firewall
4. Commit the configuration, and verify agent connection status
1. Create a service account on the Domain Controller with sufficient permissions to execute the User-ID agent
2-3-4-1
1-4-3-2
3-1-2-4
1-3-2-4
To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?
Domain controller
TACACS+
LDAP
RADIUS
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?
Layer 2
Tap
Layer 3
Virtual Wire
Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?
Root
Dynamic
Role-based
Superuser
Which administrator type utilizes predefined roles for a local administrator account?
Superuser
Role-based
Dynamic
Device administrator
The CFO found a USB drive in the parking lot and decided to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin exfiltrating data from the laptop. Which security profile feature could have been used to prevent the communication with the CnC server?
Create an anti-spyware profile and enable DNS Sinkhole
Create an antivirus profile and enable DNS Sinkhole
Create a URL filtering profile and block the DNS Sinkhole category
Create a security policy and enable DNS Sinkhole
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?
Active Directory monitoring
Windows session monitoring
Windows client probing
Domain controller monitoring
What are three differences between security policies and security profiles? (Choose three.)
Security policies are attached to security profiles
Security profiles are attached to security policies
Security profiles should only be used on allowed traffic
Security profiles are used to block traffic by themselves
Security policies can block or allow traffic
Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?
Global
Intrazone
Interzone
Universal
Which two Palo Alto Networks security management tools provide consolidated creation of policies, centralized management, and centralized threat intelligence? (Choose two.)
GlobalProtect
Panorama
Aperture
AutoFocus
Which statement is true regarding a Prevention Posture Assessment?
The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories
It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
It provides a percentage of adoption for each assessment area
It performs over 200 security checks on Panorama/firewall for the assessment
The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category. Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)
Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow
Manually remove powerball.com from the gambling URL category
Add *.powerball.com to the allow list
Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.
Which update option is not available to administrators?
New Spyware Notifications
New URLs
New Application Signatures
New Malicious Domains
New Antivirus Signatures
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?
Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH
Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH
In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-IP-address
In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin
Which interface type can use virtual routers and routing protocols?
Tap
Layer3
Virtual Wire
Layer2
Which URL profiling action does not generate a log entry when a user attempts to access that URL?
Override
Allow
Block
Continue
An internal host wants to connect to servers on the internet using source NAT. Which policy is required to enable source NAT on the firewall?
NAT policy with source zone and destination zone specified
post-NAT policy with external source and any destination address
NAT policy with no source or destination zone selected
Pre-NAT policy with external source and any destination address
Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet's source and destination IP address?
DoS protection
URL filtering
Packet buffering
Anti-spyware
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)
Layer-ID
User-ID
QoS-ID
App-ID
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
Device>Setup>Services
Device>Setup>Management
Device>Setup>Operations
Device>Setup>Interfaces
Complete the statement. A security profile can block or allow traffic
On unknown-tcp or unknown-udp traffic
After it is evaluated by a security policy that allows traffic
Before it is evaluated by a security policy
After it is evaluated by a security policy that allows or blocks traffic
Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
Syslog
RADIUS
UID redistribution
XFF headers
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone. Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow
Destination IP: 192.168.1.123/24
Application = ‘Telnet’
Log Forwarding
USER-ID = ‘Allow users in Trusted’
Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?
Threat Prevention License
Threat Implementation License
Threat Environment License
Threat Protection License
Which two security profile types can be attached to a security policy? (Choose two.)
Antivirus
DDoS protection
Threat
Vulnerability
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?
GlobalProtect
AutoFocus
Aperture
Panorama
Which file is used to save the running configuration with a Palo Alto Networks firewall?
Running-config.xml
Run-config.xml
Running-configuration.xml
Run-configuratin.xml
In the example security policy shown, which two websites would be blocked? (Choose two.)
Linkedin
Facebook
Youtube
Amazon
Given the image, which two options are true about the Security policy rules? (Choose two.)
The Allow Office Programs rule is using an Application Filter
In the Allow FTP to web server rule, FTP is allowed using App-ID
The Allow Office Programs rule is using an Application Group
In the Allow Social Networking rule, allows all of Facebook’s functions
Given the topology, which zone type should zone A and zone B be configured with?
Layer3
Tap
Layer2
Virtual Wire
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?
 
Intrazone-default
Deny Google
Allowed-security services
Interzone-default