Questions and Answers PDF 1/157

Thank You for your purchase

om
Palo Alto Networks PCNSA Exam Question & Answers
Palo Alto Networks Certified Network Security

.c
Administrator Exam

ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 2/157

Product Questions: 359

Version: 22.2

Question: 1

om
DRAG DROP

.c
Match the Palo Alto Networks Security Operating Platform architecture to its description.

ps
m
du
am
ex
id
al
.v
w
w
// w
s:

Answer:
tp

Explanation:
ht

Threat Intelligence Cloud – Gathers, analyzes, correlates, and disseminates threats to and from the
network and endpoints located within the network.
Next-Generation Firewall – Identifies and inspects all traffic to block known threats
Advanced Endpoint Protection - Inspects processes and files to prevent known and unknown exploits

Question: 2

Which firewall plane provides configuration, logging, and reporting functions on a separate
processor?

A. control

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 3/157

B. network processing
C. data
D. security processing

Answer: A
Explanation:

Question: 3

om
A security administrator has configured App-ID updates to be automatically downloaded and
installed. The company is currently using an application identified by App-ID as SuperApp_base.

.c
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat
and SuperApp_download, which will be deployed in 30 days.

ps
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

m
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer

du
matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
am
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until
ex

the security administrator approves the applications

id

Answer: A
al

Explanation:
.v

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-
w

introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
w

Question: 4
// w
s:
tp

How many zones can an interface be assigned with a Palo Alto Networks firewall?
ht

A. two
B. three
C. four
D. one

Answer: D
Explanation:

References:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 4/157

Question: 5

Which two configuration settings shown are not the default? (Choose two.)

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

A. Enable Security Log

B. Server Log Monitor Frequency (sec)
C. Enable Session
D. Enable Probing

Answer: B,C
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 5/157

References:

Question: 6

Which data-plane processor layer of the graphic shown provides uniform matching for spyware and
vulnerability exploits on a Palo Alto Networks Firewall?

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:

A. Signature Matching
B. Network Processing
tp

C. Security Processing
ht

D. Security Matching

Answer: A
Explanation:

Question: 7

Which option lists the attributes that are selectable when setting up an Application filters?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 6/157

A. Category, Subcategory, Technology, and Characteristic

B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology

Answer: B
Explanation:

Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-

om
application- filters

Question: 8

.c
ps
m
Actions can be set for which two items in a URL filtering security profile? (Choose two.)

A. Block List
du
am
B. Custom URL Categories
C. PAN-DB URL Categories
ex

D. Allow List
id

Answer: AD
al

Explanation:
.v

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-
w

filtering-profile-actions
w

Question: 9
// w
s:

DRAG DROP
tp
ht

Match the Cyber-Attack Lifecycle stage to its correct description.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 7/157

om
.c
ps
m
du
am
ex
id

Answer:
Explanation:
al
.v

Reconnaissance – stage where the attacker scans for network vulnerabilities and services that can be
w

exploited.
Installation – stage where the attacker will explore methods such as a root kit to establish persistence
w

Command and Control – stage where the attacker has access to a specific server so they can
w

communicate and pass data to and from infected devices within a network.
//

Act on the Objective – stage where an attacker has motivation for attacking a network to deface web
s:

property
tp

Question: 10
ht

Which two statements are correct about App-ID content updates? (Choose two.)

A. Updated application content may change how security policy rules are enforced
B. After an application content update, new applications must be manually classified prior to use
C. Existing security policy rules are not affected by application content updates
D. After an application content update, new applications are automatically identified and classified

Answer: A,D
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 8/157

Question: 11

Which User-ID mapping method should be used for an environment with clients that do not
authenticate to Windows Active Directory?

A. Windows session monitoring via a domain controller

B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent

om
Answer: C
Explanation:

.c
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-

ps
users/map-ip-addresses-to-usernames-using-captive-portal.html

m
Question: 12

du
am
An administrator needs to allow users to use their own office applications. How should the
administrator configure the firewall to allow multiple applications in a dynamic environment?
ex

A. Create an Application Filter and name it Office Programs, the filter it on the business-systems
id

category, office-programs subcategory

al

B. Create an Application Group and add business-systems to it

C. Create an Application Filter and name it Office Programs, then filter it on the business-systems
.v

category
w

D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
w

Answer: A
w

Explanation:
//
s:

An application filter is an object that dynamically groups applications based on application attributes
tp

that you define, including category, subcategory, technology, risk factor, and characteristic. This is
ht

useful when you want to safely enable access to applications that you do not explicitly sanction, but
that you want users to be able to access. For example, you may want to enable employees to choose
their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use.
To safely enable these types of applications, you could create an application filter that matches on
the Category business-systems and the Subcategory office-programs. As new applications office
programs emerge and new App-IDs get created, these new applications will automatically match the
filter you defined; you will not have to make any additional changes to your policy rulebase to safely
enable any application that matches the attributes you defined for the filter.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in -
policy/create-an-application-filter.html

Question: 13

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 9/157

Which statement is true regarding a Best Practice Assessment?

A. The BPA tool can be run only on firewalls

B. It provides a percentage of adoption for each assessment data
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest
risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas
of network and security architecture

Answer: C

om
Explanation:

Question: 14

.c
ps
The firewall sends employees an application block page when they try to access Youtube.

m
Which Security policy rule is blocking the youtube application?

du
am
ex
id
al
.v
w
w
w

A. intrazone-default
//

B. Deny Google
s:

C. allowed-security services
tp

D. interzone-default
ht

Answer: D
Explanation:

Question: 15

Complete the statement. A security profile can block or allow traffic____________

A. on unknown-tcp or unknown-udp traffic

B. after it is matched by a security policy that allows traffic

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 10/157

C. before it is matched by a security policy

D. after it is matched by a security policy that allows or blocks traffic

Answer: B
Explanation:

Security profiles are objects added to policy rules that are configured with an action of allow.

Question: 16

om
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options
Dynamic IP and Port, Dynamic, Static IP, and None?

.c
ps
m
du
am
ex
id
al
.v
w
w

A. Translation Type
w

B. Interface
C. Address Type
//

D. IP Address
s:
tp

Answer: A
ht

Explanation:

Question: 17

Which interface does not require a MAC or IP address?

A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 11/157

Answer: A
Explanation:

Question: 18

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which
utility should the company use to identify out-of-date or unused rules on the firewall?

A. Rule Usage Filter > No App Specified

om
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps

.c
D. Rule Usage Filter > Hit Count > Unused in 90 days

ps
Answer: D

m
Explanation:

du
Question: 19
am
DRAG DROP
ex

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
id
al
.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 12/157

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:

Answer:
tp

Explanation:
ht

Step 1 – Select network tab

Step 2 – Select zones from the list of available items
Step 3 – Select Add
Step 4 – Specify Zone Name
Step 5 – Specify Zone Type
Step 6 – Assign interfaces as needed

Question: 20

What are two differences between an implicit dependency and an explicit dependency in App-ID?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 13/157

(Choose two.)

A. An implicit dependency does not require the dependent application to be added in the security
policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security
policy
D. An explicit dependency requires the dependent application to be added in the security policy

Answer: A,D
Explanation:

om
Question: 21

.c
ps
Recently changes were made to the firewall to optimize the policies and the security team wants to
see if those changes are helping.

m
What is the quickest way to reset the hit counter to zero in all the security policy rules?

A. At the CLI enter the command reset rules and press Enter
du
am
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
ex

D. Use the Reset Rule Hit Counter > All Rules option
id

Answer: D
al

Explanation:
.v

References:
w
w

Question: 22
// w

Which two App-ID applications will need to be allowed to use Facebook-chat? (Choose two.)
s:
tp

A. facebook
ht

B. facebook-chat
C. facebook-base
D. facebook-email

Answer: B,C
Explanation:

Question: 23

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 14/157

bandwidth, and limited firewall management plane resources?

A. Windows-based agent deployed on the internal network

B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links

Answer: A
Explanation:

Another reason to choose the Windows agent over the integrated PAN-OS agent is to save

om
processing cycles on the firewall’s management plane.

Question: 24

.c
ps
Your company requires positive username attribution of every IP address used by wireless devices to

m
support a new compliance requirement. You must collect IP –to-user mappings as soon as possible

du
with minimal downtime and minimal configuration changes to the wireless devices themselves. The
wireless devices are from various manufactures.
am
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
ex

A. syslog
id

B. RADIUS
C. UID redistribution
al

D. XFF headers
.v
w

Answer: A
w

Explanation:
w

Question: 25
//
s:
tp

An administrator receives a global notification for a new malware that infects hosts. The infection
ht

will result in the infected host attempting to contact a command-and-control (C2) server. Which two
security profile components will detect and prevent this threat after the firewall’s signature database
has been updated? (Choose two.)

A. vulnerability protection profile applied to outbound security policies

B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies

Answer: B,D
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 15/157

References:

Question: 26

In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?

A. Weaponization
B. Reconnaissance
C. Installation
D. Command and Control

om
E. Exploitation

Answer: A

.c
Explanation:

ps
Question: 27

m
du
Identify the correct order to configure the PAN-OS integrated USER-ID agent.
am
3. add the service account to monitor the server(s)
ex

2. define the address of the servers to be monitored on the firewall

4. commit the configuration, and verify agent connection status
id

1. create a service account on the Domain Controller with sufficient permissions to execute the User-
al

ID agent
.v

A. 2-3-4-1
w

B. 1-4-3-2
w

C. 3-1-2-4
D. 1-3-2-4
// w

Answer: D
s:

Explanation:
tp
ht

Question: 28

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and
action = Allow

A. Destination IP: 192.168.1.123/24

B. Application = ‘Telnet’
C. Log Forwarding
D. USER-ID = ‘Allow users in Trusted’

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 16/157

Answer: B
Explanation:

Question: 29

Based on the security policy rules shown, ssh will be allowed on which port?

om
.c
ps
m
du
am
A. 80
ex

B. 53
C. 22
id

D. 23
al
.v

Answer: C
Explanation:
w
w

Question: 30
// w
s:

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with
tp

the firewall?
ht

A. Threat Prevention License

B. Threat Implementation License
C. Threat Environment License
D. Threat Protection License

Answer: A
Explanation:

Question: 31

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 17/157

An administrator notices that protection is needed for traffic within the network due to malicious
lateral movement activity. Based on the image shown, which traffic would the administrator need to
monitor and block to mitigate the malicious activity?

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

A. branch office traffic

B. north-south traffic
C. perimeter traffic
D. east-west traffic

Answer: D
Explanation:

Question: 32

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 18/157

Given the topology, which zone type should zone A and zone B to be configured with?

om
A. Layer3
B. Tap

.c
C. Layer2
D. Virtual Wire

ps
Answer: A

m
Explanation:

Question: 33 du
am
ex

To use Active Directory to authenticate administrators, which server profile is required in the
id

authentication profile?
al

A. domain controller
.v

B. TACACS+
C. LDAP
w

D. RADIUS
w
w

Answer: C
//

Explanation:
s:
tp

Question: 34
ht

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

A. Layer 2
B. Tap
C. Layer 3
D. Virtual Wire

Answer: B
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 19/157

Question: 35

Which administrator type provides more granular options to determine what the administrator can
view and modify when creating an administrator account?

A. Root
B. Dynamic
C. Role-based
D. Superuser

om
Answer: C
Explanation:

.c
Question: 36

ps
m
Which administrator type utilizes predefined roles for a local administrator account?

A. Superuser
du
am
B. Role-based
C. Dynamic
ex

D. Device administrator
id

Answer: C
al

Explanation:
.v

References:
w
w

Question: 37
// w
s:

Which two security profile types can be attached to a security policy? (Choose two.)
tp

A. antivirus
ht

B. DDoS protection
C. threat
D. vulnerability

Answer: A,D
Explanation:

References:

Question: 38

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 20/157

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The
USB drive had malware on it that loaded onto their computer and then contacted a known command
and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the
laptop.

Which security profile feature could have been used to prevent the communication with the CnC
server?

A. Create an anti-spyware profile and enable DNS Sinkhole

B. Create an antivirus profile and enable DNS Sinkhole
C. Create a URL filtering profile and block the DNS Sinkhole category

om
D. Create a security policy and enable DNS Sinkhole

.c
Answer: A

ps
Explanation:

m
References:

Question: 39
du
am
ex

Which user mapping method could be used to discover user IDs in an environment with multiple
Windows domain controllers?
id

A. Active Directory monitoring

al

B. Windows session monitoring

.v

C. Windows client probing

w

D. domain controller monitoring

w

Answer: A
w

Explanation:
//
s:

Question: 40
tp
ht

What are three differences between security policies and security profiles? (Choose three.)

A. Security policies are attached to security profiles

B. Security profiles are attached to security policies
C. Security profiles should only be used on allowed traffic
D. Security profiles are used to block traffic by themselves
E. Security policies can block or allow traffic

Answer: B,C,E
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 21/157

Question: 41

Given the image, which two options are true about the Security policy rules. (Choose two.)

om
.c
A. The Allow Office Programs rule is using an Application Filter

ps
B. In the Allow FTP to web server rule, FTP is allowed using App-ID
C. The Allow Office Programs rule is using an Application Group

m
D. In the Allow Social Networking rule, allows all of Facebook’s functions

du Answer: AD
am
Explanation:
ex

In the Allow FTP to web server rule, FTP is allowed using port based rule and not APP-ID.
id

Question: 42
al
.v

Which type of security rule will match traffic between the Inside zone and Outside zone, within the
w

Inside zone, and within the Outside zone?

w
w

A. global
B. intrazone
//

C. interzone
s:

D. universal
tp

Answer: D
ht

Explanation:

References:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

Question: 43

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints
by inspecting traffic deployed as internet gateways?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 22/157

A. GlobalProtect
B. AutoFocus
C. Aperture
D. Panorama

Answer: A
Explanation:

GlobalProtect: GlobalProtect safeguards your mobile workforce by inspecting all traffic using your
next-generation firewalls deployed as internet gateways, whether at the perimeter, in the

om
Demilitarized Zone (DMZ), or in the cloud.

Question: 44

.c
ps
Given the scenario, which two statements are correct regarding multiple static default routes?

m
(Choose two.)

du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

A. Path monitoring does not determine if route is useable

B. Route with highest metric is actively used
C. Path monitoring determines if route is useable
D. Route with lowest metric is actively used

Answer: C,D
Explanation:

Question: 45

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 23/157

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate
malicious code against a targeted machine.

om
.c
ps
m
A. Exploitation
B. Installation

du
C. Reconnaissance
am
D. Act on Objective

Answer: A
ex

Explanation:
id

Question: 46
al
.v
w

Which file is used to save the running configuration with a Palo Alto Networks firewall?
w

A. running-config.xml
w

B. run-config.xml
//

C. running-configuration.xml
s:

D. run-configuratin.xml
tp

Answer: A
ht

Explanation:

Question: 47

In the example security policy shown, which two websites fcked? (Choose two.)

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 24/157

A. LinkedIn
B. Facebook
C. YouTube
D. Amazon

om
Answer: A,B
Explanation:

.c
ps
Question: 48

m
du
Which two Palo Alto Networks security management tools provide a consolidated creation of
policies, centralized management and centralized threat intelligence. (Choose two.)
am
A. GlobalProtect
B. Panorama
ex

C. Aperture
D. AutoFocus
id
al

Answer: B,D
.v

Explanation:
w

Question: 49
w
// w

Which statement is true regarding a Prevention Posture Assessment?

s:
tp

A. The Security Policy Adoption Heatmap component filters the information by device groups, serial
numbers, zones, areas of architecture, and other categories
ht

B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas
of network and security architecture
C. It provides a percentage of adoption for each assessment area
D. It performs over 200 security checks on Panorama/firewall for the assessment

Answer: B
Explanation:

Question: 50

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 25/157

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated
approach to prevent threats? (Choose five.)

A. User identification
B. Filtration protection
C. Vulnerability protection
D. Antivirus
E. Application identification
F. Anti-spyware

Answer: A,C,D,E,F

om
Explanation:

Question: 51

.c
ps
The PowerBall Lottery has reached a high payout amount and a company has decided to help

m
employee morale by allowing employees to check the number, but doesn’t want to unblock the

du
gambling URL category.
am
Which two methods will allow the employees to get to the PowerBall Lottery site without the
company unlocking the gambling URL category? (Choose two.)
ex

A. Add all the URLs from the gambling category except powerball.com to the block list and then set
id

the action for the gambling category to allow.

B. Manually remove powerball.com from the gambling URL category.
al

C. Add *.powerball.com to the allow list

.v

D. Create a custom URL category called PowerBall and add *.powerball.com to the category and set
w

the action to allow.

w

Answer: C,D
w

Explanation:
//
s:

Question: 52
tp
ht

Which service protects cloud-based applications such as Dropbox and Salesforce by administering
permissions and scanning files for sensitive information?

A. Aperture
B. AutoFocus
C. Parisma SaaS
D. GlobalProtect

Answer: C
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 26/157

Question: 53

Which administrator receives a global notification for a new malware that infects hosts. The infection
will result in the infected host attempting to contact and command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall`s signature
database has been updated?

A. antivirus profile applied to outbound security policies

B. data filtering profile applied to inbound security policies
C. data filtering profile applied to outbound security policies

om
D. vulnerability profile applied to inbound security policies

Answer: C

.c
Explanation:

ps
Question: 54

m
Which update option is not available to administrators?
du
am
A. New Spyware Notifications
ex

B. New URLs
C. New Application Signatures
id

D. New Malicious Domains

al

E. New Antivirus Signatures

.v

Answer: B
w

Explanation:
w
w

Question: 55
//
s:

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future
tp

Public Cloud environments. All other required connections have already been enabled between the
ht

USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-

rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination
IP-address for SERVICE-SSH
B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any
source IP-address to any destination IP-address for application SSH
C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-
port-TCP-22 should be created. A second security-rule is required that allows traffic from zone
OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address
D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from
any source-IP-address to any destination-IP-address is required to allow the return-traffic from the

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 27/157

SSH-servers to reach the server-admin

Answer: B
Explanation:

Question: 56

How often does WildFire release dynamic updates?

A. every 5 minutes

om
B. every 15 minutes
C. every 60 minutes

.c
D. every 30 minutes

ps
Answer: A

m
Explanation:

du
References:
am
Question: 57
ex
id

What is the minimum timeframe that can be set on the firewall to check for new WildFire
signatures?
al
.v

A. every 30 minutes
B. every 5 minutes
w

C. once every 24 hours

w

D. every 1 minute
// w

Answer: D
s:

Explanation:
tp

Because new WildFire signatures are now available every five minutes, it is a best practice to use this
ht

setting to ensure the firewall retrieves these signatures within a minute of availability.

Question: 58

A network has 10 domain controllers, multiple WAN links, and a network infrastructure with
bandwidth needed to support mission-critical applications. Given the scenario, which type of User-ID
agent is considered a best practice by Palo Alto Networks?

A. Windows-based agent on a domain controller

B. Captive Portal

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 28/157

C. Citrix terminal server with adequate data-plane resources

D. PAN-OS integrated agent

Answer: A
Explanation:

Question: 59

DRAG DROP

Arrange the correct order that the URL classifications are processed within the system.

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:

Answer:
tp

Explanation:
ht

First – Block List

Second – Allow List
Third – Custom URL Categories
Fourth – External Dynamic Lists
Fifth – Downloaded PAN-DB Files
Sixth - PAN-DB Cloud

Question: 60

What must be configured for the firewall to access multiple authentication profiles for external
services to authenticate a non-local account?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 29/157

A. authentication sequence
B. LDAP server profile
C. authentication server list
D. authentication list profile

Answer: A
Explanation:

References:

om
Question: 61

.c
Which prevention technique will prevent attacks based on packet count?

ps
A. zone protection profile

m
B. URL filtering profile

du
C. antivirus profile
D. vulnerability profile
am
Answer: A
ex

Explanation:
id

Question: 62
al
.v

Which interface type can use virtual routers and routing protocols?
w
w

A. Tap
w

B. Layer3
C. Virtual Wire
//

D. Layer2
s:
tp

Answer: B
ht

Explanation:

Question: 63

Which URL profiling action does not generate a log entry when a user attempts to access that URL?

A. Override
B. Allow
C. Block
D. Continue

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 30/157

Answer: B
Explanation:

References:

Question: 64

An internal host wants to connect to servers of the internet through using source NAT.
Which policy is required to enable source NAT on the firewall?

om
A. NAT policy with source zone and destination zone specified

.c
B. post-NAT policy with external source and any destination address
C. NAT policy with no source of destination zone selected

ps
D. pre-NAT policy with external source and any destination address

m
Answer: A

du
Explanation:
am
Question: 65
ex
id

Which security profile will provide the best protection against ICMP floods, based on individual
combinations of a packet`s source and destination IP address?
al
.v

A. DoS protection
B. URL filtering
w

C. packet buffering
w

D. anti-spyware
// w

Answer: A
s:

Explanation:
tp

Question: 66
ht

Which path in PAN-OS 10.0 displays the list of port-based security policy rules?

A. Policies> Security> Rule Usage> No App Specified

B. Policies> Security> Rule Usage> Port only specified
C. Policies> Security> Rule Usage> Port-based Rules
D. Policies> Security> Rule Usage> Unused Apps

Answer: A
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 31/157

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/security-policy-rule-
optimization/migrate-port-based-to-app-id-based-security-policy-rules.html

Question: 67

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo
Alto Networks Firewall? (Choose two.)

A. Layer-ID

om
B. User-ID
C. QoS-ID
D. App-ID

.c
ps
Answer: B,D
Explanation:

m
du
Question: 68
am
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
ex

A. Device>Setup>Services
id

B. Device>Setup>Management
al

C. Device>Setup>Operations
D. Device>Setup>Interfaces
.v
w

Answer: C
w

Explanation:
// w

Question: 69
s:

DRAG DROP
tp
ht

Match the network device with the correct User-ID technology.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 32/157

om
.c
ps
m
du
am
ex

Answer:
id

Explanation:
al

Microsoft Exchange – Server monitoring

.v

Linux authentication – syslog monitoring

Windows Client – client probing
w

Citrix client – Terminal Services agent

w
w

Question: 70
//
s:

Which action related to App-ID updates will enable a security administrator to view the existing
security policy rule that matches new application signatures?
tp
ht

A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches

Answer: A
Explanation:

References:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-
introduced- incontent-releases/review-new-app-id-impact-on- existing-policy-rules

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 33/157

Question: 71

How is the hit count reset on a rule?

A. select a security policy rule, right click Hit Count > Reset
B. with a dataplane reboot
C. Device > Setup > Logging and Reporting Settings > Reset Hit Count
D. in the CLI, type command reset hitcount <POLICY-NAME>

om
Answer: A
Explanation:

.c
Question: 72

ps
m
du
am
ex
id
al
.v
w
w

Given the topology, which zone type should interface E1/1 be configured with?
w

A. Tap
//

B. Tunnel
s:

C. Virtual Wire
tp

D. Layer3
ht

Answer: A
Explanation:

Question: 73

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

A. Management
B. High Availability
C. Aggregate

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 34/157

D. Aggregation

Answer: C
Explanation:

Question: 74

Which security policy rule would be needed to match traffic that passes between the Outside zone
and Inside zone, but does not match traffic that passes within the zones?

om
A. intrazone
B. interzone

.c
C. universal
D. global

ps
Answer: B

m
Explanation:

Question: 75 du
am
Based on the show security policy rule would match all FTP traffic from the inside zone to the outside
ex

zone?
id
al
.v
w
w
// w
s:
tp
ht

A. internal-inside-dmz
B. engress outside
C. inside-portal
D. intercone-default

Answer: B
Explanation:

Question: 76

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 35/157

Which the app-ID application will you need to allow in your security policy to use facebook-chat?

A. facebook-email
B. facebook-base
C. facebook
D. facebook-chat

Answer: B, D
Explanation:

Question: 77

om
Which type security policy rule would match traffic flowing between the inside zone and outside

.c
zone within the inside zone and within the outside zone?

ps
A. global
B. universal

m
C. intrazone

du
D. interzone
am
Answer: B
Explanation:
ex

Question: 78
id
al

Based on the screenshot presented which column contains the link that when clicked opens a
.v

window to display all applications matched to the policy rule?

w
w
// w
s:
tp
ht

A. Apps Allowed
B. Name
C. Apps Seen
D. Service

Answer: C
Explanation:

Question: 79

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 36/157

In a security policy what is the quickest way to rest all policy rule hit counters to zero?

A. Use the CLI enter the command reset rules all

B. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.
C. use the Reset Rule Hit Counter > All Rules option.
D. Reboot the firewall.

Answer: C
Explanation:

Question: 80

om
What in the minimum frequency for which you can configure the firewall too check for new wildfire

.c
antivirus signatures?

ps
A. every 5 minutes
B. every 1 minute

m
C. every 24 hours

du
D. every 30 minutes
am
Answer: B
Explanation:
ex
id
al
.v
w

Question: 81
w
w

What do dynamic user groups you to do?

//

A. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious
s:

activity
tp

B. create a policy that provides auto-sizing for anomalous user behavior and malicious activity
C. create a policy that provides auto-remediation for anomalous user behavior and malicious activity
ht

D. create a dynamic list of firewall administrators

Answer: C
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-
user-
groups#:~:text=Dynamic%20user%20groups%20help%20you,activity%20while%20maintaining%20us
er%20visibility.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 37/157

Question: 82

Which plane on a Palo alto networks firewall provides configuration logging and reporting functions
on a separate processor?

A. data
B. network processing
C. management
D. security processing

Answer: C

om
Explanation:

.c
Question: 83

ps
Your company occupies one floor in a single building you have two active directory domain

m
controllers on a single networks the firewall s management plane is only slightly utilized.
Which user-ID agent sufficient in your network?

A. PAN-OS integrated agent deployed on the firewall

du
am
B. Windows-based agent deployed on the internal network a domain member
C. Citrix terminal server agent deployed on the network
ex

D. Windows-based agent deployed on each domain controller

id

Answer: D
al

Explanation:
.v

Explanation/Reference:
w

Reference:
w

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-
w

users/configureuser-mapping-using-the-windows-user-id- agent/configure-the-windows-based-user-
id- agent-for-usermapping.html
//
s:

Question: 84
tp
ht

At which point in the app-ID update process can you determine if an existing policy rule is affected by
an app-ID update?

A. after clicking Check New in the Dynamic Update window

B. after connecting the firewall configuration
C. after downloading the update
D. after installing the update

Answer: A
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 38/157

Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-
help/device/device-dynamicupdates

Question: 85

Which Palo Alto network security operating platform component provides consolidated policy
creation and centralized management?

A. Prisma SaaS
B. Panorama
C. AutoFocus

om
D. GlobalProtect

Answer: B

.c
Explanation:

ps
Question: 86

m
du
Which type firewall configuration contains in-progress configuration changes?
am
A. backup
B. running
ex

C. candidate
D. committed
id
al

Answer: C
.v

Explanation:
w

Question: 87
w
w

Which link in the web interface enables a security administrator to view the security policy rules that
//

match new application signatures?

s:

A. Review Apps
tp

B. Review App Matches

ht

C. Pre-analyze
D. Review Policies

Answer: D
Explanation:

Question: 88

At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an
email?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 39/157

om
A. delivery

.c
B. command and control
C. explotation

ps
D. reinsurance

m
E. installation

du
Answer: A
Explanation:
am
Question: 89
ex
id

How frequently can wildfire updates be made available to firewalls?

al

A. every 15 minutes
.v

B. every 30 minutes
C. every 60 minutes
w

D. every 5 minutes
w
w

Answer: D
//

Explanation:
s:
tp

Question: 90
ht

Which data flow direction is protected in a zero trust firewall deployment that is not protected in a
perimeter-only firewall deployment?

A. outbound
B. north south
C. inbound
D. east west

Answer: D
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 40/157

Question: 91

How do you reset the hit count on a security policy rule?

A. First disable and then re-enable the rule.

B. Reboot the data-plane.
C. Select a Security policy rule, and then select Hit Count > Reset.
D. Type the CLI command reset hitcount <POLICY-NAME>.

Answer: C
Explanation:

om
Question: 92

.c
ps
Which protocol used to map username to user groups when user-ID is configured?

m
A. SAML
B. RADIUS

du
C. TACACS+
D. LDAP
am
Answer: D
ex

Explanation:
id

Question: 93
al
.v

Based on the graphic which statement accurately describes the output shown in the server
w

monitoring panel?
w
// w
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 41/157

om
.c
ps
m
du
am
A. The User-ID agent is connected to a domain controller labeled lab-client.
B. The host lab-client has been found by the User-ID agent.
ex

C. The host lab-client has been found by a domain controller.

D. The User-ID agent is connected to the firewall labeled lab-client.
id
al

Answer: A
Explanation:
.v
w

Question: 94
w
// w

Which three configuration settings are required on a Palo Alto networks firewall management
s:

interface?
tp

A. default gateway
ht

B. netmask
C. IP address
D. hostname
E. auto-negotiation

Answer: ABC
Explanation:

Explanation/Reference:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 42/157

Question: 95

Which Palo Alto networks security operating platform service protects cloud-based application such
as Dropbox and salesforce by monitoring permissions and shared and scanning files for Sensitive
information?

A. Prisma SaaS
B. AutoFocus
C. Panorama

om
D. GlobalProtect

Answer: A

.c
Explanation:

ps
Question: 96

m
Which statements is true regarding a Heatmap report?
du
am
A. When guided by authorized sales engineer, it helps determine te areas of greatest security risk.
ex

B. It provides a percentage of adoption for each assessment area.

C. It runs only on firewall.
id

D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas
al

of network and security architecture.

.v

Answer: B
w

Explanation:
w
w

Reference: https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best-practice-
assessment-bpa-tool-for-ngfw-and-panorama/ba-p/248343
//
s:

Question: 97
tp
ht

Starting with PAN_OS version 9.1 which new type of object is supported for use within the user field
of a security policy rule?

A. local username
B. dynamic user group
C. remote username
D. static user group

Answer: B
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 43/157

Question: 98

Which two statements are true for the DNS security service introduced in PAN-OS version 10.0?

A. It functions like PAN-DB and requires activation through the app portal.
B. It removes the 100K limit for DNS entries for the downloaded DNS updates.
C. IT eliminates the need for dynamic DNS updates.
D. IT is automatically enabled and configured.

om
Answer: AB
Explanation:

.c
Question: 99

ps
m
Which three statement describe the operation of Security Policy rules or Security Profiles? (Choose

du
three)
am
A. Security policy rules inspect but do not block traffic.
B. Security Profile should be used only on allowed traffic.
ex

C. Security Profile are attached to security policy rules.

D. Security Policy rules are attached to Security Profiles.
id

E. Security Policy rules can block or allow traffic.

al

Answer: BCE
.v

Explanation:
w
w

Question: 100
// w
s:

Based on the screenshot what is the purpose of the included groups?

tp
ht

A. They are only groups visible based on the firewall's credentials.

B. They are used to map usernames to group names.
C. They contain only the users you allow to manage the firewall.
D. They are groups that are imported from RADIUS authentication servers.

Answer: B
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 44/157

Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

Question: 101

What is an advantage for using application tags?

A. They are helpful during the creation of new zones

B. They help with the design of IP address allocations in DHCP.
C. They help content updates automate policy updates

om
D. They help with the creation of interfaces

Answer: C

.c
Explanation:

ps
Question: 102

m
du
Which operations are allowed when working with App-ID application tags?
am
A. Predefined tags may be deleted.
B. Predefined tags may be augmented by custom tags.
ex

C. Predefined tags may be modified.

D. Predefined tags may be updated by WildFire dynamic updates.
id
al

Answer: B
.v

Explanation:
w

Question: 103
w
// w

You need to allow users to access the office–suite application of their choice. How should you
s:

configure the firewall to allow access to any office-suite application?

tp

A. Create an Application Group and add Office 365, Evernote Google Docs and Libre Office
ht

B. Create an Application Group and add business-systems to it.

C. Create an Application Filter and name it Office Programs, then filter it on the office programs
subcategory.
D. Create an Application Filter and name it Office Programs then filter on the business-systems
category.

Answer: C
Explanation:

Question: 104

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 45/157

In which profile should you configure the DNS Security feature?

A. URL Filtering Profile

B. Anti-Spyware Profile
C. Zone Protection Profile
D. Antivirus Profile

Answer: B
Explanation:

om
Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-

.c
security/enable- dnssecurity.html

ps
Question: 105

m
du
Access to which feature requires PAN-OS Filtering licens?
am
A. PAN-DB database
B. URL external dynamic lists
ex

C. Custom URL categories

D. DNS Security
id

Answer: A
al

Explanation:
.v
w

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-
w

licenses-and-subscriptions.html
w

Question: 106
//
s:

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on
tp

behalf of the control plane?

ht

A. Admin Role profile

B. virtual router
C. DNS proxy
D. service route

Answer: A
Explanation:

Question: 107

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 46/157

Which license must an administrator acquire prior to downloading Antivirus updates for use with the
firewall?

A. URL filtering
B. Antivirus
C. WildFire
D. Threat Prevention

Answer: D
Explanation:

om
Question: 108

.c
Which definition describes the guiding principle of the zero-trust architecture?

ps
A. never trust, never connect

m
B. always connect and verify

du
C. never trust, always verify
D. trust, but verity
am
Answer: C
ex

Explanation:
id

Explanation/Reference:
al

Reference:
https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
.v
w

Question: 109
w
w

Four configuration choices are listed, and each could be used to block access to a specific URL. If you
configured each choices to block the sameURL then which choice would be the last to block access to
//

the URL?
s:
tp

A. EDL in URL Filtering Profile.

ht

B. Custom URL category in Security Policy rule.

C. Custom URL category in URL Filtering Profile.
D. PAN-DB URL category in URL Filtering Profile.

Answer: D
Explanation:

The precedence is from the top down; First Match Wins: 1) Block list: Manually entered blocked URLs
Objects - 2) Allow list: Manually entered allowed URLs Objects - 3) Custom URL Categories - 4)
Cached Cached: URLs learned from External Dynamic Lists (EDLs) - 5) Pre-Defined Categories: PAN-
DB or Brightcloud categories.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 47/157

Question: 110

The CFO found a malware infected USB drive in the parking lot, which when inserted infected their
corporate laptop the malware contacted a known command-and-control server which exfiltrating
corporate data.

Which Security profile feature could have been used to prevent the communications with the
command-and-control server?

A. Create a Data Filtering Profile and enable its DNS sinkhole feature.

om
B. Create an Antivirus Profile and enable its DNS sinkhole feature.
C. Create an Anti-Spyware Profile and enable its DNS sinkhole feature.
D. Create a URL Filtering Profile and block the DNS sinkhole URL category.

.c
ps
Answer: C
Explanation:

m
du
Question: 111
am
Which two features can be used to tag a user name so that it is included in a dynamic user group?
(Choose two)
ex

A. XML API
id

B. log forwarding auto-tagging

al

C. GlobalProtect agent
D. User-ID Windows-based agent
.v
w

Answer: AD
w

Explanation:
w

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-
//

filtering-profile-actions
s:
tp

Question: 112
ht

Based on the security policy rules shown, ssh will be allowed on which port?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 48/157

om
A. any port
B. same port as ssl and snmpv3

.c
C. the default port

ps
D. only ephemeral ports

m
Answer: C

du
Explanation:
am
Question: 113
ex

Which action results in the firewall blocking network traffic with out notifying the sender?
id
al

A. Drop
.v

B. Deny
C. Reset Server
w

D. Reset Client
w
w

Answer: B
//

Explanation:
s:

Question: 114
tp
ht

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.
Complete the two empty fields in the Security Policy rules that permits only this type of access.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 49/157

Choose two.

A. Service = "any"
B. Application = "Telnet"
C. Service - "application-default"
D. Application = "any"

Answer: BC
Explanation:

om
Question: 115

.c
Which type of administrative role must you assign to a firewall administrator account, if the account

ps
must include a custom set of firewall permissions?

m
A. SAML

du
B. Multi-Factor Authentication
C. Role-based
am
D. Dynamic
ex

Answer: C
Explanation:
id
al

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-
administration/manage-firewall-administrators/administrative-role-types.html
.v
w

Question: 116
w
w

The PowerBall Lottery has reached an unusually high value this week. Your company has decided to
//

raise morale by allowing employees to access the PowerBall Lottery website (www.powerball.com)
s:

for just this week. However, the company does not want employees to access any other websites
tp

also listed in the URL filtering “gambling” category.

ht

Which method allows the employees to access the PowerBall Lottery website but without unblocking
access to the “gambling” URL category?

A. Add just the URL www.powerball.com to a Security policy allow rule.

B. Manually remove powerball.com from the gambling URL category.
C. Add *.powerball.com to the URL Filtering allow list.
D. Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.

Answer: CD
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 50/157

Question: 117

Which type of administrator account cannot be used to authenticate user traffic flowing through the
firewall’s
data plane?

A. Kerberos user
B. SAML user
C. local database user
D. local user

om
Answer: B

.c
Explanation:

ps
Question: 118

m
DRAG DROP

du
Match each feature to the DoS Protection Policy or the DoS Protection Profile.
am
ex
id
al
.v
w
w
// w
s:
tp
ht

Answer:
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 51/157

om
.c
ps
m
du
am
Question: 119
ex

Access to which feature requires the PAN-OS Filtering license?

id
al

A. PAN-DB database
.v

B. DNS Security
C. Custom URL categories
w

D. URL external dynamic lists

w
w

Answer: A
//

Explanation:
s:

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-
tp

licenses-andsubscriptions.html
ht

Question: 120

You receive notification about new malware that is being used to attack hosts The malware exploits a
software bug in a common application
Which Security Profile detects and blocks access to this threat after you update the firewall's threat
signature database?

A. Data Filtering Profile applied to outbound Security policy rules

B. Antivirus Profile applied to outbound Security policy rules
C. Data Filtering Profile applied to inbound Security policy rules

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 52/157

D. Vulnerability Profile applied to inbound Security policy rules

Answer: B
Explanation:

Question: 121

Which Security profile can you apply to protect against malware such as worms and Trojans?

A. data filtering
B. antivirus

om
C. vulnerability protection
D. anti-spyware

.c
Answer: B

ps
Explanation:

m
Reference:

du
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-
profiles#:~:text=Antivirus%
am
20profiles%20protect%20against%20viruses,as
%20well%20as%20spyware%20downloads
ex

Question: 122
id
al

Which two settings allow you to restrict access to the management interface? (Choose two )
.v

A. enabling the Content-ID filter

w

B. administrative management services

w

C. restricting HTTP and telnet using App-ID

w

D. permitted IP addresses
//
s:

Answer: A, C
Explanation:
tp
ht

Question: 123

Which object would an administrator create to block access to all high-risk applications?

A. HIP profile
B. application filter
C. application group
D. Vulnerability Protection profile

Answer: B
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 53/157

Explanation/Reference:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKECA0

Question: 124

An administrator would like to override the default deny action for a given application and instead
would like to block the traffic and send the ICMP code "communication with the destination is
administratively prohibited"
Which security policy action causes this?

om
A. Drop
B. Drop, send ICMP Unreachable

.c
C. Reset both

ps
D. Reset server

m
Answer: B

du
Explanation:
am
Question: 125
ex

What is a prerequisite before enabling an administrative account which relies on a local firewall user
database?
id
al

A. Configure an authentication policy

B. Configure an authentication sequence
.v

C. Configure an authentication profile

w

D. Isolate the management interface on a dedicated management VLAN

w

Answer: C
w

Explanation:
//
s:

Question: 126
tp
ht

Which two rule types allow the administrator to modify the destination zone? (Choose two )

A. interzone
B. intrazone
C. universal
D. shadowed

Answer: A, C
Explanation:

Question: 127

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 54/157

Which statement is true about Panorama managed devices?

A. Panorama automatically removes local configuration locks after a commit from Panorama
B. Local configuration locks prohibit Security policy changes for a Panorama managed device
C. Security policy rules configured on local firewalls always take precedence
D. Local configuration locks can be manually unlocked from Panorama

Answer: D
Explanation:

om
Explanation
Explanation/Reference:
Reference:

.c
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-

ps
panorama/manage- locks-forrestricting-configuration-changes.html

m
du
am
ex
id
al
.v
w
w
// w
s:

Question: 128
tp
ht

What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?

A. Doing so limits the templates that receive the policy rules

B. Doing so provides audit information prior to making changes for selected policy rules
C. You can specify the firewalls m a device group to which to push policy rules
D. You specify the location as pre can - or post-rules to push policy rules

Answer: C
Explanation:

Question: 129

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 55/157

An administrator would like to see the traffic that matches the interzone-default rule in the traffic
logs.
What is the correct process to enable this logging1?

A. Select the interzone-default rule and edit the rule on the Actions tab select Log at Session Start
and click OK
B. Select the interzone-default rule and edit the rule on the Actions tab select Log at Session End and
click OK
C. This rule has traffic logging enabled by default no further action is required
D. Select the interzone-default rule and click Override on the Actions tab select Log at Session End
and click OK

om
Answer: D

.c
Explanation:

ps
Question: 130

m
du
What is the correct process tor creating a custom URL category?
am
A. Objects > Security Profiles > URL Category > Add
B. Objects > Custom Objects > URL Filtering > Add
ex

C. Objects > Security Profiles > URL Filtering > Add

D. Objects > Custom Objects > URL Category > Add
id

Answer: D
al

Explanation:
.v
w

Question: 131
w
w

Which tab would an administrator click to create an address object?

//

A. Device
s:

B. Policies
tp

C. Monitor
ht

D. Objects

Answer: D
Explanation:

Question: 132

An administrator would like to silently drop traffic from the internet to a ftp server.
Which Security policy action should the administrator select?

A. Reset-server

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 56/157

B. Block
C. Deny
D. Drop

Answer: D
Explanation:

Question: 133

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1 What changes
are required on VR-1 to route traffic between two interfaces on the NGFW?

om
A. Add zones attached to interfaces to the virtual router

.c
B. Add interfaces to the virtual router
C. Enable the redistribution profile to redistribute connected routes

ps
D. Add a static routes to route between the two interfaces

m
Answer: D

du
Explanation:
am
Question: 134
ex

What is the main function of the Test Policy Match function?

id

A. verify that policy rules from Expedition are valid

al

B. confirm that rules meet or exceed the Best Practice Assessment recommendations
.v

C. confirm that policy rules in the configuration are allowing/denying the correct traffic
D. ensure that policy rules are not shadowing other policy rules
w
w

Answer: D
w

Explanation:
//
s:

Question: 135
tp

DRAG DROP
ht

Match the cyber-attack lifecycle stage to its correct description.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 57/157

om
Answer:

.c
Explanation:

ps
m
du
am
ex
id
al
.v
w

Question: 136
w

Which option is part of the content inspection process?

// w

A. IPsec tunnel encryption

s:

B. Packet egress process

tp

C. SSL Proxy re-encrypt

D. Packet forwarding process
ht

Answer: C
Explanation:

Question: 137

Which objects would be useful for combining several services that are often defined together?

A. shared service objects

B. service groups

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 58/157

C. application groups
D. application filters

Answer: B
Explanation:

Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-
services.html

om
Question: 138

.c
Palo Alto Networks firewall architecture accelerates content map minimizing latency using which two
components'? (Choose two )

ps
A. Network Processing Engine

m
B. Single Stream-based Engine

du
C. Policy Engine
D. Parallel Processing Hardware
am
Answer: B
ex

Explanation:
id

Question: 139
al
.v

Which type of address object is "10 5 1 1/0 127 248 2"?

w

A. IP subnet
w

B. IP wildcard mask
w

C. IP netmask
D. IP range
//
s:

Answer: B
tp

Explanation:
ht

Question: 140

An administrator has configured a Security policy where the matching condition includes a single
application and the action is deny
If the application s default deny action is reset-both what action does the firewall take*?

A. It sends a TCP reset to the client-side and server-side devices

B. It silently drops the traffic and sends an ICMP unreachable code
C. It silently drops the traffic
D. It sends a TCP reset to the server-side device

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 59/157

Answer: A
Explanation:

Question: 141

How are Application Fillers or Application Groups used in firewall policy?

A. An Application Filter is a static way of grouping applications and can be configured as a nested
member of an Application Group
B. An Application Filter is a dynamic way to group applications and can be configured as a nested

om
member of an Application Group
C. An Application Group is a dynamic way of grouping applications and can be configured as a nested

.c
member of an Application Group
D. An Application Group is a static way of grouping applications and cannot be configured as a nested

ps
member of Application Group

m
Answer: B

du
Explanation:
am
Question: 142
ex

An administrator wishes to follow best practices for logging traffic that traverses the firewall
id

Which log setting is correct?

al

A. Disable all logging

.v

B. Enable Log at Session End

C. Enable Log at Session Start
w

D. Enable Log at both Session Start and End

w
w

Answer: B
//

Explanation:
s:

Explanation
tp

Explanation/Reference:
ht

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC

Question: 143

Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to
block matching traffic
Which statement accurately describes how the firewall will apply an action to matching traffic?

A. If it is an allowed rule, then the Security Profile action is applied last

B. If it is a block rule then the Security policy rule action is applied last

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 60/157

C. If it is an allow rule then the Security policy rule is applied last

D. If it is a block rule then Security Profile action is applied last

Answer: A
Explanation:

Question: 144

You have been tasked to configure access to a new web server located in the DMZ
Based on the diagram what configuration changes are required in the NGFW virtual router to route
traffic from the 10 1 1 0/24 network to 192 168 1 0/24?

om
.c
ps
m
du
am
ex
id
al
.v

A. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/3 with a next-hop of
w

192.168 1.10
w

B. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/2 with a next-hop of
172.16.1.2
w

C. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/3 with a next-hop of
//

172.16.1.2
s:

D. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/3 with a next-hop of
tp

192.168.1.254
ht

Answer: C
Explanation:

Question: 145

An administrator wants to prevent access to media content websites that are risky
Which two URL categories should be combined in a custom URL category to accomplish this goal?
(Choose two)

A. streaming-media
B. high-risk

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 61/157

C. recreation-and-hobbies
D. known-risk

Answer: A, C
Explanation:

Question: 146

DRAG DROP

Place the following steps in the packet processing order of operations from first to last.

om
.c
ps
m
du
am
ex
id
al
.v
w

Answer:
w

Explanation:
// w
s:
tp
ht

Question: 147
A Security Profile can block or allow traffic at which point?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 62/157

A. after it is matched to a Security policy rule that allows traffic

B. on either the data plane or the management plane
C. after it is matched to a Security policy rule that allows or blocks traffic
D. before it is matched to a Security policy rule

Answer: A
Explanation:

Question: 148

Given the cyber-attack lifecycle diagram identify the stage in which the attacker can run malicious

om
code against a vulnerability in a targeted machine.

.c
ps
m
du
am
ex
id

A. Exploitation
al

B. Installation
.v

C. Reconnaissance
D. Act on the Objective
w
w

Answer: A
w

Explanation:
//
s:

Question: 149
tp

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website
ht

How can file uploading/downloading be restricted for the website while permitting general browsing
access to that website?

A. Create a Security policy with a URL Filtering profile that references the site access setting of
continue to NO-FILES
B. Create a Security policy with a URL Filtering profile that references the site access setting of block
to NO-FILES
C. Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate
Data Filtering profile
D. Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate
File Blocking profile

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 63/157

Answer: B
Explanation:

Question: 150

Which three types of authentication services can be used to authenticate user traffic flowing through
the firewalls data plane? (Choose three )

A. TACACS
B. SAML2

om
C. SAML10
D. Kerberos

.c
E. TACACS+

ps
Answer: A, B, D

m
Explanation:

du
Question: 151
am
Given the screenshot what two types of route is the administrator configuring? (Choose two )
ex
id
al
.v
w
w
// w
s:
tp
ht

A. default route
B. OSPF
C. BGP
D. static route

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 64/157

Answer: A
Explanation:

Question: 152

Based on the screenshot what is the purpose of the group in User labelled ''it"?

om
A. Allows users to access IT applications on all ports

.c
B. Allows users in group "DMZ" lo access IT applications

ps
C. Allows "any" users to access servers in the DMZ zone
D. Allows users in group "it" to access IT applications

m
Answer: D
Explanation:
du
am
Question: 153
ex

Which dynamic update type includes updated anti-spyware signatures?

id

A. Applications and Threats

al

B. GlobalProtect Data File

.v

C. Antivirus
w

D. PAN-DB
w

Answer: A
w

Explanation:
//
s:

Question: 154
tp
ht

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a
URL?

A. override
B. allow
C. block
D. continue

Answer: B
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 65/157

Question: 155

om
.c
ps
m
du
am
ex

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access
id

general Internet and DMZ servers using SSH. web-browsing and SSL applications
Which policy achieves the desired results?
al

A)
.v
w
w
// w
s:

B)
tp
ht

C)

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 66/157

D)

A. Option
B. Option
C. Option
D. Option

om
Answer: C

.c
Explanation:

ps
Question: 156

m
du
Which action results in the firewall blocking network traffic without notifying the sender?
am
A. Deny
B. No notification
C. Drop
ex

D. Reset Client
id

Answer: C
al

Explanation:
.v
w

Question: 157
w

Which type of profile must be applied to the Security policy rule to protect against buffer overflows
w

illegal code execution and other attempts to exploit system flaws?

//
s:

A. anti-spyware
tp

B. URL filtering
C. vulnerability protection
ht

D. file blocking

Answer: C
Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-
help/objects/objects-security-profiles-vulnerability-protection.html

Vulnerability Protection Security Profiles protect against threats entering the network. For example,
Vulnerability Protection Security Profiles protect against buffer overflows, illegal code execution, and
other attempts to exploit system vulnerabilities. The default Vulnerability Protection Security Profile

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 67/157

protects clients and servers from all known critical-, high-, and medium-severity threats. You also can
create exceptions that enable you to change the response to a specific signature.

Question: 158

An administrator is reviewing another administrator s Security policy log settings

Which log setting configuration is consistent with best practices tor normal traffic?

A. Log at Session Start and Log at Session End both enabled

B. Log at Session Start disabled Log at Session End enabled
C. Log at Session Start enabled Log at Session End disabled

om
D. Log at Session Start and Log at Session End both disabled

Answer: B

.c
Explanation:

ps
Question: 159

m
du
Which URL Filtering profile action would you set to allow users the option to access a site only if they
provide a URL admin password?
am
A. override
ex

B. authorization
C. authentication
id

D. continue
al

Answer: B
.v

Explanation:
w
w

Explanation/Reference:
w

Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-
//

filteringprofile-actions.html
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 68/157

om
.c
ps
m
du
Question: 160
am
Selecting the option to revert firewall changes will replace what settings?
ex

A. the running configuration with settings from the candidate configuration

B. the device state with settings from another configuration
id

C. the candidate configuration with settings from the running configuration

al

D. dynamic update scheduler settings

.v

Answer: C
w

Explanation:
w
w

Question: 161
//
s:

What is considered best practice with regards to committing configuration changes?

tp

A. Disable the automatic commit feature that prioritizes content database installations before
ht

committing
B. Validate configuration changes prior to committing
C. Wait until all running and pending jobs are finished before committing
D. Export configuration after each single configuration change performed

Answer: A
Explanation:

Question: 162

An administrator wants to prevent users from submitting corporate credentials in a phishing attack.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 69/157

Which Security profile should be applied?

A. antivirus
B. anti-spyware
C. URL filtering
D. vulnerability protection

Answer: B
Explanation:

Question: 163

om
Which Security profile would you apply to identify infected hosts on the protected network using

.c
DNS traffic?

ps
A. URL traffic
B. vulnerability protection

m
C. anti-spyware

du
D. antivirus
am
Answer: C
Explanation:
ex

Question: 164
id
al

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose
.v

two.)
w

A. QoS profile
w

B. DoS Protection profile

w

C. Zone Protection profile

D. DoS Protection policy
//
s:

Answer: B, C
tp

Explanation:
ht

Explanation
Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 70/157

om
.c
ps
m
Question: 165 du
am
What is the main function of Policy Optimizer?
ex

A. reduce load on the management plane by highlighting combinable security rules

id

B. migrate other firewall vendors’ security rules to Palo Alto Networks configuration
al

C. eliminate “Log at Session Start” security rules

.v

D. convert port-based security rules to application-based security rules

w

Answer: D
w

Explanation:
// w

Explanation/Reference:
s:

Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-
tp

optimizer.html
ht

Question: 166

How does an administrator schedule an Applications and Threats dynamic update while delaying
installation of the update for a certain amount of time?

A. Disable automatic updates during weekdays

B. Automatically “download and install” but with the “disable new applications” option used
C. Automatically “download only” and then install Applications and Threats later, after the
administrator approves the update
D. Configure the option for “Threshold”

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 71/157

Answer: D
Explanation:

Question: 167

You receive notification about new malware that infects hosts through malicious files transferred by
FTP.
Which Security profile detects and protects your internal networks from this threat after you update
your firewall’s threat signature database?

om
A. URL Filtering profile applied to inbound Security policy rules.
B. Data Filtering profile applied to outbound Security policy rules.

.c
C. Antivirus profile applied to inbound Security policy rules.
D. Vulnerability Prote

ps
ction profile applied to outbound Security policy rules.

m
Answer: C

du
Explanation:
am
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
ex

Question: 168
id
al

Which rule type is appropriate for matching traffic both within and between the source and
.v

destination zones?
w

A. interzone
w

B. shadowed
w

C. intrazone
D. universal
//
s:

Answer: A
tp

Explanation:
ht

Question: 169

What must be considered with regards to content updates deployed from Panorama?

A. Content update schedulers need to be configured separately per device group.

B. Panorama can only install up to five content versions of the same type for potential rollback
scenarios.
C. A PAN-OS upgrade resets all scheduler configurations for content updates.
D. Panorama can only download one content update at a time for content updates of the same type.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 72/157

Answer: D
Explanation:

Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-
and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-
panorama/schedule-a-content-update-using-panorama.html

Question: 170

During the packet flow process, which two processes are performed in application identification?

om
(Choose two.)

.c
A. pattern based application identification
B. application override policy match

ps
C. session application identified
D. application changed from content inspection

m
du
Answer: AB
Explanation:
am
Reference: http://live.paloaltonetworks.com//t5/image/serverpage/image-
ex

id/12862i950F549C7D4E6309
id

Question: 171
al
.v

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
w
w
// w
s:
tp
ht

Which Security policy rule will allow traffic to flow to the web server?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 73/157

A. Untrust (any) to DMZ (10.1.1.100), web browsing -Allow

B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
C. Untrust (any) to Untrust (10.1.1.100), web browsing -Allow
D. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

Answer: D
Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-
configuration-examples/destination-nat-exampleone-to-one-mapping

om
Question: 172

.c
What does an administrator use to validate whether a session is matching an expected NAT policy?

ps
A. system log

m
B. test command

du
C. threat log
D. config audit
am
Answer: B
ex

Explanation:
id

Reference:
al

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0
.v

Question: 173
w
w
w

What is the purpose of the automated commit recovery feature?

//

A. It reverts the Panorama configuration.

s:

B. It causes HA synchronization to occur automatically between the HA peers after a push from
tp

Panorama.
ht

C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama
after the change.
D. It generates a config log after the Panorama configuration successfully reverts to the last running
configuration.

Answer: C
Explanation:

Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-
panorama/enable-automated-commit-recovery.html

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 74/157

Question: 174

According to the best practices for mission critical devices, what is the recommended interval for
antivirus updates?

A. by minute
B. hourly
C. daily
D. weekly

Answer: C

om
Explanation:

.c
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-
practices-for-content-and-threat-content-updates/best-practices-mission-critical.html

ps
Question: 175

m
du
DRAG DROP
am
Place the steps in the correct packet-processing order of operations.
ex
id
al
.v
w
w
// w
s:
tp

Answer:
ht

Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 75/157

om
.c
ps
Reference:

m
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

Question: 176 du
am
Which Security policy match condition would an administrator use to block traffic from IP addresses
ex

on the Palo Alto Networks EDL of Known Malicious IP Addresses list?

id

A. destination address
al

B. source address
C. destination zone
.v

D. source zone
w
w

Answer: B
w

Explanation:
//
s:

Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-
dynamic-list-in-policy/external-dynamic-list.html
tp
ht

Question: 177

URL categories can be used as match criteria on which two policy types? (Choose two.)

A. authentication
B. decryption
C application override
D. NAT

Answer: AB

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 76/157

Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-
concepts/url-category-as-policy-match-criteria.html

Question: 178

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

om
.c
A. The web session was unsuccessfully decrypted.

ps
B. The traffic was denied by security profile.
C. The traffic was denied by URL filtering.

m
D. The web session was decrypted.

du Answer: D
am
Explanation:
ex

Question: 179
id
al

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address.
Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100)
.v

receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

w
w
// w
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 77/157

Which two Security policy rules will accomplish this configuration? (Choose two.)
A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow
B. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
C. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
D. Untrust (Any)to DMZ (10.1.1.100. 10.1.1.101), ssh, web-browsing-Allow
E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Answer: AE
Explanation:

Question: 180

om
Starting with PAN-OS version 9.1, application dependency information is now reported in which two

.c
locations? (Choose two.)

ps
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer's Rule Usage page

m
C. on the Application tab in the Security Policy Rule creation window

du
D. on the Objects > Applications browser pages
am
Answer: AC
Explanation:
ex

Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-
id

objects-in-policy/resolve-application-dependencies.html
al

Question: 181
.v
w
w

What action will inform end users when their access to Internet content is being restricted?
w

A. Create a custom 'URL Category' object with notifications enabled.

//

B. Publish monitoring data for Security policy deny logs.

s:

C. Ensure that the 'site access" setting for all URL sites is set to 'alert'.
tp

D. Enable 'Response Pages' on the interface providing Internet access.

ht

Answer: D
Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-
help/device/device-response-pages.html

Question: 182

What is a recommended consideration when deploying content updates to the firewall from
Panorama?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 78/157

A. Before deploying content updates, always check content release version compatibility.
B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.
C. Content updates for firewall A/A HA pairs need a defined master device.
D. After deploying content updates, perform a commit and push to Panorama.

Answer: D
Explanation:

Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-licenses-
and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-

om
panorama/schedule-a-content-update-using-panorama.html

Question: 183

.c
ps
Which information is included in device state other than the local configuration?

m
du
A. uncommitted changes
B. audit logs to provide information of administrative account changes
am
C. system logs to provide information of PAN-OS changes
D. device group and template settings pushed from Panorama
ex

Answer: D
id

Explanation:
al

Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-
.v

help/device/device-setup-operations.html
w
w

Question: 184
// w

Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 79/157

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

A. It defines the SSUTLS encryption strength used to protect the management interface.
B. It defines the CA certificate used to verify the client's browser.
C. It defines the certificate to send to the client's browser from the management interface.
D. It defines the firewall's global SSL/TLS timeout values.

Answer: C
Explanation:

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 80/157

Question: 185

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule,
which is set to default configuration.

What should the administrator do?

A. change the logging action on the rule

B. review the System Log
C. refresh the Traffic Log

om
D. tune your Traffic Log filter to include the dates

Answer: A

.c
Explanation:

ps
Question: 186

m
du
When is the content inspection performed in the packet flow process?
am
A. after the application has been identified
ex

B. after the SSL Proxy re-encrypts the packet

C. before the packet forwarding process
id

D. before session lookup

al

Answer: A
.v

Explanation:
w
w

Reference:
w

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
//
s:

Question: 187
tp
ht

During the App-ID update process, what should you click on to confirm whether an existing policy
rule is affected by an App-ID update?

A. check now
B. review policies
C. test policy match
D. download

Answer: B
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 81/157

Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-
ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-new-app-ids-
introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

Question: 188

When creating a custom URL category object, which is a valid type?

om
A. domain match
B. host names
C. wildcard

.c
D. category match

ps
Answer: D

m
Explanation:

du
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-
am
help/objects/objects-custom-objects-url-category.html
ex

Question: 189
id
al

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port
is used for management access?
.v
w

A. 80
w

B. 8443
C. 4443
w

D. 443
//
s:

Answer: C
tp

Explanation:
ht

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS#:~:text=
Details,using%20https%20on%20port%204443

Question: 190

What two authentication methods on the Palo Alto Networks firewalls support authentication and
authorization for role-based access control? (Choose two.)

A. SAML

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 82/157

B. TACACS+
C. LDAP
D. Kerberos

Answer: AB
Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-
administration/manage-firewall-administrators/administrative-authentication.html
The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server
performs both authentication and authorization. For authorization, you define Vendor-Specific

om
Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS
maps the attributes to administrator roles, access domains, user groups, and virtual systems that you
define on the firewall.

.c
ps
Question: 191

m
Choose the option that correctly completes this statement. A Security Profile can block or allow

du
traffic ____________.
am
A. on either the data place or the management plane.
B. after it is matched by a security policy rule that allows traffic.
ex

C. before it is matched to a Security policy rule.

D. after it is matched by a security policy rule that allows or blocks traffic.
id

Answer: B
al

Explanation:
.v
w

Explanation/Reference:
w

Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html
// w

After a packet has been allowed by the Security policy, Security Profiles are used to scan packets for
s:

threats, vulnerabilities, viruses, spyware, malicious URLs, data exfiltration, and exploitation software.
tp

Question: 192
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 83/157

om
Given the topology, which zone type should you configure for firewall interface E1/1?

.c
A. Tap
B. Tunnel

ps
C. Virtual Wire

m
D. Layer3

du
Answer: A
am
Explanation:

Question: 193
ex
id

Which two features can be used to tag a username so that it is included in a dynamic user group?
(Choose two.)
al
.v

A. GlobalProtect agent
w

B. XML API
C. User-ID Windows-based agent
w

D. log forwarding auto-tagging

// w

Answer: B, C
s:

Explanation:
tp

Question: 194
ht

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the
Authentication Profile?

A. TACACS+
B. RADIUS
C. LDAP
D. SAML

Answer: C
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 84/157

Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-an-
authenticationprofile-and-sequence

Question: 195

Which type of security policy rule will match traffic that flows between the Outside zone and inside
zone, but would not match traffic that flows within the zones?

om
A. global
B. intrazone
C. interzone

.c
D. universal

ps
Answer: C

m
Explanation:

Reference:
du
am
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/software-and-content-
updates/dynamic-
ex

contentupdates.html#:~:text=WildFire%20signature%20updates%20are%20made,within%20a%20mi
nute%20of %
id

20availability
al

Question: 196
.v
w

Which license is required to use the Palo Alto Networks built-in IP address EDLs?
w

A. DNS Security
w

B. Threat Prevention
//

C. WildFire
s:

D. SD-Wan
tp

Answer: B
ht

Explanation:

Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-
in- policy/builtin-edls.html#:~:text=With%20an%

Question: 197

Which component is a building block in a Security policy rule?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 85/157

A. decryption profile
B. destination interface
C. timeout (min)
D. application

Answer: D
Explanation:

Explanation/Reference:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-

om
security/buildingblocks-in-a-security-policy-rule.html

Question: 198

.c
ps
An administrator would like to use App-ID's deny action for an application and would like that action
updated with dynamic updates as new content becomes available.

m
Which security policy action causes this?

A. Reset server
du
am
B. Reset both
C. Deny
ex

D. Drop
id

Answer: C
al

Explanation:
.v

Explanation/Reference:
w

Reference:
w

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-
configuration backups/revert-firewall-configuration- changes.html
// w

Question: 199
s:
tp

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches
ht

Palo Alto Networks Content DNS Signatures?

A. block
B. sinkhole
C. alert
D. allow

Answer: B
Explanation:

To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security
subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service,

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 86/157

configure the log severity and policy settings for each DNS signature category, and then attach the
profile to a security policy rule.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-
security/enable-dns-security

Question: 200

Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users
on spear phishing links, unknown emails, and risky websites?

A. reconnaissance

om
B. delivery
C. exploitation
D. installation

.c
ps
Answer: B
Explanation:

m
du
Weaponization and Delivery: Attackers will then determine which methods to use in order to deliver
malicious payloads. Some of the methods they might utilize are automated tools, such as exploit kits,
am
spear phishing attacks with malicious links, or attachments and malvertizing.
Gain full visibility into all traffic, including SSL, and block high-risk applications. Extend those
ex

protections to remote and mobile devices.

Protect against perimeter breaches by blocking malicious or risky websites through URL filtering.
id

Block known exploits, malware and inbound command-and-control communications using multiple
threat prevention disciplines, including IPS, anti-malware, anti-CnC, DNS monitoring and sinkholing,
al

and file and content blocking.

.v

Detect unknown malware and automatically deliver protections globally to thwart new attacks.
w

Provide ongoing education to users on spear phishing links, unknown emails, risky websites, etc.
w

https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle
// w

Question: 201
s:
tp

What are three factors that can be used in domain generation algorithms? (Choose three.)
ht

A. cryptographic keys
B. time of day
C. other unique values
D. URL custom categories
E. IP address

Answer: ABC
Explanation:

Domain generation algorithms (DGAs) are used to auto-generate domains, typically in large numbers
within the context of establishing a malicious command-and-control (C2) communications channel.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 87/157

DGA-based malware (such as Pushdo, BankPatch, and CryptoLocker) limit the number of domains
from being blocked by hiding the location of their active C2 servers within a large number of possible
suspects, and can be algorithmically generated based on factors such as time of day, cryptographic
keys, or other unique values.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns-
security/domain-generation-algorithm-detection

Question: 202

Which action would an administrator take to ensure that a service object will be available only to the
selected device group?

om
A. create the service object in the specific template
B. uncheck the shared option

.c
C. ensure that disable override is selected

ps
D. ensure that disable override is cleared

m
Answer: D

du
Explanation:
am
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/manage-
device-groups/create-objects-for-use-in-shared-or-device-group-policy
ex

Question: 203
id
al

If using group mapping with Active Directory Universal Groups, what must you do when configuring
the User-ID?
.v
w

A. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port
w

3268 or 3269 for SSL

B. Configure a frequency schedule to clear group mapping cache
w

C. Configure a Primary Employee ID number for user-based Security policies

//

D. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or
s:

389
tp

Answer: B
ht

Explanation:

If you have Universal Groups, create an LDAP server profile to connect to the root domain of the
Global Catalog server on port 3268 or 3269 for SSL, then create another LDAP server profile to
connect to the root domain controllers on port 389. This helps ensure that users and group
information is available for all domains and subdomains.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups

Question: 204

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 88/157

Which administrative management services can be configured to access a management interface?

A. HTTP, CLI, SNMP, HTTPS

B. HTTPS, SSH telnet SNMP
C. SSH: telnet HTTP, HTTPS
D. HTTPS, HTTP. CLI, API

Answer: D
Explanation:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/management-

om
interfaces

You can use the following user interfaces to manage the Palo Alto Networks firewall:

.c
ps
Use the Web Interface to perform configuration and monitoring tasks with relative ease. This
graphical interface allows you to access the firewall using HTTPS (recommended) or HTTP and it is

m
the best way to perform administrative tasks.

du
Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid
succession over SSH (recommended), Telnet, or the console port. The CLI is a no-frills interface that
am
supports two command modes, operational and configure, each with a distinct hierarchy of
commands and statements. When you become familiar with the nesting structure and syntax of the
commands, the CLI provides quick response times and administrative efficiency.
ex

Use the XML API to streamline your operations and integrate with existing, internally developed
id

applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests
and responses.
al

Use Panorama to perform web-based management, reporting, and log collection for multiple
.v

firewalls. The Panorama web interface resembles the firewall web interface but with additional
functions for centralized management.
w
w

Question: 205
// w

Which feature would be useful for preventing traffic from hosting providers that place few
s:

restrictions on content, whose services are frequently used by attackers to distribute illegal or
unethical material?
tp
ht

A. Palo Alto Networks Bulletproof IP Addresses

B. Palo Alto Networks C&C IP Addresses
C. Palo Alto Networks Known Malicious IP Addresses
D. Palo Alto Networks High-Risk IP Addresses

Answer: A
Explanation:

To block hosts that use bulletproof hosts to provide malicious, illegal, and/or unethical content, use
the bulletproof IP address list in policy.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 89/157

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-
features/edl-for-bulletproof-
isps#:~:text=A%20new%20built%2Din%20external,%2C%20illegal%2C%20and%20unethical%20cont
ent.

Question: 206

Which attribute can a dynamic address group use as a filtering condition to determine its
membership?

A. tag

om
B. wildcard mask
C. IP address
D. subnet mask

.c
ps
Answer: A
Explanation:

m
du
Dynamic Address Groups: A dynamic address group populates its members dynamically using looks
ups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive
am
virtual infrastructure where changes in virtual machine location/IP address are frequent. For
example, you have a sophisticated failover setup or provision new virtual machines frequently and
ex

would like to apply policy to traffic from or to the new machine without modifying the
configuration/rules on the firewall.
id

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-address-
groups
al
.v

Question: 207
w
w

View the diagram.

// w
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 90/157

om
.c
ps
m
What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into

du
both the DMZ and Untrust/lnternet zones from each of the lOT/Guest and Trust Zones?
A)
am
ex
id

B)
al
.v
w
w
w

C)
//
s:
tp
ht

D)

A. Option A
B. Option B
C. Option C

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 91/157

D. Option D

Answer: C
Explanation:

Question: 208

An administrator needs to add capability to perform real-time signature lookups to block or sinkhole
all known malware domains.
Which type of single unified engine will get this result?

om
A. User-ID
B. App-ID

.c
C. Security Processing Engine
D. Content-ID

ps
Answer: A

m
Explanation:

Question: 209 du
am
Which solution is a viable option to capture user identification when Active Directory is not in use?
ex
id

A. Cloud Identity Engine

B. group mapping
al

C. Directory Sync Service

.v

D. Authentication Portal
w

Answer: D
w

Explanation:
// w

Question: 210
s:
tp

You receive notification about a new malware that infects hosts An infection results in the infected
host attempting to contact a command-and-control server Which Security Profile when applied to
ht

outbound Security policy rules detects and prevents this threat from establishing a command-and-
control connection?

A. Antivirus Profile
B. Data Filtering Profile
C. Vulnerability Protection Profile
D. Anti-Spyware Profile

Answer: D
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 92/157

Anti-Spyware Security Profiles block spyware on compromised hosts from trying to communicate
with external command-and-control (C2) servers, thus enabling you to detect malicious traffic
leaving the network from infected clients.

Question: 211

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are
verified as unsafe based on WildFire analysis Unit 42 research and data gathered from telemetry?

A. Palo Alto Networks C&C IP Addresses

B. Palo Alto Networks Bulletproof IP Addresses

om
C. Palo Alto Networks High-Risk IP Addresses
D. Palo Alto Networks Known Malicious IP Addresses

.c
Answer: D

ps
Explanation:

m
Palo Alto Networks Known Malicious IP Addresses

du
—Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and
data gathered from telemetry (Share Threat Intelligence with Palo Alto Networks). Attackers use
am
these IP addresses almost exclusively to distribute malware, initiate command-and-control activity,
and launch attacks.
ex

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-
id

in-policy/built-in-edls
al

Question: 212
.v
w

The compliance officer requests that all evasive applications need to be blocked on all perimeter
w

firewalls out to the internet The firewall is configured with two zones;
1. trust for internal networks
w

2. untrust to the internet

//

Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security
s:

policy using App-ID to comply with this request? (Choose two )

tp

A. Create a deny rule at the top of the policy from trust to untrust with service application-default
ht

and add an application filter with the evasive characteristic

B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive
as the application
C. Create a deny rule at the top of the policy from trust to untrust with service application-default
and select evasive as the application
D. Create a deny rule at the top of the policy from trust to untrust over any service and add an
application filter with the evasive characteristic

Answer: AD
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 93/157

Question: 213

What must be configured before setting up Credential Phishing Prevention?

A. Anti Phishing Block Page

B. Threat Prevention
C. Anti Phishing profiles
D. User-ID

Answer: B
Explanation:

om
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-

.c
credential-phishing/set-up-credential-phishing-prevention

ps
Question: 214

m
What allows a security administrator to preview the Security policy rules that match new application

du
signatures?
am
A. Review Release Notes
B. Dynamic Updates-Review Policies
ex

C. Dynamic Updates-Review App

D. Policy Optimizer-New App Viewer
id
al

Answer: B
.v

Explanation:
w

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-
w

introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
// w

Question: 215
s:

Which statement best describes the use of Policy Optimizer?

tp
ht

A. Policy Optimizer can display which Security policies have not been used in the last 90 days
B. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have
unused applications
C. Policy Optimizer can add or change a Log Forwarding profile for each Secunty policy selected
D. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID
Security policy for every Layer 4 policy that exists Admins can then manually enable policies they
want to keep and delete ones they want to remove

Answer: B
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 94/157

Question: 216

An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

A. Security policy rule

B. ACC global filter
C. external dynamic list
D. NAT address pool

Answer: A

om
Explanation:

.c
You can use an address object of type IP Wildcard Mask only in a Security policy rule.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-

ps
addresses

m
IP Wildcard Mask

du
—Enter an IP wildcard address in the format of an IPv4 address followed by a slash and a mask
(which must begin with a zero); for example, 10.182.1.1/0.127.248.0. In the wildcard mask, a zero (0)
am
bit indicates that the bit being compared must match the bit in the IP address that is covered by the
0. A one (1) bit in the mask is a wildcard bit, meaning the bit being compared need not match the bit
ex

in the IP address that is covered by the 1. Convert the IP address and the wildcard mask to binary. To
illustrate the matching: on binary snippet 0011, a wildcard mask of 1010 results in four matches
id

(0001, 0011, 1001, and 1011).

al

Question: 217
.v
w

An administrator would like to determine the default deny action for the application dns-over-https
w

Which action would yield the information?

w

A. View the application details in beacon paloaltonetworks.com

//

B. Check the action for the Security policy matching that traffic
s:

C. Check the action for the decoder in the antivirus profile

tp

D. View the application details in Objects > Applications

ht

Answer: D
Explanation:

Question: 218

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone,
and also needs to match DNS traffic within the DMZ zone The administrator does not want to allow
traffic between the DMZ and LAN zones.
Which Security policy rule type should they use?

A. default

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 95/157

B. universal
C. intrazone
D. interzone

Answer: C
Explanation:

Question: 219

What are three valid ways to map an IP address to a username? (Choose three.)

om
A. using the XML API
B. DHCP Relay logs

.c
C. a user connecting into a GlobalProtect gateway using a GlobalProtect Agent
D. usernames inserted inside HTTP Headers

ps
E. WildFire verdict reports

m
Answer: A, C, D

du
Explanation:
am
Question: 220
ex

Which object would an administrator create to enable access to all applications in the office-
id

programs subcategory?
al

A. application filter
.v

B. URL category
C. HIP profile
w

D. application group
w
w

Answer: A
//

Explanation:
s:
tp

Question: 221
ht

An administrator would like to create a URL Filtering log entry when users browse to any gambling
website. What combination of Security policy and Security profile actions is correct?

A. Security policy = drop, Gambling category in URL profile = allow

B. Security policy = deny. Gambling category in URL profile = block
C. Security policy = allow, Gambling category in URL profile = alert
D. Security policy = allow. Gambling category in URL profile = allow

Answer: C
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 96/157

Question: 222

Which statement is true regarding NAT rules?

A. Static NAT rules have precedence over other forms of NAT.

B. Translation of the IP address and port occurs before security processing.
C. NAT rules are processed in order from top to bottom.
D. Firewall supports NAT on Layer 3 interfaces only.

Answer: C
Explanation:

om
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-

.c
policy-overview

ps
Question: 223

m
After making multiple changes to the candidate configuration of a firewall, the administrator would

du
like to start over with a candidate configuration that matches the running configuration.
Which command in Device > Setup > Operations would provide the most operationally efficient way
am
to accomplish this?
ex

A. Import named config snapshot

B. Load named configuration snapshot
id

C. Revert to running configuration

al

D. Revert to last saved configuration

.v

Answer: C
w

Explanation:
w
w

Question: 224
//
s:

An administrator is reviewing the Security policy rules shown in the screenshot below.
Which statement is correct about the information displayed?
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 97/157

A. Eleven rules use the "Infrastructure* tag.

B. The view Rulebase as Groups is checked.
C. There are seven Security policy rules on this firewall.
D. Highlight Unused Rules is checked.

Answer: B
Explanation:

Question: 225

What are the two default behaviors for the intrazone-default policy? (Choose two.)

om
A. Allow

.c
B. Logging disabled
C. Log at Session End

ps
D. Deny

m
Answer: A, B

du
Explanation:
am
Question: 226
ex

What are two valid selections within an Antivirus profile? (Choose two.)
id

A. deny
al

B. drop
.v

C. default
D. block-ip
w
w

Answer: B, C
w

Explanation:
//
s:

Question: 227
tp

DRAG DROP
ht

Match each rule type with its example

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 98/157

Answer:
Explanation:

om
.c
ps
Question: 228

m
An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated

du
to the same public IP address. What is the most appropriate NAT policy to achieve this?
am
A. Dynamic IP and Port
B. Dynamic IP
ex

C. Static IP
D. Destination
id

Answer: A
al

Explanation:
.v
w

Question: 229
w
w

Which action can be set in a URL Filtering Security profile to provide users temporary access to all
websites in a given category using a provided password?
//
s:

A. exclude
tp

B. continue
C. hold
ht

D. override

Answer: D
Explanation:

The user will see a response page indicating that a password is required to allow access to websites
in the given category. With this option, the security administrator or help-desk person would provide
a password granting temporary access to all websites in the given category. A log entry is generated
in the URL Filtering log. The Override webpage doesn’t display properly on client systems configured
to use a proxy server.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 99/157

Question: 230

What is a function of application tags?

A. creation of new zones

B. application prioritization
C. automated referenced applications in a policy
D. IP address allocations in DHCP

Answer: C
Explanation:

om
Question: 231

.c
ps
What are three Palo Alto Networks best practices when implementing the DNS Security Service?
(Choose three.)

m
A. Implement a threat intel program.

du
B. Configure a URL Filtering profile.
C. Train your staff to be security aware.
am
D. Rely on a DNS resolver.
E. Plan for mobile-employee risk
ex

Answer: A, B, D
id

Explanation:
al
.v

Question: 232
w

An administrator is investigating a log entry for a session that is allowed and has the end reason of
w

aged-out. Which two fields could help in determining if this is normal? (Choose two.)
// w

A. Packets sent/received
s:

B. IP Protocol
C. Action
tp

D. Decrypted
ht

Answer: B, D
Explanation:

Question: 233

What does an application filter help you to do?

A. It dynamically provides application statistics based on network, threat, and blocked activity,
B. It dynamically filters applications based on critical, high, medium, low. or informational severity.
C. It dynamically groups applications based on application attributes such as category and

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 100/157

subcategory.
D. It dynamically shapes defined application traffic based on active sessions and bandwidth usage.

Answer: C
Explanation:

Question: 234

Prior to a maintenance-window activity, the administrator would like to make a backup of only the
running configuration to an external location. What command in Device > Setup > Operations would
provide the most operationally efficient way to achieve this outcome?

om
A. save named configuration snapshot

.c
B. export device state
C. export named configuration snapshot

ps
D. save candidate config

m
Answer: A

du
Explanation:
am
Export Named Configuration Snapshot This option exports the current running configuration, a
candidate configuration snapshot, or a previously imported configuration (candidate or running). The
ex

firewall exports the configuration as an XML file with the specified name. You can save the snapshot
in any network location. These exports often are used as backups. These XML files also can be used
id

as templates for building other firewall configurations.

al

Question: 235
.v
w

Your company is highly concerned with their Intellectual property being accessed by unauthorized
w

resources. There is a mature process to store and include metadata tags for all confidential
w

documents.
Which Security profile can further ensure that these documents do not exit the corporate network?
//
s:

A. File Blocking
tp

B. Data Filtering
ht

C. Anti-Spyware
D. URL Filtering

Answer: B
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-
profiles-data-filtering

Question: 236

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 101/157

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule. What is
the best way to do this?

A. Create a Security policy rule to allow the traffic.

B. Create a new NAT rule with the correct parameters and leave the translation type as None
C. Create a static NAT rule with an application override.
D. Create a static NAT rule translating to the destination interface.

Answer: B
Explanation:

om
Question: 237

.c
When creating a Panorama administrator type of Device Group and Template Admin, which two
things must you create first? (Choose two.)

ps
A. password profile

m
B. access domain

du
C. admin rote
D. server profile
am
Answer: C, D
ex

Explanation:
id

Question: 238
al
.v

An administrator is troubleshooting traffic that should match the interzone-default rule. However,
the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was
w

never changed from its default configuration.

w

Why doesn't the administrator see the traffic?

w

A. Traffic is being denied on the interzone-default policy.

//

B. The Log Forwarding profile is not configured on the policy.

s:

C. The interzone-default policy is disabled by default

tp

D. Logging on the interzone-default policy is disabled

ht

Answer: D
Explanation:

Question: 239

An administrator is configuring a NAT rule

At a minimum, which three forms of information are required? (Choose three.)

A. name
B. source zone

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 102/157

C. destination interface
D. destination address
E. destination zone

Answer: B, D, E
Explanation:

Question: 240

Which type of address object is www.paloaltonetworks.com?

om
A. IP range
B. IP netmask

.c
C. named address
D. FQDN

ps
Answer: D

m
Explanation:

Question: 241 du
am
What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)
ex
id

A. It uses techniques such as DGA.DNS tunneling detection and machine learning.

B. It requires a valid Threat Prevention license.
al

C. It enables users to access real-time protections using advanced predictive analytics.

.v

D. It requires a valid URL Filtering license.

E. It requires an active subscription to a third-party DNS Security service.
w
w

Answer: A, B, C
w

Explanation:
//
s:

DNS Security subscription enables users to access real-time protections using advanced predictive
analytics. When techniques such as DGA/DNS tunneling detection and machine learning are used,
tp

threats hidden within DNS traffic can be proactively identified and shared through an infinitely
ht

scalable cloud service. Because the DNS signatures and protections are stored in a cloud-based
architecture, you can access the full database of ever-expanding signatures that have been generated
using a multitude of data sources. This list of signatures allows you to defend against an array of
threats using DNS in real-time against newly generated malicious domains. To combat future threats,
updates to the analysis, detection, and prevention capabilities of the DNS Security service will be
available through content releases. To access the DNS Security service, you must have a Threat
Prevention license and DNS Security license.

Question: 242

What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 103/157

A. any supported Palo Alto Networks firewall or Prisma Access firewall

B. an additional subscription free of charge
C. a firewall device running with a minimum version of PAN-OS 10.1
D. an additional paid subscription

Answer: A
Explanation:

om
Question: 243

.c
An administrator would like to block access to a web server, while also preserving resources and
minimizing half-open sockets. What are two security policy actions the administrator can select?

ps
(Choose two.)

m
A. Reset server

du
B. Reset both
C. Drop
am
D. Deny
ex

Answer: A, C
Explanation:
id
al

Question: 244
.v

An administrator would like to apply a more restrictive Security profile to traffic for file sharing
w

applications. The administrator does not want to update the Security policy or object when new
w

applications are released.

w

Which object should the administrator use as a match condition in the Security policy?
//

A. the Content Delivery Networks URL category

s:

B. the Online Storage and Backup URL category

tp

C. an application group containing all of the file-sharing App-IDs reported in the traffic logs
ht

D. an application filter for applications whose subcategory is file-sharing

Answer: D
Explanation:

Question: 245

A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose?
(Choose three.)

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 104/157

A. RIP
B. OSPF
C. IS-IS
D. EIGRP
E. BGP

Answer: A, B, E
Explanation:

Question: 246

om
.c
ps
m
du
am
ex
id
al
.v

Given the detailed log information above, what was the result of the firewall traffic inspection?
w
w

A. It was blocked by the Vulnerability Protection profile action.

w

B. It was blocked by the Anti-Virus Security profile action.

//

C. It was blocked by the Anti-Spyware Profile action.

s:

D. It was blocked by the Security policy action.

tp

Answer: C
ht

Explanation:

Question: 247

Which three interface deployment methods can be used to block traffic flowing through the Palo Alto
Networks firewall? (Choose three.)

A. Layer 2
B. Virtual Wire
C. Tap
D. Layer 3

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 105/157

E. HA

Answer: B, D, E
Explanation:

Question: 248

An administrator configured a Security policy rule where the matching condition includes a single
application and the action is set to deny. What deny action will the firewall perform?

A. Drop the traffic silently

om
B. Perform the default deny action as defined in the App-ID database for the application
C. Send a TCP reset packet to the client- and server-side devices

.c
D. Discard the session's packets and send a TCP reset packet to let the client know the session has
been terminated

ps
Answer: D

m
Explanation:

Question: 249 du
am
Which object would an administrator create to enable access to all applications in the office-
ex

programs subcategory?
id

A. HIP profile
al

B. Application group
.v

C. URL category
D. Application filter
w
w

Answer: C
w

Explanation:
//
s:

Question: 250
tp

What do you configure if you want to set up a group of objects based on their ports alone?
ht

A. Application groups
B. Service groups
C. Address groups
D. Custom objects

Answer: B
Explanation:

Question: 251

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 106/157

om
.c
ps
m
View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and

du
SSH traffic into both the DMZ and Untrust/lnternet zones from each of the lOT/Guest and Trust
Zones?
am
A)
ex
id
al

B)
.v
w
w
w

C)
//
s:
tp
ht

D)

A. Option
B. Option
C. Option
D. Option

Answer: C
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 107/157

Question: 252

A website is unexpectedly allowed due to miscategorization.

What are two ways to resolve this issue for a proper response? (Choose two.)

A. Identify the URL category being assigned to the website.

Edit the active URL Filtering profile and update that category's site access settings to block.
B. Create a URL category and assign the affected URL.
Update the active URL Filtering profile site access setting for the custom URL category to block.
C. Review the categorization of the website on https://urlfiltering.paloaltonetworks.com.

om
Submit for "request change*, identifying the appropriate categorization, and wait for confirmation
before testing again.
D. Create a URL category and assign the affected URL.

.c
Add a Security policy with a URL category qualifier of the custom URL category below the original

ps
policy. Set the policy action to Deny.

m
Answer: C, D

du
Explanation:
am
Question: 253
ex

Why should a company have a File Blocking profile that is attached to a Security policy?
id

A. To block uploading and downloading of specific types of files

al

B. To detonate files in a sandbox environment

C. To analyze file types
.v

D. To block uploading and downloading of any type of files

w
w

Answer: A
w

Explanation:
//
s:

Question: 254
tp

An administrator is troubleshooting traffic that should match the interzone-default rule. However,
ht

the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was
never changed from its default configuration.
Why doesn't the administrator see the traffic?

A. Logging on the interzone-default policy is disabled.

B. Traffic is being denied on the interzone-default policy.
C. The Log Forwarding profile is not configured on the policy.
D. The interzone-default policy is disabled by default.

Answer: A
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 108/157

Question: 255

om
.c
ps
m
Given the detailed log information above, what was the result of the firewall traffic inspection?

A. It was blocked by the Anti-Virus Security profile action.

du
am
B. It was blocked by the Anti-Spyware Profile action.
C. It was blocked by the Vulnerability Protection profile action.
ex

D. It was blocked by the Security policy action.

id

Answer: B
al

Explanation:
.v
w
w

Question: 256
// w

An administrator would like to protect against inbound threats such as buffer overflows and illegal
s:

code execution.
tp

Which Security profile should be used?

ht

A. Antivirus
B. URL filtering
C. Anti-spyware
D. Vulnerability protection

Answer: C
Explanation:

Question: 257

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 109/157

Which statement best describes a common use of Policy Optimizer?

A. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have
unused applications.
B. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.
C. Policy Optimizer can display which Security policies have not been used in the last 90 days.
D. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID
Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they
want to keep and delete ones they want to remove.

Answer: C

om
Explanation:

.c
ps
Question: 258

m
Which rule type is appropriate for matching traffic occurring within a specified zone?

A. Interzone
du
am
B. Universal
C. Intrazone
ex

D. Shadowed
id

Answer: C
al

Explanation:
.v

Question: 259
w
w

What is a recommended consideration when deploying content updates to the firewall from
w

Panorama?
//

A. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.
s:

B. Content updates for firewall A/A HA pairs need a defined master device.
tp

C. Before deploying content updates, always check content release version compatibility.
ht

D. After deploying content updates, perform a commit and push to Panorama.

Answer: C
Explanation:

Question: 260

Which Security policy action will message a user's browser thai their web session has been
terminated?

A. Reset server

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 110/157

B. Deny
C. Drop
D. Reset client

Answer: B
Explanation:

Question: 261

An administrator configured a Security policy rule with an Antivirus Security profile. The
administrator did not change the action (or the profile. If a virus gets detected, how wilt the firewall

om
handle the traffic?

.c
A. It allows the traffic because the profile was not set to explicitly deny the traffic.
B. It drops the traffic because the profile was not set to explicitly allow the traffic.

ps
C. It uses the default action assigned to the virus signature.
D. It allows the traffic but generates an entry in the Threat logs.

m
du
Answer: B
Explanation:
am
Question: 262
ex
id

Selecting the option to revert firewall changes will replace what settings?
al

A. The running configuration with settings from the candidate configuration

.v

B. The candidate configuration with settings from the running configuration

C. The device state with settings from another configuration
w

D. Dynamic update scheduler settings

w
w

Answer: A
//

Explanation:
s:
tp

Question: 263
ht

What can be used as match criteria for creating a dynamic address group?

A. Usernames
B. IP addresses
C. Tags
D. MAC addresses

Answer: C
Explanation:

Question: 264

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 111/157

An administrator needs to allow users to use only certain email applications.

How should the administrator configure the firewall to restrict users to specific email applications?

A. Create an application filter and filter it on the collaboration category, email subcategory.
B. Create an application group and add the email applications to it.
C. Create an application filter and filter it on the collaboration category.
D. Create an application group and add the email category to it.

Answer: B
Explanation:

om
Question: 265

.c
An administrator has an IP address range in the external dynamic list and wants to create an

ps
exception for one specific IP address in this address range.
Which steps should the administrator take?

m
du
A. Add the address range to the Manual Exceptions list and exclude the IP address by selecting the
entry.
am
B. Add each IP address in the range as a list entry and then exclude the IP address by adding it to the
Manual Exceptions list.
ex

C. Select the address range in the List Entries list. A column will open with the IP addresses. Select
the entry to exclude.
id

D. Add the specific IP address from the address range to the Manual Exceptions list by using regular
expressions to define the entry.
al
.v

Answer: D
w

Explanation:
w

Question: 266
// w

An administrator is implementing an exception to an external dynamic list by adding an entry to the

s:

list manually. The administrator wants to save the changes, but the OK button is grayed out.
tp

What are two possible reasons the OK button is grayed out? (Choose two.)
ht

A. The entry contains wildcards.

B. The entry is duplicated.
C. The entry doesn't match a list entry.
D. The entry matches a list entry.

Answer: B, C
Explanation:

Question: 267

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 112/157

om
An administrator is updating Security policy to align with best practices.
Which Policy Optimizer feature is shown in the screenshot below?

.c
ps
A. Rules without App Controls
B. New App Viewer

m
C. Rule Usage

du
D. Unused Unused Apps
am
Answer: C
Explanation:
ex

Question: 268
id
al

By default, which action is assigned to the interzone-default rule?

.v

A. Reset-client
w

B. Reset-server
w

C. Deny
w

D. Allow
//
s:

Answer: C
Explanation:
tp
ht

Question: 269

Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)

A. Post-NAT address
B. Post-NAT zone
C. Pre-NAT zone
D. Pre-NAT address

Answer: B, D
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 113/157

Question: 270

What are three valid information sources that can be used when tagging users to dynamic user
groups? (Choose three.)

A. Blometric scanning results from iOS devices

B. Firewall logs
C. Custom API scripts
D. Security Information and Event Management Systems (SIEMS), such as Splun
E. DNS Security service

om
Answer: B, C, E

.c
Explanation:

ps
Question: 271

m
What is the maximum volume of concurrent administrative account sessions?

A. Unlimited
du
am
B. 2
C. 10
ex

D. 1
id

Answer: C
al

Explanation:
.v

Question: 272
w
w

In a File Blocking profile, which two actions should be taken to allow file types that support critical
w

apps? (Choose two.)

//
s:

A. Clone and edit the Strict profile.

B. Use URL filtering to limit categories in which users can transfer files.
tp

C. Set the action to Continue.

ht

D. Edit the Strict profile.

Answer: A, D
Explanation:

Question: 273

Where within the firewall GUI can all existing tags be viewed?

A. Network > Tags

B. Monitor > Tags

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 114/157

C. Objects > Tags

D. Policies > Tags

Answer: C
Explanation:

Question: 274

Which Security profile must be added to Security policies to enable DNS Signatures to be checked?

A. Anti-Spyware

om
B. Antivirus
C. Vulnerability Protection

.c
D. URL Filtering

ps
Answer: D

m
Explanation:

du
Question: 275
am
Which Security profile would you apply to identify infected hosts on the protected network uwall
user database?
ex
id

A. Anti-spyware
B. Vulnerability protection
al

C. URL filtering
.v

D. Antivirus
w

Answer: A
w

Explanation:
// w

Question: 276
s:
tp

What can be achieved by disabling the Share Unused Address and Service Objects with Devices
setting on Panorama?
ht

A. Increase the backup capacity for configuration backups per firewall

B. Increase the per-firewall capacity for address and service objects
C. Reduce the configuration and session synchronization time between HA pairs
D. Reduce the number of objects pushed to a firewall

Answer: D
Explanation:

Question: 277

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 115/157

The NetSec Manager asked to create a new firewall Local Administrator profile with customized
privileges named NewAdmin. This new administrator has to authenticate without inserting any
username or password to access the WebUI.
What steps should the administrator follow to create the New_Admin Administrator profile?

A.
1. Select the "Use only client certificate authentication" check box.
2. Set Role to Role Based.
3. Issue to the Client a Certificate with Common Name = NewAdmin
B.
1. Select the "Use only client certificate authentication" check box.
2. Set Role to Dynamic.

om
3. Issue to the Client a Certificate with Certificate Name = NewAdmin
C.

.c
1. Set the Authentication profile to Local.

ps
2. Select the "Use only client certificate authentication" check box.
3. Set Role to Role Based.

m
D.
1. Select the "Use only client certificate authentication" check box.

du
2. Set Role to Dynamic.
3. Issue to the Client a Certificate with Common Name = New Admin
am
Answer: B
ex

Explanation:
id

Question: 278
al
.v

Why does a company need an Antivirus profile?

w

A. To prevent command-and-control traffic

w

B. To protect against viruses, worms, and trojans

w

C. To prevent known exploits

//

D. To prevent access to malicious web content

s:
tp

Answer: B
Explanation:
ht

Question: 279

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a
data-plane interface instead of the management interface?

A. Data redistribution
B. Dynamic updates
C. SNMP setup
D. Service route

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 116/157

Answer: D
Explanation:

Question: 280

An administrator is trying to enforce policy on some (but not all) of the entries in an external
dynamic list. What is the maximum number of entries that they can be exclude?

A. 50
B. 100
C. 200

om
D. 1,000

.c
Answer: B

ps
Explanation:

m
Question: 281

du
To what must an interface be assigned before it can process traffic?
am
A. Security Zone
B. Security policy
ex

C. Security Protection
id

D. Security profile
al

Answer: A
.v

Explanation:
w

Question: 282
w
w

Which User Credential Detection method should be applied within a URL Filtering Security profile to
//

check for the submission of a valid corporate username and the associated password?
s:
tp

A. Domain Credential
B. IP User
ht

C. Group Mapping
D. Valid Username Detected Log Severity

Answer: C
Explanation:

Question: 283

Which interface type requires no routing or switching but applies Security or NAT policy rules before
passing allowed traffic?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 117/157

A. Layer 3
B. Virtual Wire
C. Tap
D. Layer 2

Answer: A
Explanation:

Question: 284

If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a

om
Security policy with App-ID be configured?
A)

.c
ps
m
B)

du
am
ex

C)
id
al
.v
w

D)
w
// w
s:
tp

A. Option A
B. Option B
ht

C. Option C
D. Option D

Answer: D
Explanation:

Question: 285

All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 118/157

Complete the empty field in the Security policy using an application object to permit only this type of
access.

Source Zone: Internal -

Destination Zone: DMZ Zone -

Application: __________

Service: application-default -
Action: allow

om
A. Application = "any"
B. Application = "web-browsing"

.c
C. Application = "ssl"

ps
D. Application = "http"

m
Answer: B

du
Explanation: am
Question: 286
ex

A network administrator created an intrazone Security policy rule on the firewall. The source zones
id

were set to IT. Finance, and HR.

al

Which two types of traffic will the rule apply to? (Choose two)
.v
w

A. traffic between zone IT and zone Finance

B. traffic between zone Finance and zone HR
w

C. traffic within zone IT

w

D. traffic within zone HR

//
s:

Answer: CD
tp

Explanation:
ht

Question: 287

Which three filter columns are available when setting up an Application Filter? (Choose three.)

A. Parent App
B. Category
C. Risk
D. Standard Ports
E. Subcategory

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 119/157

Answer: BCE
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-
application-filters

Question: 288

What are three ways application characteristics are used? (Choose three.)

om
.c
A. As an attribute to define an application group

ps
B. As a setting to define a new custom application

m
C. As an Object to define Security policies

D. As an attribute to define an application filter

du
am
E. As a global filter in the Application Command Center (ACC)
ex

Answer: ABD
id

Explanation:
al

Question: 289
.v
w

Files are sent to the WildFire cloud service via the WildFire Analysis Profile. How are these files
w

used?
// w

A. WildFire signature updates

s:
tp

B. Malware analysis
ht

C. Domain Generation Algorithm (DGA) learning

D. Spyware analysis

Answer: B
Explanation:

Question: 290

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 120/157

A. Policies

B. Network

C. Objects

D. Device

Answer: C

om
Explanation:

.c
An administrator can configure URL Filtering profiles in the Objects section of the PAN-OS GUI. A URL

ps
Filtering profile is a collection of URL filtering controls that you can apply to individual Security policy
rules that allow access to the internet1. You can set site access for URL categories, allow or disallow

m
user credential submissions, enable safe search enforcement, and various other settings1.

du
To create a URL Filtering profile, go to Objects > Security Profiles > URL Filtering and click Add. You
can then specify the profile name, description, and settings for each URL category and action2. You
am
can also configure other options such as User Credential Detection, HTTP Header Insertion, and URL
Filtering Inline ML2. After creating the profile, you can attach it to a Security policy rule that allows
web traffic2.
ex
id

Question: 291
al

By default, what is the maximum number of templates that can be added to a template stack?
.v
w

A. 6
B. 8
w

C. 10
w

D. 12
//
s:

Answer: B
tp

Explanation:
ht

By default, the maximum number of templates that can be added to a template stack is 8. This is the
recommended limit for performance reasons, as adding more templates may result in sluggish
responses on the user interface. However, starting from PAN-OS 8.1.10 and 9.0.4, you can use a
debug command to increase the maximum number of templates per stack to 16. This command
requires a commit operation to take effect.
A template stack is a collection of templates that you can use to push common settings to multiple
firewalls or Panorama managed collectors. A template contains the network and device settings that
you want to share across devices, such as interfaces, zones, virtual routers, DNS, NTP, and login
banners. You can create multiple templates for different device groups or locations and add them to
a template stack in a hierarchical order. The settings in the lower templates override the settings in
the higher templates if there are any conflicts. You can then assign a template stack to one or more

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 121/157

devices and push the configuration changes.

Question: 292

Within an Anti-Spyware security profile, which tab is used to enable machine learning based
engines?

A. Inline Cloud Analysis

om
B. Signature Exceptions

.c
C. Machine Learning Policies

ps
D. Signature Policies

m
du
Answer: A
Explanation:
am
An Anti-Spyware security profile is a set of rules that defines how the firewall detects and prevents
ex

spyware from compromising hosts on the network. Spyware is a type of malware that collects
information from the infected system, such as keystrokes, browsing history, or personal data, and
id

sends it to an external command-and-control (C2) server1.

An Anti-Spyware security profile consists of four tabs: Signature Policies, Signature Exceptions,
al

Machine Learning Policies, and Inline Cloud Analysis1.

.v

The Signature Policies tab allows you to configure the actions and log settings for each spyware
w

signature category, such as adware, botnet, keylogger, phishing, or worm. You can also enable DNS
Security to block malicious DNS queries and responses1.
w

The Signature Exceptions tab allows you to create exceptions for specific spyware signatures that you
w

want to override the default action or log settings. For example, you can allow a signature that is
//

normally blocked by the profile, or block a signature that is normally alerted by the profile1.
s:

The Machine Learning Policies tab allows you to configure the actions and log settings for machine
learning based signatures that detect unknown spyware variants. You can also enable WildFire
tp

Analysis to submit unknown files to the cloud for further analysis1.

ht

The Inline Cloud Analysis tab allows you to enable machine learning based engines that detect
unknown spyware variants in real time. These engines use cloud-based models to analyze the
behavior and characteristics of network traffic and identify malicious patterns. You can enable inline
cloud analysis for HTTP/HTTPS traffic, SMTP/SMTPS traffic, or IMAP/IMAPS traffic1.
Therefore, the tab that is used to enable machine learning based engines is the Inline Cloud Analysis
tab.
References:
1: Security Profile: Anti-Spyware - Palo Alto Networks

Question: 293

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 122/157

Which two DNS policy actions in the anti-spyware security profile can prevent hacking attacks
through DNS queries to malicious domains? (Choose two.)

A. Deny

B. Sinkhole

C. Override

D. Block

om
Answer: BD

.c
Explanation:

ps
A DNS policy action is a setting in an Anti-Spyware security profile that defines how the firewall

m
handles DNS queries to malicious domains. A malicious domain is a domain name that is associated

du
with a known threat, such as malware, phishing, or botnet1.
There are four possible DNS policy actions: alert, allow, block, and sinkhole1.
am
The alert action logs the DNS query and allows it to proceed to the intended destination. This action
does not prevent hacking attacks, but only notifies the administrator of the potential threat1.
The allow action allows the DNS query to proceed to the intended destination without logging it. This
ex

action does not prevent hacking attacks, but only bypasses the DNS security inspection2.
id

The block action blocks the DNS query and sends a response to the client with an NXDOMAIN (non-
existent domain) error code. This action prevents hacking attacks by preventing the client from
al

resolving the malicious domain1.

.v

The sinkhole action redirects the DNS query to a predefined IP address (the sinkhole IP address) that
is under the control of the administrator. This action prevents hacking attacks by isolating the client
w

from the malicious domain and allowing the administrator to monitor and remediate the infected
w

host1.
w

The override action is not a valid DNS policy action, but a setting in an Anti-Spyware security profile
that allows the administrator to create exceptions for specific spyware signatures that they want to
//

override the default action or log settings3.

s:

Therefore, the two DNS policy actions that can prevent hacking attacks through DNS queries to
tp

malicious domains are block and sinkhole.

References:
ht

1: Enable DNS Security - Palo Alto Networks 2: How To Disable the DNS Security Feature from an
Anti-Spyware Profile - Palo Alto Networks 3: Security Profile: Anti-Spyware - Palo Alto Networks

Question: 294

Which profile should be used to obtain a verdict regarding analyzed files?

A. WildFire analysis

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 123/157

B. Vulnerability profile

C. Content-ID

D. Advanced threat prevention

Answer: A
Explanation:

A profile is a set of rules or settings that defines how the firewall performs a specific function, such as
detecting and preventing threats, filtering URLs, or decrypting traffic1.

om
There are different types of profiles that can be applied to different types of traffic or scenarios, such
as Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Data Filtering,
Decryption, or WildFire Analysis1.

.c
The WildFire Analysis profile is a profile that enables the firewall to submit unknown files or email

ps
links to the cloud-based WildFire service for analysis and verdict determination2. WildFire is the
industry’s most advanced analysis and prevention engine for highly evasive zero-day exploits and

m
malware3. WildFire uses a variety of malware detection techniques, such as static analysis, dynamic

du
analysis, machine learning, and intelligent run-time memory analysis, to identify and protect against
unknown threats34.
am
The Vulnerability Protection profile is a profile that protects the network from exploits that target
known software vulnerabilities. It allows the administrator to configure the actions and log settings
for each vulnerability severity level, such as critical, high, medium, low, or informational5.
ex

Content-ID is not a profile, but a feature of the firewall that performs multiple functions to identify
id

and control applications, users, content, and threats on the network. Content-ID consists of four
components: App-ID, User-ID, Content Inspection, and Threat Prevention.
al

Advanced Threat Prevention is not a profile, but a term that refers to the comprehensive approach of
.v

Palo Alto Networks to prevent sophisticated and unknown threats. Advanced Threat Prevention
includes WildFire, but also other products and services, such as DNS Security, Cortex XDR, Cortex
w

XSOAR, and AutoFocus.

w

Therefore, the profile that should be used to obtain a verdict regarding analyzed files is the WildFire
w

Analysis profile.
References:
//

1: Security Profiles - Palo Alto Networks 2: WildFire Analysis Profile - Palo Alto Networks 3: WildFire -
s:

Palo Alto Networks 4: Advanced Wildfire as an ICAP Alternative | Palo Alto Networks 5: Vulnerability
tp

Protection Profile - Palo Alto Networks : [Content-ID - Palo Alto Networks] : [Advanced Threat
Prevention - Palo Alto Networks]
ht

Question: 295

How can a complete overview of the logs be displayed to an administrator who has permission in the
system to view them?

A. Select the unified log entry in the side menu.

B. Modify the number of columns visible on the page

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 124/157

C. Modify the number of logs visible on each page.

D. Select the system logs entry in the side menu.

Answer: A
Explanation:

The best way to view a complete overview of the logs is to select the unified log entry in the side
menu. The unified log is a single view that displays all the logs generated by the firewall, such as
traffic, threat, URL filtering, data filtering, and WildFire logs1. The unified log allows the

om
administrator to filter, sort, and export the logs based on various criteria, such as time range,
severity, source, destination, application, or action1.
Modifying the number of columns visible on the page or the number of logs visible on each page

.c
does not provide a complete overview of the logs, but only changes the display settings of the

ps
current log view. Selecting the system logs entry in the side menu does not show all the logs
generated by the firewall, but only shows the logs related to system events, such as configuration

m
changes, system alerts, or HA status2.

du
References:
am
1: View Logs - Palo Alto Networks 2: View and Manage Logs - Palo Alto Networks

Question: 296
ex
id

How are service routes used in PAN-OS?

al
.v
w

A. By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered
in the network
w
w

B. To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks
//

external services
s:

C. For routing, because they are the shortest path selected by the BGP routing protocol
tp
ht

D. To route management plane services through data interfaces rather than the management
interface

Answer: D
Explanation:

Service routes are a feature of PAN-OS that allows the administrator to customize the interface that
the firewall uses to send requests to external services, such as DNS, email, Palo Alto Networks
updates, User-ID agent, syslog, Panorama, dynamic updates, URL updates, licenses, and AutoFocus1.
By default, the firewall uses the management interface for all service routes, unless the packet
destination IP address matches the configured destination service route, in which case the source IP

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 125/157

address is set to the source address configured for the destination1.

However, in some scenarios, the administrator may want to use a different interface for service
routes, such as when the management interface does not have public internet access, or when the
administrator wants to isolate or monitor the traffic for certain services23.
To configure service routes, the administrator can select Device > Setup > Services > Service Route
Configuration and customize each service with a source interface and a source address. The
administrator can also configure destination service routes to specify a destination IP address and a
gateway for each service1.
Service routes are not related to routing protocols such as OSPF or BGP, which are used to exchange
routing information between routers and determine the best path to reach a network destination.
Service routes are only used to change the interface that the firewall uses to communicate with
external services.

om
Therefore, service routes are used to route management plane services through data interfaces
rather than the management interface.

.c
References:

ps
1: Configure Service Routes - Palo Alto Networks 2: Setting a Service Route for Services to Use a
Dataplane’s Interface - Palo Alto Networks 3: How to Perform Updates when Management Interface

m
does not have Public Internet Access - Palo Alto Networks

Question: 297 du
am
What is the default action for the SYN Flood option within the DoS Protection profile?
ex
id

A. Alert
B. Random Early Drop
al

C. Reset-client
.v

D. Sinkhole
w

Answer: B
w

Explanation:
// w

Random Early Drop —The firewall uses an algorithm to progressively start dropping that type of
s:

packet. If the attack continues, the higher the incoming cps rate (above the Activate Rate) gets, the
more packets the firewall drops. .. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-
tp

admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-
ht

sessions/configure-dos-protection-against-flooding-of-new-sessions)

Question: 298

Which Security policy set should be used to ensure that a policy is applied first?

A. Child device-group pre-rulebase

B. Shared pre-rulebase
C. Parent device-group pre-rulebase
D. Local firewall policy

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 126/157

Answer: B
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-web-
interface/defining-policies-on-panorama

Question: 299

Which type of DNS signatures are used by the firewall to identify malicious and command-and-
control domains?

om
A. DNS Malicious signatures
B. DNS Malware signatures

.c
C. DNS Block signatures
D. DNS Security signatures

ps
Answer: D

m
Explanation:

du
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/enable-dns-
am
security#tabs-id066476b2-c4dd-4fc0-b7e4-f4ba32e19f60
ex

Question: 300
id

Which three types of entries can be excluded from an external dynamic list (EDL)? (Choose three.)
al
.v

A. IP addresses
B. Domains
w

C. User-ID
w

D. URLs
w

E. Applications
//
s:

Answer: ABD
Explanation:
tp
ht

Three types of entries that can be excluded from an external dynamic list (EDL) are IP addresses,
domains, and URLs. An EDL is a text file that is hosted on an external web server and contains a list of
objects, such as IP addresses, URLs, domains, International Mobile Equipment Identities (IMEIs), or
International Mobile Subscriber Identities (IMSIs) that the firewall can import and use in policy rules.
You can exclude entries from an EDL to prevent the firewall from enforcing policy on those
entries. For example, you can exclude benign domains that applications use for background traffic
from Authentication policy1. To exclude entries from an EDL, you need to:
Select the EDL on the firewall and click Manual Exceptions.
Add the entries that you want to exclude in the Manual Exceptions list. The entries must match the
type and format of the EDL. For example, if the EDL contains IP addresses, you can only exclude IP
addresses.
Click OK to save the changes. The firewall will not enforce policy on the excluded entries.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 127/157

Reference: Exclude Entries from an External Dynamic List, External Dynamic List, Certifications - Palo
Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or Palo
Alto Networks Certified Network Security Administrator (PAN-OS 10.0).

Question: 301

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication
Sequence SYS01," and the authentication sequence SYS01 has a profile list with four authentication
profiles:
• Auth Profile LDAP
• Auth Profile Radius

om
• Auth Profile Local
• Auth Profile TACACS
After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable

.c
but has lost the "SYS01 Admin" username and password.

ps
What is the "SYS01 Admin" login capability after the outage?

m
A. Auth KO because RADIUS server lost user and password for SYS01 Admin

du
B. Auth KO because LDAP server is not reachable
C. Auth OK because of the Auth Profile Local
am
D. Auth OK because of the Auth Profile TACACS -

Answer: C
ex

Explanation:
id

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-an-
al

authentication-profile-and-sequence
.v
w

Question: 302
w

In which two Security Profiles can an action equal to the block IP feature be configured? (Choose
w

two.)
//
s:

A. Antivirus
tp

B. URL Filtering
C. Vulnerability Protection
ht

D. Anti-spyware

Answer: CD
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-
profiles/actions-in-security-profiles

Question: 303

What are two valid selections within an Anti-Spyware profile? (Choose two.)

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 128/157

A. Default
B. Deny
C. Random early drop
D. Drop

Answer: AD
Explanation:

Deny is a policy action, random early drop is part of the inner workings of DoS protection

om
Question: 304

.c
When is an event displayed under threat logs?

ps
A. When traffic matches a corresponding Security Profile
B. When traffic matches any Security policy

m
C. Every time a session is blocked

du
D. Every time the firewall drops a connection
am
Answer: A
Explanation:
ex

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-
id

logs/log-types-and-severity-levels/threat-
al

logs#:~:text=Threat%20logs%20display%20entries%20when,security%20rule%20on%20the%20firew
all.
.v
w

Question: 305
w
w

Which Security profile should be applied in order to protect against illegal code execution?
//

A. Vulnerability Protection profile on allowed traffic

s:

B. Antivirus profile on allowed traffic

tp

C. Antivirus profile on denied traffic

ht

D. Vulnerability Protection profile on denied traffic

Answer: A
Explanation:

The Security profile that should be applied in order to protect against illegal code execution is the
Vulnerability Protection profile on allowed traffic. The Vulnerability Protection profile defines the
actions that the firewall takes to protect against exploits and vulnerabilities in applications and
protocols. The firewall can block or alert on traffic that matches a specific threat signature or a group
of threats. The Vulnerability Protection profile can prevent illegal code execution by detecting and
blocking attempts to exploit buffer overflows, format string vulnerabilities, or other code injection
techniques1. To apply the Vulnerability Protection profile on allowed traffic, you need to:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 129/157

Create or modify a Vulnerability Protection profile on the firewall or Panorama and configure the
rules and exceptions for the threats that you want to protect against2.
Attach the Vulnerability Protection profile to a Security policy rule that allows traffic that you want to
scan for vulnerabilities3.
Commit the changes to the firewall or Panorama and the managed firewalls.
Reference: Vulnerability Protection Profile, Create a Vulnerability Protection Profile, Attach a
Vulnerability Protection Profile to a Security Policy Rule, Certifications - Palo Alto Networks, Palo Alto
Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified
Network Security Administrator (PAN-OS 10.0)].

Question: 306

om
Which three types of Source NAT are available to users inside a NGFW? (Choose three.)

.c
A. Dynamic IP and Port (DIPP)

ps
B. Static IP
C. Static Port

m
D. Dynamic IP

du
E. Static IP and Port (SIPP) am
Answer: ABE
Explanation:
ex

Question: 307
id
al

Refer to the exhibit.

.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 130/157

om
.c
ps
m
du
am
ex
id
al
.v

Based on the network diagram provided, which two statements apply to traffic between the User
w

and Server networks? (Choose two.)

w
w

A. Traffic is permitted through the default intrazone "allow" rule.

B. Traffic restrictions are possible by modifying intrazone rules.
//

C. Traffic restrictions are not possible, because the networks are in the same zone.
s:

D. Traffic is permitted through the default interzone "allow" rule.

tp

Answer: AB
ht

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail? id=kA10g000000ClTHCA0&lang=es

Question: 308

Which two types of profiles are needed to create an authentication sequence? (Choose two.)

A. Server profile
B. Authentication profile

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 131/157

C. Security profile
D. Interface Management profile

Answer: AB
Explanation:

In the FW you define an Auth sequence which specifies the Auth Profile. If you click add on an Auth
Profile and define one named TACACS for example, the Auth Profile calls in the TACACS+ Server
Profile.

Question: 309

om
Which setting is available to edit when a tag is created on the local firewall?

.c
A. Location

ps
B. Color
C. Order

m
D. Priority

du Answer: B
am
Explanation:
ex

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-
tags/create-tags
id
al

Question: 310
.v

What is the best-practice approach to logging traffic that traverses the firewall?
w
w

A. Enable both log at session start and log at session end.

w

B. Enable log at session start only.

C. Enable log at session end only.
//

D. Disable all logging options.

s:
tp

Answer: C
ht

Explanation:

The best-practice approach to logging traffic that traverses the firewall is to enable log at session end
only. This option allows the firewall to generate a log entry only when a session ends, which reduces
the load on the firewall and the log storage. The log entry contains information such as the source
and destination IP addresses, ports, zones, application, user, bytes, packets, and duration of the
session. The log at session end option also provides more accurate information about the session,
such as the final application and user, the total bytes and packets, and the session end reason1. To
enable log at session end only, you need to:
Create or modify a Security policy rule that matches the traffic that you want to log.
Select the Actions tab in the policy rule and check the Log at Session End option.
Commit the changes to the firewall or Panorama and the managed firewalls.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 132/157

Reference: View and Manage Logs, Log at Session End, Certifications - Palo Alto Networks, [Palo Alto
Networks Certified Network Security Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified
Network Security Administrator (PAN-OS 10.0)].

Question: 311

Where in Panorama Would Zone Protection profiles be configured?

A. Shared
B. Templates
C. Device Groups

om
D. Panorama tab

Answer: B

.c
Explanation:

ps
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/use-case-

m
configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/use-

du
templates-to-administer-a-base-configuration
am
Question: 312
ex

Based on the image provided, which two statements apply to the Security policy rules? (Choose
two.)
id
al
.v
w
w
// w
s:

A. The Allow-Office-Programs rule is using an application filter.

B. The Allow-Office-Programs rule is using an application group.
tp

C. The Allow-Social-Media rule allows all Facebook functions.

ht

D. In the Allow-FTP policy, FTP is allowed using App-ID.

Answer: AC
Explanation:

Question: 313

How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to
destination ports tcp/22 and tcp/4422?

A. The admin creates a custom service object named "tcp-4422" with port tcp/4422.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 133/157

The admin then creates a Security policy allowing application "ssh" and service "tcp-4422".
B. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422". and service
"application-default".
C. The admin creates a Security policy allowing application "ssh" and service "application-default".
D. The admin creates a custom service object named "tcp-4422" with port tcp/4422.
The admin also creates a custom service object named "tcp-22" with port tcp/22.
The admin then creates a Security policy allowing application "ssh", service "tcp-4422". and service
"tcp-22".

Answer: D

om
Explanation:

Question: 314

.c
ps
Which feature must be configured to enable a data plane interface to submit DNS queries originated
from the firewall on behalf of the control plane?

m
du
A. Service route
B. Admin role profile
am
C. DNS proxy
D. Virtual router
ex

Answer: A
id

Explanation:
al

By default, the firewall uses the management (MGT) interface to access external services, such as
.v

DNS servers, external authentication servers, Palo Alto Netw orks services such as soft ware, URL
w

updates, licenses, and AutoFocus. An alternative to using the MGT interface is configuring a data port
w

(a standard interface) to access these services. The path from the interface to th e service on a server
is aservice route. [Palo Alto Networks]
// w

PAN-OS 10 -> Device -> Setup -> Services -> Service Features -> Service Route Configuration
s:
tp

Question: 315
ht

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ
zones. The administrator does not change the rule type from its default value.
What type of Security policy rule is created?

A. Tagged
B. Intrazone
C. Universal
D. Interzone

Answer: C
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 134/157

Question: 316

When HTTPS for management and GlobalProtect are enabled on the same data plane interface,
which TCP port is used for management access?

A. 80
B. 443
C. 4443
D. 8443

om
Answer: C
Explanation:

.c
The GlobalProtect Portal can be accessed by going to the IP address of the designated interface using

ps
https on port 443. The WebUI on the same interface can be accessed by going to the interface's IP
address using https on port 4443. The port for WebUI management is changed because the tcp/443

m
socket used by GlobalProtect takes precedence

Question: 317 du
am
An administrator manages a network with 300 addresses that require translation. The administrator
ex

configured NAT with an address pool of 240 addresses and found that connections from addresses
that needed new translations were being dropped.
id

Which type of NAT was configured?

al

A. Static IP
.v

B. Dynamic IP
w

C. Destination NAT
w

D. Dynamic IP and Port

w

Answer: B
//

Explanation:
s:
tp

The size of the NAT pool should be equal to the number of internal hosts that require address
ht

translations. By default, if the source address pool is larger than the NAT address pool and eventually
all of the NAT addresses are allocated, new connections that need address translation are dropped.
To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable the use of DIPP
addresses when necessary

Question: 318

What are the two main reasons a custom application is created? (Choose two.)

A. To correctly identify an internal application in the traffic log

B. To change the default categorization of an application
C. To visually group similar applications

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 135/157

D. To reduce unidentified traffic on a network

Answer: AD
Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-
policy/create-a-custom-application

Question: 319

What Policy Optimizer policy view differ from the Security policy do?

om
A. It shows rules that are missing Security profile configurations.

.c
B. It indicates rules with App-ID that are not configured as port-based.
C. It shows rules with the same Source Zones and Destination Zones.

ps
D. It indicates that a broader rule matching the criteria is configured above a more specific rule.

m
Answer: B

du
Explanation:
am
Policy Optimizer policy view differs from the Security policy view in several ways. One of them is that
it indicates rules with App-ID that are not configured as port-based. These are rules that have the
ex

application set to “any” instead of a specific application or group of applications. These rules are
overly permissive and can introduce security gaps, as they allow any application traffic on the
id

specified ports. Policy Optimizer helps you convert these rules to application-based rules that follow
al

the principle of least privilege access12. You can use Policy Optimizer to discover and convert port-
based rules to application-based rules, and also to remove unused applications, eliminate unused
.v

rules, and discover new applications that match your policy criteria3. Reference:
w

Policy Optimizer Best Practices - Palo Alto Networks

w

Manage: Policy Optimizer - Palo Alto Networks | TechDocs

Why use Security Policy Optimizer and what are the benefits?
// w

Question: 320
s:
tp

How does the Policy Optimizer policy view differ from the Security policy view?
ht

A. It provides sorting options that do not affect rule order.

B. It displays rule utilization.
C. It details associated zones.
D. It specifies applications seen by rules.

Answer: A
Explanation:

You can’t filter or sort rules in PoliciesSecurity because that would change the order of the policy
rules in the rulebase. Filtering and sorting PoliciesSecurityPolicy OptimizerNo App Specified,
PoliciesSecurityPolicy OptimizerUnused Apps, and PoliciesSecurityPolicy OptimizerNew App Viewer

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 136/157

(if you have a SaaS Inline Security subscription) does not change the order of the rules in the
rulebase. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-
rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules

Question: 321

Which System log severity level would be displayed as a result of a user password change?

A. High
B. Critical
C. Medium

om
D. Low

Answer: D

.c
Explanation:

ps
System logs display entries for each system event on the firewall.

m
1. Critical - Hardware failures, including high availability (HA) failover and link failures.

du
2. High - Serious issues, including dropped connections with external devices, such as LDAP and
RADIUS servers.
am
3. Medium - Mid-level notifications, such as antivirus package upgrades.
4. Low - Minor severity notifications, such as user password changes.
ex

5. Informational - Log in/log off, administrator name or password change, any configuration change,
and all other events not covered by the other severity levels.
id

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/view-and-manage-
al

logs/log-types-and-severity-levels/system-logs#id8edbfdae-ed92-4d8e-ab76-6a38f96e8cb1
.v
w

Question: 322
w

Which situation is recorded as a system log?

// w

A. An attempt to access a spoofed website has been blocked.

s:

B. A connection with an authentication server has been dropped.

tp

C. A file that has been analyzed is potentially dangerous for the system.
D. A new asset has been discovered on the network.
ht

Answer: B
Explanation:

Question: 323

Where within the URL Filtering security profile must a user configure the action to prevent credential
submissions?

A. URL Filtering > Inline Categorization

B. URL Filtering > Categories

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 137/157

C. URL Filtering > URL Filtering Settings

D. URL Filtering > HTTP Header Insertion

Answer: B
Explanation:

URL filtering technology protects users from web-based threats by providing granular control over
user access and interaction with content on the Internet. You can develop a URL filtering policy that
limits access to sites based on URL categories, users, and groups. For example, you can block access
to sites known to host malware and prevent end users from entering corporate credentials to sites in
certain categories.

om
Question: 324

.c
Which two features implement one-to-one translation of a source IP address while allowing the

ps
source port to change? (Choose two.)

m
A. Static IP

du
B. Dynamic IP / Port Fallback
C. Dynamic IP
am
D. Dynamic IP and Port (DIPP)
ex

Answer: AD
Explanation:
id
al

Static IP and Dynamic IP and Port (DIPP) are two features that implement one-to-one translation of a
source IP address while allowing the source port to change. Static IP translates a single source
.v

address to a specific public address, and allows the source port to change dynamically1. Dynamic IP
w

and Port (DIPP) translates the source IP address or range to a single IP address, and uses the source
w

port to differentiate between multiple source IPs that share the same translated address2. Both of
these features provide a one-to-one translation of IP addresses, but do not restrict the source
w

port. Reference:
//

Static IP - Palo Alto Networks

s:

Dynamic IP and Port - Palo Alto Networks

tp

Question: 325
ht

A network administrator creates an intrazone security policy rule on a NGFW. The source zones are
set to IT. Finance, and HR.
To which two types of traffic will the rule apply? (Choose two.)

A. Within zone HR
B. Within zone IT
C. Between zone IT and zone HR
D. Between zone IT and zone Finance

Answer: AB

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 138/157

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTHCA0

Question: 326

An organization has some applications that are restricted for access by the Human Resources
Department only, and other applications that are available for any known user in the organization.
What object is best suited for this configuration?

A. Application Group

om
B. Tag
C. External Dynamic List
D. Application Filter

.c
ps
Answer: A
Explanation:

m
du
Question: 327
am
Which order of steps is the correct way to create a static route?
ex

A.
1) Enter the route and netmask
id

2) Enter the IP address for the specific next hop

al

3) Specify the outgoing interface for packets to use to go to the next hop
4) Add an IPv4 or IPv6 route by name
.v

B.
w

1) Enter the route and netmask

w

2) Specify the outgoing interface for packets to use to go to the next hop
3) Enter the IP address for the specific next hop
w

4) Add an IPv4 or IPv6 route by name

//

C.
s:

1) Enter the IP address for the specific next hop

tp

2) Enter the route and netmask

3) Add an IPv4 or IPv6 route by name
ht

4) Specify the outgoing interface for packets to use to go to the next hop
D.
1) Enter the IP address for the specific next hop
2) Add an IPv4 or IPv6 route by name
3) Enter the route and netmask
4) Specify the outgoing interface for packets to use to go to the next hop

Answer: A
Explanation:

Enter the route and netmask

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 139/157

Enter the IP address for the specific next hop

Specify the outgoing interface for packets to use to go to the next hop
Add an IPv4 or IPv6 route by name Comprehensive This is the correct order of steps to create a static
route in a virtual router on the firewall. The first step is to enter the route and netmask for the
destination network, such as 192.168.2.2/24 for an IPv4 address or 2001:db8:123:1::1/64 for an IPv6
address. The second step is to enter the IP address for the specific next hop, such as 192.168.56.1 or
2001:db8:49e:1::1. The third step is to specify the outgoing interface for packets to use to go to the
next hop, such as ethernet1/1. The fourth step is to add an IPv4 or IPv6 route by name, such as
route11. Reference:
Configure a Static Route - Palo Alto Networks

Question: 328

om
Which two actions are needed for an administrator to get real-time WildFire signatures? (Choose
two.)

.c
ps
A. Obtain a Threat Prevention subscription.
B. Enable Dynamic Updates.

m
C. Move within the WildFire public cloud region.

du
D. Obtain a WildFire subscription. am
Answer: BD
Explanation:
ex

https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-
id

100/wildfire-real-time-signature-updates
al

Question: 329
.v
w

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using
w

Panorama?
w

A. Panorama > Device Deployment > Dynamic Updates > Schedules > Add
//

B. Panorama > Device Deployment > Content Updates > Schedules > Add
s:

C. Panorama > Dynamic Updates > Device Deployment > Schedules > Add
tp

D. Panorama > Content Updates > Device Deployment > Schedules > Add
ht

Answer: A
Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-
updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-
update-using-panorama

Question: 330

Which Security policy action will message a user's browser that their web session has been
terminated?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 140/157

A. Drop
B. Deny
C. Reset client
D. Reset server

Answer: C
Explanation:

Sending a reset only to the client would ensure, for example, internal hosts receive a notification the
session was reset and the browser is not left spinning or the application can close the established

om
session while the remote server is left unaware.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClltCAC

.c
Question: 331

ps
Which two addresses should be reserved to enable DNS sinkholing? (Choose two.)

m
du
A. IPv6
B. Email
am
C. IPv4
D. MAC
ex

Answer: AC
id

Explanation:
al

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0
.v
w

Question: 332
w
w

Which feature enables an administrator to review the Security policy rule base for unused rules?
//
s:

A. Test Policy Match

tp
ht

B. Policy Optimizer

C. View Rulebase as Groups

D. Security policy tags eb

Answer: B
Explanation:

Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an
App-ID based rulebase, which improves your security by reducing the attack surface and gaining
visibility into applications so you can safely enable them. Policy Optimizer can also identify unused

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 141/157

rules, duplicate rules, and rules that can be merged or reordered to optimize your rulebase. You can
use Policy Optimizer to review the usage statistics of your rules and take actions to clean up or
modify your rulebase as needed1. Reference: Security Policy Rule Optimization, Updated
Certifications for PAN-OS 10.1, Free PCNSE Questions for Palo Alto Networks PCNSE Exam

Question: 333

A systems administrator momentarily loses track of which is the test environment firewall and which
is the production firewall. The administrator makes changes to the candidate configuration of the
production firewall, but does not commit the changes. In addition, the configuration was not saved

om
prior to
making the changes.

.c
Which action will allow the administrator to undo the changes?

ps
A. Load configuration version, and choose the first item on the list.

m
du
B. Load named configuration snapshot, and choose the first item on the list.
am
C. Revert to last saved configuration.

D. Revert to running configuration.

ex
id

Answer: D
Explanation:
al
.v

Reverting to the running configuration will undo the changes made to the candidate configuration
w

since the last commit. This operation will replace the settings in the current candidate configuration
with the settings from the running configuration. The firewall provides the option to revert all the
w

changes or only specific changes by administrator or location1. Reference: Revert Firewall

w

Configuration Changes, How to Revert to a Previous Configuration, How to revert uncommitted

//

changes on the firewall?.

s:
tp

Question: 334
ht

What is used to monitor Security policy applications and usage?

A. Policy Optimizer

B. App-ID

C. Security profile

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 142/157

D. Policy-based forwarding

Answer: A
Explanation:

Question: 335

What is a default setting for NAT Translated Packets when the destination NAT translation is selected
as Dynamic IP (with session distribution)?

om
A. IP Hash

.c
B. Source IP Hash

ps
C. Round Robin

m
D. Least Sessions

du Answer: C
am
Explanation:
ex

When the destination NAT translation is selected as Dynamic IP (with session distribution), the
firewall uses a round-robin algorithm to distribute sessions among the available IP addresses that are
id

resolved from the FQDN. This option allows you to load-balance traffic to multiple servers that have
al

dynamic IP addresses1. Reference: Destination NAT, NAT, Getting Started: Network Address
Translation (NAT).
.v
w

Question: 336
w
w

Which table for NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings is available only on
//

Panorama?
s:
tp

A. NAT Target Tab

ht

B. NAT Active/Active HA Binding Tab

C. NAT Translated Packet Tab

D. NAT Policies General Tab

Answer: A
Explanation:

The NAT Target tab is a table that allows you to specify the target firewalls or device groups for each
NAT policy rule on Panorama. This tab is available only on Panorama and not on individual firewalls.

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 143/157

The NAT Target tab enables you to create a single NAT policy rulebase on Panorama and then
selectively push the rules to the firewalls or device groups that require them. This reduces the
complexity and duplication of managing NAT policies across multiple firewalls1. Reference: NAT
Target Tab, NAT Policy Overview, NPTv6 Overview, Updated Certifications for PAN-OS 10.1.

Question: 337

Which three Ethernet interface types are configurable on the Palo Alto Networks firewall? (Choose
three.)

om
A. Virtual Wire

B. Tap

.c
ps
C. Dynamic

m
D. Layer 3

du
E. Static
am
Answer: ABD
ex

Explanation:
id

Palo Alto Networks firewalls support three types of Ethernet interfaces that can be configured on the
firewall: virtual wire, tap, and layer 31. These interface types determine how the firewall processes
al

traffic and applies security policies. Some of the characteristics of these interface types are:
.v

Virtual Wire: A virtual wire interface allows the firewall to transparently pass traffic between two
w

network segments without modifying the packets or affecting the routing. The firewall can still apply
security policies and inspect the traffic based on the source and destination zones of the virtual
w

wire2.
w

Tap: A tap interface allows the firewall to passively monitor traffic from a network switch or router
//

without affecting the traffic flow. The firewall can only receive traffic from a tap interface and cannot
s:

send traffic out of it. The firewall can apply security policies and inspect the traffic based on the
source and destination zones of the tap interface3.
tp

Layer 3: A layer 3 interface allows the firewall to act as a router and participate in the network
ht

routing. The firewall can send and receive traffic from a layer 3 interface and apply security policies
and inspect the traffic based on the source and destination IP addresses and zones of the interface4.
Reference: Ethernet Interface Types, Virtual Wire Interfaces, Tap Interfaces, Layer 3
Interfaces, Updated Certifications for PAN-OS 10.1, [Palo Alto Networks Certified Network Security
Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified Network Security Administrator (PAN-
OS 10.0)].

Question: 338

Which action can be performed when grouping rules by group tags?

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 144/157

A. Delete Tagged Rule(s)

B. Edit Selected Rule(s)

C. Apply Tag to the Selected Rule(s)

D. Tag Selected Rule(s)

Answer: D

om
Explanation:

.c
When grouping rules by group tags, the action that can be performed is to tag selected rule(s). This

ps
action allows you to assign one or more tags to the selected rules, which will group them together
and display them under the corresponding tag group. You can use tags to organize and visually

m
distinguish your rules based on different criteria, such as function, location, or

du
priority1. Reference: View Rules by Tag Group, Use Tags to Group and Visually Distinguish
Objects, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security
am
Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-
OS 10.0)].
ex

Question: 339
id
al

Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security
.v

policy?
w

A. Objects > Dynamic Updates > Review App-IDs

w
w

B. Device > Dynamic Updates > Review Policies

//
s:

C. Device > Dynamic Updates > Review App-IDs

tp

D. Objects > Dynamic Updates > Review Policies

ht

Answer: C
Explanation:

To see how new and modified App-IDs impact your Security policy, you need to follow the path
Device > Dynamic Updates > Review App-IDs on PAN-OS 11.x. This option allows you to perform a
content update policy review for both downloaded and installed content. You can view the list of
new and modified App-IDs and their descriptions, and see which Security policy rules are affected by
them. You can also modify the rules or create new ones to adjust your Security policy as
needed1. Reference: See How New and Modified App-IDs Impact Your Security Policy, Updated
Certifications for PAN-OS 10.1, Palo Alto Networks Certified Network Security Administrator (PAN-OS

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 145/157

10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Question: 340

An administrator wants to enable access to www.paloaltonetworks.com while denying access to all

other sites in the same category.

Which object should the administrator create to use as a match condition for the security policy rule
that allows access to www.paloaltonetworks.com?

om
A. Application group

B. Address ab

.c
ps
C. URL category

m
D. Service

du Answer: C
am
Explanation:
ex

A URL category object is the object that the administrator should create to use as a match condition
for the security policy rule that allows access to www.paloaltonetworks.com while denying access to
id

all other sites in the same category. A URL category object allows the administrator to define a
custom list of URLs that belong to a specific category, such as Business and Economy. The
al

administrator can then use this object in a security policy rule to allow or deny access to the URLs
.v

based on the category1. For example, the administrator can create a URL category object that
w

contains www.paloaltonetworks.com and assign it to the Business and Economy category. Then, the
administrator can create a security policy rule that allows access to this URL category object and
w

denies access to the predefined Business and Economy category2. Reference: Create a Custom URL
w

Category, Create a Security Policy Rule to Allow or Deny Access to a Custom URL
//

Category, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security
s:

Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-
OS 10.0)].
tp
ht

Question: 341

When a security rule is configured as Intrazone, which field cannot be changed?

A. Actions

B. Source Zone

C. Application

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 146/157

D. Destination Zone

Answer: D
Explanation:

When a security rule is configured as Intrazone, the destination zone field cannot be changed. This is
because an intrazone rule applies to traffic that originates and terminates in the same zone. The
destination zone is automatically set to the same value as the source zone and cannot be
modified1. An intrazone rule allows you to control and inspect traffic within a zone, such as applying

om
security profiles or logging options2. Reference: What are Universal, Intrazone and Interzone
Rules?, Security Policy, Updated Certifications for PAN-OS 10.1, Palo Alto Networks Certified Network
Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security

.c
Administrator (PAN-OS 10.0)].

ps
Question: 342

m
du
In which two Security Profiles can an action equal to the block IP feature be configured? (Choose
am
two.)
ex

A. URL Filtering
id

B. Vulnerability Protection
al

C. Antivirus b
.v
w

D. Anti-spyware
w

Answer: BD
w

Explanation:
//
s:

The block IP feature can be configured in two Security Profiles: Vulnerability Protection and Anti-
tp

spyware. The block IP feature allows the firewall to block traffic from a source IP address for a
specified period of time after detecting a threat. This feature can help prevent further attacks from
ht

the same source and reduce the load on the firewall1. The block IP feature can be enabled in the
following Security Profiles:
Vulnerability Protection: A Vulnerability Protection profile defines the actions that the firewall takes
to protect against exploits and vulnerabilities in applications and protocols. You can configure a rule
in the Vulnerability Protection profile to block IP connections for a specific threat or a group of
threats2.
Anti-spyware: An Anti-spyware profile defines the actions that the firewall takes to protect against
spyware and command-and-control (C2) traffic. You can configure a rule in the Anti-spyware profile
to block IP addresses for a specific spyware or C2 signature.
Reference: Monitor Blocked IP Addresses, Block IP Addresses, Vulnerability Protection Profile, [Anti-
Spyware Profile], Certifications - Palo Alto Networks, [Palo Alto Networks Certified Network Security

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 147/157

Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified Network Security Administrator (PAN-
OS 10.0)].

Question: 343

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?

A. Network ab

B. Policies

om
C. Objects

.c
D. Device

ps
Answer: C

m
Explanation:

du
URL Filtering profiles are configured in the Objects section of the PAN-OS GUI. A URL Filtering profile
am
defines the actions that the firewall takes for different URL categories, such as allow, block, alert,
continue, or override. You can also configure settings for credential phishing prevention, URL filtering
ex

inline machine learning, and safe search enforcement in a URL Filtering profile1. To create or modify
a URL Filtering profile, you need to go to Objects > Security Profiles > URL Filtering2. Reference: URL
id

Filtering Profile, Create a URL Filtering Profile, Updated Certifications for PAN-OS 10.1, Palo Alto
Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified
al

Network Security Administrator (PAN-OS 10.0)].

.v
w

Question: 344
w
w

What are three valid source or D=destination conditions available as Security policy qualifiers?
//

(Choose three.)
s:
tp

A. Service
ht

B. User

C. Application

D. Address

E. Zone ab

Answer: BCE

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 148/157

Explanation:

Three valid source or destination conditions available as Security policy qualifiers are User,
Application, and Zone. These qualifiers allow you to define the match criteria for a Security policy
rule based on the identity of the user, the application used, and the zone where the traffic originates
or terminates. You can use these qualifiers to enforce granular security policies that control access to
network resources and prevent threats1. Some of the characteristics of these qualifiers are:
User: The User qualifier allows you to specify the source or destination user or user group for a
Security policy rule. The firewall can identify users based on various methods, such as User-ID,
Captive Portal, or GlobalProtect. You can use the User qualifier to apply different security policies for
different users or user groups, such as allowing access to certain applications or resources based on
user roles or privileges2.

om
Application: The Application qualifier allows you to specify the application or application group for a
Security policy rule. The firewall can identify applications based on App-ID, which is a technology that

.c
classifies applications based on multiple attributes, such as signatures, protocol decoders, heuristics,

ps
and SSL decryption. You can use the Application qualifier to allow or deny access to specific
applications or application groups, such as enabling web browsing but blocking social networking or

m
file sharing3.
Zone: The Zone qualifier allows you to specify the source or destination zone for a Security policy

du
rule. A zone is a logical grouping of one or more interfaces that have similar functions or security
requirements. The firewall can apply security policies based on the zones where the traffic originates
am
or terminates, such as intrazone, interzone, or universal. You can use the Zone qualifier to segment
your network and isolate traffic based on different trust levels or network functions4.
ex

Reference: Security Policy, Zones, User-ID, App-ID, Certifications - Palo Alto Networks, [Palo Alto
Networks Certified Network Security Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified
id

Network Security Administrator (PAN-OS 10.0)].

al

Question: 345
.v
w
w

In which three places on the PAN-OS interface can the application characteristics be found? (Choose
w

three.)
//

A. Objects tab > Application Filters

s:
tp

B. Policies tab > Security

ht

C. ACC tab > Global Filters

D. Objects tab > Application Groups

E. Objects tab > Applications

Answer: ADE
Explanation:

The application characteristics can be found in three places on the PAN-OS interface: Objects tab >
Application Filters, Objects tab > Application Groups, and Objects tab > Applications. These places

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 149/157

allow you to view and manage the applications and application groups that are used in your Security
policy rules. You can also create custom applications and application filters based on various
attributes, such as category, subcategory, technology, risk, and behavior1. Some of the
characteristics of these places are:
Objects tab > Application Filters: An application filter is a dynamic object that groups applications
based on specific criteria. You can use an application filter to match multiple applications in a
Security policy rule without having to list them individually. For example, you can create an
application filter that includes all applications that have a high risk level or use peer-to-peer
technology.
Objects tab > Application Groups: An application group is a static object that groups applications
based on your custom requirements. You can use an application group to match multiple applications
in a Security policy rule without having to list them individually. For example, you can create an

om
application group that includes all applications that are related to a specific business function or
project.

.c
Objects tab > Applications: An application is an object that identifies and classifies network traffic

ps
based on App-ID, which is a technology that uses multiple attributes to identify applications. You can
use an application to match a specific application in a Security policy rule and control its access and

m
behavior. For example, you can use an application to allow web browsing but block file sharing or
social networking.

du
Reference: Objects, [Application Filters], [Application Groups], [Applications], Updated Certifications
for PAN-OS 10.1, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo
am
Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].
ex

Question: 346
id
al

An administrator wants to reference the same address object in Security policies on 100 Panorama
.v

managed firewalls, across 10 device groups and five templates.

w

Which configuration action should the administrator take when creating the address object?
w
w

A. Ensure that the Shared option is checked.

//

B. Ensure that the Shared option is cleared.

s:
tp

C. Ensure that Disable Override is cleared.

ht

D. Tag the address object with the Global tag.

Answer: A
Explanation:

To reference the same address object in Security policies on 100 Panorama-managed firewalls, across
10 device groups and five templates, the administrator should ensure that the Shared option is
checked when creating the address object. This option allows the administrator to create a shared
address object that is available to all device groups and templates on Panorama. The shared address

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 150/157

object can then be used in multiple firewall policy rules, filters, and other functions1. This reduces
the complexity and duplication of managing address objects across multiple
firewalls2. Reference: Address Objects, Create a Shared Address Object, Certifications - Palo Alto
Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto
Networks Certified Network Security Administrator (PAN-OS 10.0)].

Question: 347

What are three configurable interface types for a data-plane ethernet interface? (Choose three.)

om
A. Layer 3
B. HSCI

.c
C. VWire

ps
D. Layer 2

m
du
E. Management am
Answer: ACD
Explanation:
ex

Three configurable interface types for a data-plane ethernet interface are Layer 3, VWire, and Layer
id

2. These interface types determine how the firewall processes traffic and applies security policies.
Some of the characteristics of these interface types are:
al

Layer 3: A layer 3 interface allows the firewall to act as a router and participate in the network
.v

routing. The firewall can send and receive traffic from a layer 3 interface and apply security policies
w

and inspect the traffic based on the source and destination IP addresses and zones of the interface1.
VWire: A virtual wire interface allows the firewall to transparently pass traffic between two network
w

segments without modifying the packets or affecting the routing. The firewall can still apply security
w

policies and inspect the traffic based on the source and destination zones of the virtual wire2.
//

Layer 2: A layer 2 interface allows the firewall to act as a switch and forward traffic based on MAC
s:

addresses. The firewall can send and receive traffic from a layer 2 interface and apply security
policies and inspect the traffic based on the source and destination zones of the interface3.
tp

Reference: Ethernet Interface Types, Virtual Wire Interfaces, Layer 2 Interfaces, Layer 3 Interfaces,
ht

[Certifications - Palo Alto Networks], [Palo Alto Networks Certified Network Security Administrator
(PAN-OS 10.0)] or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Question: 348

Where does a user assign a tag group to a policy rule in the policy creation window?

A. Application tab

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 151/157

B. General tab

C. Actions tab

D. Usage tab

Answer: B
Explanation:

om
A user can assign a tag group to a policy rule in the policy creation window by selecting the General
tab. A tag group is a collection of tags that can be used to identify and filter policy rules based on

.c
different criteria, such as function, location, or priority. A user can create a tag group on Panorama

ps
and assign it to a policy rule to apply the same set of tags to multiple firewalls or device groups1. To
assign a tag group to a policy rule, the user needs to:

m
Select the General tab in the policy creation window.

du
Click the Tag Group drop-down menu and select the tag group that the user wants to assign to the
policy rule.
am
Click OK to save the changes. The policy rule will inherit the tags from the tag group and display them
in the Tag column.
Reference: Assign a Tag Group to a Policy Rule, Policy, Certifications - Palo Alto Networks, Palo Alto
ex

Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified
id

Network Security Administrator (PAN-OS 10.0)].

al

Question: 349
.v
w

Which policy set should be used to ensure that a policy is applied just before the default security
w

rules?
// w

A. Parent device-group post-rulebase

s:

B. Child device-group post-rulebase

tp

C. Local Firewall policy

ht

D. Shared post-rulebase

Answer: D
Explanation:

The policy set that should be used to ensure that a policy is applied just before the default security
rules is the shared post-rulebase. The shared post-rulebase is a set of Security policy rules that are
defined on Panorama and apply to all firewalls or device groups. The shared post-rulebase is
evaluated after the local firewall policy and the child device-group post-rulebase, but before the

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 152/157

default security rules. The shared post-rulebase can be used to enforce common security policies
across multiple firewalls or device groups, such as blocking high-risk applications or
traffic1. Reference: Security Policy Rule Hierarchy, Security Policy Rulebase, Certifications - Palo Alto
Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto
Networks Certified Network Security Administrator (PAN-OS 10.0)].

Question: 350

om
In which two types of NAT can oversubscription be used? (Choose two.)

A. Static IP

.c
B. Destination NAT

ps
C. Dynamic IP and Port (DIPP)
D. Dynamic IP

m
du
Answer: CD
Explanation:
am
Oversubscription is a feature that allows you to use more private IP addresses than public IP
ex

addresses for NAT. This means that multiple private IP addresses can share the same public IP
address, as long as they use different ports. Oversubscription can be used in two types of NAT:
id

Dynamic IP and Port (DIPP) and Dynamic IP. DIPP NAT translates both the source IP address and the
source port number of the outgoing packets, and can have an oversubscription rate greater than 1.
al

Dynamic IP NAT translates only the source IP address of the outgoing packets, and can have an
.v

oversubscription rate of 1 or less. Static IP and Destination NAT do not support oversubscription, as
w

they require a one-to-one mapping between the private and public IP addresses. Reference: Source
NAT, Configure NAT, NAT
w
w

Question: 351
//
s:
tp

Where in the PAN-OS GUI can an administrator monitor the rule usage for a specified period of time?
ht

A. Objects > Schedules

B. Policies > Policy Optimizer
C. Monitor > Packet Capture
D. Monitor > Reports

Answer: B
Explanation:

The Policy Optimizer is a feature in the PAN-OS GUI that allows an administrator to monitor the rule

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 153/157

usage for a specified period of time, as well as optimize the security policies based on the traffic logs
and recommendations. The Policy Optimizer can help the administrator to improve the security
posture, reduce the attack surface, and simplify the policy management. The Policy Optimizer can be
accessed from Policies > Policy Optimizer in the PAN-OS GUI. Reference: Policy Optimizer, View Policy
Rule Usage, Updated Certifications for PAN-OS 10.1

Question: 352

Which security profile should be used to classify malicious web content?

om
A. URL Filtering

B. Antivirus

.c
ps
C. Web Content

m
D. Vulnerability Protection

du Answer: A
am
Explanation:
ex

URL Filtering is a security profile that allows you to classify web content based on the URL category
and reputation of the website. URL Filtering can help you block access to malicious web content,
id

such as phishing, malware, or command and control sites, as well as enforce acceptable use policies
for web browsing. URL Filtering uses the PAN-DB cloud service to provide up-to-date information on
al

the URL categories and reputations of millions of websites. You can configure URL Filtering policies to
.v

allow, block, alert, continue, or override web requests based on the URL category and reputation, as
w

well as customize the response pages and exceptions for different user groups. Reference: URL
Filtering, Set Up a Basic Security Policy, Updated Certifications for PAN-OS 10.1
w
// w
s:

Question: 353
tp
ht

In order to attach an Antivirus, Anti-Spyware and Vulnerability Protection security profile to your
Security Policy rules, which setting must be selected?

A. Policies > Security > Actions Tab > Select Group-Profiles as Profile Type
B. Policies > Security > Actions Tab > Select Default-Profiles as Profile Type
C. Policies > Security > Actions Tab > Select Profiles as Profile Type
D. Policies > Security > Actions Tab > Select Tagged-Profiles as Profile Type

Answer: C
Explanation:

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 154/157

To enable the firewall to scan the traffic that it allows based on a Security policy rule, you must also
attach Security Profiles —including URL Filtering, Antivirus, Anti-Spyware, File Blocking, and WildFire
Analysis—to each rule. To attach a Security Profile to a Security policy rule, you must select Profiles
as the Profile Type in the Actions tab of the rule. This allows you to choose from the predefined or
custom Security Profiles that you have configured. Group-Profiles, Default-Profiles, and Tagged-
Profiles are not valid options for attaching Security Profiles to Security policy rules. Reference: Set Up
a Basic Security Policy, Security Profiles, Updated Certifications for PAN-OS 10.1

Question: 354

om
Within a WildFire Analysis Profile, what match criteria can be defined to forward samples for
analysis?

.c
A. Application Category

ps
B. Source
C. File Size

m
D. Direction

du Answer: D
am
Explanation:
ex

A WildFire Analysis Profile allows you to specify which files or email links to forward for WildFire
analysis based on the application, file type, and transmission direction (upload or download) of the
id

traffic. The direction match criteria determines whether the file or email link was sent from the
source zone to the destination zone (upload) or from the destination zone to the source zone
al

(download). You can also select both directions to forward files or email links regardless of the
.v

direction of the traffic. Reference: Security Profile: Wildfire Analysis, Objects > Security Profiles >
w

WildFire Analysis
w

Question: 355
// w
s:

What must first be created on the firewall for SAML authentication to be configured?
tp

A. Server Policy
ht

B. Server Profile

C. Server Location

D. Server Group

Answer: B
Explanation:

A server profile identifies the external authentication service and instructs the firewall on how to

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 155/157

connect to that authentication service and access the authentication credentials for your users. To
configure SAML authentication, you must create a server profile and register the firewall and the
identity provider (IdP) with each other. You can import a SAML metadata file from the IdP to
automatically create a server profile and populate the connection, registration, and IdP certificate
information. Reference: Configure SAML Authentication, Set Up SAML Authentication, Introduction
to SAML

Question: 356

Which two options does the firewall use to dynamically populate address group members? (Choose

om
two.)

A. IP Addresses

.c
ps
B. Tags

m
C. MAC Addresses

du
D. Tag-based filters
am
Answer: BD
ex

Explanation:
id

A dynamic address group populates its members dynamically using look ups for tags and tag-based
filters. Tags are metadata elements or attribute-value pairs that are registered for each IP address.
al

Tag-based filters use logical and and or operators to match the tags and determine the membership
.v

of the dynamic address group. For example, you can create a dynamic address group that includes all
w

IP addresses that have the tags “web-server” and “linux”. You can also use static tags as part of the
filter criteria. Reference: Policy Object: Address Groups, Use Dynamic Address Groups in
w

Policy, Statics vs. Dynamic Address Objects Groups

// w

Question: 357
s:
tp

What two actions can be taken when implementing an exception to an External Dynamic List?
ht

(Choose two.)

A. Exclude an IP address by making use of wildcards.

B. Exclude a URL entry by making use of regular expressions.
C. Exclude an IP address by making use of regular expressions.
D. Exclude a URL entry by making use of wildcards.

Answer: AB
Explanation:

Question: 358

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 156/157

Which feature enables an administrator to review the Security policy rule base for unused rules?

A. Security policy tags

B. Test Policy Match
C. View Rulebase as Groups
D. Policy Optimizer

Answer: D
Explanation:

om
The Policy Optimizer feature enables an administrator to review the Security policy rule base for
unused rules, unused applications, and shadowed rules. The Policy Optimizer provides information

.c
and recommendations to help optimize the Security policy rules and reduce the attack surface. The

ps
Policy Optimizer can also identify rules that can be converted to use App-ID instead of port-based
criteria12. Reference: Policy Optimizer, Tips & Tricks: How to Identify Unused Policies on a Palo Alto

m
Networks Device

Question: 359
du
am
An administrator should filter NGFW traffic logs by which attribute column to determine if the entry
ex

is for the start or end of the session?

id

A. Receive Time
B. Type
al

C. Destination
.v

D. Source
w

Answer: B
w

Explanation:
// w

The Type attribute column in the NGFW traffic logs indicates whether the log entry is for the start or
s:

end of the session. The possible values are START, END, DROP, DENY, and INVALID. The START value
tp

means that the log entry is for the start of the session, and the END value means that the log entry is
for the end of the session. The other values indicate that the session was terminated by the firewall
ht

for various reasons12. Reference: Traffic Log Fields, Session Log Best Practices

https://www.validexamdumps.com/PCNSA.html
Questions and Answers PDF 157/157

Thank you for your visit.

To try more exams, please visit below link
https://www.validexamdumps.com/PCNSA.html

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/PCNSA.html