PCNSA exam
Study online at https://quizlet.com/_hu5334
1. Which firewall plane provides configuration, logging, and reporting functions
on a separate processor?: Control plane
2. A security administrator has configured App-ID updates to be automatical-
ly downloaded and installed. The company is currently using an application
identified byApp-ID as SuperApp_base.On a content update notice, Palo Alto
Networks is adding new app signatures labeled SuperApp_chat and Super-
App_download, which will be deployed in 30 days.Based on the information,
how is the SuperApp traffic affected after the 30 days have passed?: No impact
because the firewall automatically adds the rules to the App-ID interface
3. How many zones can an interface be assigned with a Palo Alto Networks
firewall?: One
4. Which two configuration settings shown are not the default?: Server Log Monitor
Frequency (sec)
Enable Session
5. Which data-plane processor layer provides uniform matching for spyware
and vulnerability exploits on a Palo Alto Networks Firewall?: Signature Matching
6. Which option shows the attributes that are selectable when setting up appli-
cation filters?: Category, Subcategory, Technology, Risk, and Characteristic
7. Actions can be set for which two items in a URL filtering security profile?: Custom
URL Categories
PAN-DB URL Categories
8. Which two statements are correct about App-ID content updates?: Existing security
policy rules are not affected by application content updates
After an application content update, new applications are automatically identified and classified
9. Which User-ID mapping method should be used for an environment with
clients that do not authenticate to Windows Active Directory?: Captive Portal
10. An administrator needs to allow users to use their own office applications.
How should the administrator configure the firewall to allow multiple applica-
tions in a dynamic environment?: Create an Application Group and add business-systems to it
11. Which statement is true regarding a Best Practice Assessment?: It provides a
percentage of adoption for each assessment data
, PCNSA exam
Study online at https://quizlet.com/_hu5334
12. Complete the statement. A security profile can block or allow traffic.: after it is
evaluated by a security policy that allows traffic
13. When creating a Source NAT policy, which entry in the Translated Packet tab
will display the options Dynamic IP and Port, Dynamic, Static IP, and None?: -
Translation Type
14. Which interface does not require a MAC or IP address?: Virtual Wire
15. A company moved its old port-based firewall to a new Palo Alto Networks
NGFW 60 days ago. Which utility should the company use to identify out-of-date
or unused rules on the firewall?: Rule Usage Filter > Hit Count > Unused in 90 days
16. What are two differences between an implicit dependency and an explicit
dependency in App-ID?: An implicit dependency does not require the dependent application to be added
in the security policy
An explicit dependency requires the dependent application to be added in the security policy
17. Recently changes were made to the firewall to optimize the policies and the
security team wants to see if those changes are helping.What is the quickest
way to reset the hit counter to zero in all the security policy rules?: Use the Reset Rule
Hit Counter > All Rules option
18. Which two App-ID applications will need to be allowed to use Face-
book-chat?: Facebook-base
Facebook-chat
19. Which User-ID agent would be appropriate in a network with multiple WAN
links, limited network bandwidth, and limited firewall management plane re-
sources?: Windows-based agent deployed on the internal network
20. Your company requires positive username attribution of every IP address
used by wireless devices to support a new compliance requirement. You must
collect IP-to-user mappings as soon as possible with minimal downtime and
minimal configuration changes to the wireless devices themselves. The wire-
less devices are from various manufactures.Given the scenario, choose the
option for sending IP-to-user mappings to the NGFW.: syslog
21. An administrator receives a global notification for a new malware that infects
hosts. The infection will result in the infected host attempting to contact a
command- and-control (C2) server. Which two security profile components will
Study online at https://quizlet.com/_hu5334
1. Which firewall plane provides configuration, logging, and reporting functions
on a separate processor?: Control plane
2. A security administrator has configured App-ID updates to be automatical-
ly downloaded and installed. The company is currently using an application
identified byApp-ID as SuperApp_base.On a content update notice, Palo Alto
Networks is adding new app signatures labeled SuperApp_chat and Super-
App_download, which will be deployed in 30 days.Based on the information,
how is the SuperApp traffic affected after the 30 days have passed?: No impact
because the firewall automatically adds the rules to the App-ID interface
3. How many zones can an interface be assigned with a Palo Alto Networks
firewall?: One
4. Which two configuration settings shown are not the default?: Server Log Monitor
Frequency (sec)
Enable Session
5. Which data-plane processor layer provides uniform matching for spyware
and vulnerability exploits on a Palo Alto Networks Firewall?: Signature Matching
6. Which option shows the attributes that are selectable when setting up appli-
cation filters?: Category, Subcategory, Technology, Risk, and Characteristic
7. Actions can be set for which two items in a URL filtering security profile?: Custom
URL Categories
PAN-DB URL Categories
8. Which two statements are correct about App-ID content updates?: Existing security
policy rules are not affected by application content updates
After an application content update, new applications are automatically identified and classified
9. Which User-ID mapping method should be used for an environment with
clients that do not authenticate to Windows Active Directory?: Captive Portal
10. An administrator needs to allow users to use their own office applications.
How should the administrator configure the firewall to allow multiple applica-
tions in a dynamic environment?: Create an Application Group and add business-systems to it
11. Which statement is true regarding a Best Practice Assessment?: It provides a
percentage of adoption for each assessment data
, PCNSA exam
Study online at https://quizlet.com/_hu5334
12. Complete the statement. A security profile can block or allow traffic.: after it is
evaluated by a security policy that allows traffic
13. When creating a Source NAT policy, which entry in the Translated Packet tab
will display the options Dynamic IP and Port, Dynamic, Static IP, and None?: -
Translation Type
14. Which interface does not require a MAC or IP address?: Virtual Wire
15. A company moved its old port-based firewall to a new Palo Alto Networks
NGFW 60 days ago. Which utility should the company use to identify out-of-date
or unused rules on the firewall?: Rule Usage Filter > Hit Count > Unused in 90 days
16. What are two differences between an implicit dependency and an explicit
dependency in App-ID?: An implicit dependency does not require the dependent application to be added
in the security policy
An explicit dependency requires the dependent application to be added in the security policy
17. Recently changes were made to the firewall to optimize the policies and the
security team wants to see if those changes are helping.What is the quickest
way to reset the hit counter to zero in all the security policy rules?: Use the Reset Rule
Hit Counter > All Rules option
18. Which two App-ID applications will need to be allowed to use Face-
book-chat?: Facebook-base
Facebook-chat
19. Which User-ID agent would be appropriate in a network with multiple WAN
links, limited network bandwidth, and limited firewall management plane re-
sources?: Windows-based agent deployed on the internal network
20. Your company requires positive username attribution of every IP address
used by wireless devices to support a new compliance requirement. You must
collect IP-to-user mappings as soon as possible with minimal downtime and
minimal configuration changes to the wireless devices themselves. The wire-
less devices are from various manufactures.Given the scenario, choose the
option for sending IP-to-user mappings to the NGFW.: syslog
21. An administrator receives a global notification for a new malware that infects
hosts. The infection will result in the infected host attempting to contact a
command- and-control (C2) server. Which two security profile components will
