Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest - PDF document

102.An administrator wants to create a NAT policy to allow multiple source IPaddresses to be translated to the same public IP address. 36 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest 99.Which URL Filtering Profile action does not generate a log entry when a userattempts to access a URL?100.Which two statements are correct about App-ID content updates? (Choose two.)A. Updated application content may change how security policy rules are enforcedbrief.html101.A website is unexpectedly allowed due to miscategorization.What are two ways to resolve this issue for a proper response? (Choose two.) 35 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest C. Vulnerability Protection ProfileD. Anti-Spyware Profile96.The data plane provides which two data processing features of the firewall?(Choose two.)97.Which type of DNS signatures are used by the firewall to identify malicious andcommand-and-control domains?98.What is an advantage for using application tags?A. They are helpful during the creation of new zonesapply to any object, can be defined and so forth. I am uncertain as to whether anyaction subsequent to their application is automated or not. The only thing I'm clear on 34 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Answer: Explanation:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVH95.You receive notification about a new malware that infects hosts. An infectionresults in the infected host attempting to contact a command-and-control server. 33 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest A. BGPB. static route91.What is a function of application tags?A. creation of new zones92.What is a prerequisite before enabling an administrative account which relies on alocal firewall user database?93.Which rule type is appropriate for matching traffic occurring within a specifiedzone?94.Drag and Drop QuestionPlace the following steps in the packet processing order of operations from first tolast. 32 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Which statement is correct about the information displayed?A. Eleven rules use the "Infrastructure* tag.90.Given the screenshot, what two types of route is the administrator configuring?(Choose two.) 31 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest B. after the SSL Proxy re-encrypts the packetC. before the packet forwarding process87.To enable DNS sinkholing, which two addresses should be reserved? (Choosetwo.)88.An administrator would like to apply a more restrictive Security profile to traffic forfile sharing applications. The administrator does not want to update the Security89.An administrator is reviewing the Security policy rules shown in the screenshotbelow. 30 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest A. DefaultB. Standard83.Where within the firewall GUI can all existing tags be viewed?�A. Policies Tags84.An administrator is reviewing another administrator s Security policy log settings.Which log setting configuration is consistent with best practices tor normal traffic?85.Which five Zero Trust concepts does a Palo Alto Networks firewall apply toachieve an integrated approach to prevent threats? (Choose five.)86.When is the content inspection performed in the packet flow process?A. after the application has been identified 29 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Panorama.B. Local configuration locks prohibit Security policy changes for a Panorama79.When an ethernet interface is configured with an IPv4 address, which type of zoneis it a80.A network administrator created an intrazone Security policy rule on the firewall.The source zones were set to IT. Finance, and HR.Which two types of traffic will the rule apply to? (Choose two)81.What is the maximum volume of concurrent administrative account sessions?A. 282.What are two predefined AntiSpyware profiles? (Choose two.) 28 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest When reviewing Traffic Log entries, there are no logs matching traffic from the testworkstation.75.What are two valid selections within an Anti-Spyware profile? (Choose two.)A. Random early drop76.Which data flow direction is protected in a zero trust firewall deployment that is notprotected in a perimeter-only firewall deployment?77.Which feature would be useful for preventing traffic from hosting providers thatplace few restrictions on content, whose services are frequently used by attackers to78.Which statement is true about Panorama managed devices?A. Panorama automatically removes local configuration locks after a commit from 27 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest 69. the NAT rules are processed first before the security rules (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0)70. the NAT rules are processed from top down (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)71.What is the minimum timeframe that can be set on the firewall to check for newWildFire signatures?72.Which Security profile can be used to detect and block compromised hosts fromtrying to communicate with external command-and-control (C2) servers?73.When creating a custom URL category object, which is a valid type?A. domain matchhelp/objects/objects-custom-objects-url-category.html74.An administrator is troubleshooting an issue with Office365 and expects that thistraffic traverses the firewall. 26 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest A. Translation TypeB. Interface66.What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?A. any supported Palo Alto Networks firewall or Prisma Access firewall67.Which interface type is used to monitor traffic and cannot be used to perform trafficshaping?68.Which statement is true regarding NAT rules?A. Static NAT rules have precedence over other forms of NAT. 25 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Which Policy Optimizer feature is shown in the screenshot below?A. Rules without App Controls63.How do you reset the hit count on a Security policy rule?�A. select a security policy rule, right click Hit Count Reset64.Starting with PAN-OS version 9.1, application dependency information is nowreported in which two locations? (Choose two.)65.When creating a Source NAT policy, which entry in the Translated Packet tab willdisplay the options Dynamic IP and Port, Dynamic, Static IP, and None? 24 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest A. Security policy = drop, Gambling category in URL profile = allowB. Security policy = deny. Gambling category in URL profile = block61.What is considered best practice with regards to committing configurationchanges?environments with a strict change window.62.An administrator is updating Security policy to align with best practices. 23 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Which action would yield the information?A. View the application details in beacon paloaltonetworks.com57.An administrator configured a Security policy rule with an Antivirus Security profile.The administrator did not change the action for the profile.58.Which security policy rule would be needed to match traffic that passes betweenthe Outside zone and Inside zone, but does not match traffic that passes within the59.An internal host wants to connect to servers of the internet through using sourceNAT.60.An administrator would like to create a URL Filtering log entry when users browseto any gambling website.What combination of Security policy and Security profile actions is correct? 22 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest After a network outage, the LDAP server is no longer reachable. The RADIUS serveris still reachable but has lost the "PCNSA Admin" username and password.54.An administrator needs to add capability to perform real-time signature lookups toblock or sinkhole all known malware domains.55.Which three types of entries can be excluded from an external dynamic list?(Choose three.)A. IP addresses56.An administrator would like to determine the default deny action for the applicationdns-over- 21 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest ���Admin Roles Add Web UI disable access to everything else������D. Device Admin Roles Add Web UI Device Authentication Profile Device 52.Based on the graphic, which statement accurately describes the output shown inthe Server Monitoring panel? A. The User-ID agent is connected to a domain controller labeled lab-client.53.The Administrator profile "PCNSA Admin" is configured with an Authenticationprofile "Authentication Sequence PCNSA". 20 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest C. It enables users to access real-time protections using advanced predictiveanalytics.using a multitude of data sources. This list of signatures allows you to defend againstan array of threats using DNS in real-time against newly generated malicious50.An administrator would like to silently drop traffic from the internet to a ftp server.Which Security policy action should the administrator select?51.The Net Sec Manager asked to create a new Firewall Operator profile withcustomized privileges. 19 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest A. Vulnerability Profile applied to inbound Security policy rulesB. Antivirus Profile applied to outbound Security policy rules46.What are two differences between an application group and an application filter?(Choose two.)47.Which firewall feature do you need to configure to query Palo Alto Networksservice updates over a data-plane interface instead of the management interface?48.Access to which feature requires the PAN-OS Filtering license?A. PAN-DB database49.What are three characteristics of the Palo Alto Networks DNS Security service?(Choose three.) 18 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest The admin also creates a custom service object named "tcp-22" with port tcp/22.The admin then creates a Security policy allowing application "ssh", service43.In which threat profile object would you configure the DNS Security service?A. Antivirus44.An administrator would like to protect against inbound threats such as bufferoverflows and illegal code execution.code execution, and other attempts to exploit system vulnerabilities.https://docs.paloaltonetworks.com/network-security/security-policy/security-45.An administrator receives a notification about new malware that is being used toattack hosts. 17 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Admin_read_onlyAnswer: A40.How are Application Filters or Application Groups used in firewall policy?A. An Application Group is a static way of grouping applications and cannot be41.How does an administrator schedule an Applications and Threats dynamic updatewhile delaying installation of the update for a certain amount of time?the administrator approves the updateD. Configure the option for "Threshold"42.How would a Security policy need to be written to allow outbound traffic usingSecure Shell (SSH) to destination ports tcp/22 and tcp/4422? 16 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest On a content update notice, Palo Alto Networks is adding new app signatures labeledSuperApp_chat and SuperApp_download, which will be deployed in 30 days.38.An administrator is trying to enforce policy on some (but not all) of the entries in anexternal dynamic list.dynamic-list-in-policy/exclude-entries-from-an-external-dynamic-list39.The NetSec Manager asked to create a new EMEA Regional PanoramaAdministrator profile with customized privileges. 15 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest B. blockC. sinkhole34.Which three types of authentication services can be used to authenticate usertraffic flowing through the firewall's data plane? (Choose three.)35.If a universal security rule was created for source zones A & B and destinationzones A & B, to which traffic would the rule apply?36.A network administrator is required to use a dynamic routing protocol for networkconnectivity.37.A security administrator has configured App-ID updates to be automaticallydownloaded and installed. The company is currently using an application identified byApp-ID as SuperApp_base. 14 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest center-best-practice-security-policy/use-palo-alto-networks-assessment-and-review-tools31.What are the two types of Administrator accounts? (Choose two.)A. Role Based32.An administrator would like to override the default deny action for a givenapplication, and instead would like to block the traffic and send the ICMP codeclient, set Action:Drop and enable the Send ICMP Unreachable33.An administrator wants to prevent hacking attacks through DNS queries tomalicious domains. 13 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest B. Usage tabC. Application tab29.Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?A. Management30.Which statement is true regarding a Best Practice Assessment?A. It runs only on firewalls.recommendations and instructions for how to remediate failed best practice checks.The Security Policy Adoption Heatmap component filters the information by device 12 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest D. It removes the 100K limit for DNS entries for the downloaded DNS updates.Answer: BD25.Which two settings allow you to restrict access to the management interface?(Choose two )26.An internal host wants to connect to servers of the internet through using sourceNAT.Which policy is required to enable source NAT on the firewall?27.Which Security policy set should be used to ensure that a policy is applied first?A. Local firewall policy28.Where does a user assign a tag group to a policy rule in the policy creationwindow? 11 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest /set-up-panorama/install-content-and-software-updates-for-panorama/panorama-log-collector-firewall-and-wildfire-version-22.Which administrator type provides more granular options to determine what theadministrator can view and modify when creating an administrator account?and a separate profile for your security administrators that provides access to securitypolicy definitions, logs, and reports. On a firewall with multiple virtual systems, you23.Which Palo Alto Networks component provides consolidated policy creation andcentralized management?24.Which two statements are true for the DNS Security service introduced in PAN-OSversion 10.0? 10 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Answer: B19.In order to fulfill the corporate requirement to backup the configuration ofPanorama and the Panorama-managed firewalls securely, which protocol should you20.What is the function of an application group object?A. It contains applications that you want to treat similarly in policyindividual policy rules when there is a change in the applications you support, you canupdate only the affected application groups. https://docs.paloaltonetworks.com/pan-os21.What is a recommended consideration when deploying content updates to thefirewall from Panorama? 9 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls18.An administrator reads through the following Applications and Threats ContentRelease Notes before an update: Which rule would continue to allow the file upload to confluence after the update? B) C) D) A. Option A 8 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest Answer: CExplanation:15.Which license is required to use the Palo Alto Networks built-in IP address EDLs?A. DNS Security16.Which prevention technique will prevent attacks based on packet count?A. zone protection profile17.Which built-in IP address EDL would be useful for preventing traffic from IPaddresses that are verified as unsafe based on WildFire analysis Unit 42 research42 research, and data gathered from telemetry (Share Threat Intelligence with PaloAlto Networks). Attackers use these IP addresses almost exclusively to distribute 7 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest 12.Actions can be set for which two items in a URL filtering security profile? (Choosetwo.)13.Which interface type requires no routing or switching but applies Security or NATpolicy rules before passing allowed traffic?requires no changes to adjacent network devices.A virtual wire can bind two Ethernet interfaces of the same medium (both copper or14.In order to protect users against exploit kits that exploit a vulnerability and thenautomatically download malicious payloads, which Security profile should be 6 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest A. Parent AppB. Category10.What are three factors that can be used in domain generation algorithms?(Choose three.)cryptographic keys, or other unique values.https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dns-11.Which Security profile must be added to Security policies to enable DNSSignatures to be checked? 5 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest authentication and authorization for role-based access control? (Choose two.)A. SAML7.What do you configure if you want to set up a group of objects based on their portsalone?A. address groups8.A Security Profile can block or allow traffic at which point?A. after it is matched to a Security policy rule that allows traffic9.Which three filter columns are available when setting up an Application Filter?(Choose three.) 4 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest A. ExploitationB. Installation4.According to the best practices for mission critical devices, what is therecommended interval for antivirus updates?5.An address object of type IP Wildcard Mask can be referenced in which part of theconfiguration?the wildcard mask, a zero (0) bit indicates that the bit being compared must match thebit in the IP address that is covered by the 0. A one (1) bit in the mask is a wildcard6.What two authentication methods on the Palo Alto Networks firewalls support 3 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest 1.Where in Panorama would Zone Protection profiles be configured?A. Templates2.An administrator wants to prevent access to media content websites that are risky.Which two URL categories should be combined in a custom URL category to3.Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attackercan run malicious code against a targeted machine. 2 / 37 Simplify Your Palo Alto Networks PCNSA Exam Prep with PCNSA Study Materials of Killtest