
Paloalto Networks PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Exam Practice Test

Page: 1 / 36
Total 364 questions

Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Question 1

Which path in PAN-OS 10.0 displays the list of port-based security policy rules?

Options:

A.

Policies > Security > Rule Usage > No App Specified

B.

Policies > Security > Rule Usage > Port only specified

C.

Policies > Security > Rule Usage > Port-based Rules

D.

Policies > Security > Rule Usage > Unused Apps

Question 2

Starting with PAN-OS version 9.1, which new type of object is supported for use within the user field of a security policy rule?

Options:

A.

local username

B.

dynamic user group

C.

remote username

D.

static user group

Question 3

An administrator needs to allow users to use only certain email applications.

How should the administrator configure the firewall to restrict users to specific email applications?

Options:

A.

Create an application filter and filter it on the collaboration category, email subcategory.

B.

Create an application group and add the email applications to it.

C.

Create an application filter and filter it on the collaboration category.

D.

Create an application group and add the email category to it.

Question 4

Given the topology, which zone type should you configure for firewall interface E1/1?

Options:

A.

Tap

B.

Tunnel

C.

Virtual Wire

D.

Layer3

Question 5

Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?

Options:

A.

reconnaissance

B.

delivery

C.

exploitation

D.

installation

Question 6

Which administrative management services can be configured to access a management interface?

Options:

A.

HTTP, CLI, SNMP, HTTPS

B.

HTTPS, SSH, telnet, SNMP

C.

SSH, telnet, HTTP, HTTPS

D.

HTTPS, HTTP, CLI, API

Question 7

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

Options:

A.

Data redistribution

B.

Dynamic updates

C.

SNMP setup

D.

Service route

Question 8

Within a WildFire Analysis Profile, what match criteria can be defined to forward samples for analysis?

Options:

A.

Application Category

B.

Source

C.

File Size

D.

Direction

Question 9

What is the purpose of the automated commit recovery feature?

Options:

A.

It reverts the Panorama configuration.

B.

It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.

C.

It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.

D.

It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

Question 10

Which Security policy set should be used to ensure that a policy is applied first?

Options:

A.

Child device-group pre-rulebase

B.

Shared pre-rulebase

C.

Parent device-group pre-rulebase

D.

Local firewall policy

Question 11

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.

What is the correct process to enable this logging?

Options:

A.

Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.

B.

Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.

C.

This rule has traffic logging enabled by default; no further action is required.

D.

Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.

Question 12

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

Options:

A.

Untrust (Any) to DMZ (1.1.1.100), ssh - Allow

B.

Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow

C.

Untrust (Any) to Untrust (10.1.1.1), ssh - Allow

D.

Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow

E.

Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Question 13

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

Options:

A.

Layer-ID

B.

User-ID

C.

QoS-ID

D.

App-ID

Question 14

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.

On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.

Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

Options:

A.

All traffic matching SuperApp_chat and SuperApp_download is denied because it no longer matches the SuperApp_base application

B.

No impact because the apps were automatically downloaded and installed

C.

No impact because the firewall automatically adds the rules to the App-ID interface

D.

All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

Question 15

An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile. If a virus gets detected, how will the firewall handle the traffic?

Options:

A.

It allows the traffic because the profile was not set to explicitly deny the traffic.

B.

It drops the traffic because the profile was not set to explicitly allow the traffic.

C.

It uses the default action assigned to the virus signature.

D.

It allows the traffic but generates an entry in the Threat logs.

Question 16

Which option lists the attributes that are selectable when setting up an Application filter?

Options:

A.

Category, Subcategory, Technology, and Characteristic

B.

Category, Subcategory, Technology, Risk, and Characteristic

C.

Name, Category, Technology, Risk, and Characteristic

D.

Category, Subcategory, Risk, Standard Ports, and Technology

Question 17

Based on the network diagram provided, which two statements apply to traffic between the User and Server networks? (Choose two.)

Options:

A.

Traffic is permitted through the default intrazone "allow" rule.

B.

Traffic restrictions are possible by modifying intrazone rules.

C.

Traffic restrictions are not possible, because the networks are in the same zone.

D.

Traffic is permitted through the default interzone "allow" rule.

Question 18

Which three filter columns are available when setting up an Application Filter? (Choose three.)

Options:

A.

Parent App

B.

Category

C.

Risk

D.

Standard Ports

E.

Subcategory

Question 19

How does the Policy Optimizer policy view differ from the Security policy view?

Options:

A.

It shows rules that are missing Security profile configurations.

B.

It indicates rules with App-ID that are not configured as port-based.

C.

It shows rules with the same Source Zones and Destination Zones.

D.

It indicates that a broader rule matching the criteria is configured above a more specific rule.

Question 20

Where in Panorama would Zone Protection profiles be configured?

Options:

A.

Shared

B.

Templates

C.

Device Groups

D.

Panorama tab

Question 21

Which two Palo Alto Networks security management tools provide consolidated creation of policies, centralized management, and centralized threat intelligence? (Choose two.)

Options:

A.

GlobalProtect

B.

Panorama

C.

Aperture

D.

AutoFocus

Question 22

Which Security policy action will message a user's browser that their web session has been terminated?

Options:

A.

Reset server

B.

Deny

C.

Drop

D.

Reset client

Question 23

Access to which feature requires the PAN-OS Filtering license?

Options:

A.

PAN-DB database

B.

DNS Security

C.

Custom URL categories

D.

URL external dynamic lists

Question 24

Within an Anti-Spyware security profile, which tab is used to enable machine learning based engines?

Options:

A.

Inline Cloud Analysis

B.

Signature Exceptions

C.

Machine Learning Policies

D.

Signature Policies

Question 25

Which three Ethernet interface types are configurable on the Palo Alto Networks firewall? (Choose three.)

Options:

A.

Virtual Wire

B.

Tap

C.

Dynamic

D.

Layer 3

E.

Static

Question 26

What action will inform end users when their access to Internet content is being restricted?

Options:

A.

Create a custom 'URL Category' object with notifications enabled.

B.

Publish monitoring data for Security policy deny logs.

C.

Ensure that the 'site access' setting for all URL sites is set to 'alert'.

D.

Enable 'Response Pages' on the interface providing Internet access.

Question 27

Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

Options:

A.

save named configuration snapshot

B.

export device state

C.

export named configuration snapshot

D.

save candidate config

Question 28

Where in the PAN-OS GUI can an administrator monitor the rule usage for a specified period of time?

Options:

A.

Objects > Schedules

B.

Policies > Policy Optimizer

C.

Monitor > Packet Capture

D.

Monitor > Reports

Question 29

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH, web-browsing, and SSL applications.

Which policy achieves the desired results?

A)

B)

C)

D)

Options:

A.

Option

B.

Option

C.

Option

D.

Option

Question 30

The CFO found a USB drive in the parking lot and decided to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin exfiltrating data from the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

Options:

A.

Create an anti-spyware profile and enable DNS Sinkhole

B.

Create an antivirus profile and enable DNS Sinkhole

C.

Create a URL filtering profile and block the DNS Sinkhole category

D.

Create a security policy and enable DNS Sinkhole

Question 31

At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?

Options:

A.

after clicking Check New in the Dynamic Update window

B.

after connecting the firewall configuration

C.

after downloading the update

D.

after installing the update

Question 32

In which two Security Profiles can an action equal to the block IP feature be configured? (Choose two.)

Options:

A.

URL Filtering

B.

Vulnerability Protection

C.

Antivirus

D.

Anti-spyware

Question 33

An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are available for any known user in the organization.

What object is best suited for this configuration?

Options:

A.

Application Group

B.

Tag

C.

External Dynamic List

D.

Application Filter

Question 34

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit 42 research, and data gathered from telemetry?

Options:

A.

Palo Alto Networks C&C IP Addresses

B.

Palo Alto Networks Bulletproof IP Addresses

C.

Palo Alto Networks High-Risk IP Addresses

D.

Palo Alto Networks Known Malicious IP Addresses

Question 35

An internal host wants to connect to servers on the internet using source NAT.

Which policy is required to enable source NAT on the firewall?

Options:

A.

NAT policy with source zone and destination zone specified

B.

post-NAT policy with external source and any destination address

C.

NAT policy with no source or destination zone selected

D.

pre-NAT policy with external source and any destination address

Question 36

Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?

Options:

A.

Objects > Dynamic Updates > Review App-IDs

B.

Device > Dynamic Updates > Review Policies

C.

Device > Dynamic Updates > Review App-IDs

D.

Objects > Dynamic Updates > Review Policies

Question 37

Which Security profile must be added to Security policies to enable DNS Signatures to be checked?

Options:

A.

Anti-Spyware

B.

Antivirus

C.

Vulnerability Protection

D.

URL Filtering

Question 38

Which two rule types allow the administrator to modify the destination zone? (Choose two.)

Options:

A.

interzone

B.

intrazone

C.

universal

D.

shadowed

Question 39

Based on the screenshot presented, which column contains the link that, when clicked, opens a window to display all applications matched to the policy rule?

Options:

A.

Apps Allowed

B.

Name

C.

Apps Seen

D.

Service

Question 40

How is the hit count reset on a rule?

Options:

A.

select a security policy rule, right click Hit Count > Reset

B.

with a dataplane reboot

C.

Device > Setup > Logging and Reporting Settings > Reset Hit Count

D.

in the CLI, type command reset hitcount

Question 41

Which two statements are correct about App-ID content updates? (Choose two.)

Options:

A.

Updated application content may change how security policy rules are enforced

B.

After an application content update, new applications must be manually classified prior to use

C.

Existing security policy rules are not affected by application content updates

D.

After an application content update, new applications are automatically identified and classified

Question 42

Which two settings allow you to restrict access to the management interface? (Choose two.)

Options:

A.

enabling the Content-ID filter

B.

administrative management services

C.

restricting HTTP and telnet using App-ID

D.

permitted IP addresses

Question 43

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?

Options:

A.

destination address

B.

source address

C.

destination zone

D.

source zone

Question 44

When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)

Options:

A.

password profile

B.

access domain

C.

admin role

D.

server profile

Question 45

Which setting is available to edit when a tag is created on the local firewall?

Options:

A.

Location

B.

Color

C.

Order

D.

Priority

Question 46

Match the Cyber-Attack Lifecycle stage to its correct description.

Options:

Question 47

Place the steps in the correct packet-processing order of operations.

Options:

Question 48

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

Options:

A.

The web session was unsuccessfully decrypted.

B.

The traffic was denied by security profile.

C.

The traffic was denied by URL filtering.

D.

The web session was decrypted.

Question 49

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

Options:

A.

on either the data plane or the management plane.

B.

after it is matched by a security policy rule that allows traffic.

C.

before it is matched to a Security policy rule.

D.

after it is matched by a security policy rule that allows or blocks traffic.

Question 50

What must first be created on the firewall for SAML authentication to be configured?

Options:

A.

Server Policy

B.

Server Profile

C.

Server Location

D.

Server Group

Question 51

When is an event displayed under threat logs?

Options:

A.

When traffic matches a corresponding Security Profile

B.

When traffic matches any Security policy

C.

Every time a session is blocked

D.

Every time the firewall drops a connection

Question 52

Which link in the web interface enables a security administrator to view the security policy rules that match new application signatures?

Options:

A.

Review Apps

B.

Review App Matches

C.

Pre-analyze

D.

Review Policies

Question 53

How do you reset the hit count on a security policy rule?

Options:

A.

First disable and then re-enable the rule.

B.

Reboot the data-plane.

C.

Select a Security policy rule, and then select Hit Count > Reset.

D.

Type the CLI command reset hitcount.

Question 54

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

Options:

A.

Panorama > Device Deployment > Dynamic Updates > Schedules > Add

B.

Panorama > Device Deployment > Content Updates > Schedules > Add

C.

Panorama > Dynamic Updates > Device Deployment > Schedules > Add

D.

Panorama > Content Updates > Device Deployment > Schedules > Add

Question 55

What is an advantage of using application tags?

Options:

A.

They are helpful during the creation of new zones

B.

They help with the design of IP address allocations in DHCP.

C.

They help content updates automate policy updates

D.

They help with the creation of interfaces

Question 56

Which Palo Alto Networks security operating platform component provides consolidated policy creation and centralized management?

Options:

A.

Prisma SaaS

B.

Panorama

C.

AutoFocus

D.

GlobalProtect

Question 57

View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?

A)

B)

C)

D)

Options:

A.

Option

B.

Option

C.

Option

D.

Option

Question 58

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

Options:

A.

tag

B.

wildcard mask

C.

IP address

D.

subnet mask

Question 59

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule. What is the best way to do this?

Options:

A.

Create a Security policy rule to allow the traffic.

B.

Create a new NAT rule with the correct parameters and leave the translation type as None

C.

Create a static NAT rule with an application override.

D.

Create a static NAT rule translating to the destination interface.

Question 60

What do you configure if you want to set up a group of objects based on their ports alone?

Options:

A.

Application groups

B.

Service groups

C.

Address groups

D.

Custom objects

Question 61

During the packet flow process, which two processes are performed in application identification? (Choose two.)

Options:

A.

pattern based application identification

B.

application override policy match

C.

session application identified

D.

application changed from content inspection

Question 62

You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application.

Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

Options:

A.

Data Filtering Profile applied to outbound Security policy rules

B.

Antivirus Profile applied to outbound Security policy rules

C.

Data Filtering Profile applied to inbound Security policy rules

D.

Vulnerability Profile applied to inbound Security policy rules

Question 63

Which component is a building block in a Security policy rule?

Options:

A.

decryption profile

B.

destination interface

C.

timeout (min)

D.

application

Question 64

What are three ways application characteristics are used? (Choose three.)

Options:

A.

As an attribute to define an application group

B.

As a setting to define a new custom application

C.

As an Object to define Security policies

D.

As an attribute to define an application filter

E.

As a global filter in the Application Command Center (ACC)

Question 65

An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.

Which Security profile should be used?

Options:

A.

Antivirus

B.

URL filtering

C.

Anti-spyware

D.

Vulnerability protection

Question 66

Arrange the correct order that the URL classifications are processed within the system.

Options:

Question 67

Which type of DNS signatures are used by the firewall to identify malicious and command-and-control domains?

Options:

A.

DNS Malicious signatures

B.

DNS Malware signatures

C.

DNS Block signatures

D.

DNS Security signatures

Question 68

Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?

Options:

A.

It defines the SSL/TLS encryption strength used to protect the management interface.

B.

It defines the CA certificate used to verify the client's browser.

C.

It defines the certificate to send to the client's browser from the management interface.

D.

It defines the firewall's global SSL/TLS timeout values.

Question 69

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection?

Options:

A.

Antivirus Profile

B.

Data Filtering Profile

C.

Vulnerability Protection Profile

D.

Anti-Spyware Profile

Question 70

Which two DNS policy actions in the anti-spyware security profile can prevent hacking attacks through DNS queries to malicious domains? (Choose two.)

Options:

A.

Deny

B.

Sinkhole

C.

Override

D.

Block

Question 71

Which Security policy action will message a user's browser that their web session has been terminated?

Options:

A.

Drop

B.

Deny

C.

Reset client

D.

Reset server

Question 72

An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address. What is the most appropriate NAT policy to achieve this?

Options:

A.

Dynamic IP and Port

B.

Dynamic IP

C.

Static IP

D.

Destination

Question 73

You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

Options:

A.

URL Filtering profile applied to inbound Security policy rules.

B.

Data Filtering profile applied to outbound Security policy rules.

C.

Antivirus profile applied to inbound Security policy rules.

D.

Vulnerability Protection profile applied to outbound Security policy rules.

Question 74

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)

Options:

A.

TACACS

B.

SAML2

C.

SAML10

D.

Kerberos

E.

TACACS+

Question 75

Which two configuration settings shown are not the default? (Choose two.)

Options:

A.

Enable Security Log

B.

Server Log Monitor Frequency (sec)

C.

Enable Session

D.

Enable Probing

Question 76

Which plane on a Palo Alto Networks firewall provides configuration, logging, and reporting functions on a separate processor?

Options:

A.

data

B.

network processing

C.

management

D.

security processing

Question 77

What are three valid source or destination conditions available as Security policy qualifiers? (Choose three.)

Options:

A.

Service

B.

User

C.

Application

D.

Address

E.

Zone

Question 78

An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list. What is the maximum number of entries that they can exclude?

Options:

A.

50

B.

100

C.

200

D.

1,000

Question 79

Which URL profiling action does not generate a log entry when a user attempts to access that URL?

Options:

A.

Override

B.

Allow

C.

Block

D.

Continue

Question 80

What must be configured before setting up Credential Phishing Prevention?

Options:

A.

Anti Phishing Block Page

B.

Threat Prevention

C.

Anti Phishing profiles

D.

User-ID

Question 81

What can be achieved by disabling the Share Unused Address and Service Objects with Devices setting on Panorama?

Options:

A.

Increase the backup capacity for configuration backups per firewall

B.

Increase the per-firewall capacity for address and service objects

C.

Reduce the configuration and session synchronization time between HA pairs

D.

Reduce the number of objects pushed to a firewall

Question 82

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

Options:

A.

block

B.

sinkhole

C.

alert

D.

allow

Question 83

Which three types of Source NAT are available to users inside a NGFW? (Choose three.)

Options:

A.

Dynamic IP and Port (DIPP)

B.

Static IP

C.

Static Port

D.

Dynamic IP

E.

Static IP and Port (SIPP)

Question 84

Which type of address object is "10.5.1.1/0.127.248.2"?

Options:

A.

IP subnet

B.

IP wildcard mask

C.

IP netmask

D.

IP range

Question 85

Recently, changes were made to the firewall to optimize the policies, and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

Options:

A.

At the CLI enter the command reset rules and press Enter

B.

Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

C.

Reboot the firewall

D.

Use the Reset Rule Hit Counter > All Rules option

Question 86

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)

Options:

A.

SAML

B.

TACACS+

C.

LDAP

D.

Kerberos

Question 87

Which App-ID application will you need to allow in your security policy to use facebook-chat?

Options:

A.

facebook-email

B.

facebook-base

C.

facebook

D.

facebook-chat

Question 88

The compliance officer requests that all evasive applications be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:

1. trust for internal networks

2. untrust to the internet

Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)

Options:

A.

Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic

B.

Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application

C.

Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application

D.

Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

Question 89

In the PAN-OS web interface, which session distribution method is offered under the NAT Translated Packet tab to choose how the firewall assigns sessions?

Options:

A.

Destination IP Hash

B.

Concurrent Sessions

C.

Max Sessions

D.

IP Modulo

Question 90

An administrator wants to prevent access to media content websites that are risky.

Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

Options:

A.

streaming-media

B.

high-risk

C.

recreation-and-hobbies

D.

known-risk

Question 91

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

Options:

A.

GlobalProtect agent

B.

XML API

C.

User-ID Windows-based agent

D.

log forwarding auto-tagging

Question 92

Which path is used to save and load a configuration with a Palo Alto Networks firewall?

Options:

A.

Device > Setup > Services

B.

Device > Setup > Management

C.

Device > Setup > Operations

D.

Device > Setup > Interfaces

Question 93

An administrator would like to silently drop traffic from the internet to an FTP server.

Which Security policy action should the administrator select?

Options:

A.

Reset-server

B.

Block

C.

Deny

D.

Drop

Question 94

How many zones can an interface be assigned with a Palo Alto Networks firewall?

Options:

A.

two

B.

three

C.

four

D.

one

Question 95

How are Application Filters or Application Groups used in firewall policy?

Options:

A.

An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group

B.

An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group

C.

An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group

D.

An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group

Question 96

What can be used as match criteria for creating a dynamic address group?

Options:

A.

Usernames

B.

IP addresses

C.

Tags

D.

MAC addresses

Question 97

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication Sequence SYS01," and the authentication sequence SYS01 has a profile list with four authentication profiles:

• Auth Profile LDAP

• Auth Profile Radius

• Auth Profile Local

• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "SYS01 Admin" username and password.

What is the "SYS01 Admin" login capability after the outage?

Options:

A.

Auth KO because RADIUS server lost user and password for SYS01 Admin

B.

Auth KO because LDAP server is not reachable

C.

Auth OK because of the Auth Profile Local

D.

Auth OK because of the Auth Profile TACACS

Question 98

Which order of steps is the correct way to create a static route?

Options:

A.

1) Enter the route and netmask

2) Enter the IP address for the specific next hop

3) Specify the outgoing interface for packets to use to go to the next hop

4) Add an IPv4 or IPv6 route by name

B.

1) Enter the route and netmask

2) Specify the outgoing interface for packets to use to go to the next hop

3) Enter the IP address for the specific next hop

4) Add an IPv4 or IPv6 route by name

C.

1) Enter the IP address for the specific next hop

2) Enter the route and netmask

3) Add an IPv4 or IPv6 route by name

4) Specify the outgoing interface for packets to use to go to the next hop

D.

1) Enter the IP address for the specific next hop

2) Add an IPv4 or IPv6 route by name

3) Enter the route and netmask

4) Specify the outgoing interface for packets to use to go to the next hop

Question 99

Which dynamic update type includes updated anti-spyware signatures?

Options:

A.

Applications and Threats

B.

GlobalProtect Data File

C.

Antivirus

D.

PAN-DB

Question 100

A network administrator creates an intrazone security policy rule on a NGFW. The source zones are set to IT, Finance, and HR.

To which two types of traffic will the rule apply? (Choose two.)

Options:

A.

Within zone HR

B.

Within zone IT

C.

Between zone IT and zone HR

D.

Between zone IT and zone Finance

Question 101

How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?

Options:

A.

Select the unified log entry in the side menu.

B.

Modify the number of columns visible on the page

C.

Modify the number of logs visible on each page.

D.

Select the system logs entry in the side menu.

Question 102

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?

Options:

A.

every 5 minutes

B.

every 1 minute

C.

every 24 hours

D.

every 30 minutes

Question 103

Which option is part of the content inspection process?

Options:

A.

IPsec tunnel encryption

B.

Packet egress process

C.

SSL Proxy re-encrypt

D.

Packet forwarding process

Question 104

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

Options:

A.

HIP profile

B.

Application group

C.

URL category

D.

Application filter

Question 105

Place the following steps in the packet processing order of operations from first to last.

Options:

Question 106

Match each feature to the DoS Protection Policy or the DoS Protection Profile.

Options:

Question 107

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

Options:

A.

Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL

B.

Configure a frequency schedule to clear group mapping cache

C.

Configure a Primary Employee ID number for user-based Security policies

D.

Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389

Question 108

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP-to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers.

Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

Options:

A.

syslog

B.

RADIUS

C.

UID redistribution

D.

XFF headers
