PCNSA EXAM 2025/2026 QUESTIONS
AND ANSWERS 100% PASS.
A client downloads a malicious file from the internet. The Palo Alto firewall has a valid WildFire
subscription. The Security policy rule shown above matches the client HTTP session: Which
three actions take place when the firewall's Content-ID engine detects a virus in the file and the
decoder action is set to "block"? (Choose three.) - ANS A threat log entry is generated.
The file download is terminated.
The client receives a block page.
A company has a pair of PA-3050s running PAN-OS 6.0.4. Antivirus, Threat Prevention, and URL
Filtering Profiles are in place and properly configured on both inbound and outbound policies. A
Security Operation Center (SOC) engineer starts his shift and faces the traffic logs presented in
the screenshot shown above. He notices that the traffic is being allowed outbound. Which
actions should the SOC engineer take to safely allow known but not yet qualified applications,
without disrupting the remaining traffic policies? - ANS Create Application Override policies
after a packet capture to identify the applications that are triggering the "unknown-tcp". Then
create new custom applications for those policies, and add these new policies above the current
policy that allows the traffic.
A company has a Palo Alto Networks firewall configured with the following three zones: Internet
DMZ Inside. All users are located on the Inside zone and are using public DNS servers for name
resolution. The company hosts a publicly accessible web application on a server in the DMZ
zone. Which NAT rule configuration will allow users on the Inside zone to access the web
application using its public IP address? - ANS Three zone U-turn NAT
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, A company has a Palo Alto Networks firewall configured with the following three zones: Untrust-
L3 DMZ Trust-L3. The company hosts a publicly accessible web application on a server that
resides in the Trust-L3 zone. The web server is associated with the following IP addresses: Web
Server Public IP: 2.2.2.1/24 , Web Server Private IP: 192.168.1.10/24 . The security administrator
configures the following two-zone U-Turn NAT rule to allow users using 10.10.1.0/24 on the
"Trust-L3" zone to access the web server using its public IP address in the Untrust-L3 zone:
Which statement is true in this situation? - ANS The traffic will be considered intra-zone
based on the translated destination zone.
A company is deploying a pair of PA-5060 firewalls in an environment requiring support for
asymmetric routing. Which High Availability (HA) mode best supports this design requirement? -
ANS Active-Active mode
A company policy dictates that logs must be retained in their original format for a period of time
that would exceed the space limitations of the Palo Alto Networks firewall's internal storage.
Which two options will allow the company to meet this requirement? (Choose two.) -
ANS Palo Alto Networks Log Collector
Panorama Virtual Machine with NFS storage
A company uses Active Directory and RADIUS to capture User-ID information and implement
user-based policies to control web access. Many Linux and Mac computers in the environment
that do not have IP-address-to-user mappings. What is the best way to collect user information
for those systems? - ANS Use Captive Portal to capture user information
A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode
and will be using HA-Lite. Which capability can be used in this situation? - ANS Configuration
Sync
A Management Profile to allow SSH access has been created and applied to interface
ethernet1/1. A security rule with the action "deny" is applied to packets from "any" source zone
to "any" destination zone. What will happen when someone attempts to initiate an SSH
connection to ethernet1/1? - ANS SSH access to the interface will be denied because intra-
zone traffic is denied.
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
AND ANSWERS 100% PASS.
A client downloads a malicious file from the internet. The Palo Alto firewall has a valid WildFire
subscription. The Security policy rule shown above matches the client HTTP session: Which
three actions take place when the firewall's Content-ID engine detects a virus in the file and the
decoder action is set to "block"? (Choose three.) - ANS A threat log entry is generated.
The file download is terminated.
The client receives a block page.
A company has a pair of PA-3050s running PAN-OS 6.0.4. Antivirus, Threat Prevention, and URL
Filtering Profiles are in place and properly configured on both inbound and outbound policies. A
Security Operation Center (SOC) engineer starts his shift and faces the traffic logs presented in
the screenshot shown above. He notices that the traffic is being allowed outbound. Which
actions should the SOC engineer take to safely allow known but not yet qualified applications,
without disrupting the remaining traffic policies? - ANS Create Application Override policies
after a packet capture to identify the applications that are triggering the "unknown-tcp". Then
create new custom applications for those policies, and add these new policies above the current
policy that allows the traffic.
A company has a Palo Alto Networks firewall configured with the following three zones: Internet
DMZ Inside. All users are located on the Inside zone and are using public DNS servers for name
resolution. The company hosts a publicly accessible web application on a server in the DMZ
zone. Which NAT rule configuration will allow users on the Inside zone to access the web
application using its public IP address? - ANS Three zone U-turn NAT
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, A company has a Palo Alto Networks firewall configured with the following three zones: Untrust-
L3 DMZ Trust-L3. The company hosts a publicly accessible web application on a server that
resides in the Trust-L3 zone. The web server is associated with the following IP addresses: Web
Server Public IP: 2.2.2.1/24 , Web Server Private IP: 192.168.1.10/24 . The security administrator
configures the following two-zone U-Turn NAT rule to allow users using 10.10.1.0/24 on the
"Trust-L3" zone to access the web server using its public IP address in the Untrust-L3 zone:
Which statement is true in this situation? - ANS The traffic will be considered intra-zone
based on the translated destination zone.
A company is deploying a pair of PA-5060 firewalls in an environment requiring support for
asymmetric routing. Which High Availability (HA) mode best supports this design requirement? -
ANS Active-Active mode
A company policy dictates that logs must be retained in their original format for a period of time
that would exceed the space limitations of the Palo Alto Networks firewall's internal storage.
Which two options will allow the company to meet this requirement? (Choose two.) -
ANS Palo Alto Networks Log Collector
Panorama Virtual Machine with NFS storage
A company uses Active Directory and RADIUS to capture User-ID information and implement
user-based policies to control web access. Many Linux and Mac computers in the environment
that do not have IP-address-to-user mappings. What is the best way to collect user information
for those systems? - ANS Use Captive Portal to capture user information
A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode
and will be using HA-Lite. Which capability can be used in this situation? - ANS Configuration
Sync
A Management Profile to allow SSH access has been created and applied to interface
ethernet1/1. A security rule with the action "deny" is applied to packets from "any" source zone
to "any" destination zone. What will happen when someone attempts to initiate an SSH
connection to ethernet1/1? - ANS SSH access to the interface will be denied because intra-
zone traffic is denied.
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
