Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 371:

  Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website.

  How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

  A. Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

  B. Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

  C. Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

  D. Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

  Correct Answer: D

• Question 372:

  Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

  

  Which Security policy rule will allow traffic to flow to the web server?

  A. Untrust (any) to DMZ (10.1.1.100), web browsing -Allow

  B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow

  C. Untrust (any) to Untrust (10.1.1.100), web browsing -Allow

  D. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

  Correct Answer: D

  Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat- configuration-examples/destination-nat-exampleone-to-one-mapping

• Question 373:

  Which statement best describes the use of Policy Optimizer?

  A. Policy Optimizer can display which Security policies have not been used in the last 90 days

  B. Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications

  C. Policy Optimizer can add or change a Log Forwarding profile for each Secunty policy selected

  D. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists Admins can then manually enable policies they want to keep and delete ones they want to remove

  Correct Answer: A

  https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/create-prisma-access-policy/policy-optimizer

• Question 374:

  Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

  What is the quickest way to reset the hit counter to zero in all the security policy rules?

  A. At the CLI enter the command reset rules and press Enter

  B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

  C. Reboot the firewall

  D. Use the Reset Rule Hit Counter > All Rules option

  Correct Answer: D

• Question 375:

  Selecting the option to revert firewall changes will replace what settings?

  A. The running configuration with settings from the candidate configuration

  B. The candidate configuration with settings from the running configuration

  C. The device state with settings from another configuration

  D. Dynamic update scheduler settings

  Correct Answer: A

• Question 376:

  What is a recommended consideration when deploying content updates to the firewall from Panorama?

  A. Before deploying content updates, always check content release version compatibility.

  B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

  C. Content updates for firewall A/A HA pairs need a defined master device.

  D. After deploying content updates, perform a commit and push to Panorama.

  Correct Answer: D

  Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage- licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances- using-panorama/schedule-a-content-update-usingpanorama.html

• Question 377:

  Which type of address object is "10 5 1 1/0 127 248 2"?

  A. IP subnet

  B. IP wildcard mask

  C. IP netmask

  D. IP range

  Correct Answer: B

• Question 378:

  Given the screenshot what two types of route is the administrator configuring? (Choose two )

  

  A. default route

  B. OSPF

  C. BGP

  D. static route

  Correct Answer: A

• Question 379:

  Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

  A. GlobalProtect agent

  B. XML API

  C. User-ID Windows-based agent

  D. log forwarding auto-tagging

  Correct Answer: BC

• Question 380:

  What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

  A. SAML

  B. TACACS+

  C. LDAP

  D. Kerberos

  Correct Answer: AB

  Reference:https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall- administration/manage-firewall-administrators/administrative-authentication.html

  The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall.