Paloalto Networks PCNSA Exam Questions Free Practice Test

Viewing page 2 out of 11 pages

Viewing questions 11-20 out of questions

Questions # 11:

Which data flow direction is protected in a zero trust firewall deployment that is not protected in a perimeter-only firewall deployment?

Options:

outbound

north south

inbound

east west

Expert Solution

Questions # 12:

What are three valid source or D=destination conditions available as Security policy qualifiers? (Choose three.)

Options:

Service

User

Application

Address

Zone ab

Expert Solution

Answer

B, C, E

Explanation

Three valid source or destination conditions available as Security policy qualifiers are User, Application, and Zone. These qualifiers allow you to define the match criteria for a Security policy rule based on the identity of the user, the application used, and the zone where the traffic originates or terminates. You can use these qualifiers to enforce granular security policies that control access to network resources and prevent threats1. Some of the characteristics of these qualifiers are:

User: The User qualifier allows you to specify the source or destination user or user group for a Security policy rule. The firewall can identify users based on various methods, such as User-ID, Captive Portal, or GlobalProtect. You can use the User qualifier to apply different security policies for different users or user groups, such as allowing access to certain applications or resources based on user roles or privileges2.

Application: The Application qualifier allows you to specify the application or application group for a Security policy rule. The firewall can identify applications based on App-ID, which is a technology that classifies applications based on multiple attributes, such as signatures, protocol decoders, heuristics, and SSL decryption. You can use the Application qualifier to allow or deny access to specific applications or application groups, such as enabling web browsing but blocking social networking or file sharing3.

Zone: The Zone qualifier allows you to specify the source or destination zone for a Security policy rule. A zone is a logical grouping of one or more interfaces that have similar functions or security requirements. The firewall can apply security policies based on the zones where the traffic originates or terminates, such as intrazone, interzone, or universal. You can use the Zone qualifier to segment your network and isolate traffic based on different trust levels or network functions4.

References: Security Policy, Zones, User-ID, App-ID, Certifications - Palo Alto Networks, [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Questions # 13:

An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets. What are two security policy actions the administrator can select? (Choose two.)

Options:

Reset server

Reset both

Drop

Deny

Expert Solution

Questions # 14:

Which two security profile types can be attached to a security policy? (Choose two.)

Options:

antivirus

DDoS protection

threat

vulnerability

Expert Solution

Questions # 15:

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.

What is the correct process to enable this logging1?

Options:

Select the interzone-default rule and edit the rule on the Actions tab select Log at Session Start and click OK

Select the interzone-default rule and edit the rule on the Actions tab select Log at Session End and click OK

This rule has traffic logging enabled by default no further action is required

Select the interzone-default rule and click Override on the Actions tab select Log at Session End and click OK

Expert Solution

Questions # 16:

Your company occupies one floor in a single building you have two active directory domain controllers on a single networks the firewall s management plane is only slightly utilized.

Which user-ID agent sufficient in your network?

Options:

PAN-OS integrated agent deployed on the firewall

Windows-based agent deployed on the internal network a domain member

Citrix terminal server agent deployed on the network

Windows-based agent deployed on each domain controller

Expert Solution

Questions # 17:

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

Options:

intrazone

interzone

universal

global

Expert Solution

Questions # 18:

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?

Options:

Rule Usage Filter > No App Specified

Rule Usage Filter >Hit Count > Unused in 30 days

Rule Usage Filter > Unused Apps

Rule Usage Filter > Hit Count > Unused in 90 days

Expert Solution

Questions # 19:

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

Options:

on the App Dependency tab in the Commit Status window

on the Policy Optimizer's Rule Usage page

C on the Application tab in the Security Policy Rule creation window

on the Objects > Applications browser pages

Expert Solution

Questions # 20:

Review the Screenshot:

Question # 20

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the

SERVER zone to the DMZ on SSH only.

Which rule group enables the required traffic?

Question # 20