Summer Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 1271b8m643

PCNSA Exam Dumps - Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)

Question # 4

An administrator would like to silently drop traffic from the internet to a ftp server.

Which Security policy action should the administrator select?

A.

Reset-server

B.

Block

C.

Deny

D.

Drop

Full Access
Question # 5

What is the minimum timeframe that can be set on the firewall to check for new WildFire signatures?

A.

every 30 minutes

B.

every 5 minutes

C.

once every 24 hours

D.

every 1 minute

Full Access
Question # 6

In which profile should you configure the DNS Security feature?

A.

URL Filtering Profile

B.

Anti-Spyware Profile

C.

Zone Protection Profile

D.

Antivirus Profile

Full Access
Question # 7

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

A.

by minute

B.

hourly

C.

daily

D.

weekly

Full Access
Question # 8

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP –to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.

Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A.

syslog

B.

RADIUS

C.

UID redistribution

D.

XFF headers

Full Access
Question # 9

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis Unit 42 research and data gathered from telemetry?

A.

Palo Alto Networks C&C IP Addresses

B.

Palo Alto Networks Bulletproof IP Addresses

C.

Palo Alto Networks High-Risk IP Addresses

D.

Palo Alto Networks Known Malicious IP Addresses

Full Access
Question # 10

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1 What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

A.

Add zones attached to interfaces to the virtual router

B.

Add interfaces to the virtual router

C.

Enable the redistribution profile to redistribute connected routes

D.

Add a static routes to route between the two interfaces

Full Access
Question # 11

What does an administrator use to validate whether a session is matching an expected NAT policy?

A.

system log

B.

test command

C.

threat log

D.

config audit

Full Access
Question # 12

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

A.

Configure an authentication policy

B.

Configure an authentication sequence

C.

Configure an authentication profile

D.

Isolate the management interface on a dedicated management VLAN

Full Access
Question # 13

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

A.

SAML

B.

TACACS+

C.

LDAP

D.

Kerberos

Full Access
Question # 14

What is considered best practice with regards to committing configuration changes?

A.

Disable the automatic commit feature that prioritizes content database installations before committing

B.

Validate configuration changes prior to committing

C.

Wait until all running and pending jobs are finished before committing

D.

Export configuration after each single configuration change performed

Full Access
Question # 15

Match the cyber-attack lifecycle stage to its correct description.

Full Access
Question # 16

Which two security profile types can be attached to a security policy? (Choose two.)

A.

antivirus

B.

DDoS protection

C.

threat

D.

vulnerability

Full Access
Question # 17

What is the main function of the Test Policy Match function?

A.

verify that policy rules from Expedition are valid

B.

confirm that rules meet or exceed the Best Practice Assessment recommendations

C.

confirm that policy rules in the configuration are allowing/denying the correct traffic

D.

ensure that policy rules are not shadowing other policy rules

Full Access
Question # 18

Which statement is true about Panorama managed devices?

A.

Panorama automatically removes local configuration locks after a commit from Panorama

B.

Local configuration locks prohibit Security policy changes for a Panorama managed device

C.

Security policy rules configured on local firewalls always take precedence

D.

Local configuration locks can be manually unlocked from Panorama

Full Access
Question # 19

An administrator wants to prevent access to media content websites that are risky

Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two)

A.

streaming-media

B.

high-risk

C.

recreation-and-hobbies

D.

known-risk

Full Access
Question # 20

Which update option is not available to administrators?

A.

New Spyware Notifications

B.

New URLs

C.

New Application Signatures

D.

New Malicious Domains

E.

New Antivirus Signatures

Full Access
Question # 21

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

A.

Root

B.

Dynamic

C.

Role-based

D.

Superuser

Full Access
Question # 22

Which two settings allow you to restrict access to the management interface? (Choose two )

A.

enabling the Content-ID filter

B.

administrative management services

C.

restricting HTTP and telnet using App-ID

D.

permitted IP addresses

Full Access
Question # 23

Which object would an administrator create to block access to all high-risk applications?

A.

HIP profile

B.

application filter

C.

application group

D.

Vulnerability Protection profile

Full Access
Question # 24

When is the content inspection performed in the packet flow process?

A.

after the application has been identified

B.

after the SSL Proxy re-encrypts the packet

C.

before the packet forwarding process

D.

before session lookup

Full Access
Question # 25

Match each feature to the DoS Protection Policy or the DoS Protection Profile.

Full Access
Question # 26

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

A.

override

B.

allow

C.

block

D.

continue

Full Access
Question # 27

What is the main function of Policy Optimizer?

A.

reduce load on the management plane by highlighting combinable security rules

B.

migrate other firewall vendors’ security rules to Palo Alto Networks configuration

C.

eliminate “Log at Session Start” security rules

D.

convert port-based security rules to application-based security rules

Full Access
Question # 28

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

A.

create the service object in the specific template

B.

uncheck the shared option

C.

ensure that disable override is selected

D.

ensure that disable override is cleared

Full Access
Question # 29

An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

A.

NAT policy with source zone and destination zone specified

B.

post-NAT policy with external source and any destination address

C.

NAT policy with no source of destination zone selected

D.

pre-NAT policy with external source and any destination address

Full Access
Question # 30

Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

A.

Windows session monitoring via a domain controller

B.

passive server monitoring using the Windows-based agent

C.

Captive Portal

D.

passive server monitoring using a PAN-OS integrated User-ID agent

Full Access
Question # 31

How is the hit count reset on a rule?

A.

select a security policy rule, right click Hit Count > Reset

B.

with a dataplane reboot

C.

Device > Setup > Logging and Reporting Settings > Reset Hit Count

D.

in the CLI, type command reset hitcount

Full Access
Question # 32

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

A.

on the App Dependency tab in the Commit Status window

B.

on the Policy Optimizer's Rule Usage page

C on the Application tab in the Security Policy Rule creation window

C.

on the Objects > Applications browser pages

Full Access