Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 321:

  An administrator would like to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 devices groups and five templates.

  Which configuration action should the administrator take when creating the address object?

  A. Ensure that Disable Override is cleared.

  B. Ensure that the Shared option is cleared.

  C. Ensure that the Shared option is checked.

  D. Tag the address object with the Global tag.

  Correct Answer: C

• Question 322:

  Which list of actions properly defines the order of steps needed to add a local database user account and create a new group to which this user will be assigned?

  A. 1. Navigate to Device > Local User Database > Users and click Add.

  2.

  Enter a Name for the user.

  3.

  Enter and Confirm a Password or Hash.

  4.

  Enable the account and click OK.

  5.

  Navigate to Device > Local User Database > User Groups and click Add.

  6.

  Enter a Name for the group.

  7.

  Add the user to the group and click OK.

  B. 1. Navigate to Device > Authentication Profile > Users and click Add.

  2.

  Enter a Name for the user.

  3.

  Enter and Confirm a Password or Hash.

  4.

  Enable the account and click OK.

  5.

  Navigate to Device > Local User Database > User Groups and click Add.

  6.

  Enter a Name for the group.

  7.

  Add the user to the group and click OK.

  C. 1. Navigate to Device > Users and click Add.

  2.

  Enter a Name for the user.

  3.

  Enter and Confirm a Password or Hash.

  4.

  Enable the account and click OK.

  5.

  Navigate to Device > User Groups and click Add.

  6.

  Enter a Name for the group.

  7.

  Add the user to the group and click OK.

  D. 1. Navigate to Device > Admins and click Add.

  2.

  Enter a Name for the user.

  3.

  Enter and Confirm a Password or Hash.

  4.

  Enable the account and click OK.

  5.

  Navigate to Device > User Groups and click Add.

  6.

  Enter a Name for the group.

  7.

  Add the user to the group and click OK.

  Correct Answer: A

• Question 323:

  What are the three DNS Security categories available to control DNS traffic? (Choose three.)

  A. Parked Domains

  B. Spyware Domains

  C. Vulnerability Domains

  D. Phishing Domains

  E. Malware Domains

  Correct Answer: ADE

  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security Malware—test-malware.testpanw.com Phishing—test-phishing.testpanw.com Parked—test-parked.testpanw.com

• Question 324:

  

  Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the SERVER zone to the DMZ on SSH only. Which rule group enables the required traffic?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: C

  C is correct as the packet keep same sorce and destination addresses intact so the rules should be configured accordingly

• Question 325:

  An administrator is creating a NAT policy.

  Which combination of address and zone are used as match conditions? (Choose two.)

  A. Pre-NAT address

  B. Pre-NAT zone

  C. Post-NAT address

  D. Post-NAT zone

  Correct Answer: AB

  A and B is correct. NAT policy rule matches the packet based on the original pre-NAT src and dst address and pre-NAT destination zone.It's security policy that match the packet based on pre-NAT src and dst address and post-Nat zone

• Question 326:

  An administrator wants to prevent hacking attacks through DNS queries to malicious domains.

  Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)

  A. deny

  B. block

  C. sinkhole

  D. override

  Correct Answer: BC

• Question 327:

  A coworker found a USB labeled "confidential in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware The malware caused the laptop to begin infiltrating corporate data. Which Security Profile feature could have been used to detect the malware on the laptop?

  A. DNS Sinkhole

  B. WildFire Analysis

  C. Antivirus

  D. DoS Protection

  Correct Answer: A

  The PA AV isnt running on the endpoint. Malware is delivered via USB. S, now only DNS sinkhole can get info about infected endpoints.https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-toidentify-infected-hosts-on-the-network/dns-sinkholing.

• Question 328:

  According to best practices, how frequently should WildFire updates he made to perimeter firewalls?

  A. every 10 minutes

  B. every minute

  C. every 5 minutes

  D. in real time

  Correct Answer: D

  https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-deployment-best-practices/wildfire-best-practicesIf you are running PAN-OS 10.0 or later, configure your firewall to retrieve WildFire signatures in real-time. This provides access to newly-discovered malware signatures as soon as the WildFire public cloud can generate them, thereby preventing successful attacks by minimizing your exposure time to malicious activity.

• Question 329:

  Access to which feature requires a URL Filtering license?

  A. PAN-DB database

  B. External dynamic lists

  C. DNS Security

  D. Custom URL categories

  Correct Answer: A

  Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-licenses-and-subscriptions.html

• Question 330:

  What are two valid selections within a Vulnerability Protection profile? (Choose two.)

  A. deny

  B. drop

  C. default

  D. sinkhole

  Correct Answer: BC