PCNSA-UPDATED

Number: 000-000
Passing Score: 700
Time Limit: 120 min
File Version: 1.0

PCNSA.examcollection.premium.exam.98q

Number: PCNSA
Passing Score: 700
Time Limit: 120 min
File Version: 3.0

PCNSA

Palo Alto Networks Certified Network Security Administrator

Version 3.0

Sections
1. (none)
Exam A

QUESTION 1
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate
processor?

A. management
B. network processing
C. data
D. security processing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is
currently using an application identified by App-ID as SuperApp_base. On a content update notice, Palo Alto Networks is
adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-
base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator
approves the applications

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
How many zones can an interface be assigned with a Palo Alto Networks firewall?

A. two
B. three
C. four
D. one

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-zones/ security-zone-
overview

QUESTION 4
Which two configuration settings shown are not the default? (Choose two.)
A. Enable Security Log
B. Server Log Monitor Frequency (sec)
C. Enable Session
D. Enable Probing

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/user-identification/device- user-
identification-user-mapping/enable-server-monitoring

QUESTION 5
Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto
Networks Firewall?
A. Signature Matching
B. Network Processing
C. Security Processing
D. Data Interfaces

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which option shows the attributes that are selectable when setting up application filters?

A. Category, Subcategory, Technology, and Characteristic

B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects- application-filters

QUESTION 7
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Which two statements are correct about App-ID content updates? (Choose two.)

A. Updated application content may change how security policy rules are enforced
B. After an application content update, new applications must be manually classified prior to use
C. Existing security policy rules are not affected by application content updates
D. After an application content update, new applications are automatically identified and classified

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active
Directory?

A. Windows session monitoring via a domain controller

B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall
to allow multiple applications in a dynamic environment?

A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs
subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which statement is true regarding a Best Practice Assessment?

A. The BPA tool can be run only on firewalls

B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should
focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security
architecture

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best- practice-
security-policy/use-palo-alto-networks-assessment-and-review-tools

QUESTION 12
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the
YouTube application?

A. intrazone-default
B. Deny Google
C. allowed-security services
D. interzone-default

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A. on either the data place or the management plane.

B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-policy.html

QUESTION 14
When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port,
Dynamic, Static IP, and None?

A. Translation Type
B. Interface
C. Address Type
D. IP Address

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Which interface does not require a MAC or IP address?

A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the
company use to identify out-of-date or unused rules on the firewall?

A. Rule Usage Filter > No App Specified

B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are
helping.
What is the quickest way to reset the hit counter to zero in all the security policy rules?

A. At the CLI enter the command reset rules and press Enter
B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. Reboot the firewall
D. Use the Reset Rule Hit Counter > All Rules option

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-security/ creating-and-
managing-policies

QUESTION 19
Which two App-ID applications will need to be allowed to use facebook-chat? (Choose two.)

A. facebook
B. facebook-chat
C. facebook-base
D. facebook-email

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK

QUESTION 20
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall
management plane resources?

A. Windows-based agent deployed on the internal network

B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Your company requires positive username attribution of every IP address used by wireless devices to support a new
compliance requirement. You must collect IP to-user mappings as soon as possible with minimal downtime and minimal
configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host
attempting to contact a command-and-control (C2) server. Which two security profile components will detect and prevent this
threat after the firewall's signature database has been updated? (Choose two.)

A. vulnerability protection profile applied to outbound security policies

B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/create-best-practice-security- profiles

QUESTION 23

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

A. Delivery
B. Reconnaissance
C. Command and Control
D. Exploitation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)

Explanation

Explanation/Reference:

QUESTION 24
Identify the correct order to configure the PAN-OS integrated USER-ID agent.

1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent
2. define the address of the servers to be monitored on the firewall
3. add the service account to monitor the server(s)
4. commit the configuration, and verify agent connection status

A. 2-3-4-1
B. 1-4-3-2
C. 3-1-2-4
D. 1-2-3-4

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone. Complete the security policy to ensure
only Telnet is allowed. Security Policy: Source Zone: Internal to DMZ Zone __________services "Application defaults", and
action = Allow

A. Destination IP: 192.168.1.123/24

B. Application = "Telnet"
C. Log Forwarding
D. USER-ID = "Allow users in Trusted"

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Based on the security policy rules shown, ssh will be allowed on which port?

A. 80
B. 53
C. 22
D. 23

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

A. Threat Prevention
B. WildFire
C. Antivirus
D. URL Filtering

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/install-content-and- software-
updates.html

QUESTION 28
An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity.
Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?
A. branch office traffic
B. north-south traffic
C. perimeter traffic
D. east-west traffic

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Given the topology, which zone type should zone A and zone B to be configured with?

A. Layer3
B. Tap
C. Layer2
D. Virtual Wire

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?

A. domain controller
B. TACACS+
C. LDAP
D. RADIUS

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

A. Layer 2
B. Tap
C. Layer 3
D. Virtual Wire

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Which administrator type provides more granular options to determine what the administrator can view and modify when
creating an administrator account?

A. Root
B. Dynamic
C. Role-based
D. Superuser

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which administrator type utilizes predefined roles for a local administrator account?

A. Superuser
B. Role-based
C. Dynamic
D. Device administrator
Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/get-started-with-the-cli/give- administrators-
access-to-the-cli/administrative-privileges?PageSpeed=noscript

QUESTION 34
Which two security profile types can be attached to a security policy? (Choose two.)

A. antivirus
B. DDoS protection
C. threat
D. vulnerability

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/security-profiles

QUESTION 35
The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it
that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected
machine to begin Exfiltrating data from the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

A. Create an anti-spyware profile and enable DNS Sinkhole

B. Create an antivirus profile and enable DNS Sinkhole
C. Create a URL filtering profile and block the DNS Sinkhole category
D. Create a security policy and enable DNS Sinkhole

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-security- profiles-anti-
spyware-profile

QUESTION 36
Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

A. Active Directory monitoring

B. Windows session monitoring
C. Windows client probing
D. domain controller monitoring

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
What are three differences between security policies and security profiles? (Choose three.)

A. Security policies are attached to security profiles

B. Security profiles are attached to security policies
C. Security profiles should only be used on allowed traffic
D. Security profiles are used to block traffic by themselves
E. Security policies can block or allow traffic

Correct Answer: BCE

Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
Given the image, which two options are true about the Security policy rules. (Choose two.)

A. The Allow Office Programs rule is using an Application Filter

B. In the Allow FTP to web server rule, FTP is allowed using App-ID
C. The Allow Office Programs rule is using an Application Group
D. In the Allow Social Networking rule, allows all of Facebook's functions

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the
Outside zone?

A. global
B. intrazone
C. interzone
D. universal

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

QUESTION 40
Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic
deployed as internet gateways?

A. GlobalProtect/Prisma Access
B. AutoFocus
C. Aperture
D. Panorama

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Given the scenario, which two statements are correct regarding multiple static default routes? (Choose two.)
A. Path monitoring does not determine if route is useable
B. Route with highest metric is actively used
C. Path monitoring determines if route is useable
D. Route with lowest metric is actively used

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted
machine.

A. Exploitation
B. Installation
C. Reconnaissance
D. Act on Objective

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
Which file is used to save the running configuration with a Palo Alto Networks firewall?

A. running-config.xml
B. run-config.xml
C. running-configuration.xml
D. run-configuration.xml

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
QUESTION 44
In the example security policy shown, which two websites would be blocked? (Choose two.)

A. LinkedIn
B. Facebook
C. YouTube
D. Amazon

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Which Palo Alto Networks component provides consolidated policy creation and centralized management?

A. GlobalProtect
B. Panorama
C. Prisma SaaS
D. AutoFocus

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.paloaltonetworks.com/resources/datasheets/panorama-centralized-management- datasheet

QUESTION 46
Which statement is true regarding a Prevention Posture Assessment?

A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of
architecture, and other categories
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security
architecture
C. It provides a percentage of adoption for each assessment area
D. It performs over 200 security checks on Panorama/firewall for the assessment

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best- practice-
security-policy/use-palo-alto-networks-assessment-and-review-tools

QUESTION 47
Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats?
(Choose five.)

A. User identification
B. Filtration protection
C. Vulnerability protection
D. Antivirus
E. Application identification
F. Anti-spyware

Correct Answer: ACDEF

Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing
employees to check the number, but doesn't want to unblock the gambling URL category. Which two methods will allow the
employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category? (Choose two.)

A. Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling
category to allow.
B. Manually remove powerball.com from the gambling URL category.
C. Add *.powerball.com to the allow list
D. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning
files for sensitive information?

A. Aperture
B. AutoFocus
C. Panorama
D. GlobalProtect

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
Which administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected
host attempting to contact and command-and-control (C2) server. Which security profile components will detect and prevent
this threat after the firewall`s signature database has been updated?

A. antivirus profile applied to outbound security policies

B. data filtering profile applied to inbound security policies
C. data filtering profile applied to outbound security policies
D. vulnerability profile applied to inbound security policies

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
Which update option is not available to administrators?

A. New Spyware Notifications

B. New URLs
C. New Application Signatures
D. New Malicious Domains
E. New Antivirus Signatures

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud
environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What
configuration-changes should the Firewall-admin make?

A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone
USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP- address for SERVICE-SSH
B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP- address to any
destination IP-address for application SSH
C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port- TCP-22 should
be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-
RETURN for any source-IP-address to any destination-Ip-address
D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to
any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
How often does WildFire release dynamic updates?

A. every 5 minutes
B. every 15 minutes
C. every 60 minutes
D. every 30 minutes

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute- wildfire-updates

QUESTION 54
What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?

A. every 30 minutes
B. every 5 minutes
C. every 24 hours
D. every 1 minute

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

Reference: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/wildfire-features/five-minute- wildfire-updates

QUESTION 55
Your company has 10 Active domain controllers spread across multiple WAN links. All users authenticate to Active Directory.
Each link has substantial network bandwidth to support all mission-critical applications. Given the scenario, which type of User-
ID agent is considered a best practice by Palo Alto Networks?

A. Windows-based agent on a domain controller

B. Captive Portal
C. Citrix terminal server with adequate data-plane resources
D. PAN-OS integrated agent

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
What must be configured for the firewall to access multiple authentication profiles for external services to authenticate a non-
local account?

A. authentication sequence
B. LDAP server profile
C. authentication server list
D. authentication list profile

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/framemaker/pan-os/7-1/pan- os-admin.pdf
page 144
QUESTION 57
Which Security Profile mitigates attacks based on packet count?

A. zone protection profile

B. URL filtering profile
C. antivirus profile
D. vulnerability profile

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
Which interface type can use virtual routers and routing protocols?

A. Tap
B. Layer3
C. Virtual Wire
D. Layer2

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Which URL profiling action does not generate a log entry when a user attempts to access that URL?

A. Override
B. Allow
C. Block
D. Continue

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/url-filtering/url-filtering-concepts/url- filtering-profile-
actions

QUESTION 60
An internal host wants to connect to servers of the internet through using source NAT. Which policy is required to enable
source NAT on the firewall?

A. NAT policy with source zone and destination zone specified

B. post-NAT policy with external source and any destination address
C. NAT policy with no source of destination zone selected
D. pre-NAT policy with external source and any destination address

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
Which security profile will provide the best protection against ICMP floods, based on individual combinations of a packet`s
source and destination IP address?

A. DoS protection
B. URL filtering
C. packet buffering
D. anti-spyware

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
Which path in PAN-OS 9.0 displays the list of port-based security policy rules?

A. Policies> Security> Rule Usage> No App Specified

B. Policies> Security> Rule Usage> Port only specified
C. Policies> Security> Rule Usage> Port-based Rules
D. Policies> Security> Rule Usage> Unused Apps

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall?
(Choose two.)

A. Layer-ID
B. User-ID
C. QoS-ID
D. App-ID

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single- pass-parallel-
processing-hardware-architecture.html

QUESTION 64
Which path is used to save and load a configuration with a Palo Alto Networks firewall?

A. Device>Setup>Services
B. Device>Setup>Management
C. Device>Setup>Operations
D. Device>Setup>Interfaces

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches
new application signatures?

A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids- introduced-in-content-
releases/review-new-app-id-impact-on-existing-policy-rules

QUESTION 66
How is the hit count reset on a rule?

A. select a security policy rule, right click(Drop down list) Hit Count > Reset
B. with a dataplane reboot
C. Device > Setup > Logging and Reporting Settings > Reset Hit Count
D. in the CLI, type command reset hitcount <POLICY-NAME>

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
Given the topology, which zone type should interface E1/1 be configured with?

A. Tap
B. Tunnel
C. Virtual Wire
D. Layer3

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

A. Management
B. High Availability
C. Aggregate
D. Aggregation

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does
not match traffic that passes within the zones?

A. intrazone
B. interzone
C. universal
D. global

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice
to block the same URL then which choice would be the last to block access to the URL?

A. EDL in URL Filtering Profile

B. Custom URL category in URL Filtering Profile
C. Custom URL category in Security policy rule
D. PAN-DB URL category in URL Filtering Profile

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter- only firewall
deployment?

A. north-south
B. inbound
C. outbound
D. east-west

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
Which protocol is used to map usernames to user groups when User-ID is configured?

A. TACACS+
B. SAML
C. LDAP
D. RADIUS

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

QUESTION 73
Which definition describes the guiding principle of the zero-trust architecture?

A. trust, but verify

B. always connect and verify
C. never trust, never connect
D. never trust, always verify

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

QUESTION 74
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.
Complete the two empty fields in the Security policy rules that permits only this type of access.

Source Zone: Internal

Destination Zone: DMZ Zone

Application: _________?
Service: ____________?
Action: allow

(Choose two.)

A. Service = "application-default"
B. Service = "service-telnet"
C. Application = "Telnet"
D. Application = "any"

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
In which profile should you configure the DNS Security feature?

A. Anti-Spyware Profile
B. Zone Protection Profile
C. Antivirus Profile
D. URL Filtering Profile

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/enable- dns-
security.html

QUESTION 76
Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0? (Choose two.)

A. It is automatically enabled and configured.

B. It eliminates the need for dynamic DNS updates.
C. It functions like PAN-DB and requires activation through the app portal.
D. It removes the 100K limit for DNS entries for the downloaded DNS updates.
Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A. GlobalProtect agent
B. XML API
C. User-ID Windows-based agent
D. log forwarding auto-tagging

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate laptop.the
malware contacted a known command-and-control server, which caused the infected laptop to begin exfiltrating corporate
data.

Which security profile feature could have been used to prevent the communication with the command-and- control server?

A. Create an anti-spyware profile and enable DNS Sinkhole feature.

B. Create an antivirus profile and enable its DNS Sinkhole feature.
C. Create a URL filtering profile and block the DNS Sinkhole URL category
D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control
plane?

A. virtual router
B. Admin Role profile
C. DNS proxy
D. service route

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation
Explanation/Reference:
Reference: https://weberblog.net/palo-alto-dns-proxy-for-management-services/

QUESTION 80
Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?

A. Prisma SaaS
B. GlobalProtect
C. AutoFocus
D. Panorama

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://www.paloaltonetworks.com/resources/whitepapers/protecting-the-extended-perimeter-with- globalprotect-
cloud-service-full

QUESTION 81
For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?

A. TACACS+
B. RADIUS
C. LDAP
D. SAML

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-an- authentication-profile-
and-sequence

QUESTION 82
Which operations are allowed when working with App-ID application tags?

A. Predefined tags may be deleted.

B. Predefined tags may be augmented by custom tags.
C. Predefined tags may be modified.
D. Predefined tags may be updated by WildFire dynamic updates.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network.
The firewall's management plane is only slightly utilized.

Which User-ID agent is sufficient in your network?

A. Windows-based agent deployed on each domain controller

B. PAN-OS integrated agent deployed on the firewall
C. Citrix terminal server agent deployed on the network
D. Windows-based agent deployed on the internal network a domain member

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/

configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user- mapping.html

QUESTION 84
Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set
of firewall permissions?

A. Role-based
B. Multi-Factor Authentication
C. Dynamic
D. SAML

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage- firewall-
administrators/administrative-role-types.html

QUESTION 85
Which statement is true regarding a Heatmap report?

A. When guided by authorized sales engineer, it helps determine the areas of greatest security risk
B. It runs only on firewalls.
C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security
architecture.
D. It provides a percentage of adoption for each assessment area.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best-practice-assessment- bpa-tool-for-
ngfw-and-panorama/ba-p/248343

QUESTION 86
Based on the screenshot presented, which column contains the link that when clicked, opens a window to display all
applications matched to the policy rule?
A. Apps Allowed
B. Service
C. Name
D. Apps Seen

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
Access to which feature requires the PAN-OS Filtering license?

A. PAN-DB database
B. DNS Security
C. Custom URL categories
D. URL external dynamic lists

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/activate-licenses-and-
subscriptions.html

QUESTION 88
Based on the screenshot, what is the purpose of the Included Groups?

A. They are groups that are imported from RADIUS authentication servers.
B. They are the only groups visible based on the firewall's credentials.
C. They contain only the users you allow to manage the firewall.
D. They are used to map users to groups.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

QUESTION 89
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

A. The User-ID agent is connected to a domain controller labeled lab-client.

B. The host lab-client has been found by the User-ID agent.
C. The host lab-client has been found by a domain controller.
D. The User-ID agent is connected to the firewall labeled lab-client.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
Which action results in the firewall blocking network traffic without notifying the sender?

A. Drop
B. Deny
C. Reset Server
D. Reset Client

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
What do Dynamic User Groups help you to do?

A. create a policy that provides auto-remediation for anomalous user behavior and malicious activity
B. create a dynamic list of firewall administrators
C. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity
D. create a policy that provides auto-sizing for anomalous user behavior and malicious activity

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user- groups

QUESTION 92
Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match
traffic that flows within the zones?

A. global
B. intrazone
C. interzone
D. universal

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
You notice that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the
image shown, which traffic would you need to monitor and block to mitigate the malicious activity?
A. branch office traffic
B. north-south traffic
C. perimeter traffic
D. east-west traffic

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 94
Match the Palo Alto Networks Security Operating Platform architecture to its description.

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
Match the Cyber-Attack Lifecycle stage to its correct description.

Select and Place:

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 96
Order the steps needed to create a new security zone with a Palo Alto Networks firewall.

Select and Place:

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
Arrange the correct order that the URL classifications are processed within the system.

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
Match the network device with the correct User-ID technology.

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference: