Exam (elaborations)

PCNSA Exam 2025/2026 Questions With Completed Solutions.

Pages
52
Grade
A+
Uploaded on
02-09-2025
Written in
2025/2026


Institution
PCNSE
Course
PCNSE












Contains
Questions & answers


PCNSA Flash Cards

21. GlobalProtect Portal is responsible for which two functions? (Choose two.)
A. terminating SSL tunnels
B. authenticating GlobalProtect users
C. creating on-demand certificates to encrypt SSL
D. managing and updating GlobalProtect client configurations
E. managing GlobalProtect Gateway configurations - ANS - BD

A company has strict security requirements that require inspection of every connection between
two internal computers. Those internal computers are connected and disconnected by
non-technical users in an environment without a DHCP server. How does traffic get forwarded
between those internal computers?
A. a switch
B. a firewall configured as a switch, with Layer 2 interfaces
C. a firewall configured as a router, with Layer 3 interfaces
D. a firewall in TAP mode or Virtual Mirror mode - ANS - B

A company uses a small SaaS application provider. This application is accessed through
HTTPS but suddenly stops working through the firewall. However, when the application is
accessed from home, users receive an error about the certificate. Which two situations would
explain this behavior? (Choose two.)
A. The SaaS's certificate had expired. The firewall's decryption policy is configured to block
connections with expired certificates.
B. The SaaS's certificate had expired. The firewall's decryption policy is configured to use the
untrusted CA with expired certificates.
C. The SaaS's certificate was replaced with one whose certificate authority is not known to the
firewall. The firewall's decryption policy is configured to block connections with certificates
whose CA is not trusted.
D. The SaaS's certificate was replaced with one whose certificate authority is not known to the
firewall. The firewall's decryption polic - ANS - AC

A customer's custom application uses SMTP (email) to transfer directory information, which
needs to be filtered in a different manner from normal SMTP. How do you configure this
filtering?
A. You cannot do it with the NGFW. You need to manually configure a proxy.
B. Create specific rules for the sources and destinations that run this application.
C. Create a custom signature and specify the SMTP fields that are different from normal SMTP
use and patterns to identify when it is the custom application.
D. Create an Application Override policy and specify the sources and destinations that run this
application. - ANS - C

A firewall administrator is deploying 50 Palo Alto Networks firewalls to protect remote sites.
Each firewall must have a site-to-site IPsec VPN tunnel to each of three campus locations.
Which configuration function is the basis for automatic site-to-site IPsec tunnels set up from
each remote location to the three campuses?
A. import of a settings table into the remote firewall's IPsec tunnel config
B. import of a settings table into the IPsec tunnel config of the three campuses
C. configuration of the GlobalProtect satellite settings of the campus and remote firewalls
D. entry of campus IPsec tunnel settings for each remote firewall's IPsec Profile - ANS - C

A firewall can forward log events to which two types of log formats? (Choose two.)
A. XES
B. SNMP
C. HTTP
D. databases using xml format
E. NCSA - ANS - BC

A firewall's virtual router can connect to which three types of interfaces? (Choose three.)
A. virtual wire
B. management
C. Layer 3 traffic
D. HA1
E. HA2
F. loopback
G. tunnel - ANS - CFG

A GlobalProtect Gateway is solely responsible for which function?
A. terminating SSL tunnels
B. authenticating GlobalProtect users
C. creating on-demand certificates to encrypt SSL
D. managing and updating GlobalProtect client configurations
E. managing GlobalProtect Gateway configurations - ANS - A

A Heatmap provides an adoption rate for which three features? (Choose three.)
A. WildFire
B. Traps
C. File Blocking
D. User-ID
E. Authentication Profiles - ANS - ACD

A legacy virtual router can use a Redistribution Profile to share routes between which three
routing protocols? (Choose three.)
A. static routes
B. IGRP
C. RIP
D. OSPF
E. multicast - ANS - ACD

A NAT policy rule is created to change the destination address of any packets with a source of
any address and a destination address of 10.10.10.10 (in the DMZ zone) to 192.168.3.45 (in the
Trust zone). Which Security policy rule components are required for a packet that has this rule
applied to match and allow this traffic?
A. source address any, source zone any, destination address 192.168.3.45, destination zone
Trust, action = allow
B. source address any, source zone any, destination address 10.10.10.10, destination zone
Trust, action = allow
C. source address any, source zone any, destination address 192.168.3.45, destination zone
DMZ, action = allow
D. source address any, source zone any, destination address 10.10.10.10, destination zone
DMZ, action = allow - ANS - B

A Palo Alto Networks firewall can forward DHCP packets to servers connected to which two
kinds of networks? (Choose two.)
A. virtual wire
B. Layer 2
C. Layer 3
D. aggregate - ANS - CD

A Palo Alto Networks firewall can obtain a certificate for its internal use through which three
methods? (Choose three.)
A. import a certificate file generated by an external CA
B. reference an externally stored certificate by a URL configured in an SSL/TLS Service Profile
C. generate a certificate directly by manually entering certificate data
D. obtain a certificate from an SCEP server using an SCEP Profile
E. import a certificate from an external CA by using an Authentication Profile - ANS - ACD

A Panorama template stack contains two templates and one configuration setting has a
different value in each template. When Panorama pushes the template stack to the managed
firewalls, which setting value will the firewalls receive?
A. value from the top template of the stack
B. value from the bottom template in the stack
C. value from the template designated as the parent
D. value an administrator selects from the two available values - ANS - A

A potential customer says it wants to maximize the threat detection capability of its
next-generation firewall. Which three additional services should it consider implementing to
enhance its firewall's capability to detect threats? (Choose three.)
A. Cortex XDR
B. WildFire
C. URL Filtering
D. Expedition
E. DNS Security - ANS - BCE

A private cloud has 20 VLANs spread over five ESXi hypervisors, managed by a single
vCenter. How many firewall VMs are needed to implement micro-segmentation?
A. one
B. four
C. five
D. 20 - ANS - C

A server on the DMZ with a private NIC address has network access provided by a NAT policy
rule whose Bi-directional check box is selected in the Translated Packet settings for static IP
source address translation. Which Security policy rule must be created to allow bidirectional
traffic to and from the DMZ server?
A. a rule for each direction of travel using the pre-NAT server IP address
B. a rule with the post-NAT source IP address
C. a rule for each direction of travel using the post-NAT server IP address
D. a rule with the pre-NAT source IP address - ANS - A

A tag can be dynamically assigned to data in which four types of logs? (Choose four.)
A. Traffic
B. Threat
C. URL Filtering
D. HIP Match
E. Tunnel Inspection
F. Configuration
G. System - ANS - ABCE

A URL Filtering Profile is part of which type of identification?
A. App-ID
B. Content-ID
C. User-ID
D. Service - ANS - B

A VM-Series firewall being deployed in Azure can be automatically configured by
bootstrapping. Azure requires which features for Bootstrapping to work?
A. Storage Account configured for Azure Files Service
B. PowerShell script that feeds a configuration file to the firewall
C. XML configuration file included in the base firewall provisioning
D. Azure Backup services configured with a config file and included in the firewall provisioning - ANS - A

A VM-Series virtual firewall differs from a physical Palo Alto Networks firewall in which way?
A. A VM-Series firewall cannot be managed by Panorama.
B. A VM-Series firewall supports fewer traffic interface types.
C. A VM-Series firewall cannot terminate VPN site-to-site tunnels.
D. A VM-Series firewall cannot use dynamic routing protocols. - ANS - B

Administrators within the enterprise want to replace the default certificate used by the firewall to
secure the management web interface traffic with a certificate generated by their existing
certificate authority. Which certificate property must be set for their new certificate to function?
A. Certificate CN set to a domain name that resolves to any traffic port address of the firewall.
B. Certificate must be signed by the firewall root certificate.
C. Certificate must have the Forward Trust Certificate property set.
D. CN must be set to the management port of the firewall. - ANS - D

After an Applications and Threats dynamic update is downloaded to the firewall, where can
information about changes to the App-IDs be found?
A. Summary link in the log event detail reporting the dynamic update file download
B. Review Policies link at the bottom of the Security policy rules display
C. Review Apps link appearing next to the downloaded Applications and Threats file
D. Details link in the dynamic file availability announcement appearing in the News Feed widget
on the dashboard - ANS - C
