Palo Alto Networks Certified Network Security Administrator (PCNSA) Exam Questions and Answers

The latest Palo Alto Networks Certified Network Security Administrator (PCNSA) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Palo Alto Networks Certified Network Security Administrator (PCNSA) exam and earn Palo Alto Networks Certified Network Security Administrator (PCNSA) certification.

Exam Question 11

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and None?

A. Translation Type
B. Interface
C. Address Type
D. IP Address
Correct Answer:
A. Translation Type

Exam Question 12

Which interface does not require a MAC or IP address?

A. Virtual Wire
B. Layer3
C. Layer2
D. Loopback
Correct Answer:
A. Virtual Wire

Exam Question 13

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?

A. Rule Usage Filter > No App Specified
B. Rule Usage Filter >Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days
Correct Answer:
D. Rule Usage Filter > Hit Count > Unused in 90 days

Exam Question 14

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

A. An implicit dependency does not require the dependent application to be added in the security policy
B. An implicit dependency requires the dependent application to be added in the security policy
C. An explicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy
Correct Answer:
A. An implicit dependency does not require the dependent application to be added in the security policy
D. An explicit dependency requires the dependent application to be added in the security policy

Exam Question 15

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?

A. Windows-based agent deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN Links
Correct Answer:
A. Windows-based agent deployed on the internal network

Exam Question 16

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You must collect IP –to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufactures.
Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A. syslog
B. RADIUS
C. UID redistribution
D. XFF headers
Correct Answer:
A. syslog

Exam Question 17

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact a command-and-control (C2) server.
Which two security profile components will detect and prevent this threat after the firewall’s signature database has been updated? (Choose two.)

A. vulnerability protection profile applied to outbound security policies
B. anti-spyware profile applied to outbound security policies
C. antivirus profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies
Correct Answer:
B. anti-spyware profile applied to outbound security policies
D. URL filtering profile applied to outbound security policies

Exam Question 18

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

A. Delivery
B. Reconnaissance
C. Command and Control
D. Exploitation
Correct Answer:
D. Exploitation

Exam Question 19

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services “Application defaults”, and action = Allow

A. Destination IP: 192.168.1.123/24
B. Application = “Telnet”
C. Log Forwarding
D. USER-ID = “Allow users in Trusted”
Correct Answer:
B. Application = “Telnet”

Exam Question 20

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

A. Threat Prevention
B. WildFire
C. Antivirus
D. URL Filtering
Correct Answer:
A. Threat Prevention