PCNSA Exam 84 Questions with Verified Answers 2023,100% CORRECT

Document Content and Description Below

PCNSA Exam 84 Questions with Verified Answers 2023 Which statement is true about a URL Filtering Profile's continue password? - There is a password per session. - There is a password per webs ... ite. - There is a single, per-firewall password. - There is a password per firewall administrator account. - CORRECT ANSWER There is a single, per-firewall password. Which three MGT port configuration settings must be configured before you can remotely access the web interface? (Choose three.) - netmask - hostname - DNS Server - IP Address - Default gateway - CORRECT ANSWER - Netmask - IP Address - Default gateway Which two statements are true about sessions on the firewall? (Choose two.) - Return traffic is allowed. - The only session information tracked in the session logs are the five tuples. - The firewall tries to match network packets to an existing session ID. - Sessions always are matched to a Security policy rule - CORRECT ANSWER - Return traffic is allowed. - The firewall tries to match network packets to an existing session ID. The network packet broker feature is supported by which four Palo Alto Networks firewall series? (Choose four.) - PA-3000 - PA-3200 - PA-5000 - PA-5200 - PA-7000 - VM-Series - CORRECT ANSWER - PA-3200 - PA-5200 - PA-7000 - VM-Series Which statement is true about firewall HTTP header insertion? - Header insertion is only applied to ingress packets. - Header insertion is only applied to egress packets. - Header insertion is configured as part of custom URL categories. - Header insertion is configured as part of a Data Filtering Profile - CORRECT ANSWER - Header insertion is only applied to egress packets. What is the maximum number of WildFire appliances that can be grouped into a WildFire appliance cluster? - 12 - 20 - 24 - 32 - CORRECT ANSWER - 20 Which user mapping method is recommended for a highly mobile user base? - GlobalProtect - Client Probing - Server Monitoring - Session Monitoring - CORRECT ANSWER - GlobalProtect Which three objects can be sent to WildFire for analysis? (Choose three.) - email attachments - MGT interface traffic - URL links found in email - known files and URL links - files traversing the firewall - CORRECT ANSWER - Email attachments - URL links found in email - files traversing the firewall Which statement describes a function provided by an Interface Management Profile? - It determines which administrators can manage which interfaces. - It determines which external services are accessible by the firewall. - It determines the NetFlow and LLDP interface management settings. - It determines which firewall services are accessible from external devices. - CORRECT ANSWER - It determines which firewall services are accessible from external devices. Which interface type does NOT require any configuration changes to adjacent network devices? - Tap - Layer 2 - Layer 3 - Virtual Wire - CORRECT ANSWER - Virtual Wire Which action in a File Blocking Security Profile results in the user being prompted to verify a file transfer? - Alert - Allow - Block - Continue - CORRECT ANSWER - Continue What is the result of performing a firewall Commit operation? - The saved configuration becomes the loaded configuration. - The candidate configuration becomes the saved configuration. - The loaded configuration becomes the candidate configuration. - The candidate configuration becomes the running configuration. - CORRECT ANSWER - The candidate configuration becomes the running configuration. What are two benefits of attaching a Decryption Profile to a Decryption policy no decrypt rule? (Choose two.) - expired certificate checking - URL category match checking - acceptable protocol checking - untrusted certificate checking - CORRECT ANSWER - expired certificate checking - untrusted certificate checking Which two separate firewall planes comprise the PANOS® architecture? (Choose two.) - control or management plane - dataplane - signature processing plane - routing plane - HA plane - CORRECT ANSWER - control or management plane - dataplane The Threat log records events from which three Security profiles? (Choose three.) - Antivirus - URL Filtering - File Blocking - Anti-Spyware - Vulnerability Protection - CORRECT ANSWER - Antivirus - Anti-Spyware - Vulnerability Protection The firewall acts as a proxy for which two types of traffic? (Choose two.) - SSH - non-SSL - SSL outbound - SSL Inbound Inspection - CORRECT ANSWER - SSH - SSL outbound SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.) - client's public key - server's private key - client's digital certificate - server's digital certificate - CORRECT ANSWER - server's private key - server's digital certificate In a Security Profile, which two actions does a firewall take when the profile's action is configured as Reset Server? (Choose two.) - The traffic responder is reset. - The client is reset. - For UDP sessions, the connection is reset. - For UDP sessions, the connection is dropped - CORRECT ANSWER - The traffic responder is reset. - For UDP sessions, the connection is dropped A Security policy rule in a destination NAT configuration should be written to match which type of address and zone? - post-NAT source and destination addresses, but the pre-NAT destination zone - post-NAT source and destination addresses, and the post-NAT destination zone - original pre-NAT source and destination addresses, and the pre-NAT destination zone - original pre-NAT source and destination addresses, but the post-NAT destination zone - CORRECT ANSWER - original pre-NAT source and destination addresses, but the post-NAT destination zone If a DNS Sinkhole is configured, any sinkhole actions that indicate a potentially infected host are recorded in which log type? - Traffic - Threat - Data Filtering - Wildfire Submissions - CORRECT ANSWER - Threat For which firewall feature should you create forward trust and forward untrust certificates? - SSH decryption - SSL Forward Proxy decryption - SSL Inbound Inspection decryption - SSL client-side certificate checking - CORRECT ANSWER - SSL Forward Proxy decryption Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate that you should take which action? - Reboot the firewall. - Validate your Security policy rules. - Download the URL seed database again. - Validate connectivity to the PAN-DB cloud. - CORRECT ANSWER - Validate connectivity to the PAN-DB cloud. Because a firewall examines every packet in a session, a firewall can detect application ________? - shifts - errors - filters - groups - CORRECT ANSWER - shifts Application block pages can be enabled for which applications? - any - web-based - non-TCP/IP - MGT port-based - CORRECT ANSWER - web-based App-ID running on a firewall identifies applications using which three methods? (Choose three.) - WildFire lookups - program heuristics - Application signatures - known protocol decoders - Data Filtering Profile - CORRECT ANSWER - program heuristics - Application signatures - known protocol decoders An Interface Management Profile can be attached to which two interface types? (Choose two.) - Tap - Layer 2 - Layer 3 - Loopback - Virtual Wire - CORRECT ANSWER - Layer 3 - Loopback In an Antivirus Security Profile, WildFire Actions enable you to configure the firewall to perform which operation? - delete packet data when a virus is suspected - download new antivirus signatures from WildFire - upload traffic to WildFire when a virus is suspected - block traffic when a WildFire virus signature is detected - CORRECT ANSWER - block traffic when a WildFire virus signature is detected A Security policy rule displayed in italic font indicates which condition? - The rule is active. - The rule is a clone. - The rule is disabled. - The rule has been overridden. - CORRECT ANSWER - The rule is disabled. Which two firewall objects can be configured to forward firewall logs to external destinations? (Choose two.) - Security zone - Network interface - Security policy rule - Application Override rule - CORRECT ANSWER - Security zone - Security policy rule To which three external destinations can the firewall forward log entries? (Choose three.) - Panorama - HTTP server - Email server - SMS server - AutoFocus - CORRECT ANSWER - Panorama - HTTP server - Email server Which two items describe configuration conditions that enable the firewall to generate Traffic log entries? (Choose two.) - Traffic must be decrypted by the firewall. - Traffic is allowed by a Security policy rule. - The matching Security policy rule must enable logging. - The matching Security policy rule must have an attached Security Profile - CORRECT ANSWER - Traffic is allowed by a Security policy rule. - The matching Security policy rule must enable logging. Which two log types require a configured Security Profile to generate log entries? (Choose two.) - Traffic - Threat - System - Data Filtering - CORRECT ANSWER - Threat - Data Filtering Which three firewall web interface tools enable you to specify a time period for the displayed application and threat data? (Choose three.) - ACC - logs - Dashboard - predefined reports - Security policy - CORRECT ANSWER - ACC - logs - predefined reports Which option describes the result of clicking an application's name in the Dashboard's Top Applications - The color of the application changes to indicate its risk factor. - The ACC tab opens with the application added as a global filter. - Nothing happens because the application name is not a web link. - The web interface displays a popup window with application usage details. - CORRECT ANSWER - The ACC tab opens with the application added as a global filter. Which user credential detection method enables the firewall to detect if a user attempts to connect to a remote website using their corporate username and password? - Use Multi-Factor Authentication - Use IP User Mapping - Use User-ID Mapping - Use Domain Credential Filter - CORRECT ANSWER - Use Domain Credential Filter When configuring an Authentication Enforcement object, which authentication method is designed to display a login page for the user to enter their username and password? - web-form - ntlm-challenge - no-captive-portal - browser-challenge - CORRECT ANSWER - web-form Which two elements of a credential-based attack are examples of credential theft? (Choose two.) - malware - brute force - keystroke logging - infiltration at the perimeter - CORRECT ANSWER - brute force - keystroke logging Which two protocols can be configured in a Certificate Profile to verify that a certificate is still valid? (Choose two.) - CRL - SCP - HTTP - OCSP - CORRECT ANSWER - CRL - OCSP Which object is optional during configuration of external firewall authentication? - Authentication policy - Authentication Profile - Authentication Sequence - SSL/TLS Service Profile - CORRECT ANSWER - Authentication Sequence Which two conditions must be met before the firewall can use a Security Profile to inspect network traffic for malicious activity? (Choose two.) - User-ID must be enabled. - Zone protection must be enabled. - Traffic must be in decrypted (clear text). - Traffic must match a Security policy rule. - CORRECT ANSWER - Traffic must be in decrypted (clear text). - Traffic must match a Security policy rule. Which is the most important traffic direction on which to configure a URL Filtering Profile? - local - internal - inbound - outbound - CORRECT ANSWER - outbound Which Security Profile type can you configure with a "continue" action so that it blocks an accidental drive-by download when a user accesses a website? - File Blocking - Data Filtering - Anti-Spyware - Vulnerability Protection - CORRECT ANSWER - File Blocking WildFire analysis is used to update which three Palo Alto Networks information sources? (Choose three.) - malicious domains - malicious IP addresses - PAN-DB URL categories - software vulnerabilities - Cortex XDR - CORRECT ANSWER - malicious domains - malicious IP addresses - PAN-DB URL categories Based on the guidance provided in the course, your Security policy rules and Security Profiles should be configured to protect network traffic flowing in which three directions? (Choose three.) - internal - inbound - loopback - backhaul - outbound - CORRECT ANSWER - internal - inbound - outbound Which Security Profile type is designed to scan network traffic for credit card numbers? - File Blocking - Anti-Spyware - Data Filtering - Vulnerability Protection - CORRECT ANSWER - Data Filtering Which two statements are true regarding how the firewall uses its master key? (Choose two.) - It is used to encrypt private keys. - It is used to encrypt file transfers to WildFire®. - It is used to encrypt file transfers from WildFire®. - It is used to encrypt local firewall account passwords. - CORRECT ANSWER - It is used to encrypt private keys. - It is used to encrypt local firewall account passwords. Which two statements are true regarding a firewall's SSH decryption configuration? (Choose two.) - The firewall behaves as an SSH proxy. - The firewall identifies all traffic as ssh or ssh-tunnel. - The configuration supports only SSH key-based logins. - The two end systems must pre-exchange certificates and public keys. - CORRECT ANSWER - The firewall behaves as an SSH proxy. - The firewall identifies all traffic as ssh or ssh-tunnel. Which two statements are true regarding SSL key pinning? (Choose two.) - It can prevent secure SSH Proxy connections. - It can prevent the use of counterfeit certificates. - It can prevent secure SSL Forward Proxy connections. - It can prevent secure SSL Inbound Inspection connections. - CORRECT ANSWER - It can prevent the use of counterfeit certificates. - It can prevent secure SSL Forward Proxy connections. Which type of Palo Alto Networks decryption configuration requires the firewall to import the SSL/TLS server's certificate? - static key pinning - SSL Forward Proxy - dynamic key pinning - SSL Inbound Inspection - CORRECT ANSWER - SSL Inbound Inspection Which action can you perform to ensure that an SSL/TLS client will trust a firewall's self-signed certificate? - Ensure that the SSL/TLS client pre-signs the self-signed certificate. - Ensure that the SSL/TLS server pre-signs the self-signed certificate. - Add the self-signed certificate to the SSL/TLS client's trusted certificate store. - Add the self-signed certificate to the SSL/TLS server's trusted certificate authority. - CORRECT ANSWER - Add the self-signed certificate to the SSL/TLS client's trusted certificate store. If you generate a Certificate Signing Request on the firewall, which entity must sign the certificate to prove that the certificate is valid? - firewall - SSL/TLS client - SSL/TLS server - certificate authority - CORRECT ANSWER - certificate authority Which three items are reasons to implement SSL/TLS for web-based applications? (Choose three.) - encrypts data for privacy - uses hashes for data integrity - uses certificates for authentication - simplifies web traffic communication - lower bandwidth consumption - CORRECT ANSWER - encrypts data for privacy - uses hashes for data integrity - uses certificates for authentication For which two items can you create custom threat signatures on the firewall? (Choose two.) - viruses - spyware - applications - vulnerabilities - CORRECT ANSWER - spyware - vulnerabilities Which statement is true regarding combination threat signatures? - They combine a threat signature with a time element. - They combine a threat signature with multiple actions. - They combine a vulnerability signature with an antivirus signature. -They combine a vulnerability signature with an application signature. - CORRECT ANSWER - They combine a threat signature with a time element. You have added an application to an Application Override policy rule. Which firewall operation is skipped when network traffic matches the rule? - identification by the App-ID Engine - file type inspection based on the File Blocking Profile - content inspection by the Content-ID Engine - data pattern inspection based on the Data Filtering Profile - CORRECT ANSWER - identification by the App-ID Engine Which two items are used by the firewall's Content-ID Engine to analyze network traffic for threats? (Choose two.) - Security Profiles - protocol decoders - custom application signatures - standard application signatures - CORRECT ANSWER - Security Profiles - protocol decoders Which three items are used by the firewall's App-ID Engine to identify the application in network traffic? (Choose three.) - protocol decoders - Application Override policy - custom application signatures - standard application signatures - source IP address - CORRECT ANSWER - protocol decoders - custom application signatures - standard application signatures Which item is the name of a packet capture stage rather than a packet capture filter? - drop - source port - ingress interface - protocol number - CORRECT ANSWER - drop Which two options describe legitimate issues to consider when capturing application traffic on the firewall? - The firewall has limited packet capture analysis tools. - Packet captures can negatively affect firewall performance. - The firewall can packet capture only pre-NAT network packets. - The firewall must be able to capture the application traffic on the MGT interface. - CORRECT ANSWER - The firewall has limited packet capture analysis tools. - Packet captures can negatively affect firewall performance. Which option is available to you only when the firewall encounters a commercial application that is unknown to App- ID? - Submit it to OPSWAT for a new signature. - Create a custom application with a signature. - Create a custom application without a signature. - Submit it to Palo Alto Networks for a new signature - CORRECT ANSWER - Submit it to Palo Alto Networks for a new signature Consider the following Applications and Threats content update scenario: Step 1: Download the content update. Step 2: Preview and review policy rules based on new, pending applications. Step 3: Install the content update. Step 4: Commit your configuration. After which step does the firewall begin enforcing new threat signatures? - 1 - 2 - 3 - 4 - CORRECT ANSWER - 3 Which tool is available in the management web interface to help you migrate from port-based policy rules to application-based policy rules? - Policy Optimizer - Validate Commit - Preview Changes - Candidate Checker - CORRECT ANSWER - Policy Optimizer Which three methods can you use to control network traffic identified by the firewall as an unknown application? (Choose three.) - Decrypt the application. - Create a custom application signature. - Create an Application Override policy rule. - Block the unknown application in the Security policy. - Modify Palo Alto Networks App-ID signatures to include the unknown application - CORRECT ANSWER - Create a custom application signature. - Create an Application Override policy rule. - Block the unknown application in the Security policy. Which application label will the firewall assign to a TCP connection when the three-way handshake completes but the handshake is not followed by data? - incomplete - unknown-tcp - not-applicable - insufficient-data - CORRECT ANSWER - incomplete Which two methods can the firewall use to identify SSLencrypted applications in network traffic? (Choose two.) - application filters - Authentication policy rules - certificate's Common Name field - SSL protocol's Server Name Indication field - CORRECT ANSWER - certificate's Common Name field - SSL protocol's Server Name Indication field Which three types of items can be added to a Security policy rule to control access to URLs? (Choose three.) - one or more specific URLs - one or more custom URLs - an External Dynamic List of URLs - one or more custom URL categories - one or more predefined URL categories - CORRECT ANSWER - an External Dynamic List of URLs - one or more custom URL categories - one or more predefined URL categories Which two firewall log types might record the hostname or IP address of the device trying to connect to a sinkhole IP address? (Choose two.) - Traffic - Threat - URL Filtering - Data Filtering - CORRECT ANSWER - Traffic - Threat Which Security Profile type would you configure to block access to known-malicious domains? - URL Filtering - Anti-Spyware - Data Filtering - Vulnerability Protection - CORRECT ANSWER - Anti-Spyware The firewall uses which protocol to access External Dynamic Lists? - FTP - SCP - TFTP - HTTP(S) - CORRECT ANSWER - HTTP(S) Which two types of IP address lists can be updated in your Security policy without requiring you to recommit your firewall's configuration? (Choose two.) - Address object - geographic region - External Dynamic List - Static Address Group object - CORRECT ANSWER - address object - geographic region Which three options describe characteristics of packet buffer protection? (Choose three.) - applied per zone - enabled or disabled per firewall - measures new connection rates - protects against multi-session DoS attacks - protects against single-session DoS attacks - CORRECT ANSWER - applied per zone - enabled or disabled per firewall - protects against single-session DoS attacks Which DoS Protection policy action must you configure to ensure that the firewall consults a DoS Protection Profile? - deny - allow - protect - continue - CORRECT ANSWER - protect Which option describes a characteristic of a Zone Protection Profile? - protects egress ports of an assigned zone - protects ingress ports of an assigned zone - protects against single-session DoS attacks - requires an aggregate DoS Protection Profile - CORRECT ANSWER - protects ingress ports of an assigned zone Which two options describe benefits of a DoS Protection policy and profile? (Choose two.) - firewall resource protection - session-based flood protection - protocol-based attack protection - pre-session reconnaissance protection - CORRECT ANSWER - firewall resource protection - session-based flood protection Which two statements are true regarding network segmentation? (Choose two.) - reduces the attack surface - depends on network VLAN capability - implementation requires at least two firewalls - often aligns with firewall security zone configuration - CORRECT ANSWER - reduces the attack surface - often aligns with firewall security zone configuration Which firewall profile protects against port scan reconnaissance activities? - Data Filtering Profile - DoS Protection Profile - URL Filtering Profile - Zone Protection Profile - CORRECT ANSWER - Zone Protection Profile Which two options describe characteristics of advanced persistent threats? (Choose two.) - use multiple attack vectors - designed for specific targets - stealth achieved by quickly exfiltrating data - stealth achieved by never using commodity threats - CORRECT ANSWER - use multiple attack vectors - designed for specific targets Which two options describe characteristics of commodity threats? (Choose two.) - can be targeted - are always low risk - are widely distributed - are not included in advanced persistent threats - CORRECT ANSWER - can be targeted - are widely distributed During which cyber-attack lifecycle stage does the attacker gain the equivalent of "hands-on keyboard" control of the target host? - delivery - exploitation - weaponization - command-and-control - CORRECT ANSWER - command-and-control During which cyber-attack lifecycle stage is the attacker working outside the target environment to prepare the attack method and malware? - delivery - exploitation - weaponization - reconnaissance - CORRECT ANSWER - weaponization GlobalProtect clientless VPN provides secure remote access to web applications that use which three technologies? (Choose three.) - Ruby - HTML - HTML5 - Python - JavaScript - CORRECT ANSWER - Ruby - HTML - JavaScript Which interface type is NOT assigned to a security zone? - HA - VLAN - Layer 3 - Virtual Wire - CORRECT ANSWER - HA In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.) - hellos - heartbeats - link groups - path groups - CORRECT ANSWER - heartbeats - path groups In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose three.) - exchanging hellos - exchanging heartbeats - synchronizing sessions - synchronizing configuration - management configuration - CORRECT ANSWER - exchanging hellos - exchanging heartbeats - synchronizing configuration [Show More]

Last updated: 2 years ago

Preview 1 out of 34 pages