PCNSA Exam - Comments
https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 1/351
7/26/23, 9:42 AM PCNSA Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #1 Topic 1
DRAG DROP -
Match the Palo Alto Networks Security Operating Platform architecture to its description.
Select and Place:
Correct Answer:
T.I.C --> Identifies and inspects all traffic to block known threats
NGF --> Gathers, analyzes, correlates and disseminates threat to and from the network and endpoints located within the network
A.E.P --> Inspects process and files to prevent known and unknown exploits.
upvoted 2 times
Question #2 Topic 1
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?
A. management
B. network processing
C. data
D. security processing
Correct Answer: A
Question #3 Topic 1
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an
application identified by App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be
deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the
applications
Correct Answer: C
A is correct. For example, Facebook-chat is a dependency on Facebook-base, and must be specifically allowed through a dependency commit,
explicit security policy, etc. It would not be implicitly allowed, things that are implicitly allowed would be ssl and web-browsing, as facebook-base
could not function without those.
upvoted 2 times
But if the security policy is locked to the SuperApp-base, then the traffic to the new apps would be blocked, option A.
upvoted 3 times
Question #4 Topic 1
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. two
B. three
C. four
D. one
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-zones/security-zone-overview
Question #5 Topic 1
Which two configuration settings shown are not the default? (Choose two.)
C. Enable Session
D. Enable Probing
Correct Answer: BC
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/enable-server-monitoring
upvoted 1 times
Ankitkumar2029 6 months, 2 weeks ago
Selected Answer: A
A. Enable Security Log
upvoted 1 times
Screengrabbed the default settings for PAN OS 10 from CBT nuggets course with Keith Barker
upvoted 4 times
Question #6 Topic 1
Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?
A. Signature Matching
B. Network Processing
C. Security Processing
D. Data Interfaces
Correct Answer: A
Question #7 Topic 1
Which option shows the attributes that are selectable when setting up application filters?
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-application-filters
Page 36
An administrator can dynamically categorize multiple applications into an application filter based
on the specific attributes Category, Subcategory, Tags, Risk, and Characteristic.
upvoted 1 times
PANOS 8.1:
Catg., Sub, Tech, Risk, Charch.
upvoted 2 times
Selected Answer: B
Answer B is correct
upvoted 2 times
In PANOS10 you need to click a button "Show Technology Column" to see the technology tab
upvoted 2 times
Question #8 Topic 1
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
D. Allow List
Correct Answer: AD
"ACTIONS(eg Block, Allow etc) can be set for WHICH TWO ITEMS in a URL filtering security profile?"
upvoted 3 times
Gaven 1 year, 4 months ago
Selected Answer: BC
See @ciscoSannin comment. The question is asking for Action on WHICH ITEMS. A and D are actions not Items
upvoted 2 times
Question is "Actions can be set for which two items in a URL filtering security profile?"
So according to the question the correct answer should be B and C since it's asking which profiles the actions can be set.
Reference
URL Filtering Categories - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-security-profiles-url-filtering/url-filtering-categories
Question #9 Topic 1
DRAG DROP -
Match the Cyber-Attack Lifecycle stage to its correct description.
Select and Place:
Correct Answer:
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
Correct Answer: CD
"A firewall admin must be careful before they install any App‐ID updates because some applications may have changed since the last App‐ID
update (content update). For example, an application that was previously categorized under web‐browsing now may be categorized under its own
unique App‐ID. Categorization of applications into more specific applications allows more granularity and control of applications within security
policies. Because the new App‐ID no longer will be categorized as web‐browsing, no security policy now will contain this new App‐ID.
Consequently, the new App‐ID will be blocked."
upvoted 6 times
app-id-impact-on-existing-policy-rules
upvoted 1 times
Ankitkumar2029 6 months, 2 weeks ago
Selected Answer: A
A. Updated application content might change how Security policy rules are enforced.
upvoted 1 times
For any manual process in app-id updates, the option disable content update must be done first, then the admin must allow new signatures
manually
upvoted 4 times
Updated or changed application identifiers MIGHT surely change the way security policy is applied if there's been changes or new additions. (A is
correct). Therefore where there are NEW additions to applications and app identifiers, all the new app-IDs MUST be explicitly/manually included
correctly in the security policy.(B is correct).
C is wrong.... it's silly to think security policy is not affected by app-id when it's in the app-id profile is used.
D is wrong...lost me at "automatically"
upvoted 2 times
As the firewall automatically retrieves and installs the latest application and threat signatures (based on your custom settings), it starts enforcing
security policy based on the latest App-IDs and threat protection without any additional configuration.
Because new App-IDs can change how the security policy enforces traffic, this more limited release of new App-IDs is intended to provide you with
a predictable window in which you can prepare and update your security policy.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/app-and-threat-content-updates
upvoted 2 times
Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?
C. Captive Portal
Correct Answer: C
An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple
applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
Correct Answer: A
upvoted 3 times
sid_2020 2 years, 11 months ago
I think its B only. If you see the question it categorically says 'their own office application' They are not saying Office application in general.
upvoted 2 times
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention
activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?
A. intrazone-default
B. Deny Google
C. allowed-security services
D. interzone-default
Correct Answer: D
upvoted 3 times
RameshKaku 1 year, 5 months ago
Selected Answer: B
B- Because Youtube depends on Google-base
upvoted 1 times
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html
Took the PAN-EDU-210 a few weeks ago the course material says so as well as ->
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles
While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow but scan rule, which scans
allowed applications for threats, such as viruses, malware, spyware, and DDOS attacks. When traffic matches the allow rule defined in the security
policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.
upvoted 1 times
scanossa 1 year, 1 month ago
Selected Answer: B
B is correct
upvoted 1 times
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and
None?
A. Translation Type
B. Interface
C. Address Type
D. IP Address
Correct Answer: A
A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback
Correct Answer: A
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify
out-of-date or unused rules on the firewall?
Correct Answer: D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/view-policy-rule-usage
upvoted 1 times
There is no "Hit Count" option either so for the sake of this question I think B & D would be correct but B is our best option.
1. Unused in 30 days
2. Unused in 90 days
3. Unused
upvoted 2 times
diego1984 1 year, 9 months ago
C is correct, there is no "Hit Count" option
upvoted 2 times
DRAG DROP -
Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
Select and Place:
Correct Answer:
correct
upvoted 2 times
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)
A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy
Correct Answer: AD
Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?
A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
D. Use the Reset Rule Hit Counter > All Rules option
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/creating-and-managing-policies
Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.)
A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email
Correct Answer: BC
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management
plane resources?
Correct Answer: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html
upvoted 3 times
Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You
must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The
wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers
Correct Answer: A
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to
contact a command-and-control (C2) server.
Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)
Correct Answer: BD
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/create-best-practice-security-profiles
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf
upvoted 2 times
In this case, an antivirus profile (C.), which specifically detects and prevents the spread of viruses and other malicious software, would be more
appropriate. Additionally, a URL filtering profile (D.), which blocks access to malicious or undesirable websites, could be used to prevent the
infected host from communicating with the C2 server.
upvoted 1 times
upvoted 1 times
PunkSp 7 months, 3 weeks ago
Selected Answer: BC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-profiles
upvoted 1 times
At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?
A. Delivery
B. Reconnaissance
D. Exploitation
Correct Answer: D
https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle
upvoted 1 times
"Exploitation: In this stage, attackers deploy an exploit against a vulnerable application or system, typically using an exploit kit or weaponized
document. This allows the attack to gain an initial entry point into the organization."
upvoted 1 times
Delivery: This stage marks the transition from the attacker working outside of an organization’s network to working within an organization’s
network. Malware delivered during this stage is designed to exploit existing software vulnerabilities. To deliver its initial malware, the attacker might
choose to embed malicious code within seemingly innocuous PDF or Word files, or within an email message.
upvoted 3 times
Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the User-ID agent
A. 2-3-4-1
B. 1-4-3-2
C. 3-1-2-4
D. 1-3-2-4
Correct Answer: D
From the existing option 1-3-2-4 is correct. 1-2-3-4 would be correct as well, as there is no difference what you do first, add servers to be
monitored, or define a user account
upvoted 8 times
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________ services "Application defaults", and action = Allow
B. Application = "Telnet"
C. Log Forwarding
Correct Answer: B
Based on the security policy rules shown, ssh will be allowed on which port?
A. 80
B. 53
C. 22
D. 23
Correct Answer: C
Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?
A. Threat Prevention
B. WildFire
C. Antivirus
D. URL Filtering
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/install-content-and-software-updates.html
An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image
shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?
B. north-south traffic
C. perimeter traffic
D. east-west traffic
Correct Answer: D
Given the topology, which zone type should zone A and zone B be configured with?
A. Layer3
B. Tap
C. Layer2
D. Virtual Wire
Correct Answer: A
To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?
A. domain controller
B. TACACS+
C. LDAP
D. RADIUS
Correct Answer: C
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?
A. Layer 2
B. Tap
C. Layer 3
D. Virtual Wire
Correct Answer: B
Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator
account?
A. Root
B. Dynamic
C. Role-based
D. Superuser
Correct Answer: C
Which administrator type utilizes predefined roles for a local administrator account?
A. Superuser
B. Role-based
C. Dynamic
D. Device administrator
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/get-started-with-the-cli/give-administrators-access-to-the-cli/administrative-privileges?PageSpeed=noscript
Dynamic includes predefined admin profiles such as Superuser + Superuser(RO), VirtSys + VirtSys(RO), etc
upvoted 2 times
Which two security profile types can be attached to a security policy? (Choose two.)
A. antivirus
B. DDoS protection
C. threat
D. vulnerability
Correct Answer: AD
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/security-profiles
The CFO found a USB drive in the parking lot and decided to plug it into their corporate laptop. The USB drive had malware on it that loaded onto
their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin exfiltrating data from
the laptop.
Which security profile feature could have been used to prevent the communication with the CnC server?
C. Create a URL filtering profile and block the DNS Sinkhole category
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?
Correct Answer: A
Selected Answer: D
D is correct you monitor domain controllers
upvoted 1 times
Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.)
B, C and D if the question says Security policy and Security profile (means together) security policy cannot block must allow always in order to
inspect the traffic and let the Security profile work
upvoted 1 times
Given the image, which two options are true about the Security policy rules? (Choose two.)
Correct Answer: BC
Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the
Outside zone?
A. global
B. intrazone
C. interzone
D. universal
Correct Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
Page 101
upvoted 1 times
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet
gateways?
A. GlobalProtect
B. AutoFocus
C. Aperture
D. Panorama
Correct Answer: A
Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)
Correct Answer: CD
Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine.
A. Exploitation
B. Installation
C. Reconnaissance
D. Act on Objective
Correct Answer: A
Which file is used to save the running configuration with a Palo Alto Networks firewall?
A. running-config.xml
B. run-config.xml
C. running-configuration.xml
D. run-configuration.xml
Correct Answer: A
In the example security policy shown, which two websites would be blocked? (Choose two.)
A. LinkedIn
B. Facebook
C. YouTube
D. Amazon
Correct Answer: AB
Which Palo Alto Networks component provides consolidated policy creation and centralized management?
A. GlobalProtect
B. Panorama
C. Prisma SaaS
D. AutoFocus
Correct Answer: B
Reference:
https://www.paloaltonetworks.com/resources/datasheets/panorama-centralized-management-datasheet
A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture,
and other categories
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
"Prevention Posture Assessment (PPA)—The PPA is a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture. The PPA not only helps to identify all security risks, it also provides detailed suggestions on how to prevent the
risks and close the gaps. The assessment, guided by an experienced Palo Alto Networks sales engineer, helps determine the areas of greatest risk
where you should focus prevention activities. You can run the PPA on firewalls and on Panorama."
upvoted 5 times
Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)
A. User identification
B. Filtration protection
C. Vulnerability protection
D. Antivirus
E. Application identification
F. Anti-spyware
The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check
the number, but doesn't want to unblock the gambling URL category.
Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category?
(Choose two.)
A. Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to
allow.
D. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.
Correct Answer: CD
Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive
information?
A. Aperture
B. AutoFocus
C. Panorama
D. GlobalProtect
Correct Answer: A
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to
contact a command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?
Correct Answer: C
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/dynamic-content-updates#:~:text=Antivirus%20updates%20are%20released%20every,ll%20need%20a%20WildFire%20subscription.
upvoted 1 times
Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and
automatically generated command-and-control (C2) signatures. WildFire signatures detect malware seen first by firewalls from around the world.
You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
upvoted 3 times
B. New URLs
Correct Answer: B
Option A is done by configuring Wildfire to send an alert when something new is discovered
upvoted 1 times
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other
required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-
admin make?
A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE
to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH
B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-
address for application SSH
C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second
security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any
destination-Ip-address
D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-
IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin
Correct Answer: B
A. every 5 minutes
B. every 15 minutes
C. every 60 minutes
D. every 30 minutes
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-wildfire-updates
What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?
A. every 30 minutes
B. every 5 minutes
C. every 24 hours
D. every 1 minute
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-wildfire-updates
Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link
has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized.
Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
B. Captive Portal
Correct Answer: A
https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id-agent.html#id8f750af3-799f-4546-8b9e-a44a23b5b5c0
upvoted 1 times
The Windows-based agent uses MS-RPC, which requires the full Windows Security logs to be sent to the agent, where they are filtered for the
relevant User-ID information.
The PAN-OS integrated agent uses either the Windows Management Instrumentation, or WMI, or the Windows Remote Management Protocol, or
WinRM, which enables the agent to retrieve only the User-ID information from the Windows Security logs.
The result is that, in an infrastructure with remote networks separated with WAN links, the integrated agent is more appropriate for reading remote
logs and the Windows-based agent is more appropriate for reading local logs. However, use of the integrated agent is not without cost: it
consumes more of the firewall’s management plane resources. For this reason, deployment of the Windows agent at remote sites and having them
forward the relevant User-ID information to a firewall on a central network often is beneficial.
upvoted 4 times
DRAG DROP -
Arrange the correct order that the URL classifications are processed within the system.
Select and Place:
Correct Answer:
What must you configure to enable the firewall to access multiple Authentication Profiles to authenticate a non-local account?
A. authentication sequence
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/framemaker/pan-os/7-1/pan-os-admin.pdf page 144
C. antivirus profile
D. vulnerability profile
Correct Answer: A
A. Tap
B. Layer3
C. Virtual Wire
D. Layer2
Correct Answer: B
Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
A. Override
B. Allow
C. Block
D. Continue
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/configure-url-filtering.html
upvoted 2 times
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/configure-url-filtering.html
upvoted 3 times
An internal host needs to connect through the firewall using source NAT to servers on the internet.
Which policy is required to enable source NAT on the firewall?
Correct Answer: A
Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP
addresses?
A. DoS protection
B. URL filtering
C. packet buffering
D. anti-spyware
Correct Answer: A
DoS Protection profiles protect specific devices (classified profiles) and groups of devices (aggregate profiles) against SYN, UDP, ICMP, ICMPv6, and
Other IP flood attacks
DoS protection profiles and policy rules are granular and targeted, and can even be classified to a single device (IP address)
upvoted 1 times
Which path in PAN-OS 9.0 displays the list of port-based security policy rules?
Correct Answer: C
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules
You can filter Security policy rules to see all the port-based rules, which have no applications configured (Policies > Security > Policy Optimizer >
No App Specified).
You can also filter to see all the rules that have applications configured but traffic doesn’t hit all of the applications (Policies > Security > Policy
Optimizer > Unused Apps).
upvoted 2 times
Selected Answer: A
The correct answer should be "A" No App Specified
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/security-policy-rule-optimization/migrate-port-based-to-app-id-based-security-policy-rules
upvoted 2 times
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/policies/policies-security/security-policy-rule-usage.html
No App Specified—Rules that have the application set to any, so you can identify port-based rules to convert to application-based rules.
upvoted 7 times
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)
A. Layer-ID
B. User-ID
C. QoS-ID
D. App-ID
Correct Answer: BD
Reference:
http://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single-pass-parallel-processing-hardware-architecture.html
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
A. Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces
Correct Answer: C
DRAG DROP -
Match the network device with the correct User-ID technology.
Select and Place:
Correct Answer:
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application
signatures?
A. Review Policies
B. Review Apps
C. Pre-analyze
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
A. Select a Security policy rule, and then select Hit Count > Reset.
Correct Answer: A
Given the topology, which zone type should you configure for firewall interface E1/1?
A. Tap
B. Tunnel
C. Virtual Wire
D. Layer3
Correct Answer: A
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
A. Management
B. High Availability
C. Aggregate
D. Aggregation
Correct Answer: C
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that
passes within the zones?
A. intrazone
B. interzone
C. universal
D. global
Correct Answer: B
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same
URL then which choice would be the last to block access to the URL?
Correct Answer: C
ALL options will block the URLs, it's asking here about the order of blocking, which will be first or last to block, it's not asking IF those options
would block or not ;)
The answer is of course D
1- Block list
2- Allow list
3- Custom URL Cat.
4- EDLs
5- Downloaded PAN-DB Files
6- PAN-DB Cloud
upvoted 6 times
The order in which the device checks for URL categories is as follows:
Block list
Allow list
Custom categories
Device cache
BrightCloud downloaded database
Cloud lookup (if enabled)
upvoted 1 times
Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?
A. north-south
B. inbound
C. outbound
D. east-west
Correct Answer: D
Which protocol is used to map usernames to user groups when User-ID is configured?
A. TACACS+
B. SAML
C. LDAP
D. RADIUS
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html
Correct Answer: D
Reference:
https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.
Complete the two empty fields in the Security policy rules that permits only this type of access.
Action: allow -
(Choose two.)
A. Service = "application-default"
B. Service = "service-telnet"
C. Application = "Telnet"
D. Application = "any"
Correct Answer: AC
A. Anti-Spyware Profile
C. Antivirus Profile
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security.html
Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0? (Choose two.)
C. It functions like PAN-DB and requires activation through the app portal.
D. It removes the 100K limit for DNS entries for the downloaded DNS updates.
Correct Answer: AB
- https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812
---Deals with 100K limit
- https://docs.paloaltonetworks.com/threat-prevention
---Deals with DNS Security feature and how to buy and activate it.
upvoted 12 times
https://docs.paloaltonetworks.com/dns-security/administration/about-dns-security/cloud-delivered-dns-signatures
upvoted 1 times
D is incorrect. The downloaded DNS updates still have 100k limitation hardcoded, the new DNS security cloud service doesn't "remove" the 100K
limit for DNS entries for the downloaded DNS updates.
https://live.paloaltonetworks.com/t5/blogs/pan-os-9-0-dns-security-and-content-inspection/ba-p/249812
"New DNS protections are generated by using this C2 prevention service and is distributed by the cloud without the limitations of the
downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures. "
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures
"downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k
signatures"
upvoted 4 times
B maybe is correct as there is no need for DNS updates. In fact every lookup goes into the cloud: "the cloud-based signature database provides
users with instant access to newly added DNS signatures without the need to download updates"
C yes you have to activate it but I don't know what app portal is.
D I disagree with it because you can still download DNS pack for faster lookups: " Locally available, downloadable DNS signature sets (packaged
with the antivirus and WildFire updates) come with a hard-coded capacity limitation of 100k signatures and do not include signatures generated
through advanced analysis"
"Locally available, downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a hard-coded capacity limitation
of 100k signatures and do not include signatures generated through advanced analysis."
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/dns-security/cloud-delivered-dns-signatures.html
upvoted 1 times
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
A. GlobalProtect agent
B. XML API
Correct Answer: BD
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 27 times
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 1 times
https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-dynamic-user-groups
Firewall logs - create a log forwarding profile and use the Built-In Actions
Custom API scripts
upvoted 2 times
usernames by using the web interface. Usernames can also be tagged and untagged by using the auto-tagging feature in a Log Forwarding Profile.
(NOTE: I have practically done both.). You also can program another utility to invoke the PAN-OS XML API commands to tag or untag usernames.
(NOTE: I've not tried XML API myself tho.)
upvoted 2 times
mecacig953 5 months, 3 weeks ago
Selected Answer: BC
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
upvoted 1 times
In other words, how would you automatically include tagged usernames using Panorama or Web interface?!
- The answer is, you do that through defining a filter & an action in Dynamic user groups, followed by Log forwarding configuration, if you don't
activate the log forwarding auto-tagging in the security policy, then the Dynamic user group (DUG) will NOT be populated....you can test it yourself
in any Palo Alto firewall.
Without 'Log forwarding auto-tagging' attached to your security policy, the defined log filter & its action in DUG will NOT forward any recognised
username - which matches the predefined filter & action - to the dynamic user group
The CFO found a malware-infected USB drive in the parking lot, which when inserted infected their corporate laptop. The malware contacted a
known command-and-control server, which caused the infected laptop to begin exfiltrating corporate data.
Which security profile feature could have been used to prevent the communication with the command-and-control server?
C. Create a URL filtering profile and block the DNS Sinkhole URL category
D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.
Correct Answer: D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0
Configure the DNS Sinkhole action in the Anti-Spyware profile. Click on the Objects > Anti-Spyware under Security Profiles.
upvoted 1 times
You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?
A. virtual router
C. DNS proxy
D. service route
Correct Answer: C
Reference:
https://weberblog.net/palo-alto-dns-proxy-for-management-services/
Ref: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/dns/use-case-3-firewall-acts-as-dns-proxy-between-client-and-server
upvoted 1 times
upvoted 1 times
javim 1 year, 1 month ago
Selected Answer: D
D is the correct answer.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
upvoted 1 times
A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant’s network connected to the firewall
interface
"In such a scenario, the firewall performs DNS resolution on its dataplane."
upvoted 1 times
The Palo Alto firewall has a feature called DNS Proxy. Normally it is used for data plane interfaces so that clients can use the interfaces of the Palo
for its recursive DNS server. Furthermore, this DNS Proxy Object can be used for the DNS services of the
https://weberblog.net/palo-alto-dns-proxy-for-management-services/
The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo
Alto Networks services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port
(a regular interface) to access these services. The path from the interface to the service on a server is known as a service route.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/service-routes
upvoted 2 times
Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?
A. Prisma SaaS
B. GlobalProtect
C. AutoFocus
D. Panorama
Correct Answer: A
Reference:
https://www.paloaltonetworks.com/resources/whitepapers/protecting-the-extended-perimeter-with-globalprotect-cloud-service-full
For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?
A. TACACS+
B. RADIUS
C. LDAP
D. SAML
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-an-authentication-profile-and-sequence
Which operations are allowed when working with App-ID application tags?
Correct Answer: C
Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's
management plane is only slightly utilized.
Which User-ID agent is sufficient in your network?
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user-mapping.html
The Windows-based agent uses MS-RPC, which requires the full Windows Security logs to be sent to the agent, where they are filtered for the
relevant User-ID information.
The PAN-OS integrated agent uses either the Windows Management Instrumentation, or WMI, or the Windows Remote Management Protocol, or
WinRM, which enables the agent to retrieve only the User-ID information from the Windows Security logs.
The result is that, in an infrastructure with remote networks separated with WAN links, the integrated agent is more appropriate for reading remote
logs and the Windows-based agent is more appropriate for reading local logs. However, use of the integrated agent is not without cost: it
consumes more of the firewall’s management plane resources. For this reason, deployment of the Windows agent at remote sites and having them
forward the relevant User-ID information to a firewall on a central network often is beneficial.
upvoted 2 times
Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall
permissions?
A. Role-based
B. Multi-Factor Authentication
C. Dynamic
D. SAML
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types.html
“Role Based—Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API.”
upvoted 10 times
A. When guided by authorized sales engineer, it helps determine the areas of greatest security risk
C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
Correct Answer: D
Reference:
https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best-practice-assessment-bpa-tool-for-ngfw-and-panorama/ba-p/248343
https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
upvoted 8 times
D. Heatmap report is presented in %, check out the promotion video on Palo Alto website
https://www.paloaltonetworks.com/resources/videos/bpa-promo
upvoted 2 times
upvoted 1 times
Based on the screenshot presented, which column contains the link that when clicked, opens a window to display all applications matched to the
policy rule?
A. Apps Allowed
B. Service
C. Name
D. Apps Seen
Correct Answer: C
it is answer D
upvoted 3 times
A. PAN-DB database
B. DNS Security
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-licenses-and-subscriptions.html
A. They are groups that are imported from RADIUS authentication servers.
B. They are the only groups visible based on the firewall's credentials.
C. They contain only the users you allow to manage the firewall.
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
Correct Answer: C
upvoted 1 times
gustavok 1 year, 3 months ago
Selected Answer: A
lab-client is not a host, it is the name we are giving to the agent that is connecting to the specified domain controller (Active Directory)
upvoted 2 times
Which action results in the firewall blocking network traffic without notifying the sender?
A. Drop
B. Deny
C. Reset Server
D. Reset Client
Correct Answer: B
The difference between deny and drop is that deny will make a router (or other device) send an ICMP type 3 (destination unreachable) message
response back, where drop will not notify the sending party that the device has been denied and just silently drop the traffic.
upvoted 16 times
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/security-policy-actions
Drop
Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
A. create a policy that provides auto-remediation for anomalous user behavior and malicious activity
C. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity
D. create a policy that provides auto-sizing for anomalous user behavior and malicious activity
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows
within the zones?
A. global
B. intrazone
C. interzone
D. universal
Correct Answer: B
You notice that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which
traffic would you need to monitor and block to mitigate the malicious activity?
B. north-south traffic
C. perimeter traffic
D. east-west traffic
Correct Answer: D
DRAG DROP -
Match each feature to the DoS Protection Policy or the DoS Protection Profile.
Select and Place:
Correct Answer:
Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane?
A. Kerberos user
B. SAML user
D. local user
Correct Answer: B
A. every 15 minutes
B. every 30 minutes
C. every 60 minutes
D. every 5 minutes
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/software-and-content-updates/dynamic-content-updates.html#:~:text=WildFire%20signature%20updates%20are%20made,within%20a%20minute%20of%20availability
Starting with PAN-OS version 9.1, which new type of object is supported for use within the User field of a Security policy rule?
A. remote username
D. local username
Correct Answer: B
Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures?
B. Review Apps
C. Pre-analyze
D. Review Policies
Correct Answer: D
Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?
A. interzone-default
B. internal-inside-dmz
C. inside-portal
D. egress-outside
Correct Answer: D
A. backup
B. candidate
C. running
D. committed
Correct Answer: B
Which three configuration settings are required on a Palo Alto Networks firewall management interface? (Choose three.)
A. hostname
B. netmask
C. default gateway
D. auto-negotiation
E. IP address
Correct Answer: B
At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-dynamic-updates
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-dynamic-updates.html
upvoted 4 times
Sorry Answer is A
upvoted 1 times
error_909 1 year, 4 months ago
Selected Answer: D
D makes more sense to me.
upvoted 1 times
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server.
Which Security Profile detects and prevents this threat from establishing a command-and-control connection?
Correct Answer: B
C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
Correct Answer: B
First line: "The Best Practice Assessment (BPA) tool compares the configuration of firewalls and Panorama to the Palo Alto Networks best practice
recommendations"
upvoted 1 times
The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access
the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other
websites also listed in the URL filtering `gambling` category.
Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the `gambling` URL category?
D. Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.
Correct Answer: CD
Which Palo Alto Networks service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and
scanning files for sensitive information?
A. Prisma SaaS
B. AutoFocus
C. Panorama
D. GlobalProtect
Correct Answer: A
In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?
A. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules
C. Use the Reset Rule Hit Counter > All Rules option
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/creating-and-managing-policies
Based on the Security policy rules shown, SSH will be allowed on which port?
C. any port
Correct Answer: A
You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?
Correct Answer: B
For example, Vulnerability Protection Security Profiles protect against buffer overflows, illegal code execution, and other attempts to exploit system
vulnerabilities
Correct answer is D
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection.html
upvoted 2 times
Palo Alto Networks firewall architecture accelerates content inspection performance while minimizing latency using which two components?
(Choose two.)
B. Policy Engine
Correct Answer: CD
Correct Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC
Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?
A. URL filtering
B. vulnerability protection
C. anti-spyware
D. antivirus
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
Given the topology, which zone type should zone A and zone B be configured with?
A. Layer3
B. Ethernet
C. Layer2
D. Virtual Wire
Correct Answer: A
Assume a custom URL Category Object of `NO-FILES` has been created to identify a specific website.
How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?
A. Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES.
B. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate File Blocking profile.
C. Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES.
D. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate Data Filtering profile.
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-file-blocking
Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?
A. authorization
B. continue
C. authentication
D. override
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions.html
A. An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.
B. An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.
C. An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.
D. An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.
Correct Answer: C
A. Objects
B. Monitor
C. Device
D. Policies
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-addresses
An administrator wishes to follow best practices for logging traffic that traverses the firewall.
Which log setting is correct?
Correct Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC
Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)
A. QoS profile
Correct Answer: BC
Zone Protection Profile: Network -- Zones -- Inside -- Zone Protection Profile -- NEW
SYN Flood info is found here
upvoted 3 times
An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.
What is the correct process to enable this logging?
A. Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.
B. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.
C. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.
D. This rule has traffic logging enabled by default; no further action is required.
Correct Answer: B
Selected Answer: A
Default rules and profiles require Override and, of course, best practice, log at end.
upvoted 2 times
The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.
What changes are required on VR-1 to route traffic between two interfaces on the NGFW?
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/virtual-routers.html
An administrator wants to prevent users from submitting corporate credentials in a phishing attack.
Which Security profile should be applied?
A. antivirus
B. anti-spyware
C. URL-filtering
D. vulnerability protection
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention.html#idc77030dc-6022-4458-8c50-1dc0fe7cffe4
Which two rule types allow the administrator to modify the destination zone? (Choose two.)
A. interzone
B. shadowed
C. intrazone
D. universal
Correct Answer: AD
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
The “predefined” or Panorama pushed “intrazone-default” and “interzone-default” rules names or functions cannot be changed.
This is indicated by a green border around the editor and the “Read Only” wording in the title.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
upvoted 3 times
B. migrate other firewall vendors' security rules to Palo Alto Networks configuration
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.html
Based on the screenshot, what is the purpose of the group in User labelled `it`?
Correct Answer: C
It's not B because it says access IT applications on all ports, it's not all ports, but default ports.
It's not D because it says group "DMZ" but the group is called "it".
It's C, which says to allow group "it" to access IT applications, which is true. If they had added "on standard ports" it would have been more accurate,
but then it would have been simple, I assume.
upvoted 1 times
Which action results in the firewall blocking network traffic without notifying the sender?
A. Drop
B. Deny
C. No notification
D. Reset Client
Correct Answer: A
Assume that traffic matches a Security policy rule but the attached Security Profile is configured to block matching traffic.
Which statement accurately describes how the firewall will apply an action to matching traffic?
C. If it is a block rule, then the Security policy rule action is applied last.
Correct Answer: D
Which Security profile can you apply to protect against malware such as worms and Trojans?
A. antivirus
B. data filtering
C. vulnerability protection
D. anti-spyware
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles#:~:text=Antivirus%20profiles%20protect%20against%20viruses,as%20well%20as%20spyware%20downloads
Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH,
web-browsing and SSL applications.
Which policy achieves the desired results?
A.
B.
C.
D.
Correct Answer: B
Banchan 10 months ago
I think so, A. Because both IP addresses are correct.
upvoted 1 times
Which license is required to use the Palo Alto Networks built-in IP address EDLs?
A. DNS Security
B. Threat Prevention
C. WildFire
D. SD-Wan
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls.html#:~:text=With%20an%20active%20Threat%20Prevention,to%20protect%20against%20malicious%20hosts
A. Panorama automatically removes local configuration locks after a commit from Panorama.
B. Local configuration locks prohibit Security policy changes for a Panorama managed device.
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-panorama/manage-locks-for-restricting-configuration-changes.html
A is not correct. You can't perform a commit while a lock is in place, therefore, the lock can't be automatically removed after a commit that you
cannot execute.
upvoted 2 times
Correct Answer: C
DRAG DROP -
Place the following steps in the packet processing order of operations from first to last.
Select and Place:
Correct Answer:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
A. IP netmask
B. IP subnet
C. IP wildcard mask
D. IP range
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/create-an-address-object.html
A. decryption profile
B. destination interface
C. timeout (min)
D. application
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-security/building-blocks-in-a-security-policy-rule.html
You have been tasked to configure access to a new web server located in the DMZ.
Based on the diagram what configuration changes are required in the NGFW virtual router to route traffic from the 10.1.1.0/24 network to
192.168.1.0/24?
A. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/2 with a next-hop of 172.16.1.2.
B. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.10
C. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 172.16.1.2.
D. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.254.
Correct Answer: C
An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new
content becomes available.
Which security policy action causes this?
A. Reset server
B. Reset both
C. Deny
D. Drop
Correct Answer: C
A drop is silent, you simply discard the packet and don't tell anyone about it. This is great for most situations as you don't generate more traffic
on your network and outsiders who may potentially be scanning you are none the wiser.
A deny sends a notification to the sender that something happened and their packet was rejected
upvoted 2 times
Selecting the option to revert firewall changes will replace what settings?
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/revert-firewall-configuration-changes.html
An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop.
If the application's default deny action is reset-both, what action does the firewall take?
Correct Answer: D
https://beacon.paloaltonetworks.com/assessment_responses/report/16167409#assessment-response-details
upvoted 1 times
Drop:
Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
upvoted 2 times
Reset both= Sends a TCP reset to both the client-side and server-side devices.
upvoted 2 times
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection
upvoted 1 times
This link refers to the action for signatures: Objects > Security Profiles > Vulnerability Protection, and not for the exam question. Please refrain from
posting incorrect answers!
upvoted 3 times
Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)
A. SAML 2.0
B. Kerberos
C. TACACS
D. TACACS+
E. SAML 1.0
Which objects would be useful for combining several services that are often defined together?
A. application filters
B. service groups
D. application groups
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-services.html
Given the screenshot, what two types of route is the administrator configuring? (Choose two.)
A. BGP
B. static route
C. default route
D. OSPF
Correct Answer: BC
Which rule type is appropriate for matching traffic both within and between the source and destination zones?
A. interzone
B. shadowed
C. intrazone
D. universal
Correct Answer: A
Jeevanchalhai 1 year, 8 months ago
it should be D
upvoted 2 times
An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the
ICMP code `communication with the destination is administratively prohibited`.
Which security policy action causes this?
A. Drop
C. Reset both
D. Reset server
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy/security-policy-actions.html
Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable
check box. When enabled, the firewall sends the ICMP code for communication with the destination is administratively prohibited—ICMPv4: Type 3,
Code 13; ICMPv6: Type 1, Code 1.
upvoted 4 times
You receive notification about new malware that infects hosts through malicious files transferred by FTP.
Which Security profile detects and protects your internal networks from this threat after you update your firewall's threat signature database?
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
An administrator wants to prevent access to media content websites that are risky.
Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)
A. recreation-and-hobbies
B. streaming-media
C. known-risk
D. high-risk
Correct Answer: BD
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/url-filtering-multi-category.html
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/url-filtering-security-categories.html
upvoted 10 times
A. PAN-DB
D. Antivirus
Correct Answer: B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures.html
upvoted 2 times
An administrator would like to silently drop traffic from the internet to an FTP server.
Which Security policy action should the administrator select?
A. Drop
B. Deny
C. Block
D. Reset-server
Correct Answer: A
Which object would an administrator create to block access to all high-risk applications?
A. HIP profile
C. application group
D. application filter
Correct Answer: D
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKECA0
https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-block-high-risk-apps-with-application/ba-p/517730
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKECA0
upvoted 1 times
Correct Answer: C
Reference:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
If the application does not change, the firewall inspects the content as per all the security profiles attached to the original matching rule. If it results
in threat detection, then the corresponding security profile action is taken.
The firewall forwards the packet to the forwarding stage if one of the conditions hold true:
If inspection results in a ‘detection’ and security profile action is set to allow, or
Content inspection returns no ‘detection’.
The firewall then re-encrypts the packet before entering the forwarding stage, if applicable (SSL forward proxy decryption and SSH decryption).
upvoted 2 times
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of
time?
B. Automatically "download and install" but with the "disable new applications" option used
C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/threat-prevention/best-practices-for-application-and-threat-content-updates#
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-mission-critical#id184AH00L078
upvoted 1 times
What must be considered with regards to content updates deployed from Panorama?
B. Panorama can only install up to five content versions of the same type for potential rollback scenarios.
D. Panorama can only download one content update at a time for content updates of the same type.
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama.html
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama
upvoted 1 times
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama
upvoted 1 times
During the packet flow process, which two processes are performed in application identification? (Choose two.)
Correct Answer: AB
Reference:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
However, @ntir shared the link which shows literally this situation. I would go with D because it's from PA site.
upvoted 1 times
BeforeScope 6 months, 1 week ago
answer D
upvoted 1 times
What does an administrator use to validate whether a session is matching an expected NAT policy?
A. system log
B. test command
C. threat log
D. config audit
Correct Answer: B
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0
B. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.
C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.
D. It generates a config log after the Panorama configuration successfully reverts to the last running configuration.
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-panorama/enable-automated-commit-recovery.html
According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
A. by minute
B. hourly
C. daily
D. weekly
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-mission-critical.html
DRAG DROP -
Place the steps in the correct packet-processing order of operations.
Select and Place:
Correct Answer:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
2.Zone protection
3.Security profile enforcement
4.App-ID
upvoted 5 times
Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known
Malicious IP
Addresses list?
A. destination address
B. source address
C. destination zone
D. source zone
Correct Answer: D
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list
upvoted 3 times
URL categories can be used as match criteria on which two policy types? (Choose two.)
A. authentication
B. decryption
C. application override
D. NAT
Correct Answer: AB
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-category-as-policy-match-criteria.html
Source: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/how-to-use-url-categories
upvoted 3 times
Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)
Correct Answer: CD
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server
based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)
Correct Answer: AE
upvoted 1 times
Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to
exploit system flaws?
A. URL filtering
B. vulnerability protection
C. file blocking
D. anti-spyware
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection.html
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
Correct Answer: AC
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies.html
What action will inform end users when their access to Internet content is being restricted?
C. Ensure that the "site access" setting for all URL sites is set to "alert".
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-response-pages.html
What is a recommended consideration when deploying content updates to the firewall from Panorama?
A. Before deploying content updates, always check content release version compatibility.
B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.
C. Content updates for firewall A/A HA pairs need a defined master device.
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama.html
Which information is included in device state other than the local configuration?
A. uncommitted changes
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-operations.html
Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and
template settings pushed from Panorama.
upvoted 1 times
Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?
A. It defines the SSL/TLS encryption strength used to protect the management interface.
C. It defines the certificate to send to the client's browser from the management interface.
Correct Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0
An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.
What should the administrator do?
Correct Answer: A
Correct Answer: A
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?
A. check now
B. review policies
D. download
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
A. domain match
B. host names
C. wildcard
D. category match
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-custom-objects-url-category.html
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-custom-objects-url-category
upvoted 2 times
When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?
A. 80
B. 8443
C. 4443
D. 443
Correct Answer: C
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS#:~:text=Details,using%20https%20on%20port%204443
What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control
(RBAC)? (Choose two.)
A. SAML
B. TACACS+
C. LDAP
D. Kerberos
Correct Answer: AB
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html
Correct Answer: C
answer is A
upvoted 2 times
Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently
used by attackers to distribute illegal or unethical material?
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/edl-for-bulletproof-isps
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM0pCAG
upvoted 4 times
Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP
Addresses list?
A. source address
B. destination address
C. source zone
D. destination zone
Correct Answer: A
Which three filter columns are available when setting up an Application Filter? (Choose three.)
A. Parent App
B. Category
C. Risk
D. Standard Ports
E. Subcategory
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-application-filters
upvoted 3 times
Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and
risky websites?
A. reconnaissance
B. delivery
C. installation
D. exploitation
Correct Answer: A
Reference:
https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle
Gain full visibility into all traffic, including SSL, and block high-risk applications. Extend those protections to remote and mobile devices.
Protect against perimeter breaches by blocking malicious or risky websites through URL filtering.
Block known exploits, malware and inbound command-and-control communications using multiple threat prevention disciplines, including IPS,
anti-malware, anti-CnC, DNS monitoring and sinkholing, and file and content blocking.
Detect unknown malware and automatically deliver protections globally to thwart new attacks.
Provide ongoing education to users on spear phishing links, unknown emails, risky websites, etc.
upvoted 6 times
A coworker found a USB labeled "confidential" in the parking lot. They inserted the drive and it infected their corporate laptop with unknown
malware. The malware caused the laptop to begin infiltrating corporate data.
Which Security Profile feature could have been used to detect the malware on the laptop?
A. DNS Sinkhole
B. WildFire Analysis
C. Antivirus
D. DoS Protection
Correct Answer: A
..."In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a
known malicious domain, causing the malicious domain name to resolve to an IP address that you define..."
(https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles)
upvoted 1 times
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles
upvoted 1 times
https://www.paloaltonetworks.com/customers/bank-ocbc-nisp
A. Threat Prevention
C. User-ID
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention
upvoted 1 times
Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?
A. block
B. sinkhole
C. allow
D. alert
Correct Answer: B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
upvoted 2 times
A. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App ID Security policy for every Layer 4 policy that
exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.
B. Policy Optimizer can display which Security policies have not been used in the last 90 days.
C. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.
D. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.
Correct Answer: D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/create-prisma-access-policy/policy-optimizer
upvoted 6 times
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/security-policy-rule-optimization
upvoted 2 times
Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)
C. The virtual router would load balance across the two routes.
Correct Answer: AD
An address object of type IP Wildcard Mask can be referenced in which part of the configuration?
Correct Answer: C
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a
command-and-control server.
Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control
connection?
A. Anti-Spyware Profile
C. Antivirus Profile
Correct Answer: B
A. Policy Optimizer
B. Prisma SaaS
C. GlobalProtect
D. Panorama
Correct Answer: D
An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within
the DMZ zone.
The administrator does not want to allow traffic between the DMZ and LAN zones.
Which Security policy rule type should they use?
A. interzone
B. intrazone
C. default
D. universal
Correct Answer: D
- Universal allows traffic between the zones and within the zones.
- Interzone does NOT allow traffic within a zone, and permits traffic between the two zones
- Default isn't a valid option as you have to point out WHICH default policy, is it the intra or the inter?
- Universal allows traffic between the zones and within the zones.
Intrazone allows traffic within the zones, you can NOT configure a destination zone. So the correct answer is B
upvoted 1 times
For example, if setting the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic
between zones A and B.
upvoted 1 times
Interzone does NOT allow traffic within a zone, and permits traffic between the two zones
Default isn't a valid option as you have to point out WHICH default policy, is it the intra or the inter?
Universal allows traffic between the zones and within the zones.
Intrazone allows traffic within the zones, you can NOT configure a destination zone. So the correct answer is B
upvoted 1 times
For example, if setting the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic
between zones A and B.
upvoted 4 times
According to best practices, how frequently should WildFire updates be made to perimeter firewalls?
A. every 10 minutes
B. every minute
C. every 5 minutes
D. in real time
Correct Answer: D
If you are running PAN-OS 10.0 or later, configure your firewall to retrieve WildFire signatures in real-time. This provides access to newly-
discovered malware signatures as soon as the WildFire public cloud can generate them, thereby preventing successful attacks by minimizing your
exposure time to malicious activity.
upvoted 2 times
Given the topology, which interface type should you configure for firewall interface E1/1?
A. Layer 2
B. virtual wire
C. tap
D. mirror port
Correct Answer: C
Which solution is a viable option to capture user identification when Active Directory is not in use?
C. group mapping
D. Authentication Portal
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-directory-type/configure-an-on-premises-directory/install-the-cloud-identity-agent
There is nothing like Authn portal on PA, it's actually Captive Portal. If we go word-by-word then CIE is the answer otherwise Authn Portal is. Very
ambiguous question.
upvoted 2 times
What allows a security administrator to preview the Security policy rules that match new application signatures?
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules.html
If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID?
B. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389.
C. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL.
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/best-practices/10-0/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-group-mapping.html
An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains.
Which type of single, unified engine will get this result?
A. Content ID
B. App-ID
D. User-ID
Correct Answer: C
Which action would an administrator take to ensure that a service object will be available only to the selected device group?
Correct Answer: B
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-services
upvoted 1 times
Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit
42 research, and data gathered from telemetry?
Correct Answer: B
An administrator would like to determine the default deny action for the application dns-over-https.
Which action would yield the information?
B. Check the action for the Security policy matching that traffic
Correct Answer: B
A. PAN-DB database
C. DNS Security
Correct Answer: A
A. ensure that policy rules are not shadowing other policy rules
B. confirm that rules meet or exceed the Best Practice Assessment recommendations
C. confirm that policy rules in the configuration are allowing/denying the correct traffic
Correct Answer: D
Which attribute can a dynamic address group use as a filtering condition to determine its membership?
A. subnet mask
B. tag
C. IP address
D. wildcard mask
Correct Answer: B
View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and
Untrust/Internet zones from each of the IOT/Guest and Trust Zones?
A.
B.
C.
D.
Correct Answer: C
What are the three DNS Security categories available to control DNS traffic? (Choose three.)
A. Parked Domains
B. Spyware Domains
C. Vulnerability Domains
D. Phishing Domains
E. Malware Domains
What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)
A. firewall logs
The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is
configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this
request? (Choose two.)
A. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive
characteristic
B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application
C. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application
D. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic
Correct Answer: AD
Which object would an administrator create to enable access to all applications in the office-programs subcategory?
A. HIP profile
B. URL category
C. application group
D. application filter
Correct Answer: D
Given the detailed log information above, what was the result of the firewall traffic inspection?
Correct Answer: D
An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule.
What is the best way to do this?
D. Create a new NAT rule with the correct parameters and leave the translation type as None.
Correct Answer: D
What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?
A. You can specify the location as pre- or post-rules to push policy rules
B. You can specify the firewalls in a device group to which to push policy rules
C. Doing so provides audit information prior to making changes for selected policy rules
Correct Answer: A
When an ethernet interface is configured with an IPv4 address, which type of zone is it a member of?
A. Layer 3
B. Virtual Wire
C. Tap
D. Tunnel
Correct Answer: A
An administrator would like to create a URL Filtering log entry when users browse to any gambling website.
What combination of Security policy and Security profile actions is correct?
Correct Answer: C
https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/url-filtering-profiles
upvoted 1 times
An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.
Which two fields could help in determining if this is normal? (Choose two.)
A. IP Protocol
B. Packets sent/received
C. Decrypted
D. Action
Correct Answer: BD
When monitoring the traffic logs using Monitor > logs > Traffic, some traffic is seen with the Session End Reason as aged-out. Any traffic that uses
UDP or ICMP will have session end reason as aged-out in the traffic log. This is because unlike TCP, there is no way for a graceful
termination of UDP session and so aged-out is a legitimate session-end reason for UDP (and ICMP) sessions.
Link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW
upvoted 5 times
What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)
After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration
that matches the running configuration.
Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?
Correct Answer: A
What are three valid ways to map an IP address to a username? (Choose three.)
For each access domain (up to 25) you want to assign to the administrator, Add an Access Domain from the drop-down (see Panorama > Access
Domains) and then click the adjacent Admin Role cell and select a custom Device Group and Template administrator role from the drop-down (see
Panorama > Managed Devices > Summary). When administrators with access to more than one domain log in to Panorama, an Access Domain
drop-down appears in the footer of the web interface. Administrators can select any assigned Access Domain to filter the monitoring and
configuration data that Panorama displays. The Access Domain selection also filters the firewalls that the Context drop-down displays.
upvoted 1 times
A. 192.168.40.1-192.168.40.255
B. 192.168.40.1-255
C. 192.168.40.1, 192.168.40.255
D. 192.168.40.1/24
Correct Answer: A
An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the
traffic logs on the firewall. The interzone-default was never changed from its default configuration.
Why doesn't the administrator see the traffic?
Correct Answer: C
What do you configure if you want to set up a group of objects based on their ports alone?
A. address groups
B. custom objects
C. application groups
D. service groups
Correct Answer: D
What are two valid selections within a Vulnerability Protection profile? (Choose two.)
A. deny
B. drop
C. default
D. sinkhole
Correct Answer: BC
Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)
A. Tap
B. HA
C. Layer 3
D. Layer 2
E. Virtual Wire
An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.
Which security policy action causes this?
A. Drop
C. Reset both
D. Reset server
Correct Answer: B
When creating an Admin Role profile, if no changes are made, which two administrative methods will you have full access to? (Choose two.)
A. web UI
B. XML API
C. command line
D. REST API
Correct Answer: AD
An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to
update the Security policy or object when new applications are released.
Which object should the administrator use as a match condition in the Security policy?
C. an application group containing all of the file-sharing App-IDs reported in the traffic logs
Correct Answer: D
Which list of actions properly defines the order of steps needed to add a local database user account and create a new group to which this user
will be assigned?
A. 1. Navigate to Device > Local User Database > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash.
4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the group.
7. Add the user to the group and click OK.
B. 1. Navigate to Device > Authentication Profile > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or
Hash. 4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the
group. 7. Add the user to the group and click OK.
C. 1. Navigate to Device > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account
and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
D. 1. Navigate to Device > Admins and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the
account and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click
OK.
Correct Answer: A
When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)
A. server profile
B. admin role
C. password profile
D. access domain
Correct Answer: BD
B. Admin Role - The set of permissions for the administrator. It is a custom role where you can specify what the admin can and cannot do.
D. Access Domain - This is the set of devices or device groups, templates, or template stacks that the admin is allowed to access.
A. source zone
B. name
C. destination interface
D. destination zone
E. destination address
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching
criteria based on the packet’s destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall
evaluates the rules in order from the top down.
upvoted 2 times
An administrator wants to prevent hacking attacks through DNS queries to malicious domains.
Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)
A. deny
B. block
C. sinkhole
D. override
Correct Answer: BC
A. Pre-NAT address
B. Pre-NAT zone
C. Post-NAT address
D. Post-NAT zone
Correct Answer: AD
"Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if
the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any
security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon
egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies
apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address."
I also just noticed that the question asked for a combination of address and zones so the answer cannot be "BD".
upvoted 2 times
Based on the above the correct answers are A&B as the post nat zone is decided according to the NAT that will be applied and post NAT address is
not a matching criteria of course.
upvoted 1 times
A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)
A. OSPF
B. EIGRP
C. IS-IS
D. BGP
E. RIP
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/virtual-routers
upvoted 1 times
Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition,
traffic should be permitted from the SERVER zone to the DMZ on SSH only.
Which rule group enables the required traffic?
A.
B.
C.
D.
Correct Answer: C
Further, there's no reason to establish policies for the interlink zone. The firewall will inspect the traffic and permit it, provided there's an
allow policy. This process is automatic, without needing specific policies for the interlink zone.
upvoted 1 times
Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the
management interface?
A. service route
B. dynamic updates
C. SNMP setup
D. data redistribution
Correct Answer: A
In order to fulfill the corporate requirement to backup the configuration of Panorama and the Panorama-managed firewalls securely, which
protocol should you select when adding a new scheduled config export?
A. HTTPS
B. SMB v3
C. SCP
D. FTP
Correct Answer: C
All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.
Complete the empty field in the Security policy using an application object to permit only this type of access.
Service: application-default -
Action: allow
A. Application = "any"
B. Application = "web-browsing"
C. Application = "ssl"
D. Application = "http"
Correct Answer: D
The question is clearly specifying ONLY HTTP traffic, but the provided options do not match the asked criteria.
HTTP is a server, and web-browsing is an APP-ID. However, "web-browsing" if left alone with default application service allows both http and https.
Moreover, the answer doesn't make a correction in the Service option and leaves it as application-default.
I agree that the answer, based on the requirements is B, but the question sucks.
upvoted 3 times
An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established
connections to remote systems.
From the Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to prevent such connections?
Correct Answer: C
Command-and-control is defined by Palo Alto Networks as URLs and domains used by malware and/or compromised systems to surreptitiously
communicate with an attacker's remote server to receive malicious commands or exfiltrate data
upvoted 1 times
An administrator would like to follow the best-practice approach to log the traffic that traverses the firewall.
Correct Answer: B
Which two protocols are available on a Palo Alto Networks Firewall Interface Management Profile? (Choose two.)
A. HTTPS
B. RDP
C. SCP
D. SSH
Correct Answer: AD
A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT, Finance, and HR.
Which two types of traffic will the rule apply to? (Choose two)
Correct Answer: CD
You receive notification about new malware that infects hosts through malicious files transferred by FTP.
Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?
Correct Answer: A
An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.
A. Drop
C. Reset both
D. Reset client
Correct Answer: B
or Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP
Unreachable check box. When enabled, the firewall sends the ICMP code
upvoted 1 times
A. It dynamically shapes defined application traffic based on active sessions and bandwidth usage.
B. It dynamically filters applications based on critical, high, medium, low, or informational severity.
C. It dynamically groups applications based on application attributes such as category and subcategory.
D. It dynamically provides application statistics based on network, threat, and blocked activity.
Correct Answer: C
Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided
password?
A. continue
B. override
C. hold
D. exclude
Correct Answer: B
A. named address
B. IP range
C. FQDN
D. IP netmask
Correct Answer: C
What are the requirements for using Palo Alto Networks EDL Hosting Service?
Correct Answer: B
What are two valid selections within an Antivirus profile? (Choose two.)
A. deny
B. drop
C. block-ip
D. default
Correct Answer: BD
Your company is highly concerned with their intellectual property being accessed by unauthorized resources. There is a mature process to store
and include metadata tags for all confidential documents.
Which Security profile can further ensure that these documents do not exit the corporate network?
A. File Blocking
B. Data Filtering
C. Anti-Spyware
D. URL Filtering
Correct Answer: D
An administrator is reviewing the Security policy rules shown in the screenshot below.
Correct Answer: C
https://youtu.be/TGBfwwalpj0
upvoted 2 times
Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.
What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?
Correct Answer: A
DRAG DROP
-
Correct Answer:
What are the two default behaviors for the intrazone-default policy? (Choose two.)
A. Allow
C. Deny
D. Logging disabled
Correct Answer: AB
Correct Answer: A
An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets.
What are two security policy actions the administrator can select? (Choose two.)
A. Reset server
B. Deny
C. Drop
D. Reset both
Correct Answer: AC
An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address.
A. Static IP
B. Destination
D. Dynamic IP
Correct Answer: C
What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)
https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling
An administrator would like to see the traffic that matches the intrazone-default rule in the traffic logs.
A. Select the intrazone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.
B. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.
C. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.
D. This rule has traffic logging enabled by default; no further action is required.
Correct Answer: A
B. application prioritization
Correct Answer: A
A. https://paloaltonetworks.com
B. #.paloaltonetworks.com
C. http://paloaltonetworks.com
D. *.paloaltonetworks.com
Correct Answer: D
What are two valid selections within an Anti-Spyware profile? (Choose two.)
B. Drop
C. Deny
D. Default
Correct Answer: BD
What is a prerequisite before enabling an administrative account which relies on a local firewall user database?
Correct Answer: A
Which Security policy set should be used to ensure that a policy is applied first?
B. Shared pre-rulebase
Correct Answer: B
An administrator is trying to implement an exception to an external dynamic list manually. Some entries are shown underlined in red.
Correct Answer: C
What can be achieved by disabling the Share Unused Address and Service Objects with Devices setting on Panorama?
Correct Answer: D
Which Security profile can be used to detect and block compromised hosts from trying to communicate with external command-and-control (C2)
servers?
A. URL Filtering
B. Antivirus
C. Vulnerability
D. Anti-Spyware
Correct Answer: D
An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list.
A. 50
B. 100
C. 200
D. 1,000
Correct Answer: B
What are two ways to resolve this issue for a proper response? (Choose two.)
Correct Answer: BD
If the firewall interface E1/1 is connected to a SPAN or mirror port, which interface type should E1/1 be configured as?
A. Tap
B. Virtual Wire
C. Layer 2
D. Layer 3
Correct Answer: A
An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240
addresses and found that connections from addresses that needed new translations were being dropped.
A. Dynamic IP
B. Static IP
D. Destination NAT
Correct Answer: C
The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges. In particular, the new
EMEA Regional Panorama Administrator should be able to:
What is the correct configuration for the new EMEA Regional Panorama Administrator profile?
Correct Answer: A
An administrator would like to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 device
groups and five templates.
Which configuration action should the administrator take when creating the address object?
Correct Answer: C
Which type of policy allows an administrator to both enforce rules and take action?
A. Authentication
B. Security
C. NAT
D. Decryption
Correct Answer: A
With the DNS Security subscription, when will the cloud-based signature database provide users access to newly added DNS signatures?
Correct Answer: B
Why should a company have a File Blocking profile that is attached to a Security policy?
Correct Answer: B
What can be used as match criteria for creating a dynamic address group?
A. MAC addresses
B. IP addresses
C. Usernames
D. Tags
Correct Answer: D
answer - tags
upvoted 1 times
An administrator is reviewing packet captures to troubleshoot a problem with an application, and they observe TCP resets to the client and the
server.
A. Drop
B. Reset server
C. Reset client
D. Reset both
Correct Answer: D
An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.
A. Vulnerability protection
B. Anti-spyware
C. URL filtering
D. Antivirus
Correct Answer: B
An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are
available for any known user in the organization.
A. Application Group
B. Tag
D. Application Filter
Correct Answer: A
Which two configurations does an administrator need to compare in order to see differences between the active configuration and potential
changes if committed? (Choose two.)
A. Device state
B. Active
C. Candidate
D. Running
Correct Answer: CD
An administrator configured a Security policy rule where the matching condition includes a single application and the action is set to deny.
A. Discard the session’s packets and send a TCP reset packet to let the client know the session has been terminated
C. Perform the default deny action as defined in the App-ID database for the application
Correct Answer: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-policy/security-policy-actions
upvoted 2 times
If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?
Services: SSH -
Applications: Any -
Action: Allow
Services: Application-Default -
Applications: SSH -
Action: Allow
Services: Application-Default -
Applications: SSH -
Action: Deny
Services: SSH -
Applications: Any -
Action: Deny
Correct Answer: B
An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile.
If a virus gets detected, how will the firewall handle the traffic?
B. It drops the traffic because the profile was not set to explicitly allow the traffic.
C. It allows the traffic because the profile was not set to explicitly deny the traffic.
Correct Answer: D
How should the administrator configure the firewall to restrict users to specific email applications?
B. Create an application filter and filter it on the collaboration category, email subcategory.
Correct Answer: C
A. Data Filtering
B. URL Filtering
C. Anti-Spyware
D. Antivirus
Correct Answer: C
Correct Answer: A
A. Allow
B. Deny
C. Reset-client
D. Reset-server
Correct Answer: B
A. 2
B. Unlimited
C. 10
D. 1
Correct Answer: B
D. Unused Apps
Correct Answer: B
Both screens are similar and I could not see any difference in the format. However, the results outcome is different of course.
so I am not quite sure which one should be correct in this case.
upvoted 1 times
There is column Application in New App viewer (3rd, between columns Service and Traffic), which is not present on this pic.
This is only difference between New App V and Rules Wout App Cntrl.
upvoted 1 times
A is correct - Rules without Apps Control (or No App Specified in the previous PAN-OS version)
upvoted 1 times
OhEmGee 5 months, 2 weeks ago
Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/security-policy-rule-optimization/migrate-port-based-to-app-id-based-security-policy-rules
upvoted 1 times
PS: You can read about Rules Without Apps Control from the link in the original post and for New App Viewer, go to
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/cloud-based-app-id-service/new-app-viewer-policy-optimizer.
upvoted 2 times
Where within the firewall GUI can all existing tags be viewed?
Correct Answer: C
A. Sinkhole
B. Reset-client
C. Drop
D. Reset-both
Correct Answer: C
To enable DNS sinkholing, which two addresses should be reserved? (Choose two.)
A. MAC
B. IPv6
C. Email
D. IPv4
Correct Answer: BD
A NetSec manager was asked to create a new firewall administrator profile with customized privileges. The new firewall administrator must be
able to download TSF File and Stats Dump File but must not be able to reboot the device.
Where does the NetSec manager go to configure the new firewall administrator role profile?
A. Device > Admin Roles > Add > XML API > Configuration
B. Device > Admin Roles > Add > XML API > Operational Request
C. Device > Admin Roles > Add > Web UI > Support
D. Device > Admin Roles > Add > Web UI > Operations
Correct Answer: D
What must exist in order for the firewall to route traffic between Layer 3 interfaces?
A. Virtual router
B. Virtual wires
D. VLANs
Correct Answer: D
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/configure-interfaces/layer-3-interfaces
upvoted 2 times
Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?
A. Panorama > Device Deployment > Dynamic Updates > Schedules > Add
B. Panorama > Device Deployment > Content Updates > Schedules > Add
C. Panorama > Dynamic Updates > Device Deployment > Schedules > Add
D. Panorama > Content Updates > Device Deployment > Schedules > Add
Correct Answer: B
In which threat profile object would you configure the DNS Security service?
A. Antivirus
B. Anti-Spyware
C. WildFire
D. URL Filtering
Correct Answer: C
Which rule type is appropriate for matching traffic occurring within a specified zone?
A. Universal
B. Shadowed
C. Intrazone
D. Interzone
Correct Answer: C
Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)
A. Pre-NAT address
B. Post-NAT address
C. Pre-NAT zone
D. Post-NAT zone
Correct Answer: AB
Go into the WebUI and look for yourself! Only zones are required. NOT addresses!
Remember, these exams are as much "reading comprehension" as they are technical knowledge...it's C and D!
upvoted 2 times
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
upvoted 2 times
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 2 times
mecacig953 5 months, 3 weeks ago
Selected Answer: AD
Pre-NAT IP; Post-NAT Zone
upvoted 4 times
If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?
Correct Answer: C
Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?
A. Tap
B. Virtual Wire
C. Layer 2
D. Layer 3
Correct Answer: B
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-interfaces/virtual-wire-interface
upvoted 1 times
A. Management
B. Logical
C. Transparent
D. Tap
Correct Answer: A
An administrator is creating a Security policy rule and sees that the destination zone is grayed out.
While creating the rule, which option was selected to cause this?
A. Interzone
B. Source zone
C. Universal (default)
D. Intrazone
Correct Answer: A
How many levels can there be in a device-group hierarchy, below the shared level?
A. 2
B. 3
C. 4
D. 5
Correct Answer: D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
upvoted 2 times
A. Templates
B. Device Groups
C. Shared
D. Panorama tab
Correct Answer: D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC
upvoted 2 times
A. Tags
B. Service
C. Type
D. Action
Correct Answer: A
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-tags
upvoted 3 times
A. Destination Zone
B. Actions
C. Source Zone
D. Application
Correct Answer: A
Correct Answer: B
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
upvoted 1 times
Which policy set should be used to ensure that a policy is applied just before the default security rules?
A. Shared post-rulebase
Correct Answer: D
Which rule type is appropriate for matching traffic occurring within a specified zone?
How should the administrator configure the firewall to restrict users to specific email applications?
B. Create an application filter and filter it on the collaboration category, email subcategory.
Correct Answer: B
Review the screenshot below. Based on the information it contains, which protocol decoder will detect a machine-learning match, create a Threat
log entry, and permit the traffic?
A. smb
B. imap
C. ftp
D. http2
Correct Answer: D
A. 1
B. 2
C. 3
D. 4
Correct Answer: A
A. Role Based
B. Superuser
C. Dynamic
D. Local
Correct Answer: AD
The Net Sec Manager asked to create a new Firewall Operator profile with customized privileges.
In particular, the new firewall operator should be able to:
Check the configuration with read-only privilege for LDAP, RADIUS, TACACS+, and SAML as Server profiles to be used inside an Authentication
profile.
What is the right path in order to configure the new firewall Administrator Profile?
A. Device > Admin Roles > Add > Web UI > Device > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else
B. Device > Admin Roles > Add > Web UI > Objects > Server Profiles
Device > Admin Roles > Add > Web UI > disable access to everything else
C. Device > Admin Roles > Add > Web UI > Objects > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else
D. Device > Admin Roles > Add > Web UI > Device > Authentication Profile
Device > Admin Roles > Add > Web UI > disable access to everything else
Correct Answer: D
Within the WildFire Analysis profile, which three items are configurable? (Choose three.)
A. FileType
B. Direction
C. Service
D. Application
E. Objects
Which Security profile can be used to configure sinkhole IPs in the DNS Sinkhole settings?
A. Vulnerability Protection
B. Anti-Spyware
C. Antivirus
D. URL Filtering
Correct Answer: B
Which three management interface settings must be configured for functional dynamic updates and administrative access on a Palo Alto
Networks firewall? (Choose three.)
A. NTP
B. IP address
C. MTU
D. DNS server
E. service routes
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
upvoted 6 times
How does the Policy Optimizer policy view differ from the Security policy view?
Correct Answer: C
Policy Optimizer provides sorting options that don’t affect the rule order, so you can sort rules to prioritize which rules to convert or clean up first.
upvoted 2 times
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules
upvoted 2 times
An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the
rule type from its default value.
A. Intrazone
B. Interzone
C. Universal
D. Tagged
Correct Answer: B
B. Applications that are not explicitly sanctioned and that a company wants users to be able to access
D. Applications that are not explicitly unsanctioned and that a company wants users to be able to access
Correct Answer: B
D. It identifies the purpose of a rule or configuration object and helps you better organize your rulebase
Correct Answer: D
How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to destination ports tcp/22 and tcp/4422?
A. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin then creates a Security policy allowing application "ssh" and service "tcp-4422".
B. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "application-default".
C. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin also creates a custom service object named "tcp-22" with port tcp/22.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "tcp-22".
D. The admin creates a Security policy allowing application "ssh" and service "application-default".
Correct Answer: C
Which type of DNS signatures are used by the firewall to identify malicious and command-and-control domains?
Correct Answer: B
Which Security policy action will message a user's browser that their web session has been terminated?
A. Reset client
B. Deny
C. Drop
D. Reset server
Correct Answer: D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClltCAC
upvoted 2 times
The Reset Client action is useful in situations where a web session needs to be terminated immediately, such as when a user is accessing a
malicious or unauthorized website or when there is a violation of a security policy rule.
upvoted 3 times
In order to protect users against exploit kits that exploit a vulnerability and then automatically download malicious payloads, which Security profile
should be configured?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus
Correct Answer: C
A. Phishing
B. Spyware
C. PUP
D. Malware
Correct Answer: D
To protect against illegal code execution, which Security profile should be applied?
Correct Answer: D
Which three types of entries can be excluded from an external dynamic list? (Choose three.)
A. IP addresses
B. Applications
C. User-ID
D. Domains
E. URLs
The Administrator profile “PCNSA Admin” is configured with an Authentication profile “Authentication Sequence PCNSA”.
The Authentication Sequence PCNSA has a profile list with four Authentication profiles:
After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the “PCNSA Admin” username
and password.
Which option describes the “PCNSA Admin” login capabilities after the outage?
B. Auth KO because RADIUS server lost user and password for PCNSA Admin
Correct Answer: D
A. Reset-client
B. Reset-server
C. Deny
D. Allow
Correct Answer: D
A Panorama administrator would like to create an address object for the DNS server located in the New York City office, but does not want this
object added to the other Panorama managed firewalls.
Which configuration action should the administrator take when creating the address object?
A. Tag the address object with the New York Office tag.
Correct Answer: D
An administrator is troubleshooting an issue with traffic that matches the interzone-default rule, which is set to default configuration.
Correct Answer: D
What is the default action for the SYN Flood option within the DoS Protection profile?
A. Reset-client
B. Alert
C. Sinkhole
Correct Answer: D
B. Applications that are not explicitly unsanctioned and that an administrator wants users to be able to access
D. Applications that are not explicitly sanctioned and that an administrator wants users to be able to access
Correct Answer: C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
upvoted 7 times
Where does a user assign a tag group to a policy rule in the policy creation window?
A. General tab
B. Usage tab
C. Application tab
D. Actions tab
Correct Answer: B
A. Security profile
B. App-ID
C. Policy-based forwarding
D. Policy Optimizer
Correct Answer: D
A. Wait until all running and pending jobs are finished before committing.
D. Disable the automatic commit feature that prioritizes content database installations before committing.
Correct Answer: C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-cli-quick-start/use-the-cli/commit-configuration-changes
As a best practice, validate configuration changes prior to committing so that you can fix any errors that will cause a commit failure, thereby
ensuring that the commit will succeed. This is particularly useful in environments with a strict change window.
upvoted 3 times
Which Security profile generates an alert based on a threshold when the action is set to Alert?
A. Vulnerability Protection
B. Antivirus
C. DoS protection
D. Anti-Spyware
Correct Answer: A
Given the network diagram, which two statements are true about traffic between the User and Server networks? (Choose two.)
B. Traffic restrictions are not possible because the networks are in the same zone.
Correct Answer: AD
Which setting is available to edit when a tag is created on the local firewall?
A. Color
B. Location
C. Order
D. Priority
Correct Answer: D
With the PAN-OS 11.0 Nova release, which two attack options can new inline deep learning analysis engines detect and prevent? (Choose two.)
B. SSL attacks
D. HTTP attacks
Correct Answer: C
Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for
command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats
upvoted 2 times
Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for
command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats. By operating cloud-based detection
engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to
download update packages or operate process intensive, firewall-based analyzers which can sap resources. Inline cloud analysis for your firewall
Vulnerability Protection profile supports two analysis engines: SQL injection and Command injection. Additional analysis models are delivered
through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no firewall update. Inline
cloud analysis is enabled and configured using the Vulnerability Protection profile and requires an active Advanced Threat Prevention license.
upvoted 2 times
Which profile must be applied to the Security policy rule to block spyware on compromised hosts from trying to phone-home or beacon out to
external command-and-control (C2) servers?
A. Anti-spyware
B. File blocking
C. WildFire
D. URL filtering
Correct Answer: D
Which feature dynamically analyzes and detects malicious content by evaluating various web page details using a series of machine learning (ML)
models?
A. Antivirus Inline ML
C. Anti-Spyware Inline ML
D. WildFire Inline ML
Correct Answer: B
The AV and AS sec profiles also use machine learning but the AV sec profile uses the wildfire inline machine learning to search for powershell
scripts, malicious executables, etc while the AS machine learning searches for C2C traffic.
upvoted 1 times
An administrator is troubleshooting an issue with Office365 and expects that this traffic traverses the firewall.
When reviewing Traffic Log entries, there are no logs matching traffic from the test workstation.
C. Traffic matches the interzone-default rule, which does not log traffic by default.
D. The firewall is blocking the traffic, and all blocked traffic is in the Threat Log.
Correct Answer: C
When creating an address object, which option is available to select from the Type drop-down menu?
A. IPv6 Address
B. IP Netmask
C. IPv4 Address
D. IP Address Class
Correct Answer: B
If both interfaces are connected to the same virtual router, which IP address information will an administrator need to enter in the Destination field
to access the internet?
A. 0.0.0.0
B. 10.0.2.1/32
C. 10.0.1.254/32
D. 0.0.0.0/0
Correct Answer: A
Where within the URL Filtering security profile must a user configure the action to prevent credential submissions?
Correct Answer: B
Which Security profile must be added to Security policies to enable DNS Signatures to be checked?
A. URL Filtering
B. Vulnerability Protection
C. Anti-Spyware
D. Antivirus
Correct Answer: C
Which two Security profile actions can only be applied to DoS Protection profiles? (Choose two.)
A. Reset-server
B. Reset-both
C. SYN cookies
Correct Answer: CD
Where can you apply URL Filtering policy in a Security policy rule?
Correct Answer: D
A. Tunnel interfaces
B. Layer 2 subinterfaces
C. Layer 3 subinterfaces
D. Loopback interfaces
Correct Answer: C
Which three factors can be used to create malware based on domain generation algorithms? (Choose three.)
A. Time of day
D. Cryptographic keys
E. IP address
Which action column is available to edit in the Action tab of an Antivirus security profile?
A. Virus
B. Signature
C. Spyware
D. Trojan
Correct Answer: A
Given the detailed log information above, what was the result of the firewall traffic inspection?
Correct Answer: D
B. Allow the User-ID agent in zones where agents are not monitoring services.
D. Deny WMI traffic from the User-ID agent to any external zone.
Correct Answer: D
A. Block
B. Allow
C. Strict
D. Sinkhole
E. Alert
Correct Answer: AD
Which System log severity level would be displayed as a result of a user password change?
A. Low
B. Medium
C. High
D. Critical
Correct Answer: B
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/system-logs#id8edbfdae-ed92-4d8e-ab76-6a38f96e8cb1
upvoted 2 times
An administrator would like to block traffic to all high risk audio streaming applications, including new App-IDs introduced with content updates.
Which filter should the administrator configure in the application filter object?
Correct Answer: C
An administrator receives a notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common
application.
Which Security Profile will detect and block access to this threat after the administrator updates the firewall's threat signature database?
Correct Answer: A
The NetSec Manager asked to create a new firewall Local Administrator profile with customized privileges named New_Admin. This new
administrator has to authenticate without inserting any username or password to access the WebUI.
What steps should the administrator follow to create the New_Admin Administrator profile?
Correct Answer: D
Which Security profile prevents users from submitting valid corporate credentials online?
A. WildFire
B. URL filtering
D. SSL decryption
Correct Answer: B
Which two statements apply to an Advanced Threat Prevention subscription? (Choose two.)
B. It provides the ability to identify evasive and previously unseen command-and-control (C2) threats.
D. Due to its more advanced signatures, it provides the ability to identify new threats.
Correct Answer: AB
With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability security profile?
A. Vulnerability Exceptions
B. Advanced Rules
D. WildFire Inline ML
Correct Answer: A
DRAG DROP -
Drag the steps into the correct order to create a static route.
Correct Answer:
What are the two ways to implement an exception to an external dynamic list? (Choose two.)
D. Edit the external dynamic list by adding the “-” symbol before the entries to exclude.
Correct Answer: AC
An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ
or Untrust zones.
The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where
the source and destination zones are VPN.
A. Interzone
B. Universal
C. Intrazone
D. Default
Correct Answer: B
Why are the two fields in the Security policy EDL-Deny highlighted in red?
B. Because the destination zone, address, and device are all "any"
D. Because the Security-EDL tag has been assigned the red color
Correct Answer: D
What are two differences between an application group and an application filter? (Choose two.)
A. Application groups enable access to sanctioned applications explicitly, while application filters enable access to sanctioned applications
implicitly.
C. Application groups dynamically group applications based on attributes, while application filters contain applications that are statically
grouped.
D. Application groups can be added to application filters, while application filters cannot be added to application groups.
Correct Answer: AB
Application groups are static and are useful for enabling access to applications that you explicitly sanction for use within your organization.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
An application filter is dynamic and enables access to applications that you do not explicitly sanction, but that you want users to be able to access.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter
upvoted 1 times
An administrator reads through the following Applications and Threats Content Release Notes before an update:
Which rule would continue to allow the file upload to confluence after the update?
A.
B.
C.
D.
Correct Answer: B