PCNSA Exam - Comments


7/26/23, 9:41 AM PCNSA Exam – Free Actual Q&As, Page 1 | ExamTopics


https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 1/351

Topic 1 - Single Topic

Question #1 Topic 1

DRAG DROP -
Match the Palo Alto Networks Security Operating Platform architecture to its description.
Select and Place:

Correct Answer:

prseedd Highly Voted 2 years, 9 months ago


Correct Answer
upvoted 6 times

MEDO162 Most Recent 1 month, 3 weeks ago


All correct
upvoted 1 times

nolox 4 months, 2 weeks ago


I think the key for distinguishing right from wrong answer is "endpoints located within the network".

Because of that I think the answer should be as @FahmiZnd replied:

T.I.C -- > Identifies and inspects all traffic to block known threats
NGF -- > Gathers, analyzes, correlates and disseminates threat to and from the network and endpoints located within the network
A.E.P -- > Inspects process and files to prevent known and unknown exploits.
upvoted 2 times

cutemomo 4 months, 3 weeks ago

these are all incorrect


I think this is the answer
NGF--> Identifies and inspects all traffic to block known threats
T.I.C -- >Gathers, analyzes, correlates and disseminates threat to and from the network and endpoints located within the network
A.E.P -- > Inspects process and files to prevent known and unknown exploits.
upvoted 2 times

BMRobertson 6 months ago


These are incorrect, think about it:
NGFirewalls block inspect and block traffic, nothing to do with endpoints
The cloud is where information is disseminated about networks and endpoints
AEP inspects processes and files (on endpoints) to prevent known/unknown exploits; files are coming through FWs b/c its not network traffic
upvoted 1 times

FahmiZnd 1 year ago


T.I.C -- > Identifies and inspects all traffic to block known threats
NGF -- > Gathers, analyzes, correlates and disseminates threat to and from the network and endpoints located within the network
A.E.P -- > Inspects process and files to prevent known and unknown exploits.
upvoted 3 times


Question #2 Topic 1

Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?

A. management

B. network processing

C. data

D. security processing

Correct Answer: A

Community vote distribution


A (100%)

MEDO162 1 month, 3 weeks ago


Selected Answer: A
A is correct.
upvoted 1 times

Viga1991 4 months, 2 weeks ago


control plan (A)
upvoted 1 times

baccalacca 4 months, 3 weeks ago


Threat Intelligence Cloud Gathers, analyzes, correlates, and disseminates threats to and from the network and endpoints located within the
network.
Next-Generation Firewall Identifies and inspects all traffic to block known threats
Advanced Endpoint Protection - Inspects processes and files to prevent known and unknown
upvoted 1 times

all_nicknames_are_taken 4 months, 3 weeks ago


A is correct
upvoted 1 times

Wing123 7 months, 2 weeks ago


Selected Answer: A
This is bug but C
upvoted 1 times

Freakezoid 11 months, 2 weeks ago


Selected Answer: A
A is correct
upvoted 2 times

error_909 1 year, 4 months ago


Selected Answer: A
Answer A is Correct
upvoted 3 times

Cyril_the_Squirl 1 year, 9 months ago


A is Correct.
Management plane = Log, Report, Configure
Data Plane = AV, exploits, UF, Spyware, VPN, QoS, NAT, CC#, etc
upvoted 3 times

jc1515 2 years ago


A is correct.
upvoted 2 times


Question #3 Topic 1

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application

B. No impact because the apps were automatically downloaded and installed

C. No impact because the firewall automatically adds the rules to the App-ID interface

D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

Correct Answer: C

Community vote distribution


A (100%)

rebet Highly Voted 3 years, 5 months ago


The correct answer is:
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
upvoted 23 times

rach91 Highly Voted 3 years, 5 months ago


I agree with you @Rebet. To allow the new applications, we need to modify or add a new policy.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
upvoted 9 times

j4v13rh4ack Most Recent 5 months, 3 weeks ago


Selected Answer: A
Letter A.
upvoted 1 times

daytonadave2011 6 months, 4 weeks ago


Selected Answer: A
I believe the answer is A because if the new App-IDs are being blocked, it will show in the policy optimizer that those App-IDs are being blocked
and must be added again for functionality.
upvoted 1 times

kewokil120 1 year, 2 months ago


Selected Answer: A
The correct answer is: A
upvoted 3 times

error_909 1 year, 4 months ago


Selected Answer: A
All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
upvoted 4 times

error_909 1 year, 4 months ago


Selected Answer: A
A is the only one that make sense
upvoted 3 times

Gaven 1 year, 4 months ago


Selected Answer: A
A. You need to modify the policy to include the new application. I have seen in the past these updates denying traffic due to this. I would also refer
to @Rebet.
upvoted 3 times

Kane002 1 year, 9 months ago

A is correct. For example, Facebook-chat is a dependency on Facebook-base, and must be specifically allowed through a dependency commit,
explicit security policy, etc. It would not be implicitly allowed, things that are implicitly allowed would be ssl and web-browsing, as facebook-base
could not function without those.
upvoted 2 times

DatBroNZ 1 year, 9 months ago


It all depends on how the security policy is configured. If it is using the parent SuperApp, then anything new added under that category will be
automatically allowed, so no impact, answer C.

But if the security policy is locked to the SuperApp-base, then the traffic to the new apps would be blocked, option A.
upvoted 3 times

Cyril_the_Squirl 1 year, 9 months ago


A is Correct.
When new APP-IDs are downloaded and added to device, the security policy must exist to explicitly allow them. But because they're "new" they will
get dropped until you modify/add security policy to explicitly allow them otherwise they're dropped by InterZone policy which drops the traffic by
default.
upvoted 2 times

Rowdy_47 1 year, 10 months ago


Ridiculous, can't find a clear answer on this!!!
Cisco all over again
upvoted 3 times

Rowdy_47 1 year, 10 months ago


Edit:update
Spoke to one of my colleagues who have been working with PAs for 2 years
He has never once had to redefine apps and change policies, seems to be in line with the way PaloAlto does things so I am going to choose C
PS - he said he also got that question in his exam and chose C
upvoted 2 times

Rowdy_47 1 year, 8 months ago


Update
This is wrong, the correct answer is A
upvoted 4 times

Micutzu 2 years, 1 month ago


The correct answer is "C. No impact because the firewall automatically adds the rules to the App-ID interface".
The question is referring to SuperApp and SuperApp is the upper level for SuperApp_base, SuperApp_chat and SuperApp_download.
As an example we have the top level FACEBOOK and subcategories: FACEBOOK_BASE, FACEBOOK_CHAT, FACEBOOK_DOWNLOAD, ...
upvoted 3 times

ramasamymuthiah 2 years, 2 months ago


Correct answer is A
upvoted 2 times

debabani 2 years, 5 months ago


A is the correct answer
upvoted 1 times

prseedd 2 years, 9 months ago


Ans Correct ans-C...Otherwise it will be huge disadvantage
upvoted 1 times

sid_2020 2 years, 11 months ago


C is the correct answer.
upvoted 2 times


Question #4 Topic 1

How many zones can an interface be assigned with a Palo Alto Networks firewall?

A. two

B. three

C. four

D. one

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-zones/security-zone-overview

Community vote distribution


D (83%) C (17%)

error_909 Highly Voted 1 year, 4 months ago


Selected Answer: D
Answer is correct
upvoted 5 times

all_nicknames_are_taken Most Recent 4 months, 3 weeks ago


D is correct
upvoted 1 times

Najmmm 5 months, 1 week ago


A zone can have multiple interfaces of the same type assigned to it (such as tap, layer 2, or layer 3 interfaces), but an interface can belong to only
one zone. So the answer is D
upvoted 3 times

Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: C
C. four
upvoted 1 times

Cyril_the_Squirl 1 year, 9 months ago


D is Correct.
upvoted 2 times

Cyril_the_Squirl 1 year, 9 months ago


An interface can only be part of one zone, but a zone can have multiple interfaces and subnets associated with it.
upvoted 2 times

prseedd 2 years, 9 months ago


Correct ans
upvoted 4 times


Question #5 Topic 1

Which two configuration settings shown are not the default? (Choose two.)

A. Enable Security Log

B. Server Log Monitor Frequency (sec)

C. Enable Session

D. Enable Probing

Correct Answer: BC
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/enable-server-monitoring

Community vote distribution


BC (67%) CD (22%) 11%

Outlaw87 Highly Voted 3 years, 2 months ago


B & C true answers.
By default - Server Log Monitor Frequency (sec) - 2
By default - Enable Session - disabled
upvoted 18 times

rmoreirac 1 year, 1 month ago


Correct answers, yep. Thanks!
upvoted 2 times

Sanjug2022 Most Recent 3 weeks, 4 days ago


B & C Correct , Checked with Device
upvoted 1 times

Gilmarcio 2 months ago


B&C correct - the default for Frequency is 2 and Enable Session is "Disable"
upvoted 1 times

o0ZACK0o 4 months, 2 weeks ago


Selected Answer: CD
For PAN-OS 10.0 Enable Session + Client Probing are disabled by default for Integrated User-ID Agent
upvoted 1 times

BeforeScope 6 months, 1 week ago


Selected Answer: BC
answer bc
upvoted 1 times

Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: A
A. Enable Security Log
upvoted 1 times

argyris23 6 months, 2 weeks ago


Selected Answer: BC
just checked it on a PA-VM, I totally agree with Outlaw87
upvoted 1 times

daytonadave2011 6 months, 4 weeks ago


Selected Answer: BC
B and C are correct. Looked at a default PA-220.
upvoted 1 times

Miho_GG 7 months ago


Selected Answer: CD
Enable session and enable options are not default
upvoted 1 times

rmoreirac 1 year, 1 month ago


Updated doc @ https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/user-id-agent-setup/user-id-agent-setup-server-monitoring#id3f6fc5de-993d-4538-9f06-17fe9d9a4130
upvoted 1 times

error_909 1 year, 4 months ago


Selected Answer: BC
By default - Server Log Monitor Frequency (sec) - 2
By default - Enable Session - disabled
upvoted 3 times

Rowdy_47 1 year, 10 months ago


Correct answers are B and C
The incorrect 2 below with their default settings

Server Log Monitor Frequency (sec) 2


Enable Session - off / unchecked

Screengrabbed the default settings for PAN OS 10 from CBT nuggets course with Keith Barker
upvoted 4 times

ada07 2 years, 2 months ago


B & C are true ; D is not correct ; probing is not selected
upvoted 2 times

ramasamymuthiah 2 years, 3 months ago


The correct answer is C & D (100% Correct)
upvoted 1 times

prseedd 2 years, 9 months ago


B and C--checked in firewall
upvoted 4 times

lgkhan 2 years, 10 months ago


C & D the correct answers.
upvoted 1 times

simkm 2 years, 10 months ago


C and d. Devices ->user ID->user mapping
upvoted 1 times


Question #6 Topic 1

Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

A. Signature Matching

B. Network Processing

C. Security Processing

D. Data Interfaces

Correct Answer: A

Community vote distribution


A (86%) 14%

mr_flubber 2 months, 3 weeks ago


Selected Answer: A
Palo Alto Networks regularly updates its threats and application databases. Updates include new antivirus and
spyware definitions, new malicious domains and URLs, and new application signatures.
upvoted 2 times

all_nicknames_are_taken 4 months, 3 weeks ago


Correct is A
upvoted 1 times

Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: D
D. Data Interfaces
upvoted 1 times

error_909 1 year, 4 months ago


Selected Answer: A
Answer is Correct
upvoted 4 times

Cessar 1 year, 8 months ago


Correct A
PCNSA study guide Page 30
upvoted 1 times

Rowdy_47 1 year, 10 months ago


pcnsa-study-guide page 34
upvoted 4 times

AbdallahMusa 11 months, 2 weeks ago


Hi ... can you provide me with pcnsa-study-guide ??
upvoted 2 times


Question #7 Topic 1

Which option shows the attributes that are selectable when setting up application filters?

A. Category, Subcategory, Technology, and Characteristic

B. Category, Subcategory, Technology, Risk, and Characteristic

C. Name, Category, Technology, Risk, and Characteristic

D. Category, Subcategory, Risk, Standard Ports, and Technology

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-application-filters

Community vote distribution


B (100%)

DilT Highly Voted 2 years, 7 months ago


B. is the correct answer.
Category, Subcategory, Technology, Risk, and Characteristic

Checked and confirmed this from the Firewall


upvoted 11 times

MEDO162 Most Recent 1 month, 3 weeks ago


Selected Answer: B
Palo Alto Networks Certified Network
Security Administrator
(PCNSA)
Study Guide
Jan 2023

Page 36

An administrator can dynamically categorize multiple applications into an application filter based
on the specific attributes Category, Subcategory, Tags, Risk, and Characteristic.
upvoted 1 times

TunaSD 2 months, 2 weeks ago


There are no characteristics. Tried in lab RN.
upvoted 1 times

Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: B
B. Category, Subcategory, Technology, Risk, and Characteristic
upvoted 1 times

javim 1 year, 1 month ago


Selected Answer: B
Correct answer is B
PCNSA Study Guide 2021 page 112, but instead of technology is Tags
upvoted 2 times

error_909 1 year, 4 months ago


Selected Answer: B
TAG Column is added starting from PANOS 9.1:

PANOS 9.1 and higher:


without technology column:
Catg., Sub, Risk, Tag, Charch

with technology column:


Catg., Sub, Tech, Risk, Tag, Charch.

PANOS 8.1:
Catg., Sub, Tech, Risk, Charch.
upvoted 2 times

error_909 1 year, 4 months ago

Selected Answer: B
Answer B is correct
upvoted 2 times

Kevin310 1 year, 6 months ago


Selected Answer: B
B is correct.
upvoted 1 times

Cyril_the_Squirl 1 year, 9 months ago


B is Correct.
upvoted 1 times

Rowdy_47 1 year, 10 months ago


I agree with Angel and MrLo
Category, Subcategory, Tags, Risk, and Characteristic

In PANOS10 you need to click a button "Show Technology Column" to see the technology tab
upvoted 2 times

Angel123 2 years, 3 months ago


I agree with MrLO - Category, Subcategory, Risk, Tags, and Characteristic
PCNSA Study guide 2020, p.117
upvoted 2 times

MrLO 2 years, 7 months ago


Category, Subcategory, Tags, Risk, and Characteristic
upvoted 4 times


Question #8 Topic 1

Actions can be set for which two items in a URL filtering security profile? (Choose two.)

A. Block List

B. Custom URL Categories

C. PAN-DB URL Categories

D. Allow List

Correct Answer: AD

Community vote distribution


BC (88%) 13%

CiscoSannin Highly Voted 2 years, 9 months ago


Ans is B and C. Look at the wording of the question:

"ACTIONS(eg Block, Allow etc) can be set for WHICH TWO ITEMS in a URL filtering security profile?"

The question is NOT worded like:


"WHAT Actions can be set for items in a URL filtering security profile?"

Hence the correct answers are B & C.


upvoted 26 times

rebet Highly Voted 3 years, 5 months ago


I believe B & C are the correct answers.
Starting from panos v.9 url override (that's where allow and deny lists were) is removed from the url profile and only categories are used...
upvoted 9 times

vigoras Most Recent 2 months, 3 weeks ago


Selected Answer: BC
B and C
upvoted 1 times

all_nicknames_are_taken 4 months, 3 weeks ago


A, D: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/url-categories/url-filtering-profile-actions
upvoted 1 times

hugodiaz 4 months, 3 weeks ago


Is this a typo thing for this question? did they forget to add the word "What" to the beginning of the question?
What actions.... is how I instinctively read it as.
upvoted 1 times

BMRobertson 5 months, 2 weeks ago


I believe the answer is B & C based on PAN's website (https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/url-categories). You don't find allow/block lists spoken of, only Custom, Predefined, Malicious, and Security Focused. You create custom yourself, but PAN-DB does the other three.
upvoted 1 times

OhEmGee 5 months, 3 weeks ago


It can't be "Allow List" and "Block List" as actions cannot be associated to 'lists' therefore it is B and C.
upvoted 1 times

Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: AD
A. Block List,D Allow list
upvoted 1 times

coboo 1 year, 1 month ago


Selected Answer: BC
B&C are correct
upvoted 1 times

error_909 1 year, 4 months ago


Selected Answer: BC
Ans is B and C.
upvoted 3 times

Gaven 1 year, 4 months ago


Selected Answer: BC
See @ciscoSannin comment. The question is asking for Action on WHICH ITEMS. A and D are actions not Items
upvoted 2 times

Cyril_the_Squirl 1 year, 9 months ago


B & C are Correct.
upvoted 2 times

Kane002 1 year, 9 months ago


People saying A and D misread the question. It's not asking for which ACTIONS but which ITEMS.
upvoted 2 times

Dahem 1 year, 9 months ago


The correct answer is (A,D), you can make sure in paloalto > objects > security profile > URL Filtering
upvoted 1 times

BMRobertson 5 months, 2 weeks ago


I don't think that takes into account what the question is asking; take a look at this site: https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/url-categories....this points to Custom URL categories and Security Focused URL categories; the latter is done via PAN-DB
upvoted 1 times

Angel123 2 years, 3 months ago


According to PCNSE Study Guide 2020, p.165
B & C are correct answers
upvoted 2 times

Rasta2 2 years, 6 months ago


The correct answers are B and C . The questions asks on WHICH CATEGORIES can you apply the actions ( allow,block etc)
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/url-filtering-multi-category.html
upvoted 4 times

DilT 2 years, 7 months ago


Actions here are "Block List and Allow List".
The two items are in URL security profiles are "Custom URL Categories and PAN-DB URL Categories"

Questions is " Actions can be set for which two items in a URL filtering security profile? "

So the according to the question the correct answer should be B and C since its asking which profiles the actions can be set.

Reference
URL Filtering Categories - https://docs.paloaltonetworks.com/pan-Aos/9-0/pan-os-web-interface-help/objects/objects-security-profiles-url-filtering/url-filtering-categories

URL Filtering Profile Actions - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions
upvoted 1 times


Question #9 Topic 1

DRAG DROP -
Match the Cyber-Attack Lifecycle stage to its correct description.
Select and Place:

Correct Answer:

baccalacca 4 months, 3 weeks ago


Reconnaissance – stage where the attacker scans for network vulnerabilities and services that can be exploited.
Installation – stage where the attacker will explore methods such as a root kit to establish persistence
Command and Control – stage where the attacker has access to a specific server so they can communicate and pass data to and from infected
devices within a network.
Act on the Objective – stage where an attacker has motivation for attacking a network to deface web property
upvoted 1 times

all_nicknames_are_taken 4 months, 3 weeks ago


Correct
upvoted 1 times

khaled_ellaboudy 5 months ago


Correct Answer
upvoted 1 times


Question #10 Topic 1

Which two statements are correct about App-ID content updates? (Choose two.)

A. Updated application content might change how Security policy rules are enforced.

B. After an application content update, new applications must be manually classified prior to use.

C. Existing security policy rules are not affected by application content updates.

D. After an application content update, new applications are automatically identified and classified.

Correct Answer: CD

Community vote distribution


AD (89%) 11%

rebet Highly Voted 3 years, 5 months ago


The correct answers are:
A. Updated application content may change how security policy rules are enforced
D. After an application content update, new applications are automatically identified and classified

'B' is not correct as there is no need to do any manual classification of applications.


upvoted 31 times

ichnos 3 years, 2 months ago


I agree
upvoted 1 times

PANW 3 years, 2 months ago


I agree A & D are correct
As new App-IDs are introduced and delivered to the firewall via weekly updates, dynamic filters are automatically updated for those applications
that meet the filter criteria. This helps
minimize administrative effort associated with security policy management.
Source: https://www.paloaltonetworks.com/resources/techbriefs/app-id-tech-brief.html
upvoted 5 times

RedByte Highly Voted 3 years, 8 months ago


The answer should be A and B:

"A firewall admin must be careful before they install any App‐ID updates because some applications may have changed since the last App‐ID
update (content update). For example, an application that was previously categorized under web‐browsing now may be categorized under its own
unique App‐ID. Categorization of applications into more specific applications allows more granularity and control of applications within security
policies. Because the new App‐ID no longer will be categorized as web‐browsing, no security policy now will contain this new App‐ID.
Consequently, the new App‐ID will be blocked."
upvoted 6 times

blu_gandalf Most Recent 2 months, 1 week ago


i just answer it in practice exam , A & D
upvoted 1 times

vigoras 2 months, 3 weeks ago


Selected Answer: AD
A and D
upvoted 1 times

all_nicknames_are_taken 4 months, 3 weeks ago


A,D: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases
upvoted 1 times

BMRobertson 5 months, 2 weeks ago


The answer(s) are A&D. Please look at the following link: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/software-and-content-updates/app-and-threat-content-updates states "As the firewall automatically retrieves and installs the latest application and threat signatures
(based on your custom settings), it starts enforcing security policy based on the latest App-IDs and threat protection without any additional
configuration." This means B is incorrect and D is correct; further down it states, "Because new App-IDs can change how the security policy enforces
traffic..." (this means A is correct and C is not);
upvoted 1 times

argyris23 6 months ago


Selected Answer: AD
A,D
source: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
upvoted 1 times

Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: A
A. Updated application content might change how Security policy rules are enforced.
upvoted 1 times

yurakoresh 1 year ago


Selected Answer: AD
A & D should be the correct answers!
upvoted 2 times

LordScorpius 1 year, 4 months ago


Please DON'T take this exam IF you believe that App-ID updates can't break some of Security Policy Rules. The training Palo writes spends a great
deal of time explaining how it can! Secondly, stop wishfully thinking everything is automatic. Dependencies must be allowed or denied after they
are created. The answer here is clearly A and D.
upvoted 1 times

Raimz 1 year, 4 months ago


I go with A & B
upvoted 1 times

error_909 1 year, 4 months ago


Selected Answer: AD
The correct answers are:
A. Updated application content may change how security policy rules are enforced
D. After an application content update, new applications are automatically identified and classified.

For any manual process in app-id updates, the option disable content update must be done first, then the admin must allow new signatures
manually
upvoted 4 times

Cyril_the_Squirl 1 year, 9 months ago


A & B are correct.

Updated or changed application identifiers MIGHT surely change the way security policy is applied if there's been changes or new additions. (A is
correct). Therefore where there are NEW additions to applications and app identifiers, all the new app-IDs MUST be explicitly/manually included
correctly in the security policy.(B is correct).

C is wrong.... it's silly to think security policy is not affected by app-id when it's in the app-id profile is used.
D is wrong...lost me at "automatically"
upvoted 2 times

vdsdrs 1 year, 7 months ago


All apps are automatically identified and classified if they match the signature...
A&D are correct.
upvoted 2 times

Kane002 1 year, 9 months ago


A and D. For people arguing for B, the wording seems to imply that an admin would have to manually classify new applications via application
overrides or custom application signatures, which they do not have to do, this is done automatically, it's the whole point of the content update.
upvoted 1 times

Rowdy_47 1 year, 10 months ago


A and D

As the firewall automatically retrieves and installs the latest application and threat signatures (based on your custom settings), it starts enforcing
security policy based on the latest App-IDs and threat protection without any additional configuration.

Because new App-IDs can change how the security policy enforces traffic, this more limited release of new App-IDs is intended to provide you with
a predictable window in which you can prepare and update your security policy.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/app-and-threat-content-updates
upvoted 2 times

simkm 2 years, 10 months ago


A and d.
It is automatically downloaded and installed.
An option to check and disable new apps in content update is introduced > panos 7.0
upvoted 3 times

Mr_Yoso 2 years, 11 months ago


did anyone answered C and D that stated on the exam is correct?
upvoted 1 times


Question #11 Topic 1

Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?

A. Windows session monitoring

B. passive server monitoring using the Windows-based agent

C. Captive Portal

D. passive server monitoring using a PAN-OS integrated User-ID agent

Correct Answer: C

Community vote distribution


C (100%)

vigoras 2 months, 3 weeks ago


Selected Answer: C
Answer is C
upvoted 1 times

Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: C
C. Captive Portal
upvoted 1 times

error_909 1 year, 4 months ago


Selected Answer: C
C is Correct
upvoted 2 times

Cyril_the_Squirl 1 year, 9 months ago


C is Correct.
upvoted 3 times


Question #12 Topic 1

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory

B. Create an Application Group and add business-systems to it

C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category

D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

Correct Answer: A

Community vote distribution


A (100%)

  Jako2252 Highly Voted  3 years, 6 months ago


I would say, that A is correct:
App Filter = dynamic grouping of apps
App Group = static, by admin defined set(s) of apps
upvoted 8 times

  argyris23 Most Recent  6 months ago


Selected Answer: A
correct is A
upvoted 1 times

  Ankitkumar2029 6 months, 2 weeks ago


Selected Answer: A
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: A
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
upvoted 1 times

  Bobyly 1 year, 5 months ago


Answer A. The question is "allow multiple applications in a dynamic environment?". The key word is dynamic, so with B you must choose the office
programs manually
upvoted 1 times

  Angel123 2 years, 3 months ago


Correct answer is 'A'
'B' cannot be correct answer since "Multiple applications and multiple application filters can be combined into an application group" (as per PCNSA
Study Guide 2020, p.118). "business-systems" shown on answ.B is neither App filter, nor App group, but rather a category.
upvoted 4 times

  vfejzaj 2 years, 7 months ago


B. Because multiple applications and multiple application filters can be combined into an application group. That's where you get the "dynamic" part -
Nesting.
upvoted 1 times

  simkm 2 years, 10 months ago


A is correct. App filters dynamically group apps based on attributes selected from the App-ID database. App filters enable access to apps that match
filter criteria rather than specific app names.
1. Create an app filter that matches on the category business-systems
2. Subcategory office programs
Any new apps will automatically match the app filter and be added dynamically to the dynamic app group
upvoted 2 times

  Migue2891 2 years, 11 months ago


https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter.html#id377ee768-8176-4aac-ad50-e9e4993609a6
upvoted 1 times

  Peter_T 2 years, 11 months ago


You cannot add a category to an Application Group, only applications within that category, so the answer cannot be B. Since the question is about
office applications, I think A is the best answer.
upvoted 3 times
  sid_2020 2 years, 11 months ago
I think it's B only. If you see the question, it categorically says 'their own office application'. They are not saying Office application in general.
upvoted 2 times

  Mr_Yoso 2 years, 11 months ago


I agree 'their own office application', so letter b
upvoted 1 times

  DAC3 3 years ago


A is correct
upvoted 2 times

  nk12 3 years, 2 months ago


dynamic environment..App Filter is the solution.. A is correct one..
upvoted 2 times

  Ab121213 3 years, 2 months ago


A is correct.
upvoted 2 times

  datasec919 3 years, 2 months ago


I agree A is correct Answer
upvoted 2 times

  John555 3 years, 4 months ago


Correct Answer:A
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter.html
upvoted 4 times

  Abiedv 3 years, 6 months ago


Yes, A is correct because the app filter is dynamic and you need to choose the subcategory office programs
upvoted 2 times

Question #13 Topic 1

Which statement is true regarding a Best Practice Assessment?

A. The BPA tool can be run only on firewalls

B. It provides a percentage of adoption for each assessment area

C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention
activities

D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

Community vote distribution


B (100%)

  LordScorpius 1 year, 4 months ago


I can only hope all the exam questions have non-answers as stupid as these.
B, obviously.
upvoted 1 times

  Raimz 1 year, 4 months ago


B
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
upvoted 1 times

  dawlims 1 year, 7 months ago


Selected Answer: B
B is correct. https://docs.paloaltonetworks.com/best-practices/9-0/bpa-getting-started/evaluate-security-policy-capability-adoption/review-the-adoption-summary.html
upvoted 1 times

  vvss 2 years, 1 month ago


the answer is B. Just scroll down and watch this video https://www.paloaltonetworks.com/services/bpa
upvoted 2 times

  AhmedAlnakib1986 2 years, 3 months ago


B is the correct answer
upvoted 4 times

  DC787 2 years, 7 months ago


B
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide-latest.pdf
upvoted 2 times

  LuigiG 2 years, 8 months ago


According to https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools , I think the correct answer is C
upvoted 1 times

  alenalenir 2 years, 9 months ago


I think Correct Answer is D
upvoted 3 times

Question #14 Topic 1

Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?

A. intrazone-default

B. Deny Google

C. allowed-security services

D. interzone-default

Correct Answer: D

Community vote distribution


D (86%) 14%

  Cyril_the_Squirl Highly Voted  1 year, 9 months ago


D is Correct.
upvoted 8 times

  Angel123 Highly Voted  2 years, 3 months ago


D is indeed correct answer.
You can check application categories on:
https://applipedia.paloaltonetworks.com/
upvoted 5 times

  CHICCONUMBER1 Most Recent  10 months, 3 weeks ago


D is correct. Remember Security Policies are a match condition, and then action is applied to the matching traffic.
upvoted 1 times

  scanossa 1 year, 1 month ago


Selected Answer: D
D is correct, B will filter Google Docs only
upvoted 1 times

  j4v13rh4ack 1 year, 1 month ago


Selected Answer: D
D works
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: D
D is correct
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Google is in a completely different classification than YouTube, owned or not. Also, there is no dependency in AppID. Answer: D
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: D
The answer is D inter-zone default.
upvoted 3 times

  xeonsyn 1 year, 4 months ago


D is correct because this is google-doc base not google base
upvoted 1 times

  Bobyly 1 year, 5 months ago


Yes D. I tested on my LAB the answer B can't block youtube.
upvoted 3 times
  RameshKaku 1 year, 5 months ago
Selected Answer: B
B- Because Youtube depends on Google-base
upvoted 1 times

  delorean 1 year ago


The application on the policy is google-docs-base. As it is different from google-base, B cannot be the right answer. D is correct
upvoted 1 times

Question #15 Topic 1

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A. on either the data plane or the management plane.

B. after it is matched by a security policy rule that allows traffic.

C. before it is matched to a Security policy rule.

D. after it is matched by a security policy rule that allows or blocks traffic.

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html

Community vote distribution


B (92%) 8%

  Angel123 Highly Voted  2 years, 3 months ago


'B' is correct answer according PCNSA Study Guide 2020, p.131
After a packet has been allowed by the Security policy, Security Profiles are used to scan packets for threats, vulnerabilities, viruses, spyware,
malicious URLs, data exfiltration, and exploitation software.
upvoted 20 times

  nabilzay Highly Voted  2 years, 7 months ago


B is the correct answer, the security policy has to allow the traffic for the security profile to take action
upvoted 15 times

  vigoras Most Recent  2 months, 3 weeks ago


Selected Answer: B
B is correct answer.
upvoted 2 times

  all_nicknames_are_taken 4 months, 3 weeks ago


B: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-profiles
upvoted 1 times

  Najmmm 5 months, 1 week ago


Security policy rules allow or block traffic in network, while security profiles scans the applications for threats, such as viruses, malware, spyware,
and DDOS attacks. So the answer B is correct as the traffic will need to be allowed first for security profiles scans
upvoted 1 times

  Najmmm 5 months, 1 week ago


While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow but scan rule, which
scans allowed applications for threats, such as viruses, malware, spyware, and DDOS attacks
upvoted 1 times

  argyris23 6 months ago


Selected Answer: C
Definitely C!, if the security rule blocks the traffic it will never make it to the security profiles
upvoted 1 times

  daytonadave2011 6 months, 4 weeks ago


Selected Answer: B
B is correct. Remember the Security Policy at the end of the Policy must be set to Allow, then you can add additional policies to check prior to
allowing the traffic.
upvoted 1 times

  DDisGR8 11 months ago


Selected Answer: B
B is the correct answer
upvoted 1 times

  seb_berlin 1 year ago


Selected Answer: B
Of course B is the right answer.

Took the PAN-EDU-210 a few weeks ago the course material says so as well as ->
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles

While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow but scan rule, which scans
allowed applications for threats, such as viruses, malware, spyware, and DDOS attacks. When traffic matches the allow rule defined in the security
policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.
upvoted 1 times
  scanossa 1 year, 1 month ago
Selected Answer: B
B is correct
upvoted 1 times

  Gerza27 1 year, 2 months ago


B is correct answer! Of course!
upvoted 2 times

  kewokil120 1 year, 2 months ago


Selected Answer: B
B. Why would you put denied traffic through an IPS.
upvoted 1 times

  jjb1989 1 year, 2 months ago


I feel like this is a trick question. The statement says "A Security profile can BLOCK OR ALLOW traffic ......", so why if B only says allow would it be
correct over D which says allows or blocks?
upvoted 1 times

  Letrange 1 year, 2 months ago


Security profiles are applied to allowed traffic by the security policy rule. It makes no sense to apply a security profile on a policy rule that denies
traffic.
upvoted 1 times

  N1KH1L 1 year, 3 months ago


B is correct answer
upvoted 1 times

  zeebo340 1 year, 4 months ago


Selected Answer: B
Answer is B
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: B
B is the correct answer, the security policy has to allow the traffic for the security profile to take action
upvoted 2 times

  LordScorpius 1 year, 3 months ago


This is absolutely correct. Without an "allow", things don't progress from Policy -->Profile.
upvoted 1 times

  Raimz 1 year, 4 months ago


B is the answer, only Allow Security policies processes Security profiles.
upvoted 1 times

Question #16 Topic 1

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and
None?

A. Translation Type

B. Interface

C. Address Type

D. IP Address

Correct Answer: A

Community vote distribution


A (100%)

  Guardion94 5 months, 1 week ago


Selected Answer: A
A is correct, view the Study Guide page 129
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: A
A. Translation Type
upvoted 2 times

  Cyril_the_Squirl 1 year, 9 months ago


A is Correct
upvoted 4 times

Question #17 Topic 1

Which interface does not require a MAC or IP address?

A. Virtual Wire

B. Layer3

C. Layer2

D. Loopback

Correct Answer: A

Community vote distribution


A (100%)

  D_Ham 1 year, 4 months ago


Selected Answer: A
Virtual Wire interface does not need IP or MAC
upvoted 3 times

  darkonzy 1 year, 4 months ago


Selected Answer: A
No IP or MAC addresses are assigned to Virtual Wire interfaces. No routing or
switching is done on a Virtual Wire interface.
upvoted 3 times

  lessimos 1 year, 8 months ago


PCNSA Study Guide 2020, p.75, Paragraph 2
upvoted 2 times

  Cyril_the_Squirl 1 year, 9 months ago


A is Correct
upvoted 2 times

  modatruhio 2 years, 11 months ago


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces.html
upvoted 3 times

Question #18 Topic 1

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify
out-of-date or unused rules on the firewall?

A. Rule Usage Filter > No App Specified

B. Rule Usage Filter > Hit Count > Unused in 30 days

C. Rule Usage Filter > Unused Apps

D. Rule Usage Filter > Hit Count > Unused in 90 days

Correct Answer: D

Community vote distribution


D (100%)

  LuisLfr Highly Voted  3 years, 8 months ago


exactly, for that reason it is the correct answer. If you choose the option of 30 days, some rule could be used within 30 to 60, therefore the answer
that I assure that it has not been used for more than 60 days is the "D"
upvoted 11 times

  Darude Most Recent  4 months, 2 weeks ago


Selected Answer: D
Guys, I checked it on our production firewall: the 90 days is a timeframe, so it includes the 30 days as well. I checked the policies inside and the 90
includes the 30 ones as well. So to see 60 days you have to pick 90 for sure (even if it makes NO sense).
upvoted 1 times

  KirinKev 6 months, 3 weeks ago


D is correct, the filter is applied to within the last 90 days, which includes the 60 days.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/view-policy-rule-usage
upvoted 1 times

  Ptopics 1 year ago


The point of the 30 and 90 day filters in policy optimizer is identifying policies that haven't had hits in a long time so you can assume you can
delete them. Thus the 90 day filter looks for policies that have gone 90 OR MORE days without a hit. The firewall in this scenario is only 61 days old
so answer D does not apply. I think C is the best answer.
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: D
Answer is D
Policies --> Policy Optimizer --> Unused in 90 days
upvoted 3 times

  Rowdy_47 1 year, 8 months ago


D is the most accurate answer but all are actually wrong
In PAN OS v10, if we select "Policies" at the top of the page and then navigate to the bottom left we can see "Policy Optimizer", where the options
are
New App Viewer
Rules Without App Controls
Unused Apps
Rule Usage
With Rule Usage having the following options
Unused in 30 days
Unused in 90 days
Unused

So the actual correct answer is

Policies --> Policy Optimizer --> Unused in 90 days


upvoted 2 times

  Cyril_the_Squirl 1 year, 9 months ago


C is Correct
upvoted 2 times

  Cyril_the_Squirl 1 year, 9 months ago


I'm currently logged on to PA-VM with PAN-OS version 10.1.3. You can only do this from the bottom left of the screen under Rule Optimizer. A &
C are wrong because there is no such option.
There is no "Hit Count" option either so for the sake of this question I think B & D would be correct but B is our best option.

The real available options on the firewall are:

1. Unused in 30 days
2. Unused in 90 days
3. Unused
upvoted 2 times
  diego1984 1 year, 9 months ago
C is correct, there is no "Hit Count" option
upvoted 2 times

  AngelXavier 2 years, 6 months ago


D is correct. 30 doesn't cover all the uptime.
upvoted 1 times

  Ab121213 3 years, 2 months ago


D is correct. That covers all starting from 61 days ago.
upvoted 2 times

  PANW 3 years, 2 months ago


The question is, if you put unused in 30 days does that mean 30 days or more, surely it can't mean only used in 30 days.
upvoted 2 times

  Theo11M 3 years, 2 months ago


I think the answer to your question is that whatever you pick, it will show you "this number" and downwards, so I would say that choosing
Unused in 90 days, would show you rules unused for 1-90 days which includes 60 days (something that Unused in 30 days doesn't).
upvoted 1 times

  John555 3 years, 4 months ago


I'm thinking the answer is B
upvoted 2 times

  RedByte 3 years, 8 months ago


If they only migrated 60 days ago, there can't be any rules that haven't been hit for more than 90 days.
upvoted 2 times

Question #19 Topic 1

DRAG DROP -
Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
Select and Place:

Correct Answer:

  all_nicknames_are_taken 4 months, 3 weeks ago


correct
upvoted 2 times

  hugodiaz 4 months, 3 weeks ago


Why is step two a necessary step to "creating a new" zone? If we are creating a new zone, there is no need to choose from an existing zone.
upvoted 2 times

  cawoyev 2 months, 1 week ago


I was also confused on that part but found out why once I recreated the steps. If you go to Network tab you see on the left site a bunch of items
and there you need to click on the Zones that's what they mean.
upvoted 1 times

  khaled_ellaboudy 5 months ago


Correct Answer
upvoted 3 times

Question #20 Topic 1

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

A. An implicit dependency does not require the dependent application to be added in the security policy

B. An implicit dependency requires the dependent application to be added in the security policy

C. An explicit dependency does not require the dependent application to be added in the security policy

D. An explicit dependency requires the dependent application to be added in the security policy

Correct Answer: AD

Community vote distribution


AD (100%)

  Cyril_the_Squirl Highly Voted  1 year, 9 months ago


A & D are correct
upvoted 6 times

  error_909 Highly Voted  1 year, 4 months ago


Selected Answer: AD
A & D are correct
upvoted 5 times

  LordScorpius Most Recent  1 year, 4 months ago


"He knew implicitly without having to ask". "She produced a long list of verbal explicative."
"I trust you implicitly". "Clicking the button produces the explicit result".
upvoted 1 times

  Raimz 1 year, 4 months ago


A & D is correct - according to Firewall 10.1 Essentials: Configuration and Management Version B
upvoted 3 times

  gg87 1 year, 11 months ago


https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330
upvoted 4 times

Question #21 Topic 1

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?

A. At the CLI enter the command reset rules and press Enter

B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

C. Reboot the firewall

D. Use the Reset Rule Hit Counter > All Rules option

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/creating-and-managing-policies

Community vote distribution


D (100%)

  Cyril_the_Squirl Highly Voted  1 year, 9 months ago


D is Correct.
Under Policies > Security, at the bottom of the screen, choose Reset Rule Hit Counter; available options are 1) All Rules or 2) Selected
Rules
upvoted 5 times

  LordScorpius Most Recent  1 year, 4 months ago


D is correct
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: D
Since: reset the hit counter to zero in all the security policy rules
Answer is D
upvoted 2 times

  Kevin310 1 year, 6 months ago


Selected Answer: D
D is correct.
upvoted 3 times

  JOHN_SPARTAN 1 year, 6 months ago


Selected Answer: D
Fully agree
upvoted 3 times

Question #22 Topic 1

Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.)

A. facebook

B. facebook-chat

C. facebook-base

D. facebook-email

Correct Answer: BC
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK

Community vote distribution


BC (100%)

  yurakoresh 1 year, 4 months ago


Selected Answer: BC
Should be B and C
From Palo Alto if you go to facebook-chat and look dependencies
Depends on Applications:
facebook-base,mqtt-base
upvoted 4 times

  Raimz 1 year, 4 months ago


A & B is correct
check on Application Research Centre
https://applipedia.paloaltonetworks.com/
upvoted 1 times

  Bubu3k 1 year, 4 months ago


Should have used the link you posted... if you go there and look at facebook chat it says:
Depends on Applications:
facebook-base,mqtt-base
upvoted 4 times

  Arty1234123 1 year, 5 months ago


B C is the correct answers .
"If you wanted to chat, then facebook-base and facebook-chat would need to be allowed in the same rule."
upvoted 3 times

  Awoh 1 year, 6 months ago


Mistake, sorry you can delete my answers
upvoted 2 times

  Awoh 1 year, 6 months ago


AB instead of BC
upvoted 3 times

  Awoh 1 year, 6 months ago


Facebook included facebook-chat not facebook-base
upvoted 2 times

Question #23 Topic 1

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management
plane resources?

A. Windows-based agent deployed on the internal network

B. PAN-OS integrated agent deployed on the internal network

C. Citrix terminal server deployed on the internal network

D. Windows-based agent deployed on each of the WAN Links

Correct Answer: A

Community vote distribution


A (75%) D (25%)

  Outlaw87 Highly Voted  3 years, 3 months ago


From PCNSA Study Guide, page 162:
Another reason to choose the Windows agent over the integrated PAN-OS agent is to save processing cycles on the firewall’s management plane.
However, if network bandwidth is an issue, you might want to use the PAN-OS integrated agent.
But I think multiple WAN links will solve the network bandwidth issue, so the main issue is the management plane resources, so for me answer is A.
upvoted 14 times

  CiscoNinja Highly Voted  3 years, 2 months ago


D is the correct answer because,
1- LDAP authentication doesn't replicate across ADs.
2- Having the remote sites forward the relevant user-ID will keep the mgmt plane on the FW low
upvoted 7 times

  Koume Most Recent  3 months, 1 week ago


I spottet for 'A' and seeing the discussion between A or D I still go for 'A' for the following reasons.
The question does not mention that it is a remote site, just a network that has 2 slow WAN links and few resources on the management plane. So, as
the question says only a network, 'D', deploying agents on the WAN sites, does not fit because the WAN links are slow. There is also no mention of whether
the remote site or the main site is across the WAN links, so I think D would not fit the question.
But answer A, Windows-based agent deployed on the internal network, would fit better because the key phrase here is "internal network", which
may mean that the network mentioned is the main site where servers could be stored. For the user-based agent, best practice is to locate the agent near the
servers to be monitored, so A makes much sense as an answer
upvoted 1 times

  OhEmGee 5 months, 3 weeks ago


This question is actually quoted from the EDU-210 book. Here I quote the statement from User_ID (Module 10). "In an infrastructure with remote
networks separated by WAN links, the integrated agent is more appropriate for reading remote logs and the Windows-based agent is more
appropriate for reading local logs. However, use of the integrated agent is not without cost: It consumes more of the firewall's management plane
resources. For this reason, deployment of the Windows agent at the remote sites and having them forward the relevant User-ID information to a
firewall on a central network often is beneficial."
upvoted 1 times

  Ptopics 1 year ago


Selected Answer: D
From PAN-OS Admin guide: "As a best practice, locate your User-ID agents near the servers it will monitor (that is, the monitored servers and the
Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the
agent and the monitored server, with only a small amount of traffic—the delta of user mappings since the last update—from the agent to the
firewall." This suggests D is the correct answer.
upvoted 1 times

  LordScorpius 1 year, 4 months ago


No way "A". They are basically giving the prescription of cure in Answer D. Don't use PAN-OS because limited cycles and, putting the Windows
Agent on each link solves bandwidth across WAN. Answer: D
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: A
The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice,
locate your User-ID agents near the servers it will monitor (that is, the monitored servers and the Windows User-ID agent should not be across a
WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a
small amount of traffic—the delta of user mappings since the last update—from the agent to the firewall.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html
upvoted 3 times

  Luongchacha1 1 year, 4 months ago


From this URL, https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000D8S7AAK&field=Attachment_1__Body__s , at
page 13: both Windows-based and PAN-OS-based agents are appropriate for this environment, but notice that the question contains "limited firewall
management resource", so A is correct.
upvoted 2 times

  rcptryk 1 year, 8 months ago


I think the correct answer is D, because in the digital learning on beacon.paloaltonetworks.com for EDU-110 they recommend that if you have multiple WAN links you
deploy a Windows agent at each site because of consuming control plane resources.
upvoted 3 times

  deezy0804 1 year, 10 months ago


For anyone looking to understand how to decide which agent to use and when, see this article:
https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000D8S7AAK&field=Attachment_1__Body__s
upvoted 1 times

  webmanau 2 years, 3 months ago


D and D only.
Bandwidth for A (reading ALL logs) is 10 times bandwidth for B (WMI to read selected logs) and that is 10 times bandwidth for D (transfer of
User/IP address pairs)
upvoted 2 times

  deezy0804 1 year, 10 months ago


The bandwidth for A is not 10x WMI probing. It's the other way around. The question is also saying that the bandwidth across the sites (WAN
links) is low, so D is not optimal. The correct answer is A. Here is a good article that describes the process:
https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000D8S7AAK&field=Attachment_1__Body__s
upvoted 1 times

  inyakis 2 years, 6 months ago


Because FW resources are critical, we have to use the Windows-based agent, and because bandwidth is an issue the agent must be placed in the
internal network. So answer A.
upvoted 7 times

  ffernandez_86 3 years, 4 months ago


Answer is B: If bandwidth is an issue, you may want to use PAN-OS integrated agent because it communicated directly with the servers, whereas
the Windows agent communicated with the servers and then communicated the User-ID information to the firewall so that it can update the
firewall database.
upvoted 3 times

  TinyT 3 years, 4 months ago


It also said Management Plane resources was an issue, so B wouldn’t work either.
upvoted 3 times

  Outlaw87 3 years, 3 months ago


for me answer is A
upvoted 6 times

  Jako2252 3 years, 6 months ago


Windows-based agent is more appropriate for reading local logs
i vote for Opt D:
deployment of the Windows agent at remote sites and having them forward the relevant User-ID information to a firewall
upvoted 4 times

Question #24 Topic 1

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You
must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The
wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A. syslog

B. RADIUS

C. UID redistribution

D. XFF headers

Correct Answer: A

Community vote distribution


A (100%)

  dawlims Highly Voted  1 year, 6 months ago


Selected Answer: A
A. Syslog is correct. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping
upvoted 5 times

  Grace_Shu Most Recent  1 month, 3 weeks ago


A. Check this 'To obtain user mappings from existing network services that authenticate users—such as wireless controllers, 802.1x devices, Apple
Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms—Configure User-ID to Monitor Syslog Senders for User
Mapping. '----https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users
upvoted 1 times

  Rider85 1 year, 5 months ago


A, is the correct answer
upvoted 2 times


Question #25 Topic 1

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to
contact a command-and-control (C2) server.
Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)

A. vulnerability protection profile applied to outbound security policies

B. anti-spyware profile applied to outbound security policies

C. antivirus profile applied to outbound security policies

D. URL filtering profile applied to outbound security policies

Correct Answer: BD
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/create-best-practice-security-profiles

Community vote distribution


BC (75%) BD (25%)

  Cyril_the_Squirl Highly Voted  1 year, 9 months ago


B & D are Correct
upvoted 9 times

  BMRobertson Most Recent  5 months, 2 weeks ago


It's B&C; Take a look at the PCNSA study guide
(https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf) and do a ctrl-F for
"C2"...the only things that come up explicitly are Antispyware (p. 86, 90) and Antivirus (p. 35). Page 86 connects Antivirus with Wildfire which "also
provides signatures for the persistent threats that are
more evasive and have not yet been discovered by other antivirus solutions. As WildFire discovers threats, signatures are quickly created and then
integrated into the standard antivirus signatures, which Threat Prevention subscribers can then download daily (sub-hourly for WildFire
subscribers)"
upvoted 1 times

  83KG 5 months, 2 weeks ago


Selected Answer: BC
Page 35

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
upvoted 2 times

  argyris23 5 months, 3 weeks ago


I was thinking B and D and I put this question to ChatGPT. It replied C and D, and here is what it answered when I asked why B is not a correct
answer:
B. Anti-spyware profile is a type of security profile that is typically used to prevent spyware and other malicious software from being installed on a
network's endpoints. It may not be the best solution to detect and prevent malware that has already infected a host and is attempting to
communicate with a C2 server.

In this case, an antivirus profile (C.), which specifically detects and prevents the spread of viruses and other malicious software, would be more
appropriate. Additionally, a URL filtering profile (D.), which blocks access to malicious or undesirable websites, could be used to prevent the
infected host from communicating with the C2 server.
upvoted 1 times

  halifax 3 months ago


ChatGPT is stupid lol - How is website address blocking going to help you? The malware is already inside your network. The malware isn't going
to use url to contact the C2 server it is already on the same network; it will use other protocols for the special delivery to C2 server.
upvoted 1 times

  gbongain 6 months, 1 week ago


Selected Answer: BC
This is Anti-Spyware but also Antivirus. The question says how the FW will detect it after 'signature update', meaning the malware signatures that
the device can detect. URL filtering provides another solution but has nothing to do with signatures.
upvoted 2 times

  Merlin0o 6 months, 3 weeks ago


Selected Answer: BC
B & C Should be correct, pages of the study guide:
36: Antivirus
133 4.1.2 Anti-Spyware


upvoted 1 times
  PunkSp 7 months, 3 weeks ago
Selected Answer: BC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-profiles
upvoted 1 times

  PLO 11 months ago


Selected Answer: BD
B & D are correct
upvoted 2 times

  domesticpig 12 months ago


A & D - Page 134
upvoted 1 times

  LordScorpius 1 year, 4 months ago


B & D do not seem correct, especially if you've just taken a Security+ or high course. However, in Palo's world "Command and Control" are Control
= Spyware and Command = bad URLs so, the answer is actually B & D. You need anti-Spyware and URL filtering.
upvoted 3 times


Question #26 Topic 1

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

A. Delivery

B. Reconnaissance

C. Command and Control

D. Exploitation

Correct Answer: D

Community vote distribution


A (96%) 4%

  Grandslam Highly Voted  1 year, 6 months ago


Selected Answer: A
PALO ALTO NETWORKS: PCNSA Study Guide 26:
Delivery: This stage marks the transition from the attacker working outside of an organization’s network to working within an organization’s
network. Malware delivered during this stage is designed to exploit existing software vulnerabilities. To deliver its initial malware, the attacker might
choose to embed malicious code within seemingly innocuous PDF or Word files, or within an email message. For highly targeted attacks, an
attacker might craft a deliverable related to the specific interests of an individual that might entice the individual into accessing a malicious website
or opening an infected email message
upvoted 14 times

  halifax 3 months ago


This is very confusing! It defies all the security-related training I've attended and books I've read. An attacker sending a random infected
attachment via email seems to me, it is the first stage (exploration or reconnaissance).
upvoted 1 times

  Ermbmx2 3 months ago


Exploration and reconnaissance would not involve sending any infected attachments. Those first stages are used only to gather intel to
determine individuals to target, possible vulnerabilities in the network, etc. This can involve looking at organizational structures/job
positions, network port/vulnerability scans, etc.
Those stages do not include any actual exploitation or attempted exploitation. It's only to gather information to determine the best possible
method for attack and successful installation or an exploitation. That is done in the delivery phase.
So A is the correct answer.
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


I agree with you.
upvoted 1 times

  LordScorpius Highly Voted  1 year, 3 months ago


When reading Security+ and other sources, the matter is clearer.
"Deliver" is creating the package, not sending the package.
"Exploit" is the initial attack. Thus, the answer: D Exploit
upvoted 6 times

  Gerza27 1 year, 2 months ago


Exactly, D is correct:
Exploitation: In this stage, attackers deploy an exploit against a vulnerable application or system, typically using an exploit kit or weaponized
document. This allows the attack to gain an initial entry point into the organization.
upvoted 2 times

  eric11 1 year, 3 months ago


Answer is D
https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle
upvoted 3 times

  leeban Most Recent  1 week, 4 days ago


Selected Answer: D
The answer is D. Exploitation
In the Delivery stage the attackers will then determine which methods to use in order to deliver malicious payloads, such as exploit kits, spear
phishing attacks with malicious links, or attachments and malvertising.
In the Exploitation stage attackers deploy an exploit against a vulnerable application or system, typically using an exploit kit or weaponized document.
This is determined by the delivery method they chose in the delivery stage.
Check this link: https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle#:~:text=Exploitation%3A%20In%20this%20stage%2C%20attackers,entry%20point%20into%20the%20organization.
upvoted 1 times

  mlj23 2 months ago


Answer A. But should read Weaponization and Delivery. Exploitation is once the infected pdf, doc, etc is opened and the attack is deployed on
the network.

https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle
upvoted 1 times

  all_nicknames_are_taken 4 months, 3 weeks ago


It must be Delivery: the attacker in the question is just attaching a document to an email, therefore the email has not been yet sent at all: from what
we know at this point, there might not be any exploitation phase (e.g. if the attacker does not hit "send")
upvoted 1 times

  FahmiZnd 5 months, 3 weeks ago


The Answer is D, You can refer link below
https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle
upvoted 1 times

  daytonadave2011 6 months, 4 weeks ago


Selected Answer: A
A.
When you think of the attacker attaching the exploit, it's prior to Exploitation so that could only mean Delivery.
upvoted 2 times

  coboo 1 year, 1 month ago


Selected Answer: A
Absolutely A
upvoted 3 times

  on2it 1 year, 1 month ago


correct, coboo
upvoted 1 times

  javim 1 year, 1 month ago


Selected Answer: A
To deliver its initial malware, the attacker might choose to embed malicious code within seemingly innocuous PDF or Word files, or within an email
message.
upvoted 3 times

  kewokil120 1 year, 2 months ago


Selected Answer: A
A is correct
upvoted 2 times

  Flixis 1 year, 2 months ago


Delivery, IF the question were worded: At which stage of the Cyber-Attack Lifecycle would the attacker send an email with an infected PDF file
attached? Attaching an infected PDF file to an email happens @ Weaponization. PCNSA Study guide "All Weaponization activity occurs on
machines away from the target." Sending the email would be at the Delivery phase.
upvoted 2 times

  Luongchacha1 1 year, 4 months ago


I think this question is missing an answer.
upvoted 4 times

  error_909 1 year, 4 months ago


Selected Answer: A
Answer A is Correct
upvoted 1 times

  AG15808 1 year, 6 months ago


Answer is "A". This answer comes right out of the PCNSA Study guide Aug 2020, pg 31.
upvoted 4 times


  yub16 1 year, 7 months ago


D is correct
THERE IS NO "DELIVERY" STATE IN PALOALTO :
https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle

"Exploitation: In this stage, attackers deploy an exploit against a vulnerable application or system, typically using an exploit kit or weaponized
document. This allows the attack to gain an initial entry point into the organization."
upvoted 1 times

  Grandslam 1 year, 6 months ago


Answer A:
PALO ALTO NETWORKS: PCNSA Study Guide 26:
Delivery: This stage marks the transition from the attacker working outside of an organization’s network to working within an organization’s
network. Malware delivered during this stage is designed to exploit existing software vulnerabilities. To deliver its initial malware, the attacker
might choose to embed malicious code within seemingly innocuous PDF or Word files, or within an email message. For highly targeted attacks,
an attacker might craft a deliverable related to the specific interests of an individual that might entice the individual into accessing a malicious
website or opening an infected email message
upvoted 2 times

  Grandslam 1 year, 6 months ago


The question is about delivery. Exploitation is when the PDF is already INSIDE. Delivery is the transition from Inside to Outside.
upvoted 1 times

  Alizadeh 1 year, 10 months ago


A correct
upvoted 2 times

  Windows98 1 year, 11 months ago


A - Delivery. This from the study guide:

Delivery: This stage marks the transition from the attacker working outside of an organization’s network to working within an organization’s
network. Malware delivered during this stage is designed to exploit existing software vulnerabilities. To deliver its initial malware, the attacker might
choose to embed malicious code within seemingly innocuous PDF or Word files, or within an email message.
upvoted 3 times


Question #27 Topic 1

Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the User-ID agent

A. 2-3-4-1

B. 1-4-3-2

C. 3-1-2-4

D. 1-3-2-4

Correct Answer: D

Community vote distribution


D (100%)

  rebet Highly Voted  3 years, 6 months ago


1-3-2-4

From the existing option 1-3-2-4 is correct. 1-2-3-4 would be correct as well, as there is no difference what you do first, add servers to be
monitored, or define a user account
upvoted 8 times

  ahfed Most Recent  1 year ago


Selected Answer: D
since you are working on two different devices here creation of the account on the domain controller can be done before or after the FW config
commit, but I would go with 1324
upvoted 2 times

  javim 1 year, 1 month ago


The correct answer is 1-2-3-4. There isn't here.
upvoted 1 times

  Jako2252 3 years, 6 months ago


correct order in this case is: 1 2 3 4
upvoted 4 times

  frodo1791 3 years, 6 months ago


I guess the correct order is 1324, because first you create the account, then you add the account in the firewall, then you add the servers you
want to monitor and finally you apply the changes.
upvoted 4 times


Question #28 Topic 1

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services "Application defaults", and action = Allow

A. Destination IP: 192.168.1.123/24

B. Application = "Telnet"

C. Log Forwarding

D. USER-ID = "Allow users in Trusted"

Correct Answer: B

Community vote distribution


B (100%)

  cutemomo 4 months, 3 weeks ago


Selected Answer: B
B is correct.
upvoted 2 times

  manami 5 months, 2 weeks ago


D. USER-ID = "Allow users in Trusted"
upvoted 1 times


Question #29 Topic 1

Based on the security policy rules shown, ssh will be allowed on which port?

A. 80

B. 53

C. 22

D. 23

Correct Answer: C

Community vote distribution


C (100%)

  Guardion94 5 months, 1 week ago


Selected Answer: C
C is correct, because the security rule says "Application default" and the default port is "22"
upvoted 1 times

  PLO 11 months ago


Selected Answer: C
Good old 22
upvoted 1 times

  Cyril_the_Squirl 1 year, 9 months ago


Application-defaults.
upvoted 3 times

  poppop 1 year, 4 months ago


your answer not in choices :D
upvoted 2 times


Question #30 Topic 1

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

A. Threat Prevention

B. WildFire

C. Antivirus

D. URL Filtering

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/install-content-and-software-updates.html

Community vote distribution


A (100%)

  PLO 11 months ago


Selected Answer: A
Not Wildfire and not URL Filtering. Definitely not AV. Has to be Threat Prevention.
upvoted 2 times

  vvss 2 years, 1 month ago


https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/subscriptions/all-subscriptions.html#idcaa6fc0b-3d53-4870-884d-a00d474bf98e
upvoted 4 times


Question #31 Topic 1

An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image
shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?

A. branch office traffic

B. north-south traffic

C. perimeter traffic

D. east-west traffic

Correct Answer: D

Community vote distribution


D (100%)

  mr_flubber 2 months, 3 weeks ago


Selected Answer: D
Internal, not going to/from the internet = East-West
upvoted 1 times

  PLO 11 months ago


Selected Answer: D
Left-to-right. Internal. D
upvoted 1 times

  LordScorpius 1 year, 3 months ago


It's like looking at a Map. N is up. S is down. With networks that would be upstream (North) and downstream (South). Then there is peer or LAN or
WAN-to-WAN (East to West)
upvoted 1 times

  olexx 1 year, 4 months ago


The question is not about zone names, it's about traffic directions!
The arrows at the bottom of the image (from left to right & from right to left ) are called east-west traffic;
Same thing for the ones on the right edge of the image (up to down & down to up) are called north-south traffic.
upvoted 2 times

  mfhashmi 1 year, 5 months ago


I am unable to find where is east west zone
upvoted 1 times

  Bobyly 1 year, 5 months ago


I can't see where is east-west zone?
upvoted 1 times


Question #32 Topic 1

Given the topology, which zone type should zone A and zone B be configured with?

A. Layer3

B. Tap

C. Layer2

D. Virtual Wire

Correct Answer: A

Community vote distribution


A (100%)

  KTruong Highly Voted  2 years, 7 months ago


Using IP address is layer 3. Mac address is layer 2.
upvoted 6 times

  PLO Most Recent  11 months ago


Selected Answer: A
Layer 3. IP address and Virtual Router dead giveaway
upvoted 1 times

  Jheax 1 year, 5 months ago


The key here is the virtual router in the middle. This means that the subnets on the sides are different. So the answer for me is Layer3.
upvoted 2 times


Question #33 Topic 1

To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?

A. domain controller

B. TACACS+

C. LDAP

D. RADIUS

Correct Answer: C

Community vote distribution


C (100%)

  PLO 11 months ago


Selected Answer: C
LDAP is needed for AD for Authentication
upvoted 3 times

  mfhashmi 1 year, 4 months ago


Based on PCNSA Study Guide page 105 the correct answer is LDAP.
upvoted 3 times

  Oteslar 8 months, 3 weeks ago


The LDAP on page 105 is used as an example; in fact we can use TACACS, RADIUS and LDAP as profile authentication.
upvoted 1 times

  halifax 3 months ago


The question didn't make it obvious, but it is asking (indirectly) which protocol is supported in active directory to do the authentication. And
the answer is Kerberos and Lightweight Directory Access Protocol (LDAP). Since Kerberos is not in the option the answer is LDAP.
upvoted 1 times


Question #34 Topic 1

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

A. Layer 2

B. Tap

C. Layer 3

D. Virtual Wire

Correct Answer: B

Community vote distribution


B (100%)

  PLO 11 months ago


Selected Answer: B
TAP is used for monitoring only.
upvoted 1 times

  LordScorpius 1 year, 4 months ago


If you are thinking "Cisco", the word is "SPAN". With Open Systems, it's "mirror". In Palo's world, it's "TAP". Same thing, all around.
SPAN=MIRROR=TAP. All only monitor.
upvoted 2 times

  mfhashmi 1 year, 4 months ago


TAP is correct answer based on PALO ALTO NETWORKS: PCNSA Study Guide p 73
upvoted 1 times

  yurakoresh 1 year, 5 months ago


B is the correct answer
upvoted 1 times

Question #35 Topic 1

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator
account?

A. Root

B. Dynamic

C. Role-based

D. Superuser

Correct Answer: C

Community vote distribution


C (100%)

  LordScorpius 1 year, 3 months ago


There is only an answer because of the poverty of the answers provided. That's sad. C is the answer because it is dynamic AND role-based and the
answer can't be one without the other.
upvoted 1 times

  dawlims 1 year, 7 months ago


Selected Answer: C
PCNSA Study Guide page 103.
upvoted 4 times


Question #36 Topic 1

Which administrator type utilizes predefined roles for a local administrator account?

A. Superuser

B. Role-based

C. Dynamic

D. Device administrator

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/get-started-with-the-cli/give-administrators-access-to-the-cli/administrative-privileges?PageSpeed=noscript

Community vote distribution


C (100%)

  kewokil120 1 year, 2 months ago


Selected Answer: C
C is correct
upvoted 3 times

  mfhashmi 1 year, 4 months ago


https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types.html#id8b324bf1-eac8-40e1-82d5-6f82ff761fa9
upvoted 2 times

  ToadRobertson2 1 year, 8 months ago


Dynamic refers to how when the firewall is updated with new features, new screens etc, the privileges are automatically updated. With role based
profiles, when a new feature is added the administrator must go into the profile and manually update it to include the new feature.
upvoted 2 times

  Cyril_the_Squirl 1 year, 9 months ago


C is Correct.
In Palo Alto there are only 2 Admin types. Admin can be created as either DYNAMIC or Role-based, role-based means you decide what privileges
your admin will have so it's custom.

Dynamic includes predefined admin profiles such as Superuser + Superuser(RO), VirtSys + VirtSys(RO), etc
upvoted 2 times

  Kane002 1 year, 9 months ago


Let's take a minute to appreciate this question's implicit lambasting of PA's naming conventions.
upvoted 4 times

  PANW 3 years, 2 months ago


https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types
upvoted 2 times


Question #37 Topic 1

Which two security profile types can be attached to a security policy? (Choose two.)

A. antivirus

B. DDoS protection

C. threat

D. vulnerability

Correct Answer: AD
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/security-profiles

Community vote distribution


AD (100%)

  webmanau Highly Voted  2 years, 3 months ago


A and D. Threat is just the superset and DDos cannot be applied to a security rule. That needs a DDoS Protection rule
upvoted 12 times

  ZZL Highly Voted  1 year, 9 months ago


Under Policy -> Action -> Profile Setting, you can see the below options:
Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File blocking, Data Filtering and Wildfire Analysis.
upvoted 6 times

  dawlims Most Recent  1 year, 6 months ago


Selected Answer: AD
Should be A & D. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html
upvoted 2 times

  AJH 2 years, 5 months ago


A and B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 2 times

  Cyril_the_Squirl 1 year, 9 months ago


B is wrong, only relevant to Zones and hosts.
upvoted 1 times

  aoshy 2 years, 10 months ago


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 1 times

  Channange 2 years, 10 months ago


https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/security-profiles
upvoted 1 times


Question #38 Topic 1

The CFO found a USB drive in the parking lot and decided to plug it into their corporate laptop. The USB drive had malware on it that loaded onto
their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin exfiltrating data from
the laptop.
Which security profile feature could have been used to prevent the communication with the CnC server?

A. Create an anti-spyware profile and enable DNS Sinkhole

B. Create an antivirus profile and enable DNS Sinkhole

C. Create a URL filtering profile and block the DNS Sinkhole category

D. Create a security policy and enable DNS Sinkhole

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile

Community vote distribution


A (100%)

  Oteslar 8 months, 3 weeks ago


A is correct
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: A
A is correct
upvoted 2 times

  javim 1 year, 4 months ago


Yes, the correct answer is A. DNS Sinkhole is not a Category of URL Filtering.
upvoted 1 times

  Jheax 1 year, 5 months ago


DNS sinkhole can only be configured on the antispyware security profile. Answer is A.
upvoted 3 times

  rodobrian 3 years, 2 months ago


Because they mention 'known C2 server' I think that URL filtering & DNS sinkhole is also a legitimate answer here. Known URLs that are associated
with C2 are blocked via Pan-DB
upvoted 3 times

  PANW 3 years, 2 months ago


Answer C is saying block DNS Sinkhole which is incorrect
The answer is A
upvoted 11 times


Question #39 Topic 1

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

A. Active Directory monitoring

B. Windows session monitoring

C. Windows client probing

D. domain controller monitoring

Correct Answer: A

Community vote distribution


D (83%) A (17%)

  LordScorpius Highly Voted  1 year, 3 months ago


Selected Answer: D
"A" sounds so correct until you sit back and think, "Active Directory" isn't a thing on a LAN or WAN. It's an LDAP running on multiple domain
controllers. "Monitor AD" isn't really a thing. Monitor Domain Controllers is.
upvoted 6 times

  DC787 Highly Voted  2 years, 7 months ago


D
To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to
map. You might need to install multiple User-ID agents to efficiently monitor all of your resources.
upvoted 5 times

  mr_flubber Most Recent  2 months, 3 weeks ago


It's just a badly formulated question with questionable answers.
upvoted 2 times

  BMRobertson 5 months, 2 weeks ago


I'm thinking D for two reasons: 1. You don't find the phrase "Active Directory Monitoring" anywhere in the documentation (I stand to be corrected);
and 2. domain controller monitoring fits with EDU 110 (https://www.routeprotocol.com/palo-altro-edu-110-user-id/). But honestly...this is a stupid
question that should have had "Server Monitoring" as the straight answer. I guess the implicit thought is that a domain controller is a server so in a
weird way domain controller monitoring = server monitoring.
upvoted 1 times

  seb_berlin 6 months, 2 weeks ago


Selected Answer: A
Path:
Device/User Identification/Server Monitoring
and then as type: Microsoft Active Directory
So answer A seems correct to me.
upvoted 2 times

  BMRobertson 5 months, 2 weeks ago


IDK, take a look at this link: https://www.routeprotocol.com/palo-altro-edu-110-user-id/ ... My question is, why don't we find Active Directory
Monitoring at all in the study guide? I do find this: In terms of Domain Controllers User-ID, "When a user logs into their laptop, which is an Active
Directory member, the AD domain controller logs a logon event with the username and IP address of the station." Again, not sure, but you won't
find "AD monitoring" as a term/phrase anywhere (at least that I've found). For that reason I'd go with D.
upvoted 1 times

  KirinKev 6 months, 2 weeks ago


Selected Answer: D
I think D is the most accurate, according to this:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring#id89aad143-05b8-4805-8e7c-b123994edd30
upvoted 1 times

  daytonadave2011 6 months, 4 weeks ago


None of these answers are correct. The answer you're looking for is "Server Monitoring".
upvoted 2 times

  nuWat 9 months, 1 week ago


I think the correct answer should be "Server Monitoring"
upvoted 1 times

  Hargert 1 year ago


Selected Answer: D
D is correct you monitor domain controllers
upvoted 1 times

  Sandman77 1 year, 1 month ago


Selected Answer: D
D is correct
upvoted 2 times

  ryel92 1 year, 7 months ago


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring.html#id89aad143-05b8-4805-8e7c-b123994edd30
upvoted 1 times

  Cyril_the_Squirl 1 year, 9 months ago


A is correct.
In an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server
access (if configured), and file and print service connections. For these events to be recorded in the security log, the AD domain must be
configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server
monitoring for all servers to capture all user login events.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring.html#id89aad143-05b8-4805-8e7c-b123994edd30
upvoted 3 times

  vvss 1 year, 11 months ago


D:
"...To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to
map. You might need to install multiple User-ID agents to efficiently monitor all of your resources."
upvoted 3 times

  aoshy 2 years, 10 months ago


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/install-the-windows-based-user-id-agent
upvoted 1 times

Question #40 Topic 1

Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.)

A. Security policy rules are attached to Security Profiles.

B. Security Profiles are attached to Security policy rules.

C. Security Profiles should be used only on allowed traffic.

D. Security policy rules inspect but do not block traffic.

E. Security policy rules can block or allow traffic.

Correct Answer: ABC

Community vote distribution


BCE (100%)

  Lyubo Highly Voted  2 years, 3 months ago


B, C, and E seem to be correct answers.
upvoted 19 times

  ramasamymuthiah Highly Voted  2 years, 3 months ago


Correct Answer is B, C & E
upvoted 9 times

  Sanjug2022 Most Recent  3 weeks, 6 days ago


Correct B,C,E
upvoted 1 times

  mr_flubber 2 months, 3 weeks ago


Selected Answer: BCE
A and B contradict anyway
upvoted 1 times

  3osuwa 4 months, 2 weeks ago


Selected Answer: BCE
by process of elimination, A and D are obviously wrong.
upvoted 2 times

  daytonadave2011 6 months, 4 weeks ago


Selected Answer: BCE
B, C, and E are the correct answers.
upvoted 2 times

  Mang_One 9 months ago


BCE seems to be the right answer
upvoted 1 times

  SamWBish 10 months, 1 week ago


Selected Answer: BCE
B,C,E.
A contradicts with B, correct?
upvoted 1 times

  Freakezoid 11 months, 2 weeks ago


Selected Answer: BCE
Correct answer: B,C,E
upvoted 2 times

  elbi05 1 year, 1 month ago


Selected Answer: BCE
B. Security profiles are the ones attached to Sec policy rules not the other way around.
C. It doesn't make sense if you have a security profile on a denied traffic by the Security policy rule
E. Security policy rules can block and allow traffic
upvoted 2 times

  Alessandr0 1 year, 1 month ago

B, C and D. If the question says Security policy and Security profile (meaning together), the security policy cannot block; it must always allow in order to
inspect the traffic and let the Security profile work
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: BCE
B, C, and E seem to be correct answers.
upvoted 1 times

  cabra 1 year, 2 months ago


Selected Answer: BCE
Correct Answer is B, C & E
upvoted 1 times

  JustinoFigueiredo 1 year, 2 months ago


Selected Answer: BCE
B, C, and E seem to be correct answers
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: BCE
"A" is plain and simply backwards and incorrect.
upvoted 1 times

  zeebo340 1 year, 4 months ago


Answer is: B>C>E
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: BCE
B, C, and E seem to be correct answers.
upvoted 1 times

Question #41 Topic 1

Given the image, which two options are true about the Security policy rules? (Choose two.)

A. The Allow-Office-Programs rule is using an Application Filter.

B. In the Allow-FTP policy, FTP is allowed using App-ID.

C. The Allow-Office-Programs rule is using an Application Group.

D. The Allow-Social-Media rule allows all of Facebook's functions.

Correct Answer: BC

Community vote distribution


AD (100%)

  CHICCONUMBER1 Highly Voted  10 months, 3 weeks ago


Correct answer is A and D.
The Allow-Office-Programs rule is indeed using an Application Filter, as seen on the Application icon.
The Allow-Social-Media rule allows all of Facebook's functions, as the Facebook App-ID is the parent App-ID.

B and C are incorrect.

FTP is allowed using a service, not App-ID.
The Allow-Office-Programs rule is using an Application Filter, not an Application Group.
upvoted 11 times

  Grace_Shu Most Recent  1 month, 3 weeks ago


Answer is C and D.
upvoted 1 times

  seb_berlin 6 months, 2 weeks ago


The answers are crap!
Of course A and D!
upvoted 1 times

  Barakath 6 months, 2 weeks ago


Correct Answer A and D 100%
upvoted 1 times

  daytonadave2011 6 months, 4 weeks ago


Selected Answer: AD
Correct Answer is A and D.
upvoted 1 times

  Mouna_cert 7 months, 2 weeks ago


A and D
upvoted 2 times

  PunkSp 7 months, 3 weeks ago


Selected Answer: AD
Correct answer is A and D.
The Allow-Office-Programs rule is indeed using an Application Filter, as seen on the Application icon.
The Allow-Social-Media rule allows all of Facebook's functions, as the Facebook App-ID is the parent App-ID.

B and C are incorrect.

FTP is allowed using a service, not App-ID.
The Allow-Office-Programs rule is using an Application Filter, not an Application Group.
upvoted 2 times

  Najmmm 9 months ago


Selected Answer: AD

The correct answer is AD
upvoted 1 times

  Mang_One 9 months ago
Correct answer is A and D
upvoted 1 times

  TheMaster01 10 months ago


Selected Answer: AD
FTP is allowed using a service, not App-ID.
The Allow-Office-Programs rule is using an Application Filter, not an Application Group.
upvoted 2 times

Question #42 Topic 1

Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the
Outside zone?

A. global

B. intrazone

C. interzone

D. universal

Correct Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

Community vote distribution


D (100%)

  PLO 11 months ago


Selected Answer: D
Universal. Don’t confuse with global.
upvoted 2 times

  Jheax 1 year, 5 months ago


In a security policy, only the "universal" type will work with intra and interzone traffic.
upvoted 1 times

  lessimos 1 year, 8 months ago


https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide-latest.pdf

Page 101
upvoted 1 times

  Bubu3k 1 year, 4 months ago


page 123 in the newer version
upvoted 2 times

Question #43 Topic 1

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet
gateways?

A. GlobalProtect

B. AutoFocus

C. Aperture

D. Panorama

Correct Answer: A

Community vote distribution


A (100%)

  PLO 11 months ago


Selected Answer: A
GP is for mobile/VPN use
upvoted 1 times

  piper_james_cannoli 1 year, 4 months ago


Answer is GlobalProtect
PCNSA 2021 page 14: GlobalProtect: GlobalProtect safeguards your mobile workforce by inspecting all traffic using your next-generation firewalls
deployed as internet gateways, whether at the perimeter, in the Demilitarized Zone (DMZ), or in the cloud.
upvoted 1 times

  evazquez 1 year, 6 months ago


It is now Prisma Access.
upvoted 3 times

Question #44 Topic 1

Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)

A. Path monitoring does not determine if route is useable.

B. Route with highest metric is actively used.

C. Path monitoring determines if route is useable.

D. Route with lowest metric is actively used.

Correct Answer: CD

Community vote distribution


CD (100%)

  dawlims 1 year, 7 months ago


Selected Answer: CD
C and D is correct; PCNSA Study Guide Page 96 and 97
upvoted 4 times

Question #45 Topic 1

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine.

A. Exploitation

B. Installation

C. Reconnaissance

D. Act on Objective

Correct Answer: A

Community vote distribution


A (100%)

  ada07 Highly Voted  2 years, 2 months ago


correct
upvoted 7 times

  blahblah1234567890000 Most Recent  6 months ago


Selected Answer: A
Answer is A as per the study guide.
upvoted 1 times

  Letrange 8 months, 3 weeks ago


I think the answer is B. An exploit is not malicious, but allows the attacker to get access to a system and then run malicious code. The definition of
the installation stage is "Installation: Once they’ve established an initial foothold, attackers will install malware in order to conduct further
operations, such as maintaining access, persistence and escalating privileges."
upvoted 3 times

  blahblah1234567890000 6 months ago


It is actually A, installation from your definition "is after an initial foothold", running exploits occurs before gaining a foothold in the network.
upvoted 1 times

  dawlims 1 year, 6 months ago


Selected Answer: A
A is correct. https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle
upvoted 4 times

Question #46 Topic 1

Which file is used to save the running configuration with a Palo Alto Networks firewall?

A. running-config.xml

B. run-config.xml

C. running-configuration.xml

D. run-configuration.xml

Correct Answer: A

Community vote distribution


A (100%)

  Cyril_the_Squirl Highly Voted  1 year, 9 months ago


A is Correct
upvoted 6 times

  PLO Most Recent  11 months ago


Selected Answer: A
Everyone in the field calls it running config. It’s a universal term and PA implemented that.
upvoted 4 times

  aoshy 2 years, 10 months ago


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations
upvoted 3 times

Question #47 Topic 1

In the example security policy shown, which two websites would be blocked? (Choose two.)

A. LinkedIn

B. Facebook

C. YouTube

D. Amazon

Correct Answer: AB

Community vote distribution


AB (100%)

  Dahem Highly Voted  1 year, 9 months ago


AB is true.
upvoted 9 times

  hugodiaz Most Recent  4 months, 3 weeks ago


Selected Answer: AB
AB TRUE
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: AB
A & B are correct; this question is in the Palo Alto PCNSA official practice questions. Besides that, YouTube is streaming and Amazon is shopping.
upvoted 3 times

  Jheax 1 year, 5 months ago


Selected Answer: AB
YouTube is streaming and Amazon is shopping. Facebook and LinkedIn are social networks.
upvoted 4 times

Question #48 Topic 1

Which Palo Alto Networks component provides consolidated policy creation and centralized management?

A. GlobalProtect

B. Panorama

C. Prisma SaaS

D. AutoFocus

Correct Answer: B
Reference:
https://www.paloaltonetworks.com/resources/datasheets/panorama-centralized-management-datasheet

Community vote distribution


B (100%)

  PLO 11 months ago


Selected Answer: B
PANorama
upvoted 1 times

  Jheax 1 year, 5 months ago


The answer is Panorama.
upvoted 3 times

Question #49 Topic 1

Which statement is true regarding a Prevention Posture Assessment?

A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture,
and other categories

B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C. It provides a percentage of adoption for each assessment area

D. It performs over 200 security checks on Panorama/firewall for the assessment

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

Community vote distribution


B (100%)

  Emanc21 Highly Voted  1 year, 8 months ago


Selected Answer: B
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

"Prevention Posture Assessment (PPA)—The PPA is a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture. The PPA not only helps to identify all security risks, it also provides detailed suggestions on how to prevent the
risks and close the gaps. The assessment, guided by an experienced Palo Alto Networks sales engineer, helps determine the areas of greatest risk
where you should focus prevention activities. You can run the PPA on firewalls and on Panorama."
upvoted 5 times

  MEDO162 Most Recent  1 month, 3 weeks ago


Selected Answer: B
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
upvoted 1 times

  Kalender 1 year, 3 months ago


I think that the correct answer should be 'C'... 'adoption' is the key word.
'The Heatmap analyzes a Palo Alto Networks deployment, measuring the adoption rate of features and capabilities across a targeted network
infrastructure.' Study guide Page:171
'The Heatmap measures the adoption rate of the following features. The results display the adoption rate based on source zone to destination
zone.' Study guide Page:171
upvoted 1 times

  Micutzu 2 years, 2 months ago


Correct answer is B.
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
upvoted 1 times

  ramasamymuthiah 2 years, 3 months ago


Correct answer is B
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools#:~:text=Prevention%20Posture%20Assessment%20(PPA),risks%20and%20close%20the%20gaps.
upvoted 3 times

  ColonelPanic 2 years, 10 months ago


It'd help if the reference material was actually up to date
upvoted 2 times

  Jaz1981 2 years, 10 months ago


The keyword to identify could be "prevention" which is in option B & relates to PPA.
upvoted 2 times

  Jaz1981 2 years, 10 months ago


I think that "B" should be correct as other 3 options are features of BPA.
upvoted 2 times

  Peter_T 2 years, 11 months ago


B is correct, because the other 3 choices are describing the BPA (Best Practice Assessment), and the question is asking about PPA (Prevention
Posture Assessment)
upvoted 2 times

  pingilleyj 2 years, 11 months ago


B would be correct in this case. Page 171 of the latest Study Guide states that the BPA has over 200 checks.
upvoted 2 times

  sid_2020 2 years, 11 months ago


D is the correct answer
upvoted 2 times

Question #50 Topic 1

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

A. User identification

B. Filtration protection

C. Vulnerability protection

D. Antivirus

E. Application identification

F. Anti-spyware

Correct Answer: ACDEF

Community vote distribution


ACDEF (100%)

  PLO 11 months ago


Selected Answer: ACDEF
B is never mentioned. If you don’t recognize then it’s not the answer.
upvoted 1 times

  LordScorpius 1 year, 4 months ago


The Firewall... IS the "filtration protection"
upvoted 1 times

  Cyril_the_Squirl 1 year, 9 months ago


Correct.
upvoted 4 times

Question #51 Topic 1

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check
the number, but doesn't want to unblock the gambling URL category.
Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category?
(Choose two.)

A. Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to
allow.

B. Manually remove powerball.com from the gambling URL category.

C. Add *.powerball.com to the allow list

D. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Correct Answer: CD

Community vote distribution


CD (100%)

  regie Highly Voted  1 year, 6 months ago


Selected Answer: CD
C,D is the best answer here
upvoted 5 times

  nolox Most Recent  3 months, 2 weeks ago


Selected Answer: CD
Yes, C & D
upvoted 1 times

Question #52 Topic 1

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive
information?

A. Aperture

B. AutoFocus

C. Panorama

D. GlobalProtect

Correct Answer: A

Community vote distribution


A (100%)

  Mauradas Highly Voted  2 years, 1 month ago


Prisma Saas (correct answer)
upvoted 6 times

  aymanbenarfa Highly Voted  2 years, 4 months ago


Prisma SaaS (formerly Aperture)
upvoted 6 times

  Viga1991 Most Recent  4 months, 1 week ago


Selected Answer: A
Prisma Saas is the correct answer
upvoted 3 times

  kewokil120 1 year, 2 months ago


Selected Answer: A
Prisma SaaS (formerly Aperture)
upvoted 3 times

  amadeu 2 years, 4 months ago


Prisma Saas -- line A is the correct answer.
upvoted 4 times

Question #53 Topic 1

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to
contact a command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?

A. antivirus profile applied to outbound security policies

B. data filtering profile applied to inbound security policies

C. data filtering profile applied to outbound security policies

D. vulnerability profile applied to inbound security policies

Correct Answer: C

Community vote distribution


A (90%) 10%

  bobby14 Highly Voted  2 years, 1 month ago


Correct answer is A; only AV, URL filtering, WildFire & Anti-Spyware can block C2. Data filtering is DLP (data loss prevention), so wrong answer.
upvoted 13 times

  colintkn 2 years ago


agreed A is the answer
upvoted 1 times

  fatehz 2 years ago


totally agree
upvoted 1 times

  Merlin0o Most Recent  6 months, 3 weeks ago


Selected Answer: A
Should be A
upvoted 1 times

  Mouna_cert 7 months, 2 weeks ago


answer A :

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/dynamic-content-updates#:~:text=Antivirus%20updates%20are%20released%20every,ll%20need%20a%20WildFire%20subscription.
upvoted 1 times

  DDisGR8 11 months, 1 week ago


Selected Answer: A
A is the correct option
upvoted 2 times

  AHMEDEMAM 12 months ago


Which administrator receives a global notification for a new malware that infects hosts. The infection will result
in the infected host attempting to contact and command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall's signature database has
been updated?
upvoted 1 times

  AHMEDEMAM 12 months ago


I think the correct answer is absent.
The correct answer is "Spyware profile applied to outbound security policies".
Not AV or sure Data Filtering.
But the AV profile may be near to the right one.
upvoted 3 times

  delorean 1 year ago


Selected Answer: C
The best answer is C. Data filtering can be used for blocking uploads that match file and data pattern upload. It is explained in the PCNSA Study Guide
at page 27.
upvoted 1 times

  Hargert 1 year ago


Selected Answer: A

The correct answer is A.
upvoted 1 times

  kewokil120 1 year, 2 months ago
Selected Answer: A
A is correct
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: A
"data filtering" cannot be correct. URL filtering would be however, it ain't no where's to be seen.
upvoted 1 times

  Luongchacha1 1 year, 4 months ago


Best answer is C, read PCNSA Study Guide at page 27.
Because the Antivirus Profile can prevent downloading spyware from the internet (inbound traffic).
In this question, the user has been infected. Now the malware establishes a connection with the C2 server and leaks the client's data to the outside (outbound).
You can use Data Filter to prevent exfiltration.
Also use Anti-spam profile but that's not listed in this question.
upvoted 4 times

  LordScorpius 1 year, 4 months ago


That's not what the question reads.
upvoted 1 times

  Grandslam 1 year, 6 months ago


Selected Answer: A
Palo Alto Networks Certified Network Security Administrator Study Guide
page 61

Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and
automatically generated command-and-control (C2) signatures. WildFire signatures detect malware seen first by firewalls from around the world.
You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
upvoted 3 times

  bariloch1 1 year, 8 months ago


Only A
upvoted 1 times

  Kane002 1 year, 9 months ago


A. C is technically possible, but it's talking about updating signature databases, the answer is clearly hinting at the AV profile.
upvoted 2 times

  Whiskey20 1 year, 11 months ago


but you can block outbound C2 communications with traffic that matches file and data patterns with a Data filtering profile. Study Guide (July 2021
page 37) Actions on the Objective.
upvoted 2 times

  deezy0804 1 year, 10 months ago


while this is true, the question is only asking which one will inherently prevent C2. You have to manually configure a solution in the case of
answer C. Answer A will protect against this communication as the signature is updated.
upvoted 2 times

Question #54 Topic 1

Which update option is not available to administrators?

A. New Spyware Notifications

B. New URLs

C. New Application Signatures

D. New Malicious Domains

E. New Antivirus Signatures

Correct Answer: B

Community vote distribution


B (100%)

  OhEmGee 5 months, 3 weeks ago


Threat Prevention subscription takes care of everything except URLs. PA used to provide the option of updating the URL DB, but it's no longer available. Now
URL filtering works more like lookups.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/software-and-content-updates/dynamic-content-updates
So, the answer is certainly B.
upvoted 3 times

  error_909 1 year, 4 months ago


Selected Answer: B
All are correct except B.

Option A is done by configuring Wildfire to send an alert when something new is discovered
upvoted 1 times

  ToadRobertson2 1 year, 8 months ago


I believe this refers to when you go to Device and Dynamic Updates. You can't update the URL list from here as it automatically connects to PAN-
DB to check the URL before blocking or allowing. You can update AV and App-ID signatures from there. I don't think you can update malicious
domains from there, I can't remember from memory
upvoted 2 times

  Kane002 1 year, 9 months ago


Odd question, but I believe the answer is A. New URLs and domains can be updated via EDLs, new application signatures via content updates, new
AV signatures via a threat update, but no "Spyware notifications". The AS updates would be "spyware signatures", iirc.
upvoted 2 times

  Whiskey20 1 year, 11 months ago


Does anyone know what this is relating to?
upvoted 4 times

Question #55 Topic 1

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other
required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-
admin make?

A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE
to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH

B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-
address for application SSH

C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second
security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any
destination-IP-address

D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-
IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

Correct Answer: B

Community vote distribution


B (100%)

  manami 5 months, 1 week ago


Not a good question, because in the first words it mentions a user, not any, as the source user, but overall B is better than the other options!
upvoted 3 times

  PLO 11 months ago


Selected Answer: B
The others are already pre-defined in a way. SSH is already port 22
upvoted 2 times

  RahulGawale19 1 year ago


B is Correct
upvoted 1 times

Question #56 Topic 1

How often does WildFire release dynamic updates?

A. every 5 minutes

B. every 15 minutes

C. every 60 minutes

D. every 30 minutes

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-wildfire-updates

Community vote distribution


A (100%)

  OhEmGee 5 months, 3 weeks ago


From PANOS 10 and later, the updates are available in "real time".
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/dynamic-content-updates.
upvoted 1 times

  markeloff23 9 months, 1 week ago


WF check can be configured "real-time". Updates are released each 5 min. If you have this question and the options are: real-time, 1 minute, 5
minutes, 1 hour. I would choose "5 minutes"
upvoted 2 times

  yurakoresh 1 year ago


Selected Answer: A
WildFire Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire public cloud. WildFire
signature updates are made available every five minutes. You can set the firewall to check for new updates as frequently as every minute to ensure
that the firewall retrieves the latest WildFire signatures within a minute of availability. Without the WildFire subscription, you must wait at least 24
hours for the signatures to be provided in the Antivirus update.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/software-and-content-updates/dynamic-content-updates
upvoted 2 times

  vdsdrs 1 year, 7 months ago


Old question. Now real-time is possible.
upvoted 2 times

Question #57 Topic 1

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?

A. every 30 minutes

B. every 5 minutes

C. every 24 hours

D. every 1 minute

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-wildfire-updates

Community vote distribution


D (100%)

  ToadRobertson2 Highly Voted  1 year, 8 months ago


In 10.1 you can now select the option realtime as waiting a whole minute for an update is far too long apparently.
upvoted 8 times

  markeloff23 Most Recent  9 months, 1 week ago


WildFire check can be configured to "zero seconds", but WildFire updates are released every 5 minutes
upvoted 1 times

  LordScorpius 1 year, 4 months ago


As time goes on, WildFire is getting closer and closer to "zero seconds". Choose the answer closest to zero.
upvoted 2 times

  tamim56 1 year, 6 months ago


Selected Answer: D
pg 184
upvoted 2 times

Question #58 Topic 1

Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link
has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized.
Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

A. Windows-based agent on a domain controller

B. Captive Portal

C. Citrix terminal server agent with adequate data-plane resources

D. PAN-OS integrated agent

Correct Answer: A

Community vote distribution


A (100%)

  ericli87 3 months, 3 weeks ago


if A is "Windows-based User-ID agent on a standalone server", so maybe C is the better solution?
upvoted 1 times

  BeforeScope 6 months, 1 week ago


Selected Answer: A
With passive server monitoring, a User-ID agent (either a Windows-based or integrated User-ID agent) monitors the Security logs for user login or
logout events for the specified Microsoft domain controllers:
[Palo Alto Networks]
upvoted 1 times

  javim 1 year, 1 month ago


Selected Answer: A
I think A
In an infrastructure with remote networks separated by WAN links, the integrated agent is more appropriate for reading remote logs and the
Windows-based agent is more appropriate for reading local logs. However, use of the integrated agent is not without cost: It consumes more of
the firewall’s management plane resources. For this reason, deployment of the Windows agent at remote sites and having them forward the
relevant User-ID information to a firewall on a central network often is beneficial.
upvoted 1 times

  Cyril_the_Squirl 1 year, 9 months ago


A is Correct.

https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id-agent.html#id8f750af3-799f-4546-8b9e-a44a23b5b5c0
upvoted 1 times

  Rowdy_47 1 year, 10 months ago


Although the Windows-based agent and the PAN-OS integrated agent perform the same basic tasks, they use different underlying communication
protocols. This difference makes each agent more appropriate for different environments.

The Windows-based agent uses MS-RPC, which requires the full Windows Security logs to be sent to the agent, where they are filtered for the
relevant User-ID information.

The PAN-OS integrated agent uses either the Windows Management Instrumentation, or WMI, or the Windows Remote Management Protocol, or
WinRM, which enables the agent to retrieve only the User-ID information from the Windows Security logs.

The result is that, in an infrastructure with remote networks separated with WAN links, the integrated agent is more appropriate for reading remote
logs and the Windows-based agent is more appropriate for reading local logs. However, use of the integrated agent is not without cost: it
consumes more of the firewall’s management plane resources. For this reason, deployment of the Windows agent at remote sites and having them
forward the relevant User-ID information to a firewall on a central network often is beneficial.
upvoted 4 times


Question #59 Topic 1

DRAG DROP -
Arrange the correct order that the URL classifications are processed within the system.
Select and Place:

Correct Answer:

  khaled_ellaboudy 5 months ago


Answer is correct
upvoted 1 times

  Flixis 1 year, 2 months ago


My mnemonic (?) is "inside, outside". Block inside firewall, allow out the firewall, Cust URL in the firewall, ExternalDL outside, PAN-DB inside,
Download PAN-DB from outside.
upvoted 4 times

  LordScorpius 1 year, 3 months ago


Block first. Allowed next. Custom next. EDL (These first four are admin defined), then,
Already Downloaded PA and Cloud last.
upvoted 3 times

  Bubu3k 1 year, 4 months ago


Not sure on the cloud one, but it seems to be correct
https://live.paloaltonetworks.com/t5/general-topics/understanding-url-filtering-order-url-filtering-precedence/td-p/238682
upvoted 1 times


Question #60 Topic 1

What must you configure to enable the firewall to access multiple Authentication Profiles to authenticate a non-local account?

A. authentication sequence

B. LDAP server profile

C. authentication server list

D. authentication list profile

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/framemaker/pan-os/7-1/pan-os-admin.pdf page 144

Community vote distribution


A (100%)

  BeforeScope 6 months, 1 week ago


Selected Answer: A
If you have configured an authentication sequence, the firewall checks against each profile in sequence until one profile successfully authenticates
the user.
[Palo Alto Networks]
upvoted 2 times

  PLO 11 months ago


Selected Answer: A
Local should be put first in that sequence.
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Same with AAA, same with Switches and Routers. Answer = A
You need a 1,2,3 choice in a list.
upvoted 1 times

  piper_james_cannoli 1 year, 4 months ago


Answer=A
PCNSA 2021, page 107
Authentication Sequence Admin Roles for external administrator accounts can be assigned to an Authentication Sequence, which includes a
sequence of one or more Authentication Profiles that are processed in a specific order. The firewall checks against each Authentication Profile
within the Authentication Sequence until one Authentication Profile successfully authenticates the user.
upvoted 2 times


Question #61 Topic 1

Which Security Profile mitigates attacks based on packet count?

A. zone protection profile

B. URL filtering profile

C. antivirus profile

D. vulnerability profile

Correct Answer: A

Community vote distribution


A (100%)

  poseido 8 months, 2 weeks ago


Is DoS/zone protection stuff in the new PCNSA exam? I don't see this in the 2022 blueprint or the study guide
upvoted 1 times

  PLO 11 months ago


Selected Answer: A
DoS Zone Protection
upvoted 3 times

  LordScorpius 1 year, 4 months ago


Off the web: "DoS Protection adds another layer of defense against attacks on individual devices, which can succeed if the Zone Protection profile
thresholds are above the CPS rate of the attack on the device." Yes it is a vulnerability but, those are handled in this type by a Zone Profile on Palo.
upvoted 1 times

  mfhashmi 1 year, 4 months ago


Correct answer is A PALO ALTO NETWORKS: PCNSA Study Guide 159
upvoted 1 times

Question #62 Topic 1

Which interface type uses virtual routers and routing protocols?

A. Tap

B. Layer3

C. Virtual Wire

D. Layer2

Correct Answer: B

Community vote distribution


B (100%)

  PLO 11 months ago


Selected Answer: B
Routers are L3
upvoted 2 times


Question #63 Topic 1

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

A. Override

B. Allow

C. Block

D. Continue

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions

Community vote distribution


B (100%)

  hugodiaz 4 months, 3 weeks ago


Selected Answer: B
I wanted to update the url for the source of the answer:
https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/url-filtering-profiles

" allow: The website is allowed and no log entry is generated.


NOTE: Don’t set allow as the Action for categories of traffic you don’t block because you lose visibility into traffic you don’t log. Instead, set alert as
the Action for categories of traffic you don’t block to log and provide visibility into the traffic. "
upvoted 1 times

  Adilon 6 months ago


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: B
correct answer is B
"allow traffic destined for that URL category; allowed traffic is not logged."

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/configure-url-filtering.html
upvoted 2 times

  yub16 1 year, 7 months ago


correct answer is B
"allow traffic destined for that URL category; allowed traffic is not logged."

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/configure-url-filtering.html
upvoted 3 times

  ZZL 1 year, 8 months ago


It should be B - ALLOW.
If you read the below url, and it's clear only Allow will not generate any log.
upvoted 1 times

  Kane002 1 year, 9 months ago


I believe that both for Continue and Override a log entry is not generated unless the user persists to actually go to the website, nevertheless, Allow
is the best answer.
upvoted 1 times


Question #64 Topic 1

An internal host needs to connect through the firewall using source NAT to servers of the internet.
Which policy is required to enable source NAT on the firewall?

A. NAT policy with internal zone and internet zone specified

B. post-NAT policy with external source and any destination address

C. NAT policy with no internal or internet zone selected

D. pre-NAT policy with external source and any destination address

Correct Answer: A

Community vote distribution


A (100%)

  PLO 11 months ago


Selected Answer: A
INSIDE going to OUTSIDE
upvoted 1 times

  RahulGawale19 1 year ago


A is Correct
upvoted 1 times


Question #65 Topic 1

Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP
addresses?

A. DoS protection

B. URL filtering

C. packet buffering

D. anti-spyware

Correct Answer: A

Community vote distribution


A (100%)

  hugodiaz 4 months, 3 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles

DoS Protection profiles protect specific devices (classified profiles) and groups of devices (aggregate profiles) against SYN, UDP, ICMP, ICMPv6, and
Other IP flood attacks

DoS protection profiles and policy rules are granular and targeted, and can even be classified to a single device (IP address)
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: A
Zone Protection profile which provide DoS protection
upvoted 3 times

  mfhashmi 1 year, 4 months ago


Correct answer is A PALO ALTO NETWORKS: PCNSA Study Guide 169
upvoted 3 times


Question #66 Topic 1

Which path in PAN-OS 9.0 displays the list of port-based security policy rules?

A. Policies> Security> Rule Usage> No App Specified

B. Policies> Security> Rule Usage> Port only specified

C. Policies> Security> Rule Usage> Port-based Rules

D. Policies> Security> Rule Usage> Unused Apps

Correct Answer: C

Community vote distribution


A (100%)

  deepu Highly Voted  2 years, 5 months ago


All the options are wrong : the correct path is ::::::
Policies ---- Security -------- Policy Optimizer ------------ No Apps Specified
upvoted 22 times

  fenilp1 Highly Voted  2 years, 11 months ago


The answer should be A
upvoted 17 times

  sid_2020 2 years, 11 months ago


Yes, https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/security-policy-rule-optimization/migrate-port-based-to-app-id-based-security-policy-rules.html
upvoted 8 times

  SessoConPupoPazzo Most Recent  2 months, 4 weeks ago


Selected Answer: A
The answer should be A
upvoted 1 times

  hugodiaz 4 months, 3 weeks ago


There is a step missed on all of these answers: "Policy Optimizer" should be accessed before selecting "Rule Usage"

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules

You can filter Security policy rules to see all the port-based rules, which have no applications configured (Policies > Security > Policy Optimizer >
No App Specified).

You can also filter to see all the rules that have applications configured but traffic doesn’t hit all of the applications (Policies > Security > Policy
Optimizer > Unused Apps).
upvoted 2 times

  khaled_ellaboudy 5 months ago


Selected Answer: A
A. Policies> Security> Rule Usage> No App Specified
upvoted 1 times

  Abdod05 10 months, 2 weeks ago


PAN-OS 10
Policies> Security> Rule Usage> Rules Without App Controls
upvoted 4 times

  DDisGR8 11 months, 1 week ago


Selected Answer: A
A is the correct answer.
upvoted 1 times

  DDisGR8 11 months, 1 week ago


Selected Answer: A
A is the correct option
upvoted 1 times

  yurakoresh 1 year ago


Selected Answer: A
The correct answer should be "A" No App Specified
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/security-policy-rule-optimization/migrate-port-based-to-app-id-based-security-policy-rules
upvoted 2 times

  kewokil120 1 year, 2 months ago


Selected Answer: A
A is correct
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: A
There ain't no such thing as "port-based rules" in Palo Alto.
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: A
A. Policies> Security> Rule Usage> No App Specified
upvoted 1 times

  johnhue 1 year, 5 months ago


In PanOS 10 it should be: Policies ---- Security -------- Policy Optimizer ------------ Rules without App Controls

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/policies/policies-security/security-policy-rule-usage.html

No App Specified—Rules that have the application set to any, so you can identify port-based rules to convert to application-based rules.
upvoted 7 times

  regie 1 year, 6 months ago


Selected Answer: A
Agree, answer should be A.
upvoted 2 times

  ramasamymuthiah 2 years, 3 months ago


Correct answer is A
upvoted 3 times

  atifikhan 2 years, 6 months ago


Correct answer is A
upvoted 3 times


Question #67 Topic 1

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

A. Layer-ID

B. User-ID

C. QoS-ID

D. App-ID

Correct Answer: BD
Reference:
http://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single-pass-parallel-processing-hardware-architecture.html

Community vote distribution


BD (100%)

  Emanc21 1 year, 8 months ago


Selected Answer: BD
App-ID and User-ID is correct. PCNSA study guide p.28 - 1.2 Identify the components and operation of Single-Pass Parallel Processing architecture
upvoted 3 times

Question #68 Topic 1

Which path is used to save and load a configuration with a Palo Alto Networks firewall?

A. Device>Setup>Services

B. Device>Setup>Management

C. Device>Setup>Operations

D. Device>Setup>Interfaces

Correct Answer: C

Community vote distribution


C (100%)

  PLO 11 months ago


Selected Answer: C
That is an operation within firewall device
upvoted 1 times

  RahulGawale19 1 year ago


Device>Setup>Operations
upvoted 1 times


Question #69 Topic 1

DRAG DROP -
Match the network device with the correct User-ID technology.
Select and Place:

Correct Answer:

  khaled_ellaboudy 5 months ago


Answer is correct
upvoted 1 times

  RahulGawale19 1 year ago


Microsoft Exchange- Server Monitoring, Linux Authentication- Client Probing, Windows Clients- Syslog Monitoring, Citrix Client- Terminal Service
End
upvoted 1 times

  Mouna_cert 7 months, 2 weeks ago


agree
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-overview#id2cbce7b3-daa8-45bf-ad85-df3415a67dc6
upvoted 1 times

  blahblah1234567890000 6 months, 1 week ago


Your own link shows they are wrong lol
upvoted 1 times


  blahblah1234567890000 6 months, 1 week ago


Linux=syslog and windows clients=client probing
upvoted 5 times

Question #70 Topic 1

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application
signatures?

A. Review Policies

B. Review Apps

C. Pre-analyze

D. Review App Matches

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

Community vote distribution


A (100%)

  BeforeScope 6 months, 1 week ago


Selected Answer: A
After downloading and installing a new content release with new and updated application signatures, click Review Policies to review their policy
impact. During a policy review, application signatures are compared against policy rules in the candidate configuration.
[Palo Alto Networks]
upvoted 1 times

  PLO 11 months ago


Selected Answer: A
Review Policies is correct
upvoted 1 times

  RahulGawale19 1 year ago


Review Policies
upvoted 1 times


Question #71 Topic 1

How do you reset the hit count on a Security policy rule?

A. Select a Security policy rule, and then select Hit Count > Reset.

B. Reboot the data-plane.

C. First disable and then re-enable the rule.

D. Type the CLI command reset hitcount <POLICY-NAME>.

Correct Answer: A

Community vote distribution


A (100%)

  PLO 11 months ago


Selected Answer: A
Bottom of UI hit count > reset
upvoted 1 times

  RahulGawale19 1 year ago


Select a Security policy rule, and then select Hit Count > Reset.
upvoted 1 times


Question #72 Topic 1

Given the topology, which zone type should you configure for firewall interface E1/1?

A. Tap

B. Tunnel

C. Virtual Wire

D. Layer3

Correct Answer: A

Community vote distribution


A (100%)

  blackisok 2 months, 3 weeks ago


The correct question will be which interface type and not which zone type, but A is the best answer
upvoted 1 times

  PLO 11 months ago


Selected Answer: A
TAP is for monitoring
upvoted 2 times

  mfhashmi 1 year, 4 months ago


Correct answer is Tap (A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN port. ) PALO ALTO NETWORKS: PCNSA
Study Guide 73
upvoted 1 times


Question #73 Topic 1

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

A. Management

B. High Availability

C. Aggregate

D. Aggregation

Correct Answer: C

Community vote distribution


C (100%)

  Micutzu Highly Voted  2 years, 2 months ago


Correct answer is C.
Only AGGREGATE interface can belong to a zone.
upvoted 12 times

  error_909 Most Recent  1 year, 4 months ago


Selected Answer: C
MGT and HA interface cannot be assigned to zones
upvoted 4 times

  GOLdRoger 2 years, 4 months ago


The control plane of the HA should be Layer 3 I guess answer B is correct
upvoted 1 times

  Tandos 4 months, 1 week ago


You cannot put the HA and MGT interfaces into a zone
upvoted 1 times

  deezy0804 1 year, 10 months ago


you cannot put the HA or management interfaces into a zone.
upvoted 6 times


Question #74 Topic 1

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that
passes within the zones?

A. intrazone

B. interzone

C. universal

D. global

Correct Answer: B

Community vote distribution


B (78%) C (22%)

  JakaP 5 months ago


Selected Answer: B
Interzone
upvoted 1 times

  Adilon 6 months ago


Universal matches between inside and outside, then within inside and outside too, while interzone matches only between the inside and outside zones.
Answer is B
upvoted 2 times

  yinksho 8 months, 2 weeks ago


Selected Answer: B
B is correct answer. Interzone matches traffic btw outside and inside zone but does not match traffic within zone, while universal matches traffic btw
inside and outside and also within zones
upvoted 4 times

  ruben_castro81 9 months, 1 week ago


Interzone
upvoted 2 times

  nuWat 9 months, 1 week ago


Universal matches Interzone and Intrazone rules.
upvoted 1 times

  mushi4ka 10 months ago


Selected Answer: C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTHCA0
upvoted 2 times

  PLO 11 months ago


Selected Answer: B
INTERzone. Like leaving network to go to the INTERnet. Flying INTERnational
upvoted 2 times

  mfhashmi 1 year, 4 months ago


Correct answer is interzone (PALO ALTO NETWORKS: PCNSA Study Guide 123)
upvoted 1 times


Question #75 Topic 1

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same
URL then which choice would be the last to block access to the URL?

A. EDL in URL Filtering Profile

B. Custom URL category in URL Filtering Profile

C. Custom URL category in Security policy rule

D. PAN-DB URL category in URL Filtering Profile

Correct Answer: C

Community vote distribution


D (78%) B (22%)

  IxlJustinlxl Highly Voted  2 years, 7 months ago


Answer should be D, and here is why:
The precedence is from the top down; First Match Wins: 1) Block list: Manually entered blocked URLs Objects - 2) Allow list: Manually entered
allowed URLs Objects - 3) Custom URL Categories - 4) Cached Cached: URLs learned from External Dynamic Lists (EDLs) - 5) Pre-Defined
Categories: PAN-DB or Brightcloud categories.
upvoted 25 times

  webmanau 2 years, 3 months ago


Option C could block as well but would be the FIRST thing to block.
upvoted 2 times

  olexx 1 year, 3 months ago


Check out the wording of the question:
"....and each could be used to block access to a specific URL.....which choice would be the last to block access to the URL?"

ALL options will block the URLs, it's asking here about the order of blocking, which will be first or last to block, it's not asking IF those options
would block or not ;)
The answer is of course D
1- Block list
2- Allow list
3- Custom URL Cat.
4- EDLs
5- Downloaded PAN-DB Files
6- PAN-DB Cloud
upvoted 6 times

  baccalacca Most Recent  4 months, 3 weeks ago


The precedence is from the top down; First Match Wins:
1) Block list: Manually entered blocked URLs Objects
2) Allow list: Manually entered allowed URLs Objects -
3) Custom URL Categories -
4) Cached Cached: URLs learned from External Dynamic Lists (EDLs) -
5) Pre-Defined Categories: PAN-DB or Brightcloud categories.
upvoted 1 times

  hugodiaz 4 months, 3 weeks ago


Selected Answer: D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClyTCAS

The order in which the device checks for URL categories is as follows:

Block list
Allow list
Custom categories
Device cache
BrightCloud downloaded database
Cloud lookup (if enabled)
upvoted 1 times

  KirinKev 6 months, 2 weeks ago


Selected Answer: D
I think D is the most accurate according to this topic
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClyTCAS
upvoted 1 times


  yinksho 8 months, 2 weeks ago


Selected Answer: B
B is correct answer. Though the question is tricky, remember evaluation is done from top to bottom. Custom URL will be last after block and allow
list. Once the traffic matches the custom URL, it would not check others.
upvoted 1 times

  piipo 1 year ago


Selected Answer: D
PAN-DB is last
upvoted 1 times

  magicbr3 1 year, 1 month ago


Answer cannot be C because Profiles can only block or deny if a policy allows it. Answer is D
upvoted 1 times

  on2it 1 year, 1 month ago


Selected Answer: D
This is D, because PAN-DB is the last that will block
upvoted 1 times

  Sandman77 1 year, 2 months ago


Selected Answer: D
answer is D
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: D
PA-DB live is absolutely the last to block...
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: B
I would go with B.
upvoted 1 times

  error_909 1 year, 4 months ago


https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/pan-db-categorization.html#idba222a98-c4e2-43a7-b493-ce6c46fbd76c
upvoted 1 times

  Luongchacha1 1 year, 4 months ago


D is incorrect answer, because the purpose is to block a specific url.
I think A is correct answer.
upvoted 1 times

  sahilyakup 2 years, 1 month ago


In earlier release versions, URL Filtering category overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to
PAN-OS 9.0, URL category overrides are converted to custom URL categories, and no longer receive priority enforcement over other custom URL
categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by
the security policy rule with the strictest URL Filtering profile action. From most strict to least strict, possible URL Filtering profile actions are: block,
override, continue, alert, and allow.
upvoted 1 times

  Micutzu 2 years, 2 months ago


In my opinion the correct answer is D. See also question 59.
upvoted 3 times

  debabani 2 years, 5 months ago


why not D? I think the correct answer should be D
upvoted 3 times

  atifikhan 2 years, 6 months ago


I think it is B
upvoted 2 times

  IxlJustinlxl 2 years, 7 months ago


Answer should be B, and here is why:
The precedence is from the top down; First Match Wins: 1) Block list: Manually entered blocked URLs Objects - 2) Allow list: Manually entered
allowed URLs Objects - 3) Custom URL Categories - 4) Cached Cached: URLs learned from External Dynamic Lists (EDLs) - 5) Pre-Defined
Categories: PAN-DB or Brightcloud categories.
If it matches all possible options then the last match would technically be the first match.
This cannot be C because it has to do with URL filtering and therefore would be part of a security profile not policy.
upvoted 1 times


Question #76 Topic 1

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?

A. north-south

B. inbound

C. outbound

D. east-west

Correct Answer: D

Community vote distribution


D (92%) 8%

  yurakoresh Highly Voted  1 year, 5 months ago


Selected Answer: D
It should be D. Zero-trust protects all traffic no matter the direction including east-west. But that's not the case with Perimeter-only where east-
west is not covered.
upvoted 8 times

  BeforeScope Most Recent  6 months, 1 week ago


Selected Answer: D
• Inspect perimeter traffic: Inbound traffic and Outbound traffic
• Also inspect internal traffic (east-west)
[Palo Alto Networks].
[Palo Alto Networks]
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: D
answer is D east/west
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: D
answer is D east/west
upvoted 1 times

  subzero2022 1 year, 5 months ago


Selected Answer: A
I believe it should be A
upvoted 1 times


Question #77 Topic 1

Which protocol is used to map usernames to user groups when User-ID is configured?

A. TACACS+

B. SAML

C. LDAP

D. RADIUS

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

Community vote distribution


C (100%)

  khaled_ellaboudy 5 months ago


Selected Answer: C
LDAP is the correct answer
upvoted 1 times

  mfhashmi 1 year, 4 months ago


Correct answer is LDAP (PALO ALTO NETWORKS: PCNSA Study Guide 200)
upvoted 3 times

  RahulGawale19 1 year ago


Correct
upvoted 1 times

Question #78 Topic 1

Which definition describes the guiding principle of the zero-trust architecture?

A. trust, but verify

B. always connect and verify

C. never trust, never connect

D. never trust, always verify

Correct Answer: D
Reference:
https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

Community vote distribution


D (100%)

  H3kerman 1 year, 8 months ago


Selected Answer: D
correct
upvoted 4 times


Question #79 Topic 1

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.
Complete the two empty fields in the Security policy rules that permits only this type of access.

Source Zone: Internal
Destination Zone: DMZ Zone
Application: _________?
Service: ____________?
Action: allow
(Choose two.)

A. Service = "application-default"

B. Service = "service-telnet"

C. Application = "Telnet"

D. Application = "any"

Correct Answer: AC

Community vote distribution


AC (100%)

  Jheax Highly Voted  1 year, 5 months ago


Selected Answer: AC
AC are correct
upvoted 6 times

  nolox Most Recent  3 months, 2 weeks ago


Selected Answer: AC
Agreed
upvoted 1 times

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 96/351
7/26/23, 9:42 AM PCNSA Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #80 Topic 1

In which profile should you configure the DNS Security feature?

A. Anti-Spyware Profile

B. Zone Protection Profile

C. Antivirus Profile

D. URL Filtering Profile

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security.html

Community vote distribution


A (100%)

  Jheax 1 year, 5 months ago


Answer is A
upvoted 1 times

  Grandslam 1 year, 6 months ago


Selected Answer: A
Palo Alto Networks Certified Network Security Administrator Study Guide Page 193:
To enable DNS security, domain queries using DNS security that are found to be threats are remediated with an Anti-Spyware Security Profile. Edit
an existing or open a new Anti-Spyware Profile using Objects > Security Profiles > Anti-Spyware.
upvoted 3 times


Question #81 Topic 1

Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0? (Choose two.)

A. It is automatically enabled and configured.

B. It eliminates the need for dynamic DNS updates.

C. It functions like PAN-DB and requires activation through the app portal.

D. It removes the 100K limit for DNS entries for the downloaded DNS updates.

Correct Answer: AB

Community vote distribution


BC (44%) BD (44%) 13%

  Cyril_the_Squirl Highly Voted  1 year, 9 months ago


C & D are Correct.

- https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812
---Deals with 100K limit

- https://docs.paloaltonetworks.com/threat-prevention
---Deals with DNS Security feature and how to buy and activate it.
upvoted 12 times

  drogadotcom Highly Voted  3 months, 2 weeks ago


Selected Answer: BC
According to PCNSA Study guide of PanOS 11 (Jan 2023 version) Page 96:
"Licenses are activated from the Palo Alto Networks Customer
Support Portal and must be active before DNS analysis can take place"
So, that excludes A and makes the second statement of C correct; also the first statement seems correct.

Concerning D, I think it is not correct. From https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security/cloud-delivered-dns-signatures
"Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a
hard-coded capacity limitation of 100k signatures"; this means that the limit for DNS downloaded from DNS updates is the same since it is hard-coded
even after its activation. In fact, as answer B says, it is a system that resolves the limitation by eliminating the need for dynamic DNS updates.
D would have been correct if they had substituted the word "removes" with "resolves".

  Skey Most Recent  6 days, 13 hours ago


Selected Answer: BC
BC, for the same reasons drogadotcom gave
upvoted 1 times

  KirinKev 6 months, 2 weeks ago


Selected Answer: BD
According to this:

https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security/cloud-delivered-dns-signatures
upvoted 1 times

  t_h_t_f 8 months, 3 weeks ago


Correct answer should be B & C

D is incorrect. The downloaded DNS updates still have the 100k limitation hardcoded; the new DNS security cloud service doesn't "remove" the 100K
limit for DNS entries for the downloaded DNS updates.

https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812
"New DNS protections are generated by using this C2 prevention service and is distributed by the cloud without the limitations of the
downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures. "

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures
"downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k
signatures"
upvoted 4 times

  markeloff23 9 months, 3 weeks ago


Selected Answer: BD
B D is answer
upvoted 1 times

  Toldo75 1 year ago


Selected Answer: CD
C&D are correct
upvoted 1 times

  UFanat 1 year, 1 month ago


Selected Answer: BD
B, D are correct
upvoted 1 times

  UFanat 1 year, 1 month ago


Selected Answer: BD
According to this article:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures
1) Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity
limitation of 100k signatures and do not include signatures generated through advanced analysis. So D is correct.
2) To better accommodate the influx of new DNS signatures being produced on a daily basis, the cloud-based signature database provides users
with instant access to newly added DNS signatures without the need to download updates. So B is correct. It eliminates the need for dynamic DNS
updates.
upvoted 3 times

  Eluis007 1 year, 3 months ago


Selected Answer: BD
B - There's no downloaded signature anymore, all the queries occur in real time accessing Palo Alto cloud services.
D - As no downloaded signatures are needed, it removes the 100k limitation.
upvoted 1 times

  daan5000 1 year, 3 months ago


C&D
A: incorrect, you need to attach an anti-spyware profile to the rule that has this feature enabled.
B: incorrect, dynamic DNS serves a whole other purpose, has nothing to do with DNS lookups (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/dynamic-dns-nfg.html)
C: correct, they are probably referring to the additional license you have to acquire, similar to the URL filtering license.
D: correct, DNS security aims to provide a better alternative for the DNS signature downloads, by making it cloud-based, thus eliminating the need
for downloading the DNS database locally (which apparently is limited to 100k entries)
upvoted 3 times

  LordScorpius 1 year, 3 months ago


Selected Answer: CD
It's not automatically anything if you must purchase it. C and D but, the answers are too vague.
upvoted 1 times

  Micutzu 2 years, 1 month ago


https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812
upvoted 2 times

  Micutzu 2 years, 2 months ago


In my opinion the answers should be B&D.
upvoted 4 times

  aleco 2 years, 4 months ago


Hi!

A is incorrect as you have to manually activate it in the Antispyware profile

B maybe is correct as there is no need for DNS updates. In fact every lookup goes into the cloud: "the cloud-based signature database provides
users with instant access to newly added DNS signatures without the need to download updates"

C yes you have to activate it but I don't know what app portal is.

D I disagree with it because you can still download DNS pack for faster lookups: " Locally available, downloadable DNS signature sets (packaged
with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures and do not include signatures generated
through advanced analysis"

Any other help? Does it make sense?


upvoted 4 times

  Airknight 2 years, 4 months ago


C for sure because you have to activate - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns-security/enable-dns-security. I think D as well based on last comment.
upvoted 1 times

  CiscoSannin 2 years, 4 months ago


D is definitely one of the correct options.

"Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation
of 100k signatures and do not include signatures generated through advanced analysis."

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures.html
upvoted 1 times

Question #82 Topic 1

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A. GlobalProtect agent

B. XML API

C. User-ID Windows-based agent

D. log forwarding auto-tagging

Correct Answer: BD

Community vote distribution


BC (56%) BD (44%)

  nabilzay Highly Voted  2 years, 7 months ago


Correct options should be B and C:

To dynamically register tags, you can use:


- the XML API
- the User-ID agent
- Panorama
- the web interface on the firewall

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 27 times

  kenyabolada Most Recent  1 week, 1 day ago


Selected Answer: BC
To dynamically register tags, you can use:
the XML API
the User-ID agent
Panorama
the web interface on the firewall

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 1 times

  Kalender 2 months, 1 week ago


Just one question
Are User-ID Agent and User-ID Windows based Agent the same thing?
If different, the answer should be A and D
upvoted 1 times

  guuillauume 2 months, 1 week ago


Selected Answer: BD
answer BD
upvoted 1 times

  o0ZACK0o 4 months, 2 weeks ago


Selected Answer: BD
According to PCNSA Study Guide
upvoted 2 times

  hugodiaz 4 months, 1 week ago


Care to share the page?
upvoted 1 times

  fb48 5 months ago


answer: BD

https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-dynamic-user-groups
Firewall logs - create a log forwarding profile and use the Built-In Actions
Custom API scripts
upvoted 2 times

  OhEmGee 5 months, 3 weeks ago


B and D are the answers. See the text from PCNSE Study Guide:
Several methods are available to tag or untag usernames. As shown in the following screenshot (in the book), you can manually tag and untag
usernames by using the web interface. Usernames can also be tagged and untagged by using the auto-tagging feature in a Log Forwarding Profile.
(NOTE: I have practically done both.). You also can program another utility to invoke the PAN-OS XML API commands to tag or untag usernames.
(NOTE: I've not tried XML API myself tho.)
upvoted 2 times
  mecacig953 5 months, 3 weeks ago
Selected Answer: BC
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 1 times

  nuWat 9 months, 1 week ago


It's B and D, "You can manually tag and untag usernames using the web interface. Usernames can also be tagged and untagged by using the auto-tagging feature in a log forwarding profile or by programming another utility to invoke PAN-OS XML API commands."
Got this from a file called EDU-210-10.1a-M12-UserID-1.pdf which can be accessed in the EDU-210 training course.
upvoted 2 times

  z8d21oczd 1 year ago


Selected Answer: BC
They are asking to tag a specific user. From the given options it must be B and C. I agree that you would need D to scan your logs and
automatically tag users if something happens but the answer does not match the question.
A is out of the question
upvoted 1 times

  commandlineclown 1 year, 2 months ago


Selected Answer: BC
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 2 times

  javim 1 year, 1 month ago


I agree
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: BD
I think it's BD
upvoted 1 times

  olexx 1 year, 4 months ago


In the Palo Alto trainings they mention two ways to populate dynamic user group (DUG):
1. XML API
2. Log forwarding auto-tagging

In other words, how would you automatically include tagged usernames using Panorama or Web interface?!
- The answer is, you do that through defining a filter & an action in Dynamic user groups, followed by Log forwarding configuration, if you don't
activate the log forwarding auto-tagging in the security policy, then the Dynamic user group (DUG) will NOT be populated....you can test it yourself
in any Palo Alto firewall.

Without 'Log forwarding auto-tagging' attached to your security policy, the defined log filter & its action in DUG will NOT forward any recognised
username - which matches the predefined filter & action - to the dynamic user group

So the answer is B & D


upvoted 2 times

  Cyril_the_Squirl 1 year, 9 months ago


B & C Correct
upvoted 1 times

  ramasamymuthiah 2 years, 3 months ago


Correct answer is B & C
upvoted 3 times

  lendrixx 2 years, 4 months ago


To dynamically register tags, you can use:
the XML API
the User-ID agent
Panorama
the web interface on the firewall
upvoted 2 times

  amadeu 2 years, 4 months ago


The correct answer is B and D
upvoted 2 times

Question #83 Topic 1

The CFO found a malware-infected USB drive in the parking lot, which when inserted infected their corporate laptop. The malware contacted a
known command-and-control server, which caused the infected laptop to begin exfiltrating corporate data.
Which security profile feature could have been used to prevent the communication with the command-and-control server?

A. Create an anti-spyware profile and enable DNS Sinkhole feature.

B. Create an antivirus profile and enable its DNS Sinkhole feature.

C. Create a URL filtering profile and block the DNS Sinkhole URL category

D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.

Correct Answer: D

Community vote distribution


A (91%) 9%

  chmani Highly Voted  2 years, 7 months ago


Is this correct? As I have seen in the Palo exam, the correct answer was "A" (create anti-spyware profile with DNS sinkhole)?
upvoted 19 times

  nabilzay Highly Voted  2 years, 7 months ago


DNS sinkhole is configured under an anti-spyware profile, A should be the correct option
upvoted 9 times

  blu_gandalf Most Recent  2 months, 1 week ago


Just answered in Practice exam, it's A
upvoted 1 times

  hugodiaz 4 months, 3 weeks ago


A is the correct answer

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0

Configure the DNS Sinkhole action in the Anti-Spyware profile. Click on the Objects > Anti-Spyware under Security Profiles.
upvoted 1 times

  ACPM 5 months, 2 weeks ago


Selected Answer: A
Answer is A: Anti-spyware
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: A
Palo connects "anti-spyware" directly with C&C in all their literature.
upvoted 3 times

  error_909 1 year, 4 months ago


Selected Answer: A
The question is asking how "to prevent the communication with the command-and-control server", so the answer here is A.

Besides that, DNS Sinkhole is only configurable under Anti-spyware :)


upvoted 2 times

  zeebo340 1 year, 4 months ago


Correct answer is A
upvoted 1 times

  javim 1 year, 4 months ago


Selected Answer: D
"begin exfiltrating corporate data."
The correct answer is D, Data Filtering profile to avoid exfiltrating corporate data
upvoted 1 times

  error_909 1 year, 4 months ago


the sinkhole is a feature of antispyware.
upvoted 1 times

  Rider85 1 year, 5 months ago


A is the correct one
upvoted 1 times

  Jheax 1 year, 5 months ago


Selected Answer: A
Sinkhole is configured in Anti-spyware
upvoted 1 times

  francisco87 1 year, 7 months ago


Selected Answer: A
A is the correct answer
upvoted 1 times

  H3kerman 1 year, 8 months ago


Selected Answer: A
A should be correct
upvoted 2 times

  ramasamymuthiah 2 years, 3 months ago


Correct answer is A
upvoted 4 times

Question #84 Topic 1

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?

A. virtual router

B. Admin Role profile

C. DNS proxy

D. service route

Correct Answer: C
Reference:
https://weberblog.net/palo-alto-dns-proxy-for-management-services/

Community vote distribution


D (77%) C (23%)

  venom6 Highly Voted  2 years, 7 months ago


I think it's D
upvoted 16 times

  ramasamymuthiah Highly Voted  2 years, 3 months ago


Correct answer is D
upvoted 7 times

  kenyabolada Most Recent  1 week, 1 day ago


Selected Answer: D
PAN-OS 10 -> Device -> Setup -> Services -> Service Features -> Service Route Configuration
upvoted 1 times

  BeforeScope 6 months, 1 week ago


Selected Answer: D
By default, the firewall uses the management (MGT) interface to access external services, such as DNS servers, external authentication servers, Palo
Alto Networks services such as software, URL updates, licenses, and AutoFocus. An alternative to using the MGT interface is configuring a data
port (a standard interface) to access these services. The path from the interface to the service on a server is a service route.
[Palo Alto Networks]
upvoted 1 times

  daytonadave2011 6 months, 4 weeks ago


Selected Answer: D
D. Service Route is the correct answer.
upvoted 1 times

  DDisGR8 11 months, 1 week ago


Selected Answer: D
Refer to page 19 on PCNSA study guide April 2022
upvoted 2 times

  p48m1 11 months, 4 weeks ago


Selected Answer: D
DNS resolution, and generally external reachability, is routed by default on the control plane (MGT interface). Service route feature allows to
change the default routing behaviour by setting the data plane as the routing path.
upvoted 2 times

  elbi05 1 year, 1 month ago


Selected Answer: C
A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant’s network connected to the firewall
interface
"In such a scenario, the firewall performs DNS resolution on its dataplane."

Ref: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/dns/use-case-3-firewall-acts-as-dns-proxy-between-client-and-server
upvoted 1 times

  drogadotcom 3 months, 2 weeks ago


That's correct for dataplane interfaces; the control plane (or management plane) by default uses its own interface to process DNS queries, unless you
configure Service Routes. Answer should be D

upvoted 1 times
  javim 1 year, 1 month ago
Selected Answer: D
D is the correct answer.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: D
service route is the actual name.
upvoted 1 times

  zeebo340 1 year, 4 months ago


Selected Answer: D
The correct answer is D - Ref PCNSA Study guide 2022 - P44
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: D
Answer D is Correct
upvoted 1 times

  obxfaepjwjsiflnecy 1 year, 5 months ago


Selected Answer: D
The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, as
well as various Palo Alto Networks services, including software, URL updates, licenses, external dynamic lists (EDLs), and AutoFocus. An alternative
to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a
server is known as a service route.
When configured as a DNS proxy, the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries
from its DNS proxy cache. If it doesn’t find the domain name in its DNS proxy cache, the firewall searches for a match to the domain name among
the entries in the specific DNS proxy object (on the interface on which the DNS query arrived). The firewall forwards the query to the appropriate
DNS server based on the match results. If no match is found, the firewall uses default DNS servers.
upvoted 5 times

  dawlims 1 year, 6 months ago


Selected Answer: C
The answer is C. DNS Proxy.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/dns/use-case-3-firewall-acts-as-dns-proxy-between-client-and-server.html
upvoted 4 times

  elbi05 1 year, 1 month ago


C indeed.

A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant’s network connected to the firewall
interface
"In such a scenario, the firewall performs DNS resolution on its dataplane."
upvoted 1 times

  lessimos 1 year, 8 months ago


The answer is D
Quoting https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide-latest.pdf

"Service routes are used so that the communication between the firewall and servers goes through the data ports on the data plane."
upvoted 4 times

  Jeevanchalhai 1 year, 9 months ago


D is correct
upvoted 4 times

  Rowdy_47 1 year, 10 months ago


I would go with D as it fits more accurately

The Palo Alto firewall has a feature called DNS Proxy. Normally it is used for data plane interfaces so that clients can use the interfaces of the Palo
for its recursive DNS server. Furthermore, this DNS Proxy Object can be used for the DNS services of the
https://weberblog.net/palo-alto-dns-proxy-for-management-services/

The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo
Alto Networks services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port
(a regular interface) to access these services. The path from the interface to the service on a server is known as a service route.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/service-routes
upvoted 2 times

Question #85 Topic 1

Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?

A. Prisma SaaS

B. GlobalProtect

C. AutoFocus

D. Panorama

Correct Answer: A
Reference:
https://www.paloaltonetworks.com/resources/whitepapers/protecting-the-extended-perimeter-with-globalprotect-cloud-service-full

Community vote distribution


B (100%)

  tman1234 Highly Voted  2 years, 7 months ago


The answer should be GlobalProtect.
GlobalProtect safeguards your mobile workforce by inspecting all traffic
using your next-generation firewalls deployed as internet gateways, whether at the
perimeter, in the Demilitarized Zone (DMZ), or in the cloud. Laptops, smartphones, and
tablets with the GlobalProtect app automatically establish a secure IPsec/SSL VPN
connection to the next-generation firewall using the best gateway, thus providing full
visibility of all network traffic, applications, ports, and protocols.
upvoted 18 times

  debabani Highly Voted  2 years, 5 months ago


B is the correct answer
upvoted 11 times

  BeforeScope Most Recent  6 months, 1 week ago


Selected Answer: B
GlobalProtect administrators can set the level of control that end users have over their connections, from a fully locked-down configuration to one
where users are allowed to select which gateway they connect to.
[Palo Alto Networks]
upvoted 1 times

  daytonadave2011 6 months, 4 weeks ago


Selected Answer: B
B. GlobalProtect.
upvoted 2 times

  ds22 8 months ago


Prisma is for cloud policy. Global protect should be the answer
upvoted 1 times

  original_zomby 1 year, 3 months ago


B is the answer.
Prisma SaaS allows you to govern sanctioned SaaS application usage across all users in your organization and prevent the risk from breaches and
non-compliance.
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: B
Global Protect
upvoted 1 times

  daan5000 1 year, 3 months ago


A is incorrect, Prisma Saas is a solution to provide insight and apply policies to cloud-based applications. Prisma SaaS does not enforce mobile
endpoints to send all their traffic to a central firewall in the cloud (this is what Prisma Access does).
GlobalProtect is used to enforce endpoints to send all their traffic to your company firewall through client VPN so B is the correct answer.
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: B
Global Protect = Internet Gateways
upvoted 2 times

  zeebo340 1 year, 4 months ago


Correct answer is B
upvoted 1 times

  digitreal 1 year, 7 months ago


It's B the answer is in the link even.
upvoted 3 times

  H3kerman 1 year, 8 months ago


Selected Answer: B
B is correct answer - GlobalProtect
upvoted 4 times

  atifikhan 2 years, 6 months ago


I think correct answer is B
upvoted 7 times

Question #86 Topic 1

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?

A. TACACS+

B. RADIUS

C. LDAP

D. SAML

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-an-authentication-profile-and-sequence

  RahulGawale19 1 year ago


LDAP is correct
upvoted 1 times

Question #87 Topic 1

Which operations are allowed when working with App-ID application tags?

A. Predefined tags may be deleted.

B. Predefined tags may be augmented by custom tags.

C. Predefined tags may be modified.

D. Predefined tags may be updated by WildFire dynamic updates.

Correct Answer: C

Community vote distribution


B (100%)

  webmanau Highly Voted  2 years, 3 months ago


Really? This is scary.......
B is the answer. D is total rubbish.
upvoted 11 times

  jorge86 Highly Voted  2 years, 1 month ago


I think the only available option would be B, because predefined tags can't be deleted, edited or cloned; they're updated and maintained by the Applications
and Threats dynamic updates, not WildFire!
upvoted 9 times

  daan5000 Most Recent  1 year, 3 months ago


Selected Answer: B
A: incorrect, you cannot remove predefined tags (just tested this in a lab).
B: this is the correct answer, you can add additional custom tags to an application that already has predefined tags to "augment" filtering abilities
in application filters.
C: you cannot modify predefined tags
D: this is not correct, they can only be updated through application updates
upvoted 5 times

  zeebo340 1 year, 4 months ago


Checked on FW; You cannot delete or modify pre-defined tags.
Wildfire provides no updates to tags.

Correct answer would be B.


upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: B
augment = improved or provide extra details, so answer B is definitely correct, D is a little bit odd
upvoted 1 times

  erbinnn 1 year, 5 months ago


Selected Answer: B
B correct
upvoted 1 times

  Rider85 1 year, 5 months ago


B is the correct answer
upvoted 1 times

  Jheax 1 year, 5 months ago


Selected Answer: B
B is correct
upvoted 1 times

  dawlims 1 year, 7 months ago


Selected Answer: B
Correct answer should be B. PCNSA study guide page 113
upvoted 1 times

  Rowdy_47 1 year, 10 months ago


A and C are definitely wrong, tried to modify / delete on PAN OS 10 and you are unable.
Can't seem to find anything that shows Wildfire updates predefined tags.

Gonna go with B on this one


upvoted 2 times
  atifikhan 2 years, 6 months ago
After checking into firewall D is correct answer
upvoted 7 times

Question #88 Topic 1

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's
management plane is only slightly utilized.
Which User-ID agent is sufficient in your network?

A. Windows-based agent deployed on each domain controller

B. PAN-OS integrated agent deployed on the firewall

C. Citrix terminal server agent deployed on the network

D. Windows-based agent deployed on the internal network a domain member

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user-mapping.html

Community vote distribution


B (91%) 9%

  debabani Highly Voted  2 years, 5 months ago


B should be the answer:
upvoted 8 times

  o0ZACK0o Most Recent  4 months, 2 weeks ago


Selected Answer: B
The PAN-OS Integrated Agent is more efficient in terms of network resources since it filters logs, whereas the Windows-Based Agent sends all
security logs to the firewall.
upvoted 2 times

  kuaiquchifan 6 months, 1 week ago


Selected Answer: B
It mentioned "slightly" used
upvoted 2 times

  DDisGR8 11 months ago


Selected Answer: B
Less than 10 DCs and minimal utilized management plane makes B the choice.
upvoted 3 times

  z8d21oczd 1 year ago


Selected Answer: B
Only two DCs, same network, same location, slightly utilized management plane... obviously B.
upvoted 3 times

  vexon 1 year ago


B
Which User-ID agent should I use?
Use agentless (PAN-OS)
If you have a small to medium deployment with 10 or fewer Domain controllers or Exchange servers
If you wish to share PAN-OS sourced mappings from AD, Captive portal or Global Protect with other PA devices (max 255 devices)
Use User-ID Agent (Windows)
If you have medium to large deployment with more than 10 domain controllers
If you have multi-domain setup with large number of servers to monitor
upvoted 1 times

  Letrange 1 year, 1 month ago


It can't be A because PAN doesn't recommend to install the windows agent in the domain controller. I think the correct answer is B.
upvoted 1 times

  daan5000 1 year, 3 months ago


When they're talking about "sufficient bandwidth" and "sufficient resources" on the firewall, they are always hinting at the PAN-OS integrated
agent.
When they're talking about "limited network bandwidth" and/or the "management plane is heavily used", then they want you to use the Server
agent.
upvoted 4 times

  yurakoresh 1 year, 5 months ago


Selected Answer: A
PAN-OS Integrated User-ID Agent is used mostly for remote sites and it can't handle multiforest domains.
Windows-based User-ID Agent at the local site. In this case it's all on the same network so I think it should be "A"
upvoted 1 times

  Rowdy_47 1 year, 10 months ago


Although, the Windows-based agent and the PAN-OS integrated agent perform the same basic tasks, they use different underlying communication
protocols. This difference makes each agent more appropriate for different environments.

The Windows-based agent uses MS-RPC, which requires the full Windows Security logs to be sent to the agent, where they are filtered for the
relevant User-ID information.

The PAN-OS integrated agent uses either the Windows Management Instrumentation, or WMI, or the Windows Remote Management Protocol, or
WinRM, which enables the agent to retrieve only the User-ID information from the Windows Security logs.

The result is that, in an infrastructure with remote networks separated with WAN links, the integrated agent is more appropriate for reading remote
logs and the Windows-based agent is more appropriate for reading local logs. However, use of the integrated agent is not without cost: it
consumes more of the firewall's management plane resources. For this reason, deployment of the Windows agent at remote sites and having them
forward the relevant User-ID information to firewall on a central network often is beneficial.
upvoted 2 times

  Defvianti 2 years, 4 months ago


More than one domain? That is not supported with PA agent
upvoted 2 times

  jonboy22 1 year, 3 months ago


The integrated agent can handle up to 100 domains. https://www.routeprotocol.com/palo-altro-edu-110-user-id/
upvoted 1 times

  jonboy22 1 year, 3 months ago


The integrated agent can only handle 1 AD domain, but can monitor up to 100 domain controllers. This question doesn't say more than one AD
is active. Therefore, i believe B is correct.
upvoted 1 times

  Lucerorudeboy 2 years, 5 months ago


network bandwidth isn't an issue in this case, I think A is correct
upvoted 1 times

  atifikhan 2 years, 7 months ago


, if network bandwidth is an issue, you might want to use the PAN-OS integrated agent because it
communicates directly with the servers, whereas the Windows agent communicates with the servers and
then communicates the User-ID information to the firewall so that it can update the firewall database.
For more information about the different agents and how they are used, see the following information:
• “Block Threats by Identifying Users ” module in the EDU-110 and EDU-210 training,
Firewall Essentials: Configuration and Management

I think B is correct answer


upvoted 4 times

  ElDTO91 2 years, 7 months ago


B should be the answer
upvoted 4 times


Question #89 Topic 1

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall
permissions?

A. Role-based

B. Multi-Factor Authentication

C. Dynamic

D. SAML

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types.html

Community vote distribution


A (100%)

  johnnydoe01 Highly Voted  2 years, 7 months ago


It’s gotta be A Role Based

“ Role Based—Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API.”
upvoted 10 times

  atifikhan Highly Voted  2 years, 6 months ago


A is correct answer
upvoted 6 times

  jonboy22 Most Recent  1 year, 3 months ago


Selected Answer: A
"Custom-Set"
upvoted 1 times


Question #90 Topic 1

Which statement is true regarding a Heatmap report?

A. When guided by an authorized sales engineer, it helps determine the areas of greatest security risk

B. It runs only on firewalls.

C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

D. It provides a percentage of adoption for each assessment area.

Correct Answer: D
Reference:
https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best-practice-assessment-bpa-tool-for-ngfw-and-panorama/ba-p/248343

Community vote distribution


D (100%)

  esetss4 Highly Voted  2 years, 2 months ago


Answer is D.

https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
upvoted 8 times

  olexx Most Recent  1 year, 3 months ago


Answer is D

A. & B. are not fitting here


C. is the definition of PPA (Prevention Posture Assessment)
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools

D. Heatmap report is presented in %, check out the promotion video on Palo Alto website
https://www.paloaltonetworks.com/resources/videos/bpa-promo
upvoted 2 times

  LordScorpius 1 year, 3 months ago


Selected Answer: D
When you run the Best Practices Heat Map tool from the Palo support page, the end result of the report (not for you but, for the report) is to
present you with a Heat Map. "D" would be the customer's next step but, that's NOT the answer to this question.
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: D
PART OF BPA; the correct answer is D.
upvoted 1 times

  esetss4 2 years, 3 months ago


The correct answer is:
C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
upvoted 3 times

  BMRobertson 5 months, 3 weeks ago


Incorrect, that's a PPA
upvoted 1 times

  Micutzu 2 years, 2 months ago


C= definition of PPA
upvoted 1 times

  Micutzu 2 years, 1 month ago


The correct answer is D.
upvoted 2 times

  Micutzu 2 years, 2 months ago


https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools#:~:text=Prevention%20Posture%20Assessment%20(PPA),risks%20and%20close%20the%20gaps.


upvoted 1 times


Question #91 Topic 1

Based on the screenshot presented, which column contains the link that when clicked, opens a window to display all applications matched to the
policy rule?

A. Apps Allowed

B. Service

C. Name

D. Apps Seen

Correct Answer: C

Community vote distribution


D (100%)

  ramasamymuthiah Highly Voted  2 years, 3 months ago


Correct answer is D
upvoted 11 times

  rcptryk Highly Voted  1 year, 8 months ago


Correct answer is D. I have checked on FW
upvoted 8 times

  LordScorpius 1 year, 3 months ago


Thank you. Feedback like this is super important.
upvoted 4 times

  captainpratt Most Recent  1 month, 3 weeks ago


SO WHY DO THEY SELECT NAME?
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: D
Correct answer is D
upvoted 3 times

  LordScorpius 1 year, 3 months ago


Selected Answer: D
The entire reason for the existence of the column "App Seen" is for this.
upvoted 2 times

  zeebo340 1 year, 4 months ago


Answer is D
upvoted 2 times

  Jheax 1 year, 5 months ago


Selected Answer: D
D is correct
upvoted 4 times

  AR787 1 year, 6 months ago


Selected Answer: D
correct answer is D
upvoted 2 times

  ahmad666 2 years ago


it is answer D
upvoted 3 times

  userrandomuser76 2 years, 1 month ago


It is D
upvoted 3 times

Question #92 Topic 1

Access to which feature requires the PAN-OS Filtering license?

A. PAN-DB database

B. DNS Security

C. Custom URL categories

D. URL external dynamic lists

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-licenses-and-subscriptions.html

  LordScorpius 1 year, 3 months ago


The license is literally called "PAN-DB URL Filtering" A
upvoted 3 times

  Cyril_the_Squirl 1 year, 9 months ago


A is Correct
upvoted 4 times


Question #93 Topic 1

Based on the screenshot, what is the purpose of the Included Groups?

A. They are groups that are imported from RADIUS authentication servers.

B. They are the only groups visible based on the firewall's credentials.

C. They contain only the users you allow to manage the firewall.

D. They are used to map users to groups.

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

Community vote distribution


D (100%)

  nolox 3 months, 2 weeks ago


Selected Answer: D
D it is
upvoted 1 times

  RahulGawale19 1 year ago


They are used to map users to groups.
upvoted 1 times


Question #94 Topic 1

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

A. The User-ID agent is connected to a domain controller labeled lab-client.

B. The host lab-client has been found by the User-ID agent.

C. The host lab-client has been found by a domain controller.

D. The User-ID agent is connected to the firewall labeled lab-client.

Correct Answer: C

Community vote distribution


A (100%)

  ramasamymuthiah Highly Voted  2 years, 3 months ago


The correct answer is A
upvoted 8 times

  suen110001 Highly Voted  2 years, 3 months ago


This should be A. The User-ID agent is connected to a domain controller labeled lab-client.
upvoted 5 times

  Adilon Most Recent  3 months, 1 week ago


A is the right answer
upvoted 1 times

  fb48 5 months, 1 week ago


Answer C.
A is wrong, not the domain controller is named lab-client, but client itself.
upvoted 1 times

  Ermbmx2 3 months ago


That is wrong. It is under the Server Monitoring section and under the "SERVER" monitoring section column "Name" it lists Lab-client which also
specifies it as an Active Directory Domain Controller. It is not the name of a client.
A is the correct answer.
upvoted 1 times

  Toldo75 1 year ago


Selected Answer: A
The correct answer is A
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: A
The correct answer is A

upvoted 1 times
  gustavok 1 year, 3 months ago
Selected Answer: A
lab-client is not a host, it is the name we are giving to the agent that is connecting to the specified domain controller (Active Directory)
upvoted 2 times

  LordScorpius 1 year, 3 months ago


Selected Answer: A
Why "A"? Because of the wording on the Tab: "Server Monitoring", "Name"...then, there's a name.
upvoted 1 times

  LuisRG17 1 year, 7 months ago


Selected Answer: A
Correct
upvoted 2 times


Question #95 Topic 1

Which action results in the firewall blocking network traffic without notifying the sender?

A. Drop

B. Deny

C. Reset Server

D. Reset Client

Correct Answer: B

Community vote distribution


A (100%)

  DilT Highly Voted  2 years, 7 months ago


I think the correct answer should be "Drop"

The difference between deny and drop is that deny will make a router (or other device) send an ICMP type 3 (destination unreachable) message
response back, where drop will not notify the sending party that the device has been denied and just silently drop the traffic.
upvoted 16 times

  hugodiaz Most Recent  4 months, 3 weeks ago


Answer is A

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/security-policy-actions

Drop
Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.

It can't be Reset-Server as it is only after a session has been established.


upvoted 1 times

  blahblah1234567890000 6 months ago


Selected Answer: A
It's drop
upvoted 1 times

  blahblah1234567890000 6 months, 1 week ago


Selected Answer: A
A drop just literally drops the packet.
upvoted 1 times

  daytonadave2011 6 months, 4 weeks ago


Selected Answer: A
Drop is silent.
upvoted 1 times

  nuWat 9 months, 1 week ago


Selected Answer: A
For the reasons others have specified!!
upvoted 1 times

  Hyay 10 months, 1 week ago


Selected Answer: A
That's what drop does
upvoted 1 times

  KhalidB 1 year, 4 months ago


Drop a is correct
upvoted 1 times

  ppower 2 years, 6 months ago


Though A. Drop would be my first choice here because traffic is simply discarded without notifying the sender, option "Reset Server" notifies only
Server side to close the socket meanwhile Client is unaware of the action.
upvoted 2 times

  nunesduck 2 years, 6 months ago


Drop is correct answer


https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206900#M60682
upvoted 2 times

  atifikhan 2 years, 6 months ago


A is correct answer
upvoted 3 times

  nabilzay 2 years, 7 months ago


Answer should be A
upvoted 4 times

Question #96 Topic 1

What do Dynamic User Groups help you to do?

A. create a policy that provides auto-remediation for anomalous user behavior and malicious activity

B. create a dynamic list of firewall administrators

C. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity

D. create a policy that provides auto-sizing for anomalous user behavior and malicious activity

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups

Community vote distribution


A (100%)

  LordScorpius 1 year, 3 months ago


Selected Answer: A
Straight outta Palo: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 1 times

  Jheax 1 year, 5 months ago


Selected Answer: A
Correct
upvoted 1 times

  Grandslam 1 year, 6 months ago


Selected Answer: A
Correct
upvoted 1 times


Question #97 Topic 1

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows
within the zones?

A. global

B. intrazone

C. interzone

D. universal

Correct Answer: B

Community vote distribution


C (100%)

  DilT Highly Voted  2 years, 7 months ago


C. interzone should be the correct answer here since how the question is asked.
upvoted 15 times

  nabilzay Highly Voted  2 years, 7 months ago


C is the correct answer, as intrazone allows traffic within a zone not between different zones
upvoted 10 times

  SessoConPupoPazzo Most Recent  2 months, 4 weeks ago


Selected Answer: C
C is the correct answer
upvoted 1 times

  DDisGR8 11 months, 1 week ago


Selected Answer: C
C is the correct answer
upvoted 2 times

  LordScorpius 1 year, 3 months ago


Selected Answer: C
The question is the definition of the answer
upvoted 1 times

  FlyerGuy 1 year, 4 months ago


Selected Answer: C
C is correct. Question states filtering between zones, NOT within zones.
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: C
C is correct
upvoted 1 times

  Jheax 1 year, 5 months ago


C is correct
upvoted 1 times

  Grandslam 1 year, 6 months ago


Selected Answer: C
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
Page 123
upvoted 1 times

  ThelioNN 1 year, 6 months ago


Selected Answer: C
between zones is interzone rule
upvoted 1 times

  H3kerman 1 year, 8 months ago


Selected Answer: C


C is correct - between zones is inTERzone within zone is inTRAzone


upvoted 1 times
  ramasamymuthiah 2 years, 3 months ago
The correct answer is C
upvoted 2 times

  Raul_Andre 2 years, 5 months ago


Undoubtedly line C is the correct one
upvoted 3 times

  Raul_Andre 2 years, 5 months ago


Undoubtedly line C is the correct one,
upvoted 3 times

  debabani 2 years, 5 months ago


C is the correct answer
upvoted 3 times

  nunesduck 2 years, 6 months ago


Interzone is correct
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0
upvoted 4 times

  atifikhan 2 years, 6 months ago


C is correct answer
upvoted 5 times


Question #98 Topic 1

You notice that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which
traffic would you need to monitor and block to mitigate the malicious activity?

A. branch office traffic

B. north-south traffic

C. perimeter traffic

D. east-west traffic

Correct Answer: D

Community vote distribution


D (100%)

  madinaes 3 months, 3 weeks ago


within same Network is E-W while outside is N-S
upvoted 1 times

  akon 10 months, 3 weeks ago


Selected Answer: D
Correct ans is D
upvoted 1 times

  javim 1 year, 4 months ago


Lateral movement activity, the correct answer is D.
upvoted 4 times

  Arty1234123 1 year, 5 months ago


Selected Answer: D
The answer is B.
upvoted 1 times

  Bobyly 1 year, 5 months ago


Sorry, Inspect internal traffic. It's B.
upvoted 2 times


  Bobyly 1 year, 5 months ago


Type error, It's D.
upvoted 1 times

  Bobyly 1 year, 5 months ago


The answer is B.
upvoted 1 times

Question #99 Topic 1

DRAG DROP -
Match each feature to the DoS Protection Policy or the DoS Protection Profile.
Select and Place:

Correct Answer:

  Lua77707 1 week, 2 days ago


I think that here must change place between (Threat Intelligence and NGFW)
upvoted 1 times

  khaled_ellaboudy 5 months ago


Answer is correct
upvoted 2 times

  nolox 3 months, 2 weeks ago


Don't think it is. TIC can't work within network and endpoints. I think only NGFW and TIC need to change places. AEP is ok.
upvoted 2 times


Question #100 Topic 1

Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane?

A. Kerberos user

B. SAML user

C. local database user

D. local user

Correct Answer: B

Community vote distribution


D (100%)

  zerdo Highly Voted  2 years ago


Local user. D is correct. Because for the other users you can create an auth profile. But for local users (users in XML config), an auth profile cannot
be created.
upvoted 8 times

  Grandslam Highly Voted  1 year, 6 months ago


Selected Answer: D
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
Page 106
PAN-OS software supports the following authentication types:
• None
• Local Database
• RADIUS
• LDAP
• TACACS+
• SAML
• Kerberos
upvoted 6 times

  kewokil120 Most Recent  1 year, 2 months ago


Selected Answer: D
D is correct
upvoted 2 times

  Rider85 1 year, 5 months ago


D is the correct
upvoted 2 times


Question #101 Topic 1

How frequently can WildFire updates be made available to firewalls?

A. every 15 minutes

B. every 30 minutes

C. every 60 minutes

D. every 5 minutes

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/software-and-content-updates/dynamic-content-updates.html#:~:text=WildFire%20signature%20updates%20are%20made,within%20a%20minute%20of%20availability.

Community vote distribution


D (100%)

  LordScorpius 1 year, 3 months ago


Selected Answer: D
The honest answer is "as close to zero as is offered in the answer". Palo has been working on making the answer zero for each version update.
upvoted 3 times

Question #102 Topic 1

Starting with PAN-OS version 9.1, which new type of object is supported for use within the User field of a Security policy rule?

A. remote username

B. dynamic user group

C. static user group

D. local username

Correct Answer: B

Community vote distribution


B (100%)

  o0ZACK0o 4 months, 2 weeks ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/features-introduced-in-pan-os-9-1/user-id-features#id1787EF00LF4
upvoted 1 times


Question #103 Topic 1

Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures?

A. Review App Matches

B. Review Apps

C. Pre-analyze

D. Review Policies

Correct Answer: D

Community vote distribution


D (100%)

  blahblah1234567890000 6 months ago


Selected Answer: D
D is correct: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
upvoted 2 times


Question #104 Topic 1

Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?

A. interzone-default

B. internal-inside-dmz

C. inside-portal

D. egress-outside

Correct Answer: D

Community vote distribution


D (56%) C (44%)

  amorcle 1 month, 3 weeks ago


Selected Answer: D
D is correct, because 203.0.113.0/24 is a reserved/special use address (TEST-NET-3, RFC 5737), so it can't stay in an outside zone.
upvoted 1 times

  amorcle 1 month, 3 weeks ago


D is correct, because 203.0.113.0/24 is a reserved/special use address (TEST-NET-3, RFC 5737), so it can't stay in an outside zone.
upvoted 1 times

  Gilmarcio 2 months ago


egress-outside. Source and destination zones have any + any application and application-default service, action allow. So it is "D"
upvoted 1 times

  guuillauume 2 months, 1 week ago


Selected Answer: D
it's about ALL the traffic, so D is the correct answer
upvoted 1 times

  Ermbmx2 2 months, 2 weeks ago


Selected Answer: D
The only option that matches "ALL" FTP traffic from Inside to Outside
upvoted 3 times

  Ermbmx2 2 months, 4 weeks ago


Can someone explain why it is not D?
If it says "any" FTP traffic wouldn't it have to be D since C would only match FTP traffic destined to that specific IP. Is that not correct?
upvoted 1 times

  Ermbmx2 2 months, 4 weeks ago


Correction, it says "ALL" FTP traffic. Wouldn't D be the first policy that allows "ALL" FTP traffic?
upvoted 1 times

  BuzeHa 4 months ago


Selected Answer: C
correct
upvoted 2 times


  hugodiaz 4 months, 2 weeks ago


Selected Answer: C
I mean, technically inside-portal would match any FTP traffic first to the outside zone, even if the destination address is defined.
upvoted 2 times

  amorcle 1 month, 3 weeks ago


D is correct, because 203.0.113.0/24 is a reserved/special use address (TEST-NET-3, RFC 5737), so it can't stay in an outside zone.
upvoted 1 times

  nolox 4 months, 2 weeks ago


Yup, the question doesn't ask about dst IP so I think C is correct.
upvoted 1 times

  Ermbmx2 2 months, 2 weeks ago


But it does say "Match ALL ftp traffic" (not "any") which the Inside-portal would not match all the ftp traffic, just the FTP traffic destined to
that specific IP.
upvoted 3 times

Question #105 Topic 1

Which type of firewall configuration contains in-progress configuration changes?

A. backup

B. candidate

C. running

D. committed

Correct Answer: B

Community vote distribution


B (100%)

  SupaFlash Highly Voted  2 years ago


The question says in progress changes.. changes are in the candidate config, they become part of the running-config after commit. Answer is B
upvoted 9 times

  error_909 Most Recent  1 year, 4 months ago


Selected Answer: B
Answer B is Correct, Candidate
upvoted 1 times

  sahilyakup 2 years ago


C is the correct. Running-configuration must be in-progress. Candidate configuration waits for a commit to be in-progress
upvoted 2 times

  lessimos 1 year, 8 months ago


The question clearly states that: "... in-progress configuration" which is candidate that must be committed to be part of the running
configuration. More details on the study guide Page 49 -50
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide-latest.pdf
upvoted 2 times


Question #106 Topic 1

Which three configuration settings are required on a Palo Alto Networks firewall management interface? (Choose three.)

A. hostname

B. netmask

C. default gateway

D. auto-negotiation

E. IP address

Correct Answer: BCE


Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK

  BMRobertson 5 months, 3 weeks ago


Basically all IPv4 based: No point of having an IP if you don't have a netmask to determine network. Also no point to have an IP if there is no
gateway to get out to the internet
upvoted 1 times

Question #107 Topic 1

What is an advantage for using application tags?

A. They are helpful during the creation of new zones.

B. They help content updates automate policy updates.

C. They help with the creation of interfaces.

D. They help with the design of IP address allocations in DHCP.

Correct Answer: B

Community vote distribution


B (100%)

  khaled_ellaboudy 5 months ago


Selected Answer: B
B is the correct answer
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: B
Tags. All Tags. Are specific to the creation of Policy. They have several purposes, apply to any object, can be defined and so forth. I am uncertain as
to whether any action subsequent to their application is automated or not. The only thing I'm clear on is, they are Security Policy related, or to its
creation, whether automated or not.
upvoted 4 times


Question #108 Topic 1

At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?

A. after clicking Check Now in the Dynamic Update window

B. after committing the firewall configuration

C. after installing the update

D. after downloading the update

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-dynamic-updates

Community vote distribution


D (80%) A (20%)

  BeforeScope 6 months, 1 week ago


Selected Answer: D
When an Applications and Threats content update is performed, which is the earliest point you can review the impact of new application signatures
on existing policies?
- after download
[Palo Alto Networks]
upvoted 1 times

  PunkSp 7 months, 3 weeks ago


Selected Answer: D
D
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
upvoted 1 times

  Ptopics 1 year ago


Selected Answer: D
Answer is D. Clicking "check now" just looks for new updates. If you have a schedule set up the system is already looking for new updates on its
own though. To see if an update will affect an existing rule, you have to download the update and then click on "review policies" to see impact the
update will have (Answer D).
upvoted 3 times

  kewokil120 1 year, 2 months ago


Selected Answer: D
D is correct
Must be downloaded or installed
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
upvoted 2 times

  olexx 1 year, 3 months ago


Answer is D
"Action > Download: Additionally, downloading an Application and Threat content release version enables the option to Review Policies that are
affected by new application signatures included with the release."

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-dynamic-updates.html
upvoted 4 times

  LordScorpius 1 year, 3 months ago


Selected Answer: A
Very Tricky. Yes, "after the download" you must A. A is the last step you can take before choosing to Commit. You don't have an "A" until you "D"
but "D" is not "A".
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Palo: "downloading an Application and Threat content release version enables the option to Review Policies that are affected by new application
signatures included with the release"
upvoted 4 times

  error_909 1 year, 4 months ago


Selected Answer: A


Sorry Answer is A
upvoted 1 times
  error_909 1 year, 4 months ago
Selected Answer: D
D makes more sense to me.
upvoted 1 times

  error_909 1 year, 4 months ago


Sorry Answer is A
upvoted 1 times

  Bobyly 1 year, 5 months ago


Lists the versions that are currently available on the Palo Alto Networks Update Server. To check if a new software release is available from Palo Alto
Networks, click Check Now. The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if
there are updates available, displays them at the top of the list.
upvoted 1 times

  Jheax 1 year, 5 months ago


Answer is A, I checked on the Firewall
upvoted 2 times

Question #109 Topic 1

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-
control server.
Which Security Profile detects and prevents this threat from establishing a command-and-control connection?

A. Vulnerability Protection Profile applied to outbound Security policy rules.

B. Anti-Spyware Profile applied to outbound security policies.

C. Antivirus Profile applied to outbound Security policy rules

D. Data Filtering Profile applied to outbound Security policy rules.

Correct Answer: B

Community vote distribution


B (100%)

  Adilon 3 months, 1 week ago


B is correct
upvoted 1 times

  yurakoresh 1 year, 5 months ago


Selected Answer: B
B is correct
upvoted 2 times

  H3kerman 1 year, 8 months ago


Selected Answer: B
B is correct: Anti-Spyware Security Profiles block spyware on compromised hosts from trying to communicate with external command-and-control
(C2) servers, thus enabling you to detect malicious traffic leaving the network from infected clients.
upvoted 1 times


Question #110 Topic 1

Which statement is true regarding a Best Practice Assessment?

A. It runs only on firewalls.

B. It shows how current configuration compares to Palo Alto Networks recommendations.

C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.

D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Correct Answer: B

Community vote distribution


B (100%)

  Jasfart 2 months ago


Selected Answer: B
https://docs.paloaltonetworks.com/best-practices/10-2/bpa-getting-started

First line: "The Best Practice Assessment (BPA) tool compares the configuration of firewalls and Panorama to the Palo Alto Networks best practice
recommendations"
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: B
The attempt here is to determine competency in selecting between two Palo Tools:
Prevention Posture Assessment (PPA)—The PPA is a set of questionnaires that help uncover security risk prevention gaps across all areas of network
and security architecture.
Keep your mind straight and understand what is PPA or BPA.
upvoted 4 times


Question #111 Topic 1

The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access
the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other
websites also listed in the URL filtering `gambling` category.
Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the `gambling` URL category?

A. Add just the URL www.powerball.com to a Security policy allow rule.

B. Manually remove powerball.com from the gambling URL category.

C. Add *.powerball.com to the URL Filtering allow list.

D. Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.

Correct Answer: CD

Community vote distribution


A (100%)

  TheLorenz 1 month, 1 week ago


A is not correct as you cannot add www.powerball.com to a security policy unless you first create an address object and add the fqdn. A does not
mention doing any of this.
upvoted 1 times

  nolox 3 months, 2 weeks ago


Selected Answer: A
As @OhEmGee said
upvoted 1 times

  OhEmGee 5 months, 3 weeks ago


Selected Answer: A
The question is about very specific URL, which can't be 'limited' by *.powerball.com as this would allow a.powerball.com, a.b.c.powerball.com etc.
upvoted 1 times

  nolox 3 months, 2 weeks ago


Correct
upvoted 1 times

  Micutzu 2 years, 2 months ago


in my opinion, only D is the correct answer
upvoted 2 times

  H3kerman 1 year, 8 months ago


Why do you think adding the domain to the URL allow list is not useful? I think it's OK; C and D are correct.
upvoted 2 times


Question #112 Topic 1

Which Palo Alto Networks service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and
scanning files for sensitive information?

A. Prisma SaaS

B. AutoFocus

C. Panorama

D. GlobalProtect

Correct Answer: A

Community vote distribution


A (100%)

  LordScorpius 1 year, 3 months ago


Selected Answer: A
The one that blows my mind is the difference between Prisma SaaS (formerly Aperture) and the all-points Internet Gateway thingy called
"GlobalProtect".
upvoted 1 times

  okwilagwem 1 year, 8 months ago


I thought Aperture was the correct answer?
upvoted 2 times

  Rowdy_47 1 year, 8 months ago


It's now called Prisma SaaS
upvoted 4 times

Question #113 Topic 1

In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?

A. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules

B. Reboot the firewall

C. Use the Reset Rule Hit Counter > All Rules option

D. Use the CLI to enter the command reset rules all

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/creating-and-managing-policies

Community vote distribution


C (100%)

  nolox 3 months, 2 weeks ago


Selected Answer: C
Correct
upvoted 1 times


Question #114 Topic 1

Based on the Security policy rules shown, SSH will be allowed on which port?

A. the default port

B. only ephemeral ports

C. any port

D. same port as ssl and snmpv3

Correct Answer: A

Community vote distribution


A (100%)

  LordScorpius 1 year, 3 months ago


Strongly recommend completing the Security+ or its equivalent in PCCET - Palo Alto Networks Certified Entry-level Technician. As a Firewall
Administrator, knowing about 100 ports by heart is essential.
upvoted 2 times

  H3kerman 1 year, 8 months ago


Selected Answer: A
application-default means the default port will be used. In this case, for SSH, port 22.
A is correct.
upvoted 1 times


Question #115 Topic 1

You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

A. Data Filtering Profile applied to outbound Security policy rules

B. Antivirus Profile applied to outbound Security policy rules

C. Data Filtering Profile applied to inbound Security policy rules

D. Vulnerability Protection Profile applied to inbound Security policy rules

Correct Answer: B

Community vote distribution


D (100%)

  ZZL Highly Voted  1 year, 8 months ago


Agree, should be D. See study guide p153:
Vulnerability Protection - Detects attempts to exploit known software vulnerabilities
upvoted 7 times

  BeforeScope Most Recent  6 months, 1 week ago


Selected Answer: D
Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help
identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example,
Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities.
[Palo Alto Networks]
upvoted 1 times

  z8d21oczd 1 year ago


Selected Answer: D
I would think that D is the most accurate because it can detect and block traffic which uses known vulnerabilities. But AntiVirus could help to avoid
downloading the malware itself. But how the question sounds, it's more likely D what they want to hear.
upvoted 1 times

  Sandman77 1 year, 2 months ago


Selected Answer: D
D is correct
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: D
the exploit is on a Vulnerability. The issue is whether Palo calls it that or combines it in "antivirus". Looking at the previous comments, it is obvious
that Vulnerability is a separate security policy concern.
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: D
the exploit is on a Vulnerability. The issue is whether Palo calls it that or combines it in "antivirus". Looking at the previous comments, it is obvious
that Vulnerability is a separate security policy concern.
upvoted 1 times

  zeebo340 1 year, 4 months ago


Vulnerability Protection Security Profiles stop attempts to exploit system flaws or gain unauthorized access to systems. Anti-Spyware Security
Profiles identify infected hosts as traffic leaves the network, but Vulnerability Protection Security Profiles protect against threats entering the
network.

For example, Vulnerability Protection Security Profiles protect against buffer overflows, illegal code execution, and other attempts to exploit system
vulnerabilities

Correct answer is D

Ref - PCNSA Study Guide 2022 - P157


upvoted 4 times

  Jheax 1 year, 5 months ago


D is correct
upvoted 1 times


  Grandslam 1 year, 6 months ago


Selected Answer: D
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
Page 153
Vulnerability Protection - Detects attempts to exploit known software vulnerabilities
upvoted 2 times

  Rowdy_47 1 year, 8 months ago


Apply a Vulnerability Protection profile to every Security Policy rule that allows traffic to protect against buffer overflows, illegal code execution,
and other attempts to exploit client- and server-side vulnerabilities.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection.html
upvoted 2 times

  Rowdy_47 1 year, 8 months ago


https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
upvoted 1 times

  Cyril_the_Squirl 1 year, 9 months ago


D is Correct
upvoted 1 times

  Nicholasvolta 1 year, 9 months ago


I think it's D, but no one has come to this last question so there are no comments..
upvoted 1 times

Question #116 Topic 1

Palo Alto Networks firewall architecture accelerates content inspection performance while minimizing latency using which two components?
(Choose two.)

A. Network Processing Engine

B. Policy Engine

C. Parallel Processing Hardware

D. Single Stream-based Engine

Correct Answer: CD

Community vote distribution


CD (100%)

  javim 1 year, 1 month ago


Selected Answer: CD
C & D are correct.
Page 32, PCNSA study guide
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: CD
The very core of Palo's concept.
upvoted 1 times


Question #117 Topic 1

An administrator is reviewing another administrator's Security policy log settings.


Which log setting configuration is consistent with best practices for normal traffic?

A. Log at Session Start and Log at Session End both enabled

B. Log at Session Start enabled, Log at Session End disabled

C. Log at Session Start disabled, Log at Session End enabled

D. Log at Session Start and Log at Session End both disabled

Correct Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC


Question #118 Topic 1

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

A. URL filtering

B. vulnerability protection

C. anti-spyware

D. antivirus

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles

  blahblah1234567890000 6 months ago


Selected Answer: C
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
upvoted 2 times

  TheMaster01 10 months ago


Selected Answer: C
In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a
known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected
hosts on the protected network using DNS traffic.
upvoted 1 times

  ebarros 10 months, 1 week ago


Correct answer is D, no?
upvoted 1 times


Question #119 Topic 1

Given the topology, which zone type should zone A and zone B be configured with?

A. Layer3

B. Ethernet

C. Layer2

D. Virtual Wire

Correct Answer: A

  H3kerman 1 year, 8 months ago


In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. A Virtual Router object must exist for the firewall to route traffic
between Layer 3 interfaces. Layer 3 interfaces are assigned IP addresses.
upvoted 1 times


Question #120 Topic 1

Assume a custom URL Category Object of `NO-FILES` has been created to identify a specific website.
How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

A. Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES.

B. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate File Blocking profile.

C. Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES.

D. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate Data Filtering profile.

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-file-blocking

  ZZL Highly Voted  1 year, 8 months ago


Should be B, especially after reading the mentioned url. The question is asking to block file but not restricting web access. So only option B allows
security policy to block a file.
upvoted 8 times

  z8d21oczd Most Recent  1 year ago


Selected Answer: B
Must be B
upvoted 4 times

  Sandman77 1 year, 2 months ago


Selected Answer: B
B is correct
upvoted 3 times

  mjw80013 1 year, 2 months ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-file-blocking
Create a File Blocking profile and attach it to the Security policy
upvoted 2 times

  LordScorpius 1 year, 3 months ago


Selected Answer: B
B is absolutely correct because it contains the verbiage of the File Policy. Agree with ZZL.
upvoted 2 times

  LuisRG17 1 year, 7 months ago


B is correct
upvoted 2 times


Question #121 Topic 1

Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

A. authorization

B. continue

C. authentication

D. override

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions.html

  H3kerman Highly Voted  1 year, 8 months ago


Selected Answer: D
OVERRIDE - The user will see a response page indicating that a password is required to allow access to websites in the given category. With this
option, the security administrator or help-desk person would provide a password granting temporary access to all websites in the given category. A
log entry is generated in the URL Filtering log. The Override webpage doesn’t display properly on client systems configured to use a proxy server.
upvoted 5 times


Question #122 Topic 1

How are Application Filters or Application Groups used in firewall policy?

A. An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.

B. An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.

C. An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.

D. An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.

Correct Answer: C

  Emanc21 Highly Voted  1 year, 8 months ago


Selected Answer: C
is correct
upvoted 7 times

  mlj23 Most Recent  2 months ago


C is correct. Application groups are static not dynamic.
upvoted 1 times

  BeforeScope 6 months, 1 week ago


Selected Answer: C
An application filter is an object that dynamically groups applications based on application attributes that you select from the App-ID database.
[Palo Alto Networks]
upvoted 1 times

  dbcool22 10 months, 3 weeks ago


Selected Answer: C
C, Filters are dynamic and can be added to an app group. App groups can also be added to other app groups
upvoted 2 times

  nono0001 1 year, 3 months ago


answer B
Nesting Application Groups and Filters
An administrator can nest application groups and filters. Multiple applications and multiple application filters can be combined into an application
group. One or more application groups then also can be combined into one application group. The final application group then can be added to a
Security policy rule.
upvoted 1 times

  H3kerman 1 year, 8 months ago


An administrator can dynamically categorize multiple applications into an application filter based on the specific attributes Category, Subcategory,
Tags, Risk, and Characteristic. For example, if you want to allow all audio streaming applications, you could create an application filter that includes
the subcategory of audio-streaming, which automatically would add all applications to the filter from the App-ID database that are subcategorized
as audio-streaming. The filter then would be added as an application to a Security policy rule. Application filters simplify the process of ensuring
that all applications that meet any attribute automatically are added to a Security policy.
upvoted 1 times


Question #123 Topic 1

Which tab would an administrator click to create an address object?

A. Objects

B. Monitor

C. Device

D. Policies

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-addresses

  H3kerman 1 year, 8 months ago


To create an address object, perform the following steps:
1. Select Objects > Addresses and Add an address object by Name. The name is case-sensitive, and the name must be unique. There is a limit of 63
characters (letters, numbers, spaces, hyphens, and underscores).
2. Select the Type of address object.
3. Enter a tag to apply to the address object.
4. Commit changes.
5. View logs filtered by your address object.
6. View a custom report based on your address object.
7. Use a filter in the ACC to view network activity. Select ACC > Network Activity.
upvoted 2 times

Question #124 Topic 1

An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?

A. Enable Log at Session Start

B. Disable all logging

C. Enable Log at both Session Start and End

D. Enable Log at Session End

Correct Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC

  H3kerman 1 year, 8 months ago


best practice is to log the end-of-session traffic
upvoted 1 times

  H3kerman 1 year, 8 months ago


Best practice is to log the traffic.
upvoted 2 times


Question #125 Topic 1

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)

A. QoS profile

B. DoS Protection profile

C. Zone Protection profile

D. DoS Protection policy

Correct Answer: BC

  zeebo340 1 year, 4 months ago


The answer is B and C.

DoS Protection profile: Object -- Security Profile -- DoS Protection -- Add --


SYN Flood info is found here

Zone Protection Profile: Network -- Zones -- Inside -- Zone Protection Profile -- NEW
SYN Flood info is found here
upvoted 3 times

  H3kerman 1 year, 8 months ago


Flood Attack Protection
Zone Protection Profiles protect against five types of floods:
• SYN (TCP)
• UDP
• ICMP
• ICMPv6
• Other IP
upvoted 3 times


Question #126 Topic 1

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.
What is the correct process to enable this logging?

A. Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.

B. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.

C. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.

D. This rule has traffic logging enabled by default; no further action is required.

Correct Answer: B

  AG15808 Highly Voted  1 year, 6 months ago


A is the correct answer. You must select "Override" and A is the only answer that meets this requirement.
upvoted 7 times

  mr_flubber Most Recent  2 months, 3 weeks ago


Selected Answer: A
It's A, override is necessary.
upvoted 1 times

  Adilon 3 months ago


override for sure
upvoted 1 times

  all_nicknames_are_taken 4 months, 3 weeks ago


A: https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-practice-security-policy/log-and-monitor-data-center-traffic/log-data-center-traffic-that-matches-no-interzone-rules
upvoted 1 times

  BeforeScope 6 months, 1 week ago


Selected Answer: A
Override
upvoted 1 times

  Chance101 6 months, 3 weeks ago


Selected Answer: A
tis A boom shacka lacka
upvoted 1 times

  Spaz_6 7 months, 1 week ago


Selected Answer: A
The default policy can only be modified with override option.
upvoted 1 times

  TheMaster01 10 months ago


Selected Answer: A
Default rules are not modifiable unless you override them
upvoted 3 times

  z8d21oczd 1 year ago


Selected Answer: A
A it is. Tested and verified
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: A
A is correct answer. You need to override.
upvoted 1 times

  bnsrikar 1 year, 2 months ago


A is correct answer. You need to override.
Default rules cannot be modified
upvoted 2 times

  LordScorpius 1 year, 3 months ago



Selected Answer: A
Default rules and profiles require Override and, of course, best practice, log at end.
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: A
A. Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.
upvoted 3 times

  LuisRG17 1 year, 7 months ago


Selected Answer: A
A is correct
upvoted 2 times

  H3kerman 1 year, 8 months ago


Selected Answer: A
The default rules are predefined rules that are part of the predefined configuration and are read-only by default; you can override them and
change a limited number of settings, including the tags, action (allow or deny), log settings, and security profiles. The names for the two default
rules are intrazone-default and interzone-default.
upvoted 4 times

  Jeevanchalhai 1 year, 8 months ago


A is correct
upvoted 2 times

  ZZL 1 year, 8 months ago


Should be A, the default status is "Read Only", so you have to override it first, before enabling the logging.
upvoted 4 times


Question #127 Topic 1

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.
What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

A. Add static routes to route between the two interfaces

B. Add interfaces to the virtual router

C. Add zones attached to interfaces to the virtual router

D. Enable the redistribution profile to redistribute connected routes

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/virtual-routers.html

  drogadotcom 3 months, 2 weeks ago


Selected Answer: B
B is the correct answer since the question is asking about route traffic between two interfaces (not subnets). That is why it cannot be A. Also to add
static routes you need to have the related interfaces already inserted.
upvoted 1 times

  hugodiaz 4 months, 1 week ago


Selected Answer: B
Correct
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: B
They are not using the default VR. 1 was made so interfaces and static routes have to be created. Since interfaces come first, that's the answer.
upvoted 2 times

  gustavok 1 year, 4 months ago


Selected Answer: B
Routers know which subnets are physically connected to them and can route between them without any further configuration
upvoted 2 times

  olexx 1 year, 4 months ago


B is correct, it says only one V-Router is configured; even if we set the static route without the interfaces being attached to the ONLY V-Router that
we have, those very two interfaces wouldn't be able to communicate ;)
upvoted 1 times

  javim 1 year, 4 months ago


correct answer is B
upvoted 2 times


  JeffreyMcMaster 1 year, 5 months ago


Selected Answer: A
It's in the explanation.
upvoted 1 times

  javim 1 year, 4 months ago


Between two interfaces it is not necessary to apply static route because they are directly connected, "route traffic between two interfaces on the
NGFW".
upvoted 4 times

Question #128 Topic 1

An administrator wants to prevent users from submitting corporate credentials in a phishing attack.
Which Security profile should be applied?

A. antivirus

B. anti-spyware

C. URL-filtering

D. vulnerability protection

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention.html#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

  LuisRG17 1 year, 7 months ago


https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention.html#idc77030dc-6022-4458-8c50-1dc0fe7cffe4
upvoted 1 times

  H3kerman 1 year, 8 months ago


URL Filtering Security Profiles
For each URL category, select User Credential Submissions to allow or disallow users from submitting valid corporate credentials to a URL in that
category. This action will prevent credential phishing.
upvoted 1 times

  sabaheta 1 year, 9 months ago


C is correct answer :
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/prevent-credential-phishing.html
upvoted 2 times


Question #129 Topic 1

Which two rule types allow the administrator to modify the destination zone? (Choose two.)

A. interzone

B. shadowed

C. intrazone

D. universal

Correct Answer: AD
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

  bariloch1 Highly Voted  1 year, 9 months ago


a and d choose two
upvoted 13 times

  DlaEdu_Ex Most Recent  3 weeks, 1 day ago


Selected Answer: AD
AD is correct
upvoted 1 times

  mr_flubber 2 months, 3 weeks ago


Selected Answer: AD
A and D are between multiple zones
upvoted 1 times

  drogadotcom 3 months, 2 weeks ago


Selected Answer: AD
Interzone: traffic between two different zones.
Intrazone: traffic within the same zone
Universal: traffic that matches interzone and intrazone
The question is talking about a destination zone, meaning it is not a source zone, which automatically excludes C. So it must be A and D
upvoted 1 times

  JakaP 5 months ago


Selected Answer: AD
a and d choose
upvoted 1 times

  jm31 5 months, 3 weeks ago


B&D
Interzone and Intrazone default rules can't be edited. You can only override and change the Logging settings. Modifying zone is forbidden.
Shadowed rules are technically valid rules which are configured by administrators.
upvoted 1 times

  hugodiaz 4 months, 2 weeks ago


Question isn't talking about the default rules, it is talking about the policy rule TYPE, you can set the policy rule type to interzone, intrazone, or
universal. Intrazone is a rule type that only defines a single zone. Shadow is a feature for optimizing policies that may be shadowed by another
policy.
upvoted 2 times

  daytonadave2011 6 months, 3 weeks ago


Selected Answer: AD
A and D. Universal and Interzone are the best answers.
upvoted 1 times

  TheMaster01 10 months ago


Selected Answer: AD
Interzone is for traffic on a single zone and shadowed does not exist
upvoted 1 times

  Hyay 10 months, 1 week ago


Selected Answer: BD
You can't change default intrazone and interzone rules. Must be B & D


upvoted 1 times

  hugodiaz 4 months, 2 weeks ago


Read the question carefully, it asked about "Which two RULE TYPES" not default policy rules.
upvoted 1 times

  Batdre84 1 year, 2 months ago


Answers Are: B & D

The “predefined” or Panorama pushed “intrazone-default” and “interzone-default” rules names or functions cannot be changed.

This is indicated by a green border around the editor and the “Read Only” wording in the title.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 3 times

  LordScorpius 1 year, 3 months ago


Selected Answer: A
Choose Two. A and D
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: D
both A and D
upvoted 3 times

  Kevin310 1 year, 6 months ago


Selected Answer: D
both A and D
upvoted 3 times

  Emanc21 1 year, 8 months ago


A & D are the correct answers.
upvoted 3 times

  rcptryk 1 year, 8 months ago


correct answer a and d. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 4 times

Question #130 Topic 1

What is the main function of Policy Optimizer?

A. reduce load on the management plane by highlighting combinable security rules

B. migrate other firewall vendors' security rules to Palo Alto Networks configuration

C. eliminate "Log at Session Start" security rules

D. convert port-based security rules to application-based security rules

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.html

  H3kerman 1 year, 8 months ago


Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an App-ID-based rulebase, which improves your
security by reducing the attack surface and offering visibility into applications so you can safely enable them. Policy Optimizer identifies port-based
rules so you can convert them to application-based whitelist rules or add applications from a port-based rule to an existing application-based rule
without compromising application availability. It also identifies over-provisioned App-ID-based rules (App-ID rules configured with unused
applications). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify application-based rules that allow applications
you do not use, and analyze rule usage characteristics such as hit count.
upvoted 4 times


Question #131 Topic 1

Based on the screenshot, what is the purpose of the group in User labelled `it`?

A. Allows "any" users to access servers in the DMZ zone.

B. Allows users to access IT applications on all ports.

C. Allow users in group "it" to access IT applications.

D. Allow users in group "DMZ" to access IT applications.

Correct Answer: C

  markeloff23 9 months, 2 weeks ago


Selected Answer: C
C correct
upvoted 2 times

  SessoConPupoPazzo 2 months, 4 weeks ago


Why, please explain
upvoted 1 times

  cawoyev 2 months, 1 week ago


It's not A because it says "any" users but we can see the user group is called "it".

It's not B because it says access IT applications on all ports, it's not all ports, but default ports.

It's not D because it says group "DMZ" but the group is called "it".

It's C which says to allow group "it" to access IT application, which is true. If they added "on standard ports" would have been more accurate
but then it would have been simple I assume
upvoted 1 times

Question #132 Topic 1

Which action results in the firewall blocking network traffic without notifying the sender?

A. Drop

B. Deny

C. No notification

D. Reset Client

Correct Answer: A

  nolox 3 months, 2 weeks ago


Selected Answer: A
Agreed
upvoted 1 times

Question #133 Topic 1

Assume that traffic matches a Security policy rule but the attached Security Profile is configured to block matching traffic.
Which statement accurately describes how the firewall will apply an action to matching traffic?

A. If it is a block rule, then Security Profile action is applied last.

B. If it is an allow rule, then the Security policy rule is applied last.

C. If it is a block rule, then the Security policy rule action is applied last.

D. If it is an allowed rule, then the Security Profile action is applied last.

Correct Answer: D

  H3kerman Highly Voted  1 year, 8 months ago


Selected Answer: D
Security Profiles are added to the end of Security policy rules. After a packet has been allowed by the Security policy
upvoted 8 times

  drogadotcom 3 months, 2 weeks ago


That is true, Security profiles are applied only after a Security policy allow match; if the traffic is for example dropped they will not match
Security profiles.
upvoted 1 times

Question #134 Topic 1

Which Security profile can you apply to protect against malware such as worms and Trojans?

A. antivirus

B. data filtering

C. vulnerability protection

D. anti-spyware

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles#:~:text=Antivirus%20profiles%20protect%20against%20viruses,as%20well%20as%20spyware%20downloads.

  nolox 3 months, 2 weeks ago


Selected Answer: A
Correct
upvoted 1 times

  H3kerman 1 year, 8 months ago


Antivirus Security Profiles protect against viruses, worms, and Trojans, along with spyware downloads.
upvoted 3 times

Question #135 Topic 1

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH,
web-browsing and SSL applications.
Which policy achieves the desired results?
A.

B.

C.

D.

Correct Answer: B

  DlaEdu_Ex 3 weeks, 1 day ago


B is correct
upvoted 1 times

  hugodiaz 4 months, 1 week ago


B. Because A restricts internet to just the nexthop network
upvoted 2 times

  BeforeScope 6 months, 1 week ago


Answer is B

upvoted 1 times
  Banchan 10 months ago
I think so, A. Because both IP addresses are correct.
upvoted 1 times

  Hyay 10 months, 1 week ago


Shouldn't it be A ?
upvoted 1 times

  Hyay 10 months ago


My bad, B is correct. Because A is too restrictive on internet
upvoted 3 times

Question #136 Topic 1

Which license is required to use the Palo Alto Networks built-in IP address EDLs?

A. DNS Security

B. Threat Prevention

C. WildFire

D. SD-Wan

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls.html#:~:text=With%20an%20active%20Threat%20Prevention,to%20protect%20against%20malicious%20hosts

  Kalender 2 months, 1 week ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls
upvoted 1 times

  H3kerman 1 year, 8 months ago


An active Threat Prevention license is required to obtain Palo Alto Networks built-in EDLs. These built-in EDLs protect your network against
malicious hosts
upvoted 3 times

Question #137 Topic 1

Which statement is true about Panorama managed devices?

A. Panorama automatically removes local configuration locks after a commit from Panorama.

B. Local configuration locks prohibit Security policy changes for a Panorama managed device.

C. Security policy rules configured on local firewalls always take precedence.

D. Local configuration locks can be manually unlocked from Panorama.

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-panorama/manage-locks-for-restricting-configuration-changes.html

  mr_flubber 2 months, 3 weeks ago


Selected Answer: B
B is correct. Once locked from the local PA, a new policy can't be pushed from Pano
upvoted 1 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: B
B is correct. Once locked from the local PA, a new policy can't be pushed from Pano
upvoted 4 times

  BC1c1c 10 months ago


B is correct: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltACAS "When a user has a configuration lock, it is
not possible to perform a commit or push a policy from Panorama. If the administrator is not available to remove the lock, a device WebGUI or CLI
command can be used by a superuser to force the removal of the configuration lock."

A is not correct. You can't perform a commit while a lock is in place, therefore, the lock can't be automatically removed after a commit that you
cannot execute.
upvoted 2 times

  z8d21oczd 1 year ago


B is correct. If you try to push a config to a device with a local lock you get the following message:
Details:
. Other administrators are holding device wide config locks.
upvoted 1 times

  mjw80013 1 year, 2 months ago


Selected Answer: B
Local locks prevent Panorama pushes. They have to be removed by the admin who locked it
upvoted 2 times

Question #138 Topic 1

A Security Profile can block or allow traffic at which point?

A. on either the data plane or the management plane

B. after it is matched to a Security policy rule that allows or blocks traffic

C. after it is matched to a Security policy rule that allows traffic

D. before it is matched to a Security policy rule

Correct Answer: C

  Kevin310 1 year, 6 months ago


Selected Answer: C
C is the correct answer.
upvoted 3 times

  H3kerman 1 year, 8 months ago


Selected Answer: C
Security Profiles are added to the end of Security policy rules. After a packet has been allowed by the Security policy
upvoted 2 times

Question #139 Topic 1

DRAG DROP -
Place the following steps in the packet processing order of operations from first to last.
Select and Place:

Correct Answer:

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

  Bubu3k Highly Voted  1 year, 4 months ago


Zone Protection Checks
TCP State Check
Forwarding (based on interface type)
NAT Policy Lookup (only L3 & Virt wire)
DoS Protection Policy Lookup
Security Policy Lookup
Session Allocation
Firewall Session Fast Path (if packet from existing session)
Security Processing
Captive Portal
Application Identification
Content Inspection
Forwarding/Egress (includes QoS)
upvoted 7 times

  DriftLanevo 1 year, 3 months ago


Thanks! better than PA official guide!
upvoted 1 times

  DriftLanevo 1 year, 3 months ago


I think after Content Inspection, there will be
Encrypt/Decrypt
Security Profile enforcement
upvoted 1 times

  khaled_ellaboudy Most Recent  5 months ago


Correct Answer
upvoted 1 times

Question #140 Topic 1

Which type of address object is `10.5.1.1/0.127.248.2`?

A. IP netmask

B. IP subnet

C. IP wildcard mask

D. IP range

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/create-an-address-object.html

  khaled_ellaboudy 5 months ago


Selected Answer: C
Wild Card
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: C
C is correct.
upvoted 1 times

Question #141 Topic 1

Which component is a building block in a Security policy rule?

A. decryption profile

B. destination interface

C. timeout (min)

D. application

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-security/building-blocks-in-a-security-policy-rule.html

  o0ZACK0o 4 months, 1 week ago


Selected Answer: D
Answer is D
upvoted 1 times

Question #142 Topic 1

You have been tasked to configure access to a new web server located in the DMZ.
Based on the diagram what configuration changes are required in the NGFW virtual router to route traffic from the 10.1.1.0/24 network to
192.168.1.0/24?

A. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/2 with a next-hop of 172.16.1.2.

B. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.10

C. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 172.16.1.2.

D. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.254.

Correct Answer: C

  zeebo340 Highly Voted  1 year, 4 months ago


Answer is C
upvoted 5 times

  Kevin310 Highly Voted  1 year, 6 months ago


Selected Answer: C
C is correct.
upvoted 5 times

  H3kerman Most Recent  1 year, 8 months ago


Selected Answer: C
C is correct answer. Destination is the web server, interface towards the router and next hop IP address of the routers interface connected to FW.
upvoted 4 times

  Jeevanchalhai 1 year, 8 months ago


Ignore my previous comment. I was thinking routing on RTR, not on NGFW
upvoted 3 times

  Jeevanchalhai 1 year, 8 months ago


None of the options look correct to me.
I would pick D if interface was Eth1/2 . Hope there is no typo
upvoted 1 times

Question #143 Topic 1

An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new
content becomes available.
Which security policy action causes this?

A. Reset server

B. Reset both

C. Deny

D. Drop

Correct Answer: C

  mr_flubber 2 months, 3 weeks ago


Simple answer, confusing question..
upvoted 1 times

  error_909 1 year, 4 months ago


Selected Answer: C
For clarification:
Each app has its own default deny action listed in the database. If the deny option is selected in the policy rule, then this default action will be used.
Answer C is correct
upvoted 4 times

  sabaheta 1 year, 9 months ago


C is correct answer.

A drop is silent, you simply discard the packet and don't tell anyone about it. This is great for most situations as you don't generate more traffic
on your network and outsiders who may potentially be scanning you are none the wiser.

A deny sends a notification to the sender that something happened and their packet was rejected
upvoted 2 times

Question #144 Topic 1

Selecting the option to revert firewall changes will replace what settings?

A. the candidate configuration with settings from the running configuration

B. dynamic update scheduler settings

C. the running configuration with settings from the candidate configuration

D. the device state with settings from another configuration

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/revert-firewall-configuration-changes.html

  sabaheta Highly Voted  1 year, 9 months ago


Correct answer should be A.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/web-interface-basics/revert-changes
upvoted 14 times

  ARWANGSH Most Recent  6 months, 1 week ago


Selected Answer: A
A is correct
upvoted 1 times

  Spaz_6 7 months, 1 week ago


Selected Answer: A
A is the right answer
upvoted 1 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: A
correct answer should be A
upvoted 1 times

  TheMaster01 10 months ago


Selected Answer: A
A is correct
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: A
Correct answer should be A.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/web-interface-basics/revert-changes
upvoted 1 times

  LordScorpius 1 year, 3 months ago


Selected Answer: A
Did someone pick "D" just to see if we are paying attention? It's A
upvoted 2 times

  zeebo340 1 year, 4 months ago


Correct answer is A
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: A
Answer A is Correct
upvoted 2 times

  H3kerman 1 year, 8 months ago


Selected Answer: A
Revert operations replace settings in the current candidate configuration with settings from another configuration. Reverting changes is useful
when you want to undo changes to multiple settings as a single operation instead of manually reconfiguring each setting.
upvoted 1 times

  ZZL 1 year, 9 months ago


Agree.
Select Config > Revert Changes at the top right of the firewall or Panorama web interface to undo changes made to the candidate configuration since
the last commit.
upvoted 1 times

Question #145 Topic 1

An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop.
If the application's default deny action is reset-both, what action does the firewall take?

A. It silently drops the traffic.

B. It silently drops the traffic and sends an ICMP unreachable code.

C. It sends a TCP reset to the server-side device.

D. It sends a TCP reset to the client-side and server-side devices.

Correct Answer: D

  blu_gandalf 2 months, 1 week ago


Guys, it's D, I just had it in the Practice Exam, May-2023
upvoted 1 times

  mr_flubber 2 months, 3 weeks ago


Selected Answer: A
It will not process the application profile and drop the traffic; A
upvoted 2 times

  o0ZACK0o 4 months, 1 week ago


Selected Answer: A
The correct answer is A
upvoted 1 times

  Tandos 4 months, 1 week ago


Answer is D as on the Palo Alto practice exam link below

https://beacon.paloaltonetworks.com/assessment_responses/report/16167409#assessment-response-details
upvoted 1 times

  Neil_Neo234 8 months ago


Selected Answer: A
Security policy action comes first. So the action will be drop
upvoted 2 times

  DigitalEtrigan 8 months ago


"the action is drop" this is stated in the question :)

Drop:
Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
upvoted 2 times

  DigitalEtrigan 8 months ago


So it is clearly A.
upvoted 1 times

  FireACACIA 8 months, 2 weeks ago


The answer is D https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/security-policy-actions

Reset both= Sends a TCP reset to both the client-side and server-side devices.
upvoted 2 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: A
correct answer is A
upvoted 2 times

  froggy2638 9 months ago


The correct answer is D. Reset-both => Sends a TCP reset to both the client-side and server-side devices.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection
upvoted 1 times

  kvothe86 9 months ago

This link refers to the action for signatures: Objects > Security Profiles > Vulnerability Protection, and not for the exam question. Please refrain from
posting incorrect answers!
upvoted 3 times

  TheMaster01 10 months ago


Selected Answer: A
If a policy is set to drop, it will take precedence over the App-ID configuration
upvoted 2 times

  reinaldopazsandoval 10 months ago


Selected Answer: A
Should be A because the comment "and the action is drop" as is not a deny the security policy rule will not fall under the Deny APP default action.
upvoted 1 times

  H3kerman 1 year, 8 months ago


Selected Answer: D
Reset Both
For TCP, resets the connection on both the client and server ends. For UDP,
drops the connection.
upvoted 1 times

Question #146 Topic 1

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)

A. SAML 2.0

B. Kerberos

C. TACACS

D. TACACS+

E. SAML 1.0

Correct Answer: ABD

  error_909 1 year, 4 months ago


Selected Answer: ABD
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-types.html
upvoted 1 times

  H3kerman 1 year, 8 months ago


PAN-OS software supports the following authentication types:
• None
• Local Database
• RADIUS
• LDAP
• TACACS+
PALO ALTO NETWORKS: PCNSA Study Guide 106
• SAML
• Kerberos
upvoted 1 times

Question #147 Topic 1

Which objects would be useful for combining several services that are often defined together?

A. application filters

B. service groups

C. shared service objects

D. application groups

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-services.html

  LordScorpius 1 year, 3 months ago


Selected Answer: B
R.T.F.Q.
upvoted 4 times

Question #148 Topic 1

Given the screenshot, what two types of route is the administrator configuring? (Choose two.)

A. BGP

B. static route

C. default route

D. OSPF

Correct Answer: BC

  H3kerman 1 year, 8 months ago


In question was asked for 2. B and C are valid
upvoted 4 times

  Jeevanchalhai 1 year, 8 months ago


B and C
upvoted 4 times

  Rowdy_47 1 year, 8 months ago


It literally says it at the top of the screenshot "Virtual Router - Static Route - IPv4"
and we all know that 0.0.0.0 represents a default route.
upvoted 4 times

  LordScorpius 1 year, 3 months ago


So which answer is the best?
upvoted 1 times

  ZZL 1 year, 9 months ago


PA doesn't support EIGRP
upvoted 1 times

  sabaheta 1 year, 9 months ago


Are we missing an answer here - EIGRP? Default route for sure! But OSPF?? metrics
upvoted 2 times

Question #149 Topic 1

Which rule type is appropriate for matching traffic both within and between the source and destination zones?

A. interzone

B. shadowed

C. intrazone

D. universal

Correct Answer: A

  sabaheta Highly Voted  1 year, 8 months ago


Yes, correct answer should be D.Universal.
upvoted 10 times

  cyberdiamond Most Recent  3 months, 1 week ago


Interzone and Intrazone rules = Universal
upvoted 1 times

  PaloCert 3 months, 2 weeks ago


Selected Answer: D
D (Universal) for intra and inter zone traffic
upvoted 1 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: D
D is for both inter and intra
upvoted 2 times

  TheMaster01 10 months ago


Selected Answer: D
Universal is for all types of flows, inter or intra
upvoted 1 times

  gully300 11 months, 3 weeks ago


Selected Answer: D
The correct answer should be D.Universal.
upvoted 1 times

  kewokil120 1 year, 2 months ago


Selected Answer: D
The answer should be D.
upvoted 1 times

  zeebo340 1 year, 4 months ago


The answer should be D.
upvoted 2 times

  yurakoresh 1 year, 4 months ago


Selected Answer: D
Agree with others, should be "D"!
upvoted 2 times

  Kevin310 1 year, 6 months ago


Selected Answer: D
D is the correct answer.
upvoted 1 times

  LuisRG17 1 year, 7 months ago


D is correct
upvoted 1 times

  H3kerman 1 year, 8 months ago


Selected Answer: D
Universal - By default, all the traffic destined between two zones, regardless of whether it is from the same zone or different zone. Universal rule
types apply to all matching interzone and intrazone traffic in the specified source and destination zones.
upvoted 4 times
  Jeevanchalhai 1 year, 8 months ago
it should be D
upvoted 2 times

  ZZL 1 year, 9 months ago


Shouldn't this be a Universal Policy?
upvoted 3 times

  Farah123 1 year, 9 months ago


i think also answer D is correct: universal
upvoted 3 times

Question #150 Topic 1

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the
ICMP code
`communication with the destination is administratively prohibited`.
Which security policy action causes this?

A. Drop

B. Drop, send ICMP Unreachable

C. Reset both

D. Reset server

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy/security-policy-actions.html

  LordScorpius 1 year, 3 months ago


Selected Answer: B
Why not reset? Because "For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response."
upvoted 3 times

  error_909 1 year, 4 months ago


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClltCAC#:~:text=The%20Deny%20action%20will%20tear,packets%20will%20be%20silently%20discarded.
upvoted 1 times

  error_909 1 year, 4 months ago


Answer is Drop and send ICMP unreachable
upvoted 2 times

  H3kerman 1 year, 8 months ago


Drop

Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop
and enable the Send ICMP Unreachable
check box. When enabled, the firewall sends the ICMP code for communication with the destination is administratively prohibited—ICMPv4: Type 3,
Code 13; ICMPv6: Type 1, Code 1.
upvoted 4 times

  LuisRG17 1 year, 7 months ago


I guess that the correct answer is B, because you will drop the request and additional you have to enable Send ICMP Unreachable to send the
message
upvoted 3 times

Question #151 Topic 1

You receive notification about new malware that infects hosts through malicious files transferred by FTP.
Which Security profile detects and protects your internal networks from this threat after you update your firewall's threat signature database?

A. URL Filtering profile applied to inbound Security policy rules.

B. Data Filtering profile applied to outbound Security policy rules.

C. Antivirus profile applied to inbound Security policy rules.

D. Vulnerability Protection profile applied to outbound Security policy rules.

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles

  H3kerman 1 year, 8 months ago


Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine,
which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without
significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and
JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled Decryption on the
firewall, the profile also enables scanning of decrypted content.
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking
for FTP, HTTP, and SMB protocols.
upvoted 4 times

Question #152 Topic 1

An administrator wants to prevent access to media content websites that are risky.
Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

A. recreation-and-hobbies

B. streaming-media

C. known-risk

D. high-risk

Correct Answer: BD

  Rowdy_47 Highly Voted  1 year, 8 months ago


I'm going to go with B and D
Reason being that I think media content matches closer with option B
known risk is not an option in the security focused URL category

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/url-filtering-multi-category.html
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/url-filtering-security-categories.html
upvoted 10 times

  H3kerman 1 year, 8 months ago


I agree
upvoted 1 times

  zeebo340 Highly Voted  1 year, 4 months ago


Known-risk not available. So the correct answer must be B & D.
upvoted 5 times

  error_909 Most Recent  1 year, 4 months ago


Selected Answer: BD
B & D provide the combination of a solution that matches the question
upvoted 5 times

  Bubu3k 1 year, 4 months ago


Selected Answer: AB
D doesn't mean they are media sites, so i'd go with A & B

High-risk sites include:


Sites previously confirmed to be malware, phishing, or C2 sites that have displayed only benign activity for at least 30 days.
Unknown domains are classified as high-risk until PAN-DB completes site analysis and categorization.
Sites that are associated with confirmed malicious activity. For example, a page might be high-risk if there are malicious hosts on the same domain,
even if the page itself does not contain malicious content.
Bulletproof ISP-hosted sites.
upvoted 1 times

  Rider85 1 year, 5 months ago


AB are the correct answers
upvoted 1 times

  Kevin310 1 year, 6 months ago


Selected Answer: BD
B and D
upvoted 3 times

Question #153 Topic 1

Which dynamic update type includes updated anti-spyware signatures?

A. PAN-DB

B. Applications and Threats

C. GlobalProtect Data File

D. Antivirus

Correct Answer: B

  DDisGR8 11 months ago


Selected Answer: B
Applications and Threat covers this one
upvoted 1 times

  zeebo340 1 year, 4 months ago


The majority of those updates are covered by Applications and Threat. Answer B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures.html
upvoted 2 times

  error_909 1 year, 4 months ago


Selected Answer: B
ANSWER IS B
upvoted 2 times

  Grandslam 1 year, 6 months ago


Selected Answer: B
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
Page 61:
Applications and Threats: Includes new and updated application and threat signatures, including those that detect spyware and vulnerabilities.
upvoted 2 times

  vdsdrs 1 year, 7 months ago


B and D are correct.
Wrong question.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/threat-signatures.html
upvoted 1 times

  vdsdrs 1 year, 7 months ago


I will go with B
upvoted 1 times

  H3kerman 1 year, 8 months ago


Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and automatically generated command-and-control (C2)
signatures. WildFire signatures detect malware seen first by firewalls from around the world. You must have a Threat Prevention subscription to get
these updates. New antivirus signatures are published daily.
upvoted 1 times

  Grandslam 1 year, 6 months ago


Two more down and you would have been on the correct answer:
Applications and Threats: Includes new and updated application and threat signatures, including those that detect spyware and vulnerabilities
upvoted 1 times

Question #154 Topic 1

An administrator would like to silently drop traffic from the internet to a ftp server.
Which Security policy action should the administrator select?

A. Drop

B. Deny

C. Block

D. Reset-server

Correct Answer: A

  sabaheta 1 year, 9 months ago


A. correct answer..
Drop silently drops the packet, while deny gives an update.
upvoted 2 times

Question #155 Topic 1

Which object would an administrator create to block access to all high-risk applications?

A. HIP profile

B. Vulnerability Protection profile

C. application group

D. application filter

Correct Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKECA0

  nolox 3 months, 1 week ago


Selected Answer: D
I thought it was C but no:

https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-block-high-risk-apps-with-application/ba-p/517730

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKECA0
upvoted 1 times

  walcazea 4 months, 2 weeks ago


D is correct
upvoted 1 times

  Iqbal003 1 year, 2 months ago


D is correct
upvoted 1 times

Question #156 Topic 1

Which option is part of the content inspection process?

A. Packet forwarding process

B. IPsec tunnel encryption

C. SSL Proxy re-encrypt

D. Packet egress process

Correct Answer: C
Reference:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

  Bubu3k 1 year, 4 months ago


Selected Answer: C
Seems correct:
The firewall performs content Inspection, if applicable, where protocol decoders’ decode the flow and the firewall parses and identifies known
tunneling applications (those that routinely carry other applications like web-browsing).
If the identified application changes due to this, the firewall consults the security policies once again to determine if the session should be
permitted to continue.

If the application does not change, the firewall inspects the content as per all the security profiles attached to the original matching rule. If it results
in threat detection, then the corresponding security profile action is taken.

The firewall forwards the packet to the forwarding stage if one of the conditions hold true:
If inspection results in a ‘detection’ and security profile action is set to allow, or
Content inspection returns no ‘detection’.
The firewall then re-encrypts the packet before entering the forwarding stage, if applicable (SSL forward proxy decryption and SSH decryption).
upvoted 2 times

  nolox 3 months, 1 week ago


But there is also forwarding, so shouldn't it be A?
upvoted 1 times

Question #157 Topic 1

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of
time?

A. Disable automatic updates during weekdays

B. Automatically "download and install" but with the "disable new applications" option used

C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update

D. Configure the option for "Threshold"

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/threat-prevention/best-practices-for-application-and-threat-content-updates#

  TheMaster01 10 months ago


Selected Answer: D
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall
waits before installing the latest content. In a mission-critical network, schedule up to a 48 hour threshold.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-mission-critical#id184AH00L078
upvoted 1 times

  RahulGawale19 12 months ago


D. Configure the option for a Threshold
upvoted 1 times

Question #158 Topic 1

What must be considered with regards to content updates deployed from Panorama?

A. Content update schedulers need to be configured separately per device group.

B. Panorama can only install up to five content versions of the same type for potential rollback scenarios.

C. A PAN-OS upgrade resets all scheduler configurations for content updates.

D. Panorama can only download one content update at a time for content updates of the same type.

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama.html

  TheMaster01 10 months ago


Selected Answer: D
Panorama can download only one update at a time for updates of the same type. If you schedule multiple updates of the same type to download
during the same time Recurrence, only the first download succeeds.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama
upvoted 1 times

  Hyay 10 months, 1 week ago


Selected Answer: D
Correct.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama
upvoted 1 times

Question #159 Topic 1

During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. pattern based application identification

B. application override policy match

C. session application identified

D. application changed from content inspection

Correct Answer: AB
Reference:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

  nolox 3 months, 1 week ago


Selected Answer: AB
Based on link correct
upvoted 1 times

Question #160 Topic 1

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow

B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow

C. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow

D. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

  Surfside92 Highly Voted  9 months, 3 weeks ago


Selected Answer: D
The given answer D is correct - my previous answers are wrong. There's 2 policies at play here - the security and NAT policy. I thought the question
related to the NAT policy - it doesn't - it asks about the security policy.
upvoted 8 times

  Grace_Shu Most Recent  1 month, 3 weeks ago


Answer is D:
Zone: After NAT
Address: Before NAT
upvoted 1 times

  Aaron_0801 2 months, 2 weeks ago


Answer is D
"It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the
post-NAT zones".
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview#:~:text=It%20then%20evaluates%20and%20applies%20any%20security%20policies%20that%20match%20the%20packet%20based%20on%20the%20original%20(pre%2DNAT)%20source%20and%20destination%20addresses%2C%20but%20the%20post%2DNAT%20zones
upvoted 1 times

  nolox 3 months, 1 week ago


Selected Answer: D
As @Surfside92 mentioned, according to CBT Nuggets video (watched the same) answer should be B.

However, @ntir shared the link which shows literally this situation. I would go with D because it's from PA site.
upvoted 1 times

  ntir 5 months, 1 week ago


D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping#ide8f6a4b3-f875-4855-acb5-5fd9ad918d04
upvoted 1 times

  BeforeScope 6 months, 1 week ago
answer D
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: A
The key in this question is Security policy rule; the traffic will flow through the firewall within two rules, NAT rule policy + Security rule policy.
upvoted 2 times

  PunkSp 7 months, 3 weeks ago


Selected Answer: A
Must be A. You create the rule to the internal ip.
upvoted 2 times

  Surfside92 9 months, 3 weeks ago


Selected Answer: C
I've labbed this using a cbtnuggets video.
Within the rule you specify the dmz server global ip address and actual local address
upvoted 1 times

  Surfside92 9 months, 3 weeks ago


Sorry - meant answer b -
upvoted 1 times

Question #161 Topic 1

What does an administrator use to validate whether a session is matching an expected NAT policy?

A. system log

B. test command

C. threat log

D. config audit

Correct Answer: B
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0

  nolox 4 months, 1 week ago


Selected Answer: B
Correct
upvoted 1 times

Question #162 Topic 1

What is the purpose of the automated commit recovery feature?

A. It reverts the Panorama configuration.

B. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.

C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.

D. It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-panorama/enable-automated-commit-recovery.html

  nolox 4 months, 1 week ago


Selected Answer: C
Think it's correct
upvoted 1 times

Question #163 Topic 1

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

A. by minute

B. hourly

C. daily

D. weekly

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-mission-critical.html

  ntir 5 months, 1 week ago


C
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-mission-critical
upvoted 1 times

Question #164 Topic 1

DRAG DROP -
Place the steps in the correct packet-processing order of operations.
Select and Place:

Correct Answer:

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

  Mouna_cert Highly Voted  7 months, 2 weeks ago


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
1. Zone protection
2. Decryption
3. App-ID
4. Security profile enforcement
upvoted 12 times

  blackisok 2 months, 3 weeks ago


I agree. Best explanation: https://networkinterview.com/packet-flow-in-palo-alto-detailed-explanation/
upvoted 1 times

  Ermbmx2 2 months, 2 weeks ago


@blackisok
Based on the link you provided this is incorrect. Decryption should be first as it is done in the Tunnel decapsulation of the Ingress Stage.
Zone Protection checks are done in the next Firewall Session Lookup Stage. Then Security Policy, then App-ID.
So based on your link it should be
1. Decryption
2. Zone Protection
3. Security Profile
4. App-ID
upvoted 3 times

  leini 2 months ago


I think this is it too. Security profile should come first before App-ID. If not, what App-ID does it know to check if it does not see the
profile first?
upvoted 1 times

  Samurai55_1998_01 Highly Voted  5 months ago


I believe that it goes in this order
1. Decryption
2. Zone protection
3. Security profile enforcement
4. App-ID
upvoted 5 times

  cert111 1 month, 4 weeks ago


This seems right to me. Not sure why people are saying Zone protection comes first. The Palo Alto doc says that it's 3.1 - after decryption.
upvoted 1 times

  nolox Most Recent  4 months, 1 week ago


1. Zone protection
2. Security profile enforcement
3. Decryption
4. App id
upvoted 1 times

  khaled_ellaboudy 5 months ago


1. Zone protection
2. Decryption
3. App id
4. Security profile enforcement
upvoted 4 times

  LetsDiscuss23 4 months, 1 week ago


This is correct
upvoted 1 times

  Neil_Neo234 8 months ago


https://networkinterview.com/packet-flow-in-palo-alto-detailed-explanation/
upvoted 2 times

  markeloff23 9 months, 2 weeks ago


Zone Protection Checks
TCP State Check
Forwarding (based on interface type)
NAT Policy Lookup (only L3 & Virt wire)
DoS Protection Policy Lookup
Security Policy Lookup
Session Allocation
Firewall Session Fast Path (if packet from existing session)
Security Processing
Captive Portal
Application Identification
Content Inspection
Forwarding/Egress (includes QoS)
upvoted 4 times

  Samurai55_1998_01 5 months ago


Where would you say that decryption process is taking place?
upvoted 2 times

  Ermbmx2 2 months, 2 weeks ago


I would say it would have to be taking place first or else the contents of the packet wouldn't be able to be read to determine the remaining
Zone/Security/App info.
upvoted 1 times

Question #165 Topic 1

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known
Malicious IP Addresses list?

A. destination address

B. source address

C. destination zone

D. source zone

Correct Answer: D

  Alex48694 9 months ago


Selected Answer: B
It's B: source address
upvoted 2 times

  TheMaster01 10 months ago


Selected Answer: B
The question is regarding how to block traffic COMING from an IP address regardless of the zone
upvoted 2 times

  Banchan 10 months ago


B. I think so too. It's necessary to use the source IP address.
upvoted 2 times

  Hyay 10 months, 1 week ago


Selected Answer: B
B, it identifies addresses.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list
upvoted 3 times

Question #166 Topic 1

URL categories can be used as match criteria on which two policy types? (Choose two.)

A. authentication

B. decryption

C. application override

D. NAT

Correct Answer: AB
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-category-as-policy-match-criteria.html

  Oteslar 7 months, 2 weeks ago


Selected Answer: AB
There are many ways to enforce web page access beyond only blocking and allowing certain sites. For example, you can use multiple categories
per URL to allow users to access a site, but block particular functions like submitting corporate credentials or downloading files. You can also use
URL categories to enforce different types of policy, such as Authentication, Decryption, QoS, and Security.
upvoted 2 times

  FireACACIA 8 months, 2 weeks ago


Selected Answer: AB
The answers are correct.

Source: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/how-to-use-url-categories
upvoted 3 times

Question #167 Topic 1

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

A. The web session was unsuccessfully decrypted.

B. The traffic was denied by security profile.

C. The traffic was denied by URL filtering.

D. The web session was decrypted.

Correct Answer: CD

  TheMaster01 Highly Voted  10 months ago


The session was decrypted because you can see web-browsing over port 443

The traffic was denied by a security profile https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCQlCAO


upvoted 5 times

  SillyGoose123 Most Recent  4 months, 2 weeks ago


How can I read that the traffic was denied?
upvoted 1 times

  SillyGoose123 4 months, 2 weeks ago


Nevermind, it's "Session end reason"
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: BD
B and D are correct.
upvoted 1 times

  Mouna_cert 7 months, 2 weeks ago


Selected Answer: BD
For URL Filtering, the type of logs is not traffic, I believe
upvoted 2 times

  Mazalaza 7 months, 4 weeks ago


BD seems the better answer
upvoted 2 times

  TheMaster01 10 months ago


Selected Answer: BD
B and D are correct
upvoted 3 times

Question #168 Topic 1

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server
based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow

B. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow

C. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow

D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow

E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Correct Answer: AE

  DlaEdu_Ex 3 weeks, 1 day ago


Selected Answer: AE
To define Destination, Security policy uses Post-NAT zone and Pre-NAT address
upvoted 1 times

  skaez 1 month ago


Selected Answer: DE
If we check DNAT, HTTP is for 1.1.1.100 so answer E
And answer E is for the 2 DNAT and correct ports
upvoted 1 times

  blu_gandalf 2 months, 1 week ago


I think it's D, E
upvoted 1 times

  blu_gandalf 2 months, 1 week ago


I was wrong, sorry
upvoted 1 times

  ntir 5 months, 1 week ago


A and E
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: AE
A and E are correct answers.
upvoted 1 times

  blahblah1234567890000 6 months, 1 week ago


I don't understand how A could possibly be correct since the other server is supposed to get the SSH traffic.
upvoted 1 times

  blahblah1234567890000 6 months, 1 week ago


Nevermind I misread the IP.
upvoted 1 times

Question #169 Topic 1

Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to
exploit system flaws?

A. URL filtering

B. vulnerability protection

C. file blocking

D. anti-spyware

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection.html

  Oteslar 7 months, 2 weeks ago


Selected Answer: B
Vulnerability Protection Security Profiles protect against threats entering the network. For example, Vulnerability Protection Security Profiles protect
against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection Security
Profile protects clients and servers from all known critical-, high-, and medium-severity threats. You also can create exceptions that enable you to
change the response to a specific signature.
upvoted 1 times

Question #170 Topic 1

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

A. on the App Dependency tab in the Commit Status window

B. on the Policy Optimizer's Rule Usage page

C. on the Application tab in the Security Policy Rule creation window

D. on the Objects > Applications browser pages

Correct Answer: AC
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies.html

  Oteslar 7 months, 2 weeks ago


Selected Answer: AC
A and C are correct answers.
upvoted 1 times

Question #171 Topic 1

What action will inform end users when their access to Internet content is being restricted?

A. Create a custom "URL Category" object with notifications enabled.

B. Publish monitoring data for Security policy deny logs.

C. Ensure that the "site access" setting for all URL sites is set to "alert".

D. Enable "Response Pages" on the interface providing Internet access.

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-response-pages.html

  nolox 4 months, 1 week ago


Selected Answer: D
Think it's right
upvoted 1 times

Question #172 Topic 1

What is a recommended consideration when deploying content updates to the firewall from Panorama?

A. Before deploying content updates, always check content release version compatibility.

B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

C. Content updates for firewall A/A HA pairs need a defined master device.

D. After deploying content updates, perform a commit and push to Panorama.

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama.html

  ntir 5 months, 1 week ago


A is the correct answer
upvoted 1 times

  Miho_GG 7 months ago


I agree with A
upvoted 2 times

  sjurka 7 months ago


Selected Answer: A
You can't push "to Panorama"
upvoted 2 times

  blahblah1234567890000 6 months, 1 week ago


It says from
upvoted 1 times

  cert111 2 months, 2 weeks ago


The answer D reads "to Panorama"
upvoted 1 times

  t_h_t_f 8 months, 3 weeks ago


Agree with A
upvoted 3 times

  TheMaster01 10 months ago


Selected Answer: A
The content release version on the Panorama management server must be the same (or earlier) version as the content release version on any
Dedicated Log Collectors or managed firewalls.
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/set-up-panorama/install-content-and-software-updates-for-panorama/panorama-log-collector-firewall-and-wildfire-version-compatibility#id09d0b616-1197-4f80-be05-fdd7e75f8652
upvoted 4 times

Question #173 Topic 1

Which information is included in device state other than the local configuration?

A. uncommitted changes

B. audit logs to provide information of administrative account changes

C. system logs to provide information of PAN-OS changes

D. device group and template settings pushed from Panorama

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-operations.html

  nolox 4 months, 1 week ago


Selected Answer: D
Correct:

Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and
template settings pushed from Panorama.
upvoted 1 times

Question #174 Topic 1

Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?

A. It defines the SSL/TLS encryption strength used to protect the management interface.

B. It defines the CA certificate used to verify the client's browser.

C. It defines the certificate to send to the client's browser from the management interface.

D. It defines the firewall's global SSL/TLS timeout values.

Correct Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0

  blahblah1234567890000 6 months ago


Selected Answer: C
Correct.
upvoted 1 times

  blahblah1234567890000 6 months ago


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0#:~:text=For%20web-gui%20access%20to,all%20web-based%20management%20sessions.&text=Navigate%20to%20GUI%3A%20Device%20%3E%20Setup,configured%20SSL%2FTLS%20service%20profile.
upvoted 1 times

Question #175 Topic 1

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.
What should the administrator do?

A. change the logging action on the rule

B. review the System Log

C. refresh the Traffic Log

D. tune your Traffic Log filter to include the dates

Correct Answer: A

  DlaEdu_Ex 3 weeks, 1 day ago


Selected Answer: A
change the logging action on the rule (override default settings)
intrazone-default has Log-Settings disabled by default
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 1 times

  Sanjug2022 3 weeks, 3 days ago


A is correct, since intrazone logs need to be enabled
upvoted 1 times

  kikeabcd 2 months, 1 week ago


Selected Answer: A
A is correct
upvoted 1 times

  SessoConPupoPazzo 2 months, 4 weeks ago


Selected Answer: B
For me B
upvoted 2 times

  nolox 4 months, 1 week ago


Selected Answer: A
A is correct
upvoted 1 times

Question #176 Topic 1

When is the content inspection performed in the packet flow process?

A. after the application has been identified

B. after the SSL Proxy re-encrypts the packet

C. before the packet forwarding process

D. before session lookup

Correct Answer: A
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

  Achuth 4 months ago


D is also correct right? Both A and D?
upvoted 1 times

  khaled_ellaboudy 5 months ago


Selected Answer: A
A is correct
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: A
A is a correct answer.
upvoted 2 times

Question #177 Topic 1

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?

A. check now

B. review policies

C. test policy match

D. download

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

  FireACACIA 8 months, 2 weeks ago


Selected Answer: B
It is B, according to Palo Alto
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
upvoted 2 times

Question #178 Topic 1

When creating a custom URL category object, which is a valid type?

A. domain match

B. host names

C. wildcard

D. category match

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-custom-objects-url-category.html

  OhEmGee 5 months, 2 weeks ago


The two types are URL List and Category Match.
upvoted 1 times

  FireACACIA 8 months, 2 weeks ago


Selected Answer: D
The answer D is correct, according to Palo Alto

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-custom-objects-url-category
upvoted 2 times

Question #179 Topic 1

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?

A. 80

B. 8443

C. 4443

D. 443

Correct Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS#:~:text=Details,using%20https%20on%20port%204443

  MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: C
Correct
upvoted 2 times

  nolox 4 months, 1 week ago


Selected Answer: C
Correct
upvoted 1 times

Question #180 Topic 1

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control
(RBAC)? (Choose two.)

A. SAML

B. TACACS+

C. LDAP

D. Kerberos

Correct Answer: AB
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html

  Oteslar 7 months, 2 weeks ago


Selected Answer: AB
The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and
authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML
server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For
details, see:
upvoted 1 times

Question #181 Topic 1

Which administrative management services can be configured to access a management interface?

A. HTTPS, HTTP, CLI, API

B. HTTPS, SSH, telnet, SNMP

C. SSH, telnet, HTTP, HTTPS

D. HTTP, CLI, SNMP, HTTPS

Correct Answer: C

  madt 2 months, 3 weeks ago


Selected Answer: C
C is correct
upvoted 1 times

  baccalacca 4 months, 2 weeks ago


https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/management-interfaces

answer is A
upvoted 2 times

  drogadotcom 3 months, 2 weeks ago


The question is talking about "administrative management services" about the management interface not management interfaces.
Tested in a lab: From PanOS 11.0 firewall go to Device -> Setup -> Interfaces -> Management -> Administrative Management -> Services - you
will see these options : HTTP, HTTPS, TELNET, SSH.
That is why the answer is C not A.
upvoted 2 times

  ntir 5 months, 1 week ago


C is correct
upvoted 1 times

  yinksho 8 months, 2 weeks ago


Selected Answer: C
The administrative management services are http,https,telnet and ssh
upvoted 2 times

  Surfside92 9 months, 3 weeks ago


Selected Answer: C
Definitely C - I'm looking at the management interface settings here on my palo alto - ssh/telnet/http/https/
upvoted 2 times

  markeloff23 9 months, 3 weeks ago


A or C?
upvoted 1 times

  markeloff23 9 months, 1 week ago


C, key is "services"
upvoted 3 times

  stickboy 9 months, 4 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/management-interfaces
upvoted 1 times

  Surfside92 9 months, 3 weeks ago


The link you've provided is fine - but it shows the answer = C
upvoted 2 times

Question #182 Topic 1

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently
used by attackers to distribute illegal or unethical material?

A. Palo Alto Networks C&G IP Addresses

B. Palo Alto Networks High Risk IP Addresses

C. Palo Alto Networks Known Malicious IP Addresses

D. Palo Alto Networks Bulletproof IP Addresses

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/edl-for-bulletproof-isps

  madt 2 months, 3 weeks ago


Selected Answer: D
D, is correct
upvoted 2 times

  FireACACIA 8 months, 2 weeks ago


Selected Answer: D
According to Palo Alto, the correct answer is D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM0pCAG
upvoted 4 times

Question #183 Topic 1

Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP
Addresses list?

A. source address

B. destination address

C. source zone

D. destination zone

Correct Answer: A

  TheMaster01 Highly Voted  10 months ago


Selected Answer: B
block traffic TO IP addresses.
To being the keyword on the question.
upvoted 7 times

  madt Most Recent  2 months, 3 weeks ago


Selected Answer: B
Answer is B
upvoted 1 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: B
it's saying "to" IP address and not "from"
upvoted 2 times


Question #184 Topic 1

Which three filter columns are available when setting up an Application Filter? (Choose three.)

A. Parent App

B. Category

C. Risk

D. Standard Ports

E. Subcategory

Correct Answer: BCE


Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXfCAK

  FireACACIA 8 months, 2 weeks ago


Selected Answer: BCE
Answers are correct B,C,E

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-application-filters
upvoted 3 times


Question #185 Topic 1

Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and
risky websites?

A. reconnaissance

B. delivery

C. installation

D. exploitation

Correct Answer: A
Reference:
https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle

  TheMaster01 Highly Voted  10 months ago


Selected Answer: B
Weaponization and Delivery: Attackers will then determine which methods to use in order to deliver malicious payloads. Some of the methods they
might utilize are automated tools, such as exploit kits, spear phishing attacks with malicious links, or attachments and malvertizing.

Gain full visibility into all traffic, including SSL, and block high-risk applications. Extend those protections to remote and mobile devices.
Protect against perimeter breaches by blocking malicious or risky websites through URL filtering.
Block known exploits, malware and inbound command-and-control communications using multiple threat prevention disciplines, including IPS,
anti-malware, anti-CnC, DNS monitoring and sinkholing, and file and content blocking.
Detect unknown malware and automatically deliver protections globally to thwart new attacks.
Provide ongoing education to users on spear phishing links, unknown emails, risky websites, etc.
upvoted 6 times

  BC1c1c Highly Voted  10 months ago


The answer is B, not A. In reconnaissance, you educate users what inside info they shouldn't post: "sensitive documents, customer lists, event
attendees, job roles and responsibilities (i.e., using specific security tools within an organization), etc."
Delivery: "Provide ongoing education to users on spear phishing links, unknown emails, risky websites, etc."
upvoted 5 times

  Najmmm Most Recent  8 months, 4 weeks ago


Selected Answer: B
It's Delivery
upvoted 2 times

  Alex48694 9 months ago


Selected Answer: B
Weaponization and Delivery
upvoted 2 times


Question #186 Topic 1

A coworker found a USB labeled "confidential" in the parking lot. They inserted the drive and it infected their corporate laptop with unknown
malware. The malware caused the laptop to begin infiltrating corporate data.
Which Security Profile feature could have been used to detect the malware on the laptop?

A. DNS Sinkhole

B. WildFire Analysis

C. Antivirus

D. DoS Protection

Correct Answer: A

  Surfside92 Highly Voted  9 months, 3 weeks ago


Selected Answer: C
The key word in the question = Detect
Antivirus security profiles protect against viruses, worms, and trojans as well as spyware downloads.
Answer A will indeed deal with the spyware when it kicks in and tries to do its stuff - but it's Antivirus that detects it.
upvoted 5 times

  Sanjug2022 Most Recent  3 weeks, 3 days ago


Answer is C, Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention
engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients
without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and
JavaScript viruses
upvoted 1 times

  Ermbmx2 2 months, 2 weeks ago


Selected Answer: C
Because it says "detect malware ON the laptop" I will have to vote C. As DNS sinkhole wouldn't be actually ON the laptop and would have to be
detected on the firewall or sinkhole log. It's a poorly worded question IMO.
upvoted 1 times

  Kalender 2 months, 2 weeks ago


Selected Answer: C
DNS Sinkhole is for "Malicious Domain" detection. But Antivirus is for malware detection
And the question is about "Malware Detection"

..."In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a
known malicious domain, causing the malicious domain name to resolve to an IP address that you define..."
(https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles)
upvoted 1 times

  nolox 4 months, 1 week ago


Selected Answer: A
Because of word "Feature"

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 1 times

  SillyGoose123 4 months, 2 weeks ago


Selected Answer: C
A DNS sinkhole can be set up to prevent C2 communications, but will not detect a virus
upvoted 2 times

  khaled_ellaboudy 5 months ago


Selected Answer: A
Security profile "feature" and not security profile. So it is DNS Sinkhole which is a "feature" of anti-spyware profile.
upvoted 3 times

  Ermbmx2 2 months, 2 weeks ago


Yeah it's a poorly worded question cause Palo Alto describes their security profiles as "Security Profile Features". Like stated here.
"Additionally, Palo Alto Networks also comes with security profile features, such as antivirus, anti-spyware, VPN, URL Filtering and WildFire
features, that are useful in averting both known and unknown threats.”
upvoted 1 times

  Ermbmx2 2 months, 2 weeks ago



https://www.paloaltonetworks.com/customers/bank-ocbc-nisp

The link to the source of the quote.


upvoted 1 times

  Ermbmx2 2 months, 2 weeks ago


However, now that I am reading that article more in depth, it looks like it may be from the POV of the PA customer and not PA themselves.
So I would delete my previous comment if I could LOL.
upvoted 1 times

  OhEmGee 5 months, 3 weeks ago


Selected Answer: A
The PA AV isn't running on the endpoint. Malware is delivered via USB. So, now only DNS sinkhole can get info about infected endpoints.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: C
Answer : C (DETECT the malware ON the laptop)
upvoted 1 times

  LHK0103 8 months ago


Selected Answer: A
Since the malware had been downloaded from the USB drive, so I think "A" is correct because they want to detect which laptop was infected.
upvoted 3 times

  IHave3Dogs 9 months ago


DNS Sinkhole would detect the infected laptop. The question as written should have answer C but perhaps they are thinking of how to detect the
infected laptop.
upvoted 1 times

  Hyay 10 months, 1 week ago


Selected Answer: A
Correct. The profile needed is Anti-spyware, and the FEATURE needed inside is DNS-sinkhole
upvoted 2 times

Question #187 Topic 1

What must be configured before setting up Credential Phishing Prevention?

A. Threat Prevention

B. Anti Phishing Block Page

C. User-ID

D. Anti Phishing profiles

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention

  Apache207 4 months, 1 week ago


STEP 1:If you have not done so already, Enable User-ID.
upvoted 1 times

  nolox 4 months, 1 week ago


Selected Answer: C
Correct

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention
upvoted 1 times


Question #188 Topic 1

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

A. block

B. sinkhole

C. allow

D. alert

Correct Answer: B

  FireACACIA 8 months, 2 weeks ago


Selected Answer: B
B is correct
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
upvoted 2 times

  markeloff23 9 months, 3 weeks ago


Selected Answer: B
Correct
upvoted 2 times


Question #189 Topic 1

Which statement best describes a common use of Policy Optimizer?

A. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App ID Security policy for every Layer 4 policy that
exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

B. Policy Optimizer can display which Security policies have not been used in the last 90 days.

C. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

D. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

Correct Answer: D

  Hyay Highly Voted  10 months, 1 week ago


Selected Answer: B
Not correct to me. Seems to be B. Documentation says it does not change profiles.

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/create-prisma-access-policy/policy-optimizer
upvoted 6 times

  Skey Most Recent  2 weeks, 3 days ago


Selected Answer: A
The key word for me is « common » both A and B are options for policy optimizer but I'll go for A as a common use of this solution
upvoted 1 times

  innuendo2 4 weeks, 1 day ago


for me is A
Policy Optimizer identifies port-based rules so you can convert them to application-based allow rules or add applications from a port-based rule to
an existing application-based rule without compromising application availability.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/security-policy-rule-optimization
upvoted 2 times

  TheMaster01 10 months ago


Selected Answer: B
B is correct
upvoted 4 times


Question #190 Topic 1

Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)

A. The route with lowest metric is used.

B. The route with the highest administrative distance is used.

C. The virtual router would load balance across the two routes.

D. Path monitoring determines whether a route is usable.

Correct Answer: AD


Question #191 Topic 1

An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

A. Security policy rule

B. ACC global filter

C. NAT address pool

D. external dynamic list

Correct Answer: C

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Answer : A
IP Wildcard Mask—Enter an IP wildcard address in the format of an IPv4 address followed by a slash and a mask (which must begin with a zero); for
example, 10.182.1.1/0.127.248.0. In the wildcard mask, a zero (0) bit indicates that the bit being compared must match the bit in the IP address that
is covered by the 0. A one (1) bit in the mask is a wildcard bit, meaning the bit being compared need not match the bit in the IP address that is
covered by the 1. Convert the IP address and the wildcard mask to binary. To illustrate the matching: on binary snippet 0011, a wildcard mask of
1010 results in four matches (0001, 0011, 1001, and 1011).
upvoted 1 times
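The matching rule quoted in the comment above can be checked with a few lines of Python. This is an added example, not part of the original thread or Palo Alto Networks code; the function names are hypothetical, and "must begin with a zero" is read here as "the most significant mask bit is 0", which is an assumption.

```python
import ipaddress
from itertools import product


def parse_wildcard(obj: str) -> tuple[int, int]:
    """Split 'address/wildcard-mask' into two 32-bit integers."""
    addr_text, sep, mask_text = obj.partition("/")
    if not sep:
        raise ValueError("expected address/wildcard-mask")
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = int(ipaddress.IPv4Address(mask_text))
    # Assumption: "must begin with a zero" means the top bit of the mask is 0.
    if mask >> 31:
        raise ValueError("wildcard mask must begin with a zero bit")
    return addr, mask


def matches(candidate: str, obj: str) -> bool:
    """True if candidate agrees with the object on every 0-bit of the mask."""
    addr, mask = parse_wildcard(obj)
    cand = int(ipaddress.IPv4Address(candidate))
    must_match = ~mask & 0xFFFFFFFF      # 0 in the mask = bit is compared
    return ((cand ^ addr) & must_match) == 0


def match_count(obj: str) -> int:
    """Number of addresses the object covers: 2 ** (wildcard bits)."""
    _, mask = parse_wildcard(obj)
    return 2 ** bin(mask).count("1")


def enumerate_matches(value: int, mask: int, width: int) -> list[str]:
    """All bit strings of `width` bits that match `value` under `mask`."""
    wild = [i for i in range(width) if (mask >> i) & 1]
    base = value & ~mask & ((1 << width) - 1)   # fixed bits only
    out = []
    for combo in product((0, 1), repeat=len(wild)):
        v = base
        for bit, pos in zip(combo, wild):
            v |= bit << pos
        out.append(format(v, f"0{width}b"))
    return sorted(out)


# Object taken from the comment above; candidate addresses are constructed.
OBJ = "10.182.1.1/0.127.248.0"

if __name__ == "__main__":
    print(enumerate_matches(0b0011, 0b1010, 4))
    for ip in ("10.182.1.1", "10.200.9.1", "10.50.1.1", "10.182.2.1"):
        print(ip, matches(ip, OBJ))
    print("addresses covered:", match_count(OBJ))
```

Counting the covered addresses before referencing such an object in a Security policy rule shows how much wider it is than a CIDR prefix of similar appearance.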

  ARWANGSH 6 months, 1 week ago


Selected Answer: A
Wildcard objects can be used only in the Security policy rule.
upvoted 2 times

  Miho_GG 7 months ago


Wildcard objects can be used only in the Security policy rule.
upvoted 2 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-addresses
upvoted 1 times

  Alex48694 9 months ago


Selected Answer: A
Security policy rule
upvoted 1 times

  stickboy 9 months, 3 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-addresses
upvoted 2 times

  Robert_99 9 months, 4 weeks ago


The correct answer is You can use an address object of type IP Wildcard Mask only in a Security policy rule.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-addresses IP
Wildcard Mas
upvoted 2 times


Question #192 Topic 1

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-
control server.
Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control
connection?

A. Anti-Spyware Profile

B. Data Filtering Profile

C. Antivirus Profile

D. Vulnerability Protection Profile

Correct Answer: B

  guuillauume 3 months, 1 week ago


why not antivirus ?
upvoted 1 times

  hugodiaz 4 months ago


Selected Answer: A
correct
upvoted 1 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: A
"Anti-Spyware profiles blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2)
servers"
upvoted 2 times

  Alex48694 9 months ago


Selected Answer: A
Anti-Spyware Profile
upvoted 1 times

  TheMaster01 10 months ago


Selected Answer: A
A is correct
upvoted 1 times

  Hyay 10 months, 1 week ago


Selected Answer: A
"Anti-Spyware profiles blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2)
servers"
upvoted 2 times


Question #193 Topic 1

Which Palo Alto Networks component provides consolidated policy creation?

A. Policy Optimizer

B. Prisma SaaS

C. GlobalProtect

D. Panorama

Correct Answer: D

  83KG 5 months, 1 week ago


Selected Answer: D
https://www.paloaltonetworks.com/resources/datasheets/panorama-centralized-management-datasheet
upvoted 1 times


Question #194 Topic 1

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within
the DMZ zone.
The administrator does not want to allow traffic between the DMZ and LAN zones.
Which Security policy rule type should they use?

A. interzone

B. intrazone

C. default

D. universal

Correct Answer: D

  CarlosDV06 4 months ago


I've the evaluation tomorrow and read this example question. The answer is B, the question asks for the rule TYPE and we have three: Intrazone
(within a zone), interzone (between zones) and universal (within and between zones).
upvoted 1 times

  hugodiaz 4 months ago


Selected Answer: B
Most of the question is fluff. Main key takeaways are:

1) Allow DNS traffic within LAN-ZONE
2) Allow DNS traffic within DMZ-ZONE
3) Deny DNS traffic between LAN-ZONE, DMZ-ZONE

What Security Rule type is required?

- Universal allows traffic between the zones and within the zones.
- Interzone does NOT allow traffic within a zone, and permits traffic between the two zones
- Default isn't a valid option as you have to point out WHICH default policy, is it the intra or the inter?
Intrazone allows traffic within the zones, you can NOT configure a destination zone. So the correct answer is B
upvoted 1 times

  baccalacca 4 months, 1 week ago


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTHCA0
upvoted 1 times

  baccalacca 4 months, 1 week ago


A security policy allowing traffic between the same zone, this applies the rule to all matching traffic within the specified source zones (cannot
specify a destination zone for intrazone rules).

For example, if setting the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic
between zones A and B.
upvoted 1 times

  blahblah1234567890000 6 months ago


Selected Answer: B
It's B since it's not going between zones.
upvoted 1 times

  lorentinooo 7 months ago


Selected Answer: A
It says that DNS traffic is allowed in LAN and DMZ zone. That traffic could come from outside zone, such as internet but it is not allowed between
LAN and DMZ. According to this, I'd say is A because you only need to match Interzone areas.
upvoted 1 times

  michelbragaguimaraes 7 months, 2 weeks ago


Selected Answer: C
Default
upvoted 1 times

  ReallyMatters 7 months, 2 weeks ago


Why not C. Pls read carefully
upvoted 2 times


  hugodiaz 4 months ago


default what? interzone-default or intrazone-default...

Most of the question is fluff. Main key takeaways are:

Allow DNS traffic within LAN-ZONE
Allow DNS traffic within DMZ-ZONE
Deny DNS traffic between LAN-ZONE, DMZ-ZONE
What Security Rule type is required?

Interzone does NOT allow traffic within a zone, and permits traffic between the two zones
Default isn't a valid option as you have to point out WHICH default policy, is it the intra or the inter?
Universal allows traffic between the zones and within the zones.
Intrazone allows traffic within the zones, you can NOT configure a destination zone. So the correct answer is B
upvoted 1 times

  TheMaster01 10 months ago


Selected Answer: B
Intrazone: A security policy allowing traffic between the same zone, this applies the rule to all matching traffic within the specified source zones
(cannot specify a destination zone for intrazone rules).

For example, if setting the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic
between zones A and B.
upvoted 4 times

  mushi4ka 10 months ago


Selected Answer: B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 3 times
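The rule-type semantics described in the comments above can be compared side by side with a small model. This is an added example, not part of the original thread and not PAN-OS code: it is a simplified evaluator that looks only at zones and application, and the rule names are hypothetical. It assumes the two predefined rules at the bottom of the rulebase, intrazone-default (allow) and interzone-default (deny).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str          # "universal", "intrazone" or "interzone"
    src_zones: frozenset
    dst_zones: frozenset    # ignored for intrazone rules
    application: str
    action: str


def zones_match(rule: Rule, src: str, dst: str) -> bool:
    """Apply the zone semantics of each rule type to one flow."""
    if rule.rule_type == "intrazone":
        # Only traffic that stays inside one of the listed source zones.
        return src == dst and src in rule.src_zones
    if rule.rule_type == "interzone":
        # Only traffic that crosses from a listed source to a listed destination.
        return src != dst and src in rule.src_zones and dst in rule.dst_zones
    if rule.rule_type == "universal":
        # Both of the above: within and between the listed zones.
        return src in rule.src_zones and dst in rule.dst_zones
    raise ValueError(f"unknown rule type: {rule.rule_type}")


def evaluate(rulebase: list, src: str, dst: str, app: str) -> tuple:
    """First matching rule wins; otherwise fall through to the defaults."""
    for rule in rulebase:
        if rule.application in (app, "any") and zones_match(rule, src, dst):
            return rule.action, rule.name
    if src == dst:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


def dns_rule(rule_type: str) -> list:
    """One DNS allow rule listing LAN and DMZ, built with the given type."""
    zones = frozenset({"LAN", "DMZ"})
    return [Rule(f"dns-{rule_type}", rule_type, zones, zones, "dns", "allow")]


# Constructed flows covering the scenario in Question #194.
FLOWS = [("LAN", "LAN"), ("DMZ", "DMZ"), ("LAN", "DMZ"), ("DMZ", "LAN")]


def compare() -> dict:
    """Evaluate every flow against each rule type."""
    table = {}
    for rule_type in ("universal", "intrazone", "interzone"):
        rulebase = dns_rule(rule_type)
        table[rule_type] = {
            f"{s}->{d}": evaluate(rulebase, s, d, "dns") for s, d in FLOWS
        }
    return table


if __name__ == "__main__":
    for rule_type, results in compare().items():
        print(rule_type)
        for flow, verdict in results.items():
            print(f"  {flow:10} {verdict}")
```

With both zones listed, only the intrazone rule matches DNS inside LAN and inside DMZ while leaving LAN-to-DMZ traffic to the interzone default deny.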

Question #195 Topic 1

According to best practices, how frequently should WildFire updates be made to perimeter firewalls?

A. every 10 minutes

B. every minute

C. every 5 minutes

D. in real time

Correct Answer: D

  baccalacca 4 months, 1 week ago


https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-100/wildfire-real-time-signature-updates

answer - real time


upvoted 1 times

  Najmmm 8 months, 4 weeks ago


Selected Answer: D
https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-deployment-best-practices/wildfire-best-practices

If you are running PAN-OS 10.0 or later, configure your firewall to retrieve WildFire signatures in real-time. This provides access to newly-
discovered malware signatures as soon as the WildFire public cloud can generate them, thereby preventing successful attacks by minimizing your
exposure time to malicious activity.
upvoted 2 times


Question #196 Topic 1

Given the topology, which interface type should you configure for firewall interface E1/1?

A. Layer 2

B. virtual wire

C. tap

D. mirror port

Correct Answer: C


Question #197 Topic 1

Which solution is a viable option to capture user identification when Active Directory is not in use?

A. Cloud Identity Engine

B. Directory Sync Service

C. group mapping

D. Authentication Portal

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-directory-type/configure-an-on-premises-directory/install-the-cloud-identity-agent

  Sanjug2022 3 weeks, 5 days ago


Answer would be D
upvoted 1 times

  hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: D
ABC - all have to do with active directory.
Answer is D
upvoted 1 times

  SessoConPupoPazzo 2 months, 4 weeks ago


Selected Answer: D
I think it's D, for my side.
upvoted 1 times

  Adilon 3 months ago


I think it's D, for my side.
upvoted 1 times

  Leeryan 4 months ago


Selected Answer: D
Has to be D. Active directory is not in use..
upvoted 1 times

  baccalacca 4 months, 1 week ago


a b c - all have to do with active directory.
answer is D
upvoted 1 times

  khaled_ellaboudy 5 months ago


Selected Answer: D
"when active directory is not in use" so it can't be CIE. D is the correct answer
upvoted 1 times

  OhEmGee 5 months, 3 weeks ago


CIE is dependent upon on-prem AD or Cloud Azure AD.
https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/get-started-with-the-cloud-identity-engine/learn-about-the-cloud-identity-engine#id3f7f173a-ab4b-4040-b82e-86944d8b769b
The components of the Cloud Identity Engine deployment vary based on whether the Cloud Identity Engine is accessing an on-premises directory
(such as Active Directory) or a cloud-based directory (such as Azure Active Directory).

There is nothing like Authn portal on PA, it's actually Captive Portal. If we go word-by-word then CIE is the answer otherwise Authn Portal is. Very
ambiguous question.
upvoted 2 times


  ruben_castro81 9 months, 1 week ago


I think that best answer is "Authentication portal"
upvoted 4 times

  markeloff23 9 months ago


Same here
upvoted 2 times

Question #198 Topic 1

What allows a security administrator to preview the Security policy rules that match new application signatures?

A. Policy Optimizer--New App Viewer

B. Dynamic Updates--Review App

C. Review Release Notes

D. Dynamic Updates--Review Policies

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules.html

  captainpratt 7 months, 4 weeks ago


nice D
upvoted 2 times

  homersimpson 8 months, 2 weeks ago


Selected Answer: D
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules#idfb483dd8-b89d-447d-83a8-8d70037c09f9
upvoted 3 times


Question #199 Topic 1

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID?

A. Configure a Primary Employee ID number for user-based Security policies.

B. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389.

C. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL.

D. Configure a frequency schedule to clear group mapping cache.

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/best-practices/10-0/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-group-mapping.html

  hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: C
If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for
SSL.
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: C
Answer : C
https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-group-mapping
If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for
SSL.
upvoted 3 times


Question #200 Topic 1

An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains.
Which type of single, unified engine will get this result?

A. Content ID

B. App-ID

C. Security Processing Engine

D. User-ID

Correct Answer: C

  OhEmGee 5 months, 3 weeks ago


Selected Answer: A
Security Processing doesn't have signature matching feature which is asked in the question.
https://www.paloaltonetworks.com/resources/pa-series-next-generation-firewalls-hardware-architectures.
There's Network Processor, Security Processor, Offload/Signature Matching Processor, and Management Processor.
The Security Processing Engine has APP-ID | User-ID | URL match | policy match app decoding | SSL/IPSec | decompression functions.
The Signature Matching Processor has Exploits | Virus | Spyware | CC# | SSN functions.
upvoted 2 times

  markeloff23 9 months, 1 week ago


Selected Answer: A
A is correct
upvoted 1 times

  mushi4ka 10 months ago


Selected Answer: A
Content-ID™ combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification
to limit unauthorized data and file transfers and detect and block a wide range of exploits, malware, dangerous web surfing as well as targeted
and unknown threats.
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/tech-briefs/techbrief-content-id.pdf
upvoted 4 times


Question #201 Topic 1

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

A. ensure that disable override is selected

B. uncheck the shared option

C. ensure that disable override is cleared

D. create the service object in the specific template

Correct Answer: B

  baccalacca 4 months, 1 week ago


answer is B
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/manage-device-groups/create-objects-for-use-in-shared-or-device-group-policy
upvoted 2 times

  FireACACIA 8 months, 2 weeks ago


Selected Answer: B
Answer is B

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-services
upvoted 1 times

  Najmmm 8 months, 3 weeks ago


Selected Answer: B
uncheck the shared when creating object
upvoted 1 times

Question #202 Topic 1

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit
42 research, and data gathered from telemetry?

A. Palo Alto Networks High-Risk IP Addresses

B. Palo Alto Networks Known Malicious IP Addresses

C. Palo Alto Networks C&C IP Addresses

D. Palo Alto Networks Bulletproof IP Addresses

Correct Answer: B

  Najmmm 8 months, 3 weeks ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls
upvoted 1 times

  mushi4ka 10 months ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls
upvoted 2 times


Question #203 Topic 1

An administrator would like to determine the default deny action for the application dns-over-https.
Which action would yield the information?

A. View the application details in beacon.paloaltonetworks.com

B. Check the action for the Security policy matching that traffic

C. Check the action for the decoder in the antivirus profile

D. View the application details in Objects > Applications

Correct Answer: B

  khaled_ellaboudy 5 months ago


Selected Answer: D
D of course
upvoted 2 times

  mecacig953 5 months, 3 weeks ago


Selected Answer: D
Deny : Blocks traffic and enforces the default ”deny” action defined for the application that is being denied. To view the default “deny” action
defined for an application, display the application details in Objects > Applications
[Palo Alto Networks]
upvoted 1 times

  Najmmm 8 months, 3 weeks ago


Selected Answer: D
you can view the default deny action in the application details in Objects > Applications
upvoted 1 times

  Surfside92 9 months, 3 weeks ago


Selected Answer: D
That said - for all the app definitions on my Palo Alto I cannot see application type dns-over-https. But still I think it's D
upvoted 1 times


Question #204 Topic 1

Access to which feature requires a URL Filtering license?

A. PAN-DB database

B. External dynamic lists

C. DNS Security

D. Custom URL categories

Correct Answer: A

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Palo Alto Networks URL filtering solution, the Advanced URL Filtering subscription, provides real time URL analysis and malware prevention. In
addition to PAN-DB access, the Palo Alto Networks-developed URL filtering database for high-performance URL lookups, it also offers coverage
against malicious URLs and IP addresses. This multi-layered protection solution is configured through your URL filtering profile.
upvoted 1 times

  Surfside92 9 months, 3 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/enable-advanced-url-filtering
upvoted 3 times

Question #205 Topic 1

What is the main function of the Test Policy Match function?

A. ensure that policy rules are not shadowing other policy rules

B. confirm that rules meet or exceed the Best Practice Assessment recommendations

C. confirm that policy rules in the configuration are allowing/denying the correct traffic

D. verify that policy rules from Expedition are valid

Correct Answer: D

  mecacig953 5 months, 3 weeks ago


Selected Answer: C
The Test Security Policy Match window enables you to enter a set of criteria directly from the web interface rather than from the CLI. After a test is
executed, the criteria are evaluated against the current Security policy rules to determine if the simulated traffic matches an existing policy. After
running the policy match and connectivity tests in the web interface, you can quickly and easily test connectivity to ensure that policy rules allow or
deny the correct traffic, and those devices can connect to network resources such as WildFire® or Log Collectors
[Palo Alto Networks]
upvoted 1 times

  Najmmm 8 months, 3 weeks ago


Selected Answer: C
commands to verify that your policies are working as expected
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configuration/test-policy-matches
upvoted 1 times

  mushi4ka 10 months ago


Selected Answer: C
Test the policy rules in your running configuration to ensure that your policies appropriately allow and deny traffic and access to applications and
websites in compliance with your business needs and requirements.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/test-policy-rule-traffic-matches
upvoted 4 times


Question #206 Topic 1

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

A. subnet mask

B. tag

C. IP address

D. wildcard mask

Correct Answer: B

  Najmmm 8 months, 3 weeks ago


Selected Answer: B
https://docs.paloaltonetworks.com/network-security/security-policy/objects/address-groups/dynamic-address-groups
upvoted 1 times


Question #207 Topic 1

View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and
Untrust/Internet zones from each of the IOT/Guest and Trust Zones?
A.

B.

C.

D.

Correct Answer: C

  Sanjug2022 1 month ago


Answer B
upvoted 1 times

  Kalender 2 months, 2 weeks ago


"most restrictive, yet fully functional rule" is key word
answer should be A (I think)
upvoted 1 times

  madt 2 months, 3 weeks ago


B is correct
upvoted 1 times


  DatITGuyTho1337 3 months, 3 weeks ago


The answer is A because the question is asking for the most restrictive means to access the DMZ and untrust zones from the Guest and Trust zones.
In answer A, the rule restricts access to the destination IP address subnet ranges of the DMZ and Untrust zone destination addresses, whereas
answer B pretty much says you can connect to any address in the DMZ and Untrust subnets. A is the correct answer.
upvoted 1 times

  PaloCert 4 months, 2 weeks ago


B is the correct answer. You need to allow traffic to any destination for internet access.
upvoted 1 times

  Wisley 4 months, 3 weeks ago


It should be B.
upvoted 1 times

  khaled_ellaboudy 5 months ago


It should be "B". Need to access the internet
upvoted 1 times

  himing_123 5 months, 2 weeks ago


B. need to access the internet
upvoted 1 times

  DlaEdu_Ex 5 months, 2 weeks ago


The answer is B.
A is incorrect - no internet access, DST addresses are too strictly defined;
C is incorrect - SRC and DST addresses do not correspond to Zones;
D is incorrect - the SRC address does not match the SRC zone.
upvoted 2 times

  Najmmm 8 months, 3 weeks ago


the answer should be B, we can't specify dst add for internet
upvoted 3 times

  mushi4ka 10 months ago


It should be B.
In order to allow general Internet access destination IP address should be Any.
upvoted 4 times

  ebarros 10 months ago


I agree
"to allow general Internet" there can be no destination restriction... only need to restrict the services reported..
upvoted 2 times

  ebarros 10 months ago


..and also restrict the zones
upvoted 1 times

  Hyay 10 months, 1 week ago


It's A...
upvoted 1 times

  Surfside92 9 months, 3 weeks ago


If it's A how can the rule allow traffic to get to google.com / 8.8.8.8 ???
upvoted 4 times


Question #208 Topic 1

What are the three DNS Security categories available to control DNS traffic? (Choose three.)

A. Parked Domains

B. Spyware Domains

C. Vulnerability Domains

D. Phishing Domains

E. Malware Domains

Correct Answer: BDE

  reinaldopazsandoval Highly Voted  10 months ago


Selected Answer: ADE
To show this go to Anti-Spyware Profile to DNS policy > DNS Security
upvoted 6 times

  Kalender Most Recent  2 months, 2 weeks ago


Selected Answer: ADE
Malware—test-malware.testpanw.com
Phishing—test-phishing.testpanw.com
Parked—test-parked.testpanw.com
upvoted 1 times

  khaled_ellaboudy 5 months ago


Selected Answer: ADE
A D E are the correct answers
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: ADE
Answer : ADE
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
Malware—test-malware.testpanw.com
Phishing—test-phishing.testpanw.com
Parked—test-parked.testpanw.com
upvoted 1 times

  Najmmm 8 months, 3 weeks ago


Selected Answer: ADE
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
upvoted 1 times


Question #209 Topic 1

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

A. firewall logs

B. custom API scripts

C. Security Information and Event Management Systems (SIEMS), such as Splunk

D. biometric scanning results from iOS devices

E. DNS Security service

Correct Answer: CDE

  BC1c1c Highly Voted  9 months, 4 weeks ago


ABC: https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-dynamic-user-groups

Identify the user information sources for the tags:


Firewall logs
For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile and use the Built-In Actions.
For User-ID, HIP Match, GlobalProtect, and IP-Tag logs, configure the log settings.
Cortex XSOAR
Security Information and Event Management Systems (SIEMS), such as Splunk
Custom API scripts
upvoted 14 times

  hdrnzienlaoroljol Most Recent  1 month, 2 weeks ago


Selected Answer: ABC
https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-dynamic-user-groups
upvoted 1 times

  khaled_ellaboudy 5 months ago


Selected Answer: ABC
A B C logically
upvoted 1 times

  Najmmm 8 months, 3 weeks ago


Selected Answer: ABC
https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-dynamic-user-groups
upvoted 2 times


Question #210 Topic 1

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is
configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this
request? (Choose two.)

A. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive
characteristic

B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application

C. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application

D. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

Correct Answer: AD

  hdrnzienlaoroljol 1 month, 2 weeks ago


Selected Answer: AD
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-applications/applications-overview
upvoted 1 times

  nolox 3 months, 1 week ago


Selected Answer: AD
Column Characteristics on the pic:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-applications/applications-overview
upvoted 1 times

  nolox 4 months, 1 week ago


Selected Answer: AD
Seems correct
upvoted 1 times

Question #211 Topic 1

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

A. HIP profile

B. URL category

C. application group

D. application filter

Correct Answer: D

  nolox 3 months, 1 week ago


Selected Answer: D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter
upvoted 1 times


Question #212 Topic 1

Given the detailed log information above, what was the result of the firewall traffic inspection?

A. It was blocked by the Vulnerability Protection profile action

B. It was blocked by the Security policy action

C. It was blocked by the Anti-Virus Security profile action

D. It was blocked by the Anti-Spyware Profile action

Correct Answer: D

  Adilon 2 months, 4 weeks ago


Dm see in log details
upvoted 1 times

  nolox 4 months, 1 week ago


Selected Answer: D
Correct
upvoted 1 times


Question #213 Topic 1

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule.
What is the best way to do this?

A. Create a static NAT rule translating to the destination interface.

B. Create a static NAT rule with an application override.

C. Create a Security policy rule to allow the traffic.

D. Create a new NAT rule with the correct parameters and leave the translation type as None.

Correct Answer: D

  nolox 4 months, 1 week ago


Selected Answer: D
Seems logical
upvoted 1 times

  DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: D
D is correct:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/configure-nat/disable-nat-for-a-specific-host-or-interface
upvoted 4 times

Question #214 Topic 1

What can be achieved by selecting a policy target prior to pushing policy rules from Panorama? *

A. You can specify the location as pre- or post-rules to push policy rules

B. You can specify the firewalls in a device group to which to push policy rules

C. Doing so provides audit information prior to making changes for selected policy rules

D. Doing so limits the templates that receive the policy rules

Correct Answer: A

  reinaldopazsandoval Highly Voted  10 months ago


Selected Answer: B
Correct is B, please visit: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/push-a-policy-rule-to-a-subset-of-firewalls
upvoted 6 times

  Najmmm Most Recent  8 months, 3 weeks ago


Selected Answer: B
correct answer is B
upvoted 2 times

  mushi4ka 10 months ago


Correct answer is B.
upvoted 3 times


Question #215 Topic 1

When an ethernet interface is configured with an IPv4 address, which type of zone is it a member of?

A. Layer 3

B. Virtual Wire

C. Tap

D. Tunnel

Correct Answer: A

  Kalender 2 months, 2 weeks ago


Selected Answer: A
Yes A is correct
upvoted 1 times

Question #216 Topic 1

An administrator would like to create a URL Filtering log entry when users browse to any gambling website.
What combination of Security policy and Security profile actions is correct?

A. Security policy = deny, Gambling category in URL profile = block

B. Security policy = drop, Gambling category in URL profile = allow

C. Security policy = allow, Gambling category in URL profile = alert

D. Security policy = allow, Gambling category in URL profile = allow

Correct Answer: C

  markeloff23 Highly Voted  9 months, 1 week ago


Correct,
If security policy is *not allowed, panos skip security profile analysis
upvoted 5 times

  Kalender Most Recent  2 months, 2 weeks ago


Selected Answer: C
Security policy: deny and drop --> user can not go inside and browse
then Security policy must allow
-----------------------------------------
URL Profile: allow: no log entry is generated.
URL Profile alert: a log entry is generated in the URL filtering log.
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: C
Answer : C
A log entry is generated in the URL filtering log.
upvoted 1 times

  Najmmm 6 months, 3 weeks ago


C is correct. A log entry is generated in the URL filtering log.

https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/url-filtering-profiles
upvoted 1 times


Question #217 Topic 1

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.
Which two fields could help in determining if this is normal? (Choose two.)

A. IP Protocol

B. Packets sent/received

C. Decrypted

D. Action

Correct Answer: BD

  Alex48694 Highly Voted  9 months ago


Selected Answer: AB
Answer: AB

When monitoring the traffic logs using Monitor > logs > Traffic, some traffic is seen with the Session End Reason as aged-out. Any traffic that uses
UDP or ICMP will have session end reason as aged-out in the traffic log. This is because, unlike TCP, there is no way for a graceful
termination of UDP session and so aged-out is a legitimate session-end reason for UDP (and ICMP) sessions.
Link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW
upvoted 5 times

  Kalender Most Recent  2 months, 2 weeks ago


Selected Answer: AB
TCP is ok only if "packet sent" and packet "received" is equal.
otherwise there is an anomaly and it must be investigated.
That is why the number of packets is important. On the other hand, the "action" must always be "allow" otherwise no traffic is possible.
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


Although I got it wrong at the time, reading the question again plus the discussion and this provided article :
(https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW) leads me to believe that the answer is actually "AD".
This is because there are no such fields as "packets sent / packets received" in the detailed log view of a session. But the fields for "Action" and
"Protocol" does exist. Based on the article, if protocol is UDP then aged out reason is ok and can be ignored, the opposite is true for TCP which a
session of aged out warrants further investigation.
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


Selected Answer: AB
Action for 'allowed' session is always Allow. IP Protocol shows e.g. in case of UDP. Packets send/receive also indicate the reason for 'aged-out'
traffic.
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: AB
Answer: AB
For a session which is allowed, the action will be allow...
upvoted 1 times

  mushi4ka 10 months ago


I would choose A and B as correct answers.
For example:
-- DNS traffic will show up as aged-out (answer A)
-- TCP traffic can show 100 bytes sent, 0 bytes received which can mean that traffic is dropped after the firewall, or destination IP is not responding
(answer B)
upvoted 4 times


Question #218 Topic 1

What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)

A. It requires an active subscription to a third-party DNS Security service

B. It requires a valid URL Filtering license

C. It uses techniques such as DGA/DNS tunneling detection and machine learning

D. It requires a valid Threat Prevention license

E. It enables users to access real-time protections using advanced predictive analytics

Correct Answer: CDE

  blackisok 2 months, 3 weeks ago


Selected Answer: CDE
https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security
upvoted 1 times

  Najmmm 5 months ago


Selected Answer: CDE
DNS security subscription provides enhanced DNS sinkholing capabilities by querying DNS Security, an extensible cloud-based service capable of
generating DNS signatures using advanced predictive analytics and machine learning. This service provides full access to the continuously
expanding DNS-based threat intelligence produced by Palo Alto Networks.
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


CDE are correct:
DNS Security subscription enables users to access real-time protections using advanced predictive analytics. When techniques such as DGA/DNS
tunneling detection and machine learning are used, threats hidden within DNS traffic can be proactively identified and shared through an infinitely
scalable cloud service. Because the DNS signatures and protections are stored in a cloud-based architecture, you can access the full database of
ever-expanding signatures that have been generated using a multitude of data sources. This list of signatures allows you to defend against an array
of threats using DNS in real-time against newly generated malicious domains. To combat future threats, updates to the analysis, detection, and
prevention capabilities of the DNS Security service will be available through content releases. To access the DNS Security service, you must have a
Threat Prevention license and DNS Security license.
upvoted 1 times


Question #219 Topic 1

After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration
that matches the running configuration.
Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

A. Revert to running configuration

B. Load named configuration snapshot

C. Revert to last saved configuration

D. Import named config snapshot

Correct Answer: A

  Cristhian9 1 month ago


Right!
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Restores the current running configuration. This operation undoes all changes that every administrator made to the candidate configuration since
the last commit. To revert only the changes of specific administrators
upvoted 2 times


Question #220 Topic 1

What are three valid ways to map an IP address to a username? (Choose three.)

A. a user connecting into a GlobalProtect gateway using a GlobalProtect Agent

B. WildFire verdict reports

C. DHCP Relay logs

D. using the XML API

E. usernames inserted inside HTTP Headers

Correct Answer: ADE

  hugodiaz 4 months ago


Selected Answer: ADE
Correct.
upvoted 2 times

  baccalacca 4 months, 1 week ago


disagree - please reference https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/panorama-web-interface/panorama-administrators

For each access domain (up to 25) you want to assign to the administrator, Add an Access Domain from the drop-down (see Panorama > Access
Domains) and then click the adjacent Admin Role cell and select a custom Device Group and Template administrator role from the drop-down (see
Panorama > Managed Devices > Summary). When administrators with access to more than one domain log in to Panorama, an Access Domain
drop-down appears in the footer of the web interface. Administrators can select any assigned Access Domain to filter the monitoring and
configuration data that Panorama displays. The Access Domain selection also filters the firewalls that the Context drop-down displays.
upvoted 1 times

  hugodiaz 4 months ago


you're confusing what the question is asking.

Username mapping to IP addressing falls under USER-ID

I recommend you review this document:


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users
upvoted 2 times

  Surfside92 9 months, 3 weeks ago


Selected Answer: ADE
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users
upvoted 4 times


Question #221 Topic 1

How is an address object of type IP range correctly defined?

A. 192.168.40.1-192.168.40.255

B. 192.168.40.1-255

C. 192.168.40.1, 192.168.40.255

D. 192.168.40.1/24

Correct Answer: A

  FMaster007 2 weeks, 2 days ago


It's asking for a range, not a network ID. So the answer is A, not D.
upvoted 1 times

  baccalacca 4 months, 1 week ago


https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/create-an-address-object
Answer : A - IP range - from webpage = they use the same IPs on Palo site as what they have in question
An address object of type IP Netmask requires you to enter the IP address or network using slash notation to indicate the IPv4 network or the IPv6
prefix length. For example, 192.168.18.0/24 or 2001:db8:123:1::/64.
upvoted 2 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Answer : A
IP Range—Enter a range of addresses using the following format: ip_address-ip_address where both ends of the range are IPv4 addresses or both
are IPv6 addresses. For example: 2001:db8:123:1::1-2001:db8:123:1::22
upvoted 3 times

  BeforeScope 6 months, 1 week ago


answer A
upvoted 3 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: A
the key in this question is (IP range), thus I think that A is the correct answer.
upvoted 3 times

  froggy2638 9 months ago


Selected Answer: D
D is the only one that works when plugged into Objects > Address > Add
upvoted 1 times

  Najmmm 8 months, 3 weeks ago


that is for netmask, ip range explanation from PA
Enter an IP address range (Ex. 10.0.0.1-10.0.0.4). Each of the IP addresses in the range can also be in an IPv6 form (Ex. 2001:db8:123:1::1-2001:db8:123:1::11)
upvoted 6 times


Question #222 Topic 1

An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the
traffic logs on the firewall. The interzone-default was never changed from its default configuration.
Why doesn't the administrator see the traffic?

A. The interzone-default policy is disabled by default.

B. Traffic is being denied on the interzone-default policy.

C. Logging on the interzone-default policy is disabled.

D. The Log Forwarding profile is not configured on the policy.

Correct Answer: C

  DatITGuyTho1337 3 months, 3 weeks ago


C is the correct answer, logging on both default rules are disabled until you override them to enable logging.
upvoted 3 times

  Miho_GG 7 months ago


A seems more right.
Logging is disabled by default.
upvoted 1 times

  sguerouate 6 months, 1 week ago


"The interzone-default policy is disabled by default."
It's never disabled by default, the log is. The response said the rule is disabled, which is not the case by default, so C is the correct answer
upvoted 2 times

Question #223 Topic 1

What do you configure if you want to set up a group of objects based on their ports alone?

A. address groups

B. custom objects

C. application groups

D. service groups

Correct Answer: D

  Hyay 10 months, 1 week ago


Selected Answer: D
Correct. Service = layer 4, Application = layer 7
upvoted 3 times


Question #224 Topic 1

What are two valid selections within a Vulnerability Protection profile? (Choose two.)

A. deny

B. drop

C. default

D. sinkhole

Correct Answer: BC

  Sanjug2022 3 weeks, 5 days ago


B & C correct
upvoted 1 times

  DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: BC
BC are correct.
You can configure the following actions in an Anti-Spyware profile:
Default; Allow; Alert; Drop; Reset Client; Reset Server; Reset Both; Block IP
https://docs.paloaltonetworks.com/network-security/security-policy/security-profiles/security-profile-vulnerability-protection
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: BC
B and C are correct.
upvoted 1 times

  Surfside92 9 months, 3 weeks ago


Selected Answer: BC
b and C
upvoted 2 times

Question #225 Topic 1

Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)

A. Tap

B. HA

C. Layer 3

D. Layer 2

E. Virtual Wire

Correct Answer: CDE

  nolox 4 months, 1 week ago


Selected Answer: CDE
Correct
upvoted 2 times


Question #226 Topic 1

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.
Which security policy action causes this?

A. Drop

B. Drop, send ICMP Unreachable

C. Reset both

D. Reset server

Correct Answer: B

  markeloff23 Highly Voted  9 months, 3 weeks ago


Why B and not A?
upvoted 6 times

  sguerouate 6 months, 1 week ago


Agree, i would have said A. This is the most simple way for blocking the "traffic" as they ask...
upvoted 1 times

  OhEmGee Most Recent  5 months, 2 weeks ago


Selected Answer: A
The question is not asking for notifying anyone so 'icmp' is not needed as such, thus I select A.
upvoted 3 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Answer : A
upvoted 2 times

  blahblah1234567890000 6 months, 1 week ago


Selected Answer: A
Answer is drop.
upvoted 2 times


Question #227 Topic 1

When creating an Admin Role profile, if no changes are made, which two administrative methods will you have full access to? (Choose two.)

A. web UI

B. XML API

C. command line

D. REST API

Correct Answer: AD

  Surfside92 Highly Voted  9 months, 3 weeks ago


Selected Answer: AD
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-an-admin-role-profile
upvoted 5 times

  madt Most Recent  2 months, 3 weeks ago


Selected Answer: AD
AD is correct I checked on FW
upvoted 2 times


Question #228 Topic 1

An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to
update the Security policy or object when new applications are released.
Which object should the administrator use as a match condition in the Security policy?

A. the Online Storage and Backup URL category

B. the Content Delivery Networks URL category

C. an application group containing all of the file-sharing App-IDs reported in the traffic logs

D. an application filter for applications whose subcategory is file-sharing

Correct Answer: D

  Ermbmx2 2 months, 2 weeks ago


Selected Answer: D
D. The only way the Admin will not have to update any Security policies or objects when the App ID is updated is if a Filter is used. Has to be D.
upvoted 1 times

  Achuth 3 months, 3 weeks ago


Selected Answer: D
Answer seems to be D. The Administrator does not want to manually update the policy when the new applications are released. So App filter is
required to get it auto updated. The issue is question is not clear. It can be interpreted as you did and marked as C too.
upvoted 2 times

  DatITGuyTho1337 3 months, 3 weeks ago


Rolling with D. App filters update the security rules so you don't have to do so manually when new apps are released. There will probably be new
file sharing apps released onto the web on a monthly basis, filtering for the file sharing app filter object is the easiest way to stay updated without
manually expanding the matching object condition on the security rule.
upvoted 1 times

  nolox 4 months, 1 week ago


Selected Answer: C
When new app-IDs come out, the filter will be updated and that is not what admin wants.
upvoted 3 times

  Achuth 3 months, 3 weeks ago


Answer seems to be D. The Administrator does not want to manually update the policy when the new applications are released. So App
filter is required to get it auto updated. The issue is question is not clear. It can be interpreted as you did and marked as C too.
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


I would argue that the answer is D for app filters because using App groups would mean that the Admin would have to manually update the
security policy and objects when new applications are released. The App filters does this automatically on the back end so the admin does not
have to manually update the rule.
upvoted 1 times


Question #229 Topic 1

Which list of actions properly defines the order of steps needed to add a local database user account and create a new group to which this user
will be assigned?

A. 1. Navigate to Device > Local User Database > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash.
4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the group.
7. Add the user to the group and click OK.

B. 1. Navigate to Device > Authentication Profile > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or
Hash. 4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the
group. 7. Add the user to the group and click OK.

C. 1. Navigate to Device > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account
and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.

D. 1. Navigate to Device > Admins and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the
account and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click
OK.

Correct Answer: A

  Star_world79 4 months, 1 week ago


Selected Answer: A
A is the Answer.
upvoted 1 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: A
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHcCAK
upvoted 1 times

  memos64 9 months ago


A is correct
upvoted 3 times

  kvothe86 9 months, 1 week ago


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHcCAK
upvoted 3 times


Question #230 Topic 1

When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)

A. server profile

B. admin role

C. password profile

D. access domain

Correct Answer: BD

  TheLorenz 1 month ago


Answer is B and D.

B. Admin Role - The set of permissions for the administrator. It is a custom role where you can specify what the admin can and cannot do.

D. Access Domain - This is the set of devices or device groups, templates, or template stacks that the admin is allowed to access.

Information on Access Domains - https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/role-based-access-control/access-domains
upvoted 1 times

  cert111 2 months, 1 week ago


Selected Answer: BD
If you look at Panorama and try to create a Device Group and Template admin, you'll see that you need an Access Domain and Admin Role.
upvoted 1 times

  Apache207 4 months ago


Selected Answer: BD
Device Group and Template Admin type ->Access Domain to Administrator Role
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/panorama-web-interface/panorama-administrators
upvoted 2 times

  baccalacca 4 months, 1 week ago


disagree - https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/panorama-web-interface/panorama-administrators
answer is domain access and admin role
For each access domain (up to 25) you want to assign to the administrator, Add an Access Domain from the drop-down (see Panorama > Access
Domains) and then click the adjacent Admin Role cell and select a custom Device Group and Template administrator role from the drop-down (see
Panorama > Managed Devices > Summary). When administrators with access to more than one domain log in to Panorama, an Access Domain
drop-down appears in the footer of the web interface. Administrators can select any assigned Access Domain to filter the monitoring and
configuration data that Panorama displays. The Access Domain selection also filters the firewalls that the Context drop-down displays.
upvoted 1 times

  LetsDiscuss23 4 months, 1 week ago


The answer is A and B; the study guide makes no reference to an access domain.
upvoted 2 times

  nolox 4 months, 1 week ago


Agreed
upvoted 1 times


Question #231 Topic 1

An administrator is configuring a NAT rule.


At a minimum, which three forms of information are required? (Choose three.)

A. source zone

B. name

C. destination interface

D. destination zone

E. destination address

Correct Answer: ABD

  madt 2 months, 3 weeks ago


Selected Answer: ABD
Correct, checked on FW
upvoted 2 times

  baccalacca 4 months, 1 week ago


disagree - answer is A C D

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching
criteria based on the packet’s destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall
evaluates the rules in order from the top down.
upvoted 2 times

  DatITGuyTho1337 3 months, 3 weeks ago


Brother, you have to give the NAT rule a name for reference. :)
PA NGFW are famous for the zones also, they are definitely needed at the minimum.
upvoted 2 times

  hugodiaz 4 months ago


You just discredited your own answer with the source information provided...
"You configure a NAT rule to match a packet’s source zone and destination zone, at a MINIMUM"
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


Yes, correct. Verified from the configuration :).
upvoted 2 times

  drogadotcom 3 months, 2 weeks ago


Yeah, you are agree, verified from a PaloAlto, the red attributes are A, B, D ones
(I thought that name was not required, but I was wrong)
upvoted 2 times

  ruben_castro81 9 months, 1 week ago


Correct
upvoted 4 times


Question #232 Topic 1

An administrator wants to prevent hacking attacks through DNS queries to malicious domains.
Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)

A. deny

B. block

C. sinkhole

D. override

Correct Answer: BC

  ruben_castro81 Highly Voted  9 months, 1 week ago


Correct
upvoted 7 times

  innuendo2 Most Recent  3 weeks ago


deny is for policy
upvoted 1 times

  Star_world79 4 months, 1 week ago


Selected Answer: BC
Sinkhole and Block
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


All possible actions are default, allow, block and sinkhole.
upvoted 2 times


Question #233 Topic 1

An administrator is creating a NAT policy.


Which combination of address and zone are used as match conditions? (Choose two.)

A. Pre-NAT address

B. Pre-NAT zone

C. Post-NAT address

D. Post-NAT zone

Correct Answer: AD

  yinksho Highly Voted  7 months, 3 weeks ago


Selected Answer: AB
A and B is correct. NAT policy rule matches the packet based on the original pre-NAT src and dst address and pre-NAT destination zone. It's security
policy that matches the packet based on pre-NAT src and dst address and post-NAT zone
upvoted 6 times

  DlaEdu_Ex Most Recent  3 weeks, 1 day ago


Selected Answer: AB
For NAT-Policies we use Pre-NAT zones and Pre-NAT addresses
upvoted 1 times

  Sanjug2022 1 month ago


A & B correct. NAT Policy : Pre-NAT Zone and Pre NAT Address
upvoted 2 times

  Kalender 2 months, 1 week ago


Selected Answer: BD
Correct answer is clear at first sentence actually.
(https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)
upvoted 2 times

  cert111 2 months, 1 week ago


Selected Answer: BD
According to Palo Alto documentation, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum."
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 1 times

  Ermbmx2 2 months, 2 weeks ago


Selected Answer: AD
Based on DatITGuyTho1337's Comment and how the question is looking for a combination of Address AND Zone, the answer would have to be
pre-NAT address and Post-NAT Zone. As post-NAT address is never used as a matching criteria.
upvoted 2 times

  madt 2 months, 2 weeks ago


Selected Answer: AD
A,D are the correct answers
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


I chose "B D" but I think "A D" is correct because of this excerpt:

"Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if
the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any
security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon
egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies
apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address."

I also just noticed that the question asked for a combination of address and zones so the answer cannot be "BD".
upvoted 2 times

  LetsDiscuss23 4 months, 1 week ago


It is A and B since it is asking for NAT. IF!! it was asking for a security policy rule it would be pre-NAT address, post-NAT zone
upvoted 1 times


  adiyahav2007 4 months, 2 weeks ago


Selected Answer: BD
I will check it now on my lab and it must be the zones
upvoted 1 times

  adiyahav2007 4 months, 2 weeks ago


I checked now**
upvoted 1 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: AB
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching
criteria based on the packet’s destination interface, (source and destination address) , and service.

Based on the above the correct answers are A&B as the post nat zone is decided according to the NAT that will be applied and post NAT address is
not a matching criteria of course.
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


Selected Answer: AB
As per the flow logic, NAT rule has pre-NAT address as well as pre-NAT zones however when policy is evaluated, NAT is executed therefore at
security policy the addresses are pre-NAT whereas the destination zone becomes the zone where packet is supposed to land at the end.
upvoted 1 times

  blahblah1234567890000 6 months, 1 week ago


Selected Answer: BD
Most of you are wrong, it's B and D
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching
criteria based on the packet’s destination interface, source and destination address, and service. You can configure multiple NAT rules.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 2 times

  BMRobertson 5 months, 3 weeks ago


From your link:
Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies
apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not.
Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface
and zone, security policies are enforced on the post-NAT zone.
upvoted 4 times

  cert111 2 months, 1 week ago


You're over-thinking it. Palo Alto documentation reads, "You configure a NAT rule to match a packet’s source zone and destination zone, at
a minimum." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview. Plus, if you
look at creating a NAT policy, you'll see that you do need to enter something in both zones.
upvoted 1 times

  sjurka 7 months ago


Selected Answer: AD
"PRE-NAT address & POST-NAT zone" rule
A&D answers
upvoted 3 times

  Vijay_75 7 months, 2 weeks ago


Selected Answer: BD
I would say it's B & D because of the following:
1. You must specify the source zone (B)
2. You must specify the destination zone (D)
Address translation is not important because it can use the Interface IP instead
upvoted 3 times

  markeloff23 9 months, 2 weeks ago


Selected Answer: AD
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if
the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any
security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon
egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
upvoted 2 times


Question #234 Topic 1

A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)

A. OSPF

B. EIGRP

C. IS-IS

D. BGP

E. RIP

Correct Answer: ADE

  Star_world79 4 months, 1 week ago


Selected Answer: ADE
EIGRP is proprietary.
upvoted 2 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: ADE
A D E are correct answers
You can configure Layer 3 interfaces on a virtual router to participate with dynamic routing protocols (BGP, OSPF, OSPFv3, or RIP) as well as add
static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that aren’t shared between virtual routers,
enabling you to configure different routing behaviors for different interfaces.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/virtual-routers
upvoted 1 times

  blahblah1234567890000 6 months, 1 week ago


Selected Answer: ADE
Correct.
upvoted 1 times

  blahblah1234567890000 6 months ago


Dynamic routing protocols available on a legacy virtual router are as follows:
• BGP4
• OSPFv2
• OSPFv3
• RIPv2
Multicast routing protocols available on a legacy virtual router are as follows:
• IGMPv1, IGMPv2, IGMPv3
• PIM-SM, PIM-ASM, PIM-SSM
upvoted 1 times


Question #235 Topic 1

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition,
traffic should be permitted from the SERVER zone to the DMZ on SSH only.
Which rule group enables the required traffic?
A.

B.

C.


D.

Correct Answer: C

  kvothe86 Highly Voted  9 months ago


I can't see the image properly
upvoted 13 times

  DatITGuyTho1337 Most Recent  3 months, 3 weeks ago


B is the correct answer. It is the rule that allows the required traffic between both zones. And yeah you have to zoom in real close at the image as it
is very poor quality!!!
upvoted 1 times

  drogadotcom 3 months, 2 weeks ago


I think that B is not correct since FWB might not have Server Zone defined. And since "an
interface can belong to only one zone" (PCNSA Study Guide zone section) that means the only zone associated to interlink interface is the
Interlink one (and cannot be DMZ/Server).
That is why I would say C.
upvoted 2 times

  TheLorenz 1 month ago


The server zone is defined on FW B and it shows it in the policies. All it means for an interface can only belong to one zone is you cannot
have two zones on the same exact interface, but that doesn't have anything to do with this question as the server zone is already configured
on Firewall B and is visible within the policies -- This aspect does not pertain to the question at hand.

Further, there's no reason to establish policies for the interlink zone. The firewall will inspect the traffic and permit it, provided there's an
allow policy. This process is automatic, without needing specific policies for the interlink zone.
upvoted 1 times

  nolox 3 months, 1 week ago


Exactly
upvoted 1 times

  itkare 3 months, 4 weeks ago


B is correct
Option C does not have the rule to allow Server>DMZ zone traffic on SSH
upvoted 2 times

  khaled_ellaboudy 5 months, 1 week ago


C is correct as the packet keeps the same source and destination addresses intact so the rules should be configured accordingly
upvoted 2 times

  nolox 3 months, 1 week ago


Correct
upvoted 1 times

  homersimpson 8 months, 1 week ago


Graphics are way low res.
upvoted 4 times


Question #236 Topic 1

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the
management interface?

A. service route

B. dynamic updates

C. SNMP setup

D. data redistribution

Correct Answer: A

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: A
A is correct
upvoted 1 times

  blahblah1234567890000 6 months ago


Selected Answer: A
Correct
upvoted 1 times

Question #237 Topic 1

In order to fulfill the corporate requirement to backup the configuration of Panorama and the Panorama-managed firewalls securely, which
protocol should you select when adding a new scheduled config export?

A. HTTPS

B. SMB v3

C. SCP

D. FTP

Correct Answer: C

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: C
FTP, SFTP and SCP can help accomplish the same thing, which is to move files from here to there (or, based on relativity, from there to here) nice
and quickly and over ethernet. There is one major difference between FTP and the other 2, though: FTP sends data in plain-text whereas SCP and
SFTP use the SSH (Secure Shell) protocol for communication. Again, this is for security purposes, so when it comes to websites and transferring
sensitive information, it is always better to err on the side of security.
upvoted 2 times

  blahblah1234567890000 6 months ago


You can use both SCP and FTP according to the documentation (unless you're running Windows XD lol)
upvoted 1 times

  luismanzanero 5 months, 3 weeks ago


But "securely" means you should use TFTP. Not only FTP. That's the difference.
upvoted 1 times

  luismanzanero 5 months, 3 weeks ago


I mean *SFTP
upvoted 1 times


Question #238 Topic 1

All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.

Complete the empty field in the Security policy using an application object to permit only this type of access.

Source Zone: Internal
Destination Zone: DMZ Zone
Application: __________
Service: application-default
Action: allow

A. Application = "any"

B. Application = "web-browsing"

C. Application = "ssl"

D. Application = "http"

Correct Answer: D

  Oteslar Highly Voted  7 months, 2 weeks ago


Selected Answer: B
I think the answer is B, because http is not an application but a service; web-browsing can be http/https.
upvoted 5 times

  hugodiaz Most Recent  4 months ago


This was oddly worded and the whole question should not even count.

The question is clearly specifying ONLY HTTP traffic, but the provided options do not match the asked criteria.

HTTP is a server, and web-browsing is an APP-ID. However, "web-browsing" if left alone with default application service allows both http and https.
Moreover, the answer doesn't make a correction in the Service option and leaves it as application-default.

I agree that the answer, based on the requirements is B, but the question sucks.
upvoted 3 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: B
Web browsing is a valid add id while http is not, http is a service and not an app
upvoted 3 times

  khaled_ellaboudy 5 months ago


APP id and not add id, sorry for the typo
upvoted 2 times

  ARWANGSH 6 months, 1 week ago


Selected Answer: B
http is not an app-id, web-browsing is:
https://applipedia.paloaltonetworks.com/
upvoted 4 times

  sjurka 7 months ago


Selected Answer: B
http is a service.
web-browsing should be selected
upvoted 3 times


Question #239 Topic 1

An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established
connections to remote systems.

From the Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to prevent such connections?

A. Set the hacking category to continue.

B. Set the phishing category to override.

C. Set the malware category to block.

D. Set the Command and Control category to block.

Correct Answer: C

  SillyGoose123 4 months, 1 week ago


Selected Answer: D
Malware doesn't inherently establish connections to remote servers. Command and control (C2) does this by definition. Answer is D.
upvoted 1 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: D
Set COMMAND AND CONTROL category to block. This is the correct answer
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


Selected Answer: D
Go to Objects -> Security Profiles -> URL Filtering -> Categories tab -> Search for Command-and-Control and set the action to Block

D is the right answer.


upvoted 2 times

  83KG 5 months, 3 weeks ago


Selected Answer: D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/url-categories/url-category-best-practices
upvoted 1 times

  john7809 6 months ago


Selected Answer: D
I think that the correct answer is D

Command-and-control is defined by Palo Alto Networks as URLs and domains used by malware and/or compromised systems to surreptitiously
communicate with an attacker's remote server to receive malicious commands or exfiltrate data
upvoted 1 times


Question #240 Topic 1

An administrator would like to follow the best-practice approach to log the traffic that traverses the firewall.

What action should they take?

A. Enable both Log at Session Start and Log at Session End.

B. Enable Log at Session End.

C. Enable Log at Session Start.

D. Disable all logging options.

Correct Answer: B

  Star_world79 4 months, 1 week ago


Selected Answer: B
At session end
upvoted 2 times

Question #241 Topic 1

Which two protocols are available on a Palo Alto Networks Firewall Interface Management Profile? (Choose two.)

A. HTTPS

B. RDP

C. SCP

D. SSH

Correct Answer: AD

  Kalender 2 months, 2 weeks ago


Selected Answer: AD
Correct..HTTP,HTTPS,SSH and TELNET
upvoted 1 times


Question #242 Topic 1

A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT, Finance, and HR.

Which two types of traffic will the rule apply to? (Choose two)

A. traffic between zone IT and zone Finance

B. traffic between zone Finance and zone HR

C. traffic within zone IT

D. traffic within zone HR

Correct Answer: CD

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: CD
IntraZone. So only traffic within the same zone is allowed
upvoted 1 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: CD
C and D are correct.
upvoted 1 times


Question #243 Topic 1

You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

A. Data Filtering profile applied to outbound Security policy rules.

B. Vulnerability Protection profile applied to outbound Security policy rules.

C. URL Filtering profile applied to inbound Security policy rules.

D. Antivirus profile applied to inbound Security policy rules.

Correct Answer: A

  LHK0103 Highly Voted  8 months ago


Selected Answer: D
Antivirus prevent from malware downloading
upvoted 7 times

  DlaEdu_Ex Most Recent  3 weeks, 1 day ago


Selected Answer: D
Antivirus
The default profile inspects all the listed protocol decoders for viruses and generates alerts for the SMTP, IMAP, and POP3 protocols while blocking
the FTP, HTTP, and SMB protocols.
(PCNSA) | Study Guide p86
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


Answer should be D. The antivirus profile detects malware in the traffic stream and prevents them from being downloaded. Naturally the firewall
becomes aware of the latest threats after updating its database.
upvoted 1 times

  cutemomo 4 months, 3 weeks ago


Selected Answer: B
I vote for B
upvoted 1 times

  cutemomo 4 months, 3 weeks ago


Sorry It's my fault, D is the right answer.
upvoted 1 times

  fb48 5 months ago


Answer B.
You go to an FTP server. Therefore an OUTBOUND rule.
Makes only B a viable answer.
upvoted 1 times


Question #244 Topic 1

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.

Which security policy action causes this?

A. Drop

B. Drop, send ICMP Unreachable

C. Reset both

D. Reset client

Correct Answer: B

  SillyGoose123 4 months, 1 week ago


Selected Answer: A
You can set a drop action to send a type 3 ICMP, but "Drop, send ICMP Unreachable" is not the name of any action. The right answer is A.
upvoted 1 times

  adiyahav2007 4 months, 2 weeks ago


It should be A
upvoted 1 times

  cutemomo 4 months, 3 weeks ago


Selected Answer: B
B is the right answer, it's the same as Q.150
upvoted 1 times

  john7809 5 months, 4 weeks ago


Selected Answer: A
There is no security policy action " Drop, send ICMP Unreachable", it is only drop.
upvoted 4 times

  Viga1991 4 months, 3 weeks ago


I agree with you 100%
upvoted 1 times

  3osuwa 4 months, 2 weeks ago


There is the action like that, here is the information.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/security-policy-actions

For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP
Unreachable check box. When enabled, the firewall sends the ICMP code
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


Technically the action is indeed "Drop", the tick box of the "Send ICMP..." is optional. So yeah, John is correct.
upvoted 1 times


Question #245 Topic 1

What does an application filter help you to do?

A. It dynamically shapes defined application traffic based on active sessions and bandwidth usage.

B. It dynamically filters applications based on critical, high, medium, low, or informational severity.

C. It dynamically groups applications based on application attributes such as category and subcategory.

D. It dynamically provides application statistics based on network, threat, and blocked activity.

Correct Answer: C

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: C
C is correct
upvoted 1 times

  DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: C
Correct. An application filter is an object that dynamically groups applications based on application attributes that you define, including category,
subcategory, technology, risk factor, and characteristic.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter
upvoted 2 times

Question #246 Topic 1

Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided
password?

A. continue

B. override

C. hold

D. exclude

Correct Answer: B

  Oteslar 7 months, 2 weeks ago


Selected Answer: B
The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the
security administrator or help-desk person would provide a password granting temporary access to all websites in the given category. A log entry
is generated in the URL Filtering log. The Override webpage doesn’t display properly on client systems configured to use a proxy server.
upvoted 3 times


Question #247 Topic 1

Which type of address object is www.paloaltonetworks.com?

A. named address

B. IP range

C. FQDN

D. IP netmask

Correct Answer: C

  Oteslar 7 months, 2 weeks ago


Selected Answer: C
C is correct answer.
upvoted 2 times

Question #248 Topic 1

What are the requirements for using Palo Alto Networks EDL Hosting Service?

A. an additional paid subscription

B. any supported Palo Alto Networks firewall or Prisma Access firewall

C. a firewall device running with a minimum version of PAN-OS 10.1

D. an additional subscription free of charge

Correct Answer: B

  J2J2J2J Highly Voted  5 months, 3 weeks ago


Selected Answer: B
Answer : B
https://docs.paloaltonetworks.com/resources/edl-hosting-service
upvoted 6 times

  gashelio 5 months, 3 weeks ago


I see you commenting on a lot of posts! Thanks for all the explanations mate
upvoted 6 times


Question #249 Topic 1

What are two valid selections within an Antivirus profile? (Choose two.)

A. deny

B. drop

C. block-ip

D. default

Correct Answer: BD

  madt 2 months, 3 weeks ago


Selected Answer: BD
BD are correct checked on FW
upvoted 1 times

  SillyGoose123 4 months, 1 week ago


Selected Answer: BD
"Deny" is a policy action and "Block IP" is part of the Anti-Spyware profile. This leaves "Drop" and "Default"
upvoted 2 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: BD
Deny and Block-ip are not valid actions
upvoted 1 times

  DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: BD
You can configure the following actions in an Antivirus Profiles:
Default; Allow; Alert; Drop; Reset Client; Reset Server; Reset Both.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-profiles
upvoted 2 times

  83KG 5 months, 3 weeks ago


Drop & Deny.
Just checked on PA
upvoted 1 times

  83KG 5 months, 3 weeks ago


Typo I meant Default & Drop.
upvoted 2 times

  Oteslar 7 months, 2 weeks ago


Selected Answer: BD
B and D are correct.
upvoted 1 times


Question #250 Topic 1

Your company is highly concerned with their intellectual property being accessed by unauthorized resources. There is a mature process to store
and include metadata tags for all confidential documents.

Which Security profile can further ensure that these documents do not exit the corporate network?

A. File Blocking

B. Data Filtering

C. Anti-Spyware

D. URL Filtering

Correct Answer: D

  Vijay_75 Highly Voted  7 months, 2 weeks ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-data-filtering
upvoted 5 times

khaled_ellaboudy Most Recent 5 months, 1 week ago


Selected Answer: B
Correct answer is B
upvoted 1 times

DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: B
Use Data Filtering Profiles to prevent sensitive, confidential, and proprietary information from leaving your network.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/set-up-data-filtering
upvoted 2 times

J2J2J2J 5 months, 3 weeks ago


Selected Answer: B
Answer : B
Data filtering enables the firewall to detect sensitive information—such as credit card or social security numbers or internal corporate documents—
and prevent this data from leaving a secure network.
upvoted 2 times

Spaz_6 7 months, 1 week ago


Selected Answer: B
The right answer is B
upvoted 3 times


Question #251 Topic 1

An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

A. Highlight Unused Rules is checked.

B. There are seven Security policy rules on this firewall.

C. The view Rulebase as Groups is checked.

D. Eleven rules use the “Infrastructure” tag.

Correct Answer: C

Oteslar Highly Voted 7 months, 2 weeks ago


I can't read anything from the screenshot!
upvoted 8 times

sguerouate 6 months, 1 week ago


The most evident thing is C, all the yellow rules are pushed from panorama and it looks that way because the filter of policy based tag is applied
upvoted 1 times

blahblah1234567890000 6 months ago


I think D is also correct because the Infrastructure tag on the side has an 11 next to it.
upvoted 2 times

khaled_ellaboudy 5 months ago


I think this is the correct answer as this is clearer than other answers. Others have no evidence.
upvoted 1 times

khaled_ellaboudy 5 months ago


Sorry, this is wrong, 11 here means rule number 11, and the (1) between brackets is the number of rules tagged with infrastructure. So
the correct answer is C for sure
upvoted 1 times

MarkGrootaarts Most Recent 2 months, 4 weeks ago


Selected Answer: C
Also there are 11 rules for it infra
upvoted 1 times

khaled_ellaboudy 5 months ago


Selected Answer: C
C is the only valid answer

https://youtu.be/TGBfwwalpj0
upvoted 2 times


Question #252 Topic 1

Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

A. export named configuration snapshot

B. save named configuration snapshot

C. export device state

D. save candidate config

Correct Answer: A

DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: A
The Revert, Save, and Load operations all work with firewall configurations local to the firewall.
The Export operations transfer configurations as XML-formatted files from the firewall to the host running the web interface browser. From your
local machine, you can save the files as configuration backups.
The Import operations transfer XML configuration files from the host running the web interface browser to the firewall. The XML file can be loaded
as the candidate configuration or even be committed to becoming the running configuration.
[Palo Alto Networks]
upvoted 1 times

Oteslar 7 months, 2 weeks ago


Selected Answer: A
A is correct:
Export Named Configuration Snapshot
This option exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or
running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location. These
exports often are used as backups. These XML files also can be used as templates for building other firewall configurations.
upvoted 1 times


Question #253 Topic 1

DRAG DROP -

Match each rule type with its example.

Correct Answer:

ReallyMatters Highly Voted 7 months, 2 weeks ago


Looks like inter and interzone are interchanged.
upvoted 8 times

DlaEdu_Ex 5 months, 2 weeks ago


Agree
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 1 times

daytonadave2011 6 months, 3 weeks ago


I agree with that.
upvoted 1 times

khaled_ellaboudy Most Recent 5 months, 1 week ago


Interzone and intrazone are exchanged
upvoted 1 times


Question #254 Topic 1

What are the two default behaviors for the intrazone-default policy? (Choose two.)

A. Allow

B. Log at Session End

C. Deny

D. Logging disabled

Correct Answer: AB

DlaEdu_Ex Highly Voted 5 months, 2 weeks ago


Selected Answer: AD
By default, the firewall implicitly allows intrazone traffic (within a zone) and implicitly denies interzone traffic (between zones).
By default, traffic allowed or denied by the implicit Security policy rules is not logged on the firewall.
[Palo Alto Networks]
upvoted 6 times

SillyGoose123 Most Recent 4 months, 1 week ago


Selected Answer: AD
By default, logging is disabled. Allow and Logging Disabled are the only two logical answers here
upvoted 1 times

luismanzanero 5 months, 3 weeks ago


Selected Answer: AD
A D - Logging disabled by default
upvoted 1 times

daytonadave2011 6 months, 3 weeks ago


Selected Answer: AD
A, D. Logging is disabled by default on the intra and interzone rules.
upvoted 1 times

Spaz_6 7 months, 1 week ago


Selected Answer: AD
Logging is disabled for default policies by default
upvoted 1 times

Vijay_75 7 months, 2 weeks ago


A&D, Logging is disabled by default
upvoted 3 times

PunkSp 7 months, 3 weeks ago


AD - Logging is disabled by default
upvoted 2 times


Question #255 Topic 1

Which statement is true regarding NAT rules?

A. Translation of the IP address and port occurs before security processing.

B. Firewall supports NAT on Layer 3 interfaces only.

C. Static NAT rules have precedence over other forms of NAT.

D. NAT rules are processed in order from top to bottom.

Correct Answer: A

MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: D
Answer is D
upvoted 1 times

DatITGuyTho1337 3 months, 3 weeks ago


Answer is D, but B is also viable!!
upvoted 1 times

N1KH1L 1 month, 1 week ago


In Vwire mode there is a NAT capability, so I do not think B is viable
upvoted 2 times

LetsDiscuss23 4 months, 1 week ago


Selected Answer: D
Answer is D
upvoted 1 times

khaled_ellaboudy 5 months, 1 week ago


Selected Answer: D
D is the most relevant answer and has only one meaning.
upvoted 1 times

Vijay_75 7 months, 2 weeks ago


A and D are true as below:
1. the NAT rules are processed first before the security rules
(https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0)
2. the NAT rules are processed from top down
(https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)
upvoted 2 times

OhEmGee 5 months, 2 weeks ago


A is not the answer as NAT "evaluation" happens before Sec Policy but actual "translation" happens after Sec Pol evaluation.
Answer is D
upvoted 2 times

PunkSp 7 months, 3 weeks ago


Selected Answer: D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 2 times

sguerouate 6 months, 1 week ago


Agree, A is impossible to use
Answer D !
upvoted 1 times


Question #256 Topic 1

An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets.

What are two security policy actions the administrator can select? (Choose two.)

A. Reset server

B. Deny

C. Drop

D. Reset both

Correct Answer: AC

DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: AD
Palo Alto Networks firewall protection is based on application intelligence, so in the case of TCP, a TCP session must be established before the
application can be discovered. However, after a TCP session has been established, silent dropping of packets without sending a TCP reset can be
dangerous. The “drop” action could break the application and cause it to misbehave. An application might hang, continue to send packets, or
unnecessarily hold system resources open. Therefore, the default “deny” action defined for more than half of the applications recognized by the
firewall is to send a TCP reset.
[Palo Alto Networks]
upvoted 1 times

OhEmGee 5 months, 2 weeks ago


Selected Answer: CD
The question is about 'generally' preserving the resources, without spelling out server side or client side. Best option in such a case is DROP and
then RESET-BOTH.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-policy/security-policy-actions
upvoted 1 times

DatITGuyTho1337 3 months, 3 weeks ago


I disagree on the DROP option, if selected, the application will misbehave and most likely keep the sockets open as well as continually send
packets seeking a response.
upvoted 1 times

blahblah1234567890000 6 months ago


Selected Answer: AD
reset-server is useful when internal resources need to be protected from excessive resource consumption due to half-open sockets.
reset-both will provide best user experience and protect servers' resources, but may facilitate malicious use.
upvoted 1 times

sjurka 7 months ago


Selected Answer: AD
Reset options to avoid half open sockets
upvoted 3 times


Question #257 Topic 1

An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address.

What is the most appropriate NAT policy to achieve this?

A. Static IP

B. Destination

C. Dynamic IP and Port

D. Dynamic IP

Correct Answer: C

khaled_ellaboudy 5 months, 1 week ago


Selected Answer: C
It's clearly PAT, port address translation
upvoted 2 times

DlaEdu_Ex 5 months, 2 weeks ago


Selected Answer: C
C is correct.
Source NAT Types:
1. Static IP:
- 1-to-1 fixed translations.
- Changes the source IP address while leaving the source port unchanged.
- Supports the implicit bidirectional rule feature.
2. Dynamic IP:
- 1-to-1 translations of a source IP address only (no port number).
- Private source address translates to the next available address in the range.
3. Dynamic IP and port (DIPP):
- Allows multiple clients to use the same public IP addresses with different source port numbers.
- The assigned address can be set to the interface address or to a translated address.
[Palo Alto Networks]
upvoted 2 times

J2J2J2J 5 months, 3 weeks ago


Selected Answer: C
Answer C. Dynamic IP and Port (Many-to-One, Hide NAT, Source NAT)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC
upvoted 3 times


Question #258 Topic 1

What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

A. Configure a URL Filtering profile

B. Train your staff to be security aware.

C. Plan for mobile-employee risk.

D. Rely on a DNS resolver.

E. Implement a threat intel program.

Correct Answer: ADE

Kariamma 2 months, 2 weeks ago


BCE is the correct answer
upvoted 1 times

nolox 3 months, 1 week ago


According to article that hugodiaz provided it should be ABCE :D
upvoted 3 times

DatITGuyTho1337 3 months, 3 weeks ago


Answer should be ACE based on the article that hugodiaz provided.
upvoted 2 times

hugodiaz 3 months, 3 weeks ago


Selected Answer: BCE
Based on the following source, BCE appear to be the best practices

https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling

Read the Best practices section.


upvoted 3 times

nolox 4 months, 1 week ago


Selected Answer: ACE
I would say ACE
upvoted 1 times


Question #259 Topic 1

An administrator would like to see the traffic that matches the intrazone-default rule in the traffic logs.

What is the correct process to enable this logging?

A. Select the intrazone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.

B. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.

C. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.

D. This rule has traffic logging enabled by default; no further action is required.

Correct Answer: A

alphahotelzulu 1 week, 5 days ago


Selected Answer: A
A is correct
upvoted 1 times

J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Answer : A
For traffic that doesn’t match any user-defined rules, the default rules apply. The default rules—displayed at the bottom of the security rulebase—
are predefined to allow all intrazone traffic (within the zone) and deny all interzone traffic (between zones). Although these rules are part of the
pre-defined configuration and are read-only by default, you can Override them and change a limited number of settings, including the tags, action
(allow or deny), log settings, and security profiles.
upvoted 4 times

Question #260 Topic 1

What is a function of application tags?

A. automated referenced applications in a policy

B. application prioritization

C. IP address allocations in DHCP

D. creation of new zones

Correct Answer: A

alphahotelzulu 1 week, 5 days ago


Selected Answer: A
Also agree on A
upvoted 1 times

nolox 4 months, 1 week ago


Selected Answer: A
Agreed
upvoted 1 times


Question #261 Topic 1

An administrator wants to filter access to www.paloaltonetworks.com via a custom URL category.

Which syntax would match this?

A. https://paloaltonetworks.com

B. #.paloaltonetworks.com

C. http://paloaltonetworks.com

D. *.paloaltonetworks.com

Correct Answer: D

Question #262 Topic 1

What are two valid selections within an Anti-Spyware profile? (Choose two.)

A. Random early drop

B. Drop

C. Deny

D. Default

Correct Answer: BD

SillyGoose123 4 months, 1 week ago


Selected Answer: BD
Deny is a policy action, random early drop is part of the inner workings of DoS protection. Answer is B and D.
upvoted 2 times


Question #263 Topic 1

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

A. Configure an authentication profile.

B. Configure an authentication sequence.

C. Isolate the management interface on a dedicated management VLAN.

D. Configure an authentication policy.

Correct Answer: A

DlaEdu_Ex 3 weeks, 3 days ago


Selected Answer: A
...
STEP 3 Configure an authentication profile.
...
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/authentication/configure-local-database-authentication#idda2bc269-fff3-4962-bbab-198a0d71ae04_id38db9f4d-cf02-40a4-ada5-346c3adb38ad
upvoted 1 times

Apache207 4 months ago


Authentication profile to use for non-local admins. Only RADIUS, TACACS+ and SAML methods are supported. And the question says that it is a local
firewall user database... I'm sure that the options are not a valid prerequisite.
upvoted 1 times

83KG 5 months, 3 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-a-firewall-administrator-account
upvoted 3 times

Question #264 Topic 1

Which Security policy set should be used to ensure that a policy is applied first?

A. Local firewall policy

B. Shared pre-rulebase

C. Parent device-group pre-rulebase

D. Child device-group pre-rulebase

Correct Answer: B

Samurai55_1998_01 4 months, 4 weeks ago


Answer is B.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-web-interface/defining-policies-on-panorama
upvoted 2 times


Question #265 Topic 1

An administrator is trying to implement an exception to an external dynamic list manually. Some entries are shown underlined in red.

What would cause this error?

A. Entries contain symbols.

B. Entries are wildcards.

C. Entries contain regular expressions.

D. Entries are duplicated.

Correct Answer: C

MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: D
Correct
upvoted 2 times

khaled_ellaboudy 5 months, 1 week ago


Selected Answer: D
You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list. To identify duplicate entries,
look for entries with a red underline.
upvoted 2 times

DlaEdu_Ex 5 months, 1 week ago


Selected Answer: D
You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list. To identify duplicate entries,
look for entries with a red underline.
upvoted 1 times

jakelobster 5 months, 3 weeks ago


must be D correct:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/exclude-entries-from-an-external-dynamic-list
upvoted 3 times


Question #266 Topic 1

What can be achieved by disabling the Share Unused Address and Service Objects with Devices setting on Panorama?

A. Increase the per-firewall capacity for address and service objects

B. Reduce the configuration and session synchronization time between HA pairs

C. Increase the backup capacity for configuration backups per firewall

D. Reduce the number of objects pushed to a firewall

Correct Answer: D

khaled_ellaboudy 5 months, 1 week ago


Selected Answer: D
Only D makes sense
upvoted 1 times

J2J2J2J 5 months, 3 weeks ago


Selected Answer: D
Answer : D
Select this option (enabled by default) to share all Panorama shared objects and device-group-specific objects with managed firewalls.
If you disable this option, the appliance checks Panorama policies for references to address, address group, service, and service group objects, and
does not share any unreferenced objects. This option reduces the total object count by ensuring that the appliance sends only necessary objects to
managed firewalls.
If you have a policy rule that targets specific devices in a device group, then the objects used in that policy are considered used in that device
group.
upvoted 4 times


Question #267 Topic 1

Which Security profile can be used to detect and block compromised hosts from trying to communicate with external command-and-control (C2)
servers?

A. URL Filtering

B. Antivirus

C. Vulnerability

D. Anti-Spyware

Correct Answer: D

perceptivity 2 weeks, 4 days ago


Selected Answer: D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 1 times

Ermbmx2 2 months, 2 weeks ago


Selected Answer: D
I'm going to have to go with D on this one. Very similar to the other questions which were also anti-spyware.
upvoted 1 times

SessoConPupoPazzo 2 months, 3 weeks ago


Selected Answer: D
Seems legit
upvoted 2 times

jose010696 3 months ago


trying to communicate with external command-and-control (C2) servers
answer: A
upvoted 1 times


Question #268 Topic 1

An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list.

What is the maximum number of entries that can be excluded?

A. 50

B. 100

C. 200

D. 1,000

Correct Answer: B

khaled_ellaboudy 5 months, 1 week ago


Selected Answer: B
B is correct
As you view the entries of an external dynamic list, you can exclude up to 100 entries from the list. The ability to exclude entries from an external
dynamic list gives you the option to enforce policy on some (but not all) of the entries in a list. This is helpful if you cannot edit the contents of an
external dynamic list (such as the Palo Alto Networks High-Risk IP Addresses feed) because it comes from a third-party source.
upvoted 1 times

DlaEdu_Ex 5 months, 1 week ago


Selected Answer: B
Select up to 100 entries to exclude from the list and click Submit or manually Add a list exception.
upvoted 1 times

83KG 5 months, 3 weeks ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/exclude-entries-from-an-external-dynamic-list
upvoted 2 times


Question #269 Topic 1

A website is unexpectedly allowed due to miscategorization.

What are two ways to resolve this issue for a proper response? (Choose two.)

A. Create a URL category and assign the affected URL. Update the active URL Filtering profile site access setting for the custom URL category to block.

B. Review the categorization of the website on https://urlfiltering.paloaltonetworks.com. Submit for "request change", identifying the appropriate categorization, and wait for confirmation before testing again.

C. Identify the URL category being assigned to the website. Edit the active URL Filtering profile and update that category's site access settings to block.

D. Create a URL category and assign the affected URL. Add a Security policy with a URL category qualifier of the custom URL category below the original policy. Set the policy action to Deny.

Correct Answer: BD

ngarcia 1 month, 4 weeks ago


Selected Answer: AB
My vote
upvoted 1 times

MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: AB
Correct
upvoted 1 times

DatITGuyTho1337 3 months, 3 weeks ago


Voting for AB! Setting policy action to deny in option D renders the point moot of using URL filtering profiles!! The FW will simply disallow traffic
flow entirely!!!
upvoted 1 times

DatITGuyTho1337 3 months, 3 weeks ago


On checking out details for option D, I also realized that it will never be enforced because the rule above it will be used instead!!!!
upvoted 1 times

Head_of_Chaos 4 months, 1 week ago


Must be AB.
D is below, so the action will be allowed.
upvoted 1 times

DlaEdu_Ex 5 months, 1 week ago


Selected Answer: AB
AB is correct
upvoted 2 times

OhEmGee 5 months, 2 weeks ago


Selected Answer: AB
It cannot be D as the suggested block policy is inserted 'below' the original policy and the original policy is allowing the traffic to the URL!
upvoted 2 times


Question #270 Topic 1

If the firewall interface E1/1 is connected to a SPAN or mirror port, which interface type should E1/1 be configured as?

A. Tap

B. Virtual Wire

C. Layer 2

D. Layer 3

Correct Answer: A

Kalender 2 months, 1 week ago


Selected Answer: A
A is correct.
(https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/tap-interfaces)
upvoted 1 times


Question #271 Topic 1

An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240
addresses and found that connections from addresses that needed new translations were being dropped.

Which type of NAT was configured?

A. Dynamic IP

B. Static IP

C. Dynamic IP and Port

D. Destination NAT

Correct Answer: C

83KG Highly Voted 5 months, 3 weeks ago


Selected Answer: A
The size of the NAT pool
should be equal to the number of internal hosts that require address translations. By default,
if the source address pool is larger than the NAT address pool and eventually all of the NAT
addresses are allocated, new connections that need address translation are dropped. To
override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable the use
of DIPP addresses when necessary
upvoted 6 times

MarkGrootaarts Most Recent 2 months, 4 weeks ago


Selected Answer: A
Correct
upvoted 2 times

khaled_ellaboudy 5 months, 1 week ago


Selected Answer: A
Asking about the NAT type used and not what should be used. Answer is A Dynamic IP
upvoted 2 times

DlaEdu_Ex 5 months, 1 week ago


A is correct,
Question is 'Which type of NAT WAS configured?', not 'Which type of NAT SHOULD BE configured?'
upvoted 2 times

BNGKRM 5 months, 2 weeks ago


The answer should be A.
upvoted 1 times


Question #272 Topic 1

The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges. In particular, the new
EMEA Regional Panorama Administrator should be able to:

- Access only EMEA-Regional device groups with read-only privileges
- Access only EMEA-Regional templates with read-only privileges

What is the correct configuration for the new EMEA Regional Panorama Administrator profile?

A. Administrator Type = Device Group and Template Admin
Admin Role = EMEA_Regional_Admin_read_only
Access Domain = EMEA-Regional

B. Administrator Type = Dynamic
Admin Role = Superuser (read-only)

C. Administrator Type = Dynamic
Admin Role = Panorama Administrator

D. Administrator Type = Custom Panorama Admin
Profile = EMEA Regional Admin_read_only

Correct Answer: A

DlaEdu_Ex 3 weeks, 3 days ago


Selected Answer: A
Administrator Type
- Dynamic - Roles that provide access to Panorama and managed firewalls.
- Custom Panorama Admin - Configurable roles that have read-write access, read-only
access, or no access to Panorama features.
- Device Group and Template Admin - Configurable roles that have read-write access,
read-only access, or no access to features for the device groups and templates that
are assigned to the access domains selected for this administrator.
upvoted 1 times

nolox 4 months, 1 week ago


Selected Answer: A
Would say it's correct
upvoted 1 times


Question #273 Topic 1

An administrator would like to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 device
groups and five templates.

Which configuration action should the administrator take when creating the address object?

A. Ensure that Disable Override is cleared.

B. Ensure that the Shared option is cleared.

C. Ensure that the Shared option is checked.

D. Tag the address object with the Global tag.

Correct Answer: C

MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: C
Correct
upvoted 1 times

nolox 4 months, 1 week ago


Selected Answer: C
Correct
upvoted 2 times


Question #274 Topic 1

Which type of policy allows an administrator to both enforce rules and take action?

A. Authentication

B. Security

C. NAT

D. Decryption

Correct Answer: A

Kalender 2 months, 2 weeks ago


Selected Answer: B
3.2 Differentiate specific security rule types
Security rule types Security policies allow you to enforce rules and take action, and they can be as general or as specific as needed.
(https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf)
upvoted 1 times

madt 2 months, 3 weeks ago


Selected Answer: B
B is correct
upvoted 1 times

LetsDiscuss23 4 months, 1 week ago


Selected Answer: B
Answer is B in plain text https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
upvoted 1 times

OhEmGee 5 months, 2 weeks ago


Selected Answer: B
It's a very lame question.
PCNSA study guide, section 3.2:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
Security rule types
Security policies allow you to enforce rules and take action, and they can be as general or as specific as needed.

Now check this :)


https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy
Policies allow you to enforce rules and take action. The different types of policy rules that you can create on the firewall are: Security, NAT, Quality
of Service (QoS), Policy Based Forwarding (PBF), Decryption, Application Override, Authentication, Denial of Service (DoS), and Zone protection
policies. All these different policies work together to allow, deny, prioritize, forward, encrypt, decrypt, make exceptions, authenticate access, and
reset connections as needed to help secure your network.
upvoted 1 times

J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Answer : A
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-policy
upvoted 2 times

DatITGuyTho1337 3 months, 3 weeks ago


Brother, the answer is B. The security rule base allows admins to enforce RULES with actions defined by said admin. The authentication policy
enforces that users authenticate before they access resources and whatnot.
upvoted 1 times


Question #275 Topic 1

With the DNS Security subscription, when will the cloud-based signature database provide users access to newly added DNS signatures?

A. Within five minutes, after downloading updates

B. Instantly, after downloading updates

C. Within five minutes, without downloading updates

D. Instantly, without downloading updates

Correct Answer: B

  baccalacca 4 months, 1 week ago


https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures
To better accommodate the influx of new DNS signatures being produced on a daily basis, the cloud-based signature database provides users with
instant access to newly added DNS signatures without the need to download updates. If network connectivity goes down or is otherwise
unavailable, the firewall uses the onbox DNS signature set.
upvoted 2 times

  3osuwa 4 months, 2 weeks ago


Selected Answer: D
The cloud-based signature database provides users with instant access to newly added DNS signatures without the need to download updates
upvoted 2 times

  83KG 5 months, 3 weeks ago


Selected Answer: D
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures
upvoted 4 times

Question #276 Topic 1

Why should a company have a File Blocking profile that is attached to a Security policy?

A. To block uploading and downloading of any type of files

B. To block uploading and downloading of specific types of files

C. To detonate files in a sandbox environment

D. To analyze file types

Correct Answer: B

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: B
Answer : B
File blocking profiles are used to block specified file types over specified applications and in the specified session flow direction
(inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be
subject to the file blocking profile.
upvoted 1 times


Question #277 Topic 1

What can be used as match criteria for creating a dynamic address group?

A. MAC addresses

B. IP addresses

C. Usernames

D. Tags

Correct Answer: D

  baccalacca 4 months, 1 week ago


https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-address-groups

answer - tags
upvoted 1 times

Question #278 Topic 1

An administrator is reviewing packet captures to troubleshoot a problem with an application, and they observe TCP resets to the client and the
server.

Which security policy action causes this?

A. Drop

B. Reset server

C. Reset client

D. Reset both

Correct Answer: D

  baccalacca 4 months, 1 week ago


d
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/security-policy/security-policy-actions
upvoted 3 times


Question #279 Topic 1

An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.

Which Security profile should be used?

A. Vulnerability protection

B. Anti-spyware

C. URL filtering

D. Antivirus

Correct Answer: B

  J2J2J2J Highly Voted  5 months, 3 weeks ago


Selected Answer: A
Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against
buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities.
upvoted 9 times

  madt Most Recent  2 months, 3 weeks ago


Selected Answer: A
A is correct
upvoted 1 times

  MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: A
Correct
upvoted 1 times

  3osuwa 4 months, 2 weeks ago


Selected Answer: A
Same opinion as others.
upvoted 1 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: A
Inbound threats, then the correct answer is A
upvoted 2 times

  J2J2J2J 5 months, 3 weeks ago


https://docs.paloaltonetworks.com/network-security/security-policy/security-profiles/security-profile-vulnerability-protection
upvoted 3 times


Question #280 Topic 1

An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are
available for any known user in the organization.

What object is best suited for this configuration?

A. Application Group

B. Tag

C. External Dynamic List

D. Application Filter

Correct Answer: A

  SillyGoose123 4 months, 1 week ago


Selected Answer: A
The question insinuates that there are a couple of applications that need to be blocked, and not a category of applications. This is why an
Application Group (static) fits better than an Application Filter (dynamic)
upvoted 3 times

Question #281 Topic 1

Which two configurations does an administrator need to compare in order to see differences between the active configuration and potential
changes if committed? (Choose two.)

A. Device state

B. Active

C. Candidate

D. Running

Correct Answer: CD

  Daimaxians 4 months ago


Selected Answer: CD
Candidate and Running.
Device state doesn't exist. Active doesn't exist.
upvoted 1 times


Question #282 Topic 1

An administrator configured a Security policy rule where the matching condition includes a single application and the action is set to deny.

What deny action will the firewall perform?

A. Discard the session’s packets and send a TCP reset packet to let the client know the session has been terminated

B. Drop the traffic silently

C. Perform the default deny action as defined in the App-ID database for the application

D. Send a TCP reset packet to the client- and server-side devices

Correct Answer: A

  SillyGoose123 4 months, 1 week ago


Selected Answer: C
C is the correct answer
upvoted 1 times

  DlaEdu_Ex 5 months ago


Selected Answer: C
C is correct
upvoted 1 times

  khaled_ellaboudy 5 months ago


Selected Answer: C
Deny action on security policy rule initiates the default deny action for matched app on security profile.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-policy/security-policy-actions
upvoted 2 times

  OhEmGee 5 months, 2 weeks ago


Selected Answer: C
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-policy/security-policy-actions
upvoted 1 times


Question #283 Topic 1

If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?

A. Source Zone: Trusted -

Destination Zone: DMZ -

Services: SSH -

Applications: Any -
Action: Allow

B. Source Zone: Trusted -

Destination Zone: DMZ -

Services: Application-Default -

Applications: SSH -
Action: Allow

C. Source Zone: Trusted -

Destination Zone: DMZ -

Services: Application-Default -

Applications: SSH -
Action: Deny

D. Source Zone: Trusted -

Destination Zone: DMZ -

Services: SSH -

Applications: Any -
Action: Deny

Correct Answer: B

  DlaEdu_Ex 5 months ago


Selected Answer: B
B is correct
"Select SSH as the application and set the service to application-default."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHtCAK
upvoted 2 times


Question #284 Topic 1

An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile.

If a virus gets detected, how will the firewall handle the traffic?

A. It allows the traffic but generates an entry in the Threat logs.

B. It drops the traffic because the profile was not set to explicitly allow the traffic.

C. It allows the traffic because the profile was not set to explicitly deny the traffic.

D. It uses the default action assigned to the virus signature.

Correct Answer: D

  DlaEdu_Ex 5 months ago


Selected Answer: D
D is correct
"Default—For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically,
the default action is an alert or a reset-both. "
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 2 times

Question #285 Topic 1

An administrator needs to allow users to use only certain email applications.

How should the administrator configure the firewall to restrict users to specific email applications?

A. Create an application filter and filter it on the collaboration category.

B. Create an application filter and filter it on the collaboration category, email subcategory.

C. Create an application group and add the email applications to it.

D. Create an application group and add the email category to it.

Correct Answer: C

  nolox 4 months, 1 week ago


Selected Answer: C
Correct
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
upvoted 1 times


Question #286 Topic 1

DNS exceptions can be set under which Security profile?

A. Data Filtering

B. URL Filtering

C. Anti-Spyware

D. Antivirus

Correct Answer: C

  DlaEdu_Ex 5 months ago


Selected Answer: C
C is correct
"Object -> Anti-spyware profile -> DNS Exceptions "
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPdBCAW
upvoted 1 times

Question #287 Topic 1

An administrator is troubleshooting an issue with an accounts payable application.

Which log setting could be temporarily configured to improve visibility?

A. Log at Session Start and Log at Session End both enabled

B. Log at Session Start and Log at Session End both disabled

C. Log at Session Start enabled, Log at Session End disabled

D. Log at Session Start disabled, Log at Session End enabled

Correct Answer: A

  SillyGoose123 4 months, 1 week ago


I don't quite understand how the payable application aspect ties into this answer. Why does a payable application need a special procedure?
upvoted 1 times

  LetsDiscuss23 4 months, 1 week ago


Maybe the application is being denied by an interzone default rule/intrazone; it would not show in the logs, as it's defaulted to no logging, unless you
enable the log at session end/start
upvoted 2 times


Question #288 Topic 1

By default, which action is assigned to the interzone-default rule?

A. Allow

B. Deny

C. Reset-client

D. Reset-server

Correct Answer: B

  Kalender 2 months, 1 week ago


Selected Answer: B
B is correct.
intrazone-->Allow
interzone-->Deny
upvoted 1 times

Question #289 Topic 1

What is the maximum volume of concurrent administrative account sessions?

A. 2

B. Unlimited

C. 10

D. 1

Correct Answer: B

  Enc0d3d 1 month, 3 weeks ago


B- https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-a-firewall-administrator-account
upvoted 1 times

  baccalacca 4 months, 1 week ago


Modify the number of supported administrator accounts.
Configure the total number of supported concurrent administrative accounts sessions for a firewall in the normal operational mode or in FIPS-CC
mode. You can allow up to four concurrent administrative account sessions or configure the firewall to support an unlimited number of concurrent
administrative account sessions.
Select Device > Setup > Management and edit the Authentication Settings.
Edit the Max Session Count to specify the number of supported concurrent sessions (range is 0 to 4) allowed for all administrator and user
accounts.
Enter 0 to configure the firewall to support an unlimited number of administrative accounts.
Edit the Max Session Time in minutes for an administrative account. Default is 720 minutes.
Click OK.
Commit.
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: B
There is currently no limit for admins to login concurrently.
upvoted 1 times


Question #290 Topic 1

An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

A. Rules without App Controls

B. New App Viewer

C. Rule Usage – Unused

D. Unused Apps

Correct Answer: B

  stxc 2 months, 1 week ago


Answer is: D ( unused Apps)
just checked the firewall.
look at the top where it says "App Usage"
go to --> Policies> Policy Optimizer > Unused Apps
upvoted 2 times

  stxc 2 months, 1 week ago


I just checked one more time on the firewall and both answers are correct:
Unused Apps and Without App Control.

Both screens are similar and I could not see any difference in the format. However, the results outcome is different of course.
so I am not quite sure which one should be correct in this case.
upvoted 1 times

  nolox 3 months, 1 week ago


Selected Answer: A
Just checked on FW.

There is column Application in New App viewer (3rd, between columns Service and Traffic), which is not present on this pic.

This is the only difference between New App V and Rules Wout App Cntrl.
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


I vote for B, new app viewer!
upvoted 1 times

  baccalacca 4 months, 1 week ago


Answer = B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/cloud-based-app-id-service/new-app-viewer-policy-optimizer
upvoted 2 times

  DlaEdu_Ex 5 months ago


Selected Answer: A


A is correct - Rules without Apps Control (or No App Specified in the previous PAN-OS version)
upvoted 1 times
  OhEmGee 5 months, 2 weeks ago
Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/security-policy-rule-optimization/migrate-port-based-to-app-id-based-security-policy-rules
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


A little more on why it is Rules without Apps Control and not New App Viewer:
Although both are true for this specific screenshot however the difference is that in New App Viewer, we get to see the rules which are
configured with applications like web-browsing and such rules are not visible in Rules Without Apps Control. Thus, in New App Viewer, at times
we get to see numbers under 'Apps Allowed' whereas on the other hand this column contains 'Any'. Moreover, the New Apps Allowed
functionality requires PA Application Cloud Engine (ACE) SaaS subscription to get the App info from cloud DB. The Rules Without Apps Control
is on-the-box functionality. Here's the definition from firewall's help page;
New App Viewer—New cloud applications downloaded from the Application Control Engine if the firewall has a SaaS Security subscription.
Rules Without App Controls—Rules that have the application set to any, so you can identify port-based rules to convert to application-based
rules.
upvoted 4 times

  drogadotcom 3 months, 2 weeks ago


I think you are right since by default the column "Application" is displayed in "New App Viewer", here in the screenshot it is not present
(verified in PanOS 11 lab). That is why also the correct answer is "Rules without Apps Control" -> A
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


Cont....
Since the question is asked in simple way without details like conversion of applications (e.g. web-browsing to specific cloud based app), we
can safely assume that it is not about New App Viewer.

PS: You can read about Rules Without Apps Control from the link in the original post and for New App Viewer, go to
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/cloud-based-app-id-service/new-app-viewer-policy-optimizer.
upvoted 2 times

  mecacig953 5 months, 3 weeks ago


Selected Answer: A
This is rules without app control
upvoted 2 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: B
Answer : B
upvoted 2 times

Question #291 Topic 1

Where within the firewall GUI can all existing tags be viewed?

A. Policies > Tags

B. Network > Tags

C. Objects > Tags

D. Monitor > Tags

Correct Answer: C

  Kalender 2 months, 2 weeks ago


Selected Answer: C
C is correct
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-tags
upvoted 1 times


Question #292 Topic 1

What is the Anti-Spyware Security profile default action?

A. Sinkhole

B. Reset-client

C. Drop

D. Reset-both

Correct Answer: C

  Sanjug2022 3 weeks, 5 days ago


Answer is D
upvoted 1 times

  khaled_ellaboudy 5 months ago


Selected Answer: D
When a threat event is detected, you can configure the following actions in an Anti-Spyware profile:
Default—For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally.
Typically the default action is an alert or a reset-both. The default action is displayed in parenthesis, for example default (alert) in the threat or
Antivirus signature.
upvoted 2 times

  83KG 5 months, 3 weeks ago


Selected Answer: D
https://docs.paloaltonetworks.com/network-security/security-policy/security-profiles/security-profile-anti-spyware
upvoted 3 times

  mecacig953 5 months, 3 weeks ago


Selected Answer: D
Reset both or alert
upvoted 1 times

Question #293 Topic 1

To enable DNS sinkholing, which two addresses should be reserved? (Choose two.)

A. MAC

B. IPv6

C. Email

D. IPv4

Correct Answer: BD

  OhEmGee 5 months, 2 weeks ago


Correct answer IPv4 and IPv6:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0
upvoted 2 times


Question #294 Topic 1

A NetSec manager was asked to create a new firewall administrator profile with customized privileges. The new firewall administrator must be
able to download TSF File and Starts Dump File but must not be able to reboot the device.

Where does the NetSec manager go to configure the new firewall administrator role profile?

A. Device > Admin Roles > Add > XML API > Configuration

B. Device > Admin Roles > Add > XML API > Operational Request

C. Device > Admin Roles > Add > Web UI > Support

D. Device > Admin Roles > Add > Web UI > Operations

Correct Answer: D

  kenyabolada 1 week, 3 days ago


Selected Answer: C
Support -> TSF file
Operations -> Reboot device
upvoted 1 times

  Grace_Shu 1 month, 2 weeks ago


Checked again, answer is D.
upvoted 1 times

  Grace_Shu 1 month, 2 weeks ago


question said: must not be able to reboot the device.
Answer is C
upvoted 2 times

  OhEmGee 5 months, 2 weeks ago


Correct ans as verified in the PAN OS 10.2 configuration.
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


Following are the options under Device -> Admin Roles -> Add -> Web UI -> Operations:
1. Reboot
2. Generate Tech Support File
3. Generate Status Dump File
4. Download Core Files
5. Download PCAP Files
upvoted 4 times


Question #295 Topic 1

What must exist in order for the firewall to route traffic between Layer 3 interfaces?

A. Virtual router

B. Virtual wires

C. Traffic Distribution profile

D. VLANs

Correct Answer: D

  davidnl1987 3 weeks, 3 days ago


Selected Answer: A
Virtual Router - Manage the routes on Layer3
upvoted 1 times

  SessoConPupoPazzo 2 months, 3 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/configure-interfaces/layer-3-interfaces
upvoted 1 times

  jose010696 3 months ago


A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/configure-interfaces/layer-3-interfaces
upvoted 1 times

  baccalacca 4 months, 1 week ago


A
In a Layer 3 deployment, the firewall routes traffic between multiple ports. Before you can Configure Layer 3 Interfaces, you must configure the
virtual router that you want the firewall to use to route the traffic for each Layer 3 interface.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/configure-interfaces/layer-3-interfaces
upvoted 2 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Answer : A
A virtual router is a function of the firewall that participates in Layer 3 routing.
upvoted 3 times

  luismanzanero 5 months, 3 weeks ago


Selected Answer: A
A - Virtual router
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/layer-3-interfaces
upvoted 2 times


Question #296 Topic 1

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

A. Panorama > Device Deployment > Dynamic Updates > Schedules > Add

B. Panorama > Device Deployment > Content Updates > Schedules > Add

C. Panorama > Dynamic Updates > Device Deployment > Schedules > Add

D. Panorama > Content Updates > Device Deployment > Schedules > Add

Correct Answer: B

  baccalacca 4 months, 1 week ago


https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/schedule-dynamic-content-updates
upvoted 1 times

  khaled_ellaboudy 5 months ago


Selected Answer: A
Perform the following steps for each update type you want to schedule.
Select Panorama > Device Deployment > Dynamic Updates, click Schedules, and Add a schedule.
upvoted 1 times

  luismanzanero 5 months, 3 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama
upvoted 3 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: A
Answer : A
upvoted 1 times

Question #297 Topic 1

In which threat profile object would you configure the DNS Security service?

A. Antivirus

B. Anti-Spyware

C. WildFire

D. URL Filtering

Correct Answer: C

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: B
Answer B. Anti-Spyware
upvoted 2 times

  luismanzanero 5 months, 3 weeks ago


Selected Answer: B
Anti-Spyware
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/enable-dns-security#:~:text=To%20enable%20DNS%20Security%2C%20you,to%20a%20security%20policy%20rule.
upvoted 4 times


Question #298 Topic 1

Which rule type is appropriate for matching traffic occurring within a specified zone?

A. Universal

B. Shadowed

C. Intrazone

D. Interzone

Correct Answer: C

  Kalender 2 months, 1 week ago


Selected Answer: C
C is Correct
upvoted 1 times


Question #299 Topic 1

Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)

A. Pre-NAT address

B. Post-NAT address

C. Pre-NAT zone

D. Post-NAT zone

Correct Answer: AB

  Viga1991 Highly Voted  4 months, 1 week ago


A& D https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf Question 11
upvoted 5 times

  NorthIdaho Most Recent  2 weeks, 6 days ago


I know that we have had "Pre-NAT IP, Post-NAT zone" drummed into our heads. But...the question is asking, which two "MATCHING CRITERIA" are
used when creating a Security policy involving NAT.

Go into the WebUI and look for yourself! Only zones are required. NOT addresses!

Remember, these exams are as much "reading comprehension" as they are technical knowledge...it's C and D!
upvoted 2 times

  Sanjug2022 4 weeks, 1 day ago


A and D
upvoted 1 times

  cert111 2 months ago


Selected Answer: CD
This article reads, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum." So I'm thinking it would be Pre-
NAT zone and post-NAT zone, wouldn't it?
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
upvoted 3 times

  monterrosa 4 months, 1 week ago


Selected Answer: AD
Question taken from the Palo Alto guide, and they mark Pre-NAT IP, post-NAT zone as the answer
Q13. Which phrase is a simple way to remember how to configure Security policy rules where NAT
was implemented?
a. Post-NAT IP, pre-NAT zone
b. Post-NAT IP, post-NAT zone
c. Pre-NAT IP, post-NAT zone
d. Pre-NAT IP, pre-NAT zone
upvoted 2 times

  baccalacca 4 months, 1 week ago


A and D
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if
the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any
security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon
egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
upvoted 2 times

  fb48 5 months ago


AB
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum.
In addition to zones, you can configure matching criteria based on the packet’s destination interface, source and destination address, and
service.
upvoted 1 times

  khaled_ellaboudy 5 months ago


A&D
Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies
apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not.
Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and
zone, security policies are enforced on the post-NAT zone.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 2 times
  mecacig953 5 months, 3 weeks ago
Selected Answer: AD
Pre-NAT IP ;Post-NAT Zone
upvoted 4 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: AB
Answer : A & B (Security Policy)
upvoted 1 times

  OhEmGee 5 months, 2 weeks ago


Destination zone in Sec Pol is post-NAT (actual zone where packet is supposed to land).
upvoted 1 times

Question #300 Topic 1

If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?

A. Some traffic between A & B

B. Some traffic within A

C. All traffic within zones A & B

D. Some traffic within B

Correct Answer: C

  khaled_ellaboudy 5 months ago


Should be all traffic within zone A and zone B and between them !!!!!
upvoted 2 times

  OhEmGee 5 months, 2 weeks ago


Actually none of the options is correct. With this type of config, the right answer is that traffic within and between the zones is policed.
upvoted 3 times


Question #301 Topic 1

Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

A. Tap

B. Virtual Wire

C. Layer 2

D. Layer 3

Correct Answer: B

  baccalacca 4 months, 1 week ago


answer = b
A virtual wire logically binds two Ethernet interfaces together, allowing for all traffic to pass between the interfaces, or just traffic with selected
VLAN tags (no other switching or routing services are available). You can create virtual wire subinterfaces to classify traffic according to an IP
address, IP range, or subnet. A virtual wire requires no changes to adjacent network devices. A virtual wire can bind two Ethernet interfaces of the
same medium (both copper or both fiber optic), or bind a copper interface to a fiber optic interface.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-interfaces/virtual-wire-interface
upvoted 1 times


Question #302 Topic 1

What is a valid Security Zone type in PAN-OS?

A. Management

B. Logical

C. Transparent

D. Tap

Correct Answer: A

  Sanjug2022 3 weeks, 5 days ago


Correct TAP (D)
upvoted 1 times

  DlaEdu_Ex 4 months, 4 weeks ago


Selected Answer: D
D is correct
Types are Tap, Virtual Wire, Layer2, Layer3, External, or Tunnel
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-zones/building-blocks-of-security-zones
upvoted 1 times

  [Removed] 4 months, 4 weeks ago


Correct Answer:Tap
upvoted 1 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: D
TAP is the only valid answer
upvoted 2 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: D
Answer : D
upvoted 2 times

  J2J2J2J 5 months, 3 weeks ago


Below are the Zone Types
Tap
Virtual Wire
Layer 2
Layer 3
Tunnel
External
upvoted 4 times


Question #303 Topic 1

An administrator is creating a Security policy rule and sees that the destination zone is grayed out.

While creating the rule, which option was selected to cause this?

A. Interzone

B. Source zone

C. Universal (default)

D. Intrazone

Correct Answer: A

  Dosbabyy 4 months, 2 weeks ago


Selected Answer: D
D is the correct answer
upvoted 1 times

  fb48 5 months ago


D - inTRAzone.
Meaning within the zone.
upvoted 1 times

  khaled_ellaboudy 5 months, 1 week ago


Selected Answer: D
In Intrazone security rules, no destination zone can be specified
upvoted 2 times

  OhEmGee 5 months, 2 weeks ago


Intrazone doesn't allow one to set destination zone.
upvoted 1 times

  J2J2J2J 5 months, 3 weeks ago


Selected Answer: D
Answer : D
upvoted 2 times


Question #304 Topic 1

How many levels can there be in a device-group hierarchy, below the shared level?

A. 2

B. 3

C. 4

D. 5

Correct Answer: D

DatITGuyTho1337 3 months, 3 weeks ago


I picked the wrong answer (D), but the correct answer to this question is C. The question asks how many levels there are BELOW the "Shared" level,
so 4 levels is correct. Technically there can be a total of 5 levels.
upvoted 2 times

khaled_ellaboudy 5 months, 1 week ago


Selected Answer: C
Total of 5 levels including the shared one
upvoted 3 times

OhEmGee 5 months, 2 weeks ago


Selected Answer: C
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
upvoted 1 times

J2J2J2J 5 months, 3 weeks ago


Selected Answer: C
Answer : C
You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four levels, with lower-level groups inheriting the
settings (policy rules and objects) of higher-level groups.

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
upvoted 2 times


Question #305 Topic 1

Where in Panorama would Zone Protection profiles be configured?

A. Templates

B. Device Groups

C. Shared

D. Panorama tab

Correct Answer: D

baccalacca 4 months, 1 week ago


Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
Select the Network tab and, in the Template drop-down, select T_DataCenter.
Select Network Profiles > Zone Protection and click Add.
upvoted 2 times

OhEmGee 5 months, 2 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/use-templates-to-administer-a-base-configuration
upvoted 3 times

83KG 5 months, 3 weeks ago


Selected Answer: A
Answer is A

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC
upvoted 2 times

Question #306 Topic 1

Which parameter is used to view the Security policy rulebase as groups?

A. Tags

B. Service

C. Type

D. Action

Correct Answer: A

baccalacca 4 months, 1 week ago


Answer = A (tags)
You must create a tag before you can group rules using that tag. After you assign grouped rules by a tag, View Rulebase as Groups to see a visual
representation of your policy rulebase based on the assigned tags. While viewing your rulebase as groups, the policy order and priority is
maintained. In this view, select the group tag to view all rules grouped by that tag.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-tags
upvoted 3 times


Question #307 Topic 1

When a security rule is configured as Intrazone, which field cannot be changed?

A. Destination Zone

B. Actions

C. Source Zone

D. Application

Correct Answer: A

baccalacca 4 months, 1 week ago


answer = destination zone
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 1 times

Question #308 Topic 1

An administrator is trying to understand which NAT policy is being matched.

In what order does the firewall evaluate NAT policies?

A. Dynamic IP and Port first, then Static, and finally Dynamic IP

B. From top to bottom

C. Static NAT rules first, then top down

D. Static NAT rules first, then Dynamic

Correct Answer: B

baccalacca 4 months, 1 week ago


answer = b
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching
criteria based on the packet’s destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall
evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional
NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific
rule you created for them.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
upvoted 1 times


Question #309 Topic 1

Which policy set should be used to ensure that a policy is applied just before the default security rules?

A. Shared post-rulebase

B. Local firewall policy

C. Parent device-group post-rulebase

D. Child device-group post-rulebase

Correct Answer: D

rehor Highly Voted 4 months, 2 weeks ago


Selected Answer: A
Order:
Shared pre-rules
Device group pre-rules
Local firewall rules
Device group post-rules
Shared post-rules
Intrazone-default
Interzone-default
upvoted 5 times

Joel34110 Most Recent 4 months, 3 weeks ago


Selected Answer: A
I'm not sure but according to this link it would be answer A
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies
upvoted 1 times


Question #310 Topic 1

Which rule type is appropriate for matching traffic occurring within a specified zone?

How should the administrator configure the firewall to restrict users to specific email applications?

A. Create an application filter and filter it on the collaboration category.

B. Create an application filter and filter it on the collaboration category, email subcategory.

C. Create an application group and add the email applications to it.

D. Create an application group and add the email category to it.

Correct Answer: B

supportqinet 1 month, 2 weeks ago


Selected Answer: C
Answer C
upvoted 2 times

LetsDiscuss23 4 months, 1 week ago


Selected Answer: C
Answer C-- Asking for Specific applications
upvoted 3 times

fb48 4 months, 4 weeks ago


Answer C
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling
access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of
your rulebases. Instead of having to update individual policy rules when there is a change in the applications you support, you can update only the
affected application groups
upvoted 4 times


Question #311 Topic 1

Review the screenshot below. Based on the information it contains, which protocol decoder will detect a machine-learning match, create a Threat
log entry, and permit the traffic?

A. smb

B. imap

C. ftp

D. http2

Correct Answer: D

modems 2 weeks, 2 days ago


Why not HTTP? Not too sure how IMAP can be used for machine learning.
Action Alert: generates an alert for each application traffic flow. The alert is saved in the threat log.
upvoted 1 times

MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: B
Is the correct answer
upvoted 1 times

DlaEdu_Ex 4 months, 3 weeks ago


Selected Answer: B
B is the correct answer.
According to the screenshot, only imap, pop3 and smtp have a default (alert) action, which generates an alert for each application traffic flow. The
alert is saved in the threat log.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 3 times

fb48 5 months ago


Answer B.
HTTP/2 has allow which does not create a log-entry
upvoted 4 times


Question #312 Topic 1

An interface can belong to how many Security Zones?

A. 1

B. 2

C. 3

D. 4

Correct Answer: A


Question #313 Topic 1

What are the two types of Administrator accounts? (Choose two.)

A. Role Based

B. Superuser

C. Dynamic

D. Local

Correct Answer: AD

baccalacca 4 months, 1 week ago


AC
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-a-firewall-administrator-account
upvoted 1 times

SillyGoose123 4 months, 1 week ago


Selected Answer: AC
AC is correct
upvoted 1 times

DlaEdu_Ex 4 months, 3 weeks ago


Selected Answer: AC
AC
The Administrator Types are:
- Role Based
- Dynamic
upvoted 1 times

JakaP 4 months, 4 weeks ago


Selected Answer: AC
Answer AC
device>administrators>add
Administrator type: Dynamic - Role Based.
upvoted 1 times

nolox 5 months ago


Selected Answer: AC
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types
upvoted 2 times

fb48 5 months ago


Answer AC
device>administrators>add
Administrator type: Dynamic - Role Based.
upvoted 2 times


Question #314 Topic 1

The Net Sec Manager asked to create a new Firewall Operator profile with customized privileges.
In particular, the new firewall operator should be able to:

Check the configuration with read-only privilege for LDAP, RADIUS, TACACS+, and SAML as Server profiles to be used inside an Authentication
profile.

The firewall operator should not be able to access anything else.

What is the right path in order to configure the new firewall Administrator Profile?

A. Device > Admin Roles > Add > Web UI > Device > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else

B. Device > Admin Roles > Add > Web UI > Objects > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else

C. Device > Admin Roles > Add > Web UI > Objects > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else

D. Device > Admin Roles > Add > Web UI > Device > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else

Correct Answer: D

fb48 Highly Voted 5 months ago


answer: A
B and C do not exist. D is a different function
upvoted 9 times

DlaEdu_Ex Most Recent 3 weeks, 3 days ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/reference-web-interface-administrator-access/web-interface-access-privileges/provide-granular-access-to-the-device-tab#id5c184695-1fc8-47b5-914c-da6ed75f5351
upvoted 1 times

Sanjug2022 3 weeks, 4 days ago


Correct Answer A
upvoted 1 times

Ermbmx2 2 months, 2 weeks ago


Selected Answer: A
A is correct
upvoted 1 times

Victorjenitha 4 months ago


A is correct
upvoted 3 times


Question #315 Topic 1

Within the WildFire Analysis profile, which three items are configurable? (Choose three.)

A. FileType

B. Direction

C. Service

D. Application

E. Objects

Correct Answer: ACE

baccalacca 4 months, 1 week ago


abd
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-security-profiles-wildfire-analysis
upvoted 2 times

DlaEdu_Ex 4 months, 3 weeks ago


Selected Answer: ABD
Use a WildFire Analysis profile to specify for WildFire file analysis to be performed locally on the WildFire appliance or in the WildFire cloud. You
can specify traffic to be forwarded to the public cloud or private cloud based on file type, application, or the transmission direction of the file
(upload or download). After creating a WildFire analysis profile, adding the profile to a policy (Policies > Security) further allows you to apply the profile
settings to any traffic matched to that policy (for example, a URL category defined in the policy).
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/objects/objects-security-profiles-wildfire-analysis
upvoted 2 times

JakaP 4 months, 4 weeks ago


Selected Answer: ABD
Correct Answer is file type, direction and application
upvoted 1 times

nolox 5 months ago


Selected Answer: ABD
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-wildfire-analysis
upvoted 2 times

fb48 5 months ago


ABD

Objects > Security Profiles > Wildfire Analysis


You have 4 options:
Applications
File Types
Direction
Analysis
upvoted 4 times

[Removed] 5 months ago


Correct Answer is file type, direction and application
upvoted 1 times


Question #316 Topic 1

Which Security profile can be used to configure sinkhole IPs in the DNS Sinkhole settings?

A. Vulnerability Protection

B. Anti-Spyware

C. Antivirus

D. URL Filtering

Correct Answer: B

DlaEdu_Ex 4 months, 3 weeks ago


Selected Answer: B
B is correct
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0
upvoted 2 times


Question #317 Topic 1

Which three management interface settings must be configured for functional dynamic updates and administrative access on a Palo Alto
Networks firewall? (Choose three.)

A. NTP

B. IP address

C. MTU

D. DNS server

E. service routes

Correct Answer: ABD

hugodiaz Highly Voted 4 months, 2 weeks ago


Selected Answer: ABD
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
upvoted 5 times

JakaP Highly Voted 4 months, 4 weeks ago


Selected Answer: BDE
It is : B,D,E
upvoted 5 times

hugodiaz 4 months, 2 weeks ago


The management interface does not require a service route. This is only if you are doing management through the data plane.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
upvoted 6 times

cert111 2 months, 1 week ago


Correct that they don't REQUIRE service routes, but service routes are needed for updates...NTP isn't.
upvoted 1 times

DlaEdu_Ex Most Recent 3 weeks, 3 days ago


Selected Answer: BDE
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the
internet, typically via the MGT port. If you do not want to enable external access via the MGT port, you can set up an in-band data port on the data
plane to provide access to the required external services by using the service routes.
upvoted 1 times

Enc0d3d 1 month, 3 weeks ago


We all agree on IP and DNS, because it's here:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration
Having a MGT interface doesn't mean you have internet connectivity because the MGT interface could simply be connected to PC for managing.
You will need to setup a service route to hardcode the path to the net.
upvoted 1 times

Enc0d3d 1 month, 3 weeks ago


BDE - is my answer. NTP is not required here.
upvoted 1 times

stxc 2 months, 1 week ago


Let us take a moment here. The question includes the word "must" and the question also says “management interface”,
i.e. the management interface can be “MGT”, which is the default, and it can also be a data port (if you decide to use it as a management interface). We
also know that NTP is optional (it is recommended), but it is not a must.
We also know that a service route is a must if you need to use a data port as the management interface.
Therefore, I would go with the answer:
IP Address (must)
DNS Server (must)
Service route (must if you use a data port as a management interface instead of using the default MGT).
Thanks!
upvoted 1 times

stxc 2 months, 1 week ago


I would go now with the answer ABD since the question mentions the word that says "Functional Update"
so stick with NTP, IP address and DNS server.
upvoted 1 times


baccalacca 4 months, 1 week ago


ABD
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK
upvoted 3 times

Question #318 Topic 1

How does the Policy Optimizer policy view differ from the Security policy view?

A. It provides sorting options that do not affect rule order

B. It specifies applications seen by rules

C. It displays rule utilization

D. It details associated zones

Correct Answer: C

hdrnzienlaoroljol 1 month, 2 weeks ago


Selected Answer: A
Policy Optimizer provides sorting options that don’t affect the rule order, so you can sort rules to prioritize which rules to convert or clean up first.
upvoted 1 times

DatITGuyTho1337 3 months, 3 weeks ago


I am shooting for the answer A!
upvoted 1 times

3osuwa 4 months, 2 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/security-policy-rule-optimization

Policy Optimizer provides sorting options that don’t affect the rule order, so you can sort rules to prioritize which rules to convert or clean up first.
upvoted 2 times

Joel34110 4 months, 3 weeks ago


Selected Answer: A
You can’t filter or sort rules in Policies > Security because that would change the order of the policy rules in the rulebase. Filtering and sorting
Policies > Security > Policy Optimizer > No App Specified, Policies > Security > Policy Optimizer > Unused Apps, and Policies > Security > Policy Optimizer > New App
Viewer (if you have a SaaS Inline Security subscription) does not change the order of the rules in the rulebase.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules
upvoted 2 times


Question #319 Topic 1

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the
rule type from its default value.

What type of Security policy rule is created?

A. Intrazone

B. Interzone

C. Universal

D. Tagged

Correct Answer: B

madt 2 months, 2 weeks ago


Selected Answer: C
C is correct
upvoted 1 times

Kalender 2 months, 2 weeks ago


Selected Answer: C
Universal Rule is "default"
upvoted 1 times

MarkGrootaarts 2 months, 4 weeks ago


Selected Answer: C
Correct
upvoted 1 times

DatITGuyTho1337 3 months, 3 weeks ago


Answer is C, others explained why below.
upvoted 1 times

baccalacca 4 months, 1 week ago


B
from one zone to another
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 1 times

DatITGuyTho1337 3 months, 3 weeks ago


Universal is the default rule TYPE when creating new rules.
upvoted 1 times

JakaP 4 months, 4 weeks ago


Selected Answer: C
Rule type: Universal (default)
upvoted 2 times

fb48 5 months ago


C
Policy > Security > Add
Rule type: Universal (default)
upvoted 3 times


Question #320 Topic 1

What do application filters help provide access to?

A. Applications that are explicitly sanctioned for use within a company

B. Applications that are not explicitly sanctioned and that a company wants users to be able to access

C. Applications that are explicitly unsanctioned for use within a company

D. Applications that are not explicitly unsanctioned and that a company wants users to be able to access

Correct Answer: B

baccalacca 4 months, 1 week ago


b
An application filter is an object that dynamically groups applications based on application attributes that you define, including category,
subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not
explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office
programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create
an application filter that matches on the Category business-systems and the Subcategory office-programs. As new applications office programs
emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any
additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.
upvoted 3 times

fb48 4 months, 4 weeks ago


B is correct
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter
This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to
access.
upvoted 2 times


Question #321 Topic 1

What is the function of an application group object?

A. It contains applications that you want to treat similarly in policy

B. It groups applications dynamically based on application attributes that you define

C. It represents specific ports and protocols for an application

D. It identifies the purpose of a rule or configuration object and helps you better organize your rulebase

Correct Answer: D

fb48 Highly Voted 5 months ago


Answer A
An application group is an object that contains applications that you want to treat similarly in policies.
ref: https://docs.paloaltonetworks.com/network-security/security-policy/objects/application-groups
upvoted 6 times

hdrnzienlaoroljol Most Recent 1 month, 1 week ago


Selected Answer: A
It contains applications that you want to treat similarly in policy
upvoted 1 times

hdrnzienlaoroljol 1 month, 2 weeks ago


Selected Answer: A
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling
access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of
your rulebases. Instead of having to update individual policy rules when there is a change in the applications you support, you can update only the
affected application groups.
upvoted 1 times

baccalacca 4 months, 1 week ago


A
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling
access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of
your rulebases. Instead of having to update individual policy rules when there is a change in the applications you support, you can update only the
affected application groups.
upvoted 2 times

JakaP 4 months, 4 weeks ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
upvoted 3 times


Question #322 Topic 1

How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to destination ports tcp/22 and tcp/4422?

A. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin then creates a Security policy allowing application "ssh" and service "tcp-4422".

B. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "application-default".

C. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin also creates a custom service object named "tcp-22" with port tcp/22.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "tcp-22".

D. The admin creates a Security policy allowing application "ssh" and service "application-default".

Correct Answer: C

Wisley Highly Voted 4 months, 2 weeks ago


Selected Answer: C
Because if you select application default, you will not add other service.
upvoted 11 times

Joel34110 Most Recent 4 months, 3 weeks ago


Selected Answer: B
Answer B ssh port 22 = application default
upvoted 1 times

LetsDiscuss23 4 months, 1 week ago


If you are specifying the service (ports) then all previous actions will need to match. In your case, if you choose B, only SSH over port 4422 would
be allowed; you cannot add application-default to the service when ports are specified
upvoted 4 times

Question #323 Topic 1

Which type of DNS signatures are used by the firewall to identify malicious and command-and-control domains?

A. DNS Malicious signatures

B. DNS Security signatures

C. DNS Malware signatures

D. DNS Block signatures

Correct Answer: B

nolox 4 months, 1 week ago


Selected Answer: B
Correct
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/enable-dns-security#tabs-id066476b2-c4dd-4fc0-b7e4-f4ba32e19f60
upvoted 1 times

baccalacca 4 months, 1 week ago


answer B
https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security/cloud-delivered-dns-signatures
upvoted 1 times


Question #324 Topic 1

Which Security policy action will message a user's browser that their web session has been terminated?

A. Reset client

B. Deny

C. Drop

D. Reset server

Correct Answer: D

kico55 2 weeks, 1 day ago


Selected Answer: A
Answer A:
Sending a reset only to the client would ensure, for example, internal hosts receive a notification the session was reset and the browser is not left
spinning or the application can close the established session while the remote server is left unaware.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClltCAC
upvoted 2 times

NorthIdaho 2 weeks, 5 days ago


Sending a reset only to the client would ensure, for example, internal hosts receive a notification the session was reset and the browser is not left
spinning or the application can close the established session while the remote server is left unaware.
upvoted 1 times

hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: A
The Drop action is mostly used as a stealthy way of discarding traffic. The firewall will simply throw away any packets associated with an unwanted
connection, not letting the client or server know the packets are being discarded.
upvoted 2 times

SessoConPupoPazzo 2 months, 2 weeks ago


Selected Answer: A
otherwise right on the money with Community answers.
upvoted 2 times

cert111 2 months, 2 weeks ago


Selected Answer: A
It's A.... "The Drop action is mostly used as a stealthy way of discarding traffic. The firewall will simply throw away any packets associated with an
unwanted connection, not letting the client or server know the packets are being discarded."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClltCAC
upvoted 1 times

hibozel 3 months, 1 week ago


Selected Answer: A
B cannot be correct. If the default deny action is drop, then no response will be sent to the client's browser, it is just silently dropped.
When this action is selected in a security policy rule, the firewall will send a TCP RST (reset) packet to the client's browser, which will terminate the
web session and display an error message in the user's browser indicating that the session has been reset or terminated.

The Reset Client action is useful in situations where a web session needs to be terminated immediately, such as when a user is accessing a
malicious or unauthorized website or when there is a violation of a security policy rule.
upvoted 3 times

SillyGoose123 4 months ago


Selected Answer: B
B is correct
upvoted 1 times

baccalacca 4 months, 1 week ago


A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/security-policy/security-policy-actions
upvoted 1 times

SillyGoose123 4 months, 1 week ago


Selected Answer: B
Deny action sends a type 3 ICMP packet, notifying the client of the terminated connection
upvoted 2 times

Mazalaza 5 months ago


Selected Answer: B
B is correct
upvoted 3 times

fb48 5 months ago


Agree with B
upvoted 1 times

Question #325 Topic 1

In order to protect users against exploit kits that exploit a vulnerability and then automatically download malicious payloads, which Security profile
should be configured?

A. Anti-Spyware

B. WildFire

C. Vulnerability Protection

D. Antivirus

Correct Answer: C

hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/security-profiles
upvoted 1 times

baccalacca 4 months, 1 week ago


Answer C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/security-profiles
upvoted 1 times


Question #326 Topic 1

Which verdict may be assigned to a WildFire sample?

A. Phishing

B. Spyware

C. PUP

D. Malware

Correct Answer: D

Sanjug2022 3 weeks, 4 days ago


Answer is A,
Benign, Grayware, Phishing, Malicious (Not Malware)
upvoted 1 times

hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: A
Wildfire Verdicts can be : Benign, Grayware, Phishing or Malicious
upvoted 3 times

guuillauume 3 months, 1 week ago


Selected Answer: A
Answer A
Wildfire Verdicts can be : Benign, Grayware, Phishing or Malicious
upvoted 1 times

SillyGoose123 4 months ago


A & D seem to be correct:

The verdict element value can be one of the following:


0—benign
1—malware
2—grayware
4—phishing
upvoted 1 times

drogadotcom 3 months, 2 weeks ago


Benign
Grayware
Phishing
Malicious (not malware).
Answer should be A
upvoted 2 times

baccalacca 4 months, 1 week ago


answer = a
When WildFire analyzes a previously unknown sample in one of the Palo Alto Networks-hosted WildFire public clouds or a locally-hosted WildFire
private cloud, a verdict is produced to identify samples as malicious, unwanted (grayware is considered obtrusive but not malicious), phishing, or
benign
upvoted 1 times

  Joel34110 4 months, 1 week ago


Selected Answer: A
https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
upvoted 1 times

  drogadotcom 3 months, 2 weeks ago


More updated link: https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
upvoted 2 times

Question #327 Topic 1

To protect against illegal code execution, which Security profile should be applied?

A. Antivirus profile on allowed traffic

B. Antivirus profile on denied traffic

C. Vulnerability Protection profile on allowed traffic

D. Vulnerability Protection profile on denied traffic

Correct Answer: D

  LetsDiscuss23 Highly Voted  4 months, 1 week ago


Selected Answer: C
Answer is C, you do not create security profiles on Denied Rules. Having security profiles on denied rules will just eat up CPU. It is not needed and
there are no benefits
upvoted 6 times

  Sanjug2022 Most Recent  3 weeks, 6 days ago


C is correct
upvoted 1 times

  SessoConPupoPazzo 2 months, 2 weeks ago


Selected Answer: C
Answer is C, you do not create security profiles on Denied Rules. Having security profiles on denied rules will just eat up CPU. It is not needed and
there are no benefits
upvoted 1 times

  SillyGoose123 4 months ago


C is correct
upvoted 1 times

Question #328 Topic 1

Which three types of entries can be excluded from an external dynamic list? (Choose three.)

A. IP addresses

B. Applications

C. User-ID

D. Domains

E. URLs

Correct Answer: ADE

  nolox 4 months, 1 week ago


Selected Answer: ADE
Correct
upvoted 2 times

  baccalacca 4 months, 1 week ago


ADE
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/view-external-dynamic-list-entries
upvoted 1 times

Question #329 Topic 1

The Administrator profile “PCNSA Admin” is configured with an Authentication profile “Authentication Sequence PCNSA”.
The Authentication Sequence PCNSA has a profile list with four Authentication profiles:

Auth Profile LDAP -

Auth Profile Radius -

Auth Profile Local -

Auth Profile TACACS -

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the “PCNSA Admin” username
and password.

Which option describes the “PCNSA Admin” login capabilities after the outage?

A. Auth OK because of the Auth Profile TACACS

B. Auth KO because RADIUS server lost user and password for PCNSA Admin

C. Auth OK because of the Auth Profile Local

D. Auth KO because LDAP server is not reachable

Correct Answer: D

  LetsDiscuss23 Highly Voted  4 months, 1 week ago


Selected Answer: C
Answer is C. First 2 options are unavailable because no username/pw info; next up it will check the local database on the firewall. Last option doesn't
matter because it is last in the authentication sequence.
upvoted 6 times

  kabotar 4 months, 1 week ago


agreed
upvoted 2 times

  Darude Most Recent  2 months, 4 weeks ago


Selected Answer: C
If you don't mind I'll add reference as well: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-an-authentication-profile-and-sequence :-)
upvoted 1 times

Question #330 Topic 1

By default, which action is assigned to the intrazone-default rule?

A. Reset-client

B. Reset-server

C. Deny

D. Allow

Correct Answer: D

Question #331 Topic 1

A Panorama administrator would like to create an address object for the DNS server located in the New York City office, but does not want this
object added to the other Panorama managed firewalls.

Which configuration action should the administrator take when creating the address object?

A. Tag the address object with the New York Office tag.

B. Ensure that Disable Override is cleared.

C. Ensure that the Shared option is checked.

D. Ensure that the Shared option is cleared.

Correct Answer: D

  LetsDiscuss23 4 months, 1 week ago


Selected Answer: D
Answer is D, for more specific information view https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
upvoted 2 times

Question #332 Topic 1

An administrator is troubleshooting an issue with traffic that matches the interzone-default rule, which is set to default configuration.

What should the administrator do?

A. Change the logging action on the rule

B. Tune your Traffic Log filter to include the dates

C. Refresh the Traffic Log

D. Review the System Log

Correct Answer: D

  baccalacca Highly Voted  4 months, 1 week ago


Answer = A
Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at the bottom of the rulebase and be
denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule
upvoted 5 times

  guuillauume Most Recent  3 months, 1 week ago


Selected Answer: A
answer A
upvoted 2 times

  LetsDiscuss23 4 months, 1 week ago


Selected Answer: A
Answer is A; by default logging is off. https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-5-enable-logging-for-traffic-that-doesnt-match-any-rules
upvoted 4 times

Question #333 Topic 1

What is the default action for the SYN Flood option within the DoS Protection profile?

A. Reset-client

B. Alert

C. Sinkhole

D. Random Early Drop

Correct Answer: D

  Kalender 2 months, 2 weeks ago


Selected Answer: D
Random Early Drop
—The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate
(above the Activate Rate) gets, the more packets the firewall drops. ..
(https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions)
upvoted 1 times

  baccalacca 4 months, 1 week ago


Answer correct = D
DoS Protection Profiles and Policy Rules work together to provide protection against flooding of many incoming SYN, UDP, ICMP, and ICMPv6
packets, and other types of IP packets. You determine what thresholds constitute flooding. In general, the DoS Protection profile sets the thresholds
at which the firewall generates a DoS alarm, takes action such as Random Early Drop, and drops additional incoming connections. A DoS Protection
policy rule configured to protect (rather than to allow or deny packets) determines the criteria for packets to match (such as source address) in
order to be counted toward the thresholds. This flexibility allows you to block certain traffic, or allow certain traffic and treat other traffic as DoS
traffic. When the incoming rate exceeds your maximum threshold, the firewall blocks incoming traffic from the source address.
upvoted 4 times

Question #334 Topic 1

Application groups enable access to what?

A. Applications that are explicitly unsanctioned for use within a company

B. Applications that are not explicitly unsanctioned and that an administrator wants users to be able to access

C. Applications that are explicitly sanctioned for use within a company

D. Applications that are not explicitly sanctioned and that an administrator wants users to be able to access

Correct Answer: C

  baccalacca Highly Voted  4 months, 1 week ago


answer = C
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling
access to applications that you explicitly sanction for use within your organization.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
upvoted 7 times

  davidnl1987 Most Recent  1 month ago


Selected Answer: C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
upvoted 1 times

  Kalender 2 months, 2 weeks ago


Selected Answer: C
explicitly....application group
implicitly...application filter
apps must be sanctioned at application groups
upvoted 1 times

  nolox 3 months ago


Selected Answer: C
correct
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


Answer is C, going with Baccalacca on this one.
upvoted 1 times

  itkare 4 months ago


Selected Answer: A
D was correct if it was Application Filter but this question is about Application Groups
Explicit Applications that company needs "Access" to is option A
upvoted 1 times

  LetsDiscuss23 4 months, 1 week ago


Selected Answer: D
Answer is D. You can't add sanctioned apps to app groups https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-applications/actions-supported-on-applications
upvoted 1 times

Question #335 Topic 1

Where does a user assign a tag group to a policy rule in the policy creation window?

A. General tab

B. Usage tab

C. Application tab

D. Actions tab

Correct Answer: B

  baccalacca Highly Voted  4 months, 1 week ago


A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-tags-to-group-and-visually-distinguish-objects/view-rules-by-tag-group

Step 3 shows that it's on the general tab


upvoted 6 times

  Sanjug2022 Most Recent  3 weeks, 4 days ago


A is the correct answer
upvoted 1 times

  guuillauume 3 months, 1 week ago


Selected Answer: A
A is the correct answer
upvoted 2 times

  PaloCert 4 months, 1 week ago


A is the correct answer
upvoted 3 times

  LetsDiscuss23 4 months, 1 week ago


Selected Answer: A
Answer is A General Tab- Confirmed by looking at security policy rule
upvoted 4 times

Question #336 Topic 1

What is used to monitor Security policy applications and usage?

A. Security profile

B. App-ID

C. Policy-based forwarding

D. Policy Optimizer

Correct Answer: D

  LetsDiscuss23 4 months, 1 week ago


Selected Answer: D
Answer is D-Confirmed here
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-security/applications-and-usage
upvoted 3 times

Question #337 Topic 1

What is considered best practice with regards to committing configuration changes?

A. Wait until all running and pending jobs are finished before committing.

B. Export configuration after each single configuration change performed.

C. Validate configuration changes prior to committing.

D. Disable the automatic commit feature that prioritizes content database installations before committing.

Correct Answer: C

  baccalacca 4 months, 1 week ago


Correct answer = C

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-cli-quick-start/use-the-cli/commit-configuration-changes
As a best practice, validate configuration changes prior to committing so that you can fix any errors that will cause a commit failure, thereby
ensuring that the commit will succeed. This is particularly useful in environments with a strict change window.
upvoted 3 times

Question #338 Topic 1

Which Security profile generates an alert based on a threshold when the action is set to Alert?

A. Vulnerability Protection

B. Antivirus

C. DoS protection

D. Anti-Spyware

Correct Answer: A

  guuillauume 3 months, 1 week ago


Selected Answer: C
answer c imo
upvoted 2 times

  baccalacca 4 months, 1 week ago


Answer= c
DoS Protection profiles set thresholds that protect against new session IP flood attacks and provide resource protection (maximum concurrent
session limits for specified endpoints and resources). DoS Protection profiles protect specific devices (classified profiles) and groups of devices
(aggregate profiles) against SYN, UDP, ICMP, ICMPv6, and Other IP flood attacks. Configuring Flood Protection thresholds in a DoS Protection
profile is similar to configuring Flood Protection in a Zone Protection profile, but Zone Protection profiles protect entire ingress zones, while DoS
protection profiles and policy rules are granular and targeted, and can even be classified to a single device (IP address). The firewall measures the
aggregate number of connections-per-second (CPS) to a group of devices (aggregate profile) or measures the CPS to individual devices (classified
profile).
upvoted 2 times

  Apache207 4 months, 1 week ago


Selected Answer: C
DOS Generates an alert when the attack vol. (CPS) reaches the Alarm threshold set in the profile. Study guide 92.
upvoted 2 times

  PaloCert 4 months, 1 week ago


C is the answer
upvoted 2 times

  LetsDiscuss23 4 months, 1 week ago


Selected Answer: C
Answer should be Data Filter profile, but that's not an option; the only other one it could be would be DOS protection profile as it has thresholds for
alarm rates.
upvoted 2 times

Question #339 Topic 1

Given the network diagram, which two statements are true about traffic between the User and Server networks? (Choose two.)

A. Traffic is permitted through the default Intrazone “allow” rule.

B. Traffic restrictions are not possible because the networks are in the same zone.

C. Traffic is permitted through the default Interzone “allow” rule.

D. Traffic restrictions are possible by modifying Intrazone rules.

Correct Answer: AD

  kikin140 1 month, 4 weeks ago


The answer is AD:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTHCA0&lang=es
upvoted 1 times

  nolox 4 months, 1 week ago


Selected Answer: AD
Correct
upvoted 3 times

Question #340 Topic 1

Which setting is available to edit when a tag is created on the local firewall?

A. Color

B. Location

C. Order

D. Priority

Correct Answer: D

  Sanjug2022 3 weeks, 4 days ago


Correct Answer A
upvoted 1 times

  Head_of_Chaos 4 months ago


Selected Answer: A
You can choose the color.
upvoted 3 times

  PaloCert 4 months, 1 week ago


A is the answer
upvoted 2 times

  LetsDiscuss23 4 months, 1 week ago


Selected Answer: A
Only answer is A, others don't make sense
upvoted 2 times

Question #341 Topic 1

With the PAN-OS 11.0 Nova release, which two attack options can new inline deep learning analysis engines detect and prevent? (Choose two.)

A. Command injection attacks

B. SSL attacks

C. SQL injection attacks

D. HTTP attacks

Correct Answer: C

  hdrnzienlaoroljol 1 month, 1 week ago


A and C
Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for
command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats.
(https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/vuln-protection-inline-cloud-analysis)
upvoted 2 times

  Kalender 2 months, 2 weeks ago


Selected Answer: A
A and C
Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for
command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats.
(https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/vuln-protection-inline-cloud-analysis)
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


I picked wrong (BC), but looking at the other comments, the answer should be A C.
upvoted 2 times

  monterrosa 4 months, 1 week ago


Selected Answer: A
A and C

Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for
command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats
upvoted 2 times

  baccalacca 4 months, 1 week ago


answer = C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/vuln-protection-inline-cloud-analysis

Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for
command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats. By operating cloud-based detection
engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to
download update packages or operate process intensive, firewall-based analyzers which can sap resources. Inline cloud analysis for your firewall
Vulnerability Protection profile supports two analysis engines: SQL injection and Command injection. Additional analysis models are delivered
through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no firewall update. Inline
cloud analysis is enabled and configured using the Vulnerability Protection profile and requires an active Advanced Threat Prevention license.
upvoted 2 times

Question #342 Topic 1

Which profile must be applied to the Security policy rule to block spyware on compromised hosts from trying to phone-home or beacon out to
external command-and-control (C2) servers?

A. Anti-spyware

B. File blocking

C. WildFire

D. URL filtering

Correct Answer: D

  hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: A
...Anti-Spyware profiles blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2)
servers, allowing you to detect malicious traffic leaving the network from infected clients...
(https://docs.paloaltonetworks.com/network-security/security-policy/security-profiles/security-profile-anti-spyware)
upvoted 1 times

  Kalender 2 months, 1 week ago


Selected Answer: A
...Anti-Spyware profiles blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2)
servers, allowing you to detect malicious traffic leaving the network from infected clients...
(https://docs.paloaltonetworks.com/network-security/security-policy/security-profiles/security-profile-anti-spyware)
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


Answer should be A!!!!
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


Mostly because the admin will not know what websites the compromised hosts will communicate with so using the URL filtering profile will not
be effective. The Anti Spyware sec profile however will sort you out fine, it's the chef's kiss in this situation!!!!
upvoted 2 times

Question #343 Topic 1

Which feature dynamically analyzes and detects malicious content by evaluating various web page details using a series of machine learning (ML)
models?

A. Antivirus Inline ML

B. URL Filtering Inline ML

C. Anti-Spyware Inline ML

D. WildFire Inline ML

Correct Answer: B

  Darude 2 months, 2 weeks ago


Selected Answer: B
reference:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/url-filtering-inline-ml
upvoted 1 times

  Kariamma 2 months, 2 weeks ago


Selected Answer: B
URL Filtering local inline categorization (previously known as inline ML) enables the firewall dataplane to apply machine learning on webpages to
alert users when phishing variants are detected while preventing malicious variants of JavaScript exploits from entering your network. Local inline
categorization dynamically analyzes and detects malicious content by evaluating various web page details using a series of ML models.
upvoted 1 times

  Kariamma 2 months, 2 weeks ago


Local inline categorization dynamically analyzes and detects malicious content by evaluating various web page details using a series of ML models.
upvoted 1 times

  DatITGuyTho1337 3 months, 3 weeks ago


I got it wrong (C), but the answer is B due to the URL Filtering profile using inline categorization to analyze web traffic. Aka: "
Enable local inline categorization—Enables real-time analysis of URL traffic using firewall-based, machine learning models, to detect and prevent
malicious phishing variants and JavaScript exploits from entering your network."

The AV and AS sec profiles also use machine learning but the AV sec profile uses the wildfire inline machine learning to search for powershell
scripts, malicious executables, etc while the AS machine learning searches for C2C traffic.
upvoted 1 times

Question #344 Topic 1

An administrator is troubleshooting an issue with Office365 and expects that this traffic traverses the firewall.

When reviewing Traffic Log entries, there are no logs matching traffic from the test workstation.

What might cause this issue?

A. Office365 traffic is logged in the System Log.

B. Office365 traffic is logged in the Authentication Log.

C. Traffic matches the interzone-default rule, which does not log traffic by default.

D. The firewall is blocking the traffic, and all blocked traffic is in the Threat Log.

Correct Answer: C

  DatITGuyTho1337 3 months, 3 weeks ago


I think it is C. The admin EXPECTS the traffic to go through the firewall but if the traffic matches the default INTERZONE rule it will be blocked and
no log will be generated, making initial troubleshooting trickier than it should be.
upvoted 1 times

Question #345 Topic 1

When creating an address object, which option is available to select from the Type drop-down menu?

A. IPv6 Address

B. IP Netmask

C. IPv4 Address

D. IP Address Class

Correct Answer: B

  kenyabolada 1 week, 2 days ago


Selected Answer: B
The four types of address objects are:
● IP Netmask
● IP Range
● IP Wildcard Mask
● FQDN
upvoted 1 times

  Darude 2 months, 1 week ago


Selected Answer: B
B correct, checked on our firewall
upvoted 2 times

Question #346 Topic 1

Ethernet 2/1 has an IP Address of 10.0 1 2 in Zone ‘trust’ (LAN).

If both interfaces are connected to the same virtual router, which IP address information will an administrator need to enter in the Destination field
to access the internet?

A. 0.0.0.0

B. 10.0.2.1/32

C. 10.0.1.254/32

D. 0.0.0.0/0

Correct Answer: A

  DlaEdu_Ex 3 weeks, 3 days ago


Selected Answer: D
0.0.0.0/0
upvoted 1 times

  Gilmarcio 2 months ago


D Correct!
upvoted 1 times

  Darude 2 months, 1 week ago


Selected Answer: D
D checked on our firewall
upvoted 4 times

Question #347 Topic 1

Where within the URL Filtering security profile must a user configure the action to prevent credential submissions?

A. URL Filtering > Categories

B. URL Filtering > URL Filtering Settings

C. URL Filtering > Inline Categorization

D. URL Filtering > HTTP Header Insertion

Correct Answer: B

  Darude Highly Voted  2 months, 1 week ago


Selected Answer: A
A checked on our firewall
upvoted 5 times

  Sanjug2022 Most Recent  3 weeks, 2 days ago


A is Correct
upvoted 1 times

  Enc0d3d 1 month, 3 weeks ago


Ans A: Step 5. https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/set-up-credential-phishing-prevention#idfd42ebad-d0fc-415a-aadc-e222fc2beb80
upvoted 1 times

Question #348 Topic 1

Which Security profile must be added to Security policies to enable DNS Signatures to be checked?

A. URL Filtering

B. Vulnerability Protection

C. Anti-Spyware

D. Antivirus

Correct Answer: C

  Enc0d3d 1 month, 3 weeks ago


C. Page 97 Study Guide
upvoted 1 times

  Kalender 2 months, 1 week ago


Selected Answer: C
Yes..correct..
"In addition, you can enable the DNS sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a
known malicious domain, causing the malicious domain name to resolve to an IP address that you define"
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/security-profiles
upvoted 1 times

Question #349 Topic 1

Which two Security profile actions can only be applied to DoS Protection profiles? (Choose two.)

A. Reset-server

B. Reset-both

C. SYN cookies

D. Random Early Drop

Correct Answer: CD

  Kalender 2 months, 1 week ago


Selected Answer: CD
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions
step 2, number 4
upvoted 2 times

  Darude 2 months, 1 week ago


Selected Answer: CD
C,D verified on our firewall
upvoted 2 times

Question #350 Topic 1

Where can you apply URL Filtering policy in a Security policy rule?

A. Within the applications selection

B. Within a destination address

C. Within a service type

D. Within the actions tab

Correct Answer: D

  Kalender 2 months, 1 week ago


Selected Answer: D
D is correct..checked on firewall
Security Policy Rule-> Actions
Profile Setting
Profile Type:Profiles
URL Filtering:none and default
upvoted 3 times

Question #351 Topic 1

Which interface types are assigned to IEEE 802.1Q VLANs?

A. Tunnel interfaces

B. Layer 2 subinterfaces

C. Layer 3 subinterfaces

D. Loopback interfaces

Correct Answer: C

  modems 2 weeks, 3 days ago


I think it is L3 subinterfaces. You can assign VLAN tag to VLAN interface. Subinterfaces in terms of Palo alto are only L3 subinterfaces.
upvoted 1 times

  Sanjug2022 3 weeks, 6 days ago


Answer is B
upvoted 1 times

  Sanjug2022 3 weeks, 2 days ago


According to "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-interfaces/layer-3-subinterface#id5604fdd4-bce9-430d-a111-52372ecc194b"
Correct Answer is C.
You can create a Layer 3 subinterface for a PPPoE client for IEEE 802.1Q VLAN
upvoted 3 times

  Enc0d3d 1 month, 3 weeks ago


B. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-vlans
upvoted 1 times

  scoobysnack209 2 months, 1 week ago


The answer is 'B'
upvoted 1 times

  Darude 2 months, 1 week ago


Selected Answer: B
B IEEE 802.1Q is a standard for VLAN tagging in Ethernet networks. In Cisco IOS, VLANs are typically assigned to Layer 2 subinterfaces, which are
logical interfaces that allow a physical interface to be divided into multiple virtual interfaces. Each Layer 2 subinterface can be assigned a unique
VLAN ID, allowing traffic to be separated and managed based on VLAN membership.
upvoted 4 times

Question #352 Topic 1

Which three factors can be used to create malware based on domain generation algorithms? (Choose three.)

A. Time of day

B. URL custom categories

C. Other unique values

D. Cryptographic keys

E. IP address

Correct Answer: ACD

  hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: C
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/domain-generation-algorithm-detection
upvoted 1 times

  Kalender 2 months, 1 week ago


Selected Answer: ACD
Correct..
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/domain-generation-algorithm-detection
upvoted 3 times

Question #353 Topic 1

Which action column is available to edit in the Action tab of an Antivirus security profile?

A. Virus

B. Signature

C. Spyware

D. Trojan

Correct Answer: A

  davidnl1987 1 month ago


Selected Answer: B
Only can edit Signature field
upvoted 1 times

  hdrnzienlaoroljol 1 month, 1 week ago


Selected Answer: B
I see under Antivirus Profile /Action Tab:
"Signature Action", "Wildfire Signature Action" and "Wildfire Inline ML Action".
upvoted 1 times

  Enc0d3d 1 month, 3 weeks ago


B- https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-security-profiles-antivirus
upvoted 2 times

  Kalender 2 months, 1 week ago


Selected Answer: B
I agree with stxc. See his statement.
upvoted 1 times

  stxc 2 months, 1 week ago


I see under Antivirus Profile /Action Tab:
"Signature Action", "Wildfire Signature Action" and "Wildfire Inline ML Action".
so I think the answer should be "Signature".
upvoted 2 times

Question #354 Topic 1

Given the detailed log information above, what was the result of the firewall traffic inspection?

A. It denied the category DNS phishing.

B. It denied the traffic because of unauthorized attempts.

C. It was blocked by the Anti-Virus Security profile action.

D. It was blocked by the Anti-Spyware Profile action.

Correct Answer: D

  Kalender 2 months, 1 week ago


Selected Answer: D
D seems to be correct.
upvoted 1 times

Question #355 Topic 1

When configuring a security policy, what is a best practice for User-ID?

A. Use only one method for mapping IP addresses to usernames.

B. Allow the User-ID agent in zones where agents are not monitoring services.

C. Limit User-ID to users registered in an Active Directory server.

D. Deny WMI traffic from the User-ID agent to any external zone.

Correct Answer: D

  perceptivity 1 week, 6 days ago


Selected Answer: D
Only enable User-ID on trusted zones.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0
upvoted 1 times

Question #356 Topic 1

What are three DNS policy actions? (Choose three.)

A. Block

B. Allow

C. Strict

D. Sinkhole

E. Alert

Correct Answer: AD

  Sanjug2022 3 weeks, 6 days ago


Answer is A,B,D
upvoted 2 times

  DlaEdu_Ex 1 month, 1 week ago


ABDE
Policy Action
Choose an action to take when DNS lookups are made to known malware sites. The options are alert, allow, block, or sinkhole. The default action
for Palo Alto Networks DNS signatures is sinkhole.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile
upvoted 2 times


Question #357 Topic 1

Which System log severity level would be displayed as a result of a user password change?

A. Low

B. Medium

C. High

D. Critical

Correct Answer: B

  Sanjug2022 3 weeks, 4 days ago


Answer is A
Low
Minor severity notifications, such as user password changes.
upvoted 1 times

  davidnl1987 1 month ago


Selected Answer: A
Is a Low Severity in system logs
upvoted 2 times

  DlaEdu_Ex 1 month, 1 week ago


Selected Answer: A
System logs display entries for each system event on the firewall.
1. Critical - Hardware failures, including high availability (HA) failover and link failures.
2. High - Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.
3. Medium - Mid-level notifications, such as antivirus package upgrades.
4. Low - Minor severity notifications, such as user password changes.
5. Informational - Log in/log off, administrator name or password change, any configuration change, and all other events not covered by the other
severity levels.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/system-logs#id8edbfdae-ed92-4d8e-ab76-6a38f96e8cb1
upvoted 2 times

Question #358 Topic 1

An administrator would like to block traffic to all high risk audio streaming applications, including new App-IDs introduced with content updates.

Which filter should the administrator configure in the application filter object?

A. The category is media, and the characteristic includes Evasive.

B. The subcategory is audio-streaming, and the risk is 1.

C. The subcategory is audio-streaming, and the risk is 5.

D. The category is media, and the tag is high risk.

Correct Answer: C

  DlaEdu_Ex 1 month, 1 week ago


Selected Answer: C
C is correct
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-applications/applications-overview
upvoted 2 times


Question #359 Topic 1

An administrator receives a notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common
application.

Which Security Profile will detect and block access to this threat after the administrator updates the firewall's threat signature database?

A. Vulnerability Profile applied to inbound Security policy rules

B. Antivirus Profile applied to outbound Security policy rules

C. Data Filtering Profile applied to outbound Security policy rules

D. Data Filtering Profile applied to inbound Security policy rules

Correct Answer: A

  DlaEdu_Ex 1 month, 1 week ago


Selected Answer: B
I would go with B, as it is malware.
upvoted 1 times

Question #360 Topic 1

The NetSec Manager asked to create a new firewall Local Administrator profile with customized privileges named New_Admin. This new
administrator has to authenticate without inserting any username or password to access the WebUI.

What steps should the administrator follow to create the New_Admin Administrator profile?

A. 1. Set the Authentication profile to Local.
   2. Select the "Use only client certificate authentication" check box.
   3. Set Role to Role Based.

B. 1. Select the "Use only client certificate authentication" check box.
   2. Set Role to Dynamic.
   3. Issue to the Client a Certificate with Certificate Name = New Admin

C. 1. Select the "Use only client certificate authentication" check box.
   2. Set Role to Dynamic.
   3. Issue to the Client a Certificate with Common Name = New_Admin

D. 1. Select the "Use only client certificate authentication" check box.
   2. Set Role to Role Based.
   3. Issue to the Client a Certificate with Common Name = New Admin

Correct Answer: D


Question #361 Topic 1

Which Security profile prevents users from submitting valid corporate credentials online?

A. WildFire

B. URL filtering

C. Advanced threat prevention

D. SSL decryption

Correct Answer: B

  blahblah1234567890000 1 month, 2 weeks ago


Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-url-filtering
upvoted 2 times

Question #362 Topic 1

Which two statements apply to an Advanced Threat Prevention subscription? (Choose two.)

A. It contains all the features already in a Threat Prevention subscription.

B. It provides the ability to identify evasive and previously unseen command-and-control (C2) threats.

C. When it is active, a WildFire profile is no longer needed.

D. Due to its more advanced signatures, it provides the ability to identify new threats.

Correct Answer: AB

  DlaEdu_Ex 3 weeks ago


Selected Answer: AB
Advanced Threat Prevention—The Advanced Threat Prevention cloud service uses inline deep learning and machine learning models for real-time
detection of evasive and never before seen, unknown C2 threats and zero day vulnerability exploits. As an ultra low-latency native cloud service,
this extensible and infinitely scalable solution is always kept up to date with model training improvements. The Advanced Threat Prevention license
includes all of the benefits included with Threat Prevention.
https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention
upvoted 1 times

  innuendo2 3 weeks, 3 days ago


Isn't D an option?
upvoted 1 times


Question #363 Topic 1

With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability security profile?

A. Vulnerability Exceptions

B. Advanced Rules

C. Inline Cloud Analysis

D. WildFire Inline ML

Correct Answer: A

  davidnl1987 1 month ago


Selected Answer: C
Ver 10: Exceptions
Ver 11: Inline Cloud Analysis
upvoted 2 times

  DlaEdu_Ex 1 month ago


Selected Answer: C
Inline Cloud Analysis Tab

Version 11: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection

Version 10: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection


upvoted 2 times


Question #364 Topic 1

DRAG DROP -

Drag the steps into the correct order to create a static route.

Correct Answer:

  Sanjug2022 3 weeks, 2 days ago


Correct sequence is:
1. Add an IPv4 or IPv6 route by name.
2. Enter the route and netmask.
3. Specify the outgoing interface for packets to use to go to the next hop.
4. Enter the IP address for the specific next hop.
upvoted 4 times

  DlaEdu_Ex 1 month ago


Name
Route and netmask
Outgoing interface (Optional)
IP address for the specific next hop
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/static-routes/configure-a-static-route
upvoted 2 times


Question #365 Topic 1

What are the two ways to implement an exception to an external dynamic list? (Choose two.)

A. Edit the external dynamic list by removing the entries to exclude.

B. Select the entries to exclude from the List Entries list.

C. Manually add an entry to the Manual Exceptions list.

D. Edit the external dynamic list by adding the "-" symbol before the entries to exclude.

Correct Answer: AC

  DlaEdu_Ex 1 month ago


Selected Answer: BC
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/view-external-dynamic-list-entries#id7cdec99b-469a-4159-af9b-e5c6394ab869
upvoted 2 times

Question #366 Topic 1

An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ
or Untrust zones.

The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where
the source and destination zones are VPN.

Which Security policy rule type should they use?

A. Interzone

B. Universal

C. Intrazone

D. Default

Correct Answer: B

  perceptivity 1 week, 4 days ago


Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/security-policy/components-of-a-security-policy-rule
upvoted 1 times

  DlaEdu_Ex 1 month ago


Selected Answer: A
Interzone
The administrator does not want to match traffic where the source and destination zones are LAN/VPN
upvoted 2 times

  cas23147 1 month, 1 week ago


Selected Answer: A
not want to match traffic where the source and destination zones are LAN
upvoted 2 times


Question #367 Topic 1

An administrator is reviewing the Security policy rules shown in the screenshot.

Why are the two fields in the Security policy EDL-Deny highlighted in red?

A. Because antivirus inspection is enabled for this policy

B. Because the destination zone, address, and device are all "any"

C. Because the action is Deny

D. Because the Security-EDL tag has been assigned the red color

Correct Answer: D

Question #368 Topic 1

What are two differences between an application group and an application filter? (Choose two.)

A. Application groups enable access to sanctioned applications explicitly, while application filters enable access to sanctioned applications
implicitly.

B. Application groups are static, while application filters are dynamic.

C. Application groups dynamically group applications based on attributes, while application filters contain applications that are statically
grouped.

D. Application groups can be added to application filters, while application filters cannot be added to application groups.

Correct Answer: AB

  perceptivity 1 week, 4 days ago


Selected Answer: AB
An application filter is dynamic and enables access to applications that you do not explicitly sanction, but that you want users to be able to access.

Application groups are static and are useful for enabling access to applications that you explicitly sanction for use within your organization.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group

An application filter is dynamic and enables access to applications that you do not explicitly sanction, but that you want users to be able to access.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter
upvoted 1 times


Question #369 Topic 1

An administrator reads through the following Applications and Threats Content Release Notes before an update:

Which rule would continue to allow the file upload to confluence after the update?

A.

B.

C.

D.

Correct Answer: B

  DlaEdu_Ex Highly Voted  3 weeks, 2 days ago


Selected Answer: A
A should be the answer
https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330
upvoted 5 times

  alphahotelzulu Most Recent  2 weeks ago


Selected Answer: A
Correct answer is A
upvoted 1 times

  alphahotelzulu 2 weeks ago


Correct answer is A
upvoted 1 times

  innuendo2 3 weeks, 3 days ago


Why not A?
upvoted 1 times

  Sanjug2022 3 weeks, 2 days ago


I also agree; I hope A is correct.
upvoted 1 times
