Latest PCNSA Exam Dumps [2022] For Passing Palo Alto Networks Certified Network Security Administrator Exam

1. DRAG DROP

Match the Palo Alto Networks Security Operating Platform architecture to its description.

2. Which firewall plane provides configuration, logging, and reporting functions on a separate processor?

3. A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.

On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.

Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

4. How many zones can an interface be assigned with a Palo Alto Networks firewall?

5. Which two configuration settings shown are not the default? (Choose two.)

6. Which data-plane processor layer of the graphic shown provides uniform matching for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

7. Which option lists the attributes that are selectable when setting up an Application filters?

8. Actions can be set for which two items in a URL filtering security profile? (Choose two.)

9. DRAG DROP

Match the Cyber-Attack Lifecycle stage to its correct description.

10. Which two statements are correct about App-ID content updates? (Choose two.)

11. Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

12. An administrator needs to allow users to use their own office applications.

How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

13. Which statement is true regarding a Best Practice Assessment?

14. The firewall sends employees an application block page when they try to access Youtube.

Which Security policy rule is blocking the youtube application?

15. Complete the statement. A security profile can block or allow traffic____________

16. When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

17. Which interface does not require a MAC or IP address?

18. A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago.

Which utility should the company use to identify out-of-date or unused rules on the firewall?

19. DRAG DROP

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.

20. What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

21. Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

22. Which two App-ID applications will need to be allowed to use Facebook-chat? (Choose two.)

23. Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

24. Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP Cto-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.

Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

25. An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.

Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)

26. In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?

27. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

28. Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.

Complete the security policy to ensure only Telnet is allowed.

Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow

29. Based on the security policy rules shown, ssh will be allowed on which port?

30. Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

31. An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity.

Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?

32. Given the topology, which zone type should zone A and zone B to be configured with?

33. To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?

34. Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

35. Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

36. Which administrator type utilizes predefined roles for a local administrator account?

37. Which two security profile types can be attached to a security policy? (Choose two.)

38. The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

39. Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

40. What are three differences between security policies and security profiles? (Choose three.)

41. Given the image, which two options are true about the Security policy rules. (Choose two.)

42. Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?

43. Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?

44. Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)

45. Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.

46. Which file is used to save the running configuration with a Palo Alto Networks firewall?

47. In the example security policy shown, which two websites fcked? (Choose two.)

48. Which two Palo Alto Networks security management tools provide a consolidated creation of policies, centralized management and centralized threat intelligence. (Choose two.)

49. Which statement is true regarding a Prevention Posture Assessment?

50. Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

51. The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.

Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

52. Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

53. Which administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.

Which security profile components will detect and prevent this threat after the firewall`s signature database has been updated?

54. Which update option is not available to administrators?

55. A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone.

What configuration-changes should the Firewall-admin make?

56. How often does WildFire release dynamic updates?

57. What is the minimum timeframe that can be set on the firewall to check for new WildFire signatures?

58. A network has 10 domain controllers, multiple WAN links, and a network infrastructure with bandwidth needed to support mission-critical applications.

Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

59. DRAG DROP

Arrange the correct order that the URL classifications are processed within the system.

60. What must be configured for the firewall to access multiple authentication profiles for external services to authenticate a non-local account?

61. Which prevention technique will prevent attacks based on packet count?

62. Which interface type can use virtual routers and routing protocols?

63. Which URL profiling action does not generate a log entry when a user attempts to access that URL?

64. An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

65. Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s source and destination IP address?

66. Which path in PAN-OS 10.0 displays the list of port-based security policy rules?

67. Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

68. Which path is used to save and load a configuration with a Palo Alto Networks firewall?

69. DRAG DROP

Match the network device with the correct User-ID technology.

70. Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

71. How is the hit count reset on a rule?

72. Given the topology, which zone type should interface E1/1 be configured with?

73. Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

74. Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

75. Based on the show security policy rule would match all FTP traffic from the inside zone to the outside zone?

76. Which the app-ID application will you need to allow in your security policy to use facebook-chat?

77. Which type security policy rule would match traffic flowing between the inside zone and outside zone within the inside zone and within the outside zone?

78. Based on the screenshot presented which column contains the link that when clicked opens a window to display all applications matched to the policy rule?

79. In a security policy what is the quickest way to rest all policy rule hit counters to zero?

80. What in the minimum frequency for which you can configure the firewall too check for new wildfire antivirus signatures?