Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

PCNSAFree trial

By palo-alto-networks

Verified

25Q per page

Question 51

An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop.
If the application's default deny action is reset-both, what action does the firewall take?

A: It silently drops the traffic.
B: It silently drops the traffic and sends an ICMP unreachable code.
C: It sends a TCP reset to the server-side device.
D: It sends a TCP reset to the client-side and server-side devices.

—

Question 52

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)

A: SAML 2.0
B: Kerberos
C: TACACS
D: TACACS+
E: SAML 1.0

—

Question 53

Which objects would be useful for combining several services that are often defined together?

A: application filters
B: service groups
C: shared service objects
D: application groups

—

Question 54

Given the screenshot, what two types of route is the administrator configuring? (Choose two.)

A: BGP
B: static route
C: default route
D: OSPF

—

Question 55

Which rule type is appropriate for matching traffic both within and between the source and destination zones?

A: interzone
B: shadowed
C: intrazone
D: universal

—

Question 56

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A: on either the data place or the management plane.
B: after it is matched by a security policy rule that allows traffic.
C: before it is matched to a Security policy rule.
D: after it is matched by a security policy rule that allows or blocks traffic.

—

Question 57

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the ICMP code
communication with the destination is administratively prohibited.
Which security policy action causes this?

A: Drop
B: Drop, send ICMP Unreachable
C: Reset both
D: Reset server

—

Question 58

You receive notification about new malware that infects hosts through malicious files transferred by FTP.
Which Security profile detects and protects your internal networks from this threat after you update your firewall's threat signature database?

A: URL Filtering profile applied to inbound Security policy rules.
B: Data Filtering profile applied to outbound Security policy rules.
C: Antivirus profile applied to inbound Security policy rules.
D: Vulnerability Protection profile applied to outbound Security policy rules.

—

Question 59

An administrator wants to prevent access to media content websites that are risky.
Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

A: recreation-and-hobbies
B: streaming-media
C: known-risk
D: high-risk

—

Question 60

Which dynamic update type includes updated anti-spyware signatures?

A: PAN-DB
B: Applications and Threats
C: GlobalProtect Data File
D: Antivirus

—

Question 61

An administrator would like to silently drop traffic from the internet to a ftp server.
Which Security policy action should the administrator select?

A: Drop
B: Deny
C: Block
D: Reset-server

—

Question 62

Which object would an administrator create to block access to all high-risk applications?

A: HIP profile
B: Vulnerability Protection profile
C: application group
D: application filter

—

Question 63

Which option is part of the content inspection process?

A: Packet forwarding process
B: IPsec tunnel encryption
C: SSL Proxy re-encrypt
D: Packet egress process

—

Question 64

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

A: Disable automatic updates during weekdays
B: Automatically ג€download and installג€ but with the ג€disable new applicationsג€ option used
C: Automatically ג€download onlyג€ and then install Applications and Threats later, after the administrator approves the update
D: Configure the option for ג€Thresholdג€

—

Question 65

What must be considered with regards to content updates deployed from Panorama?

A: Content update schedulers need to be configured separately per device group.
B: Panorama can only install up to five content versions of the same type for potential rollback scenarios.
C: A PAN-OS upgrade resets all scheduler configurations for content updates.
D: Panorama can only download one content update at a time for content updates of the same type.

—

Question 66

During the packet flow process, which two processes are performed in application identification? (Choose two.)

A: pattern based application identification
B: application override policy match
C: session application identified
D: application changed from content inspection

—

Question 67

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

A: Translation Type
B: Interface
C: Address Type
D: IP Address

—

Question 68

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

A: Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
B: Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
C: Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
D: Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

—

Question 69

What does an administrator use to validate whether a session is matching an expected NAT policy?

A: system log
B: test command
C: threat log
D: config audit

—

Question 70

What is the purpose of the automated commit recovery feature?

A: It reverts the Panorama configuration.
B: It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.
C: It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.
D: It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

—

Question 71

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

A: by minute
B: hourly
C: daily
D: weekly

—

Question 72

DRAG DROP -
Place the steps in the correct packet-processing order of operations.
Select and Place:

—

Question 73

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP
Addresses list?

A: destination address
B: source address
C: destination zone
D: source zone

—

Question 74

URL categories can be used as match criteria on which two policy types? (Choose two.)

A: authentication
B: decryption
C: application override
D: NAT

—

Question 75

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

A: The web session was unsuccessfully decrypted.
B: The traffic was denied by security profile.
C: The traffic was denied by URL filtering.
D: The web session was decrypted.

—

Page 3 of 17 • Questions 51-75 of 414

←

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!