ExamGecko

Palo Alto Networks PCNSA Practice Test - Questions Answers, Page 20

Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?

A. reconnaissance
B. delivery
C. exploitation
D. installation
Suggested answer: B

Explanation:

Weaponization and Delivery: Attackers will then determine which methods to use in order to deliver malicious payloads. Some of the methods they might utilize are automated tools, such as exploit kits, spear phishing attacks with malicious links or attachments, and malvertising.

Gain full visibility into all traffic, including SSL, and block high-risk applications. Extend those protections to remote and mobile devices.

Protect against perimeter breaches by blocking malicious or risky websites through URL filtering.

Block known exploits, malware and inbound command-and-control communications using multiple threat prevention disciplines, including IPS, anti-malware, anti-CnC, DNS monitoring and sinkholing, and file and content blocking.

Detect unknown malware and automatically deliver protections globally to thwart new attacks.

Provide ongoing education to users on spear phishing links, unknown emails, risky websites, etc.

https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle

What are three factors that can be used in domain generation algorithms? (Choose three.)

A. cryptographic keys
B. time of day
C. other unique values
D. URL custom categories
E. IP address
Suggested answer: A, B, C

Explanation:

Domain generation algorithms (DGAs) are used to auto-generate domains, typically in large numbers within the context of establishing a malicious command-and-control (C2) communications channel.

DGA-based malware (such as Pushdo, BankPatch, and CryptoLocker) limits how many of its domains can be blocked by hiding the location of its active C2 servers within a large number of possible suspects. The domains can be algorithmically generated based on factors such as time of day, cryptographic keys, or other unique values.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/dnssecurity/domain-generation-algorithm-detection

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

A. create the service object in the specific template
B. uncheck the shared option
C. ensure that disable override is selected
D. ensure that disable override is cleared
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/managedevice-groups/create-objects-for-use-in-shared-or-device-group-policy

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

A. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL
B. Configure a frequency schedule to clear group mapping cache
C. Configure a Primary Employee ID number for user-based Security policies
D. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389
Suggested answer: B


Which administrative management services can be configured to access a management interface?

A. HTTP, CLI, SNMP, HTTPS
B. HTTPS, SSH, telnet, SNMP
C. SSH, telnet, HTTP, HTTPS
D. HTTPS, HTTP, CLI, API
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/managementinterfaces

You can use the following user interfaces to manage the Palo Alto Networks firewall:

Use the Web Interface to perform configuration and monitoring tasks with relative ease. This graphical interface allows you to access the firewall using HTTPS (recommended) or HTTP and it is the best way to perform administrative tasks.

Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH (recommended), Telnet, or the console port. The CLI is a no-frills interface that supports two command modes, operational and configure, each with a distinct hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.

Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.

Use Panorama to perform web-based management, reporting, and log collection for multiple firewalls. The Panorama web interface resembles the firewall web interface but with additional functions for centralized management.

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?

A. Palo Alto Networks Bulletproof IP Addresses
B. Palo Alto Networks C&C IP Addresses
C. Palo Alto Networks Known Malicious IP Addresses
D. Palo Alto Networks High-Risk IP Addresses
Suggested answer: A

Explanation:

To block hosts that use bulletproof hosts to provide malicious, illegal, and/or unethical content, use the bulletproof IP address list in policy.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspectionfeatures/edl-for-bulletproofisps#:~:text=A%20new%20built%2Din%20external,%2C%20illegal%2C%20and%20unethical%20content.

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

A. tag
B. wildcard mask
C. IP address
D. subnet mask
Suggested answer: A

Explanation:

Dynamic Address Groups: A dynamic address group populates its members dynamically using lookups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-addressgroups

View the diagram.

What is the most restrictive yet fully functional rule to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IoT/Guest and Trust Zones?

A.
B.
C.
D.
Suggested answer: C

An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

A. User-ID
B. App-ID
C. Security Processing Engine
D. Content-ID
Suggested answer: A

Which solution is a viable option to capture user identification when Active Directory is not in use?

A. Cloud Identity Engine
B. group mapping
C. Directory Sync Service
D. Authentication Portal
Suggested answer: D
Total 362 questions