PCNSA FULL STUDY GUIDE – COMPLETE
QUESTIONS AND VERIFIED ANSWERS | PALO
ALTO
NETWORKS CERTIFIED NETWORK SECURITY
ADMINISTRATOR EXAM
Which of the three types of Security policy rules that can be created is the default rule type?
a. intrazone
b. interzone
c. universal ✔✔c. universal
(T/F) The intrazone-default and interzone-default rules cannot be modified.
a. true
b. false ✔✔b. false
Which three items are names of valid source NAT translation types? (Choose three.)
a. dynamic IP
Page 1 of 40
,b. dynamic IP/Port
c. port forwarding
d. static ✔✔a. dynamic IP
b. dynamic IP/Port
d. static
(T/F) Logging on intrazone-default and interzone-default Security policy rules is enabled by
default.
a. true
b. false ✔✔b. false
Which item is the name of an object that dynamically groups applications based on application
attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic?
a. application
b. application filter
c. application group
d. Application Profile ✔✔b. application filter
(T/F) In Palo Alto Networks terms, an application is a specific program or feature that can be
detected, monitored, and blocked if necessary.
a. true
Page 2 of 40
,b. false ✔✔a. true
Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which
application?
a. unknown-tcp
b. unknown-udp
c. web-browsing ✔✔c. web-browsing
Which three statements are true regarding App-ID? (Choose three.)
a. It addresses the traffic classification limitations of traditional firewalls.
b. It is the Palo Alto Networks traffic classification mechanism.
c. It uses multiple identification mechanisms to determine the exact identity of applications
traversing the network.
d. It still is in the developmental stage and is not yet released. ✔✔a. It addresses the traffic
classification limitations of traditional firewalls.
b. It is the Palo Alto Networks traffic classification mechanism.
c. It uses multiple identification mechanisms to determine the exact identity of applications
traversing the network.
Application groups can contain applications, filters, or other application groups.
a. true
b. false ✔✔a. true
Page 3 of 40
, Which anti-spyware feature enables an administrator to quickly identify a potentially infected host
on the network?
a. Data Filtering log entry
b. continue response page
c. DNS sinkhole
d. CVE number ✔✔c. DNS sinkhole
(T/F) A Security Profile attached to a Security policy rule is evaluated only if the Security policy
rule matches traffic and the rule action is set to "Allow."
a. true
b. false ✔✔a. true
Zone Protection Profiles are applied to which item?
a. ingress ports
b. Security policy rules
c. egress ports
d. Address Groups ✔✔b. Security policy rules
(T/F) The Antivirus Security Profile defines actions to be taken if an infected file is detected as
part of an application.
Page 4 of 40
QUESTIONS AND VERIFIED ANSWERS | PALO
ALTO
NETWORKS CERTIFIED NETWORK SECURITY
ADMINISTRATOR EXAM
Which of the three types of Security policy rules that can be created is the default rule type?
a. intrazone
b. interzone
c. universal ✔✔c. universal
(T/F) The intrazone-default and interzone-default rules cannot be modified.
a. true
b. false ✔✔b. false
Which three items are names of valid source NAT translation types? (Choose three.)
a. dynamic IP
Page 1 of 40
,b. dynamic IP/Port
c. port forwarding
d. static ✔✔a. dynamic IP
b. dynamic IP/Port
d. static
(T/F) Logging on intrazone-default and interzone-default Security policy rules is enabled by
default.
a. true
b. false ✔✔b. false
Which item is the name of an object that dynamically groups applications based on application
attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic?
a. application
b. application filter
c. application group
d. Application Profile ✔✔b. application filter
(T/F) In Palo Alto Networks terms, an application is a specific program or feature that can be
detected, monitored, and blocked if necessary.
a. true
Page 2 of 40
,b. false ✔✔a. true
Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which
application?
a. unknown-tcp
b. unknown-udp
c. web-browsing ✔✔c. web-browsing
Which three statements are true regarding App-ID? (Choose three.)
a. It addresses the traffic classification limitations of traditional firewalls.
b. It is the Palo Alto Networks traffic classification mechanism.
c. It uses multiple identification mechanisms to determine the exact identity of applications
traversing the network.
d. It still is in the developmental stage and is not yet released. ✔✔a. It addresses the traffic
classification limitations of traditional firewalls.
b. It is the Palo Alto Networks traffic classification mechanism.
c. It uses multiple identification mechanisms to determine the exact identity of applications
traversing the network.
Application groups can contain applications, filters, or other application groups.
a. true
b. false ✔✔a. true
Page 3 of 40
, Which anti-spyware feature enables an administrator to quickly identify a potentially infected host
on the network?
a. Data Filtering log entry
b. continue response page
c. DNS sinkhole
d. CVE number ✔✔c. DNS sinkhole
(T/F) A Security Profile attached to a Security policy rule is evaluated only if the Security policy
rule matches traffic and the rule action is set to "Allow."
a. true
b. false ✔✔a. true
Zone Protection Profiles are applied to which item?
a. ingress ports
b. Security policy rules
c. egress ports
d. Address Groups ✔✔b. Security policy rules
(T/F) The Antivirus Security Profile defines actions to be taken if an infected file is detected as
part of an application.
Page 4 of 40
