Year End Sale - Special Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 44314956B5

Good News !!! PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) is now Stable and Pass

PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Question and Answers

Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)

Last Update 13 hours ago
Total Questions : 247

PCNSA Exam is stable now with all latest questions are added 13 hours ago. Just download our Full package and start your journey with Paloalto Networks Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) certification. All these Paloalto Networks Exam PCNSA questions are real and verified by our Experts in the related industry fields.

PCNSA PDF

PCNSA PDF (Printable)
$54
$119.99

PCNSA Testing Engine

PCNSA PDF (Printable)
$63
$139.99

PCNSA PDF + Testing Engine

PCNSA PDF (Printable)
$79.65
$176.99
Question # 1

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?

Options:

A.  

Palo Alto Networks Bulletproof IP Addresses

B.  

Palo Alto Networks C&C IP Addresses

C.  

Palo Alto Networks Known Malicious IP Addresses

D.  

Palo Alto Networks High-Risk IP Addresses

Discussion 0
Question # 2

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.

What should the administrator do?

Options:

A.  

change the logging action on the rule

B.  

review the System Log

C.  

refresh the Traffic Log

D.  

tune your Traffic Log filter to include the dates

Discussion 0
Question # 3

Based on the show security policy rule would match all FTP traffic from the inside zone to the outside zone?

Question # 3

Options:

A.  

internal-inside-dmz

B.  

engress outside

C.  

inside-portal

D.  

intercone-default

Discussion 0
Question # 4

Which component is a building block in a Security policy rule?

Options:

A.  

decryption profile

B.  

destination interface

C.  

timeout (min)

D.  

application

Discussion 0
Question # 5

After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration.

Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

Options:

A.  

Import named config snapshot

B.  

Load named configuration snapshot

C.  

Revert to running configuration

D.  

Revert to last saved configuration

Discussion 0
Question # 6

Which three types of authentication services can be used to authenticate user traffic flowing through the firewalls data plane? (Choose three )

Options:

A.  

TACACS

B.  

SAML2

C.  

SAML10

D.  

Kerberos

E.  

TACACS+

Discussion 0
Question # 7

Which protocol used to map username to user groups when user-ID is configured?

Options:

A.  

SAML

B.  

RADIUS

C.  

TACACS+

D.  

LDAP

Discussion 0
Question # 8

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

Options:

A.  

Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL

B.  

Configure a frequency schedule to clear group mapping cache

C.  

Configure a Primary Employee ID number for user-based Security policies

D.  

Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389

Discussion 0
Question # 9

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone. Complete the two empty fields in the Security Policy rules that permits only this type of access.

Question # 9

Choose two.

Options:

A.  

Service = "any"

B.  

Application = "Telnet"

C.  

Service - "application-default"

D.  

Application = "any"

Discussion 0
Question # 10

What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

Options:

A.  

Implement a threat intel program.

B.  

Configure a URL Filtering profile.

C.  

Train your staff to be security aware.

D.  

Rely on a DNS resolver.

E.  

Plan for mobile-employee risk

Discussion 0
Question # 11

Which object would an administrator create to block access to all high-risk applications?

Options:

A.  

HIP profile

B.  

application filter

C.  

application group

D.  

Vulnerability Protection profile

Discussion 0
Question # 12

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule. What is the best way to do this?

Options:

A.  

Create a Security policy rule to allow the traffic.

B.  

Create a new NAT rule with the correct parameters and leave the translation type as None

C.  

Create a static NAT rule with an application override.

D.  

Create a static NAT rule translating to the destination interface.

Discussion 0
Question # 13

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

Options:

A.  

Active Directory monitoring

B.  

Windows session monitoring

C.  

Windows client probing

D.  

domain controller monitoring

Discussion 0
Question # 14

An administrator wishes to follow best practices for logging traffic that traverses the firewall

Which log setting is correct?

Options:

A.  

Disable all logging

B.  

Enable Log at Session End

C.  

Enable Log at Session Start

D.  

Enable Log at both Session Start and End

Discussion 0
Question # 15

View the diagram.

Question # 15

What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into both the DMZ and Untrust/lnternet zones from each of the lOT/Guest and Trust Zones?

A)

Question # 15

B)

Question # 15

C)

Question # 15

D)

Question # 15

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Discussion 0
Question # 16

An administrator would like to determine the default deny action for the application dns-over-https

Which action would yield the information?

Options:

A.  

View the application details in beacon paloaltonetworks.com

B.  

Check the action for the Security policy matching that traffic

C.  

Check the action for the decoder in the antivirus profile

D.  

View the application details in Objects > Applications

Discussion 0
Question # 17

An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

Options:

A.  

Security policy rule

B.  

ACC global filter

C.  

external dynamic list

D.  

NAT address pool

Discussion 0
Question # 18

What are the requirements for using Palo Alto Networks EDL Hosting Sen/ice?

Options:

A.  

any supported Palo Alto Networks firewall or Prisma Access firewall

B.  

an additional subscription free of charge

C.  

a firewall device running with a minimum version of PAN-OS 10.1

D.  

an additional paid subscription

Discussion 0
Question # 19

Which Palo Alto networks security operating platform service protects cloud-based application such as Dropbox and salesforce by monitoring permissions and shared and scanning files for Sensitive information?

Options:

A.  

Prisma SaaS

B.  

AutoFocus

C.  

Panorama

D.  

GlobalProtect

Discussion 0
Question # 20

During the packet flow process, which two processes are performed in application identification? (Choose two.)

Options:

A.  

pattern based application identification

B.  

application override policy match

C.  

session application identified

D.  

application changed from content inspection

Discussion 0
Question # 21

Which URL profiling action does not generate a log entry when a user attempts to access that URL?

Options:

A.  

Override

B.  

Allow

C.  

Block

D.  

Continue

Discussion 0
Question # 22

Which statement is true regarding a Prevention Posture Assessment?

Options:

A.  

The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories

B.  

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C.  

It provides a percentage of adoption for each assessment area

D.  

It performs over 200 security checks on Panorama/firewall for the assessment

Discussion 0
Question # 23

Which two features can be used to tag a user name so that it is included in a dynamic user group? (Choose two)

Options:

A.  

XML API

B.  

log forwarding auto-tagging

C.  

GlobalProtect agent

D.  

User-ID Windows-based agent

Discussion 0
Question # 24

Which Security profile can you apply to protect against malware such as worms and Trojans?

Options:

A.  

data filtering

B.  

antivirus

C.  

vulnerability protection

D.  

anti-spyware

Discussion 0
Question # 25

Given the cyber-attack lifecycle diagram identify the stage in which the attacker can run malicious code against a vulnerability in a targeted machine.

Question # 25

Options:

A.  

Exploitation

B.  

Installation

C.  

Reconnaissance

D.  

Act on the Objective

Discussion 0
Question # 26

Match each rule type with its example

Question # 26

Options:

Discussion 0
Question # 27

You need to allow users to access the office–suite application of their choice. How should you configure the firewall to allow access to any office-suite application?

Options:

A.  

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

B.  

Create an Application Group and add business-systems to it.

C.  

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

D.  

Create an Application Filter and name it Office Programs then filter on the business-systems category.

Discussion 0
Question # 28

When creating a custom URL category object, which is a valid type?

Options:

A.  

domain match

B.  

host names

C.  

wildcard

D.  

category match

Discussion 0
Question # 29

An administrator is reviewing another administrator s Security policy log settings

Which log setting configuration is consistent with best practices tor normal traffic?

Options:

A.  

Log at Session Start and Log at Session End both enabled

B.  

Log at Session Start disabled Log at Session End enabled

C.  

Log at Session Start enabled Log at Session End disabled

D.  

Log at Session Start and Log at Session End both disabled

Discussion 0
Question # 30

Which statement is true regarding a Best Practice Assessment?

Options:

A.  

The BPA tool can be run only on firewalls

B.  

It provides a percentage of adoption for each assessment data

C.  

The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities

D.  

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

Discussion 0
Question # 31

What is a recommended consideration when deploying content updates to the firewall from Panorama?

Options:

A.  

Before deploying content updates, always check content release version compatibility.

B.  

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

C.  

Content updates for firewall A/A HA pairs need a defined master device.

D.  

After deploying content updates, perform a commit and push to Panorama.

Discussion 0
Question # 32

Which User-ID mapping method should be used for an environment with clients that do not authenticate to Windows Active Directory?

Options:

A.  

Windows session monitoring via a domain controller

B.  

passive server monitoring using the Windows-based agent

C.  

Captive Portal

D.  

passive server monitoring using a PAN-OS integrated User-ID agent

Discussion 0
Question # 33

Match each feature to the DoS Protection Policy or the DoS Protection Profile.

Question # 33

Options:

Discussion 0
Question # 34

Identify the correct order to configure the PAN-OS integrated USER-ID agent.

3. add the service account to monitor the server(s)

2. define the address of the servers to be monitored on the firewall

4. commit the configuration, and verify agent connection status

1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

Options:

A.  

2-3-4-1

B.  

1-4-3-2

C.  

3-1-2-4

D.  

1-3-2-4

Discussion 0
Question # 35

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Options:

A.  

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

B.  

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

C.  

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

D.  

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

Discussion 0
Question # 36

What is the purpose of the automated commit recovery feature?

Options:

A.  

It reverts the Panorama configuration.

B.  

It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.

C.  

It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.

D.  

It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

Discussion 0
Question # 37

An administrator has configured a Security policy where the matching condition includes a single application and the action is deny

If the application s default deny action is reset-both what action does the firewall take*?

Options:

A.  

It sends a TCP reset to the client-side and server-side devices

B.  

It silently drops the traffic and sends an ICMP unreachable code

C.  

It silently drops the traffic

D.  

It sends a TCP reset to the server-side device

Discussion 0