Palo Alto Networks Certified Network Security Administrator (PCNSA) - Exam Practice Questions

10/8/23, 5:19 PM Palo Alto Networks Certified Network Security Administrator (PCNSA): Exam Practice Questions
Completed: Oct 8 - 9:19 AM

Ankita Singh
94 %
Assessment Passed
Congratulations! You answered enough questions correctly to receive a
passing grade.
Total Points: 47/50 Correct Answers: 47/50

View Response Details
Close
https://beacon.paloaltonetworks.com/assessment_responses/report/19119569#assessment-response-details 1/25
Response Details
Print
Section Results
Section 1 Points: 47/50
Your Responses
Question 1 of 50 +1
What is an “application shift?” 8825855
an application change during the lifetime of a session
a session change during the lifetime of an application
a packet change during the lifetime of a session
application dependency
Question 2 of 50 +1
What is the default metric value of static routes? 8825855
10
20
Question 3 of 50 +1
How often are new antivirus signatures

published? 8825855
hourly
weekly
daily
monthly
Question 4 of 50 +1
Which interface type can be used to switch traffic

between multiple interfaces inside the same
VLAN? 8825855
Tap interfaces
Layer 2 interfaces
Layer 3 interfaces
other subnets
Question 5 of 50 +0 / 1
Which type of firewall configuration contains in-progress

configuration changes? 8825855
running
candidate
named
saved
The correct answer was "candidate".
Question 6 of 50 +1
Given the topology shown in the graphic, which interface

type should you configure for zone A and zone B? 8825855
Layer3
Layer2
Virtual Wire
Ethernet
Question 7 of 50 +1
What does the Save Named Configuration Snapshot

option do? 8825855
creates a tentative configuration snapshot that does not overwrite the default
snapshot (.snapshot.xml)
creates a candidate configuration snapshot that does not overwrite the default
deletes a candidate configuration snapshot that does not overwrite the default
creates a candidate configuration snapshot that does not overwrite the default
snapshot (.saved.xml)
Question 8 of 50 +1
Which statement is true about the App-ID database?

8825855
App-ID always requires an explicit Security policy rule for parent applications.
Some App-IDs implicitly allow required application without the need to explicitly
add the parent to the Security policy.
Every application has a parent application.
If an App-ID has a web-browsing dependency, you will not need to add web-
browsing to other Security polices to use web-browsing
Question 9 of 50 +1
An internal host needs to connect through the firewall

using source NAT to servers on the internet.
Which policy is required to enable source NAT on the

firewall?
8825855
NAT policy with internal zone and internet zone specified
NAT policy with no internal or internet zone selected
pre-NAT policy with external source and any destination address
post-NAT policy with external source and any destination address
Question 10 of 50 +1
Which two agents can be used to monitor servers and

gather User-ID information? (Choose two.) 8825855
Built-in agent inside the PAN-OS® firewall
Windows-based client
Traps agent
Cortex Data Lake
What are two URL Filtering Security Profile actions?

(Choose two.) 8825855
Continue
Approved
Deny
Allow
What are two predefined anti-spyware profiles? (Choose

two.)
8825855
Default
Standard
Secure
Strict
What are two types of Security profiles? (Choose two.)

8825855
Antivirus
URL Filtering
Spyware Filtering
File Filtering
Review the graphic. When creating a source NAT policy,

which entry in the Translated Packet tab will display the
options Dynamic IP and Port, Dynamic, Static IP, and
None? 8825855
Translation Type
Address Type
Interface
IP Address
What are two dynamic roles? (Choose two.) 8825855
Superuser
Dynamic User
Device User
Device Administrator
The firewall sends employees an application block page

when they try to access YouTube.
Using the graphic, which Security policy rule is blocking

the YouTube application?
8825855
Deny Google
allowed-security services
intrazone-default
interzone-default
The data plane provides which two data processing

features of the firewall? (Choose two.)
8825855
signature matching
reporting
network processing
access to the firewall
What allows a security administrator to preview the

Security policy rules that match new application
signatures? 8825855
Dynamic Updates--Review App
Review Release Notes
Policy Optimizer--New App Viewer
Dynamic Updates--Review Policies
Which file is used to save the running configuration on a

Palo Alto Networks firewall?
8825855
run-config.xml
running-configuration.xml
running-config.xml
run-configuration.xml
Which license must an administrator acquire prior to

downloading Antivirus updates for use with the firewall?
8825855
Antivirus
Threat Prevention
URL Filtering
WildFire
In a Security policy, what is the quickest way to reset all

policy rule hit counters to zero? 8825855
Reboot the firewall
Highlight each rule and use the Reset Rule Hit Counter > Selected Rules
Use the Reset Rule Hit Counter > All Rules option
Use the CLI enter the command reset rules all
Which type of Security policy rule would match traffic

that flows between different zones, but would not match
traffic that flows within the same zones? 8825855
intrazone
interzone
universal
global
What is the advantage of using application tags? 8825855
Identify applications with unknown vulnerabilities
Dynamically enforce new and updated App-IDs
Use to determine application tunneling
Identify applications capable of exploitation
What process would an administrator use to customize

the entries in a built-in IP address EDL? 8825855
Administrators cannot modify the content of the built-in lists
Objects -> Address Groups -> Add
Objects -> External Dynamic Lists -> Edit
Device -> Dynamic Updates -> Upload
Which data-plane feature identifies and defends against

malware and exploits? 8825855
Security Matching
Network Processing
Security Processing
Signature Matching
Given the following information with regards to traffic

flow and session initiation requirements, which NAT type
needs to be configured?
Session initiated from DMZ to Internet:

Original Packet: Src IP 10.10.10.10 and Dst IP
204.204.204.204
Translated Packet: Src IP 20.20.20.20 and Dst IP

204.204.204.204
Session initiated from Internet to DMZ:

Original Packet: Src IP 204.204.204.204 and Dst IP
20.20.20.20
Translated Packet: Src IP 204.204.204.204 and Dst IP
10.10.10.10
8825855
Bi-Directional NAT
U-Turn NAT
Source NAT
Source DIPP NAT
An administrator wants to act upon websites that match a

specific set of categories, and where each website
matches all categories in the list.
Which object should the administrator create to enable

this function? 8825855
Custom URL category
URL Filtering profile
service
address
What is true about Panorama managed firewalls?

8825855
After a commit on a local firewall, a backup of its running configuration is sent to

Panorama.
By default, Panorama stores up to ten backups for each firewall.
By default, Panorama stores up to ten device states for each firewall.
Commit on local firewalls can be prohibited, which results in no configuration

backups on local firewalls.
URL site-access options will generate a log for each of the

following actions except one. Which one does not log the
event? 8825855
allow
block
alert
continue
What are two valid tag types for use in a DAG? (Choose
two.) 8825855
static tag
dynamic tag
membership tag
wildcard tag
An administrator is reviewing the security policy

configuration and notices that the policy to block traffic
to an internal web server uses the reset-both action.
What are two potential risks associated with the reset-

both Security policy action? (Choose two.)
8825855
Sending a reset can facilitate malicious use such as reverse mapping through
port scanning.
Sending a reset will consume server resources with half-open sockets.
Sending a reset yields a poor end-user experience.
Sending a reset allows the TCP session to send data, which may allow malicious
traffic.
What are three types of address objects that can be

created? (Choose three.) 8825855
IP Netmask
IP Range
FQDN
EDL
Tag
During the packet flow process, which two processes are

performed in application identification? (Choose
two.) 8825855
pattern-based application identification
application override policy match
application changed from content inspection
session application identified
How often are new and modified threat signatures and

modified application signatures published?
8825855
weekly
hourly
daily
monthly
Which two interface types can be used for firewall

management? (Choose two.) 8825855
Virtual Wire
Loopback
VLAN
Layer2
An administrator wants to secure a specific server in the

DMZ.
Which Security profile can provide protection against

ICMP floods, based on individual combinations of a
packet’s source and destination IP addresses? 8825855
Packet Buffering
DoS Protection
Anti-Spyware
Zone Protection
You receive notification about a new malware that infects

hosts. An infection results in the infected host attempting
to contact a command-and-control server.
Which Security Profile, when applied to outbound

Security policy rules, detects and prevents this threat
from establishing a command-and-control connection?
8825855
Data Filtering Profile
Antivirus Profile
Vulnerability Protection Profile
Anti-Spyware Profile
Based on the screenshot presented, which column

contains the link that when clicked, opens a window to
display all applications matched to the policy rule? 8825855
Name
Service
Apps Allowed
Apps Seen
Which type of Security policy rule would match traffic

flowing between the Inside zone and Outside zone, as
well as within the Inside zone, and within the Outside
zone? 8825855
intrazone
interzone
global
universal
What is a function of application tags?

8825855
IP address allocations in DHCP
automated referenced applications in a policy
creation of new zones
application prioritization
The CFO found a malware infected USB drive in the

parking lot, which when inserted infected their corporate
laptop. The malware contacted a known command-and-
control server, which caused the infected laptop to begin
exfiltrating corporate data.
Which Security Profile feature could have been used to

prevent the communication with the command-and-
control server?
8825855
Create an Antivirus Profile and enable its DNS sinkhole feature.
Create a URL Filtering Profile and block the DNS sinkhole URL category.
Create an Anti-Spyware Profile and enable its DNS sinkhole feature.
Create a Data Filtering Profiles and enable its DNS sinkhole feature.
An administrator wants to allow employees to use only

Facebook Messenger but not Facebook email.
Which two App-ID applications will you need to allow in

your Security policy to use facebook-chat only? (Choose
two.) 8825855
facebook-base
web-browsing
facebook
facebook-chat
Which type of address object is

www.paloaltonetworks.com? 8825855
FQDN
IP netmask
IP range
Named address
An administrator wishes to follow best practices for

logging traffic that traverses the firewall.
Which log setting is correct?

8825855
Enable Log at Session End
Enable Log at Session Start
Enable Log at both Session Start and End
Disable all logging
An administrator has configured a Security policy where

the matching condition includes a single application, and
the action is deny.
If the application’s default deny action is reset-both, what

action does the firewall take?
8825855
It sends a TCP reset to the client-side and server-side devices.
It silently drops the traffic.
It sends a TCP reset to the server-side device.
It silently drops the traffic and sends an ICMP unreachable code.
When directing management services through a proxy

server, which protocol is represented by the "Port" field in
the screenshot?
8825855
DNS
NTP
SSH
HTTP
The correct answer was "HTTP".
Given the screenshot, what two types of route is the

administrator configuring? (Choose two.)
When directing management services though a proxy

server, which protocol is represented by the "Port" field in
the screenshot?
8825855
default route
OSPF
BGP
static route
What are two ways to reset the hit count on a Security

policy rule? (Choose two.) 8825855
First disable and then re-enable the rule.
From a Security policy rule, click Hit Count > Reset.
Type the command on the CLI, reset hitcount <POLICY-NAME>.
Clone the rule and delete the previous rule.
The correct answer was "From a Security policy rule, click Hit Count >
Reset., Clone the rule and delete the previous rule.".
Which two statements are correct about App-ID content

updates? (Choose two.) 8825855
After an application content update, new applications are automatically identified

and classified.
After an application content update, new applications must be manually

classified prior to use.
Updated application content might change how Security policy rules are
enforced.
Existing security policy rules are not affected by application content updates.
Which firewall component enables you to configure

protection for a specific asset?
8825855
DoS Protection profile
DoS Protection policy
Zone Protection profile
QoS profile

Palo Alto Networks Certified Network Security Administrator (PCNSA) - Exam Practice Questions

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Palo Alto Networks Certified Network Security Administrator (PCNSA) - Exam Practice Questions

Uploaded by

Copyright:

Available Formats

10/8/23, 5:19 PM Palo Alto Networks Certified Network Security Administrator (PCNSA): Exam Practice Questions

Completed: Oct 8 - 9:19 AM

Total Points: 47/50 Correct Answers: 47/50

What is an “application shift?” 8825855

an application change during the lifetime of a session

a session change during the lifetime of an application

a packet change during the lifetime of a session

What is the default metric value of static routes? 8825855

How often are new antivirus signatures

Which interface type can be used to switch traffic

Which type of firewall configuration contains in-progress

The correct answer was "candidate".

Given the topology shown in the graphic, which interface

What does the Save Named Configuration Snapshot

Which statement is true about the App-ID database?

Every application has a parent application.

An internal host needs to connect through the firewall

Which policy is required to enable source NAT on the

NAT policy with internal zone and internet zone specified

NAT policy with no internal or internet zone selected

pre-NAT policy with external source and any destination address

post-NAT policy with external source and any destination address

Which two agents can be used to monitor servers and

Built­-in agent inside the PAN­-OS® firewall

Cortex Data Lake

What are two URL Filtering Security Profile actions?

What are two predefined anti-spyware profiles? (Choose

What are two types of Security profiles? (Choose two.)

Review the graphic. When creating a source NAT policy,

What are two dynamic roles? (Choose two.) 8825855

The firewall sends employees an application block page

Using the graphic, which Security policy rule is blocking

The data plane provides which two data processing

access to the firewall

What allows a security administrator to preview the

Dynamic Updates--Review App

Review Release Notes

Policy Optimizer--New App Viewer

Dynamic Updates--Review Policies

Which file is used to save the running configuration on a

Which license must an administrator acquire prior to

In a Security policy, what is the quickest way to reset all

Reboot the firewall

Use the CLI enter the command reset rules all

Which type of Security policy rule would match traffic

What is the advantage of using application tags? 8825855

Identify applications with unknown vulnerabilities

Dynamically enforce new and updated App-IDs

Use to determine application tunneling

Identify applications capable of exploitation

What process would an administrator use to customize

Administrators cannot modify the content of the built-in lists

Objects -> Address Groups -> Add

Objects -> External Dynamic Lists -> Edit

Device -> Dynamic Updates -> Upload

Which data-plane feature identifies and defends against

Given the following information with regards to traffic

Session initiated from DMZ to Internet:

Translated Packet: Src IP 20.20.20.20 and Dst IP

Session initiated from Internet to DMZ:

Source DIPP NAT

An administrator wants to act upon websites that match a

Built-in agent inside the PAN-OS® firewall