Palo Alto Networks PCNSA Palo Alto Networks Certified Network Security Administrator Online Training
Palo Alto Networks PCNSA Online Training
The questions for PCNSA were last updated at Nov 23,2024.
- Exam Code: PCNSA
- Exam Name: Palo Alto Networks Certified Network Security Administrator
- Certification Provider: Palo Alto Networks
- Latest update: Nov 23,2024
What are the two types of Administrator accounts? (Choose two.)
- A . Role Based
- B . Superuser
- C . Dynamic
- D . Local
AC
Explanation:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-a-firewall-administrator-account
An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the ICMP code "communication with the destination is administratively prohibited".
Which security policy action causes this?
- A . Drop
- B . Drop, send ICMP Unreachable
- C . Reset both
- D . Reset server
B
Explanation:
Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action:
Drop and enable the Send ICMP Unreachable
check box. When enabled, the firewall sends the ICMP code for communication with the destination is administratively prohibited–ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClltCAC#:~:text=The%20Deny%20action%20will%20tear,packets%20will%20be%20silently%20discarded.
An administrator wants to prevent hacking attacks through DNS queries to malicious domains.
Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)
- A . deny
- B . block
- C . sinkhole
- D . override
Which three types of authentication services can be used to authenticate user traffic flowing through the firewall’s data plane? (Choose three.)
- A . SAML 2.0
- B . Kerberos
- C . TACACS
- D . TACACS+
- E . SAML 1.0
ABD
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-types.html
If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?
- A . Some traffic between A & B
- B . Some traffic within A
- C . All traffic within zones A & B
- D . Some traffic within B
A network administrator is required to use a dynamic routing protocol for network connectivity.
Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)
- A . RIP
- B . OSPF
- C . IS-IS
- D . EIGRP
- E . BGP
A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?
- A . All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
- B . No impact because the apps were automatically downloaded and installed
- C . No impact because the firewall automatically adds the rules to the App-ID interface
- D . All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications
A
Explanation:
To allow the new applications, we need to modify or add a new policy.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list.
What is the maximum number of entries that they can be excluded?
- A . 50
- B . 100
- C . 200
- D . 1,000
B
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/exclude-entries-from-an-external-dynamic-list
The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges.
In particular, the new EMEA Regional Panorama Administrator should be able to:
– Access only EMEA-Regional device groups with read-only privileges
– Access only EMEA-Regional templates with read-only privileges
What is the correct configuration for the new EMEA Regional Panorama Administrator profile?
- A . Administrator Type = Device Group and Template Admin Admin Role = EMEA_Regional_Admin_read_only
Access Domain = EMEA-Regional - B . Administrator Type = Dynamic -Admin Role = Superuser (read-only)
- C . Administrator Type = Dynamic -Admin Role = Panorama Administrator
- D . Administrator Type = Custom Panorama Admin Profile = EMEA Regional Admin_read_only
How are Application Filters or Application Groups used in firewall policy?
- A . An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.
- B . An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.
- C . An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.
- D . An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.
Latest PCNSA Dumps Valid Version with 115 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund
