Pcnsa5

Which two protocols are available on a Palo Alto Networks Firewall Interface Management Profile? (Choose two.). HTTPS. RDP. SCP. SSH.

A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT. Finance, and HR. Which two types of traffic will the rule apply to? (Choose two). traffic between zone IT and zone Finance. traffic between zone Finance and zone HR. traffic within zone IT. traffic within zone HR.

You receive notification about new malware that infects hosts through malicious files transferred by FTP. Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?. Data Filtering profile applied to outbound Security policy rules. Vulnerability Protection profile applied to outbound Security policy rules. URL Filtering profile applied to inbound Security policy rules. Antivirus profile applied to inbound Security policy rules.

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic. Which security policy action causes this?. Drop. Drop, send ICMP Unreachable. Reset both. Reset client.

What does an application filter help you to do?. It dynamically shapes defined application traffic based on active sessions and bandwidth usage. It dynamically filters applications based on critical, high, medium, low, or informational severity. It dynamically groups applications based on application attributes such as category and subcategory. It dynamically provides application statistics based on network, threat, and blocked activity.

Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided password?. continue. override. hold. exclude.

Which type of address object is www.paloaltonetworks.com?. named address. IP range. FQDN. IP netmask.

What are the requirements for using Palo Alto Networks EDL Hosting Service?. an additional paid subscription. any supported Palo Alto Networks firewall or Prisma Access firewall. a firewall device running with a minimum version of PAN-OS 10.1. an additional subscription free of charge.

What are two valid selections within an Antivirus profile? (Choose two.). deny. drop. block-ip. default.

Your company is highly concerned with their intellectual property being accessed by unauthorized resources. There is a mature process to store and include metadata tags for all confidential documents. Which Security profile can further ensure that these documents do not exit the corporate network?. File Blocking. Data Filtering. Anti-Spyware. URL Filtering.

An administrator is reviewing the Security policy rules shown in the screenshot below. Which statement is correct about the information displayed?. Highlight Unused Rules is checked. There are seven Security policy rules on this firewall. The view Rulebase as Groups is checked. Eleven rules use the “Infrastructure” tag.

Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location. What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?. export named configuration snapshot. save named configuration snapshot. export device state. save candidate config.

DRAG DROP - Match each rule type with its example. Create a policy with sources zones A and B.The rule will apply to all traffic within zone A and all traffic within zone B , but not to traffic between zones A and B. Create a policy with sources zones A and B amd destination zones A and B.The rule should apply to all traffic within zona A , all traffic within zone B , all traffic from zone A to zone B , and all traffic from zone B to Zone A. Create a policy with sources zones A and B amd destination zones A and B.The rule would to traffic from zone A to zone B , and from zone B to zone A, but not traffic within zones A or B.

What are the two default behaviors for the intrazone-default policy? (Choose two.). Allow. Log at Session End. Deny. Logging disabled.

Which statement is true regarding NAT rules?. Translation of the IP address and port occurs before security processing. Firewall supports NAT on Layer 3 interfaces only. Static NAT rules have precedence over other forms of NAT. NAT rules are processed in order from top to bottom.

An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets. What are two security policy actions the administrator can select? (Choose two.). Reset server. Deny. Drop. Reset both.

An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address. What is the most appropriate NAT policy to achieve this?. Static IP. Destination. Dynamic ip and Port. Dynamic Ip.

What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.). Configure a URL Filtering profile. Train your staff to be security aware. Plan for mobile-employee risk. Rely on a DNS resolver. Implement a threat intel program.

An administrator would like to see the traffic that matches the intrazone-default rule in the traffic logs. What is the correct process to enable this logging?. Select the intrazone-default rule and click Override; on the Actions tab, select Log at Session End and click OK. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK. This rule has traffic logging enabled by default; no further action is required.

What is a function of application tags?. automated referenced applications in a policy. application prioritization. IP address allocations in DHCP. creation of new zones.

An administrator wants to filter access to www.paloaltonetworks.com via a custom URL category. Which syntax would match this?. https://paloaltonetworks.com. #.paloaltonetworks.com. http://paloaltonetworks.com. *.paloaltonetworks.com.

What are two valid selections within an Anti-Spyware profile? (Choose two.). Random early drop. Drop. Deny. Default.

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?. Configure an authentication profile. Configure an authentication sequence. Isolate the management interface on a dedicated management VLAN. Configure an authentication policy.

Which Security policy set should be used to ensure that a policy is applied first?. Local firewall policy. Shared pre-rulebase. Parent device-group pre-rulebase. Child device-group pre-rulebase.

An administrator is trying to implement an exception to an external dynamic list manually. Some entries are shown underlined in red. What would cause this error?. Entries contain symbols. Entries are wildcards. Entries contain regular expressions. Entries are duplicated.

What can be achieved by disabling the Share Unused Address and Service Objects with Devices setting on Panorama?. Increase the per-firewall capacity for address and service objects. Reduce the configuration and session synchronization time between HA pairs. Increase the backup capacity for configuration backups per firewall. Reduce the number of objects pushed to a firewall.

Which Security profile can be used to detect and block compromised hosts from trying to communicate with external command-and-control (C2) servers?. URL Filtering. Antivirus. Vulnerability. Anti-Spyware.

An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list. What is the maximum number of entries that they can be excluded?. 50. 100. 200. 1000.

A website is unexpectedly allowed due to miscategorization. What are two ways to resolve this issue for a proper response? (Choose two.). Create a URL category and assign the affected URL. Update the active URL Filtering profile site access setting for the custom URL category to block. Review the categorization of the website on https://urlfiltering paloaltonetworks.com. Submit for "request change", identifying the appropriate categorization, and wait for confirmation before testing again. Identify the URL category being assigned to the website. Edit the active URL Filtering profile and update that category's site access settings to block. Create a URL category and assign the affected URL. Add a Security policy with a URL category qualifier of the custom URL category below the original policy. Set the policy action to Deny.

If the firewall interface E1/1 is connected to a SPAN or mirror port, which interface type should E1/1 be configured as?. Tap. Virtual Wire. Layer2. Layer3.

An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240 addresses and found that connections from addresses that needed new translations were being dropped. Which type of NAT was configured?. Dynamic IP. Static ip. Dynamic ip and port. Destination nat.

Question #272Topic 1 The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges. In particular, the new EMEA Regional Panorama Administrator should be able to: Access only EMEA-Regional device groups with read-only privileges Access only EMEA-Regional templates with read-only privileges What is the correct configuration for the new EMEA Regional Panorama Administrator profile?. Administrator Type = Device Group and Template Admin Admin Role = EMEA_Regional_Admin_read_only Access Domain = EMEA-Regional. Administrator Type = Dynamic - Admin Role = Superuser (read-only). Administrator Type = Dynamic - Admin Role = Panorama Administrator. Administrator Type = Custom Panorama Admin Profile = EMEA Regional Admin_read_only.

An administrator would like to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 devices groups and five templates. Which configuration action should the administrator take when creating the address object?. Ensure that Disable Override is cleared. Ensure that the Shared option is cleared. Ensure that the Shared option is checked. Tag the address object with the Global tag.

Which type of policy allows an administrator to both enforce rules and take action?. Authentication. Security. Nat. Decryption.

With the DNS Security subscription, when will the cloud-based signature database provide users access to newly added DNS signatures?. Within five minutes, after downloading updates. Instantly, after downloading updates. Within five minutes, without downloading updates. Instantly, without downloading updates.

Why should a company have a File Blocking profile that is attached to a Security policy?. To block uploading and downloading of any type of files. To block uploading and downloading of specific types of files. To detonate files in a sandbox environment. To analyze file types.

What can be used as match criteria for creating a dynamic address group?. MAC addresses. Ip address. Usernames. Tags.

An administrator is reviewing packet captures to troubleshoot a problem with an application, and they observe TCP resets to the client and the server. Which security policy action causes this?. Drop. Reset server. Reset client. Reset both.

An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution. Which Security profile should be used?. Vulnerability protection. Anti-spyware. URL filtering. Antivirus.

An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are available for any known user in the organization. What object is best suited for this configuration?. Application Group. Tag. External Dynamic list. Application filter.

Which two configurations does an administrator need to compare in order to see differences between the active configuration and potential changes if committed? (Choose two.). Device state. Active. Candidate. Running.

An administrator configured a Security policy rule where the matching condition includes a single application and the action is set to deny. What deny action will the firewall perform?. Discard the session’s packets and send a TCP reset packet to let the client know the session has been terminated. Drop the traffic silently. Perform the default deny action as defined in the App-ID database for the application. Send a TCP reset packet to the client- and server-side devices.

If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?. Source Zone: Trusted - Destination Zone: DMZ - Services: SSH - Applications: Any - Action: Allow. Source Zone: Trusted - Destination Zone: DMZ - Services: Application-Default - Applications: SSH - Action: Allow. Source Zone: Trusted - Destination Zone: DMZ - Services: Application-Default - Applications: SSH - Action: Deny. Source Zone: Trusted - Destination Zone: DMZ - Services: SSH - Applications: Any - Action: Deny.

An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile. If a virus gets detected, how will the firewall handle the traffic?. It allows the traffic but generates an entry in the Threat logs. It drops the traffic because the profile was not set to explicitly allow the traffic. It allows the traffic because the profile was not set the explicitly deny the traffic. It uses the default action assigned to the virus signature.

An administrator needs to allow users to use only certain email applications. How should the administrator configure the firewall to restrict users to specific email applications?. Create an application filter and filter it on the collaboration category. Create an application filter and filter it on the collaboration category, email subcategory. Create an application group and add the email applications to it. Create an application group and add the email category to it.

DNS exceptions can be set under which Security profile?. Data Filtering. URL Filtering. Anti-Spyware. Antivirus.

An administrator is troubleshooting an issue with an accounts payable application. Which log setting could be temporarily configured to improve visibility?. Log at Session Start and Log at Session End both enabled. Log at Session Start and Log at Session End both disabled. Log at Session Start enabled, Log at Session End disabled. Log at Session Start disabled, Log at Session End enabled.

By default, which action is assigned to the interzone-default rule?. Allow. Deny. Reset-client. Reset-server.

What is the maximum volume of concurrent administrative account sessions?. 2. unlimited. 10. 1.

An administrator is updating Security policy to align with best practices. Which Policy Optimizer feature is shown in the screenshot below?. Rules without App Controls. New App Viewer. Rule Usage – Unused. Unused Apps.

Where within the firewall GUI can all existing tags be viewed?. Policies > Tags. Network > Tags. Objects > Tags. Monitor > Tags.

What is the Anti-Spyware Security profile default action?. Sinkhole. Reset-client. Drop. Reset-both.

To enable DNS sinkholing, which two addresses should be reserved? (Choose two.). MAC. IPv6. Email. IPv4.

A NetSec manager was asked to create a new firewall administrator profile with customized privileges. The new firewall administrator must be able to download TSF File and Starts Dump File but must not be able to reboot the device. Where does the NetSec manager go to configure the new firewall administrator role profile?. Device > Admin Roles > Add > XML API > Configuration. Device > Admin Roles > Add > XML API > Operational Request. Device > Admin Roles > Add > Web UI > Support. Device > Admin Roles > Add > Web UI > Operations.

What must exist in order for the firewall to route traffic between Layer 3 interfaces?. Virtual router. Virtual wires. Traffic Distribution profile. VLANS.

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?. Panorama > Device Deployment > Dynamic Updates > Schedules > Add. Panorama > Device Deployment > Content Updates > Schedules > Add. Panorama > Dynamic Updates > Device Deployment > Schedules > Add. Panorama > Content Updates > Device Deployment > Schedules > Add.

In which threat profile object would you configure the DNS Security service?. Antivirus. Anti-spyware. Wildfire. Url Filtering.

Which rule type is appropriate for matching traffic occurring within a specified zone?. Universal. Shadowed. Intrazone. Interzone.

Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.). Pre-NAT address. Post-NAT address. Pre-NAT zone. Post-NAT zone.

If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?. Some traffic between A & B. Some traffic within A. All traffic within zones A & B. Some traffic within B.