Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 211:

  Which data flow direction is protected in a zero trust firewall deployment that is not protected in a perimeter-only firewall deployment?

  A. outbound

  B. north south

  C. inbound

  D. east west

  Correct Answer: D

• Question 212:

  What are three factors that can be used in domain generation algorithms? (Choose three.)

  A. cryptographic keys

  B. time of day

  C. other unique values

  D. URL custom categories

  E. IP address

  Correct Answer: ABC

  Domain generation algorithms (DGAs) are used to auto-generate domains, typically in large numbers within the context of establishing a malicious command-and- control (C2) communications channel. DGA-based malware (such as Pushdo,

  BankPatch, and CryptoLocker) limit the number of domains from being blocked by hiding the location of their active C2 servers within a large number of possible suspects, and can be algorithmically generated based on factors such as time of

  day, cryptographic keys, or other unique values.

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns- security/domain-generation-algorithm-detection

• Question 213:

  Your company is highly concerned with their Intellectual property being accessed by unauthorized resources. There is a mature process to store and include metadata tags for all confidential documents. Which Security profile can further ensure that these documents do not exit the corporate network?

  A. File Blocking

  B. Data Filtering

  C. Anti-Spyware

  D. URL Filtering

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects- security-profiles-data-filtering

• Question 214:

  An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server. Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)

  A. vulnerability protection profile applied to outbound security policies

  B. anti-spyware profile applied to outbound security policies

  C. antivirus profile applied to outbound security policies

  D. URL filtering profile applied to outbound security policies

  Correct Answer: BC

• Question 215:

  The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet The firewall is configured with two zones;

  1.

  trust for internal networks

  2.

  untrust to the internet

  Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two )

  A. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic

  B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application

  C. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application

  D. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

  Correct Answer: AD

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-applications/applications-overview

• Question 216:

  Given the topology, which zone type should you configure for firewall interface E1/1?

  

  A. Tap

  B. Tunnel

  C. Virtual Wire

  D. Layer3

  Correct Answer: A

• Question 217:

  Which operations are allowed when working with App-ID application tags?

  A. Predefined tags may be deleted.

  B. Predefined tags may be augmented by custom tags.

  C. Predefined tags may be modified.

  D. Predefined tags may be updated by WildFire dynamic updates.

  Correct Answer: B

• Question 218:

  Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided password?

  A. exclude

  B. continue

  C. hold

  D. override

  Correct Answer: D

  The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security administrator or help-desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL Filtering log. The Override webpage doesn't display properly on client systems configured to use a proxy server.

• Question 219:

  Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis Unit 42 research and data gathered from telemetry?

  A. Palo Alto Networks CandC IP Addresses

  B. Palo Alto Networks Bulletproof IP Addresses

  C. Palo Alto Networks High-Risk IP Addresses

  D. Palo Alto Networks Known Malicious IP Addresses

  Correct Answer: D

  Palo Alto Networks Known Malicious IP Addresses --Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry (Share ThreatIntelligence with Palo Alto Networks). Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external- dynamic-list-in-policy/built-in-edls

• Question 220:

  Which object would an administrator create to enable access to all applications in the office-programs subcategory?

  A. HIP profile

  B. Application group

  C. URL category

  D. Application filter

  Correct Answer: B

  An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs.