New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Ace Your PCNSA Network Security Administrator Exam

Page: 19 / 27
Total 364 questions

Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Question 73

What is a recommended consideration when deploying content updates to the firewall from Panorama?

Options:

A.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

B.

Content updates for firewall A/A HA pairs need a defined master device.

C.

Before deploying content updates, always check content release version compatibility.

D.

After deploying content updates, perform a commit and push to Panorama.

Question 74

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

Options:

A.

Untrust (Any) to DMZ (1.1.1.100), ssh - Allow

B.

Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow

C.

Untrust (Any) to Untrust (10.1.1.1), ssh -Allow

D.

Untrust (Any)to DMZ (10.1.1.100. 10.1.1.101), ssh, web-browsing-Allow

E.

Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Question 75

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

Options:

A.

Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH

B.

Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH

C.

In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-Ip-address

D.

In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

Question 76

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

Options:

A.

Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL

B.

Configure a frequency schedule to clear group mapping cache

C.

Configure a Primary Employee ID number for user-based Security policies

D.

Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389

Page: 19 / 27
Total 364 questions