Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 241:

  Which link in the web interface enables a security administrator to view the security policy rules that match new application signatures?

  A. Review Apps

  B. Review App Matches

  C. Pre-analyze

  D. Review Policies

  Correct Answer: D

• Question 242:

  Which two configuration settings shown are not the default? (Choose two.)

  

  A. Enable Security Log

  B. Server Log Monitor Frequency (sec)

  C. Enable Session

  D. Enable Probing

  Correct Answer: BC

• Question 243:

  Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

  A. Review Policies

  B. Review Apps

  C. Pre-analyze

  D. Review App Matches

  Correct Answer: A

  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new- app-ids-introduced- incontent-releases/review-new-app-id-impact-on- existing- policy-rules

• Question 244:

  A Security Profile can block or allow traffic at which point?

  A. after it is matched to a Security policy rule that allows traffic

  B. on either the data plane or the management plane

  C. after it is matched to a Security policy rule that allows or blocks traffic

  D. before it is matched to a Security policy rule

  Correct Answer: A

• Question 245:

  Your company occupies one floor in a single building you have two active directory domain controllers on a single networks the firewall s management plane is only slightly utilized. Which user-ID agent sufficient in your network?

  A. PAN-OS integrated agent deployed on the firewall

  B. Windows-based agent deployed on the internal network a domain member

  C. Citrix terminal server agent deployed on the network

  D. Windows-based agent deployed on each domain controller

  Correct Answer: A

  Reference:

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to- users/configureuser-mapping-using-the-windows-user-id- agent/configure-the-windows- based-user-id- agent-for-usermapping.html

• Question 246:

  What can be used as match criteria for creating a dynamic address group?

  A. Usernames

  B. IP addresses

  C. Tags

  D. MAC addresses

  Correct Answer: C

• Question 247:

  Starting with PAN_OS version 9.1 which new type of object is supported for use within the user field of a security policy rule?

  A. local username

  B. dynamic user group

  C. remote username

  D. static user group

  Correct Answer: B

• Question 248:

  An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?

  

  A. branch office traffic

  B. north-south traffic

  C. perimeter traffic

  D. east-west traffic

  Correct Answer: D

• Question 249:

  An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

  Which type of single unified engine will get this result?

  A. User-ID

  B. App-ID

  C. Security Processing Engine

  D. Content-ID

  Correct Answer: D

• Question 250:

  An administrator is implementing an exception to an external dynamic list by adding an entry to the list manually. The administrator wants to save the changes, but the OK button is grayed out.

  What are two possible reasons the OK button is grayed out? (Choose two.)

  A. The entry contains wildcards.

  B. The entry is duplicated.

  C. The entry doesn't match a list entry.

  D. The entry matches a list entry.

  Correct Answer: BC