March Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Paloalto Networks PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Exam Practice Test

Demo: 108 questions
Total 362 questions

Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Question 1

You receive notification about a new malware that infects hosts An infection results in the infected host attempting to contact a command-and-control server Which Security Profile when applied to outbound Security policy rules detects and prevents this threat from establishing a command-and-control connection?

Options:

A.

Antivirus Profile

B.

Data Filtering Profile

C.

Vulnerability Protection Profile

D.

Anti-Spyware Profile

Question 2

What are three configurable interface types for a data-plane ethernet interface? (Choose three.)

Options:

A.

Layer 3

B.

HSCI

C.

VWire

D.

Layer 2

E.

Management

Question 3

An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

Options:

A.

Rules without App Controls

B.

New App Viewer

C.

Rule Usage

D.

Unused Unused Apps

Question 4

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

Options:

A.

Windows-based agent deployed on the internal network

B.

PAN-OS integrated agent deployed on the internal network

C.

Citrix terminal server deployed on the internal network

D.

Windows-based agent deployed on each of the WAN Links

Question 5

Which interface type can use virtual routers and routing protocols?

Options:

A.

Tap

B.

Layer3

C.

Virtual Wire

D.

Layer2

Question 6

To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?

Options:

A.

domain controller

B.

TACACS+

C.

LDAP

D.

RADIUS

Question 7

By default, which action is assigned to the interzone-default rule?

Options:

A.

Reset-client

B.

Reset-server

C.

Deny

D.

Allow

Question 8

Based on the screenshot presented which column contains the link that when clicked opens a window to display all applications matched to the policy rule?

Options:

A.

Apps Allowed

B.

Name

C.

Apps Seen

D.

Service

Question 9

What are two valid selections within an Anti-Spyware profile? (Choose two.)

Options:

A.

Default

B.

Deny

C.

Random early drop

D.

Drop

Question 10

How does the Policy Optimizer policy view differ from the Security policy view?

Options:

A.

It provides sorting options that do not affect rule order.

B.

It displays rule utilization.

C.

It details associated zones.

D.

It specifies applications seen by rules.

Question 11

Which definition describes the guiding principle of the zero-trust architecture?

Options:

A.

never trust, never connect

B.

always connect and verify

C.

never trust, always verify

D.

trust, but verity

Question 12

Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate username and the associated password?

Options:

A.

Domain Credential

B.

IP User

C.

Group Mapping

D.

Valid Username Detected Log Severity

Question 13

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

Options:

A.

Data redistribution

B.

Dynamic updates

C.

SNMP setup

D.

Service route

Question 14

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

Options:

A.

Management

B.

High Availability

C.

Aggregate

D.

Aggregation

Question 15

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out. Which two fields could help in determining if this is normal? (Choose two.)

Options:

A.

Packets sent/received

B.

IP Protocol

C.

Action

D.

Decrypted

Question 16

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

Options:

A.

Blometric scanning results from iOS devices

B.

Firewall logs

C.

Custom API scripts

D.

Security Information and Event Management Systems (SIEMS), such as Splun

E.

DNS Security service

Question 17

Based on the security policy rules shown, ssh will be allowed on which port?

Options:

A.

any port

B.

same port as ssl and snmpv3

C.

the default port

D.

only ephemeral ports

Question 18

Within a WildFire Analysis Profile, what match criteria can be defined to forward samples for analysis?

Options:

A.

Application Category

B.

Source

C.

File Size

D.

Direction

Question 19

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

Options:

A.

Active Directory monitoring

B.

Windows session monitoring

C.

Windows client probing

D.

domain controller monitoring

Question 20

Which type firewall configuration contains in-progress configuration changes?

Options:

A.

backup

B.

running

C.

candidate

D.

committed

Question 21

Which operations are allowed when working with App-ID application tags?

Options:

A.

Predefined tags may be deleted.

B.

Predefined tags may be augmented by custom tags.

C.

Predefined tags may be modified.

D.

Predefined tags may be updated by WildFire dynamic updates.

Question 22

What is a recommended consideration when deploying content updates to the firewall from Panorama?

Options:

A.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

B.

Content updates for firewall A/A HA pairs need a defined master device.

C.

Before deploying content updates, always check content release version compatibility.

D.

After deploying content updates, perform a commit and push to Panorama.

Question 23

An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

Options:

A.

Eleven rules use the "Infrastructure* tag.

B.

The view Rulebase as Groups is checked.

C.

There are seven Security policy rules on this firewall.

D.

Highlight Unused Rules is checked.

Question 24

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

Options:

A.

override

B.

allow

C.

block

D.

continue

Question 25

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

Options:

A.

Configure an authentication policy

B.

Configure an authentication sequence

C.

Configure an authentication profile

D.

Isolate the management interface on a dedicated management VLAN

Question 26

You need to allow users to access the office–suite application of their choice. How should you configure the firewall to allow access to any office-suite application?

Options:

A.

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

B.

Create an Application Group and add business-systems to it.

C.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

D.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

Question 27

What Policy Optimizer policy view differ from the Security policy do?

Options:

A.

It shows rules that are missing Security profile configurations.

B.

It indicates rules with App-ID that are not configured as port-based.

C.

It shows rules with the same Source Zones and Destination Zones.

D.

It indicates that a broader rule matching the criteria is configured above a more specific rule.

Question 28

Match each rule type with its example

Options:

Question 29

Which Palo Alto networks security operating platform service protects cloud-based application such as Dropbox and salesforce by monitoring permissions and shared and scanning files for Sensitive information?

Options:

A.

Prisma SaaS

B.

AutoFocus

C.

Panorama

D.

GlobalProtect

Question 30

In the example security policy shown, which two websites fcked? (Choose two.)

Options:

A.

LinkedIn

B.

Facebook

C.

YouTube

D.

Amazon

Question 31

An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?

Options:

A.

branch office traffic

B.

north-south traffic

C.

perimeter traffic

D.

east-west traffic

Question 32

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

Options:

A.

At the CLI enter the command reset rules and press Enter

B.

Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

C.

Reboot the firewall

D.

Use the Reset Rule Hit Counter > All Rules option

Question 33

What is used to monitor Security policy applications and usage?

Options:

A.

Policy Optimizer

B.

App-ID

C.

Security profile

D.

Policy-based forwarding

Question 34

Given the topology, which zone type should zone A and zone B to be configured with?

Options:

A.

Layer3

B.

Tap

C.

Layer2

D.

Virtual Wire

Question 35

Where within the firewall GUI can all existing tags be viewed?

Options:

A.

Network > Tags

B.

Monitor > Tags

C.

Objects > Tags

D.

Policies > Tags

Question 36

Which statement is true regarding a Prevention Posture Assessment?

Options:

A.

The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories

B.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C.

It provides a percentage of adoption for each assessment area

D.

It performs over 200 security checks on Panorama/firewall for the assessment

Question 37

Which rule type is appropriate for matching traffic both within and between the source and destination zones?

Options:

A.

interzone

B.

shadowed

C.

intrazone

D.

universal

Question 38

Which option is part of the content inspection process?

Options:

A.

IPsec tunnel encryption

B.

Packet egress process

C.

SSL Proxy re-encrypt

D.

Packet forwarding process

Question 39

Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

Options:

A.

save named configuration snapshot

B.

export device state

C.

export named configuration snapshot

D.

save candidate config

Question 40

Which Security policy action will message a user's browser thai their web session has been terminated?

Options:

A.

Reset server

B.

Deny

C.

Drop

D.

Reset client

Question 41

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1 What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

Options:

A.

Add zones attached to interfaces to the virtual router

B.

Add interfaces to the virtual router

C.

Enable the redistribution profile to redistribute connected routes

D.

Add a static routes to route between the two interfaces

Question 42

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

Options:

A.

block

B.

sinkhole

C.

alert

D.

allow

Question 43

What are three factors that can be used in domain generation algorithms? (Choose three.)

Options:

A.

cryptographic keys

B.

time of day

C.

other unique values

D.

URL custom categories

E.

IP address

Question 44

What do you configure if you want to set up a group of objects based on their ports alone?

Options:

A.

Application groups

B.

Service groups

C.

Address groups

D.

Custom objects

Question 45

Which plane on a Palo alto networks firewall provides configuration logging and reporting functions on a separate processor?

Options:

A.

data

B.

network processing

C.

management

D.

security processing

Question 46

By default, what is the maximum number of templates that can be added to a template stack?

Options:

A.

6

B.

8

C.

10

D.

12

Question 47

Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Options:

A.

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES

B.

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES

C.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate Data Filtering profile

D.

Create a Security policy that references NO-FILES as a URL Category qualifier, with an appropriate File Blocking profile

Question 48

Which data-plane processor layer of the graphic shown provides uniform matching for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

Options:

A.

Signature Matching

B.

Network Processing

C.

Security Processing

D.

Security Matching

Question 49

Access to which feature requires PAN-OS Filtering licens?

Options:

A.

PAN-DB database

B.

URL external dynamic lists

C.

Custom URL categories

D.

DNS Security

Question 50

In a File Blocking profile, which two actions should be taken to allow file types that support critical apps? (Choose two.)

Options:

A.

Clone and edit the Strict profile.

B.

Use URL filtering to limit categories in which users can transfer files.

C.

Set the action to Continue.

D.

Edit the Strict profile.

Question 51

What action will inform end users when their access to Internet content is being restricted?

Options:

A.

Create a custom 'URL Category' object with notifications enabled.

B.

Publish monitoring data for Security policy deny logs.

C.

Ensure that the 'site access" setting for all URL sites is set to 'alert'.

D.

Enable 'Response Pages' on the interface providing Internet access.

Question 52

To what must an interface be assigned before it can process traffic?

Options:

A.

Security Zone

B.

Security policy

C.

Security Protection

D.

Security profile

Question 53

What is the maximum volume of concurrent administrative account sessions?

Options:

A.

Unlimited

B.

2

C.

10

D.

1

Question 54

How do you reset the hit count on a security policy rule?

Options:

A.

First disable and then re-enable the rule.

B.

Reboot the data-plane.

C.

Select a Security policy rule, and then select Hit Count > Reset.

D.

Type the CLI command reset hitcount .

Question 55

How are Application Fillers or Application Groups used in firewall policy?

Options:

A.

An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group

B.

An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group

C.

An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group

D.

An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group

Question 56

Which statement best describes the use of Policy Optimizer?

Options:

A.

Policy Optimizer can display which Security policies have not been used in the last 90 days

B.

Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications

C.

Policy Optimizer can add or change a Log Forwarding profile for each Secunty policy selected

D.

Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App-ID Security policy for every Layer 4 policy that exists Admins can then manually enable policies they want to keep and delete ones they want to remove

Question 57

Which Security profile can you apply to protect against malware such as worms and Trojans?

Options:

A.

data filtering

B.

antivirus

C.

vulnerability protection

D.

anti-spyware

Question 58

Match each feature to the DoS Protection Policy or the DoS Protection Profile.

Options:

Question 59

Palo Alto Networks firewall architecture accelerates content map minimizing latency using which two components'? (Choose two )

Options:

A.

Network Processing Engine

B.

Single Stream-based Engine

C.

Policy Engine

D.

Parallel Processing Hardware

Question 60

The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate laptop the malware contacted a known command-and-control server which exfiltrating corporate data.

Which Security profile feature could have been used to prevent the communications with the command-and-control server?

Options:

A.

Create a Data Filtering Profile and enable its DNS sinkhole feature.

B.

Create an Antivirus Profile and enable its DNS sinkhole feature.

C.

Create an Anti-Spyware Profile and enable its DNS sinkhole feature.

D.

Create a URL Filtering Profile and block the DNS sinkhole URL category.

Question 61

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the rule type from its default value.

What type of Security policy rule is created?

Options:

A.

Tagged

B.

Intrazone

C.

Universal

D.

Interzone

Question 62

Which Palo Alto network security operating platform component provides consolidated policy creation and centralized management?

Options:

A.

Prisma SaaS

B.

Panorama

C.

AutoFocus

D.

GlobalProtect

Question 63

What is a function of application tags?

Options:

A.

creation of new zones

B.

application prioritization

C.

automated referenced applications in a policy

D.

IP address allocations in DHCP

Question 64

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.

What should the administrator do?

Options:

A.

change the logging action on the rule

B.

review the System Log

C.

refresh the Traffic Log

D.

tune your Traffic Log filter to include the dates

Question 65

What is a recommended consideration when deploying content updates to the firewall from Panorama?

Options:

A.

Before deploying content updates, always check content release version compatibility.

B.

Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

C.

Content updates for firewall A/A HA pairs need a defined master device.

D.

After deploying content updates, perform a commit and push to Panorama.

Question 66

Which Security policy action will message a user's browser that their web session has been terminated?

Options:

A.

Drop

B.

Deny

C.

Reset client

D.

Reset server

Question 67

Within an Anti-Spyware security profile, which tab is used to enable machine learning based engines?

Options:

A.

Inline Cloud Analysis

B.

Signature Exceptions

C.

Machine Learning Policies

D.

Signature Policies

Question 68

Which protocol used to map username to user groups when user-ID is configured?

Options:

A.

SAML

B.

RADIUS

C.

TACACS+

D.

LDAP

Question 69

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication Sequence SYS01," and the authentication sequence SYS01 has a profile list with four authentication profiles:

• Auth Profile LDAP

• Auth Profile Radius

• Auth Profile Local

• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "SYS01 Admin" username and password.

What is the "SYS01 Admin" login capability after the outage?

Options:

A.

Auth KO because RADIUS server lost user and password for SYS01 Admin

B.

Auth KO because LDAP server is not reachable

C.

Auth OK because of the Auth Profile Local

D.

Auth OK because of the Auth Profile TACACS -

Question 70

Which profile should be used to obtain a verdict regarding analyzed files?

Options:

A.

WildFire analysis

B.

Vulnerability profile

C.

Content-ID

D.

Advanced threat prevention

Question 71

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?

Options:

A.

TACACS+

B.

RADIUS

C.

LDAP

D.

SAML

Question 72

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH. web-browsing and SSL applications

Which policy achieves the desired results?

A)

B)

C)

D)

Options:

A.

Option

B.

Option

C.

Option

D.

Option

Question 73

Based on the screenshot what is the purpose of the included groups?

Options:

A.

They are only groups visible based on the firewall's credentials.

B.

They are used to map usernames to group names.

C.

They contain only the users you allow to manage the firewall.

D.

They are groups that are imported from RADIUS authentication servers.

Question 74

Based on the network diagram provided, which two statements apply to traffic between the User and Server networks? (Choose two.)

Options:

A.

Traffic is permitted through the default intrazone "allow" rule.

B.

Traffic restrictions are possible by modifying intrazone rules.

C.

Traffic restrictions are not possible, because the networks are in the same zone.

D.

Traffic is permitted through the default interzone "allow" rule.

Question 75

Where in the PAN-OS GUI can an administrator monitor the rule usage for a specified period of time?

Options:

A.

Objects > Schedules

B.

Policies > Policy Optimizer

C.

Monitor > Packet Capture

D.

Monitor > Reports

Question 76

How frequently can wildfire updates be made available to firewalls?

Options:

A.

every 15 minutes

B.

every 30 minutes

C.

every 60 minutes

D.

every 5 minutes

Question 77

An administrator is configuring a NAT rule

At a minimum, which three forms of information are required? (Choose three.)

Options:

A.

name

B.

source zone

C.

destination interface

D.

destination address

E.

destination zone

Question 78

An administrator wants to enable access to www.paloaltonetworks.com while denying access to all other sites in the same category.

Which object should the administrator create to use as a match condition for the security policy rule that allows access to www.paloaltonetworks.com?

Options:

A.

Application group

B.

Address ab

C.

URL category

D.

Service

Question 79

Which path in PAN-OS 10.0 displays the list of port-based security policy rules?

Options:

A.

Policies> Security> Rule Usage> No App Specified

B.

Policies> Security> Rule Usage> Port only specified

C.

Policies> Security> Rule Usage> Port-based Rules

D.

Policies> Security> Rule Usage> Unused Apps

Question 80

Place the following steps in the packet processing order of operations from first to last.

Options:

Question 81

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can initiate malicious code against a targeted machine.

Options:

A.

Exploitation

B.

Installation

C.

Reconnaissance

D.

Act on Objective

Question 82

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP –to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.

Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

Options:

A.

syslog

B.

RADIUS

C.

UID redistribution

D.

XFF headers

Question 83

A Security Profile can block or allow traffic at which point?

Options:

A.

after it is matched to a Security policy rule that allows traffic

B.

on either the data plane or the management plane

C.

after it is matched to a Security policy rule that allows or blocks traffic

D.

before it is matched to a Security policy rule

Question 84

An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

Options:

A.

User-ID

B.

App-ID

C.

Security Processing Engine

D.

Content-ID

Question 85

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?

Options:

A.

SAML

B.

Multi-Factor Authentication

C.

Role-based

D.

Dynamic

Question 86

A network has 10 domain controllers, multiple WAN links, and a network infrastructure with bandwidth needed to support mission-critical applications. Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

Options:

A.

Windows-based agent on a domain controller

B.

Captive Portal

C.

Citrix terminal server with adequate data-plane resources

D.

PAN-OS integrated agent

Question 87

When is the content inspection performed in the packet flow process?

Options:

A.

after the application has been identified

B.

after the SSL Proxy re-encrypts the packet

C.

before the packet forwarding process

D.

before session lookup

Question 88

Which type of security rule will match traffic between the Inside zone and Outside zone, within the Inside zone, and within the Outside zone?

Options:

A.

global

B.

intrazone

C.

interzone

D.

universal

Question 89

What is the default action for the SYN Flood option within the DoS Protection profile?

Options:

A.

Alert

B.

Random Early Drop

C.

Reset-client

D.

Sinkhole

Question 90

What must be configured for the firewall to access multiple authentication profiles for external services to authenticate a non-local account?

Options:

A.

authentication sequence

B.

LDAP server profile

C.

authentication server list

D.

authentication list profile

Question 91

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive information?

Options:

A.

Aperture

B.

AutoFocus

C.

Parisma SaaS

D.

GlobalProtect

Question 92

What is an advantage for using application tags?

Options:

A.

They are helpful during the creation of new zones

B.

They help with the design of IP address allocations in DHCP.

C.

They help content updates automate policy updates

D.

They help with the creation of interfaces

Question 93

An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action (or the profile. If a virus gets detected, how wilt the firewall handle the traffic?

Options:

A.

It allows the traffic because the profile was not set to explicitly deny the traffic.

B.

It drops the traffic because the profile was not set to explicitly allow the traffic.

C.

It uses the default action assigned to the virus signature.

D.

It allows the traffic but generates an entry in the Threat logs.

Question 94

If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 95

Which action can be performed when grouping rules by group tags?

Options:

A.

Delete Tagged Rule(s)

B.

Edit Selected Rule(s)

C.

Apply Tag to the Selected Rule(s)

D.

Tag Selected Rule(s)

Question 96

In which two types of NAT can oversubscription be used? (Choose two.)

Options:

A.

Static IP

B.

Destination NAT

C.

Dynamic IP and Port (DIPP)

D.

Dynamic IP

Question 97

An administrator configured a Security policy rule where the matching condition includes a single application and the action is set to deny. What deny action will the firewall perform?

Options:

A.

Drop the traffic silently

B.

Perform the default deny action as defined in the App-ID database for the application

C.

Send a TCP reset packet to the client- and server-side devices

D.

Discard the session's packets and send a TCP reset packet to let the client know the session has been terminated

Question 98

An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are available for any known user in the organization.

What object is best suited for this configuration?

Options:

A.

Application Group

B.

Tag

C.

External Dynamic List

D.

Application Filter

Question 99

Which two statements are correct about App-ID content updates? (Choose two.)

Options:

A.

Updated application content may change how security policy rules are enforced

B.

After an application content update, new applications must be manually classified prior to use

C.

Existing security policy rules are not affected by application content updates

D.

After an application content update, new applications are automatically identified and classified

Question 100

Why does a company need an Antivirus profile?

Options:

A.

To prevent command-and-control traffic

B.

To protect against viruses, worms, and trojans

C.

To prevent known exploits

D.

To prevent access to malicious web content

Question 101

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

Options:

A.

Root

B.

Dynamic

C.

Role-based

D.

Superuser

Question 102

What is the best-practice approach to logging traffic that traverses the firewall?

Options:

A.

Enable both log at session start and log at session end.

B.

Enable log at session start only.

C.

Enable log at session end only.

D.

Disable all logging options.

Question 103

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis Unit 42 research and data gathered from telemetry?

Options:

A.

Palo Alto Networks C&C IP Addresses

B.

Palo Alto Networks Bulletproof IP Addresses

C.

Palo Alto Networks High-Risk IP Addresses

D.

Palo Alto Networks Known Malicious IP Addresses

Question 104

Which type of address object is www.paloaltonetworks.com?

Options:

A.

IP range

B.

IP netmask

C.

named address

D.

FQDN

Question 105

A website is unexpectedly allowed due to miscategorization.

What are two way-s to resolve this issue for a proper response? (Choose two.)

Options:

A.

Identify the URL category being assigned to the website.

Edit the active URL Filtering profile and update that category's site access settings to block.

B.

Create a URL category and assign the affected URL.

Update the active URL Filtering profile site access setting for the custom URL category to block.

C.

Review the categorization of the website on https://urlfiltering.paloaltonetworks.com.

Submit for "request change*, identifying the appropriate categorization, and wait for confirmation before testing again.

D.

Create a URL category and assign the affected URL.

Add a Security policy with a URL category qualifier of the custom URL category below the original policy. Set the policy action to Deny.

Question 106

Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)

Options:

A.

Post-NAT address

B.

Post-NAT zone

C.

Pre-NAT zone

D.

Pre-NAT address

Question 107

Identify the correct order to configure the PAN-OS integrated USER-ID agent.

3. add the service account to monitor the server(s)

2. define the address of the servers to be monitored on the firewall

4. commit the configuration, and verify agent connection status

1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

Options:

A.

2-3-4-1

B.

1-4-3-2

C.

3-1-2-4

D.

1-3-2-4

Question 108

What are three ways application characteristics are used? (Choose three.)

Options:

A.

As an attribute to define an application group

B.

As a setting to define a new custom application

C.

As an Object to define Security policies

D.

As an attribute to define an application filter

E.

As a global filter in the Application Command Center (ACC)

Demo: 108 questions
Total 362 questions