DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Updated Palo Alto PCNSA Exam Questions– Your Path to Success

The SPOTO Palo Alto PCNSA Exam Questions provide a comprehensive set of exam questions and answers, practice questions, and exam questions tailored for effective exam preparation for the Palo Alto Networks Certified Network Security Administrator certification. Palo Alto Networks Certified Network Security Administrator certification helps the network security administrator develop the knowledge required for deploying and operating the Palo Alto Networks Next-Generation Firewalls (NGFWs). It assists the applicant in acquiring the necessary skills to operate in the field of cybersecurity. SPOTO's mock exams simulate the real exam environment, enabling candidates to assess their preparedness and identify areas for improvement. With SPOTO's exam resources, candidates can confidently tackle the PCNSA exam and achieve their certification goals, validating their expertise in administering Palo Alto Networks' network security solutions.
Take other online exams

Question #1
Which two configuration settings shown are not the default? (Choose two.)
A. ignature Matching
B. etwork Processing
C. ecurity Processing
D. ata Interfaces
View answer
Correct Answer: BC
Question #2
Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?
A. uthorization
B. ontinue
C. uthentication
D. verride
View answer
Correct Answer: D
Question #3
DRAG DROP (Drag and Drop is not supported)Match the Palo Alto Networks Security Operating Platform architecture to its description.Select and Place:
A. ee Explanation section for answer
View answer
Correct Answer: A
Question #4
Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)
A. perture
B. utoFocus
C. anorama
D. lobalProtect
View answer
Correct Answer: ACDEF
Question #5
Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?
A. ategory, Subcategory, Technology, and Characteristic
B. ategory, Subcategory, Technology, Risk, and Characteristic
C. ame, Category, Technology, Risk, and Characteristic
D. ategory, Subcategory, Risk, Standard Ports, and Technology
View answer
Correct Answer: A
Question #6
An internal host needs to connect through the firewall using source NAT to servers of the internet.Which policy is required to enable source NAT on the firewall?
A. NAT policy with internal zone and internet zone specified
B. post-NAT policy with external source and any destination address
C. NAT policy with no internal or internet zone selected
D. pre-NAT policy with external source and any destination address
View answer
Correct Answer: A
Question #7
What do you configure if you want to set up a group of objects based on their ports alone?
A. ddress groups
B. ustom objects
C. pplication groups
D. ervice groups
View answer
Correct Answer: D
Question #8
Based on the Security policy rules shown, SSH will be allowed on which port?
A. he default port
B. nly ephemeral ports
C. ny port
D. ame port as ssl and snmpv3
View answer
Correct Answer: A
Question #9
Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?
A. risma SaaS
B. lobalProtect
C. utoFocus
D. anorama
View answer
Correct Answer: B
Question #10
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
A. anagement
B. igh Availability
C. ggregate
D. ggregation
View answer
Correct Answer: C
Question #11
When is the content inspection performed in the packet flow process?
A. fter the application has been identified
B. fter the SSL Proxy re-encrypts the packet
C. efore the packet forwarding process
D. efore session lookup
View answer
Correct Answer: A
Question #12
A coworker found a USB labeled "confidential in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware The malware caused the laptop to begin infiltrating corporate data.Which Security Profile feature could have been used to detect the malware on the laptop?
A. NS Sinkhole
B. ildFire Analysis
C. ntivirus
D. oS Protection
View answer
Correct Answer: A
Question #13
What is an advantage for using application tags?
A. fter clicking Check Now in the Dynamic Update window
B. fter committing the firewall configuration
C. fter installing the update
D. fter downloading the update
View answer
Correct Answer: B
Question #14
What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)
A. IP profile
B. RL category
C. pplication group
D. pplication filter
View answer
Correct Answer: CDE
Question #15
Given the topology, which zone type should zone A and zone B to be configured with?
A. ayer3
B. ap
C. ayer2
D. irtual Wire
View answer
Correct Answer: A
Question #16
If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID?
A. onfigure a Primary Employee ID number for user-based Security policies
B. reate a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389
C. reate an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL
D. onfigure a frequency schedule to clear group mapping cache
View answer
Correct Answer: C
Question #17
Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?
A. nterzone-default
B. nternal-inside-dmz
C. nside-portal
D. gress-outside
View answer
Correct Answer: D
Question #18
Which three configuration settings are required on a Palo Alto Network firewall management interface? (Choose three.)
A. hey are helpful during the creation of new zones
B. hey help content updates automate policy updates
C. hey help with the creation of interfaces
D. hey help with the design of IP address allocations in DHCP
View answer
Correct Answer: BCE
Question #19
An administrator would like to silently drop traffic from the internet to a ftp server.Which Security policy action should the administrator select?
A. rop
B. eny
C. lock
D. eset-server
View answer
Correct Answer: A
Question #20
Which attribute can a dynamic address group use as a filtering condition to determine its membership?
A. ubnet mask
B. ag
C. P address
D. ildcard mask
View answer
Correct Answer: B
Question #21
Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine.
A. xploitation
B. nstallation
C. econnaissance
D. ct on Objective
View answer
Correct Answer: A
Question #22
An address object of type IP Wildcard Mask can be referenced in which part of the configuration?
A. nti-Spyware Profile
B. ata Filtering Profile
C. ntivirus Profile
D. ulnerability Protection Profile
View answer
Correct Answer: C
Question #23
A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?
A. reate a custom-service-object called SERVICE-SSH for destination-port-TCP-22
B. reate a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH
C. n addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created
D. n addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin
View answer
Correct Answer: B
Question #24
Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?
A. ntrazone
B. nterzone
C. niversal
D. lobal
View answer
Correct Answer: B
Question #25
A Security Profile can block or allow traffic at which point?
A. n either the data plane or the management plane
B. fter it is matched to a Security policy rule that allows or blocks traffic
C. fter it is matched to a Security policy rule that allows traffic
D. efore it is matched to a Security policy rule
View answer
Correct Answer: C
Question #26
Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)
A. elect the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK
B. elect the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK
C. elect the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK
D. his rule has traffic logging enabled by default; no further action is required
View answer
Correct Answer: BC
Question #27
You notice that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would you need to monitor and block to mitigate the malicious activity?
A. ranch office traffic
B. orth-south traffic
C. erimeter traffic
D. ast-west traffic
View answer
Correct Answer: D
Question #28
Which statement is true regarding a Best Practice Assessment?
A. t runs only on firewalls
B. t shows how current configuration compares to Palo Alto Networks recommendations
C. hen guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities
D. t provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
View answer
Correct Answer: B
Question #29
02. What are three methods of mapping usernames to IP addresses?
A. erverMonitori
B. rap
C. inemeld
D. ysl
View answer
Correct Answer: ADF
Question #30
Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?
A. ll traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. o impact because the apps were automatically downloaded and installed
C. o impact because the firewall automatically adds the rules to the App-ID interface
D. ll traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications
View answer
Correct Answer: A
Question #31
Which administrator type utilizes predefined roles for a local administrator account?
A. uperuser
B. ole-based
C. ynamic
D. evice administrator
View answer
Correct Answer: C
Question #32
You receive notification about new malware that infects hosts through malicious files transferred by FTP.Which Security profile detects and protects your internal networks from this threat after you update your firewall's threat signature database?
A. RL Filtering profile applied to inbound Security policy rules
B. ata Filtering profile applied to outbound Security policy rules
C. ntivirus profile applied to inbound Security policy rules
D. ulnerability Protection profile applied to outbound Security policy rules
View answer
Correct Answer: C
Question #33
What can be achieved by selecting a policy target prior to pushing policy rules from Panorama? *
A. ou can specify the location as pre- or post-rules to push policy rules
B. ou can specify the firewalls in a device group to which to push policy rules
C. oing so provides audit information prior to making changes for selected policy rules
D. oing so limits the templates that receive the policy rules
View answer
Correct Answer: A
Question #34
Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently used by attackers to distribute illegal or unethical material?
A. alo Alto Networks C&G IP Addresses
B. alo Alto Networks High Risk IP Addresses
C. alo Alto Networks Known Malicious IP Addresses
D. alo Alto Networks Bulletproof IP Addresses
View answer
Correct Answer: D
Question #35
Which statement is true about Panorama managed devices?
A. anorama automatically removes local configuration locks after a commit from Panorama
B. ocal configuration locks prohibit Security policy changes for a Panorama managed device
C. ecurity policy rules configured on local firewalls always take precedence
D. ocal configuration locks can be manually unlocked from Panorama
View answer
Correct Answer: A
Question #36
According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
A. y minute
B. ourly
C. aily
D. eekly
View answer
Correct Answer: C
Question #37
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
A. reate a custom ג€URL Categoryג€ object with notifications enabled
B. ublish monitoring data for Security policy deny logs
C. nsure that the ג€site accessג€ setting for all URL sites is set to ג€alertג€
D. nable ג€Response Pagesג€ on the interface providing Internet access
View answer
Correct Answer: AC
Question #38
An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.Which two fields could help in determining if this is normal? (Choose two.)
A. evert to running configuration
B. oad named configuration snapshot
C. evert to last saved configuration
D. mport named config snapshot
View answer
Correct Answer: BD
Question #39
What do Dynamic User Groups help you to do?
A. reate a policy that provides auto-remediation for anomalous user behavior and malicious activity
B. reate a dynamic list of firewall administrators
C. reate a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity
D. reate a policy that provides auto-sizing for anomalous user behavior and malicious activity
View answer
Correct Answer: A
Question #40
Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic.Which statement accurately describes how the firewall will apply an action to matching traffic?
A. f it is a block rule, then Security Profile action is applied last
B. f it is an allow rule, then the Security policy rule is applied last
C. f it is a block rule, then the Security policy rule action is applied last
D. f it is an allowed rule, then the Security Profile action is applied last
View answer
Correct Answer: D
Question #41
Which component is a building block in a Security policy rule?
A. ecryption profile
B. estination interface
C. imeout (min)
D. pplication
View answer
Correct Answer: D
Question #42
How are Application Filters or Application Groups used in firewall policy?
A. n Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group
B. n Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group
C. n Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group
D. n Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group
View answer
Correct Answer: C
Question #43
Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?
A. ayer 2
B. ap
C. ayer 3
D. irtual Wire
View answer
Correct Answer: B
Question #44
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified byApp-ID as SuperApp_base.On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. wo
B. hree
C. our
D. ne
View answer
Correct Answer: C
Question #45
Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)
A. pplication filters
B. ervice groups
C. hared service objects
D. pplication groups
View answer
Correct Answer: ABD
Question #46
Which object would an administrator create to block access to all high-risk applications?
A. IP profile
B. ulnerability Protection profile
C. pplication group
D. pplication filter
View answer
Correct Answer: D
Question #47
Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)
A. Layer-ID
B. User-ID
C. QoS-ID
D. App-ID
View answer
Correct Answer: BD
Question #48
Which two security profile types can be attached to a security policy? (Choose two.)
A. reate an anti-spyware profile and enable DNS Sinkhole
B. reate an antivirus profile and enable DNS Sinkhole
C. reate a URL filtering profile and block the DNS Sinkhole category
D. reate a security policy and enable DNS Sinkhole
View answer
Correct Answer: AD
Question #49
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified byApp-ID as SuperApp_base.On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
A. ll traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
B. o impact because the apps were automatically downloaded and installed
C. o impact because the firewall automatically adds the rules to the App-ID interface
D. ll traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications
View answer
Correct Answer: A
Question #50
Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
A. Override
B. Allow
C. Block
D. Continue
View answer
Correct Answer: B
Question #51
An internal host needs to connect through the firewall using source NAT to servers of the internet.Which policy is required to enable source NAT on the firewall?
A. AT policy with internal zone and internet zone specified
B. ost-NAT policy with external source and any destination address
C. AT policy with no internal or internet zone selected
D. re-NAT policy with external source and any destination address
View answer
Correct Answer: A
Question #52
Which file is used to save the running configuration with a Palo Alto Networks firewall?
A. unning-config
B. un-config
C. unning-configuration
D. un-configuration
View answer
Correct Answer: A
Question #53
Which dynamic update type includes updated anti-spyware signatures?
A. AN-DB
B. pplications and Threats
C. lobalProtect Data File
D. ntivirus
View answer
Correct Answer: B
Question #54
You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server.Which Security Profile detects and prevents this threat from establishing a command-and-control connection?
A. ulnerability Protection Profile applied to outbound Security policy rules
B. nti-Spyware Profile applied to outbound security policies
C. ntivirus Profile applied to outbound Security policy rules
D. ata Filtering Profile applied to outbound Security policy rules
View answer
Correct Answer: B
Question #55
Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?
A. oot
B. ynamic
C. ole-based
D. uperuser
View answer
Correct Answer: C
Question #56
You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in common application.Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?
A. ata Filtering Profile applied to outbound Security policy rules
B. ntivirus Profile applied to outbound Security policy rules
C. ata Filtering Profile applied to inbound Security policy rules
D. ulnerability Protection Profile applied to inbound Security policy rules
View answer
Correct Answer: D
Question #57
Based on the screenshot presented, which column contains the link that when clicked, opens a window to display all applications matched to the policy rule?
A. pps Allowed
B. ervice
C. ame
D. pps Seen
View answer
Correct Answer: D
Question #58
How do you reset the hit count on a Security policy rule?
A. elect a Security policy rule, and then select Hit Count > Reset
B. eboot the data-plane
C. irst disable and then re-enable the rule
D. ype the CLI command reset hitcount
View answer
Correct Answer: A
Question #59
What allows a security administrator to preview the Security policy rules that match new application signatures?
A. olicy Optimizer--New App Viewer
B. ynamic Updates--Review App
C. eview Release Notes
D. ynamic Updates--Review Policies
View answer
Correct Answer: D
Question #60
Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized.Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
A. indows-based agent on a domain controller
B. aptive Portal
C. itrix terminal server agent with adequate data-plane resources
D. AN-OS integrated agent
View answer
Correct Answer: A
Question #61
Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
A. Management
B. High Availability
C. Aggregate
D. Aggregation
View answer
Correct Answer: C
Question #62
An administrator is reviewing another administrator's Security policy log settings.Which log setting configuration is consistent with best practices for normal traffic?
A. og at Session Start and Log at Session End both enabled
B. og at Session Start enabled, Log at Session End disabled
C. og at Session Start disabled, Log at Session End enabled
D. og at Session Start and Log at Session End both disabled
View answer
Correct Answer: C
Question #63
What must be configured before setting up Credential Phishing Prevention?
A. hreat Prevention
B. nti Phishing Block Page
C. ser-ID
D. nti Phishing profiles
View answer
Correct Answer: C
Question #64
An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.Which security policy action causes this?
A. eset server
B. eset both
C. eny
D. rop
View answer
Correct Answer: C
Question #65
Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?
A. lobal
B. ntrazone
C. nterzone
D. niversal
View answer
Correct Answer: C
Question #66
Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?
A. econnaissance
B. elivery
C. nstallation
D. xploitation
View answer
Correct Answer: A
Question #67
Actions can be set for which two items in a URL filtering security profile? (Choose two.)
A. pdated application content might change how Security policy rules are enforced
B. fter an application content update, new applications must be manually classified prior to use
C. xisting security policy rules are not affected by application content updates
D. fter an application content update, new applications are automatically identified and classified
View answer
Correct Answer: AD
Question #68
Which Security profile can you apply to protect against malware such as worms and Trojans?
A. ntivirus
B. ata filtering
C. ulnerability protection
D. nti-spyware
View answer
Correct Answer: A
Question #69
04. A Heatmap provides an adoption rate for which three features?
A. ildFire
B. rap
C. ileBlocki
D. ser-ID
View answer
Correct Answer: ACD
Question #70
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
A. isable automatic updates during weekdays
B. utomatically ג€download and installג€ but with the ג€disable new applicationsג€ option used
C. utomatically ג€download onlyג€ and then install Applications and Threats later, after the administrator approves the update
D. onfigure the option for ג€Thresholdג€
View answer
Correct Answer: D
Question #71
An administrator wishes to follow best practices for logging traffic that traverses the firewall.Which log setting is correct?
A. nable Log at Session Start
B. isable all logging
C. nable Log at both Session Start and End
D. nable Log at Session End
View answer
Correct Answer: D

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: