DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Master the Palo Alto PCNSA Exam with Realistic Practice Tests

SPOTO's PCNSA exam questions and answers, along with practice questions and mock exams, are designed to cover the essential topics tested in the PCNSA certification exam. These resources simulate the exam environment, allowing candidates to familiarize themselves with the exam format and improve their exam readiness. SPOTO's study materials provide comprehensive coverage of key concepts and practical scenarios relevant to network security administration with Palo Alto Networks NGFWs. With SPOTO's exam resources and study aids, candidates can enhance their exam preparation and increase their chances of passing the PCNSA exam successfully.
Take other online exams

Question #1
Given the topology, which zone type should you configure for firewall interface E1/1?
A. ap
B. unnel
C. irtual Wire
D. ayer3
View answer
Correct Answer: A
Question #2
The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other websites also listed in the URL filtering `gambling` category.Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the `gambling` URL category?
A. dd just the URL www
B. anually remove powerball
C. dd *
D. reate a custom URL category, add *
View answer
Correct Answer: A
Question #3
Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit 42 research, and data gathered from telemetry?
A. alo Alto Networks High-Risk IP Addresses
B. alo Alto Networks Known Malicious IP Addresses
C. alo Alto Networks C&C IP Addresses
D. alo Alto Networks Bulletproof IP Addresses
View answer
Correct Answer: B
Question #4
Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.)
A. indows-based agent deployed on the internal network
B. AN-OS integrated agent deployed on the internal network
C. itrix terminal server deployed on the internal network
D. indows-based agent deployed on each of the WAN Links
View answer
Correct Answer: BC
Question #5
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)
A. evice>Setup>Services
B. evice>Setup>Management
C. evice>Setup>Operations
D. evice>Setup>Interfaces
View answer
Correct Answer: BD
Question #6
How frequently can WildFire updates be made available to firewalls?
A. very 15 minutes
B. very 30 minutes
C. very 60 minutes
D. very 5 minutes
View answer
Correct Answer: D
Question #7
An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?
A. ranch office traffic
B. orth-south traffic
C. erimeter traffic
D. ast-west traffic
View answer
Correct Answer: D
Question #8
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. wo
B. hree
C. our
D. ne
View answer
Correct Answer: D
Question #9
What does an administrator use to validate whether a session is matching an expected NAT policy?
A. ystem log
B. est command
C. hreat log
D. onfig audit
View answer
Correct Answer: B
Question #10
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL then which choice would be the last to block access to the URL?
A. DL in URL Filtering Profile
B. ustom URL category in URL Filtering Profile
C. ustom URL category in Security policy rule
D. AN-DB URL category in URL Filtering Profile
View answer
Correct Answer: D
Question #11
All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.Complete the two empty fields in the Security policy rules that permits only this type of access.Source Zone: Internal -Destination Zone: DMZ Zone -Application: _________?Service: ____________?Action: allow -(Choose two.)
A. nti-Spyware Profile
B. one Protection Profile
C. ntivirus Profile
D. RL Filtering Profile
View answer
Correct Answer: AC
Question #12
How many zones can an interface be assigned with a Palo Alto Networks firewall?
A. nable Security Log
B. erver Log Monitor Frequency (sec)
C. nable Session
D. nable Probing
View answer
Correct Answer: D
Question #13
Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized.Which User-ID agent is sufficient in your network?
A. indows-based agent deployed on each domain controller
B. AN-OS integrated agent deployed on the firewall
C. itrix terminal server agent deployed on the network
D. indows-based agent deployed on the internal network a domain member
View answer
Correct Answer: B
Question #14
The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:1. trust for internal networks2. untrust to the internetBased on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)
A. t was blocked by the Vulnerability Protection profile action
B. t was blocked by the Security policy action
C. t was blocked by the Anti-Virus Security profile action
D. t was blocked by the Anti-Spyware Profile action
View answer
Correct Answer: AD
Question #15
Selecting the option to revert firewall changes will replace what settings?
A. he candidate configuration with settings from the running configuration
B. ynamic update scheduler settings
C. he running configuration with settings from the candidate configuration
D. he device state with settings from another configuration
View answer
Correct Answer: D
Question #16
06. In path monitoring, what is used to monitor remote network devices?
A. i
B. SL
C. TTP
D. TTPS
View answer
Correct Answer: A
Question #17
Given the topology, which interface type should you configure for firewall interface E1/1?
A. ayer 2
B. irtual wire
C. ap
D. irror port
View answer
Correct Answer: C
Question #18
When an ethernet interface is configured with an IPv4 address, which type of zone is it a member of?
A. ayer 3
B. irtual Wire
C. ap
D. unnel
View answer
Correct Answer: A
Question #19
05. The data plane provides which two data processing features of the firewall?
A. ignaturematchi
B. eporti
C. etworkprocessi
D. oggi
View answer
Correct Answer: AC
Question #20
Which rule type is appropriate for matching traffic both within and between the source and destination zones?
A. nterzone
B. hadowed
C. ntrazone
D. niversal
View answer
Correct Answer: A
Question #21
An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration.Why doesn't the administrator see the traffic?
A. he interzone-default policy is disabled by default
B. raffic is being denied on the interzone-default policy
C. ogging on the interzone-default policy is disabled
D. he Log Forwarding profile is not configured on the policy
View answer
Correct Answer: C
Question #22
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command- and-control (C2) server.Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)
A. elivery
B. econnaissance
C. ommand and Control
D. xploitation
View answer
Correct Answer: BC
Question #23
In the example security policy shown, which two websites would be blocked? (Choose two.)
A. lobalProtect
B. anorama
C. risma SaaS
D. utoFocus
View answer
Correct Answer: AB
Question #24
Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?
A. Review Policies
B. Review Apps
C. Pre-analyze
D. Review App Matches
View answer
Correct Answer: A
Question #25
How do you reset the hit count on a Security policy rule?
A. Select a Security policy rule, and then select Hit Count > Reset
B. Reboot the data-plane
C. First disable and then re-enable the rule
D. Type the CLI command reset hitcount
View answer
Correct Answer: A
Question #26
07. How often are new and modified threat signatures and modified applications signatures published?
A. ayer2interface
B. ayer3interface
C. irtualroute
D. irtualsystem
View answer
Correct Answer: A
Question #27
Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?
A. RL filtering
B. ulnerability protection
C. nti-spyware
D. ntivirus
View answer
Correct Answer: C
Question #28
An administrator would like to determine the default deny action for the application dns-over-https.Which action would yield the information?
A. iew the application details in beacon
B. heck the action for the Security policy matching that traffic
C. heck the action for the decoder in the antivirus profile
D. iew the application details in Objects > Applications
View answer
Correct Answer: B
Question #29
Based on the screenshot, what is the purpose of the Included Groups?
A. hey are groups that are imported from RADIUS authentication servers
B. hey are the only groups visible based on the firewall's credentials
C. hey contain only the users you allow to manage the firewall
D. hey are used to map users to groups
View answer
Correct Answer: D
Question #30
Which Security Profile mitigates attacks based on packet count?
A. zone protection profile
B. URL filtering profile
C. antivirus profile
D. vulnerability profile
View answer
Correct Answer: A
Question #31
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?
A. anagement
B. etwork processing
C. ata
D. ecurity processing
View answer
Correct Answer: A
Question #32
An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule.What is the best way to do this?
A. reate a static NAT rule translating to the destination interface
B. reate a static NAT rule with an application override
C. reate a Security policy rule to allow the traffic
D. reate a new NAT rule with the correct parameters and leave the translation type as None
View answer
Correct Answer: D
Question #33
Which option shows the attributes that are selectable when setting up application filters?
A. lock List
B. ustom URL Categories
C. AN-DB URL Categories
D. llow List
View answer
Correct Answer: B
Question #34
How is an address object of type IP range correctly defined?
A. 92
B. 92
C. 92
D. 92
View answer
Correct Answer: A
Question #35
DRAG DROP (Drag and Drop is not supported)Match each feature to the DoS Protection Policy or the DoS Protection Profile.Select and Place:
A. ee Explanation section for answer
View answer
Correct Answer: A
Question #36
During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?
A. heck now
B. eview policies
C. est policy match
D. ownload
View answer
Correct Answer: B
Question #37
An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?
A. ntivirus profile applied to outbound security policies
B. ata filtering profile applied to inbound security policies
C. ata filtering profile applied to outbound security policies
D. ulnerability profile applied to inbound security policies
View answer
Correct Answer: A
Question #38
What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?
A. very 30 minutes
B. very 5 minutes
C. very 24 hours
D. very 1 minute
View answer
Correct Answer: D
Question #39
For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?
A. ACACS+
B. ADIUS
C. DAP
D. AML
View answer
Correct Answer: C
Question #40
What is the main function of the Test Policy Match function?
A. nsure that policy rules are not shadowing other policy rules
B. onfirm that rules meet or exceed the Best Practice Assessment recommendations
C. onfirm that policy rules in the configuration are allowing donning the correct traffic
D. erify that policy rules from Expedition are valid
View answer
Correct Answer: D
Question #41
Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?
A. t defines the SSL/TLS encryption strength used to protect the management interface
B. t defines the CA certificate used to verify the client's browser
C. t defines the certificate to send to the client's browser from the management interface
D. t defines the firewall's global SSL/TLS timeout values
View answer
Correct Answer: C
Question #42
Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP Addresses list?
A. ource address
B. estination address
C. ource zone
D. estination zone
View answer
Correct Answer: A
Question #43
What is the main function of Policy Optimizer?
A. llows ג€anyג€ users to access servers in the DMZ zone
B. llows users to access IT applications on all ports
C. llow users in group ג€itג€ to access IT applications
D. llow users in group ג€DMZג€ to access IT applications
View answer
Correct Answer: D
Question #44
DRAG DROP (Drag and Drop is not supported)Match the Cyber-Attack Lifecycle stage to its correct description.Select and Place:
A. ee Explanation section for answer
View answer
Correct Answer: A
Question #45
Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures?
A. eview App Matches
B. eview Apps
C. re-analyze
D. eview Policies
View answer
Correct Answer: D
Question #46
An administrator would like to create a URL Filtering log entry when users browse to any gambling website.What combination of Security policy and Security profile actions is correct?
A. ecurity policy = deny, Gambling category in URL profile = block
B. ecurity policy = drop, Gambling category in URL profile = allow
C. ecurity policy = allow, Gambling category in URL profile = alert
D. ecurity policy = allow, Gambling category in URL profile = allow
View answer
Correct Answer: C
Question #47
Which action would an administrator take to ensure that a service object will be available only to the selected device group?
A. nsure that disable override is selected
B. ncheck the shared option
C. nsure that disable override is cleared
D. reate the service object in the specific template
View answer
Correct Answer: B
Question #48
Which administrative management services can be configured to access a management interface?
A. TTPS, HTTP, CLI, API
B. TTPS, SSH, telnet, SNMP
C. SH, telnet, HTTP, HTTPS
D. TTP, CLI, SNMP, HTTPS
View answer
Correct Answer: C
Question #49
What must be considered with regards to content updates deployed from Panorama?
A. ontent update schedulers need to be configured separately per device group
B. anorama can only install up to five content versions of the same type for potential rollback scenarios
C. PAN-OS upgrade resets all scheduler configurations for content updates
D. anorama can only download one content update at a time for content updates of the same type
View answer
Correct Answer: D
Question #50
DRAG DROP (Drag and Drop is not supported)Match the network device with the correct User-ID technology.Select and Place:
A. ee Explanation section for answer
View answer
Correct Answer: A
Question #51
Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?
A. reate an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
B. reate an Application Group and add business-systems to it
C. reate an Application Filter and name it Office Programs, then filter it on the business-systems category
D. reate an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
View answer
Correct Answer: C
Question #52
Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP addresses?
A. DoS protection
B. URL filtering
C. packet buffering
D. anti-spyware
View answer
Correct Answer: A
Question #53
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?
A. ntrazone-default
B. eny Google
C. llowed-security services
D. nterzone-default
View answer
Correct Answer: D
Question #54
What action will inform end users when their access to Internet content is being restricted?
A. efore deploying content updates, always check content release version compatibility
B. ontent updates for firewall A/P HA pairs can only be pushed to the active firewall
C. ontent updates for firewall A/A HA pairs need a defined master device
D. fter deploying content updates, perform a commit and push to Panorama
View answer
Correct Answer: D
Question #55
Which statement is true regarding a Prevention Posture Assessment?
A. he Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories
B. t provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
C. t provides a percentage of adoption for each assessment area
D. t performs over 200 security checks on Panorama/firewall for the assessment
View answer
Correct Answer: B
Question #56
During the packet flow process, which two processes are performed in application identification? (Choose two.)
A. ntrust (any) to DMZ (10
B. ntrust (any) to Untrust (1
C. ntrust (any) to Untrust (10
D. ntrust (any) to DMZ (1
View answer
Correct Answer: AB
Question #57
Which definition describes the guiding principle of the zero-trust architecture?
A. rust, but verify
B. lways connect and verify
C. ever trust, never connect
D. ever trust, always verify
View answer
Correct Answer: D
Question #58
At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?
A. -3-4-1
B. -4-3-2
C. -1-2-4
D. -3-2-4
View answer
Correct Answer: D
Question #59
Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?
A. lock
B. inkhole
C. llow
D. lert
View answer
Correct Answer: B
Question #60
Based on the screenshot, what is the purpose of the group in User labelled `it`?
A. rop
B. eny
C. o notification
D. eset Client
View answer
Correct Answer: C
Question #61
01. What are two predefined Anti­Spyware profiles?
A. efaul
B. tandard
C. ecure
D. tric
View answer
Correct Answer: AD
Question #62
An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains.Which type of single, unified engine will get this result?
A. ontent ID
B. pp-ID
C. ecurity Processing Engine
D. ser-ID
View answer
Correct Answer: C
Question #63
Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane?
A. erberos user
B. AML user
C. ocal database user
D. ocal user
View answer
Correct Answer: D
Question #64
The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop.Which security profile feature could have been used to prevent the communication with the CnC server?
A. ctive Directory monitoring
B. indows session monitoring
C. indows client probing
D. omain controller monitoring
View answer
Correct Answer: A
Question #65
Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.What is the quickest way to reset the hit counter to zero in all the security policy rules?
A. t the CLI enter the command reset rules and press Enter
B. ighlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule
C. eboot the firewall
D. se the Reset Rule Hit Counter > All Rules option
View answer
Correct Answer: D
Question #66
Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IPAddresses list?
A. estination address
B. ource address
C. estination zone
D. ource zone
View answer
Correct Answer: D
Question #67
An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.What is the correct process to enable this logging?
A. dd static routes to route between the two interfaces
B. dd interfaces to the virtual router
C. dd zones attached to interfaces to the virtual router
D. nable the redistribution profile to redistribute connected routes
View answer
Correct Answer: B
Question #68
Identify the correct order to configure the PAN-OS integrated USER-ID agent.3. add the service account to monitor the server(s)2. define the address of the servers to be monitored on the firewall4. commit the configuration, and verify agent connection status1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent
A. estination IP: 192
B. pplication = "Telnet"
C. og Forwarding
D. SER-ID = "Allow users in Trusted"
View answer
Correct Answer: D
Question #69
Which statement best describes a common use of Policy Optimizer?
A. olicy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App ID Security policy for every Layer 4 policy that exist
B. olicy Optimizer can display which Security policies have not been used in the last 90 days
C. olicy Optimizer on aVM-50 firewall can display which Layer 7 App-ID Security policies have unused applications
D. olicy Optimizer can add or change a Log Forwarding profile for each Security policy selected
View answer
Correct Answer: D
Question #70
An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop.If the application's default deny action is reset-both, what action does the firewall take?
A. t silently drops the traffic
B. t silently drops the traffic and sends an ICMP unreachable code
C. t sends a TCP reset to the server-side device
D. t sends a TCP reset to the client-side and server-side devices
View answer
Correct Answer: D
Question #71
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?
A. intrazone
B. interzone
C. universal
D. global
View answer
Correct Answer: B
Question #72
Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?
A. ategory, Subcategory, Technology, and Characteristic
B. ategory, Subcategory, Technology, Risk, and Characteristic
C. ame, Category, Technology, Risk, and Characteristic
D. ategory, Subcategory, Risk, Standard Ports, and Technology
View answer
Correct Answer: A
Question #73
DRAG DROP (Drag and Drop is not supported)Order the steps needed to create a new security zone with a Palo Alto Networks firewall.Select and Place:
A. ee Explanation section for answer
View answer
Correct Answer: A
Question #74
Which option is part of the content inspection process?
A. acket forwarding process
B. Psec tunnel encryption
C. SL Proxy re-encrypt
D. acket egress process
View answer
Correct Answer: C

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: