Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 231:

  In a security policy what is the quickest way to rest all policy rule hit counters to zero?

  A. Use the CLI enter the command reset rules all

  B. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.

  C. use the Reset Rule Hit Counter > All Rules option.

  D. Reboot the firewall.

  Correct Answer: C

• Question 232:

  Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.

  Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

  A. syslog

  B. RADIUS

  C. UID redistribution

  D. XFF headers

  Correct Answer: A

• Question 233:

  What is the maximum volume of concurrent administrative account sessions?

  A. Unlimited

  B. 2

  C. 10

  D. 1

  Correct Answer: A

• Question 234:

  Based on the security policy rules shown, ssh will be allowed on which port?

  

  A. any port

  B. same port as ssl and snmpv3

  C. the default port

  D. only ephemeral ports

  Correct Answer: C

• Question 235:

  Which objects would be useful for combining several services that are often defined together?

  A. shared service objects

  B. service groups

  C. application groups

  D. application filters

  Correct Answer: B

  Reference:

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects- services.html

• Question 236:

  An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule. What is the best way to do this?

  A. Create a Security policy rule to allow the traffic.

  B. Create a new NAT rule with the correct parameters and leave the translation type as None

  C. Create a static NAT rule with an application override.

  D. Create a static NAT rule translating to the destination interface.

  Correct Answer: B

• Question 237:

  How often does WildFire release dynamic updates?

  A. every 5 minutes

  B. every 15 minutes

  C. every 60 minutes

  D. every 30 minutes

  Correct Answer: A

• Question 238:

  Selecting the option to revert firewall changes will replace what settings?

  A. the running configuration with settings from the candidate configuration

  B. the device state with settings from another configuration

  C. the candidate configuration with settings from the running configuration

  D. dynamic update scheduler settings

  Correct Answer: C

• Question 239:

  An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration.

  Why doesn't the administrator see the traffic?

  A. Logging on the interzone-default policy is disabled.

  B. Traffic is being denied on the interzone-default policy.

  C. The Log Forwarding profile is not configured on the policy.

  D. The interzone-default policy is disabled by default.

  Correct Answer: A

• Question 240:

  Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choices to block the sameURL then which choice would be the last to block access to the URL?

  A. EDL in URL Filtering Profile.

  B. Custom URL category in Security Policy rule.

  C. Custom URL category in URL Filtering Profile.

  D. PAN-DB URL category in URL Filtering Profile.

  Correct Answer: D

  The precedence is from the top down; First Match Wins: 1) Block list: Manually entered blocked URLs Objects - 2) Allow list: Manually entered allowed URLs Objects - 3) Custom URL Categories - 4) Cached Cached: URLs learned from External Dynamic Lists (EDLs) 5) Pre-Defined Categories: PAN-DB or Brightcloud categories.