Palo Alto Networks PCNSA Practice Test - Questions Answers, Page 33

A server profile identifies the external authentication service and instructs the firewall on how to connect to that authentication service and access the authentication credentials for your users. To configure SAML authentication, you must create a server profile and register the firewall and the identity provider (IdP) with each other. You can import a SAML metadata file from the IdP to automatically create a server profile and populate the connection, registration, and IdP certificate information.Reference:Configure SAML Authentication,Set Up SAML Authentication,Introduction to SAML

A dynamic address group populates its members dynamically using look ups for tags and tag-based filters. Tags are metadata elements or attribute-value pairs that are registered for each IP address. Tag-based filters use logical and and or operators to match the tags and determine the membership of the dynamic address group. For example, you can create a dynamic address group that includes all IP addresses that have the tags ''web-server'' and ''linux''. You can also use static tags as part of the filter criteria.Reference:Policy Object: Address Groups,Use Dynamic Address Groups in Policy,Statics vs. Dynamic Address Objects Groups

The Policy Optimizer feature enables an administrator to review the Security policy rule base for unused rules, unused applications, and shadowed rules. The Policy Optimizer provides information and recommendations to help optimize the Security policy rules and reduce the attack surface.The Policy Optimizer can also identify rules that can be converted to use App-ID instead of port-based criteria12.Reference:Policy Optimizer,Tips & Tricks: How to Identify Unused Policies on a Palo Alto Networks Device

The Type attribute column in the NGFW traffic logs indicates whether the log entry is for the start or end of the session. The possible values are START, END, DROP, DENY, and INVALID. The START value means that the log entry is for the start of the session, and the END value means that the log entry is for the end of the session.The other values indicate that the session was terminated by the firewall for various reasons12.Reference:Traffic Log Fields,Session Log Best Practices

Random Early Drop ---The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate (above the Activate Rate) gets, the more packets the firewall drops. .. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-web-interface/defining-policies-on-panorama

https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/enable-dns-security#tabs-id066476b2-c4dd-4fc0-b7e4-f4ba32e19f60

Three types of entries that can be excluded from an external dynamic list (EDL) are IP addresses, domains, and URLs. An EDL is a text file that is hosted on an external web server and contains a list of objects, such as IP addresses, URLs, domains, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities (IMSIs) that the firewall can import and use in policy rules. You can exclude entries from an EDL to prevent the firewall from enforcing policy on those entries.For example, you can exclude benign domains that applications use for background traffic from Authentication policy1. To exclude entries from an EDL, you need to:

Select the EDL on the firewall and clickManual Exceptions.

Add the entries that you want to exclude in theManual Exceptionslist. The entries must match the type and format of the EDL. For example, if the EDL contains IP addresses, you can only exclude IP addresses.

ClickOKto save the changes. The firewall will not enforce policy on the excluded entries.