Professional Documents
Culture Documents
PCNSA - Prepaway.premium - Exam.98q: Number: PCNSA Passing Score: 800 Time Limit: 120 Min File Version: 3.0
PCNSA - Prepaway.premium - Exam.98q: Number: PCNSA Passing Score: 800 Time Limit: 120 Min File Version: 3.0
98q
Number: PCNSA
Passing Score: 800
Time Limit: 120 min
File Version: 3.0
PCNSA
Version 3.0
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Exam A
QUESTION 1
DRAG DROP
Match the Palo Alto Networks Security Operating Platform architecture to its description.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a
separate processor?
A. management
B. network processing
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
C. data
D. security processing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
A security administrator has configured App-ID updates to be automatically downloaded and installed. The
company is currently using an application identified by App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and
SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches
the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the
security administrator approves the applications
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. two
B. three
C. four
D. one
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-zones/
security-zone-overview
QUESTION 5
Which two configuration settings shown are not the default? (Choose two.)
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. Enable Security Log
B. Server Log Monitor Frequency (sec)
C. Enable Session
D. Enable Probing
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/user-identification/device-
user-identification-user-mapping/enable-server-monitoring
QUESTION 6
Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits
on a Palo Alto Networks Firewall?
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. Signature Matching
B. Network Processing
C. Security Processing
D. Data Interfaces
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
Which option shows the attributes that are selectable when setting up application filters?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-
application-filters
QUESTION 8
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
DRAG DROP
Correct Answer:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content may change how security policy rules are enforced
B. After an application content update, new applications must be manually classified prior to use
C. Existing security policy rules are not affected by application content updates
D. After an application content update, new applications are automatically identified and classified
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Which User-ID mapping method should be used for an environment with clients that do not authenticate to
Windows Active Directory?
Correct Answer: C
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
An administrator needs to allow users to use their own office applications. How should the administrator
configure the firewall to allow multiple applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category,
office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Which statement is true regarding a Best Practice Assessment?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-
practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
QUESTION 14
Employees are shown an application block page when they try to access YouTube. Which security policy is
blocking the YouTube application?
A. intrazone-default
B. Deny Google
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
C. allowed-security services
D. interzone-default
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic
____________.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html
QUESTION 16
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic
IP and Port, Dynamic, Static IP, and None?
A. Translation Type
B. Interface
C. Address Type
D. IP Address
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Which interface does not require a MAC or IP address?
A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility
should the company use to identify out-of-date or unused rules on the firewall?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
DRAG DROP
Order the steps needed to create a new security zone with a Palo Alto Networks firewall.
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Correct Answer:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose
two.)
A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
QUESTION 21
Recently changes were made to the firewall to optimize the policies and the security team wants to see if those
changes are helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?
A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
D. Use the Reset Rule Hit Counter > All Rules option
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/
creating-and-managing-policies
QUESTION 22
Which two App-ID applications will need to be allowed to use facebook-chat? (Choose two.)
A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK
QUESTION 23
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth,
and limited firewall management plane resources?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
Your company requires positive username attribution of every IP address used by wireless devices to support a
new compliance requirement. You must collect IP –to-user mappings as soon as possible with minimal
downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are
from various manufactures.
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.
A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
An administrator receives a global notification for a new malware that infects hosts. The infection will result in
the infected host attempting to contact a command-and-control (C2) server. Which two security profile
components will detect and prevent this threat after the firewall’s signature database has been updated?
(Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/create-best-practice-security-
profiles
QUESTION 26
At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?
A. Delivery
B. Reconnaissance
C. Command and Control
D. Exploitation
Correct Answer: D
Section: (none)
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Explanation
Explanation/Reference:
QUESTION 27
Identify the correct order to configure the PAN-OS integrated USER-ID agent.
A. 2-3-4-1
B. 1-4-3-2
C. 3-1-2-4
D. 1-3-2-4
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action =
Allow
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
Based on the security policy rules shown, ssh will be allowed on which port?
A. 80
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
B. 53
C. 22
D. 23
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?
A. Threat Prevention
B. WildFire
C. Antivirus
D. URL Filtering
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/install-content-and-
software-updates.html
QUESTION 31
An administrator notices that protection is needed for traffic within the network due to malicious lateral
movement activity. Based on the image shown, which traffic would the administrator need to monitor and block
to mitigate the malicious activity?
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
Given the topology, which zone type should zone A and zone B to be configured with?
A. Layer3
B. Tap
C. Layer2
D. Virtual Wire
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
To use Active Directory to authenticate administrators, which server profile is required in the authentication
profile?
A. domain controller
B. TACACS+
C. LDAP
D. RADIUS
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?
A. Layer 2
B. Tap
C. Layer 3
D. Virtual Wire
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
Which administrator type provides more granular options to determine what the administrator can view and
modify when creating an administrator account?
A. Root
B. Dynamic
C. Role-based
D. Superuser
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
Which administrator type utilizes predefined roles for a local administrator account?
A. Superuser
B. Role-based
C. Dynamic
D. Device administrator
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/get-started-with-the-cli/give-
administrators-access-to-the-cli/administrative-privileges?PageSpeed=noscript
QUESTION 37
Which two security profile types can be attached to a security policy? (Choose two.)
A. antivirus
B. DDoS protection
C. threat
D. vulnerability
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/security-profiles
QUESTION 38
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive
had malware on it that loaded onto their computer and then contacted a known command and control (CnC)
server, which ordered the infected machine to begin Exfiltrating data from the laptop.
Which security profile feature could have been used to prevent the communication with the CnC server?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-security-
profiles-anti-spyware-profile
QUESTION 39
Which user mapping method could be used to discover user IDs in an environment with multiple Windows
domain controllers?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
What are three differences between security policies and security profiles? (Choose three.)
Explanation/Reference:
QUESTION 41
Given the image, which two options are true about the Security policy rules. (Choose two.)
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. The Allow Office Programs rule is using an Application Filter
B. In the Allow FTP to web server rule, FTP is allowed using App-ID
C. The Allow Office Programs rule is using an Application Group
D. In the Allow Social Networking rule, allows all of Facebook’s functions
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone,
and within the Outside zone?
A. global
B. intrazone
C. interzone
D. universal
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
QUESTION 43
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by
inspecting traffic deployed as internet gateways?
A. GlobalProtect
B. AutoFocus
C. Aperture
D. Panorama
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. Path monitoring does not determine if route is useable
B. Route with highest metric is actively used
C. Path monitoring determines if route is useable
D. Route with lowest metric is actively used
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code
against a targeted machine.
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. Exploitation
B. Installation
C. Reconnaissance
D. Act on Objective
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
Which file is used to save the running configuration with a Palo Alto Networks firewall?
A. running-config.xml
B. run-config.xml
C. running-configuration.xml
D. run-configuration.xml
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
In the example security policy shown, which two websites would be blocked? (Choose two.)
A. LinkedIn
B. Facebook
C. YouTube
D. Amazon
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
Which Palo Alto Networks component provides consolidated policy creation and centralized management?
A. GlobalProtect
B. Panorama
C. Prisma SaaS
D. AutoFocus
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/resources/datasheets/panorama-centralized-management-
datasheet
QUESTION 49
Which statement is true regarding a Prevention Posture Assessment?
A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers,
zones, areas of architecture, and other categories
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture
C. It provides a percentage of adoption for each assessment area
D. It performs over 200 security checks on Panorama/firewall for the assessment
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-
practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
QUESTION 50
Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to
prevent threats? (Choose five.)
A. User identification
B. Filtration protection
C. Vulnerability protection
D. Antivirus
E. Application identification
F. Anti-spyware
Explanation/Reference:
QUESTION 51
The PowerBall Lottery has reached a high payout amount and a company has decided to help employee
morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.
Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking
the gambling URL category? (Choose two.)
A. Add all the URLs from the gambling category except powerball.com to the block list and then set the action
for the gambling category to allow.
B. Manually remove powerball.com from the gambling URL category.
C. Add *.powerball.com to the allow list
D. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the
action to allow.
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 52
Which service protects cloud-based applications such as Dropbox and Salesforce by administering
permissions and scanning files for sensitive information?
A. Aperture
B. AutoFocus
C. Panorama
D. GlobalProtect
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 53
Which administrator receives a global notification for a new malware that infects hosts. The infection will result
in the infected host attempting to contact and command-and-control (C2) server.
Which security profile components will detect and prevent this threat after the firewall`s signature database has
been updated?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 54
Which update option is not available to administrators?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
QUESTION 55
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public
Cloud environments. All other required connections have already been enabled between the USERS- and the
OUTSIDE-zone. What configuration-changes should the Firewall-admin make?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 56
How often does WildFire release dynamic updates?
A. every 5 minutes
B. every 15 minutes
C. every 60 minutes
D. every 30 minutes
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-
wildfire-updates
QUESTION 57
What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus
signatures?
A. every 30 minutes
B. every 5 minutes
C. every 24 hours
D. every 1 minute
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute-
wildfire-updates
QUESTION 58
Your company has 10 Active domain controllers spread across multiple WAN links. All users authenticate to
Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. Given
the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 59
DRAG DROP
Arrange the correct order that the URL classifications are processed within the system.
Correct Answer:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Section: (none)
Explanation
Explanation/Reference:
QUESTION 60
What must be configured for the firewall to access multiple authentication profiles for external services to
authenticate a non-local account?
A. authentication sequence
B. LDAP server profile
C. authentication server list
D. authentication list profile
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/framemaker/pan-os/7-1/pan-
os-admin.pdf page 144
QUESTION 61
Which Security Profile mitigates attacks based on packet count?
Correct Answer: A
Section: (none)
Explanation
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Explanation/Reference:
QUESTION 62
Which interface type can use virtual routers and routing protocols?
A. Tap
B. Layer3
C. Virtual Wire
D. Layer2
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 63
Which URL profiling action does not generate a log entry when a user attempts to access that URL?
A. Override
B. Allow
C. Block
D. Continue
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/url-filtering/url-filtering-concepts/url-
filtering-profile-actions
QUESTION 64
An internal host wants to connect to servers of the internet through using source NAT.
Which policy is required to enable source NAT on the firewall?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 65
Which security profile will provide the best protection against ICMP floods, based on individual combinations of
a packet`s source and destination IP address?
A. DoS protection
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
B. URL filtering
C. packet buffering
D. anti-spyware
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 66
Which path in PAN-OS 9.0 displays the list of port-based security policy rules?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 67
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto
Networks Firewall? (Choose two.)
A. Layer-ID
B. User-ID
C. QoS-ID
D. App-ID
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single-
pass-parallel-processing-hardware-architecture.html
QUESTION 68
Which path is used to save and load a configuration with a Palo Alto Networks firewall?
A. Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces
Correct Answer: C
Section: (none)
Explanation
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Explanation/Reference:
QUESTION 69
DRAG DROP
Correct Answer:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Section: (none)
Explanation
Explanation/Reference:
QUESTION 70
Which action related to App-ID updates will enable a security administrator to view the existing security policy
rule that matches new application signatures?
A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-
introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
QUESTION 71
How is the hit count reset on a rule?
A. select a security policy rule, right click Hit Count > Reset
B. with a dataplane reboot
C. Device > Setup > Logging and Reporting Settings > Reset Hit Count
D. in the CLI, type command reset hitcount <POLICY-NAME>
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 72
Given the topology, which zone type should interface E1/1 be configured with?
A. Tap
B. Tunnel
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
C. Virtual Wire
D. Layer3
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 73
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
A. Management
B. High Availability
C. Aggregate
D. Aggregation
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 74
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside
zone, but does not match traffic that passes within the zones?
A. intrazone
B. interzone
C. universal
D. global
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 75
Four configuration choices are listed, and each could be used to block access to a specific URL. If you
configured each choice to block the same URL then which choice would be the last to block access to the
URL?
Correct Answer: C
Section: (none)
Explanation
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Explanation/Reference:
QUESTION 76
Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-
only firewall deployment?
A. north-south
B. inbound
C. outbound
D. east-west
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 77
Which protocol is used to map usernames to user groups when User-ID is configured?
A. TACACS+
B. SAML
C. LDAP
D. RADIUS
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html
QUESTION 78
Which definition describes the guiding principle of the zero-trust architecture?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
QUESTION 79
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.
Complete the two empty fields in the Security policy rules that permits only this type of access.
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Application: _________?
Service: ____________?
Action: allow
(Choose two.)
A. Service = “application-default”
B. Service = “service-telnet”
C. Application = “Telnet”
D. Application = “any”
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 80
In which profile should you configure the DNS Security feature?
A. Anti-Spyware Profile
B. Zone Protection Profile
C. Antivirus Profile
D. URL Filtering Profile
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/enable-
dns-security.html
QUESTION 81
Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 82
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose
two.)
A. GlobalProtect agent
B. XML API
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
C. User-ID Windows-based agent
D. log forwarding auto-tagging
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 83
The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate
laptop.the malware contacted a known command-and-control server, which caused the infected laptop to begin
exfiltrating corporate data.
Which security profile feature could have been used to prevent the communication with the command-and-
control server?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 84
You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of
the control plane?
A. virtual router
B. Admin Role profile
C. DNS proxy
D. service route
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: https://weberblog.net/palo-alto-dns-proxy-for-management-services/
QUESTION 85
Which component provides network security for mobile endpoints by inspecting traffic routed through
gateways?
A. Prisma SaaS
B. GlobalProtect
C. AutoFocus
D. Panorama
Correct Answer: A
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Section: (none)
Explanation
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/resources/whitepapers/protecting-the-extended-perimeter-with-
globalprotect-cloud-service-full
QUESTION 86
For the firewall to use Active Directory to authenticate users, which Server Profile is required in the
Authentication Profile?
A. TACACS+
B. RADIUS
C. LDAP
D. SAML
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-an-
authentication-profile-and-sequence
QUESTION 87
Which operations are allowed when working with App-ID application tags?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 88
Your company occupies one floor in a single building. You have two Active Directory domain controllers on a
single network. The firewall’s management plane is only slightly utilized.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user-
mapping.html
QUESTION 89
Which type of administrative role must you assign to a firewall administrator account, if the account must
include a custom set of firewall permissions?
A. Role-based
B. Multi-Factor Authentication
C. Dynamic
D. SAML
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-
firewall-administrators/administrative-role-types.html
QUESTION 90
Which statement is true regarding a Heatmap report?
A. When guided by authorized sales engineer, it helps determine the areas of greatest security risk
B. It runs only on firewalls.
C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture.
D. It provides a percentage of adoption for each assessment area.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best-practice-assessment-
bpa-tool-for-ngfw-and-panorama/ba-p/248343
QUESTION 91
Based on the screenshot presented, which column contains the link that when clicked, opens a window to
display all applications matched to the policy rule?
A. Apps Allowed
B. Service
C. Name
D. Apps Seen
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 92
Access to which feature requires the PAN-OS Filtering license?
A. PAN-DB database
B. DNS Security
C. Custom URL categories
D. URL external dynamic lists
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-licenses-and-
subscriptions.html
QUESTION 93
Based on the screenshot, what is the purpose of the Included Groups?
A. They are groups that are imported from RADIUS authentication servers.
B. They are the only groups visible based on the firewall’s credentials.
C. They contain only the users you allow to manage the firewall.
D. They are used to map users to groups.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html
QUESTION 94
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. The User-ID agent is connected to a domain controller labeled lab-client.
B. The host lab-client has been found by the User-ID agent.
C. The host lab-client has been found by a domain controller.
D. The User-ID agent is connected to the firewall labeled lab-client.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 95
Which action results in the firewall blocking network traffic without notifying the sender?
A. Drop
B. Deny
C. Reset Server
D. Reset Client
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 96
What do Dynamic User Groups help you to do?
A. create a policy that provides auto-remediation for anomalous user behavior and malicious activity
B. create a dynamic list of firewall administrators
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
C. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity
D. create a policy that provides auto-sizing for anomalous user behavior and malicious activity
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-
groups
QUESTION 97
Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but
would not match traffic that flows within the zones?
A. global
B. intrazone
C. interzone
D. universal
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 98
You notice that protection is needed for traffic within the network due to malicious lateral movement activity.
Based on the image shown, which traffic would you need to monitor and block to mitigate the malicious
activity?
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2
A. branch office traffic
B. north-south traffic
C. perimeter traffic
D. east-west traffic
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
PCNSA
3ABBC3C88B4ECB08202D319DD2B37FF2