PCNSA EXAM QUESTIONS AND ANSWERS LATEST
UPDATE (ALREADY GRADED A+)
Global user authentication is supported by which three authentication services?
SAML
RADIUS x
TACACS+
True or false? Certificate-based authentication replaces all other forms of either local or external
authentication
True
Which two items are supported routing protocols on a virtual router?
OSPF, BGP
Which three interface types are valid on a Palo Alto Networks firewall?
Tap, Virtual wire, Layer 3
Which two firewall interface types can be added to a Layer3-type security zone?
Tunnel, Loopback
Which type of firewall interface enables passive monitoring of network traffic?
Tap
True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.
True
Which two activities are part of the cyberattack lifecycle Reconnaissance stage?
ports scans, social engineering
At which cyberattack lifecycle stage does the attacker achieve "hands on keyboard" control of the
target device?
C2
Which two characteristics are common among commodity threats?
They are pervasive, they are often used as part of an APT
At which packet flow stage does the firewall detect and block pre-session reconnaissance and DoS
attacks?
Ingress
Which two items are required match criteria in a Palo Alto Networks Security policy rule?
, source zone, destination zone
Which type of Security policy rule is the default rule type?
Universal
Which action in a Security policy rule results in traffic being silently rejected?
Drop
NAT oversubscription is used in conjunction with which NAT translation type?
dynamic IP and port
True or false? Logging on intrazone-default and interzone-default Security policy rules is enabled by
default.
False
True or false? The implementation of network segmentation and security zones can reduce your
network's attack surface.
True
Which protection method can be used to mitigate single-session DoS attacks?
packet buffer protection
True or false? DoS Protection policy is applied to session traffic before a Zone Protection Profile.
False (!)
Which type of protection is provided by both a Zone Protection Profile and a DoS Protection Profile?
Flood
Which firewall configuration component is used to block access to known-bad IP addresses?
Security policy
In which three locations can you configure the firewall to use an external dynamic list (EDL)?
Anti-spyware profile
URL filtering profile
Security policy
In which firewall configuration component can you use an EDL of type Domain List?
Anti-spyware profile (!)
True or false? A best practice is to enable the "sinkhole" action in an Anti-Spyware Profile.
True
Which three methods does App-ID use to identify network traffic?
UPDATE (ALREADY GRADED A+)
Global user authentication is supported by which three authentication services?
SAML
RADIUS x
TACACS+
True or false? Certificate-based authentication replaces all other forms of either local or external
authentication
True
Which two items are supported routing protocols on a virtual router?
OSPF, BGP
Which three interface types are valid on a Palo Alto Networks firewall?
Tap, Virtual wire, Layer 3
Which two firewall interface types can be added to a Layer3-type security zone?
Tunnel, Loopback
Which type of firewall interface enables passive monitoring of network traffic?
Tap
True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.
True
Which two activities are part of the cyberattack lifecycle Reconnaissance stage?
ports scans, social engineering
At which cyberattack lifecycle stage does the attacker achieve "hands on keyboard" control of the
target device?
C2
Which two characteristics are common among commodity threats?
They are pervasive, they are often used as part of an APT
At which packet flow stage does the firewall detect and block pre-session reconnaissance and DoS
attacks?
Ingress
Which two items are required match criteria in a Palo Alto Networks Security policy rule?
, source zone, destination zone
Which type of Security policy rule is the default rule type?
Universal
Which action in a Security policy rule results in traffic being silently rejected?
Drop
NAT oversubscription is used in conjunction with which NAT translation type?
dynamic IP and port
True or false? Logging on intrazone-default and interzone-default Security policy rules is enabled by
default.
False
True or false? The implementation of network segmentation and security zones can reduce your
network's attack surface.
True
Which protection method can be used to mitigate single-session DoS attacks?
packet buffer protection
True or false? DoS Protection policy is applied to session traffic before a Zone Protection Profile.
False (!)
Which type of protection is provided by both a Zone Protection Profile and a DoS Protection Profile?
Flood
Which firewall configuration component is used to block access to known-bad IP addresses?
Security policy
In which three locations can you configure the firewall to use an external dynamic list (EDL)?
Anti-spyware profile
URL filtering profile
Security policy
In which firewall configuration component can you use an EDL of type Domain List?
Anti-spyware profile (!)
True or false? A best practice is to enable the "sinkhole" action in an Anti-Spyware Profile.
True
Which three methods does App-ID use to identify network traffic?
