PCNSA : Palo Alto Networks Certified Network Security Administrator : Part 04

PCNSA : Palo Alto Networks Certified Network Security Administrator : Part 04

1. Which Security Profile mitigates attacks based on packet count?

   • zone protection profile
   • URL filtering profile
   • antivirus profile
   • vulnerability profile

2. Which interface type uses virtual routers and routing protocols?

   • Tap
   • Layer3
   • Virtual Wire
   • Layer2

3. Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

   • Override
   • Allow
   • Block
   • Continue

   Explanation:

   Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions

4. An internal host needs to connect through the firewall using source NAT to servers of the internet.

   Which policy is required to enable source NAT on the firewall?

   • NAT policy with internal zone and internet zone specified
   • post-NAT policy with external source and any destination address
   • NAT policy with no internal or internet zone selected
   • pre-NAT policy with external source and any destination address

5. Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet’s source and destination IP addresses?

   • DoS protection
   • URL filtering
   • packet buffering
   • anti-spyware

6. Which path in PAN-OS 9.0 displays the list of port-based security policy rules?

   • Policies> Security> Rule Usage> No App Specified
   • Policies> Security> Rule Usage> Port only specified
   • Policies> Security> Rule Usage> Port-based Rules
   • Policies> Security> Rule Usage> Unused Apps

7. Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

   • Layer-ID
   • User-ID
   • QoS-ID
   • App-ID
   Explanation:
   Reference: http://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single-pass-parallel-processing-hardware-architecture.html

8. Which path is used to save and load a configuration with a Palo Alto Networks firewall?

   • Device>Setup>Services
   • Device>Setup>Management
   • Device>Setup>Operations
   • Device>Setup>Interfaces

9. DRAG DROP

   Match the network device with the correct User-ID technology.

   

   

10. Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?

    • Review Policies
    • Review Apps
    • Pre-analyze
    • Review App Matches
    Explanation:
    Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

11. How do you reset the hit count on a Security policy rule?

    • Select a Security policy rule, and then select Hit Count > Reset.
    • Reboot the data-plane.
    • First disable and then re-enable the rule.
    • Type the CLI command reset hitcount <POLICY-NAME>.

12. Given the topology, which zone type should you configure for firewall interface E1/1?

    

    • Tap
    • Tunnel
    • Virtual Wire
    • Layer3

13. Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

    • Management
    • High Availability
    • Aggregate
    • Aggregation

14. Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

    • intrazone
    • interzone
    • universal
    • global

15. Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL?

    • EDL in URL Filtering Profile
    • Custom URL category in URL Filtering Profile
    • Custom URL category in Security policy rule
    • PAN-DB URL category in URL Filtering Profile

16. Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?

    • north-south
    • inbound
    • outbound
    • east-west

17. Which protocol is used to map usernames to user groups when User-ID is configured?

    • TACACS+
    • SAML
    • LDAP
    • RADIUS
    Explanation:
    Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

18. Which definition describes the guiding principle of the zero-trust architecture?

    • trust, but verify
    • always connect and verify
    • never trust, never connect
    • never trust, always verify
    Explanation:
    Reference: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

19. All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.

    Complete the two empty fields in the Security policy rules that permits only this type of access.

    Source Zone: Internal
    Destination Zone: DMZ Zone
    Application: _________?
    Service: ____________?
    Action: allow

    (Choose two.)

    • Service = “application-default”
    • Service = “service-telnet”
    • Application = “Telnet”
    • Application = “any”

20. In which profile should you configure the DNS Security feature?

    • Anti-Spyware Profile
    • Zone Protection Profile
    • Antivirus Profile
    • URL Filtering Profile
    Explanation:
    Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security.html