Palo Alto Networks Palo Alto Networks Certifications PCNSA Questions & Answers

• Question 401:

  Which statement is true regarding a Best Practice Assessment?

  A. The BPA tool can be run only on firewalls

  B. It provides a percentage of adoption for each assessment data

  C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities

  D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

  Correct Answer: B

  Reference:

  https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best-practice-security-policy/use-palo-alto-networks- assessment-and-review-tools

• Question 402:

  The firewall sends employees an application block page when they try to access Youtube. Which Security policy rule is blocking the youtube application?

  

  A. intrazone-default

  B. Deny Google

  C. allowed-security services

  D. interzone-default

  Correct Answer: D

• Question 403:

  What are three differences between security policies and security profiles? (Choose three.)

  A. Security policies are attached to security profiles

  B. Security profiles are attached to security policies

  C. Security profiles should only be used on allowed traffic

  D. Security profiles are used to block traffic by themselves

  E. Security policies can block or allow traffic

  Correct Answer: BCE

• Question 404:

  Which interface type can use virtual routers and routing protocols?

  A. Tap

  B. Layer3

  C. Virtual Wire

  D. Layer2

  Correct Answer: B

• Question 405:

  Which administrative management services can be configured to access a management interface?

  A. HTTP, CLI, SNMP, HTTPS

  B. HTTPS, SSH telnet SNMP

  C. SSH: telnet HTTP, HTTPS

  D. HTTPS, HTTP. CLI, API

  Correct Answer: C

  The administrative management services are http,https,telnet and ssh

• Question 406:

  What is considered best practice with regards to committing configuration changes?

  A. Disable the automatic commit feature that prioritizes content database installations before committing

  B. Validate configuration changes prior to committing

  C. Wait until all running and pending jobs are finished before committing

  D. Export configuration after each single configuration change performed

  Correct Answer: B

• Question 407:

  Which solution is a viable option to capture user identification when Active Directory is not in use?

  A. Cloud Identity Engine

  B. group mapping

  C. Directory Sync Service

  D. Authentication Portal

  Correct Answer: D

• Question 408:

  Complete the statement. A security profile can block or allow traffic____________

  A. on unknown-tcp or unknown-udp traffic

  B. after it is matched by a security policy that allows traffic

  C. before it is matched by a security policy

  D. after it is matched by a security policy that allows or blocks traffic

  Correct Answer: B

  Security profiles are objects added to policy rules that are configured with an action of allow.

• Question 409:

  Which object would an administrator create to enable access to all applications in the office-programs subcategory?

  A. application filter

  B. URL category

  C. HIP profile

  D. application group

  Correct Answer: A

• Question 410:

  What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

  A. Implement a threat intel program.

  B. Configure a URL Filtering profile.

  C. Train your staff to be security aware.

  D. Rely on a DNS resolver.

  E. Plan for mobile-employee risk

  Correct Answer: ACE

  Based on the following source, BCE appear to be the best practices https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling