TEST F PCNSA
Title of test: TEST F PCNSA
Description: Palo Alto Networks Certified Network Security Administrator (PCNSA)




What are three DNS policy actions? (Choose three.)
- Block
- Allow
- Alert
- Sinkhole
- Strict

Which System log severity level would be displayed as a result of a user password change?
- Low
- Medium
- High
- Critical

An administrator would like to block traffic to all high risk audio streaming applications, including new App-IDs introduced with content updates. Which filter should the administrator configure in the application filter object?
- The category is media, and the characteristic includes Evasive.
- The subcategory is audio-streaming, and the risk is 1.
- The subcategory is audio-streaming, and the risk is 5.
- The category is media, and the tag is high risk.

An administrator receives a notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application. Which Security Profile will detect and block access to this threat after the administrator updates the firewall's threat signature database?
- Vulnerability Profile applied to inbound Security policy rules
- Antivirus Profile applied to outbound Security policy rules
- Data Filtering Profile applied to outbound Security policy rules
- Data Filtering Profile applied to inbound Security policy rules

The NetSec Manager asked to create a new firewall Local Administrator profile with customized privileges named New_Admin. This new administrator has to authenticate without inserting any username or password to access the WebUI. What steps should the administrator follow to create the New_Admin Administrator profile?
- 1. Set the Authentication profile to Local. 2. Select the "Use only client certificate authentication" check box. 3. Set Role to Role Based.
- 1. Select the "Use only client certificate authentication" check box. 2. Set Role to Dynamic. 3. Issue to the Client a Certificate with Certificate Name = New Admin.
- 1. Select the "Use only client certificate authentication" check box. 2. Set Role to Dynamic. 3. Issue to the Client a Certificate with Common Name = New_Admin.
- 1. Select the "Use only client certificate authentication" check box. 2. Set Role to Role Based. 3. Issue to the Client a Certificate with Common Name = New Admin.

Which Security profile prevents users from submitting valid corporate credentials online?
- WildFire
- URL filtering
- Advanced threat prevention
- SSL decryption

Which two statements apply to an Advanced Threat Prevention subscription? (Choose two.)
- It contains all the features already in a Threat Prevention subscription.
- It provides the ability to identify evasive and previously unseen command-and-control (C2) threats.
- When it is active, a WildFire profile is no longer needed.
- Due to its more advanced signatures, it provides the ability to identify new threats.

With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability security profile?
- Vulnerability Exceptions
- Advanced Rules
- Inline Cloud Analysis
- WildFire Inline ML

Drag the steps into the correct order to create a static route.
- Enter the IP address for the specific next hop.
- Add an IPv4 or IPv6 route by name.
- Specify the outgoing interface for packets to use to go to the next hop.
- Enter the route and netmask.

What are the two ways to implement an exception to an external dynamic list? (Choose two.)
- Edit the external dynamic list by removing the entries to exclude.
- Select the entries to exclude from the List Entries list.
- Manually add an entry to the Manual Exceptions list.
- Edit the external dynamic list by adding the "-" symbol before the entries to exclude.

An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ or Untrust zones. The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where the source and destination zones are VPN. Which Security policy rule type should they use?
- Interzone
- Universal
- Intrazone
- Default

An administrator is reviewing the Security policy rules shown in the screenshot. Why are the two fields in the Security policy EDL-Deny highlighted in red?
- Because antivirus inspection is enabled for this policy.
- Because the destination zone, address, and device are all "any".
- Because the action is Deny.
- Because the Security-EDL tag has been assigned the red color.

What are two differences between an application group and an application filter? (Choose two.)
- Application groups enable access to sanctioned applications explicitly, while application filters enable access to sanctioned applications implicitly.
- Application groups are static, while application filters are dynamic.
- Application groups dynamically group applications based on attributes, while application filters contain applications that are statically grouped.
- Application groups can be added to application filters, while application filters cannot be added to application groups.

An administrator reads through the following Applications and Threats Content Release Notes before an update.
- a.
- b.
- c.
- d.

Which two events can be found in data-filtering logs? (Choose two.)
- Specific users attempting to authenticate.
- Sensitive information attempting to exit the network.
- An unsuccessful attempt to establish a TLS session.
- A download attempt of a blocked file type.

Which statement applies to the Intrazone Security policy rule?
- The traffic within the same security zone will not be allowed.
- It requires a Zone Protection profile to be applied.
- It applies regardless of whether it is from the same security zone or a different one.
- It applies to all matching traffic within the specified source security zones.

Review the screenshot below. Which statement is correct about the information it contains?
- Highlight Unused Rules is checked.
- Tunnel Traffic has the High Risk tag applied.
- There are six Security policy rules on this firewall.
- View Rulebase as Groups is checked.

An administrator wants to enable users to access retail websites that are considered minimum risk. Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)
- e-commerce
- known-good
- shopping
- low-risk

What are three advantages of user-to-group mapping? (Choose three.)
- It does not require additional objects to be configured.
- It does not require a Server profile.
- It simplifies user administration.
- It automatically adds new users to the appropriate group.
- It allows an administrator to write more granular policies.

Which situation is recorded as a system log?
- A connection with an authentication server has been dropped.
- A file that has been analyzed is potentially dangerous for the system.
- An attempt to access a spoofed website has been blocked.
- A new asset has been discovered on the network.

Within an Anti-Spyware security profile, which tab is used to enable machine learning based engines?
- Signature Policies
- Signature Exceptions
- Machine Learning Policies
- Inline Cloud Analysis

Which two statements correctly describe how pre-rules and local device rules are viewed and modified? (Choose two.)
- Pre-rules can be modified by the local administrator or by a Panorama administrator who has switched to a local firewall.
- Pre-rules and local device rules can be modified in Panorama.
- Pre-rules can be viewed on managed firewalls.
- Pre-rules are modified in Panorama only, and local device rules are modified on local firewalls only.

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication Sequence SYS01," and the authentication sequence SYS01 has a profile list with four authentication profiles:
• Auth Profile LDAP
• Auth Profile Radius
• Auth Profile Local
• Auth Profile TACACS
After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "SYS01 Admin" username and password. What is the "SYS01 Admin" login capability after the outage?
- Auth KO because RADIUS server lost user and password for SYS01 Admin.
- Auth OK because of the Auth Profile TACACS.
- Auth OK because of the Auth Profile Local.
- Auth KO because LDAP server is not reachable.

Which three types of Source NAT are available to users inside a NGFW? (Choose three.)
- Dynamic IP and Port (DIPP)
- Dynamic IP
- Static IP and Port (SIPP)
- Static IP
- Static Port

What are the two main reasons a custom application is created? (Choose two.)
- To change the default categorization of an application.
- To visually group similar applications.
- To correctly identify an internal application in the traffic log.
- To reduce unidentified traffic on a network.

By default, what is the maximum number of templates that can be added to a template stack?
- 6
- 8
- 10
- 12

What does rule shadowing in Security policies do?
- It shows rules with the same Source Zones and Destination Zones.
- It indicates that a broader rule matching the criteria is configured above a more specific rule.
- It indicates rules with App-ID that are not configured as port-based.
- It shows rules that are missing Security profile configurations.

Which two types of profiles are needed to create an authentication sequence? (Choose two.)
- Security profile
- Authentication profile
- Server profile
- Interface Management profile

Which order of steps is the correct way to create a static route?
- 1) Enter the route and netmask 2) Specify the outgoing interface for packets to use to go to the next hop 3) Enter the IP address for the specific next hop 4) Add an IPv4 or IPv6 route by name.
- 1) Enter the IP address for the specific next hop 2) Add an IPv4 or IPv6 route by name 3) Enter the route and netmask 4) Specify the outgoing interface for packets to use to go to the next hop.
- 1) Enter the route and netmask 2) Enter the IP address for the specific next hop 3) Specify the outgoing interface for packets to use to go to the next hop 4) Add an IPv4 or IPv6 route by name.
- 1) Enter the IP address for the specific next hop 2) Enter the route and netmask 3) Add an IPv4 or IPv6 route by name 4) Specify the outgoing interface for packets to use to go to the next.

Which two actions are needed for an administrator to get real-time WildFire signatures? (Choose two.)
- Enable Dynamic Updates.
- Obtain a Threat Prevention subscription.
- Obtain a WildFire subscription.
- Move within the WildFire public cloud region.

Which two features implement one-to-one translation of a source IP address while allowing the source port to change? (Choose two.)
- Dynamic IP
- Dynamic IP and Port (DIPP)
- Static IP
- Dynamic IP / Port Fallback

What are three ways application characteristics are used? (Choose three.)
- As a setting to define a new custom application.
- As a global filter in the Application Command Center (ACC).
- As an attribute to define an application group.
- As an object to define Security policies.
- As an attribute to define an application filter.

In which two Security Profiles can an action equal to the block IP feature be configured? (Choose two.)
- Antivirus
- URL Filtering
- Vulnerability Protection
- Anti-spyware

When is an event displayed under threat logs?
- When traffic matches a corresponding Security Profile.
- When traffic matches any Security policy.
- Every time a session is blocked.
- Every time the firewall drops a connection.

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?
- Network
- Policies
- Objects
- Device

Which profile should be used to obtain a verdict regarding analyzed files?
- Advanced threat prevention
- Vulnerability profile
- WildFire analysis
- Content-ID

In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)
- Objects tab > Applications
- Objects tab > Application Groups
- Objects tab > Application Filters
- ACC tab > Global Filters
- Policies tab > Security

Where within the firewall GUI can an administrator create a local user database?
- Device > Local User Database > Guests
- Device > Local User Database > End Users
- Device > Local User Database > Admins
- Device > Local User Database > Users

How are service routes used in PAN-OS?
- By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered in the network.
- To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks external services.
- For routing, because they are the shortest path selected by the BGP routing protocol.
- To route management plane services through data interfaces rather than the management interface.

How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?
- Select the unified log entry in the side menu.
- Modify the number of columns visible on the page.
- Modify the number of logs visible on each page.
- Select the system logs entry in the side menu.

Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate username and the associated password?
- Group Mapping
- Domain Credential
- Valid Username Detected Log Severity
- IP User

Which step is mandatory to create a static route in PAN-OS?
- Apply the autonomous system number.
- Specify the outgoing interface.
- Select the dynamic routing protocol.
- Select the virtual router.

Which security profile should be used to classify malicious web content?
- URL Filtering
- Web Content
- Antivirus
- Vulnerability Protection

A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition, the configuration was not saved prior to making the changes. Which action will allow the administrator to undo the changes?
- Revert to running configuration.
- Load named configuration snapshot, and choose the first item on the list.
- Revert to last saved configuration.
- Load configuration version, and choose the first item on the list.

An administrator is implementing an exception to an external dynamic list by adding an entry to the list manually. The administrator wants to save the changes, but the OK button is grayed out. What are two possible reasons the OK button is grayed out? (Choose two.)
- The entry matches a list entry.
- The entry doesn't match a list entry.
- The entry contains wildcards.
- The entry is duplicated.

Which three Ethernet interface types are configurable on the Palo Alto Networks firewall? (Choose three.)
- Static
- Tap
- Dynamic
- Layer 3
- Virtual Wire

A network security manager is asked to save a configuration to be used after a firewall reboot. When the configuration is ready, how should it be saved so that the changes are not lost?
- Save named configuration snapshot.
- Load named configuration snapshot.
- Revert to last saved configuration.
- Save candidate configuration.

Which action should be taken to identify threats that have been detected by using inline cloud analysis?
- Filter Threat logs by Type.
- Filter Threat logs by Application.
- Filter Threat logs by Action.
- Filter Threat logs by Threat Category.

What are three valid source or destination conditions available as Security policy qualifiers? (Choose three.)
- Zone
- Service
- User
- Application
- Address

Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?
- Device > Dynamic Updates > Review App-IDs
- Objects > Dynamic Updates > Review App-IDs
- Objects > Dynamic Updates > Review Policies
- Device > Dynamic Updates > Review Policies

What are three configurable interface types for a data-plane ethernet interface? (Choose three.)
- VWire
- Layer 2
- Management
- HSCI
- Layer 3

An administrator wants to enable access to www.paloaltonetworks.com while denying access to all other sites in the same category. Which object should the administrator create to use as a match condition for the security policy rule that allows access to www.paloaltonetworks.com?
- Service
- Address
- URL category
- Application group

Which Security profile should be applied in order to protect against illegal code execution?
- Vulnerability Protection profile on allowed traffic
- Vulnerability Protection profile on denied traffic
- Antivirus profile on denied traffic
- Antivirus profile on allowed traffic

Which CLI command will help confirm if FQDN objects are resolved in the event there is a shadow rule?
- >request show system fqdn
- >show system fqdn
- >request fqdn show system
- >request system fqdn show

An administrator should filter NGFW traffic logs by which attribute column to determine if the entry is for the start or end of the session?
- Source
- Type
- Receive Time
- Destination

What is a default setting for NAT Translated Packets when the destination NAT translation is selected as Dynamic IP (with session distribution)?
- IP Hash
- Round Robin
- Least Sessions
- Source IP Hash

Which two options does the firewall use to dynamically populate address group members? (Choose two.)
- Tag-based filters
- MAC Addresses
- IP Addresses
- Tags

Which feature enables an administrator to review the Security policy rule base for unused rules?
- Test Policy Match
- View Rulebase as Groups
- Security policy tags
- Policy Optimizer

In the PAN-OS Web Interface, which is a session distribution method offered under NAT Translated Packet Tab to choose how the firewall assigns sessions?
- Max Sessions
- IP Modulo
- Destination IP Hash
- Concurrent Sessions

Which administrative role type allows a custom set of firewall permissions to be configured for administrators?
- Superuser
- Role based
- Device administrator
- Virtual system administrator

Which table for NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings is available only on Panorama?
- NAT Policies General Tab
- NAT Active/Active HA Binding Tab
- NAT Target Tab
- NAT Translated Packet Tab

Which log type would be used to find commit entries for a firewall?
- Config
- Alarms
- Correlation
- System

What must first be created on the firewall for SAML authentication to be configured?
- Server Profile
- Server Policy
- Server Location
- Server Group

Where in the PAN-OS GUI can an administrator monitor the rule usage for a specified period of time?
- Monitor > Packet Capture
- Objects > Schedules
- Policies > Policy Optimizer
- Monitor > Reports

What two actions can be taken when implementing an exception to an External Dynamic List? (Choose two.)
- Exclude a URL entry by making use of wildcards.
- Exclude a URL entry by making use of regular expressions.
- Exclude an IP address by making use of wildcards.
- Exclude an IP address by making use of regular expressions.