PCNSA
Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
1-Step 2 2-Step 6 3-Step 1 4-Step 4 5-Step 3 6-Step 5
Based on the security policy rules shown, ssh will be allowed on which port? A. 22 B. 23 C. 53 D. 80
A
Given the screenshot what two types of route is the administrator configuring? (Choose two ) A. default route B. OSPF C. BGP D. static route
A
Which Palo Alto Networks security operating platform service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and sharing and scanning files for sensitive information? A. Prisma SaaS B. AutoFocus C. Panorama D. GlobalProtect
A
Which data-plane processor layer of the graphic shown provides uniform matching for spyware and vulnerability exploits on a Palo Alto Networks Firewall? A. Signature Matching B. Network Processing C. Security Processing D. Security Matching
A
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources? A. Windows-based agent deployed on the internal network B. PAN-OS integrated agent deployed on the internal network C. Citrix terminal server deployed on the internal network D. Windows-based agent deployed on each of the WAN Links
A -
Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s source and destination IP address? A. DoS protection B. URL filtering C. packet buffering D. anti-spyware
A -
Which statement is true regarding NAT rules? A. Static NAT rules have precedence over other forms of NAT. B. Translation of the IP address and port occurs before security processing. C. NAT rules are processed in order from top to bottom. D. Firewall supports NAT on Layer 3 interfaces only.
A -
If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID? A. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL B. Configure a frequency schedule to clear group mapping cache C. Configure a Primary Employee ID number for user-based Security policies D. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389
A - P. 21
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures? A. Review Policies B. Review Apps C. Pre-analyze D. Review App Matches
A - p. 108
When is the content inspection performed in the packet flow process? A. after the application has been identified B. after the SSL Proxy re-encrypts the packet C. before the packet forwarding process D. before session lookup
A - p. 122
Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers. Given the scenario, choose the option for sending IP-to-user mappings to the NGFW. A. syslog B. RADIUS C. UID redistribution D. XFF headers
A - p. 123
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers? A. Active Directory monitoring B. Windows session monitoring C. Windows client probing D. domain controller monitoring
A - p. 160
Which file is used to save the running configuration with a Palo Alto Networks firewall? A. running-config.xml B. run-config.xml C. running-configuration.xml D. run-configuratin.xml
A - p. 24
Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location. What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome? A. save named configuration snapshot B. export device state C. export named configuration snapshot D. save candidate config
C - p. 28 (Save keeps the snapshot on the firewall itself; Export named configuration snapshot is the one that lets you pick running-config.xml and download it to an external location)
What is considered best practice with regards to committing configuration changes? A. Disable the automatic commit feature that prioritizes content database installations before committing B. Validate configuration changes prior to committing C. Wait until all running and pending jobs are finished before committing D. Export configuration after each single configuration change performed
A - p. 32
Which interface does not require a MAC or IP address? A. Virtual Wire B. Layer3 C. Layer2 D. Loopback
A - p. 49-50
Which attribute can a dynamic address group use as a filtering condition to determine its membership? A. tag B. wildcard mask C. IP address D. subnet mask
A - p. 85-86
What are the requirements for using the Palo Alto Networks EDL Hosting Service? A. any supported Palo Alto Networks firewall or Prisma Access firewall B. an additional subscription free of charge C. a firewall device running with a minimum version of PAN-OS 10.1 D. an additional paid subscription
A - p. 95
Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material? A. Palo Alto Networks Bulletproof IP Addresses B. Palo Alto Networks C&C IP Addresses C. Palo Alto Networks Known Malicious IP Addresses D. Palo Alto Networks High-Risk IP Addresses
A - p. 95
An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone The administrator does not want to allow traffic between the DMZ and LAN zones. Which Security policy rule type should they use? A. default B. universal C. intrazone D. interzone
A - this feels wrong though, p. 112
In the example security policy shown, which two websites are blocked? (Choose two.) A. LinkedIn B. Facebook C. YouTube D. Amazon
A, B
What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.) A. SAML B. TACACS+ C. LDAP D. Kerberos
A, B - p. 21-23
An administrator wants to prevent access to media content websites that are risky. Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two) A. streaming-media B. high-risk C. recreation-and-hobbies D. known-risk
A, C - I think it would be A, B?
Given the image, which two options are true about the Security policy rules. (Choose two.) A. The Allow Office Programs rule is using an Application Filter B. In the Allow FTP to web server rule, FTP is allowed using App-ID C. The Allow Office Programs rule is using an Application Group D. In the Allow Social Networking rule, allows all of Facebook's functions
A, D
During the packet flow process, which two processes are performed in application identification? (Choose two.) A. pattern based application identification B. application override policy match C. session application identified D. application changed from content inspection
A,B -
What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.) A. It uses techniques such as DGA/DNS tunneling detection and machine learning. B. It requires a valid Threat Prevention license. C. It enables users to access real-time protections using advanced predictive analytics. D. It requires a valid URL Filtering license. E. It requires an active subscription to a third-party DNS Security service.
A,B,C - p. 157
Which three configuration settings are required on a Palo Alto networks firewall management interface? A. default gateway B. netmask C. IP address D. hostname E. auto-negotiation
A,B,C - p. 9
A network administrator is required to use a dynamic routing protocol for network connectivity. Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.) A. RIP B. OSPF C. IS-IS D. EIGRP E. BGP
A,B,E-p.64
An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets. What are two security policy actions the administrator can select? (Choose two.) A. Reset server B. Reset both C. Drop D. Deny
A,B - p. 147-148 (Reset server and Reset both send a TCP RST toward the server, which clears its half-open socket; Drop is silent and leaves the server waiting)
Which two settings allow you to restrict access to the management interface? (Choose two ) A. enabling the Content-ID filter B. administrative management services C. restricting HTTP and telnet using App-ID D. permitted IP addresses
B,D - p.13 (permitted IP addresses and the enabled administrative management services are MGT-interface settings; Content-ID and App-ID act on data-plane traffic, not on management access)
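The management-interface settings behind the two questions above (required IP/netmask/gateway, and restricting who can reach the interface), written out as PAN-OS CLI set commands. This is an added example, not from the page or the study guide; the addresses, the management network 10.10.0.0/24 and the hostname are assumed, and the lines starting with # are annotations for the reader, not CLI input.

```text
configure
# The three required MGT settings: IP address, netmask, default gateway.
# Hostname is optional (it defaults to the model name if you leave it out).
set deviceconfig system ip-address 10.10.0.5
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 10.10.0.1
set deviceconfig system hostname fw01
# Restrict which source networks may reach the MGT interface at all.
set deviceconfig system permitted-ip 10.10.0.0/24
# Restrict the management services offered on it: keep HTTPS and SSH,
# switch off the clear-text ones (telnet, HTTP).
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
commit
# Verify what is now active on the MGT interface.
run show system info | match "ip-address|netmask|default-gateway"
```

Note that permitted-ip is evaluated on the MGT interface only; if you also expose management on a data-plane interface through an Interface Management profile, that profile carries its own permitted-IP list.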
What are three valid ways to map an IP address to a username? (Choose three.) A. using the XML API B. DHCP Relay logs C. a user connecting into a GlobalProtect gateway using a GlobalProtect Agent D. usernames inserted inside HTTP Headers E. WildFire verdict reports
A,C,D - p. 124
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.) A. An implicit dependency does not require the dependent application to be added in the security policy B. An implicit dependency requires the dependent application to be added in the security policy C. An explicit dependency does not require the dependent application to be added in the security policy D. An explicit dependency requires the dependent application to be added in the security policy
A,D - p. 114
Which two security profile types can be attached to a security policy? (Choose two.) A. antivirus B. DDoS protection C. threat D. vulnerability
A,D - p. 140
Actions can be set for which two items in a URL filtering security profile? (Choose two.) A. Block List B. Custom URL Categories C. PAN-DB URL Categories D. Allow List
A,D - p. 141
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways? A. GlobalProtect B. AutoFocus C. Aperture D. Panorama
A. GlobalProtect
Which Palo Alto network security operating platform component provides consolidated policy creation and centralized management? A. Prisma SaaS B. Panorama C. AutoFocus D. GlobalProtect
B
Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites? A. reconnaissance B. delivery C. exploitation D. installation
B
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make? A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin
B -
An administrator is reviewing the Security policy rules shown in the screenshot below. Which statement is correct about the information displayed? A. Eleven rules use the "Infrastructure" tag. B. The View Rulebase as Groups option is checked. C. There are seven Security policy rules on this firewall. D. Highlight Unused Rules is checked.
B -
Complete the statement. A security profile can block or allow traffic____________ A. on unknown-tcp or unknown-udp traffic B. after it is matched by a security policy that allows traffic C. before it is matched by a security policy D. after it is matched by a security policy that allows or blocks traffic
B -
Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane? A. Kerberos user B. SAML user C. local database user D. local user
D - (a local administrator whose password is stored directly on the firewall is management-only; local database users, SAML and Kerberos can all back an authentication profile used by Authentication Policy for data-plane traffic)
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones? A. intrazone B. interzone C. universal D. global
B - p. 112
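The two rule-type questions above (DNS allowed within LAN and within DMZ but never between them, and a rule that matches only traffic crossing between Outside and Inside) as an added PAN-OS CLI example. It is not from the page or the study guide; the zone names LAN, DMZ, Inside and Outside and the test addresses are assumed, and the # lines are annotations, not CLI input.

```text
configure
# DNS inside LAN and inside DMZ only. With rule-type intrazone the firewall
# matches a flow only when its source zone equals its destination zone, so a
# LAN -> DMZ flow never hits this rule even though both zones are listed.
# (A universal rule with the same from/to lists would also allow LAN -> DMZ.)
set rulebase security rules Allow-DNS-Intrazone from [ LAN DMZ ] to [ LAN DMZ ] source any destination any application dns service application-default action allow rule-type intrazone
# Match only traffic that crosses between Outside and Inside: rule-type
# interzone excludes flows whose source and destination zone are the same.
set rulebase security rules Deny-Inside-Outside from [ Outside Inside ] to [ Outside Inside ] source any destination any application any service any action deny rule-type interzone
commit
exit
# Verify with the policy-match tester. The first lookup should report
# Allow-DNS-Intrazone; the second must NOT, and falls through to whatever
# later rule or default rule applies.
test security-policy-match from LAN to LAN source 10.1.1.10 destination 10.1.1.53 protocol 17 destination-port 53 application dns
test security-policy-match from LAN to DMZ source 10.1.1.10 destination 10.2.2.53 protocol 17 destination-port 53 application dns
```

The two predefined rules at the bottom of the rulebase behave the same way: intrazone-default allows same-zone traffic and interzone-default denies cross-zone traffic, which is why an explicit interzone deny mainly matters when you want logging or a different action.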
Which option lists the attributes that are selectable when setting up an Application filters? A. Category, Subcategory, Technology, and Characteristic B. Category, Subcategory, Technology, Risk, and Characteristic C. Name, Category, Technology, Risk, and Characteristic D. Category, Subcategory, Risk, Standard Ports, and Technology
B - p. 118
Which URL profiling action does not generate a log entry when a user attempts to access that URL? A. Override B. Allow C. Block D. Continue
B - p. 151
In which profile should you configure the DNS Security feature? A. URL Filtering Profile B. Anti-Spyware Profile C. Zone Protection Profile D. Antivirus Profile
B - p. 157
After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration. Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this? A. Import named config snapshot B. Load named configuration snapshot C. Revert to running configuration D. Revert to last saved configuration
C - p. 23 (Revert to running configuration discards the candidate changes and reloads the running config; loading a named snapshot only helps if such a snapshot was saved)
What is the minimum frequency at which you can configure the firewall to check for new WildFire antivirus signatures? A. every 5 minutes B. every 1 minute C. every 24 hours D. every 30 minutes
B - p. 42
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping? A. Layer 2 B. Tap C. Layer 3 D. Virtual Wire
B - p. 48
Which license is required to use the Palo Alto Networks built-in IP address EDLs? A. DNS Security B. Threat Prevention C. WildFire D. SD-Wan
B - p. 95
Starting with PAN-OS version 9.1, which new type of object is supported for use within the user field of a security policy rule? A. local username B. dynamic user group C. remote username D. static user group
B - p. 96
Palo Alto Networks firewall architecture accelerates content inspection while minimizing latency using which two components? (Choose two.) A. Network Processing Engine B. Single Stream-based Engine C. Policy Engine D. Parallel Processing Hardware
B, D
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.) A. vulnerability protection profile applied to outbound security policies B. anti-spyware profile applied to outbound security policies C. antivirus profile applied to outbound security policies D. URL filtering profile applied to outbound security policies
B, D - p. 140-141
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.) A. GlobalProtect agent B. XML API C. User-ID Windows-based agent D. log forwarding auto-tagging
B,D - p. 124, 160 (a user gets a tag through the XML API or through log-forwarding auto-tagging; the Windows User-ID agent supplies IP-to-user mappings, not tags)
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone. Complete the two empty fields in the Security Policy rules that permits only this type of access. Choose two. A. Service = "any" B. Application = "Telnet" C. Service - "application-default" D. Application = "any"
B,C - p. 136
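The two App-ID rule questions above (SSH to all current and future cloud servers, and Telnet only to one DMZ server) as an added PAN-OS CLI example, not from the page or the study guide. The zone names USERS, OUTSIDE, internal and dmz, the server address and the object names are assumed; # lines are annotations, not CLI input.

```text
configure
# SSH to any cloud server: match the ssh App-ID, not a tcp/22 service object.
# service application-default confines ssh to its standard port, and the
# session is stateful, so no OUTSIDE -> USERS rule is needed for the replies.
set rulebase security rules Allow-SSH-Cloud from USERS to OUTSIDE source any destination any application ssh service application-default action allow
# Telnet only, from all internal users to one DMZ host.
set address DMZ-Server ip-netmask 10.2.2.10/32
set rulebase security rules Allow-Telnet-DMZ from internal to dmz source any destination DMZ-Server application telnet service application-default action allow
# The port-based alternative, shown only for contrast: with application any
# and a custom tcp/22 service, anything tunnelled over tcp/22 is allowed,
# and ssh on a non-standard port is not.
set service SERVICE-SSH protocol tcp port 22
set rulebase security rules Port-Based-SSH from USERS to OUTSIDE source any destination any application any service SERVICE-SSH action allow
delete rulebase security rules Port-Based-SSH
commit
```

If a server runs SSH on a non-standard port, keep the App-ID match and widen the service to a custom tcp object for that port rather than falling back to application any.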
An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out. Which two fields could help in determining if this is normal? (Choose two.) A. Packets sent/received B. IP Protocol C. Action D. Decrypted
A,B - (UDP and ICMP sessions normally end as aged-out because they have no close handshake; the packet counts show whether the flow actually carried data or the client simply never got a reply)
Which the app-ID application will you need to allow in your security policy to use facebook-chat? A. facebook-email B. facebook-base C. facebook D. facebook-chat
B,D -
An administrator is configuring a NAT rule. At a minimum, which three forms of information are required? (Choose three.) A. name B. source zone C. destination interface D. destination address E. destination zone
A,B,E - p. 133-134 (name, source zone and destination zone; destination address and interface default to any)
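A minimal pair of NAT rules, plus the security rule that has to go with the inbound one, as an added PAN-OS CLI example that is not from the page or the study guide. Zone names trust, untrust and dmz, the public address 203.0.113.10, the server address and ethernet1/1 as the outside interface are assumed; # lines are annotations, not CLI input.

```text
configure
# The only mandatory fields are the rule name, a source zone and a destination
# zone; source, destination and service default to any. NAT rules are matched
# top to bottom, first match wins.
set rulebase nat rules Outbound-PAT from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
# Zones in a NAT rule are evaluated on the pre-NAT packet. An inbound packet to
# the public address arrives in untrust and, before translation, is routed
# toward untrust, so a destination-NAT rule uses untrust on both sides.
set rulebase nat rules Web-DNAT from untrust to untrust source any destination 203.0.113.10 service service-http destination-translation translated-address 10.2.2.10
# The security rule is different: it matches the pre-NAT destination address
# but the post-NAT destination zone, because the server really sits in dmz.
set rulebase security rules Allow-Web-In from untrust to dmz source any destination 203.0.113.10 application web-browsing service application-default action allow
commit
exit
# Check which NAT rule a given packet would hit.
test nat-policy-match from untrust to untrust source 198.51.100.7 destination 203.0.113.10 protocol 6 destination-port 80
```

The zone mismatch between the NAT rule (untrust to untrust) and the security rule (untrust to dmz) is the most common reason an inbound DNAT "does not work"; the traffic log shows the post-NAT zones, which is the quickest way to confirm it.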
Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.) A. Layer 2 B. Virtual Wire C. Tap D. Layer 3 E. HA
A,B,D - p. 61 (Layer 2, Virtual Wire and Layer 3 are in the traffic path and can enforce policy; Tap only observes a copy, and HA is not a traffic interface type)
Which interface type can use virtual routers and routing protocols? A. Tap B. Layer3 C. Virtual Wire D. Layer2
B. - p. 56
Based on the screenshot, what is the purpose of the included groups? A. They are only groups visible based on the firewall's credentials. B. They are used to map usernames to group names. C. They contain only the users you allow to manage the firewall. D. They are groups that are imported from RADIUS authentication servers.
B. They are used to map usernames to group names.
Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH, web-browsing and SSL applications. Which policy achieves the desired results? A B C D
C
Which statement is true regarding a Best Practice Assessment? A. The BPA tool can be run only on firewalls B. It provides a percentage of adoption for each assessment area C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
B (the BPA heatmap reports percentage adoption per area and runs against firewall or Panorama configs; C and D describe the questionnaire-based Prevention Posture Assessment)
You need to allow users to access the office-suite application of their choice. How should you configure the firewall to allow access to any office-suite application? A. Create an Application Group and add Office 365, Evernote Google Docs and Libre Office B. Create an Application Group and add business-systems to it. C. Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory. D. Create an Application Filter and name it Office Programs then filter on the business-systems category.
C
When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access? A. 80 B. 443 C. 4443 D. 8443
C - 4443 (when the GlobalProtect portal or gateway takes TCP 443 on an interface, the management web UI on that interface moves to TCP 4443). Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS
How do you reset the hit count on a security policy rule? A. First disable and then re-enable the rule. B. Reboot the data-plane. C. Select a Security policy rule, and then select Hit Count > Reset. D. Type the CLI command reset hitcount <POLICY-NAME>.
C - p. 111-112
Which action results in the firewall blocking network traffic without notifying the sender? A. Deny B. No notification C. Drop D. Reset Client
C - p. 142
Which option is part of the content inspection process? A. IPsec tunnel encryption B. Packet egress process C. SSL Proxy re-encrypt D. Packet forwarding process
C - p. 146
An administrator would like to create a URL Filtering log entry when users browse to any gambling website. What combination of Security policy and Security profile actions is correct? A. Security policy = drop, Gambling category in URL profile = allow B. Security policy = deny. Gambling category in URL profile = block C. Security policy = allow, Gambling category in URL profile = alert D. Security policy = allow. Gambling category in URL profile = allow
C - p. 151
The CFO found a malware-infected USB drive in the parking lot which, when inserted, infected their corporate laptop; the malware contacted a known command-and-control server and exfiltrated corporate data. Which Security profile feature could have been used to prevent the communications with the command-and-control server? A. Create a Data Filtering Profile and enable its DNS sinkhole feature. B. Create an Antivirus Profile and enable its DNS sinkhole feature. C. Create an Anti-Spyware Profile and enable its DNS sinkhole feature. D. Create a URL Filtering Profile and block the DNS sinkhole URL category.
C - p. 158
What is a prerequisite before enabling an administrative account which relies on a local firewall user database? A. Configure an authentication policy B. Configure an authentication sequence C. Configure an authentication profile D. Isolate the management interface on a dedicated management VLAN
C - p. 23
What is the purpose of the automated commit recovery feature? A. It reverts the Panorama configuration. B. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama. C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change. D. It generates a config log after the Panorama configuration successfully reverts to the last running configuration.
C - p. 32
Which statement is true about Panorama managed devices? A. Panorama automatically removes local configuration locks after a commit from Panorama B. Local configuration locks prohibit Security policy changes for a Panorama managed device C. Security policy rules configured on local firewalls always take precedence D. Local configuration locks can be manually unlocked from Panorama
A - p. 35 (C is false: Panorama pre-rules are evaluated before local firewall rules and post-rules after them, so local rules do not always take precedence)
Which plane on a Palo alto networks firewall provides configuration logging and reporting functions on a separate processor? A. data B. network processing C. management D. security processing
C - p. 9
Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions? A. SAML B. Multi-Factor Authentication C. Role-based D. Dynamic
C - p.23
Which path is used to save and load a configuration with a Palo Alto Networks firewall? A. Device>Setup>Services B. Device>Setup>Management C. Device>Setup>Operations D. Device>Setup>Interfaces
C - p.26
Which administrator type utilizes predefined roles for a local administrator account? A. Superuser B. Role-based C. Dynamic D. Device administrator
C - p.88
The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other websites also listed in the URL filtering "gambling" category. Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the "gambling" URL category? A. Add just the URL www.powerball.com to a Security policy allow rule. B. Manually remove powerball.com from the gambling URL category. C. Add *.powerball.com to the URL Filtering allow list. D. Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.
D (C only applies to PAN-OS 8.x, where the URL Filtering profile still had an Allow List; from PAN-OS 9.0 the exception lives in a custom URL category that the profile allows)
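The PowerBall exception above, as an added PAN-OS CLI example (PAN-OS 9.0 or later; not from the page or the study guide). The profile and category names and the rule name Allow-Web-Out are assumed; # lines are annotations, not CLI input.

```text
configure
# A custom URL category holding only the exception.
set profiles custom-url-category Powerball-Exception type "URL List"
set profiles custom-url-category Powerball-Exception list [ www.powerball.com *.powerball.com ]
# In the URL Filtering profile the gambling category stays blocked and the
# custom category is allowed. A URL that matches both a custom category and a
# PAN-DB category gets the custom category's action, so only powerball.com
# escapes the block.
set profiles url-filtering Corp-URL block [ gambling ]
set profiles url-filtering Corp-URL allow [ Powerball-Exception ]
# Attach the profile to the outbound web rule (the profile does nothing until
# an allow rule references it).
set rulebase security rules Allow-Web-Out profile-setting profiles url-filtering Corp-URL
commit
exit
# See how the firewall categorises the site (PAN-DB category plus custom match).
test url www.powerball.com
```

Set the custom category to alert rather than allow if you want a URL Filtering log entry for every visit during the week; allow is the one action that produces no log.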
When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.) A. password profile B. access domain C. admin role D. server profile
C, D - p. 23
Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis Unit 42 research and data gathered from telemetry? A. Palo Alto Networks C&C IP Addresses B. Palo Alto Networks Bulletproof IP Addresses C. Palo Alto Networks High-Risk IP Addresses D. Palo Alto Networks Known Malicious IP Addresses
D
Which data flow direction is protected in a zero trust firewall deployment that is not protected in a perimeter-only firewall deployment? A. outbound B. north south C. inbound D. east west
D
What must be considered with regards to content updates deployed from Panorama? A. Content update schedulers need to be configured separately per device group. B. Panorama can only install up to five content versions of the same type for potential rollback scenarios. C. A PAN-OS upgrade resets all scheduler configurations for content updates. D. Panorama can only download one content update at a time for content updates of the same type.
D Source: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama
Which component is a building block in a Security policy rule? A. decryption profile B. destination interface C. timeout (min) D. application
D -
Which tab would an administrator click to create an address object? A. Device B. Policies C. Monitor D. Objects
D - duh
An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released. Which object should the administrator use as a match condition in the Security policy? A. the Content Delivery Networks URL category B. the Online Storage and Backup URL category C. an application group containing all of the file-sharing App-IDs reported in the traffic logs D. an application filter for applications whose subcategory is file-sharing
D - p. 108
What is the main function of the Test Policy Match function? A. verify that policy rules from Expedition are valid B. confirm that rules meet or exceed the Best Practice Assessment recommendations C. confirm that policy rules in the configuration are allowing/denying the correct traffic D. ensure that policy rules are not shadowing other policy rules
C - p. 114 (Test Policy Match shows which rule a described packet would hit; shadowed rules are reported at commit time, not by this tool)
What action will inform end users when their access to Internet content is being restricted? A. Create a custom 'URL Category' object with notifications enabled. B. Publish monitoring data for Security policy deny logs. C. Ensure that the 'site access" setting for all URL sites is set to 'alert'. D. Enable 'Response Pages' on the interface providing Internet access.
D - p. 13
Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided password? A. exclude B. continue C. hold D. override
D - p. 151-152
Identify the correct order to configure the PAN-OS integrated USER-ID agent. 3. add the service account to monitor the server(s) 2. define the address of the servers to be monitored on the firewall 4. commit the configuration, and verify agent connection status 1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent A. 2-3-4-1 B. 1-4-3-2 C. 3-1-2-4 D. 1-3-2-4
D - p. 160
Which solution is a viable option to capture user identification when Active Directory is not in use? A. Cloud Identity Engine B. group mapping C. Directory Sync Service D. Authentication Portal
D - p. 21
Which information is included in device state other than the local configuration? A. uncommitted changes B. audit logs to provide information of administrative account changes C. system logs to provide information of PAN-OS changes D. device group and template settings pushed from Panorama
D - p. 28
Which license must an administrator acquire prior to downloading Antivirus updates for use with the firewall? A. URL filtering B. Antivirus C. WildFire D. Threat Prevention
D - p. 41
What is the minimum timeframe that can be set on the firewall to check for new WildFire signatures? A. every 30 minutes B. every 5 minutes C. once every 24 hours D. every 1 minute
D - p. 42
The Palo Alto Networks NGFW was configured with a single virtual router named VR-1 What changes are required on VR-1 to route traffic between two interfaces on the NGFW? A. Add zones attached to interfaces to the virtual router B. Add interfaces to the virtual router C. Enable the redistribution profile to redistribute connected routes D. Add a static routes to route between the two interfaces
B - p. 68 (an interface added to the virtual router contributes its subnet as a connected route automatically, so no static route is needed to route between two directly attached interfaces)
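The virtual-router question above as an added PAN-OS CLI example, not from the page or the study guide. The interface names, the ISP next hop 203.0.113.1 and the route name are assumed; # lines are annotations, not CLI input.

```text
configure
# Put both Layer 3 interfaces in VR-1. Each interface's subnet appears as a
# connected route the moment it is in the VR, so traffic between the two
# interfaces routes without any static route.
set network virtual-router VR-1 interface [ ethernet1/1 ethernet1/2 ]
# A static route is only needed for networks the firewall is not directly
# attached to, e.g. a default route toward the ISP.
set network virtual-router VR-1 routing-table ip static-route Default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/1
commit
exit
# Flags column: C = connected (came from the interfaces), S = static.
show routing route virtual-router VR-1
# Confirm the forwarding decision for a host behind ethernet1/2.
test routing fib-lookup virtual-router VR-1 ip 10.1.2.10
```

Interfaces still need a zone before the traffic is allowed through; routing decides the egress interface, and the zones of ingress and egress interface are what the security policy is evaluated against.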
The compliance officer requests that all evasive applications be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones: 1. trust for internal networks, 2. untrust to the internet. Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.) A. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application B. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application. C. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic. D. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic
C, D (evasive is an application characteristic, not an App-ID name, so it can only be matched through an application filter)
Match the network device with the correct User-ID technology.
Linux authentication server - Syslog
Citrix client - Terminal Services agent
Microsoft domain controller - server monitoring
Windows clients - client probing