ExamGecko

Palo Alto Networks PCNSA Practice Test - Questions Answers, Page 35


Where in Panorama Would Zone Protection profiles be configured?

A. Shared
B. Templates
C. Device Groups
D. Panorama tab
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/use-templates-to-administer-a-base-configuration

Based on the image provided, which two statements apply to the Security policy rules? (Choose two.)

A. The Allow-Office-Programs rule is using an application filter.
B. The Allow-Office-Programs rule is using an application group.
C. The Allow-Social-Media rule allows all Facebook functions.
D. In the Allow-FTP policy, FTP is allowed using App-ID.
Suggested answer: A, C

How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to destination ports tcp/22 and tcp/4422?

A. The admin creates a custom service object named 'tcp-4422' with port tcp/4422. The admin then creates a Security policy allowing application 'ssh' and service 'tcp-4422'.
B. The admin creates a custom service object named 'tcp-4422' with port tcp/4422. The admin then creates a Security policy allowing application 'ssh', service 'tcp-4422', and service 'application-default'.
C. The admin creates a Security policy allowing application 'ssh' and service 'application-default'.
D. The admin creates a custom service object named 'tcp-4422' with port tcp/4422. The admin also creates a custom service object named 'tcp-22' with port tcp/22. The admin then creates a Security policy allowing application 'ssh', service 'tcp-4422', and service 'tcp-22'.
Suggested answer: D

Which feature must be configured to enable a data plane interface to submit DNS queries originated from the firewall on behalf of the control plane?

A. Service route
B. Admin role profile
C. DNS proxy
D. Virtual router
Suggested answer: A

Explanation:

By default, the firewall uses the management (MGT) interface to access external services, such as DNS servers, external authentication servers, and Palo Alto Networks services such as software, URL updates, licenses, and AutoFocus. An alternative to using the MGT interface is configuring a data port (a standard interface) to access these services. The path from the interface to the service on a server is a service route. [Palo Alto Networks]

PAN-OS 10 -> Device -> Setup -> Services -> Service Features -> Service Route Configuration

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the rule type from its default value.

What type of Security policy rule is created?

A. Tagged
B. Intrazone
C. Universal
D. Interzone
Suggested answer: C

When HTTPS for management and GlobalProtect are enabled on the same data plane interface, which TCP port is used for management access?

A. 80
B. 443
C. 4443
D. 8443
Suggested answer: C

Explanation:

The GlobalProtect Portal can be accessed by going to the IP address of the designated interface using HTTPS on port 443. The web UI on the same interface can be accessed by going to the interface's IP address using HTTPS on port 4443. The port for web UI management is changed because the tcp/443 socket used by GlobalProtect takes precedence.

An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240 addresses and found that connections from addresses that needed new translations were being dropped.

Which type of NAT was configured?

A. Static IP
B. Dynamic IP
C. Destination NAT
D. Dynamic IP and Port
Suggested answer: B

Explanation:

The size of the NAT pool should be equal to the number of internal hosts that require address translation. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable the use of DIPP addresses when necessary.

What are the two main reasons a custom application is created? (Choose two.)

A. To correctly identify an internal application in the traffic log
B. To change the default categorization of an application
C. To visually group similar applications
D. To reduce unidentified traffic on a network
Suggested answer: A, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application

How does the Policy Optimizer policy view differ from the Security policy view?

A. It shows rules that are missing Security profile configurations.
B. It indicates rules with App-ID that are not configured as port-based.
C. It shows rules with the same Source Zones and Destination Zones.
D. It indicates that a broader rule matching the criteria is configured above a more specific rule.
Suggested answer: B

Explanation:

The Policy Optimizer policy view differs from the Security policy view in several ways. One of them is that it indicates rules with App-ID that are not configured as port-based. These are rules that have the application set to 'any' instead of a specific application or group of applications. Such rules are overly permissive and can introduce security gaps, because they allow any application's traffic on the specified ports. Policy Optimizer helps you convert these rules to application-based rules that follow the principle of least privilege access. You can use Policy Optimizer to discover and convert port-based rules to application-based rules, to remove unused applications, to eliminate unused rules, and to discover new applications that match your policy criteria.

References:

Policy Optimizer Best Practices - Palo Alto Networks

Manage: Policy Optimizer - Palo Alto Networks | TechDocs

Why use Security Policy Optimizer and what are the benefits?

How does the Policy Optimizer policy view differ from the Security policy view?

A. It provides sorting options that do not affect rule order.
B. It displays rule utilization.
C. It details associated zones.
D. It specifies applications seen by rules.
Suggested answer: A

Explanation:

You can't filter or sort rules in Policies -> Security because that would change the order of the policy rules in the rulebase. Filtering and sorting Policies -> Security -> Policy Optimizer -> No App Specified, Policies -> Security -> Policy Optimizer -> Unused Apps, and Policies -> Security -> Policy Optimizer -> New App Viewer (if you have a SaaS Inline Security subscription) does not change the order of the rules in the rulebase.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules
