PCNSA Exam
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago.
Which utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days - ANS - D. Rule Usage Filter > Hit Count
> Unused in 90 days
\A company needs to preconfigure firewalls to be sent to remote sites with the least amount of
pre-configuration. Once deployed, each firewall must establish secure tunnels back to multiple
regional data centers to include the future regional data centers. Which VPN configuration
would adapt to changes when deployed to the future site? - ANS - Pre-configured Global
Protect Satellite
\A customer wants to set up a VLAN interface for a layer 2 Ethernet port. Which two mandatory
options are used to configure a VLAN interface? ( Choose Two) - ANS - -Virtual Router
-Security Zone
\A potential customer says it wants to maximize the threat detection capability of its
next-generation firewall. Which three additional services should it consider implementing to
enhance its firewall's capability to detect Threats?
A. Traps
B. WildFire
C. URL Filtering
D. Expedition
E. DNS Security - ANS - B. Wildfire
C. URL filtering
E. DNS Security
\A security administrator has configured App-ID updates to be automatically downloaded and
installed. The company is currently using an application identified byApp-ID as
SuperApp_base.On a content update notice, Palo Alto Networks is adding new app signatures
labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.Based on
the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no
longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied
until the security administrator approves the applications - ANS - C. No impact because the
firewall automatically adds the rules to the App-ID interface
\A Security policy rule is configured with a vulnerability protection profile and an action of
"Deny". which action will this cause configuration on the matched traffic? - ANS - The
configuration will allow the matched session unless a vulnerability signature is detected. the
, "deny" action will supersede the per-severity defined actions in the associated vulnerability
protection profile.
\A session in the traffic log is reporting the application as "incomplete". What does incomplete
mean? - ANS - The three-way handshake did not complete
\A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and
the switch port to which it connects. How would an administrator configure the interface to 1
Gbps? - ANS - Set device config system speed-duplex 1 gbps-gull-duplex
\A user traffic traversing a Palo Alto Network NGFW sometimes can reach
http://www.company.com. At other times the session times out. The NGFW has been configured
with a PBF rule if the next hop does down? - ANS - Create and add a monitor profile with an
action of failover in the PBF rule in question
\A web server is hosted in the DMZ, and he servers is configured to listen for incoming
connections only on the TCP port 8080. a security policy rule allowing access from the trust
zone to the DMZ zone need to be configured to enable web browsing access tot he server.
Which application and service need to be configured to allow only cleartext web-browsing traffic
to thins server on tcp/8080? - ANS - application: web browsing; service: application default
\Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List - ANS - A. Block List
D. Allow List
\An administrator encountered problems with inbound decryption. which option should the
administrator investigate as part of the triage? - ANS - Security policy rule allowing SSL to the
target server
\An administrator has been asked to configure a Palo Alto Network NGFW to provide protection
against worms and trojans. Which security profile type will protect against worms and trojans? -
ANS - -Anti-virus
\An administrator has been asked to configure active/passive HA for a pair of Palo Alto
Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is
correct for the passive firewall? - ANS - -255
\An administrator has configured the Palo Alto networks NGFW management interface to
connect to the internet through a dedicated path that does not transverse back through the
NGFW itself. which configuration setting or setup will allow the firewall to get automatic
application signature updates? - ANS - A service route will need to be configured
\An administrator has enable OSPF on a virtual router on the NGFW OSPF is not adding new
routes to the virtual router. Which two options enable the administrator to troubleshoot this
issue? - ANS - -View Runtime stats in the Virtual router
-View System Logs
\An administrator is using DNAT to map two servers to a single public IP address. traffic will be
steered to the specific server based on the application, where Host A (10.1.1.100) receives
HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will
accomplish this configuration? - ANS - -Untrust (Any) to DMZ (10.1.1.100), web-browsing- Allow
-Untrust (Any) to DMZ (10.1.1.101), SSH-Allow
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago.
Which utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days - ANS - D. Rule Usage Filter > Hit Count
> Unused in 90 days
\A company needs to preconfigure firewalls to be sent to remote sites with the least amount of
pre-configuration. Once deployed, each firewall must establish secure tunnels back to multiple
regional data centers to include the future regional data centers. Which VPN configuration
would adapt to changes when deployed to the future site? - ANS - Pre-configured Global
Protect Satellite
\A customer wants to set up a VLAN interface for a layer 2 Ethernet port. Which two mandatory
options are used to configure a VLAN interface? ( Choose Two) - ANS - -Virtual Router
-Security Zone
\A potential customer says it wants to maximize the threat detection capability of its
next-generation firewall. Which three additional services should it consider implementing to
enhance its firewall's capability to detect Threats?
A. Traps
B. WildFire
C. URL Filtering
D. Expedition
E. DNS Security - ANS - B. Wildfire
C. URL filtering
E. DNS Security
\A security administrator has configured App-ID updates to be automatically downloaded and
installed. The company is currently using an application identified byApp-ID as
SuperApp_base.On a content update notice, Palo Alto Networks is adding new app signatures
labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.Based on
the information, how is the SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no
longer matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied
until the security administrator approves the applications - ANS - C. No impact because the
firewall automatically adds the rules to the App-ID interface
\A Security policy rule is configured with a vulnerability protection profile and an action of
"Deny". which action will this cause configuration on the matched traffic? - ANS - The
configuration will allow the matched session unless a vulnerability signature is detected. the
, "deny" action will supersede the per-severity defined actions in the associated vulnerability
protection profile.
\A session in the traffic log is reporting the application as "incomplete". What does incomplete
mean? - ANS - The three-way handshake did not complete
\A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and
the switch port to which it connects. How would an administrator configure the interface to 1
Gbps? - ANS - Set device config system speed-duplex 1 gbps-gull-duplex
\A user traffic traversing a Palo Alto Network NGFW sometimes can reach
http://www.company.com. At other times the session times out. The NGFW has been configured
with a PBF rule if the next hop does down? - ANS - Create and add a monitor profile with an
action of failover in the PBF rule in question
\A web server is hosted in the DMZ, and he servers is configured to listen for incoming
connections only on the TCP port 8080. a security policy rule allowing access from the trust
zone to the DMZ zone need to be configured to enable web browsing access tot he server.
Which application and service need to be configured to allow only cleartext web-browsing traffic
to thins server on tcp/8080? - ANS - application: web browsing; service: application default
\Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List - ANS - A. Block List
D. Allow List
\An administrator encountered problems with inbound decryption. which option should the
administrator investigate as part of the triage? - ANS - Security policy rule allowing SSL to the
target server
\An administrator has been asked to configure a Palo Alto Network NGFW to provide protection
against worms and trojans. Which security profile type will protect against worms and trojans? -
ANS - -Anti-virus
\An administrator has been asked to configure active/passive HA for a pair of Palo Alto
Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is
correct for the passive firewall? - ANS - -255
\An administrator has configured the Palo Alto networks NGFW management interface to
connect to the internet through a dedicated path that does not transverse back through the
NGFW itself. which configuration setting or setup will allow the firewall to get automatic
application signature updates? - ANS - A service route will need to be configured
\An administrator has enable OSPF on a virtual router on the NGFW OSPF is not adding new
routes to the virtual router. Which two options enable the administrator to troubleshoot this
issue? - ANS - -View Runtime stats in the Virtual router
-View System Logs
\An administrator is using DNAT to map two servers to a single public IP address. traffic will be
steered to the specific server based on the application, where Host A (10.1.1.100) receives
HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will
accomplish this configuration? - ANS - -Untrust (Any) to DMZ (10.1.1.100), web-browsing- Allow
-Untrust (Any) to DMZ (10.1.1.101), SSH-Allow
