PCNSA exam Questions and Correct
Answers Rated A+ 2025
Which firewall plane provides configuration, logging, and reporting functions on
a separate processor? - ANSWER>>Control plane
A security administrator has configured App-ID updates to be automatically
downloaded and installed. The company is currently using an application
identified byApp-ID as SuperApp_base.On a content update notice, Palo Alto
Networks is adding new app signatures labeled SuperApp_chat and
SuperApp_download, which will be deployed in 30 days.Based on the
information, how is the SuperApp traffic affected after the 30 days have
passed? - ANSWER>>No impact because the firewall automatically adds the
rules to the App-ID interface
How many zones can an interface be assigned with a Palo Alto Networks
firewall? - ANSWER>>One
Which two configuration settings shown are not the default? - ANSWER>>Server
Log Monitor Frequency (sec)
Enable Session
Which data-plane processor layer provides uniform matching for spyware and
vulnerability exploits on a Palo Alto Networks Firewall? - ANSWER>>Signature
Matching
Which option shows the attributes that are selectable when setting up
application filters? - ANSWER>>Category, Subcategory, Technology, Risk, and
Characteristic
,Actions can be set for which two items in a URL filtering security profile? -
ANSWER>>Custom URL Categories
PAN-DB URL Categories
Which two statements are correct about App-ID content updates? -
ANSWER>>Existing security policy rules are not affected by application content
updates
After an application content update, new applications are automatically
identified and classified
Which User-ID mapping method should be used for an environment with clients
that do not authenticate to Windows Active Directory? - ANSWER>>Captive
Portal
An administrator needs to allow users to use their own office applications. How
should the administrator configure the firewall to allow multiple applications in
a dynamic environment? - ANSWER>>Create an Application Group and add
business-systems to it
Which statement is true regarding a Best Practice Assessment? - ANSWER>>It
provides a percentage of adoption for each assessment data
Complete the statement. A security profile can block or allow traffic. -
ANSWER>>after it is evaluated by a security policy that allows traffic
When creating a Source NAT policy, which entry in the Translated Packet tab
will display the options Dynamic IP and Port, Dynamic, Static IP, and None? -
ANSWER>>Translation Type
Which interface does not require a MAC or IP address? - ANSWER>>Virtual Wire
A company moved its old port-based firewall to a new Palo Alto Networks
NGFW 60 days ago. Which utility should the company use to identify out-of-
, date or unused rules on the firewall? - ANSWER>>Rule Usage Filter > Hit Count >
Unused in 90 days
What are two differences between an implicit dependency and an explicit
dependency in App-ID? - ANSWER>>An implicit dependency does not require
the dependent application to be added in the security policy
An explicit dependency requires the dependent application to be added in the
security policy
Recently changes were made to the firewall to optimize the policies and the
security team wants to see if those changes are helping.What is the quickest
way to reset the hit counter to zero in all the security policy rules? -
ANSWER>>Use the Reset Rule Hit Counter > All Rules option
Which two App-ID applications will need to be allowed to use Facebook-chat? -
ANSWER>>Facebook-base
Facebook-chat
Which User-ID agent would be appropriate in a network with multiple WAN
links, limited network bandwidth, and limited firewall management plane
resources? - ANSWER>>Windows-based agent deployed on the internal network
Your company requires positive username attribution of every IP address used
by wireless devices to support a new compliance requirement. You must collect
IP-to-user mappings as soon as possible with minimal downtime and minimal
configuration changes to the wireless devices themselves. The wireless devices
are from various manufactures.Given the scenario, choose the option for
sending IP-to-user mappings to the NGFW. - ANSWER>>syslog
An administrator receives a global notification for a new malware that infects
hosts. The infection will result in the infected host attempting to contact a
command- and-control (C2) server. Which two security profile components will
detect and prevent this threat after the firewall's signature database has been
Answers Rated A+ 2025
Which firewall plane provides configuration, logging, and reporting functions on
a separate processor? - ANSWER>>Control plane
A security administrator has configured App-ID updates to be automatically
downloaded and installed. The company is currently using an application
identified byApp-ID as SuperApp_base.On a content update notice, Palo Alto
Networks is adding new app signatures labeled SuperApp_chat and
SuperApp_download, which will be deployed in 30 days.Based on the
information, how is the SuperApp traffic affected after the 30 days have
passed? - ANSWER>>No impact because the firewall automatically adds the
rules to the App-ID interface
How many zones can an interface be assigned with a Palo Alto Networks
firewall? - ANSWER>>One
Which two configuration settings shown are not the default? - ANSWER>>Server
Log Monitor Frequency (sec)
Enable Session
Which data-plane processor layer provides uniform matching for spyware and
vulnerability exploits on a Palo Alto Networks Firewall? - ANSWER>>Signature
Matching
Which option shows the attributes that are selectable when setting up
application filters? - ANSWER>>Category, Subcategory, Technology, Risk, and
Characteristic
,Actions can be set for which two items in a URL filtering security profile? -
ANSWER>>Custom URL Categories
PAN-DB URL Categories
Which two statements are correct about App-ID content updates? -
ANSWER>>Existing security policy rules are not affected by application content
updates
After an application content update, new applications are automatically
identified and classified
Which User-ID mapping method should be used for an environment with clients
that do not authenticate to Windows Active Directory? - ANSWER>>Captive
Portal
An administrator needs to allow users to use their own office applications. How
should the administrator configure the firewall to allow multiple applications in
a dynamic environment? - ANSWER>>Create an Application Group and add
business-systems to it
Which statement is true regarding a Best Practice Assessment? - ANSWER>>It
provides a percentage of adoption for each assessment data
Complete the statement. A security profile can block or allow traffic. -
ANSWER>>after it is evaluated by a security policy that allows traffic
When creating a Source NAT policy, which entry in the Translated Packet tab
will display the options Dynamic IP and Port, Dynamic, Static IP, and None? -
ANSWER>>Translation Type
Which interface does not require a MAC or IP address? - ANSWER>>Virtual Wire
A company moved its old port-based firewall to a new Palo Alto Networks
NGFW 60 days ago. Which utility should the company use to identify out-of-
, date or unused rules on the firewall? - ANSWER>>Rule Usage Filter > Hit Count >
Unused in 90 days
What are two differences between an implicit dependency and an explicit
dependency in App-ID? - ANSWER>>An implicit dependency does not require
the dependent application to be added in the security policy
An explicit dependency requires the dependent application to be added in the
security policy
Recently changes were made to the firewall to optimize the policies and the
security team wants to see if those changes are helping.What is the quickest
way to reset the hit counter to zero in all the security policy rules? -
ANSWER>>Use the Reset Rule Hit Counter > All Rules option
Which two App-ID applications will need to be allowed to use Facebook-chat? -
ANSWER>>Facebook-base
Facebook-chat
Which User-ID agent would be appropriate in a network with multiple WAN
links, limited network bandwidth, and limited firewall management plane
resources? - ANSWER>>Windows-based agent deployed on the internal network
Your company requires positive username attribution of every IP address used
by wireless devices to support a new compliance requirement. You must collect
IP-to-user mappings as soon as possible with minimal downtime and minimal
configuration changes to the wireless devices themselves. The wireless devices
are from various manufactures.Given the scenario, choose the option for
sending IP-to-user mappings to the NGFW. - ANSWER>>syslog
An administrator receives a global notification for a new malware that infects
hosts. The infection will result in the infected host attempting to contact a
command- and-control (C2) server. Which two security profile components will
detect and prevent this threat after the firewall's signature database has been
