New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium Paloalto Networks PCNSA Dumps Questions Answers

Page: 1 / 27
Total 364 questions

Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Question 1

What two actions can be taken when implementing an exception to an External Dynamic List? (Choose two.)

Options:

A.

Exclude an IP address by making use of wildcards.

B.

Exclude a URL entry by making use of regular expressions.

C.

Exclude an IP address by making use of regular expressions.

D.

Exclude a URL entry by making use of wildcards.

Buy Now
Question 2

URL categories can be used as match criteria on which two policy types? (Choose two.)

Options:

A.

authentication

B.

decryption

C application override

C.

NAT

Question 3

Which dynamic update type includes updated anti-spyware signatures?

Options:

A.

Applications and Threats

B.

GlobalProtect Data File

C.

Antivirus

D.

PAN-DB

Question 4

Within a WildFire Analysis Profile, what match criteria can be defined to forward samples for analysis?

Options:

A.

Application Category

B.

Source

C.

File Size

D.

Direction

Question 5

Given the screenshot what two types of route is the administrator configuring? (Choose two )

Options:

A.

default route

B.

OSPF

C.

BGP

D.

static route

Question 6

Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?

Options:

A.

Objects > Dynamic Updates > Review App-IDs

B.

Device > Dynamic Updates > Review Policies

C.

Device > Dynamic Updates > Review App-IDs

D.

Objects > Dynamic Updates > Review Policies

Question 7

What are three valid ways to map an IP address to a username? (Choose three.)

Options:

A.

using the XML API

B.

DHCP Relay logs

C.

a user connecting into a GlobalProtect gateway using a GlobalProtect Agent

D.

usernames inserted inside HTTP Headers

E.

WildFire verdict reports

Question 8

Match the Palo Alto Networks Security Operating Platform architecture to its description.

Options:

Question 9

Match the network device with the correct User-ID technology.

Options:

Question 10

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

Options:

A.

Translation Type

B.

Interface

C.

Address Type

D.

IP Address

Question 11

Based on the show security policy rule would match all FTP traffic from the inside zone to the outside zone?

Options:

A.

internal-inside-dmz

B.

engress outside

C.

inside-portal

D.

intercone-default

Question 12

Which administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.

Which security profile components will detect and prevent this threat after the firewall`s signature database has been updated?

Options:

A.

antivirus profile applied to outbound security policies

B.

data filtering profile applied to inbound security policies

C.

data filtering profile applied to outbound security policies

D.

vulnerability profile applied to inbound security policies

Question 13

Which administrator type utilizes predefined roles for a local administrator account?

Options:

A.

Superuser

B.

Role-based

C.

Dynamic

D.

Device administrator

Question 14

An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

Options:

A.

Eleven rules use the "Infrastructure* tag.

B.

The view Rulebase as Groups is checked.

C.

There are seven Security policy rules on this firewall.

D.

Highlight Unused Rules is checked.

Question 15

What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?

Options:

A.

any supported Palo Alto Networks firewall or Prisma Access firewall

B.

an additional subscription free of charge

C.

a firewall device running with a minimum version of PAN-OS 10.1

D.

an additional paid subscription

Question 16

By default, which action is assigned to the interzone-default rule?

Options:

A.

Reset-client

B.

Reset-server

C.

Deny

D.

Allow

Question 17

When creating a custom URL category object, which is a valid type?

Options:

A.

domain match

B.

host names

C.

wildcard

D.

category match

Question 18

Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

Options:

A.

Windows session monitoring via a domain controller

B.

passive server monitoring using the Windows-based agent

C.

Captive Portal

D.

passive server monitoring using a PAN-OS integrated User-ID agent

Question 19

Which feature must be configured to enable a data plane interface to submit DNS queries originated from the firewall on behalf of the control plane?

Options:

A.

Service route

B.

Admin role profile

C.

DNS proxy

D.

Virtual router

Question 20

Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate username and the associated password?

Options:

A.

Domain Credential

B.

IP User

C.

Group Mapping

D.

Valid Username Detected Log Severity

Question 21

Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

Options:

A.

Layer 3

B.

Virtual Wire

C.

Tap

D.

Layer 2

Question 22

Which component is a building block in a Security policy rule?

Options:

A.

decryption profile

B.

destination interface

C.

timeout (min)

D.

application

Question 23

Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?

Options:

A.

reconnaissance

B.

delivery

C.

exploitation

D.

installation

Question 24

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?

Options:

A.

Network ab

B.

Policies

C.

Objects

D.

Device

Question 25

Which protocol used to map username to user groups when user-ID is configured?

Options:

A.

SAML

B.

RADIUS

C.

TACACS+

D.

LDAP

Question 26

To what must an interface be assigned before it can process traffic?

Options:

A.

Security Zone

B.

Security policy

C.

Security Protection

D.

Security profile

Question 27

Which solution is a viable option to capture user identification when Active Directory is not in use?

Options:

A.

Cloud Identity Engine

B.

group mapping

C.

Directory Sync Service

D.

Authentication Portal

Question 28

How is the hit count reset on a rule?

Options:

A.

select a security policy rule, right click Hit Count > Reset

B.

with a dataplane reboot

C.

Device > Setup > Logging and Reporting Settings > Reset Hit Count

D.

in the CLI, type command reset hitcount

Question 29

The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate laptop the malware contacted a known command-and-control server which exfiltrating corporate data.

Which Security profile feature could have been used to prevent the communications with the command-and-control server?

Options:

A.

Create a Data Filtering Profile and enable its DNS sinkhole feature.

B.

Create an Antivirus Profile and enable its DNS sinkhole feature.

C.

Create an Anti-Spyware Profile and enable its DNS sinkhole feature.

D.

Create a URL Filtering Profile and block the DNS sinkhole URL category.

Question 30

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.

Options:

Question 31

Which firewall plane provides configuration, logging, and reporting functions on a separate processor?

Options:

A.

control

B.

network processing

C.

data

D.

security processing

Question 32

An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration.

Why doesn't the administrator see the traffic?

Options:

A.

Traffic is being denied on the interzone-default policy.

B.

The Log Forwarding profile is not configured on the policy.

C.

The interzone-default policy is disabled by default

D.

Logging on the interzone-default policy is disabled

Question 33

Which interface type can use virtual routers and routing protocols?

Options:

A.

Tap

B.

Layer3

C.

Virtual Wire

D.

Layer2

Question 34

Which type of profile must be applied to the Security policy rule to protect against buffer overflows illegal code execution and other attempts to exploit system flaws?

Options:

A.

anti-spyware

B.

URL filtering

C.

vulnerability protection

D.

file blocking

Question 35

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

Options:

A.

on either the data place or the management plane.

B.

after it is matched by a security policy rule that allows traffic.

C.

before it is matched to a Security policy rule.

D.

after it is matched by a security policy rule that allows or blocks traffic.

Question 36

In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)

Options:

A.

Objects tab > Application Filters

B.

Policies tab > Security

C.

ACC tab > Global Filters

D.

Objects tab > Application Groups

E.

Objects tab > Applications

Question 37

Which policy set should be used to ensure that a policy is applied just before the default security rules?

Options:

A.

Parent device-group post-rulebase

B.

Child device-group post-rulebase

C.

Local Firewall policy

D.

Shared post-rulebase

Question 38

Based on the screenshot what is the purpose of the group in User labelled ''it"?

Options:

A.

Allows users to access IT applications on all ports

B.

Allows users in group "DMZ" lo access IT applications

C.

Allows "any" users to access servers in the DMZ zone

D.

Allows users in group "it" to access IT applications

Question 39

When a security rule is configured as Intrazone, which field cannot be changed?

Options:

A.

Actions

B.

Source Zone

C.

Application

D.

Destination Zone

Question 40

What are the two default behaviors for the intrazone-default policy? (Choose two.)

Options:

A.

Allow

B.

Logging disabled

C.

Log at Session End

D.

Deny

Question 41

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

Options:

A.

Threat Prevention License

B.

Threat Implementation License

C.

Threat Environment License

D.

Threat Protection License

Question 42

Place the steps in the correct packet-processing order of operations.

Options:

Question 43

How are service routes used in PAN-OS?

Options:

A.

By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered in the network

B.

To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks external services

C.

For routing, because they are the shortest path selected by the BGP routing protocol

D.

To route management plane services through data interfaces rather than the management interface

Question 44

A network has 10 domain controllers, multiple WAN links, and a network infrastructure with bandwidth needed to support mission-critical applications. Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

Options:

A.

Windows-based agent on a domain controller

B.

Captive Portal

C.

Citrix terminal server with adequate data-plane resources

D.

PAN-OS integrated agent

Question 45

Which profile should be used to obtain a verdict regarding analyzed files?

Options:

A.

WildFire analysis

B.

Vulnerability profile

C.

Content-ID

D.

Advanced threat prevention

Question 46

Given the image, which two options are true about the Security policy rules. (Choose two.)

Options:

A.

The Allow Office Programs rule is using an Application Filter

B.

In the Allow FTP to web server rule, FTP is allowed using App-ID

C.

The Allow Office Programs rule is using an Application Group

D.

In the Allow Social Networking rule, allows all of Facebook’s functions

Question 47

Based on the screenshot presented which column contains the link that when clicked opens a window to display all applications matched to the policy rule?

Options:

A.

Apps Allowed

B.

Name

C.

Apps Seen

D.

Service

Question 48

Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

Options:

A.

override

B.

authorization

C.

authentication

D.

continue

Question 49

Which file is used to save the running configuration with a Palo Alto Networks firewall?

Options:

A.

running-config.xml

B.

run-config.xml

C.

running-configuration.xml

D.

run-configuratin.xml

Question 50

Match the Cyber-Attack Lifecycle stage to its correct description.

Options:

Question 51

Why should a company have a File Blocking profile that is attached to a Security policy?

Options:

A.

To block uploading and downloading of specific types of files

B.

To detonate files in a sandbox environment

C.

To analyze file types

D.

To block uploading and downloading of any type of files

Question 52

The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access the PowerBall Lottery website for just this week. However, the company does not want employees to access any other websites also listed in the URL filtering “gambling” category.

Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the “gambling” URL category?

Options:

A.

Add just the URL www.powerball.com to a Security policy allow rule.

B.

Manually remove powerball.com from the gambling URL category.

C.

Add *.powerball.com to the URL Filtering allow list.

D.

Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.

Question 53

Which action can be performed when grouping rules by group tags?

Options:

A.

Delete Tagged Rule(s)

B.

Edit Selected Rule(s)

C.

Apply Tag to the Selected Rule(s)

D.

Tag Selected Rule(s)

Question 54

When HTTPS for management and GlobalProtect are enabled on the same data plane interface, which TCP port is used for management access?

Options:

A.

80

B.

443

C.

4443

D.

8443

Question 55

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

Options:

A.

Configure an authentication policy

B.

Configure an authentication sequence

C.

Configure an authentication profile

D.

Isolate the management interface on a dedicated management VLAN

Question 56

Access to which feature requires PAN-OS Filtering licens?

Options:

A.

PAN-DB database

B.

URL external dynamic lists

C.

Custom URL categories

D.

DNS Security

Question 57

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

Options:

A.

URL traffic

B.

vulnerability protection

C.

anti-spyware

D.

antivirus

Question 58

Where in the PAN-OS GUI can an administrator monitor the rule usage for a specified period of time?

Options:

A.

Objects > Schedules

B.

Policies > Policy Optimizer

C.

Monitor > Packet Capture

D.

Monitor > Reports

Question 59

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

Options:

A.

intrazone

B.

interzone

C.

universal

D.

global

Question 60

Which situation is recorded as a system log?

Options:

A.

An attempt to access a spoofed website has been blocked.

B.

A connection with an authentication server has been dropped.

C.

A file that has been analyzed is potentially dangerous for the system.

D.

A new asset has been discovered on the network.

Question 61

Given the topology, which zone type should zone A and zone B to be configured with?

Options:

A.

Layer3

B.

Tap

C.

Layer2

D.

Virtual Wire

Question 62

When is the content inspection performed in the packet flow process?

Options:

A.

after the application has been identified

B.

after the SSL Proxy re-encrypts the packet

C.

before the packet forwarding process

D.

before session lookup

Question 63

Which security profile should be used to classify malicious web content?

Options:

A.

URL Filtering

B.

Antivirus

C.

Web Content

D.

Vulnerability Protection

Question 64

Which order of steps is the correct way to create a static route?

Options:

A.

1) Enter the route and netmask

2) Enter the IP address for the specific next hop

3) Specify the outgoing interface for packets to use to go to the next hop

4) Add an IPv4 or IPv6 route by name

B.

1) Enter the route and netmask

2) Specify the outgoing interface for packets to use to go to the next hop

3) Enter the IP address for the specific next hop

4) Add an IPv4 or IPv6 route by name

C.

1) Enter the IP address for the specific next hop

2) Enter the route and netmask

3) Add an IPv4 or IPv6 route by name

4) Specify the outgoing interface for packets to use to go to the next hop

D.

1) Enter the IP address for the specific next hop

2) Add an IPv4 or IPv6 route by name

3) Enter the route and netmask

4) Specify the outgoing interface for packets to use to go to the next hop

Question 65

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

Options:

A.

Panorama > Device Deployment > Dynamic Updates > Schedules > Add

B.

Panorama > Device Deployment > Content Updates > Schedules > Add

C.

Panorama > Dynamic Updates > Device Deployment > Schedules > Add

D.

Panorama > Content Updates > Device Deployment > Schedules > Add

Question 66

Which prevention technique will prevent attacks based on packet count?

Options:

A.

zone protection profile

B.

URL filtering profile

C.

antivirus profile

D.

vulnerability profile

Question 67

Which license is required to use the Palo Alto Networks built-in IP address EDLs?

Options:

A.

DNS Security

B.

Threat Prevention

C.

WildFire

D.

SD-Wan

Question 68

Which license must an administrator acquire prior to downloading Antivirus updates for use with the firewall?

Options:

A.

URL filtering

B.

Antivirus

C.

WildFire

D.

Threat Prevention

Question 69

How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?

Options:

A.

Select the unified log entry in the side menu.

B.

Modify the number of columns visible on the page

C.

Modify the number of logs visible on each page.

D.

Select the system logs entry in the side menu.

Question 70

Selecting the option to revert firewall changes will replace what settings?

Options:

A.

the running configuration with settings from the candidate configuration

B.

the device state with settings from another configuration

C.

the candidate configuration with settings from the running configuration

D.

dynamic update scheduler settings

Question 71

Which feature enables an administrator to review the Security policy rule base for unused rules?

Options:

A.

Security policy tags

B.

Test Policy Match

C.

View Rulebase as Groups

D.

Policy Optimizer

Question 72

An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list. What is the maximum number of entries that they can be exclude?

Options:

A.

50

B.

100

C.

200

D.

1,000

Question 73

What is a recommended consideration when deploying content updates to the firewall from Panorama?

Options:

A.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

B.

Content updates for firewall A/A HA pairs need a defined master device.

C.

Before deploying content updates, always check content release version compatibility.

D.

After deploying content updates, perform a commit and push to Panorama.

Question 74

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

Options:

A.

Untrust (Any) to DMZ (1.1.1.100), ssh - Allow

B.

Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow

C.

Untrust (Any) to Untrust (10.1.1.1), ssh -Allow

D.

Untrust (Any)to DMZ (10.1.1.100. 10.1.1.101), ssh, web-browsing-Allow

E.

Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Question 75

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

Options:

A.

Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH

B.

Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH

C.

In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address

D.

In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

Question 76

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

Options:

A.

Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL

B.

Configure a frequency schedule to clear group mapping cache

C.

Configure a Primary Employee ID number for user-based Security policies

D.

Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389

Question 77

In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)

Options:

A.

Clone and edit the Strict profile.

B.

Use URL filtering to limit categories in which users can transfer files.

C.

Set the action to Continue.

D.

Edit the Strict profile.

Question 78

Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic

Which statement accurately describes how the firewall will apply an action to matching traffic?

Options:

A.

If it is an allowed rule, then the Security Profile action is applied last

B.

If it is a block rule then the Security policy rule action is applied last

C.

If it is an allow rule then the Security policy rule is applied last

D.

If it is a block rule then Security Profile action is applied last

Question 79

What is the correct process tor creating a custom URL category?

Options:

A.

Objects > Security Profiles > URL Category > Add

B.

Objects > Custom Objects > URL Filtering > Add

C.

Objects > Security Profiles > URL Filtering > Add

D.

Objects > Custom Objects > URL Category > Add

Question 80

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.

Options:

A.

Exploitation

B.

Installation

C.

Reconnaissance

D.

Act on Objective

Question 81

In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?

Options:

A.

Weaponization

B.

Reconnaissance

C.

Installation

D.

Command and Control

E.

Exploitation

Question 82

Based on the security policy rules shown, ssh will be allowed on which port?

Options:

A.

80

B.

53

C.

22

D.

23

Question 83

In a security policy what is the quickest way to rest all policy rule hit counters to zero?

Options:

A.

Use the CLI enter the command reset rules all

B.

Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.

C.

use the Reset Rule Hit Counter > All Rules option.

D.

Reboot the firewall.

Question 84

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Options:

A.

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

B.

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

C.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

D.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

Question 85

Which two addresses should be reserved to enable DNS sinkholing? (Choose two.)

Options:

A.

IPv6

B.

Email

C.

IPv4

D.

MAC

Question 86

Which statement best describes a common use of Policy Optimizer?

Options:

A.

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

B.

Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

C.

Policy Optimizer can display which Security policies have not been used in the last 90 days.

D.

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.

Question 87

What do you configure if you want to set up a group of objects based on their ports alone?

Options:

A.

Application groups

B.

Service groups

C.

Address groups

D.

Custom objects

Question 88

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out. Which two fields could help in determining if this is normal? (Choose two.)

Options:

A.

Packets sent/received

B.

IP Protocol

C.

Action

D.

Decrypted

Question 89

Which two statements are correct about App-ID content updates? (Choose two.)

Options:

A.

Updated application content may change how security policy rules are enforced

B.

After an application content update, new applications must be manually classified prior to use

C.

Existing security policy rules are not affected by application content updates

D.

After an application content update, new applications are automatically identified and classified

Question 90

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check the number, but doesn’t want to unblock the gambling URL category.

Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

Options:

A.

Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to allow.

B.

Manually remove powerball.com from the gambling URL category.

C.

Add *.powerball.com to the allow list

D.

Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Question 91

An administrator is configuring a NAT rule

At a minimum, which three forms of information are required? (Choose three.)

Options:

A.

name

B.

source zone

C.

destination interface

D.

destination address

E.

destination zone

Question 92

Which two configuration settings shown are not the default? (Choose two.)

Options:

A.

Enable Security Log

B.

Server Log Monitor Frequency (sec)

C.

Enable Session

D.

Enable Probing

Question 93

What must be considered with regards to content updates deployed from Panorama?

Options:

A.

Content update schedulers need to be configured separately per device group.

B.

Panorama can only install up to five content versions of the same type for potential rollback scenarios.

C.

A PAN-OS upgrade resets all scheduler configurations for content updates.

D.

Panorama can only download one content update at a time for content updates of the same type.

Question 94

What is an advantage for using application tags?

Options:

A.

They are helpful during the creation of new zones

B.

They help with the design of IP address allocations in DHCP.

C.

They help content updates automate policy updates

D.

They help with the creation of interfaces

Question 95

A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition, the configuration was not saved prior to

making the changes.

Which action will allow the administrator to undo the changes?

Options:

A.

Load configuration version, and choose the first item on the list.

B.

Load named configuration snapshot, and choose the first item on the list.

C.

Revert to last saved configuration.

D.

Revert to running configuration.

Question 96

A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT. Finance, and HR.

Which two types of traffic will the rule apply to? (Choose two)

Options:

A.

traffic between zone IT and zone Finance

B.

traffic between zone Finance and zone HR

C.

traffic within zone IT

D.

traffic within zone HR

Question 97

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

Options:

A.

Root

B.

Dynamic

C.

Role-based

D.

Superuser

Question 98

You receive notification about a new malware that infects hosts An infection results in the infected host attempting to contact a command-and-control server Which Security Profile when applied to outbound Security policy rules detects and prevents this threat from establishing a command-and-control connection?

Options:

A.

Antivirus Profile

B.

Data Filtering Profile

C.

Vulnerability Protection Profile

D.

Anti-Spyware Profile

Question 99

Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided password?

Options:

A.

exclude

B.

continue

C.

hold

D.

override

Question 100

What is a recommended consideration when deploying content updates to the firewall from Panorama?

Options:

A.

Before deploying content updates, always check content release version compatibility.

B.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

C.

Content updates for firewall A/A HA pairs need a defined master device.

D.

After deploying content updates, perform a commit and push to Panorama.

Question 101

An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are available for any known user in the organization.

What object is best suited for this configuration?

Options:

A.

Application Group

B.

Tag

C.

External Dynamic List

D.

Application Filter

Question 102

Which two features implement one-to-one translation of a source IP address while allowing the source port to change? (Choose two.)

Options:

A.

Static IP

B.

Dynamic IP / Port Fallback

C.

Dynamic IP

D.

Dynamic IP and Port (DIPP)

Question 103

Which two types of profiles are needed to create an authentication sequence? (Choose two.)

Options:

A.

Server profile

B.

Authentication profile

C.

Security profile

D.

Interface Management profile

Question 104

Which Security policy action will message a user's browser thai their web session has been terminated?

Options:

A.

Reset server

B.

Deny

C.

Drop

D.

Reset client

Question 105

An administrator would like to silently drop traffic from the internet to a ftp server.

Which Security policy action should the administrator select?

Options:

A.

Reset-server

B.

Block

C.

Deny

D.

Drop

Question 106

Files are sent to the WildFire cloud service via the WildFire Analysis Profile. How are these files used?

Options:

A.

WildFire signature updates

B.

Malware analysis

C.

Domain Generation Algorithm (DGA) learning

D.

Spyware analysis

Question 107

Which the app-ID application will you need to allow in your security policy to use facebook-chat?

Options:

A.

facebook-email

B.

facebook-base

C.

facebook

D.

facebook-chat

Question 108

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

Options:

A.

User identification

B.

Filtration protection

C.

Vulnerability protection

D.

Antivirus

E.

Application identification

F.

Anti-spyware

Page: 1 / 27
Total 364 questions