Which type of Security policy rule is the default rule type?
Universal
Which action in a Security policy rule results in traffic being silently rejected?
Drop
NAT oversubscription is used in conjunction with which NAT translation type?
dynamic IP and port
True or false? Logging on intrazone-default and interzone-default Security policy rules is enabled by default.
False
True or false? The implementation of network segmentation and security zones can reduce your network's attack surface.
True
Which protection method can be used to mitigate single-session DoS attacks?
packet buffer protection
True or false? DoS Protection policy is applied to session traffic before a Zone Protection Profile.
False (!)
Which type of protection is provided by both a Zone Protection Profile and a DoS Protection Profile?
Flood
Which firewall configuration component is used to block access to known-bad IP addresses?
Security policy
In which three locations can you configure the firewall to use an external dynamic list (EDL)?
Anti-spyware profile
URL filtering profile
Security policy
In which firewall configuration component can you use an EDL of type Domain List?
Anti-spyware profile (!)
True or false? A best practice is to enable the "sinkhole" action in an Anti-Spyware Profile.
True
Which three methods does App-ID use to identify network traffic?
Signatures
protocol decoders
Heuristics
How would App-ID label TCP traffic when the three-way handshake completes, but not enough data is sent to identify an application?
Insufficient-data
True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.
True
When an Applications and Threats content update is performed, which is the earliest point where you can review the impact of new application signatures on existing policies?
After download
Which item is the name of an object that dynamically identifies and associates applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic?
application filter
True or false? In Palo Alto Networks terms, an application is a specific program or feature that can be detected, monitored, and blocked if necessary.
true
Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which application?
SSL
When are brand-new application signatures released by Palo Alto Networks?
Once per month
What triggers Security policy rule match in the Policy Optimizer's No App Specified window?
"any" in the Application column
By default, which two application names might App-ID assign to a custom, web-based application running in your environment?
web-browsing
SSL
Re-order the steps so that they could be used to create and use a custom application with a custom signature.