Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Paloalto Networks PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Exam Practice Test

Page: 1 / 29
Total 286 questions

Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Question 1

When creating a custom URL category object, which is a valid type?

Options:

A.

domain match

B.

host names

C.

wildcard

D.

category match

Question 2

Which three configuration settings are required on a Palo Alto networks firewall management interface?

Options:

A.

default gateway

B.

netmask

C.

IP address

D.

hostname

E.

auto-negotiation

Question 3

In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)

Options:

A.

Clone and edit the Strict profile.

B.

Use URL filtering to limit categories in which users can transfer files.

C.

Set the action to Continue.

D.

Edit the Strict profile.

Question 4

What action will inform end users when their access to Internet content is being restricted?

Options:

A.

Create a custom 'URL Category' object with notifications enabled.

B.

Publish monitoring data for Security policy deny logs.

C.

Ensure that the 'site access" setting for all URL sites is set to 'alert'.

D.

Enable 'Response Pages' on the interface providing Internet access.

Question 5

In which profile should you configure the DNS Security feature?

Options:

A.

URL Filtering Profile

B.

Anti-Spyware Profile

C.

Zone Protection Profile

D.

Antivirus Profile

Question 6

Which action results in the firewall blocking network traffic with out notifying the sender?

Options:

A.

Drop

B.

Deny

C.

Reset Server

D.

Reset Client

Question 7

Which interface type can use virtual routers and routing protocols?

Options:

A.

Tap

B.

Layer3

C.

Virtual Wire

D.

Layer2

Question 8

What do you configure if you want to set up a group of objects based on their ports alone?

Options:

A.

Application groups

B.

Service groups

C.

Address groups

D.

Custom objects

Question 9

Which three types of authentication services can be used to authenticate user traffic flowing through the firewalls data plane? (Choose three )

Options:

A.

TACACS

B.

SAML2

C.

SAML10

D.

Kerberos

E.

TACACS+

Question 10

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

Options:

A.

application filter

B.

URL category

C.

HIP profile

D.

application group

Question 11

Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)

Question # 11

Options:

A.

Path monitoring does not determine if route is useable

B.

Route with highest metric is actively used

C.

Path monitoring determines if route is useable

D.

Route with lowest metric is actively used

Question 12

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

Options:

A.

An implicit dependency does not require the dependent application to be added in the security policy

B.

An implicit dependency requires the dependent application to be added in the security policy

C.

An explicit dependency does not require the dependent application to be added in the security policy

D.

An explicit dependency requires the dependent application to be added in the security policy

Question 13

How are Application Fillers or Application Groups used in firewall policy?

Options:

A.

An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group

B.

An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group

C.

An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group

D.

An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group

Question 14

An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?

Question # 14

Options:

A.

branch office traffic

B.

north-south traffic

C.

perimeter traffic

D.

east-west traffic

Question 15

Based on the security policy rules shown, ssh will be allowed on which port?

Question # 15

Options:

A.

80

B.

53

C.

22

D.

23

Question 16

Which license must an administrator acquire prior to downloading Antivirus updates for use with the firewall?

Options:

A.

URL filtering

B.

Antivirus

C.

WildFire

D.

Threat Prevention

Question 17

Which update option is not available to administrators?

Options:

A.

New Spyware Notifications

B.

New URLs

C.

New Application Signatures

D.

New Malicious Domains

E.

New Antivirus Signatures

Question 18

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

Options:

A.

Layer 2

B.

Tap

C.

Layer 3

D.

Virtual Wire

Question 19

In the example security policy shown, which two websites fcked? (Choose two.)

Question # 19

Options:

A.

LinkedIn

B.

Facebook

C.

YouTube

D.

Amazon

Question 20

Place the steps in the correct packet-processing order of operations.

Question # 20

Options:

Question 21

What must be configured before setting up Credential Phishing Prevention?

Options:

A.

Anti Phishing Block Page

B.

Threat Prevention

C.

Anti Phishing profiles

D.

User-ID

Question 22

Question # 22

An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

Options:

A.

Rules without App Controls

B.

New App Viewer

C.

Rule Usage

D.

Unused Unused Apps

Question 23

Which type of address object is "10 5 1 1/0 127 248 2"?

Options:

A.

IP subnet

B.

IP wildcard mask

C.

IP netmask

D.

IP range

Question 24

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

Options:

A.

URL traffic

B.

vulnerability protection

C.

anti-spyware

D.

antivirus

Question 25

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

Options:

A.

Create an Application Filter and name it Office Programs, the filter it on the business-systems category, office-programs subcategory

B.

Create an Application Group and add business-systems to it

C.

Create an Application Filter and name it Office Programs, then filter it on the business-systems category

D.

Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

Question 26

Which type of address object is www.paloaltonetworks.com?

Options:

A.

IP range

B.

IP netmask

C.

named address

D.

FQDN

Question 27

Which the app-ID application will you need to allow in your security policy to use facebook-chat?

Options:

A.

facebook-email

B.

facebook-base

C.

facebook

D.

facebook-chat

Question 28

Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?

Question # 28

Options:

A.

It defines the SSUTLS encryption strength used to protect the management interface.

B.

It defines the CA certificate used to verify the client's browser.

C.

It defines the certificate to send to the client's browser from the management interface.

D.

It defines the firewall's global SSL/TLS timeout values.

Question 29

Which link in the web interface enables a security administrator to view the security policy rules that match new application signatures?

Options:

A.

Review Apps

B.

Review App Matches

C.

Pre-analyze

D.

Review Policies

Question 30

View the diagram.

Question # 30

What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into both the DMZ and Untrust/lnternet zones from each of the lOT/Guest and Trust Zones?

A)

Question # 30

B)

Question # 30

C)

Question # 30

D)

Question # 30

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 31

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet The firewall is configured with two zones;

1. trust for internal networks

2. untrust to the internet

Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two )

Options:

A.

Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application

B.

Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application.

C.

Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic.

D.

Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic

Question 32

Which Security profile can you apply to protect against malware such as worms and Trojans?

Options:

A.

data filtering

B.

antivirus

C.

vulnerability protection

D.

anti-spyware

Question 33

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?

Options:

A.

global

B.

intrazone

C.

interzone

D.

universal

Question 34

Given the image, which two options are true about the Security policy rules. (Choose two.)

Question # 34

Options:

A.

The Allow Office Programs rule is using an Application Filter

B.

In the Allow FTP to web server rule, FTP is allowed using App-ID

C.

The Allow Office Programs rule is using an Application Group

D.

In the Allow Social Networking rule, allows all of Facebook’s functions

Question 35

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1 What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

Options:

A.

Add zones attached to interfaces to the virtual router

B.

Add interfaces to the virtual router

C.

Enable the redistribution profile to redistribute connected routes

D.

Add a static routes to route between the two interfaces

Question 36

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

Options:

A.

HIP profile

B.

Application group

C.

URL category

D.

Application filter

Question 37

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out. Which two fields could help in determining if this is normal? (Choose two.)

Options:

A.

Packets sent/received

B.

IP Protocol

C.

Action

D.

Decrypted

Question 38

Given the topology, which zone type should zone A and zone B to be configured with?

Question # 38

Options:

A.

Layer3

B.

Tap

C.

Layer2

D.

Virtual Wire

Question 39

What in the minimum frequency for which you can configure the firewall too check for new wildfire antivirus signatures?

Options:

A.

every 5 minutes

B.

every 1 minute

C.

every 24 hours

D.

every 30 minutes

Question 40

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Options:

A.

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

B.

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

C.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

D.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

Question 41

Why does a company need an Antivirus profile?

Options:

A.

To prevent command-and-control traffic

B.

To protect against viruses, worms, and trojans

C.

To prevent known exploits

D.

To prevent access to malicious web content

Question 42

An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

Options:

A.

User-ID

B.

App-ID

C.

Security Processing Engine

D.

Content-ID

Page: 1 / 29
Total 286 questions