Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 141:

  Which Palo Alto networks security operating platform service protects cloud-based application such as Dropbox and salesforce by monitoring permissions and shared and scanning files for Sensitive information?

  A. Prisma SaaS

  B. AutoFocus

  C. Panorama

  D. GlobalProtect

  Correct Answer: A

• Question 142:

  You receive notification about a new malware that infects hosts An infection results in the infected host attempting to contact a command-and-control server Which Security Profile when applied to outbound Security policy rules detects and prevents this threat from establishing a command-and-control connection?

  A. Antivirus Profile

  B. Data Filtering Profile

  C. Vulnerability Protection Profile

  D. Anti-Spyware Profile

  Correct Answer: D

  Anti-Spyware Security Profiles block spyware on compromised hosts from trying to communicate with external command-and-control (C2) servers, thus enabling you to detect malicious traffic leaving the network from infected clients.

• Question 143:

  Which statements is true regarding a Heatmap report?

  A. When guided by authorized sales engineer, it helps determine te areas of greatest security risk.

  B. It provides a percentage of adoption for each assessment area.

  C. It runs only on firewall.

  D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

  Correct Answer: B

  Reference: https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best- practice-assessment-bpa-tool-for-ngfw-and-panorama/ba-p/248343

• Question 144:

  Which two security profile types can be attached to a security policy? (Choose two.)

  A. antivirus

  B. DDoS protection

  C. threat

  D. vulnerability

  Correct Answer: AD

• Question 145:

  Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

  A. Windows session monitoring via a domain controller

  B. passive server monitoring using the Windows-based agent

  C. Captive Portal

  D. passive server monitoring using a PAN-OS integrated User-ID agent

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip- addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal.html

• Question 146:

  Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B

  (10.1.1.101) receives SSH traffic.

  

  Which two Security policy rules will accomplish this configuration? (Choose two.)

  A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow

  B. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow

  C. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow

  D. Untrust (Any)to DMZ (10.1.1.100. 10.1.1.101), ssh, web-browsing-Allow

  E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

  Correct Answer: AE

• Question 147:

  What must be configured for the firewall to access multiple authentication profiles for external services to authenticate a non-local account?

  A. authentication sequence

  B. LDAP server profile

  C. authentication server list

  D. authentication list profile

  Correct Answer: A

• Question 148:

  To what must an interface be assigned before it can process traffic?

  A. Security Zone

  B. Security policy

  C. Security Protection

  D. Security profile

  Correct Answer: A

• Question 149:

  According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

  A. by minute

  B. hourly

  C. daily

  D. weekly

  Correct Answer: C

  Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat- prevention/best-practices-for-content-and-threat-content-updates/best-practices-mission- critical.html

• Question 150:

  What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)

  A. It uses techniques such as DGA.DNS tunneling detection and machine learning.

  B. It requires a valid Threat Prevention license.

  C. It enables users to access real-time protections using advanced predictive analytics.

  D. It requires a valid URL Filtering license.

  E. It requires an active subscription to a third-party DNS Security service.

  Correct Answer: ABC

  DNS Security subscription enables users to access real-time protections using advanced predictive analytics. When techniques such as DGA/DNS tunneling detection and machine learning are used, threats hidden within DNS traffic can be proactively identified and shared through an infinitely scalable cloud service. Because the DNS signatures and protections are stored in a cloud-based architecture, you can access the full database of ever-expanding signatures that have been generated using a multitude of data sources. This list of signatures allows you to defend against an array of threats using DNS in real- time against newly generated malicious domains. To combat future threats, updates to the analysis, detection, and prevention capabilities of the DNS Security service will be available through content releases. To access the DNS Security service, you must have a Threat Prevention license and DNS Security license.