
Palo Alto Networks PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Exam Practice Test

Page: 1 / 29
Total 286 questions

Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Question 1

What can be used as match criteria for creating a dynamic address group?

Options:

A.

Usernames

B.

IP addresses

C.

Tags

D.

MAC addresses

Question 2

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

Options:

A.

Biometric scanning results from iOS devices

B.

Firewall logs

C.

Custom API scripts

D.

Security Information and Event Management Systems (SIEMS), such as Splun

E.

DNS Security service

Question 3

Which rule type is appropriate for matching traffic both within and between the source and destination zones?

Options:

A.

interzone

B.

shadowed

C.

intrazone

D.

universal

Question 4

An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration.

Why doesn't the administrator see the traffic?

Options:

A.

Traffic is being denied on the interzone-default policy.

B.

The Log Forwarding profile is not configured on the policy.

C.

The interzone-default policy is disabled by default

D.

Logging on the interzone-default policy is disabled

Question 5

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

Options:

A.

User identification

B.

Filtration protection

C.

Vulnerability protection

D.

Antivirus

E.

Application identification

F.

Anti-spyware

Question 6

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

Options:

A.

Aperture

B.

AutoFocus

C.

Prisma SaaS

D.

GlobalProtect

Question 7

What is the main function of Policy Optimizer?

Options:

A.

reduce load on the management plane by highlighting combinable security rules

B.

migrate other firewall vendors’ security rules to Palo Alto Networks configuration

C.

eliminate “Log at Session Start” security rules

D.

convert port-based security rules to application-based security rules

Question 8

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized.

Which User-ID agent is sufficient in your network?

Options:

A.

PAN-OS integrated agent deployed on the firewall

B.

Windows-based agent deployed on the internal network a domain member

C.

Citrix terminal server agent deployed on the network

D.

Windows-based agent deployed on each domain controller

Question 9

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule. What is the best way to do this?

Options:

A.

Create a Security policy rule to allow the traffic.

B.

Create a new NAT rule with the correct parameters and leave the translation type as None

C.

Create a static NAT rule with an application override.

D.

Create a static NAT rule translating to the destination interface.

Question 10

A Security Profile can block or allow traffic at which point?

Options:

A.

after it is matched to a Security policy rule that allows traffic

B.

on either the data plane or the management plane

C.

after it is matched to a Security policy rule that allows or blocks traffic

D.

before it is matched to a Security policy rule

Question 11

Which two rule types allow the administrator to modify the destination zone? (Choose two.)

Options:

A.

interzone

B.

intrazone

C.

universal

D.

shadowed

Question 12

Which license is required to use the Palo Alto Networks built-in IP address EDLs?

Options:

A.

DNS Security

B.

Threat Prevention

C.

WildFire

D.

SD-WAN

Question 13

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

Options:

A.

intrazone

B.

interzone

C.

universal

D.

global

Question 14

Which statement best describes a common use of Policy Optimizer?

Options:

A.

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

B.

Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

C.

Policy Optimizer can display which Security policies have not been used in the last 90 days.

D.

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

Question 15

Which two statements are correct about App-ID content updates? (Choose two.)

Options:

A.

Updated application content may change how security policy rules are enforced

B.

After an application content update, new applications must be manually classified prior to use

C.

Existing security policy rules are not affected by application content updates

D.

After an application content update, new applications are automatically identified and classified

Question 16

Access to which feature requires PAN-OS Filtering license?

Options:

A.

PAN-DB database

B.

URL external dynamic lists

C.

Custom URL categories

D.

DNS Security

Question 17

In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)

Options:

A.

Clone and edit the Strict profile.

B.

Use URL filtering to limit categories in which users can transfer files.

C.

Set the action to Continue.

D.

Edit the Strict profile.

Question 18

Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)

Options:

A.

Layer 2

B.

Virtual Wire

C.

Tap

D.

Layer 3

E.

HA

Question 19

An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

Options:

A.

User-ID

B.

App-ID

C.

Security Processing Engine

D.

Content-ID

Question 20

Which type of address object is www.paloaltonetworks.com?

Options:

A.

IP range

B.

IP netmask

C.

named address

D.

FQDN

Question 21

Which three configuration settings are required on a Palo Alto Networks firewall management interface?

Options:

A.

default gateway

B.

netmask

C.

IP address

D.

hostname

E.

auto-negotiation

Question 22

Complete the statement. A security profile can block or allow traffic____________

Options:

A.

on unknown-tcp or unknown-udp traffic

B.

after it is matched by a security policy that allows traffic

C.

before it is matched by a security policy

D.

after it is matched by a security policy that allows or blocks traffic

Question 23

Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

Options:

A.

override

B.

authorization

C.

authentication

D.

continue

Question 24

Which rule type is appropriate for matching traffic occurring within a specified zone?

Options:

A.

Interzone

B.

Universal

C.

Intrazone

D.

Shadowed

Question 25

Which Palo Alto Networks security operating platform component provides consolidated policy creation and centralized management?

Options:

A.

Prisma SaaS

B.

Panorama

C.

AutoFocus

D.

GlobalProtect

Question 26

Which link in the web interface enables a security administrator to view the security policy rules that match new application signatures?

Options:

A.

Review Apps

B.

Review App Matches

C.

Pre-analyze

D.

Review Policies

Question 27

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

Options:

A.

Management

B.

High Availability

C.

Aggregate

D.

Aggregation

Question 28

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

Options:

A.

Configure an authentication policy

B.

Configure an authentication sequence

C.

Configure an authentication profile

D.

Isolate the management interface on a dedicated management VLAN

Question 29

An administrator wants to prevent access to media content websites that are risky.

Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

Options:

A.

streaming-media

B.

high-risk

C.

recreation-and-hobbies

D.

known-risk

Question 30

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.

Options:

A.

Exploitation

B.

Installation

C.

Reconnaissance

D.

Act on Objective

Question 31

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.

Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

Options:

A.

Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow.

B.

Manually remove powerball.com from the gambling URL category.

C.

Add *.powerball.com to the allow list

D.

Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Question 32

An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets. What are two security policy actions the administrator can select? (Choose two.)

Options:

A.

Reset server

B.

Reset both

C.

Drop

D.

Deny

Question 33

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?

Options:

A.

80

B.

8443

C.

4443

D.

443

Question 34

You have been tasked to configure access to a new web server located in the DMZ.

Based on the diagram, what configuration changes are required in the NGFW virtual router to route traffic from the 10.1.1.0/24 network to 192.168.1.0/24?

Options:

A.

Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.10

B.

Add a route with the destination of 192.168.1.0/24 using interface Eth 1/2 with a next-hop of 172.16.1.2

C.

Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 172.16.1.2

D.

Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.254

Question 35

Based on the screenshot, what is the purpose of the included groups?

Options:

A.

They are only groups visible based on the firewall's credentials.

B.

They are used to map usernames to group names.

C.

They contain only the users you allow to manage the firewall.

D.

They are groups that are imported from RADIUS authentication servers.

Question 36

Which path is used to save and load a configuration with a Palo Alto Networks firewall?

Options:

A.

Device>Setup>Services

B.

Device>Setup>Management

C.

Device>Setup>Operations

D.

Device>Setup>Interfaces

Question 37

Which Security profile would you apply to identify infected hosts on the protected network uwall user database?

Options:

A.

Anti-spyware

B.

Vulnerability protection

C.

URL filtering

D.

Antivirus

Question 38

Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet's source and destination IP address?

Options:

A.

DoS protection

B.

URL filtering

C.

packet buffering

D.

anti-spyware

Question 39

What must be considered with regards to content updates deployed from Panorama?

Options:

A.

Content update schedulers need to be configured separately per device group.

B.

Panorama can only install up to five content versions of the same type for potential rollback scenarios.

C.

A PAN-OS upgrade resets all scheduler configurations for content updates.

D.

Panorama can only download one content update at a time for content updates of the same type.

Question 40

What are the requirements for using Palo Alto Networks EDL Hosting Service?

Options:

A.

any supported Palo Alto Networks firewall or Prisma Access firewall

B.

an additional subscription free of charge

C.

a firewall device running with a minimum version of PAN-OS 10.1

D.

an additional paid subscription

Question 41

Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)

Options:

A.

Post-NAT address

B.

Post-NAT zone

C.

Pre-NAT zone

D.

Pre-NAT address

Question 42

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?

Options:

A.

Rule Usage Filter > No App Specified

B.

Rule Usage Filter > Hit Count > Unused in 30 days

C.

Rule Usage Filter > Unused Apps

D.

Rule Usage Filter > Hit Count > Unused in 90 days
