Palo Alto Networks PCNSA Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSA Online Questions & Answers

• Question 131:

  Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

  A. Windows session monitoring via a domain controller
  B. passive server monitoring using the Windows-based agent
  C. Captive Portal
  D. passive server monitoring using a PAN-OS integrated User-ID agent
  C. Captive Portal

  ---

  Explanation/Reference:

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip- addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal.html

• Question 132:

  The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges. In particular, the new EMEA Regional Panorama Administrator should be able to:

  1.

  Access only EMEA-Regional device groups with read-only privileges.

  2.

  Access only EMEA-Regional templates with read-only privileges.

  What is the correct configuration for the new EMEA Regional Panorama Administrator profile?

  A. Administrator Type = Device Group and Template Admin Admin Role = EMEA_Regional_Admin_read_only Access Domain = EMEA-Regional
  B. Administrator Type = Dynamic Admin Role = Superuser (read-only)
  C. Administrator Type = Dynamic Admin Role = Panorama Administrator
  D. Administrator Type = Custom Panorama Admin Profile = EMEA Regional Admin_read_only
  A. Administrator Type = Device Group and Template Admin Admin Role = EMEA_Regional_Admin_read_only Access Domain = EMEA-Regional

• Question 133:

  DRAG DROP

  Match the network device with the correct User-ID technology.

  Select and Place:

  

  

  ---

  Explanation/Reference:

• Question 134:

  When is the content inspection performed in the packet flow process?

  A. after the application has been identified
  B. after the SSL Proxy re-encrypts the packet
  C. before the packet forwarding process
  D. before session lookup
  A. after the application has been identified

  ---

  Explanation/Reference:

  Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g00000 0ClVHCA0

• Question 135:

  Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

  What is the quickest way to reset the hit counter to zero in all the security policy rules?

  A. At the CLI enter the command reset rules and press Enter
  B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
  C. Reboot the firewall
  D. Use the Reset Rule Hit Counter > All Rules option
  D. Use the Reset Rule Hit Counter > All Rules option

• Question 136:

  Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate username and the associated password?

  A. Group Mapping
  B. Domain Credential
  C. Valid Username Detected Log Severity
  D. IP User
  B. Domain Credential

  ---

  Explanation/Reference:

• Question 137:

  What must be considered with regards to content updates deployed from Panorama?

  A. Content update schedulers need to be configured separately per device group.
  B. Panorama can only install up to five content versions of the same type for potential rollback scenarios.
  C. A PAN-OS upgrade resets all scheduler configurations for content updates.
  D. Panorama can only download one content update at a time for content updates of the same type.
  D. Panorama can only download one content update at a time for content updates of the same type.

  ---

  Explanation/Reference:

  Reference:https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage- licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances- using-panorama/schedule-a-content-update-usingpanorama.html

• Question 138:

  Which dynamic update type includes updated anti-spyware signatures?

  A. Applications and Threats
  B. GlobalProtect Data File
  C. Antivirus
  D. PAN-DB
  A. Applications and Threats

• Question 139:

  In a security policy what is the quickest way to rest all policy rule hit counters to zero?

  A. Use the CLI enter the command reset rules all
  B. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.
  C. use the Reset Rule Hit Counter > All Rules option.
  D. Reboot the firewall.
  C. use the Reset Rule Hit Counter > All Rules option.

• Question 140:

  Which type of profile must be applied to the Security policy rule to protect against buffer overflows illegal code execution and other attempts to exploit system flaws?

  A. anti-spyware
  B. URL filtering
  C. vulnerability protection
  D. file blocking
  C. vulnerability protection

  ---

  Explanation/Reference:

  Reference:https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface- help/objects/objects-security-profiles-vulnerability-protection.html

  Vulnerability Protection Security Profiles protect against threats entering the network. For example, Vulnerability Protection Security Profiles protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection Security Profile protects clients and servers from all known critical-, high-, and medium-severity threats. You also can create exceptions that enable you to change the response to a specific signature.