Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 101:

  The Administrator profile “PCNSA Admin” is configured with an Authentication profile “Authentication Sequence PCNSA”. The Authentication Sequence PCNSA has a profile list with four Authentication profiles:

  1.

  Auth Profile LDAP

  2.

  Auth Profile Radius

  3.

  Auth Profile Local

  4.

  Auth Profile TACACS

  After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the “PCNSA Admin” username and password.

  Which option describes the “PCNSA Admin” login capabilities after the outage?

  A. Auth OK because of the Auth Profile TACACS

  B. Auth KO because RADIUS server lost user and password for PCNSA Admin

  C. Auth OK because of the Auth Profile Local

  D. Auth KO because LDAP server is not reachable

  Correct Answer: C

• Question 102:

  To protect against illegal code execution, which Security profile should be applied?

  A. Antivirus profile on allowed traffic

  B. Antivirus profile on denied traffic

  C. Vulnerability Protection profile on allowed traffic

  D. Vulnerability Protection profile on denied traffic

  Correct Answer: C

• Question 103:

  Which three types of entries can be excluded from an external dynamic list? (Choose three.)

  A. IP addresses

  B. Applications

  C. User-ID

  D. Domains

  E. URLs

  Correct Answer: ADE

  Reference: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/secops-integration-paloalto-ngfw/reference/paloalto_supported_edls.html

• Question 104:

  Which three types of entries can be excluded from an external dynamic list? (Choose three.)

  A. IP addresses

  B. Applications

  C. User-ID

  D. Domains

  E. URLs

  Correct Answer: ADE

• Question 105:

  The Administrator profile “PCNSA Admin” is configured with an Authentication profile “Authentication Sequence PCNSA”.

  The Authentication Sequence PCNSA has a profile list with four Authentication profiles:

  Auth Profile LDAP -

  Auth Profile Radius -

  Auth Profile Local -

  Auth Profile TACACS After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the “PCNSA Admin” username and password.

  Which option describes the “PCNSA Admin” login capabilities after the outage?

  A. Auth OK because of the Auth Profile TACACS

  B. Auth KO because RADIUS server lost user and password for PCNSA Admin

  C. Auth OK because of the Auth Profile Local

  D. Auth KO because LDAP server is not reachable

  Correct Answer: C

• Question 106:

  Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

  A. override

  B. authorization

  C. authentication

  D. continue

  Correct Answer: A

  OVERRIDE - The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security administrator or help-desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL Filtering log. The Override webpage doesn't display properly on client systems configured to use a proxy server.

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions.html

• Question 107:

  Which Security profile generates an alert based on a threshold when the action is set to Alert?

  A. Vulnerability Protection

  B. Antivirus

  C. DoS protection

  D. Anti-Spyware

  Correct Answer: C

  DoS Protection profiles set thresholds that protect against new session IP flood attacks and provide resource protection (maximum concurrent session limits for specified endpoints and resources). DoS Protection profiles protect specific devices (classified profiles) and groups of devices (aggregate profiles) against SYN, UDP, ICMP, ICMPv6, and Other IP flood attacks. Configuring Flood Protection thresholds in a DoS Protection profile is similar to configuring Flood Protection in a Zone Protection profile, but Zone Protection profiles protect entire ingress zones, while DoS protection profiles and policy rules are granular and targeted, and can even be classified to a single device (IP address). The firewall measures the aggregate number of connections-per-second (CPS) to a group of devices (aggregate profile) or measures the CPS to individual devices (classified profile).

• Question 108:

  Where does a user assign a tag group to a policy rule in the policy creation window?

  A. General tab

  B. Usage tab

  C. Application tab

  D. Actions tab

  Correct Answer: A

• Question 109:

  By default, which action is assigned to the intrazone-default rule?

  A. Reset-client

  B. Reset-server

  C. Deny

  D. Allow

  Correct Answer: D

• Question 110:

  What is the default action for the SYN Flood option within the DoS Protection profile?

  A. Reset-client

  B. Alert

  C. Sinkhole

  D. Random Early Drop

  Correct Answer: D

  DoS Protection Profiles and Policy Rules work together to provide protection against flooding of many incoming SYN, UDP, ICMP, and ICMPv6 packets, and other types of IP packets. You determine what thresholds constitute flooding. In general, the DoS Protection profile sets the thresholds at which the firewall generates a DoS alarm, takes action such as Random Early Drop, and drops additional incoming connections. A DoS Protection policy rule configured to protect (rather than to allow or deny packets) determines the criteria for packets to match (such as source address) in order to be counted toward the thresholds. This flexibility allows you to block certain traffic, or allow certain traffic and treat other traffic as DoS traffic. When the incoming rate exceeds your maximum threshold, the firewall blocks incoming traffic from the source address.