PCNSA EXAM QUESTIONS AND ANSWERS LATEST
UPDATE (ALREADY GRADED A+)
A security administrator has configured App-ID updates to be automatically downloaded and
installed. The company is currently using an application identified byApp-ID as SuperApp_base.On a
content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and
SuperApp_download, which will be deployed in 30 days.Based on the information, how is the
SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer
matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until
the security administrator approves the applications
C. No impact because the firewall automatically adds the rules to the App-ID interface
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. two
B. three
C. four
D. one
D. one
Which option shows the attributes that are selectable when setting up application filters?
A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology
B. Category, Subcategory, Technology, Risk, and Characteristic
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List
A. Block List
D. Allow List
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
, C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
Which User-ID mapping method should be used for an environment with users that do not
authenticate to Active Directory?
A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent
C. Captive Portal
An administrator needs to allow users to use their own office applications. How should the
administrator configure the firewall to allow multiple applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems
category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems
category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
B. Create an Application Group and add business-systems to it
Which statement is true regarding a Best Practice Assessment?
A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest
risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture
B. It provides a percentage of adoption for each assessment area
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic
____________.
A. on either the data place or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic.
D. after it is matched by a security policy rule that allows or blocks traffic.
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which
utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days
UPDATE (ALREADY GRADED A+)
A security administrator has configured App-ID updates to be automatically downloaded and
installed. The company is currently using an application identified byApp-ID as SuperApp_base.On a
content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and
SuperApp_download, which will be deployed in 30 days.Based on the information, how is the
SuperApp traffic affected after the 30 days have passed?
A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer
matches the SuperApp-base application
B. No impact because the apps were automatically downloaded and installed
C. No impact because the firewall automatically adds the rules to the App-ID interface
D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until
the security administrator approves the applications
C. No impact because the firewall automatically adds the rules to the App-ID interface
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. two
B. three
C. four
D. one
D. one
Which option shows the attributes that are selectable when setting up application filters?
A. Category, Subcategory, Technology, and Characteristic
B. Category, Subcategory, Technology, Risk, and Characteristic
C. Name, Category, Technology, Risk, and Characteristic
D. Category, Subcategory, Risk, Standard Ports, and Technology
B. Category, Subcategory, Technology, Risk, and Characteristic
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. Block List
B. Custom URL Categories
C. PAN-DB URL Categories
D. Allow List
A. Block List
D. Allow List
Which two statements are correct about App-ID content updates? (Choose two.)
A. Updated application content might change how Security policy rules are enforced.
B. After an application content update, new applications must be manually classified prior to use.
C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
, C. Existing security policy rules are not affected by application content updates.
D. After an application content update, new applications are automatically identified and classified.
Which User-ID mapping method should be used for an environment with users that do not
authenticate to Active Directory?
A. Windows session monitoring
B. passive server monitoring using the Windows-based agent
C. Captive Portal
D. passive server monitoring using a PAN-OS integrated User-ID agent
C. Captive Portal
An administrator needs to allow users to use their own office applications. How should the
administrator configure the firewall to allow multiple applications in a dynamic environment?
A. Create an Application Filter and name it Office Programs, then filter it on the business-systems
category, office-programs subcategory
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the business-systems
category
D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
B. Create an Application Group and add business-systems to it
Which statement is true regarding a Best Practice Assessment?
A. The BPA tool can be run only on firewalls
B. It provides a percentage of adoption for each assessment area
C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest
risk where you should focus prevention activities
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture
B. It provides a percentage of adoption for each assessment area
Choose the option that correctly completes this statement. A Security Profile can block or allow traffic
____________.
A. on either the data place or the management plane.
B. after it is matched by a security policy rule that allows traffic.
C. before it is matched to a Security policy rule.
D. after it is matched by a security policy rule that allows or blocks traffic.
D. after it is matched by a security policy rule that allows or blocks traffic.
A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which
utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days
