PCNSA Exam – Questions/Answers (Rated A+)
After making multiple changes to the candidate configuration of a firewall,
the administrator would like to start over with a candidate configuration
that matches the running-configuration.
Which command in Device>Setup>Operations would provide the most
operationally efficient way to accomplish this.
A. Import named config snapshot
B. Load named configuration snapshot
C. Revert to running configuration
D. Revert to last saved configuration Correct Ans - C. Revert to
Running Configuration
Starting with PAN-OS version 9.1, application dependency information is
now reported in which two locations. (Choose Two)
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer's Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages Correct Ans - A. On
the App Dependency tab in the Commit Status Window
C. On the Application tab in the Security Policy rule creation window.
What is the advantage for using application tags?
A. They are helpful during the creation of new zones.
B. They help with the design of IP address allocations in DHCP.
C. They help content updates automate policy updates.
D. They help with the creation of interfaces. Correct Ans - C. They
help content updates automate policy updates.
An Administrator wishes to follow the best practices for logging traffic that
traverses the firewall.
Which Log Setting is correct?
A. Disable all logging
B. Enable Log at Session End
,C. Enable Log at Session Start
D. Enable Log at both Session Start and End Correct Ans - B. Enable
Log at Session End
An Address object of type 'IP Wildcard Mask' can be referenced in which
part of the configuration.
A. Security policy rule
B. ACC global filter
C. external dynamic list
D. NAT address pool Correct Ans - A. Security Policy Rule
What is the function of application tags?
A. creation of new zones
B. application prioritization
C. automates referenced applications in a policy
D. IP address allocations in DHCP Correct Ans - C. automates
referenced applications in a policy
Which three types of authentication services can be used to authenticate
user traffic flowing through the firewalls data plane? (Choose three )
A. TACACS
B. SAML2
C. SAML10
D. Kerberos
E. TACACS+ Correct Ans - A. TACACS
B. SAML2
D. Kerberos
An administrator needs to create a Security policy rule that matches DNS
traffic within the LAN zone, and also needs to match DNS traffic within the
DMZ zone The administrator does not want to allow traffic between the
DMZ and LAN zones.
Which Security policy rule type should they use?
A. default
B. universal
,C. intrazone
D. interzone Correct Ans - C. intrazone
An administrator is reviewing another administrator s Security policy log
settings Which log setting configuration is consistent with best practices
tor normal traffic?
A. Log at Session Start and Log at Session End both enabled
B. Log at Session Start disabled Log at Session End enabled
C. Log at Session Start enabled Log at Session End disabled
D. Log at Session Start and Log at Session End both disabled Correct
Ans - B. Log at Session Start disabled Log at Session End enabled
Which type firewall configuration contains in-progress configuration
changes?
A. backup
B. running
C. candidate
D. committed Correct Ans - C. candidate
What are the two default behaviors for the intrazone-default policy?
(Choose two.)
A. Allow
B. Logging disabled
C. Log at Session End
D. Deny Correct Ans - A. Allow
B. Logging disabled
.Assume that traffic matches a Security policy rule but the attached
Security Profiles is configured to block matching traffic Which statement
accurately describes how the firewall will apply an action to matching
traffic?
A. If it is an allowed rule, then the Security Profile action is applied last.
B. If it is a block rule then the Security policy rule action is applied last.
C. If it is an allow rule then the Security policy rule is applied last.
, D. If it is a block rule then Security Profile action is applied last. Correct
Ans - A. If it is an allowed rule, then the Security Profile action is
applied last.
Palo Alto Networks firewall architecture accelerates content map
minimizing latency using which two components'? (Choose two)
A. Network Processing Engine
B. Single Stream-based Engine
C. Policy Engine
D. Parallel Processing Hardware Correct Ans - B. Single Stream-
based Engine
.You receive notification about new malware that infects hosts through
malicious files transferred by FTP. Which Security profile detects and
protects your internal networks from this threat after you update your
firewall's threat signature database?
A. URL Filtering profile applied to inbound Security policy rules.
B. Data Filtering profile applied to outbound Security policy rules.
C. Antivirus profile applied to inbound Security policy rules.
D. Vulnerability Protection profile applied to outbound Security policy
rules. Correct Ans - C. Antivirus profile applied to inbound Security
policy rules.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/
security-profiles
An internal host wants to connect to servers of the internet through using
source NAT. Which policy is required to enable source NAT on the firewall?
A. NAT policy with source zone and destination zone specified.
B. post-NAT policy with external source and any destination address.
C. NAT policy with no source of destination zone selected.
D. pre-NAT policy with external source and any destination address.
Correct Ans - A. NAT policy with source zone and destination zone
specified
Which interface type requires no routing or switching but applies Security
or NAT policy rules before passing allowed traffic?
After making multiple changes to the candidate configuration of a firewall,
the administrator would like to start over with a candidate configuration
that matches the running-configuration.
Which command in Device>Setup>Operations would provide the most
operationally efficient way to accomplish this.
A. Import named config snapshot
B. Load named configuration snapshot
C. Revert to running configuration
D. Revert to last saved configuration Correct Ans - C. Revert to
Running Configuration
Starting with PAN-OS version 9.1, application dependency information is
now reported in which two locations. (Choose Two)
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer's Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages Correct Ans - A. On
the App Dependency tab in the Commit Status Window
C. On the Application tab in the Security Policy rule creation window.
What is the advantage for using application tags?
A. They are helpful during the creation of new zones.
B. They help with the design of IP address allocations in DHCP.
C. They help content updates automate policy updates.
D. They help with the creation of interfaces. Correct Ans - C. They
help content updates automate policy updates.
An Administrator wishes to follow the best practices for logging traffic that
traverses the firewall.
Which Log Setting is correct?
A. Disable all logging
B. Enable Log at Session End
,C. Enable Log at Session Start
D. Enable Log at both Session Start and End Correct Ans - B. Enable
Log at Session End
An Address object of type 'IP Wildcard Mask' can be referenced in which
part of the configuration.
A. Security policy rule
B. ACC global filter
C. external dynamic list
D. NAT address pool Correct Ans - A. Security Policy Rule
What is the function of application tags?
A. creation of new zones
B. application prioritization
C. automates referenced applications in a policy
D. IP address allocations in DHCP Correct Ans - C. automates
referenced applications in a policy
Which three types of authentication services can be used to authenticate
user traffic flowing through the firewalls data plane? (Choose three )
A. TACACS
B. SAML2
C. SAML10
D. Kerberos
E. TACACS+ Correct Ans - A. TACACS
B. SAML2
D. Kerberos
An administrator needs to create a Security policy rule that matches DNS
traffic within the LAN zone, and also needs to match DNS traffic within the
DMZ zone The administrator does not want to allow traffic between the
DMZ and LAN zones.
Which Security policy rule type should they use?
A. default
B. universal
,C. intrazone
D. interzone Correct Ans - C. intrazone
An administrator is reviewing another administrator s Security policy log
settings Which log setting configuration is consistent with best practices
tor normal traffic?
A. Log at Session Start and Log at Session End both enabled
B. Log at Session Start disabled Log at Session End enabled
C. Log at Session Start enabled Log at Session End disabled
D. Log at Session Start and Log at Session End both disabled Correct
Ans - B. Log at Session Start disabled Log at Session End enabled
Which type firewall configuration contains in-progress configuration
changes?
A. backup
B. running
C. candidate
D. committed Correct Ans - C. candidate
What are the two default behaviors for the intrazone-default policy?
(Choose two.)
A. Allow
B. Logging disabled
C. Log at Session End
D. Deny Correct Ans - A. Allow
B. Logging disabled
.Assume that traffic matches a Security policy rule but the attached
Security Profiles is configured to block matching traffic Which statement
accurately describes how the firewall will apply an action to matching
traffic?
A. If it is an allowed rule, then the Security Profile action is applied last.
B. If it is a block rule then the Security policy rule action is applied last.
C. If it is an allow rule then the Security policy rule is applied last.
, D. If it is a block rule then Security Profile action is applied last. Correct
Ans - A. If it is an allowed rule, then the Security Profile action is
applied last.
Palo Alto Networks firewall architecture accelerates content map
minimizing latency using which two components'? (Choose two)
A. Network Processing Engine
B. Single Stream-based Engine
C. Policy Engine
D. Parallel Processing Hardware Correct Ans - B. Single Stream-
based Engine
.You receive notification about new malware that infects hosts through
malicious files transferred by FTP. Which Security profile detects and
protects your internal networks from this threat after you update your
firewall's threat signature database?
A. URL Filtering profile applied to inbound Security policy rules.
B. Data Filtering profile applied to outbound Security policy rules.
C. Antivirus profile applied to inbound Security policy rules.
D. Vulnerability Protection profile applied to outbound Security policy
rules. Correct Ans - C. Antivirus profile applied to inbound Security
policy rules.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/
security-profiles
An internal host wants to connect to servers of the internet through using
source NAT. Which policy is required to enable source NAT on the firewall?
A. NAT policy with source zone and destination zone specified.
B. post-NAT policy with external source and any destination address.
C. NAT policy with no source of destination zone selected.
D. pre-NAT policy with external source and any destination address.
Correct Ans - A. NAT policy with source zone and destination zone
specified
Which interface type requires no routing or switching but applies Security
or NAT policy rules before passing allowed traffic?
