Palo Alto Networks PCNSA Exam Dumps Updated (V16.02) Good Tip To Pass Exam

1. Which statement best describes the use of Policy Optimizer?

2. Which option lists the attributes that are selectable when setting up an Application filters?

3. Complete the statement. A security profile can block or allow traffic____________

4. When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

5. An administrator would like to determine the default deny action for the application dns-over-https

Which action would yield the information?

6. In which profile should you configure the DNS Security feature?

7. Which interface does not require a MAC or IP address?

8. Which information is included in device state other than the local configuration?

9. A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago .

Which utility should the company use to identify out-of-date or unused rules on the firewall?

10. What is considered best practice with regards to committing configuration changes?

11. An administrator wishes to follow best practices for logging traffic that traverses the firewall

Which log setting is correct?

12. Which objects would be useful for combining several services that are often defined together?

13. Which two configuration settings shown are not the default? (Choose two.)

14. Given the detailed log information above, what was the result of the firewall traffic inspection?

15. How do you reset the hit count on a security policy rule?

16. Which administrator type utilizes predefined roles for a local administrator account?

17. The firewall sends employees an application block page when they try to access Youtube.

Which Security policy rule is blocking the youtube application?

18. A network administrator is required to use a dynamic routing protocol for network connectivity.

Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)

19. An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

20. Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

21. The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

22. CORRECT TEXT

Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

23. Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

24. Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

25. Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

26. Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

27. Which statement is true about Panorama managed devices?

28. An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

29. DRAG DROP

Match the cyber-attack lifecycle stage to its correct description.

30. What is the main function of the Test Policy Match function?

31. An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address .

What is the most appropriate NAT policy to achieve this?

32. If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

33. Your company occupies one floor in a single building you have two active directory domain controllers on a single networks the firewall s management plane is only slightly utilized.

Which user-ID agent sufficient in your network?

34. Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?

35. DRAG DROP

Match each rule type with its example

36. Which type of address object is www.paloaltonetworks.com?

37. Given the image, which two options are true about the Security policy rules. (Choose two.)

38. Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

39. Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)

40. Which the app-ID application will you need to allow in your security policy to use facebook-chat?

41. DRAG DROP

Place the following steps in the packet processing order of operations from first to last.

42. Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

43. Which license must an administrator acquire prior to downloading Antivirus updates for use with the firewall?

44. Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

45. Which statement is true regarding a Prevention Posture Assessment?

46. What are two valid selections within an Antivirus profile? (Choose two.)

47. Access to which feature requires the PAN-OS Filtering license?

48. Which interface type can use virtual routers and routing protocols?

49. An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity.

Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?

50. An administrator is reviewing another administrator s Security policy log settings

Which log setting configuration is consistent with best practices tor normal traffic?

51. Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location .

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

52. Which type of address object is "10 5 1 1/0 127 248 2"?

53. Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

54. Which dynamic update type includes updated anti-spyware signatures?

55. A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone .

What configuration-changes should the Firewall-admin make?

56. DRAG DROP

Match the network device with the correct User-ID technology.

57. Given the topology, which zone type should zone A and zone B to be configured with?

58. You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

59. Which Palo Alto network security operating platform component provides consolidated policy creation and centralized management?

60. How is the hit count reset on a rule?

61. What must be configured before setting up Credential Phishing Prevention?

62. URL categories can be used as match criteria on which two policy types? (Choose two.)

63. untrust to the internet

Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two)

64. Which administrative management services can be configured to access a management interface?

65. Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)

66. DRAG DROP

Match the Cyber-Attack Lifecycle stage to its correct description.

67. Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

68. How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

69. What must be considered with regards to content updates deployed from Panorama?

70. An administrator would like to see the traffic that matches the interzone-default rule in the

traffic logs.

What is the correct process to enable this logging1?

71. What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

72. View the diagram.

What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into both the DMZ and Untrust/lnternet zones from each of the lOT/Guest and Trust Zones?

A)

B)

C)

D)

73. Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?

74. DRAG DROP

Place the steps in the correct packet-processing order of operations.

75. What is the correct process tor creating a custom URL category?

76. A network has 10 domain controllers, multiple WAN links, and a network infrastructure with bandwidth needed to support mission-critical applications.

Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

77. Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

78. What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?

79. An administrator has configured a Security policy where the matching condition includes a single application and the action is deny

If the application s default deny action is reset-both what action does the firewall take*?

80. How are Application Fillers or Application Groups used in firewall policy?

81. In a security policy what is the quickest way to rest all policy rule hit counters to zero?

82. At which point in the app-ID update process can you determine if an existing policy rule is affected by an app-ID update?

83. The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.

Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

84. You receive notification about a new malware that infects hosts An infection results in the infected host attempting to contact a command-and-control server.

Which Security Profile when applied to outbound Security policy rules detects and prevents this threat from establishing a command-and-control connection?

85. Which data flow direction is protected in a zero trust firewall deployment that is not protected in a perimeter-only firewall deployment?

86. Which three configuration settings are required on a Palo Alto networks firewall management interface?

87. What allows a security administrator to preview the Security policy rules that match new application signatures?

88. An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.

What should the administrator do?

89. In the example security policy shown, which two websites fcked? (Choose two.)

90. An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets .

What are two security policy actions the administrator can select? (Choose two.)