PCNSA Full SG


Which two types of files can be sent to WildFire for analysis if a firewall has only a standard subscription service? (choose two.) a. .dll b. .jar c. .pdf d. .exe

a. .dll d. .exe

App-ID running on a firewall identifies applications using which three methods? (Choose three). a. Application Signatures b. PAN-DB lookups c. Program heuristics d. WildFire lookups e. Known protocol decoders

a. Application Signatures c. Program heuristics e. Known protocol decoders

Which four options are possible WildFire analysis verdicts? (Choose four.) a. Benign b. Grayware c. Malware d. Phishing e. Spyware

a. Benign b. Grayware c. Malware d. Phishing

An Antivirus Security Profile specifies Actions and WildFire Actions. WildFire Actions enable you to configure the firewall to perform which operation? a. Block traffic when a WildFire virus signature is detected b. Delete packet data when a virus is suspected c. Upload traffic to WildFire when a virus is suspected d. Download new antivirus signatures from WildFire

a. Block traffic when a WildFire virus signature is detected

What are two methods of certificate revocation? (Choose two.) a. CRL b. OCSP c. IKE d. SSH

a. CRL b. OCSP

A log can be exported to which format? a. CSV b. PDF c. PPT d. XLS

a. CSV

Which two statements are true regarding User-ID and firewall configuration? (Choose two.) a. Communications between the firewall and the User-ID agent are sent over an encrypted SSL connection. b. The firewall needs to have information for every User-ID agent to which it will connect. c. NetBIOS is the only client probing method supported by the User-ID agent. d. The User-ID agent must be installed on the Domain Controller.

a. Communications between the firewall and the User-ID agent are sent over an encrypted SSL connection. b. The firewall needs to have information for every User-ID agent to which it will connect.

Which three MGT port configuration settings are required in order to access the WebGUI from a remote subnet? (choose three.) a. Default gateway b. netmask c. hostname d. IP address

a. Default gateway b. netmask d. IP address

Logs can be forwarded to which four of the following Remote Logging Destinations? (Choose four.) a. Email b. Syslog c. Common access log d. Panorama e. SNMP

a. Email b. Syslog d. Panorama e. SNMP

GP clientless VPN provides secure remote access to web applications that use which three technologies? (choose three.) a. HTML5 b. Python c. Java d. JavaScript e. Ruby f. HTML

a. HTML5 d. JavaScript f. HTML

Which three attributes are true regarding WildFire? (Choose three.) a. Identifies threats by signatures, which are available for download by Palo Alto Networks firewalls in as little as 5 minutes. b. Provides the ability to identify malicious behaviors in executable files by running them in a virtual environment and observing their behaviors. c. Triggered by "block" or "forward" actions in a File Blocking Security Profile d. Uploads files for analysis to a WildFire solution maintained in the customer's environment and/or a hosted public cloud environment.

a. Identifies threats by signatures, which are available for download by Palo Alto Networks firewalls in as little as 5 minutes. b. Provides the ability to identify malicious behaviors in executable files by running them in a virtual environment and observing their behaviors. d. Uploads files for analysis to a WildFire solution maintained in the customer's environment and/or a hosted public cloud environment.

Which three statements are true regarding App-ID? (Choose three.) a. It addresses the traffic classification limitations of traditional firewalls. b. It is the Palo Alto Networks traffic classification mechanism. c. It uses multiple identification mechanisms to determine the exact identity of applications traversing the network. d. It still is in the developmental stage and is not yet released.

a. It addresses the traffic classification limitations of traditional firewalls. b. It is the Palo Alto Networks traffic classification mechanism. c. It uses multiple identification mechanisms to determine the exact identity of applications traversing the network.

Palo Alto Networks firewalls are built with a dedicated out-of-band management port that has which three attributes? (Choose three.) a. Labeled MGT by default. b. Passes only management traffic for the device and cannot be configured as a standard traffic port. c. Administrators use the out-of-band management port for direct connectivity to the management plane of the firewall. d. Cannot be configured to use DHCP.

a. Labeled MGT by default. b. Passes only management traffic for the device and cannot be configured as a standard traffic port. c. Administrators use the out-of-band management port for direct connectivity to the management plane of the firewall.

Virtual routers provide support for static routing and dynamic routing using which three protocols? (Choose three.) a. OSPF b. RIPv2 c. EGP d. BGP

a. OSPF b. RIPv2 d. BGP

Which four models are the Palo Alto Networks next-generation firewall models? (Choose four.) a. PA-200 Series b. PA-2000 Series c. PA-300 Series d. PA-3200 Series e. PA-400 Series f. PA-5000 Series g. PA-7000 Series

a. PA-200 Series d. PA-3200 Series f. PA-5000 Series g. PA-7000 Series

The decryption broker feature is supported by which three PANW firewall series? (choose three.) a. PA-5200 b. PA-7000 c. PA-220 d. PA-3200 e. PA-3000 f. PA-5000

a. PA-5200 b. PA-7000 d. PA-3200

Which three statements are true regarding a GlobalProtect Gateway? (Choose three.) a. Provides security enforcement for traffic from GlobalProtect clients. b. Requires a tunnel interface for external clients. c. Tunnel interfaces are optional for internal gateways. d. Authenticates users against a Server Profile.

a. Provides security enforcement for traffic from GlobalProtect clients. b. Requires a tunnel interface for external clients. c. Tunnel interfaces are optional for internal gateways.

The firewall acts as a proxy for which two types of traffic? (Choose two.) a. SSL outbound b. SSH c. SSL inbound inspection d. Non-SSL

a. SSL outbound b. SSH

Which three statements are true regarding sessions on the firewall? (choose three.) a. Sessions are always matched to a Security policy rule. b. Return traffic is allowed. c. The only session information tracked in the session logs are the five-tuples. d. Network packets are always matched to a session.

a. Sessions are always matched to a Security policy rule. b. Return traffic is allowed. d. Network packets are always matched to a session.

Which four items are possible network traffic match criteria in a Security policy on a Palo Alto Networks firewall? (Choose four.) a. Source Zone b. Username c. DNS Domain d. URL e. Application

a. Source Zone b. Username d. URL e. Application

Which three options are aspects of the basic requirements to create a VPN in a PAN-OS release? (Choose three.) a. add a static route to the virtual router b. create the tunnel interface c. configure the IPsec tunnel d. identify proxy ID errors

a. add a static route to the virtual router b. create the tunnel interface c. configure the IPsec tunnel

You should set all category actions to which level when you create a new URL Filtering Profile? a. alert b. block c. continue d. allow

a. alert

Which four actions result in a URL Filtering log entry? (Choose four.) a. alert b. allow c. block d. continue e. override

a. alert c. block d. continue e. override

Which three types of traffic flow across the HA Control link? (Choose three.) a. configuration synchronization b. session synchronization c. heartbeats d. hellos

a. configuration synchronization c. heartbeats d. hellos

Which two planes are found in Palo Alto Networks single-pass platform architecture? (Choose two.) a. control b. single pass c. data d. parallel processing

a. control c. data

Which three file types can be sent to WildFire without a WildFire license? (Choose three.) a. dll b. exe c. pdf d. scr e. xml

a. dll b. exe d. scr

Which three items are names of valid source NAT translation types? (Choose three.) a. dynamic IP b. dynamic IP/Port c. port forwarding d. static

a. dynamic IP b. dynamic IP/Port d. static

Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.) a. file types b. direction c. max file size d. application

a. file types c. max file size d. application

Which three components can be sent to WildFire for analysis? (Choose three.) a. files traversing the firewall b. email attachments c. MGT interface traffic d. URL links found in emails

a. files traversing the firewall b. email attachments d. URL links found in emails

Which are four failure detection methods in a firewall HA cluster? (Choose four.) a. heartbeats and hellos b. internal health checks c. link groups d. path groups e. polling

a. heartbeats and hellos b. internal health checks c. link groups d. path groups

Which four attributes describe an active/passive HA firewall configuration? (Choose four.) a. only one firewall actively processes traffic b. primarily designed to support asymmetric routing c. no increase in session capacity d. no increase in throughput e. supports Virtual Wire, Layer 2, and Layer 3 deployments

a. only one firewall actively processes traffic c. no increase in session capacity d. no increase in throughput e. supports Virtual Wire, Layer 2, and Layer 3 deployments

The GlobalProtect client will connect to either an internal gateway or an external gateway based on its location (inside or outside of the corporate network). This location determination is based on the result of which option? a. reverse DNS lookup b. user selection during agent startup c. IP address of the client system d. whether the user starts the client in online or offline mode

a. reverse DNS lookup

A SaaS application that you formally approve for use on your network is which type of application? a. sanctioned b. production c. unsanctioned d. service

a. sanctioned

Which two User-ID methods are used to verify known IP address-to-user mappings? (choose two.) a. session monitoring b. client probing c. captive portal d. server monitoring

a. session monitoring b. client probing

Which three statements are true regarding a public key infrastructure? (Choose three.) a. solves the problem of secure identification of public keys b. uses digital certificates to verify key owners c. relies on the manual distribution of shared keys d. has root and intermediate certificate authorities

a. solves the problem of secure identification of public keys b. uses digital certificates to verify key owners d. has root and intermediate certificate authorities

Which three attributes are true regarding a Virtual Wire (vwire) interface? (Choose three.) a. sometimes called a Bump in the Wire or Transparent In-Line b. no support for routing or device management c. supports NAT, Content-ID, and User-ID d. supports SSL Decrypt Inbound traffic only

a. sometimes called a Bump in the Wire or Transparent In-Line b. no support for routing or device management c. supports NAT, Content-ID, and User-ID

(T/F) A Backup Control link helps prevent split-brain operation in a firewall HA cluster. a. true b. false

a. true

(T/F) A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses. a. true b. false

a. true

(T/F) A Report Group must be sent as a scheduled email. It cannot be downloaded directly. a. true b. false

a. true

(T/F) A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to "Allow." a. true b. false

a. true

(T/F) A URL Filtering license is not required to define and use custom URL categories. a. true b. false

a. true

(T/F) Firewall administrator accounts can be individualized for user needs, granting or restricting permissions as appropriate. a. true b. false

a. true

(T/F) Heatmap and BPA are online tools available only to partners and employees. a. true b. false

a. true

(T/F) IPsec is a set of protocols used to set up a secure tunnel for the VPN traffic. a. true b. false

a. true

(T/F) If a GlobalProtect agent fails to establish an IPsec connection, the connection type will fall back to SSL-VPN. a. true b. false

a. true

(T/F) In Palo Alto Networks terms, an application is a specific program or feature that can be detected, monitored, and blocked if necessary. a. true b. false

a. true

(T/F) Intrazone traffic is allowed by default but interzone traffic is blocked by default. a. true b. false

a. true

(T/F) Service routes can be used to configure an in-band port to access external services. a. true b. false

a. true

(T/F) The Antivirus Security Profile defines actions to be taken if an infected file is detected as part of an application. a. true b. false

a. true

(T/F) The User Credential Detection tab can be used to block traffic when users submit their corporate credentials to a website. a. true b. false

a. true

(T/F) The strength of the Palo Alto Networks firewall is its Single-Pass Parallel Processing (SP3) engine. a. true b. false

a. true

(T/F) When a malicious file or link is detected in an email, WildFire can update antivirus signatures and the PAN-DB database. a. true b. false

a. true

(T/F) When the firewall is configured to decrypt SSL traffic going to external sites, it functions as a forward proxy. a. true b. false

a. true

(T/F) When you create a static route for the VPN, no next hop IP address is required. a. true b. false

a. true

Application groups can contain applications, filters, or other application groups. a. true b. false

a. true

Which three interfaces can control or shape network traffic? (choose three.) a. vWire b. Tap c. Layer 2 d. Layer 3

a. vWire c. Layer 2 d. Layer 3

Which three network modes are supported by active/passive HA? (choose three.) a. vWire b. Tap c. Layer 2 d. Layer 3

a. vWire c. Layer 2 d. Layer 3

Firewall administration can be done using which four interfaces? (Choose four.) a. web interface b. Panorama c. command line interface d. Java API e. XML API

a. web interface b. Panorama c. command line interface e. XML API

When the firewall detects that a session has been broken as a result of the decryption process, it will cache the session information and will not attempt to decrypt the next session to the same server. How many hours does this cache entry persist? a. 8 b. 12 c. 18 d. 24

b. 12

A Server Profile enables a firewall to locate which server type? a. A server with an available VPN connection b. A server with remote user accounts c. A server with firewall software updates d. A server with firewall threat updates

b. A server with remote user accounts

Which two options are true regarding a VPN tunnel interface? (Choose two.) a. The tunnel interface always requires an IP address. b. A tunnel interface is a logical Layer 3 interface. c. The tunnel interface must be added to a Layer 3 security zone. d. The interface name "tunnel" can be renamed to anything you want, up to 20 characters in length.

b. A tunnel interface is a logical Layer 3 interface. c. The tunnel interface must be added to a Layer 3 security zone.

Which phase is not one of the three phases used in a migration from port-based firewall policies to application-based firewall policies? a. Application Visibility b. Baseline Visibility c. Consolidate, Customize, and Reduce Risk d. Next-Generation Policies

b. Baseline Visibility

On a firewall with dedicated HA ports, which option describes the function of the HA2 port? a. Control link b. Data link c. Heartbeat link d. Management link

b. Data link

Where does a GlobalProtect client connect to first when trying to connect to the network? a. GP Gateway b. GP Portal c. User-ID agent d. AD agent

b. GP Portal

Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.) a. FC b. Layer 3 c. FCoE d. Tap e. Virtual Wire

b. Layer 3 d. Tap e. Virtual Wire

Which three statements are true regarding Safe Search Enforcement? (Choose three.) a. Safe search is a web server setting. b. Safe search is a web browser setting. c. Safe search is a best-effort setting. d. Safe search is designed to block violent web content.

b. Safe search is a web browser setting. c. Safe search is a best-effort setting. d. Safe search is designed to block violent web content.

Zone Protection Profiles are applied to which item? a. ingress ports b. Security policy rules c. egress ports d. Address Groups

b. Security policy rules

Which VM-Series model was introduced with the release of PAN-OS 8.1? a. VM-300 Lite b. VM-50 Lite c. VM-100 Lite d. VM-200 Lite

b. VM-50 Lite

Which three statements are true regarding the candidate configuration? (Choose three.) a. You can roll back the candidate configuration by pressing the Undo button. b. You can revert the candidate configuration to the running configuration. c. Clicking Save creates a copy of the current candidate configuration. d. Choosing Commit updates the running configuration with the contents of the candidate configuration.

b. You can revert the candidate configuration to the running configuration. c. Clicking Save creates a copy of the current candidate configuration. d. Choosing Commit updates the running configuration with the contents of the candidate configuration.

Which feature is a dynamic grouping of applications used in Security policy rules? a. application group b. application filter c. dependent applications d. implicit applications

b. application filter

Which item is the name of an object that dynamically groups applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic? a. application b. application filter c. application group d. Application Profile

b. application filter

In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose three.) a. synchronizing sessions b. exchanging hellos c. synchronizing configuration d. exchanging heartbeats

b. exchanging hellos c. synchronizing configuration d. exchanging heartbeats

What are two benefits of attaching a Decryption profile to a Decryption policy no-decrypt rule? (Choose two.) a. URL category matching b. expired certificate checking c. untrusted certificate checking d. acceptable protocol checking

b. expired certificate checking c. untrusted certificate checking

What is a use case for deploying PANW NGFWs in the public cloud? a. cost savings through one-time purchase of PANW hardware and subscriptions b. extending the corporate data center into the public cloud c. centralizing your data storage on premise d. faster WildFire analysis response time

b. extending the corporate data center into the public cloud

(T/F) Each Anti-Spyware Security Profile contains one master rule to handle all types of threats. a. true b. false

b. false

(T/F) Logging on intrazone-default and interzone-default Security policy rules is enabled by default. a. true b. false

b. false

(T/F) The intrazone-default and interzone-default rules cannot be modified. a. true b. false

b. false

(T/F) URLs always are matched to a PAN-DB URL category before they match a custom URL category. a. true b. false

b. false

(T/F) When the firewall is configured to inspect SSL traffic going to an internal server for which the firewall has the private key, it functions as a forward proxy. a. true b. false

b. false

(T/F) You must deploy the Windows-based User-ID agent to collect IP address-to-username mappings from a Windows AD Domain Controller. a. true b. false

b. false

In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.) a. link groups b. hellos c. path monitoring d. heartbeats

b. hellos d. heartbeats

Which three items are valid choices when configuring the Source User field in a Security policy rule? (Choose three.) a. all b. known-user c. any d. unknown e. none

b. known-user c. any d. unknown

Which cloud computing service model will enable an application developer to develop, manage, and test their applications without the expense of purchasing equipment? a. infrastructure as a service b. platform as a service c. software as a service d. code as a service

b. platform as a service

Which cloud computing platform provides shared resources, servers, and storage in a pay-as-you-go model? a. community b. public c. hybrid d. private

b. public

When SSL traffic passes through the firewall, which component is evaluated first? a. Decryption profile b. security policy c. decryption exclusion list d. decryption policy

b. security policy

Because a firewall examines every packet in a session, a firewall can detect application _______ a. filters b. shifts c. groups d. errors

b. shifts

In a Security profile, which action does a firewall take when the profile's action is configured as Reset Server? (Choose two.) a. for UDP sessions, the connection is reset b. the traffic responder is reset c. for UDP sessions, the connection is dropped d. the client is reset

b. the traffic responder is reset c. for UDP sessions, the connection is dropped

The WildFire portal website supports which three operations? (Choose three.) a. request firewall WildFire licenses b. view WildFire verdicts c. upload files to WildFire for analysis d. report incorrect verdicts

b. view WildFire verdicts c. upload files to WildFire for analysis d. report incorrect verdicts

On a firewall that has 32 ethernet ports and is configured with a dynamic IP and port (DIPP) NAT oversubscription rate of 2x, what is the maximum number of concurrent sessions supported by each available IP address? a. 64k b. 32 c. 128k d. 64

c. 128k

What is the max number of WildFire appliances that can be grouped into a WildFire appliance cluster? a. 32 b. 12 c. 20 d. 24

c. 20

The threat log records events from which three Security Profiles? (Choose three.) a. File blocking b. WildFire analysis c. Antivirus d. antispyware e. Vulnerability protection f. URL filtering

c. Antivirus d. antispyware e. Vulnerability protection

Which action in a File Blocking Security Profile results in the user being prompted to verify a file transfer? a. Allow b. Alert c. Continue d. Block

c. Continue

Which anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network? a. Data Filtering log entry b. continue response page c. DNS sinkhole d. CVE number

c. DNS sinkhole

Which statement describes a function provided by an Interface Management Profile? a. It determines which external services are accessible by the firewall. b. It determines which administrators can manage which interfaces. c. It determines which firewall services are accessible from external devices. d. It determines the NetFlow and LLDP interface management settings.

c. It determines which firewall services are accessible from external devices.

Which tab in the ACC provides an overview of traffic and user activity on your network? a. Tunnel Activity b. Blocked Activity c. Network Activity d. Threat Activity

c. Network Activity

Which new firewall model was introduced with PAN-OS 8.1 with double the data-plane memory? a. PA-5260 b. PA-5270 c. PA-5280 d. PA-5290

c. PA-5280

What is the result of performing a firewall commit operation? a. The candidate configuration becomes the saved configuration. b. The saved configuration becomes the loaded configuration. c. The candidate configuration becomes the running configuration. d. The loaded configuration becomes the candidate configuration.

c. The candidate configuration becomes the running configuration.

A security policy rule displayed in italic font indicates which condition? a. The rule has been overridden b. The rule is active c. The rule is disabled d. The rule is a clone

c. The rule is disabled

For which type of functionality can a GlobalProtect Gateway map IP addresses to the user? a. App-ID b. Content-ID c. User-ID

c. User-ID

Which interface type does NOT require any configuration changes to adjacent network devices? a. Layer 2 b. Tap c. Virtual Wire d. Layer 3

c. Virtual Wire

Which essential cloud characteristic is designed for applications that will be required to run on all platforms including smartphones, tablets, and laptops? a. on-demand self service b. measured services c. broad network access d. rapid elasticity

c. broad network access

What are the two separate planes that make up the PAN-OS architecture? (Choose two.) a. signature processing plane b. HA plane c. control/management plane d. routing plane e. data plane

c. control/management plane e. data plane

The GlobalProtect client is available in which two formats? (Choose two.) a. dmg b. exe c. msi d. pkg

c. msi d. pkg

In a destination NAT configuration, which option accurately completes the following sentence? A security policy rule should be written to match the ______. a. original pre-NAT source and destination addresses, and the pre-NAT destination zone b. post-NAT source and destination addresses, but the pre-NAT destination zone c. original pre-NAT source and destination addresses, but the post-NAT destination zone d. post-NAT source and destination addresses, and the post-NAT destination zone

c. original pre-NAT source and destination addresses, but the post-NAT destination zone

What is a characteristic of Dynamic Admin Roles? a. they can be dynamically created or deleted by a firewall admin b. they can be dynamically modified by external authorization systems c. role privileges can be dynamically updated with newer software releases d. role privileges can be dynamically updated by a firewall admin

c. role privileges can be dynamically updated with newer software releases

SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.) a. client's digital certificate b. client's public key c. server's digital certificate d. server's private key

c. server's digital certificate d. server's private key

Which of the three types of Security policy rules that can be created is the default rule type? a. intrazone b. interzone c. universal

c. universal

Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate that you should take which action? a. re-download the URL seed database b. reboot the firewall c. validate connectivity to the PAN-DB cloud d. validate your security policy rules

c. validate connectivity to the PAN-DB cloud

Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which application? a. unknown-tcp b. unknown-udp c. web-browsing

c. web-browsing

For which firewall feature should you create forward trust and forward untrust certificates? a. SSL Inbound Inspection decryption b. SSH decryption c. SSL client-side certificate checking d. SSL forward proxy decryption

d. SSL forward proxy decryption

To create a Heatmap and BPA report, which type of file would you need to create and download from the firewall? a. Stats Dump File b. Config File saved in XML format c. Config File saved in CSV format d. Tech Support File

d. Tech Support File

Which statement is true about a URL filtering profile override password? a. There is a password per website. b. There is a password per session. c. There is a password per firewall administrator account. d. There is a single, per-firewall password.

d. There is a single, per-firewall password.

Which statement is true regarding User-ID and Security policy rules? a. If the user associated with an IP address cannot be determined, all traffic from that address will be dropped. b. The Source User field can match only users, not groups. c. The Source IP and Source User fields cannot be used in the same policy. d. Users can be used in policy rules only if they are known by the firewall.

d. Users can be used in policy rules only if they are known by the firewall.

Cloud security is a shared responsibility between the cloud provider and the customer. Which security platform is the cloud provider responsible for? a. identity and access management b. encryption management c. firewall and network traffic d. foundation services

d. foundation services

Which file must be downloaded from the firewall to create a heatmap/best practices assessment report? a. firewall config file b. XML file c. stats dump file d. tech support file

d. tech support file

