Free preview mode
Enjoy the free questions and consider upgrading to gain full access!
PCNSA
Free trial
Verified
Question 26
How are Application Filters or Application Groups used in firewall policy?
- A: An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.
- B: An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.
- C: An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.
- D: An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.
Question 27
Which tab would an administrator click to create an address object?
- A: Objects
- B: Monitor
- C: Device
- D: Policies
Question 28
An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?
- A: Enable Log at Session Start
- B: Disable all logging
- C: Enable Log at both Session Start and End
- D: Enable Log at Session End
Question 29
Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)
- A: QoS profile
- B: DoS Protection profile
- C: Zone Protection profile
- D: DoS Protection policy
Question 30
An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.
What is the correct process to enable this logging?
- A: Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.
- B: Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.
- C: Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.
- D: This rule has traffic logging enabled by default; no further action is required.
Question 31
The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.
What changes are required on VR-1 to route traffic between two interfaces on the NGFW?
- A: Add static routes to route between the two interfaces
- B: Add interfaces to the virtual router
- C: Add zones attached to interfaces to the virtual router
- D: Enable the redistribution profile to redistribute connected routes
Question 32
An administrator wants to prevent users from submitting corporate credentials in a phishing attack.
Which Security profile should be applied?
- A: antivirus
- B: anti-spyware
- C: URL-filtering
- D: vulnerability protection
Question 33
Which two rule types allow the administrator to modify the destination zone? (Choose two.)
- A: interzone
- B: shadowed
- C: intrazone
- D: universal
Question 34
Which statement is true regarding a Best Practice Assessment?
- A: The BPA tool can be run only on firewalls
- B: It provides a percentage of adoption for each assessment area
- C: The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
- D: It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
Question 35
What is the main function of Policy Optimizer?
- A: reduce load on the management plane by highlighting combinable security rules
- B: migrate other firewall vendors' security rules to Palo Alto Networks configuration
- C: eliminate ג€Log at Session Startג€ security rules
- D: convert port-based security rules to application-based security rules
Question 36
Based on the screenshot, what is the purpose of the group in User labelled it?
- A: Allows ג€anyג€ users to access servers in the DMZ zone.
- B: Allows users to access IT applications on all ports.
- C: Allow users in group ג€itג€ to access IT applications.
- D: Allow users in group ג€DMZג€ to access IT applications.
Question 37
Which action results in the firewall blocking network traffic without notifying the sender?
- A: Drop
- B: Deny
- C: No notification
- D: Reset Client
Question 38
Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic.
Which statement accurately describes how the firewall will apply an action to matching traffic?
- A: If it is a block rule, then Security Profile action is applied last.
- B: If it is an allow rule, then the Security policy rule is applied last.
- C: If it is a block rule, then the Security policy rule action is applied last.
- D: If it is an allowed rule, then the Security Profile action is applied last.
Question 39
Which Security profile can you apply to protect against malware such as worms and Trojans?
- A: antivirus
- B: data filtering
- C: vulnerability protection
- D: anti-spyware
Question 40
Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH, web-browsing and SSL applications.
Which policy achieves the desired results?
A.
B.
C.
D.
Question 41
Which license is required to use the Palo Alto Networks built-in IP address EDLs?
- A: DNS Security
- B: Threat Prevention
- C: WildFire
- D: SD-Wan
Question 42
Which statement is true about Panorama managed devices?
- A: Panorama automatically removes local configuration locks after a commit from Panorama.
- B: Local configuration locks prohibit Security policy changes for a Panorama managed device.
- C: Security policy rules configured on local firewalls always take precedence.
- D: Local configuration locks can be manually unlocked from Panorama.
Question 43
A Security Profile can block or allow traffic at which point?
- A: on either the data plane or the management plane
- B: after it is matched to a Security policy rule that allows or blocks traffic
- C: after it is matched to a Security policy rule that allows traffic
- D: before it is matched to a Security policy rule
Question 44
DRAG DROP -
Place the following steps in the packet processing order of operations from first to last.
Select and Place:
Question 45
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?
- A: intrazone-default
- B: Deny Google
- C: allowed-security services
- D: interzone-default
Question 46
Which type of address object is 10.5.1.1/0.127.248.2?
- A: IP netmask
- B: IP subnet
- C: IP wildcard mask
- D: IP range
Question 47
Which component is a building block in a Security policy rule?
- A: decryption profile
- B: destination interface
- C: timeout (min)
- D: application
Question 48
You have been tasked to configure access to a new web server located in the DMZ.
Based on the diagram what configuration changes are required in the NGFW virtual router to route traffic from the 10.1.1.0/24 network to 192.168.1.0/24?
- A: Add a route with the destination of 192.168.1.0/24 using interface Eth 1/2 with a next-hop of 172.16.1.2.
- B: Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.10
- C: Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 172.16.1.2.
- D: Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.254.
Question 49
An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.
Which security policy action causes this?
- A: Reset server
- B: Reset both
- C: Deny
- D: Drop
Question 50
Selecting the option to revert firewall changes will replace what settings?
- A: the candidate configuration with settings from the running configuration
- B: dynamic update scheduler settings
- C: the running configuration with settings from the candidate configuration
- D: the device state with settings from another configuration
Free preview mode
Enjoy the free questions and consider upgrading to gain full access!