March Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

PCNSA Questions and Answers

Question # 6

Which policy set should be used to ensure that a policy is applied just before the default security rules?

A.

Parent device-group post-rulebase

B.

Child device-group post-rulebase

C.

Local Firewall policy

D.

Shared post-rulebase

Full Access
Question # 7

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?

A.

Admin Role profile

B.

virtual router

C.

DNS proxy

D.

service route

Full Access
Question # 8

Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?

A.

reconnaissance

B.

delivery

C.

exploitation

D.

installation

Full Access
Question # 9

What are the two main reasons a custom application is created? (Choose two.)

A.

To correctly identify an internal application in the traffic log

B.

To change the default categorization of an application

C.

To visually group similar applications

D.

To reduce unidentified traffic on a network

Full Access
Question # 10

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

A.

Untrust (any) to DMZ (10.1.1.100), web browsing -Allow

B.

Untrust (any) to Untrust (1.1.1.100), web browsing - Allow

C.

Untrust (any) to Untrust (10.1.1.100), web browsing -Allow

D.

Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

Full Access
Question # 11

The firewall sends employees an application block page when they try to access Youtube.

Which Security policy rule is blocking the youtube application?

A.

intrazone-default

B.

Deny Google

C.

allowed-security services

D.

interzone-default

Full Access
Question # 12

Which type security policy rule would match traffic flowing between the inside zone and outside zone within the inside zone and within the outside zone?

A.

global

B.

universal

C.

intrazone

D.

interzone

Full Access
Question # 13

Which two types of profiles are needed to create an authentication sequence? (Choose two.)

A.

Server profile

B.

Authentication profile

C.

Security profile

D.

Interface Management profile

Full Access
Question # 14

Access to which feature requires the PAN-OS Filtering license?

A.

PAN-DB database

B.

DNS Security

C.

Custom URL categories

D.

URL external dynamic lists

Full Access
Question # 15

Where within the URL Filtering security profile must a user configure the action to prevent credential submissions?

A.

URL Filtering > Inline Categorization

B.

URL Filtering > Categories

C.

URL Filtering > URL Filtering Settings

D.

URL Filtering > HTTP Header Insertion

Full Access
Question # 16

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choices to block the sameURL then which choice would be the last to block access to the URL?

A.

EDL in URL Filtering Profile.

B.

Custom URL category in Security Policy rule.

C.

Custom URL category in URL Filtering Profile.

D.

PAN-DB URL category in URL Filtering Profile.

Full Access
Question # 17

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

A.

URL traffic

B.

vulnerability protection

C.

anti-spyware

D.

antivirus

Full Access
Question # 18

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

A.

Data redistribution

B.

Dynamic updates

C.

SNMP setup

D.

Service route

Full Access
Question # 19

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A.

GlobalProtect agent

B.

XML API

C.

User-ID Windows-based agent

D.

log forwarding auto-tagging

Full Access
Question # 20

How does the Policy Optimizer policy view differ from the Security policy view?

A.

It provides sorting options that do not affect rule order.

B.

It displays rule utilization.

C.

It details associated zones.

D.

It specifies applications seen by rules.

Full Access
Question # 21

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet gateways?

A.

GlobalProtect

B.

AutoFocus

C.

Aperture

D.

Panorama

Full Access
Question # 22

Files are sent to the WildFire cloud service via the WildFire Analysis Profile. How are these files used?

A.

WildFire signature updates

B.

Malware analysis

C.

Domain Generation Algorithm (DGA) learning

D.

Spyware analysis

Full Access
Question # 23

Which statement is true regarding a Prevention Posture Assessment?

A.

The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories

B.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C.

It provides a percentage of adoption for each assessment area

D.

It performs over 200 security checks on Panorama/firewall for the assessment

Full Access
Question # 24

Which update option is not available to administrators?

A.

New Spyware Notifications

B.

New URLs

C.

New Application Signatures

D.

New Malicious Domains

E.

New Antivirus Signatures

Full Access
Question # 25

What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

A.

Implement a threat intel program.

B.

Configure a URL Filtering profile.

C.

Train your staff to be security aware.

D.

Rely on a DNS resolver.

E.

Plan for mobile-employee risk

Full Access
Question # 26

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A.

on either the data place or the management plane.

B.

after it is matched by a security policy rule that allows traffic.

C.

before it is matched to a Security policy rule.

D.

after it is matched by a security policy rule that allows or blocks traffic.

Full Access
Question # 27

A network administrator is required to use a dynamic routing protocol for network connectivity.

Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)

A.

RIP

B.

OSPF

C.

IS-IS

D.

EIGRP

E.

BGP

Full Access
Question # 28

An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240 addresses and found that connections from addresses that needed new translations were being dropped.

Which type of NAT was configured?

A.

Static IP

B.

Dynamic IP

C.

Destination NAT

D.

Dynamic IP and Port

Full Access
Question # 29

What is a function of application tags?

A.

creation of new zones

B.

application prioritization

C.

automated referenced applications in a policy

D.

IP address allocations in DHCP

Full Access
Question # 30

A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition, the configuration was not saved prior to

making the changes.

Which action will allow the administrator to undo the changes?

A.

Load configuration version, and choose the first item on the list.

B.

Load named configuration snapshot, and choose the first item on the list.

C.

Revert to last saved configuration.

D.

Revert to running configuration.

Full Access
Question # 31

Which Palo Alto networks security operating platform service protects cloud-based application such as Dropbox and salesforce by monitoring permissions and shared and scanning files for Sensitive information?

A.

Prisma SaaS

B.

AutoFocus

C.

Panorama

D.

GlobalProtect

Full Access
Question # 32

Which two security profile types can be attached to a security policy? (Choose two.)

A.

antivirus

B.

DDoS protection

C.

threat

D.

vulnerability

Full Access
Question # 33

What is the correct process tor creating a custom URL category?

A.

Objects > Security Profiles > URL Category > Add

B.

Objects > Custom Objects > URL Filtering > Add

C.

Objects > Security Profiles > URL Filtering > Add

D.

Objects > Custom Objects > URL Category > Add

Full Access
Question # 34

Actions can be set for which two items in a URL filtering security profile? (Choose two.)

A.

Block List

B.

Custom URL Categories

C.

PAN-DB URL Categories

D.

Allow List

Full Access
Question # 35

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

A.

Aperture

B.

AutoFocus

C.

Parisma SaaS

D.

GlobalProtect

Full Access
Question # 36

Which license must an administrator acquire prior to downloading Antivirus updates for use with the firewall?

A.

URL filtering

B.

Antivirus

C.

WildFire

D.

Threat Prevention

Full Access
Question # 37

Identify the correct order to configure the PAN-OS integrated USER-ID agent.

3. add the service account to monitor the server(s)

2. define the address of the servers to be monitored on the firewall

4. commit the configuration, and verify agent connection status

1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

A.

2-3-4-1

B.

1-4-3-2

C.

3-1-2-4

D.

1-3-2-4

Full Access
Question # 38

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?

A.

Network ab

B.

Policies

C.

Objects

D.

Device

Full Access
Question # 39

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?

A.

global

B.

intrazone

C.

interzone

D.

universal

Full Access
Question # 40

What must be configured for the firewall to access multiple authentication profiles for external services to authenticate a non-local account?

A.

authentication sequence

B.

LDAP server profile

C.

authentication server list

D.

authentication list profile

Full Access
Question # 41

An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

A.

Eleven rules use the "Infrastructure* tag.

B.

The view Rulebase as Groups is checked.

C.

There are seven Security policy rules on this firewall.

D.

Highlight Unused Rules is checked.

Full Access
Question # 42

What is the maximum volume of concurrent administrative account sessions?

A.

Unlimited

B.

2

C.

10

D.

1

Full Access
Question # 43

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the rule type from its default value.

What type of Security policy rule is created?

A.

Tagged

B.

Intrazone

C.

Universal

D.

Interzone

Full Access
Question # 44

At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?

A.

delivery

B.

command and control

C.

explotation

D.

reinsurance

E.

installation

Full Access
Question # 45

Which Security policy action will message a user's browser thai their web session has been terminated?

A.

Reset server

B.

Deny

C.

Drop

D.

Reset client

Full Access
Question # 46

In order to attach an Antivirus, Anti-Spyware and Vulnerability Protection security profile to your Security Policy rules, which setting must be selected?

A.

Policies > Security > Actions Tab > Select Group-Profiles as Profile Type

B.

Policies > Security > Actions Tab > Select Default-Profiles as Profile Type

C.

Policies > Security > Actions Tab > Select Profiles as Profile Type

D.

Policies > Security > Actions Tab > Select Tagged-Profiles as Profile Type

Full Access
Question # 47

What are three configurable interface types for a data-plane ethernet interface? (Choose three.)

A.

Layer 3

B.

HSCI

C.

VWire

D.

Layer 2

E.

Management

Full Access
Question # 48

You receive notification about new malware that is being used to attack hosts The malware exploits a software bug in a common application

Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

A.

Data Filtering Profile applied to outbound Security policy rules

B.

Antivirus Profile applied to outbound Security policy rules

C.

Data Filtering Profile applied to inbound Security policy rules

D.

Vulnerability Profile applied to inbound Security policy rules

Full Access
Question # 49

Which component is a building block in a Security policy rule?

A.

decryption profile

B.

destination interface

C.

timeout (min)

D.

application

Full Access
Question # 50

Which statements is true regarding a Heatmap report?

A.

When guided by authorized sales engineer, it helps determine te areas of greatest security risk.

B.

It provides a percentage of adoption for each assessment area.

C.

It runs only on firewall.

D.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Full Access
Question # 51

Which CLI command will help confirm if FQDN objects are resolved in the event there is a shadow rule?

A.

>show system fqdn

B.

>request fqdn show system

C.

>request show system fqdn

D.

>request system fqdn show

Full Access
Question # 52

By default, what is the maximum number of templates that can be added to a template stack?

A.

6

B.

8

C.

10

D.

12

Full Access
Question # 53

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1 What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

A.

Add zones attached to interfaces to the virtual router

B.

Add interfaces to the virtual router

C.

Enable the redistribution profile to redistribute connected routes

D.

Add a static routes to route between the two interfaces

Full Access
Question # 54

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

A.

Blometric scanning results from iOS devices

B.

Firewall logs

C.

Custom API scripts

D.

Security Information and Event Management Systems (SIEMS), such as Splun

E.

DNS Security service

Full Access
Question # 55

Based on the screenshot what is the purpose of the included groups?

A.

They are only groups visible based on the firewall's credentials.

B.

They are used to map usernames to group names.

C.

They contain only the users you allow to manage the firewall.

D.

They are groups that are imported from RADIUS authentication servers.

Full Access
Question # 56

Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?

A.

Objects > Dynamic Updates > Review App-IDs

B.

Device > Dynamic Updates > Review Policies

C.

Device > Dynamic Updates > Review App-IDs

D.

Objects > Dynamic Updates > Review Policies

Full Access
Question # 57

Which System log severity level would be displayed as a result of a user password change?

A.

High

B.

Critical

C.

Medium

D.

Low

Full Access
Question # 58

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication Sequence SYS01," and the authentication sequence SYS01 has a profile list with four authentication profiles:

• Auth Profile LDAP

• Auth Profile Radius

• Auth Profile Local

• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "SYS01 Admin" username and password.

What is the "SYS01 Admin" login capability after the outage?

A.

Auth KO because RADIUS server lost user and password for SYS01 Admin

B.

Auth KO because LDAP server is not reachable

C.

Auth OK because of the Auth Profile Local

D.

Auth OK because of the Auth Profile TACACS -

Full Access
Question # 59

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

A.

by minute

B.

hourly

C.

daily

D.

weekly

Full Access
Question # 60

At which point in the app-ID update process can you determine if an existing policy rule is affected by an app-ID update?

A.

after clicking Check New in the Dynamic Update window

B.

after connecting the firewall configuration

C.

after downloading the update

D.

after installing the update

Full Access
Question # 61

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet The firewall is configured with two zones;

1. trust for internal networks

2. untrust to the internet

Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two )

A.

Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic

B.

Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application

C.

Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application

D.

Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

Full Access
Question # 62

In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)

A.

Objects tab > Application Filters

B.

Policies tab > Security

C.

ACC tab > Global Filters

D.

Objects tab > Application Groups

E.

Objects tab > Applications

Full Access
Question # 63

What must be configured before setting up Credential Phishing Prevention?

A.

Anti Phishing Block Page

B.

Threat Prevention

C.

Anti Phishing profiles

D.

User-ID

Full Access
Question # 64

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.

A.

Exploitation

B.

Installation

C.

Reconnaissance

D.

Act on Objective

Full Access
Question # 65

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

A.

Configure an authentication policy

B.

Configure an authentication sequence

C.

Configure an authentication profile

D.

Isolate the management interface on a dedicated management VLAN

Full Access
Question # 66

In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)

A.

Clone and edit the Strict profile.

B.

Use URL filtering to limit categories in which users can transfer files.

C.

Set the action to Continue.

D.

Edit the Strict profile.

Full Access
Question # 67

Which order of steps is the correct way to create a static route?

A.

1) Enter the route and netmask

2) Enter the IP address for the specific next hop

3) Specify the outgoing interface for packets to use to go to the next hop

4) Add an IPv4 or IPv6 route by name

B.

1) Enter the route and netmask

2) Specify the outgoing interface for packets to use to go to the next hop

3) Enter the IP address for the specific next hop

4) Add an IPv4 or IPv6 route by name

C.

1) Enter the IP address for the specific next hop

2) Enter the route and netmask

3) Add an IPv4 or IPv6 route by name

4) Specify the outgoing interface for packets to use to go to the next hop

D.

1) Enter the IP address for the specific next hop

2) Add an IPv4 or IPv6 route by name

3) Enter the route and netmask

4) Specify the outgoing interface for packets to use to go to the next hop

Full Access
Question # 68

Which Security policy set should be used to ensure that a policy is applied first?

A.

Child device-group pre-rulebase

B.

Shared pre-rulebase

C.

Parent device-group pre-rulebase

D.

Local firewall policy

Full Access
Question # 69

Which objects would be useful for combining several services that are often defined together?

A.

shared service objects

B.

service groups

C.

application groups

D.

application filters

Full Access
Question # 70

After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration.

Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

A.

Import named config snapshot

B.

Load named configuration snapshot

C.

Revert to running configuration

D.

Revert to last saved configuration

Full Access
Question # 71

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

A.

Disable automatic updates during weekdays

B.

Automatically “download and install” but with the “disable new applications” option used

C.

Automatically “download only” and then install Applications and Threats later, after the administrator approves the update

D.

Configure the option for “Threshold”

Full Access
Question # 72

What is considered best practice with regards to committing configuration changes?

A.

Disable the automatic commit feature that prioritizes content database installations before committing

B.

Validate configuration changes prior to committing

C.

Wait until all running and pending jobs are finished before committing

D.

Export configuration after each single configuration change performed

Full Access
Question # 73

In a security policy what is the quickest way to rest all policy rule hit counters to zero?

A.

Use the CLI enter the command reset rules all

B.

Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.

C.

use the Reset Rule Hit Counter > All Rules option.

D.

Reboot the firewall.

Full Access
Question # 74

Which file is used to save the running configuration with a Palo Alto Networks firewall?

A.

running-config.xml

B.

run-config.xml

C.

running-configuration.xml

D.

run-configuratin.xml

Full Access
Question # 75

You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

A.

URL Filtering profile applied to inbound Security policy rules.

B.

Data Filtering profile applied to outbound Security policy rules.

C.

Antivirus profile applied to inbound Security policy rules.

D.

Vulnerability Prote

ction profile applied to outbound Security policy rules.

Full Access
Question # 76

Which three types of Source NAT are available to users inside a NGFW? (Choose three.)

A.

Dynamic IP and Port (DIPP)

B.

Static IP

C.

Static Port

D.

Dynamic IP

E.

Static IP and Port (SIPP)

Full Access
Question # 77

What is a recommended consideration when deploying content updates to the firewall from Panorama?

A.

Before deploying content updates, always check content release version compatibility.

B.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

C.

Content updates for firewall A/A HA pairs need a defined master device.

D.

After deploying content updates, perform a commit and push to Panorama.

Full Access
Question # 78

What are two valid selections within an Antivirus profile? (Choose two.)

A.

deny

B.

drop

C.

default

D.

block-ip

Full Access
Question # 79

Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

A.

It functions like PAN-DB and requires activation through the app portal.

B.

It removes the 100K limit for DNS entries for the downloaded DNS updates.

C.

IT eliminates the need for dynamic DNS updates.

D.

IT is automatically enabled and configured.

Full Access
Question # 80

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?

A.

80

B.

8443

C.

4443

D.

443

Full Access
Question # 81

An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

A.

Rules without App Controls

B.

New App Viewer

C.

Rule Usage

D.

Unused Unused Apps

Full Access
Question # 82

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

A.

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

B.

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

C.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

D.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

Full Access
Question # 83

Which two configuration settings shown are not the default? (Choose two.)

A.

Enable Security Log

B.

Server Log Monitor Frequency (sec)

C.

Enable Session

D.

Enable Probing

Full Access
Question # 84

Which three types of entries can be excluded from an external dynamic list (EDL)? (Choose three.)

A.

IP addresses

B.

Domains

C.

User-ID

D.

URLs

E.

Applications

Full Access
Question # 85

Which Security profile must be added to Security policies to enable DNS Signatures to be checked?

A.

Anti-Spyware

B.

Antivirus

C.

Vulnerability Protection

D.

URL Filtering

Full Access
Question # 86

What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?

A.

any supported Palo Alto Networks firewall or Prisma Access firewall

B.

an additional subscription free of charge

C.

a firewall device running with a minimum version of PAN-OS 10.1

D.

an additional paid subscription

Full Access
Question # 87

What can be achieved by disabling the Share Unused Address and Service Objects with Devices setting on Panorama?

A.

Increase the backup capacity for configuration backups per firewall

B.

Increase the per-firewall capacity for address and service objects

C.

Reduce the configuration and session synchronization time between HA pairs

D.

Reduce the number of objects pushed to a firewall

Full Access
Question # 88

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

A.

Create an Application Filter and name it Office Programs, the filter it on the business-systems category, office-programs subcategory

B.

Create an Application Group and add business-systems to it

C.

Create an Application Filter and name it Office Programs, then filter it on the business-systems category

D.

Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

Full Access
Question # 89

Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

A.

Layer 3

B.

Virtual Wire

C.

Tap

D.

Layer 2

Full Access
Question # 90

Which protocol used to map username to user groups when user-ID is configured?

A.

SAML

B.

RADIUS

C.

TACACS+

D.

LDAP

Full Access
Question # 91

The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other websites also listed in the URL filtering “gambling” category.

Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the “gambling” URL category?

A.

Add just the URL www.powerball.com to a Security policy allow rule.

B.

Manually remove powerball.com from the gambling URL category.

C.

Add *.powerball.com to the URL Filtering allow list.

D.

Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.

Full Access
Question # 92

Which URL profiling action does not generate a log entry when a user attempts to access that URL?

A.

Override

B.

Allow

C.

Block

D.

Continue

Full Access
Question # 93

What is the minimum timeframe that can be set on the firewall to check for new WildFire signatures?

A.

every 30 minutes

B.

every 5 minutes

C.

once every 24 hours

D.

every 1 minute

Full Access
Question # 94

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

A.

Layer-ID

B.

User-ID

C.

QoS-ID

D.

App-ID

Full Access
Question # 95

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.

What should the administrator do?

A.

change the logging action on the rule

B.

review the System Log

C.

refresh the Traffic Log

D.

tune your Traffic Log filter to include the dates

Full Access
Question # 96

When is the content inspection performed in the packet flow process?

A.

after the application has been identified

B.

after the SSL Proxy re-encrypts the packet

C.

before the packet forwarding process

D.

before session lookup

Full Access
Question # 97

Based on the security policy rules shown, ssh will be allowed on which port?

A.

80

B.

53

C.

22

D.

23

Full Access
Question # 98

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?

A.

SAML

B.

Multi-Factor Authentication

C.

Role-based

D.

Dynamic

Full Access
Question # 99

Which two features can be used to tag a user name so that it is included in a dynamic user group? (Choose two)

A.

XML API

B.

log forwarding auto-tagging

C.

GlobalProtect agent

D.

User-ID Windows-based agent

Full Access
Question # 100

An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

A.

User-ID

B.

App-ID

C.

Security Processing Engine

D.

Content-ID

Full Access
Question # 101

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

A.

The web session was unsuccessfully decrypted.

B.

The traffic was denied by security profile.

C.

The traffic was denied by URL filtering.

D.

The web session was decrypted.

Full Access
Question # 102

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

A.

create the service object in the specific template

B.

uncheck the shared option

C.

ensure that disable override is selected

D.

ensure that disable override is cleared

Full Access
Question # 103

A website is unexpectedly allowed due to miscategorization.

What are two way-s to resolve this issue for a proper response? (Choose two.)

A.

Identify the URL category being assigned to the website.

Edit the active URL Filtering profile and update that category's site access settings to block.

B.

Create a URL category and assign the affected URL.

Update the active URL Filtering profile site access setting for the custom URL category to block.

C.

Review the categorization of the website on https://urlfiltering.paloaltonetworks.com.

Submit for "request change*, identifying the appropriate categorization, and wait for confirmation before testing again.

D.

Create a URL category and assign the affected URL.

Add a Security policy with a URL category qualifier of the custom URL category below the original policy. Set the policy action to Deny.

Full Access
Question # 104

Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided password?

A.

exclude

B.

continue

C.

hold

D.

override

Full Access
Question # 105

Which Security profile should be applied in order to protect against illegal code execution?

A.

Vulnerability Protection profile on allowed traffic

B.

Antivirus profile on allowed traffic

C.

Antivirus profile on denied traffic

D.

Vulnerability Protection profile on denied traffic

Full Access
Question # 106

By default, which action is assigned to the interzone-default rule?

A.

Reset-client

B.

Reset-server

C.

Deny

D.

Allow

Full Access
Question # 107

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

A.

default

B.

universal

C.

intrazone

D.

interzone

Full Access
Question # 108

Which statement best describes a common use of Policy Optimizer?

A.

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

B.

Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

C.

Policy Optimizer can display which Security policies have not been used in the last 90 days.

D.

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

Full Access