Palo Alto Networks PCNSA practice test

Palo Alto Networks Certified Network Security Administrator


Question 1

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom
set of firewall permissions?

  • A. Role-based
  • B. Multi-Factor Authentication
  • C. Dynamic
  • D. SAML
Answer:

A

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types.html

Question 2

Identify the correct order to configure the PAN-OS integrated USER-ID agent.
3. add the service account to monitor the server(s)
2. define the address of the servers to be monitored on the firewall
4. commit the configuration, and verify agent connection status
1. create a service account on the Domain Controller with sufficient permissions to execute the User-ID agent

  • A. 2-3-4-1
  • B. 1-4-3-2
  • C. 3-1-2-4
  • D. 1-3-2-4
Answer:

D

Question 3

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto
Networks EDL of Known Malicious IP Addresses list?

  • A. destination address
  • B. source address
  • C. destination zone
  • D. source zone
Answer:

B

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list.html

Question 4

An administrator would like to override the default deny action for a given application, and instead would like to block the
traffic and send the ICMP code "communication with the destination is administratively prohibited".
Which security policy action causes this?

  • A. Drop
  • B. Drop, send ICMP Unreachable
  • C. Reset both
  • D. Reset server
Answer:

B

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy/security-policy-actions.html

Question 5

Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside
zone?

  • A. interzone-default
  • B. internal-inside-dmz
  • C. inside-portal
  • D. egress-outside
Answer:

D

Question 6

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?

  • A. every 30 minutes
  • B. every 5 minutes
  • C. every 24 hours
  • D. every 1 minute
Answer:

D

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-wildfire-updates

Question 7

You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in
a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

  • A. Data Filtering Profile applied to outbound Security policy rules
  • B. Antivirus Profile applied to outbound Security policy rules
  • C. Data Filtering Profile applied to inbound Security policy rules
  • D. Vulnerability Protection Profile applied to inbound Security policy rules
Answer:

B

Question 8

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is
currently using an application identified by App-ID as SuperApp_base. On a content update notice, Palo Alto Networks is
adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days. Based on
the information, how is the SuperApp traffic affected after the 30 days have passed?

  • A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
  • B. No impact because the apps were automatically downloaded and installed
  • C. No impact because the firewall automatically adds the rules to the App-ID interface
  • D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications
Answer:

C

Question 9

Your company requires positive username attribution of every IP address used by wireless devices to support a new
compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal
configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

  • A. syslog
  • B. RADIUS
  • C. UID redistribution
  • D. XFF headers
Answer:

A

Question 10

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain
controllers?

  • A. Active Directory monitoring
  • B. Windows session monitoring
  • C. Windows client probing
  • D. domain controller monitoring
Answer:

A
