Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 1:

  When configuring a security policy, what is a best practice for User-ID?

  A. Use only one method for mapping IP addresses to usernames.

  B. Allow the User-ID agent in zones where agents are not monitoring services.

  C. Limit User-ID to users registered in an Active Directory server.

  D. Deny WMI traffic from the User-ID agent to any external zone.

  Correct Answer: D

• Question 2:

  DRAG DROP

  Drag the steps into the correct order to create a static route.

  Select and Place:

  

  Correct Answer:

  

• Question 3:

  An administrator is implementing an exception to an external dynamic list by adding an entry to the list manually. The administrator wants to save the changes, but the OK button is grayed out. What are two possible reasons the OK button is grayed out? (Choose two.)

  A. The entry matches a list entry.

  B. The entry doesn't match a list entry.

  C. The entry contains wildcards.

  D. The entry is duplicated.

  Correct Answer: BD

• Question 4:

  In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)

  A. Objects tab > Applications

  B. Objects tab > Application Groups

  C. Objects tab > Application Filters

  D. ACC tab > Global Filters

  E. Policies tab > Security

  Correct Answer: ABC

• Question 5:

  What are three valid source or D=destination conditions available as Security policy qualifiers? (Choose three.)

  A. Zone

  B. Service

  C. User

  D. Application

  E. Address

  Correct Answer: ACE

• Question 6:

  Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?

  A. Device > Dynamic Updates > Review App-IDs

  B. Objects > Dynamic Updates > Review App-IDs

  C. Objects > Dynamic Updates > Review Policies

  D. Device > Dynamic Updates > Review Policies

  Correct Answer: D

• Question 7:

  What are three configurable interface types for a data-plane ethernet interface? (Choose three.)

  A. VWire

  B. Layer 2

  C. Management

  D. HSCI

  E. Layer 3

  Correct Answer: ABE

• Question 8:

  An administrator wants to enable access to www.paloaltonetworks.com while denying access to all other sites in the same category.

  Which object should the administrator create to use as a match condition for the security policy rule that allows access to www.paloaltonetworks.com?

  A. Service

  B. Address

  C. URL category

  D. Application group

  Correct Answer: C

• Question 9:

  Which action should be taken to identify threats that have been detected by using inline cloud analysis?

  A. Filter Threat logs by Type

  B. Filter Threat logs by Application

  C. Filter Threat logs by Action

  D. Filter Threat logs by Threat Category

  Correct Answer: D

• Question 10:

  Which statement best describes a common use of Policy Optimizer?

  A. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

  B. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

  C. Policy Optimizer can display which Security policies have not been used in the last 90 days.

  D. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

  Correct Answer: C