Palo Alto Networks Certified Network Security Administrator (PCNSA) Exam Questions and Answers

The latest Palo Alto Networks Certified Network Security Administrator (PCNSA) practice exam question and answer (Q&A) dumps are available free to help you pass the PCNSA exam and earn the PCNSA certification.

Exam Question 81

Which statement is true regarding a Prevention Posture Assessment?

A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
C. It provides a percentage of adoption for each assessment area
D. It performs over 200 security checks on Panorama/firewall for the assessment
Correct Answer:
B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

Exam Question 82

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH
B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH
C. In addition to option A, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-IP-address
D. In addition to option C, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin
Correct Answer:
B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH

Exam Question 83

An internal host needs to connect through the firewall using source NAT to servers on the internet.
Which policy is required to enable source NAT on the firewall?

A. NAT policy with internal zone and internet zone specified
B. post-NAT policy with external source and any destination address
C. NAT policy with no internal or internet zone selected
D. pre-NAT policy with external source and any destination address
Correct Answer:
A. NAT policy with internal zone and internet zone specified

Exam Question 84

Given the topology, which zone type should you configure for firewall interface E1/1?

A. Tap
B. Tunnel
C. Virtual Wire
D. Layer3
Correct Answer:
A. Tap

Exam Question 85

Which protocol is used to map usernames to user groups when User-ID is configured?

A. TACACS+
B. SAML
C. LDAP
D. RADIUS
Correct Answer:
C. LDAP

Exam Question 86

The CFO found a malware-infected USB drive in the parking lot, which when inserted infected their corporate laptop. The malware contacted a known command-and-control server, which caused the infected laptop to begin exfiltrating corporate data.
Which security profile feature could have been used to prevent the communication with the command-and-control server?

A. Create an anti-spyware profile and enable DNS Sinkhole feature.
B. Create an antivirus profile and enable its DNS Sinkhole feature.
C. Create a URL filtering profile and block the DNS Sinkhole URL category
D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.
Correct Answer:
D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.

Exam Question 87

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall’s management plane is only slightly utilized.
Which User-ID agent is sufficient in your network?

A. Windows-based agent deployed on each domain controller
B. PAN-OS integrated agent deployed on the firewall
C. Citrix terminal server agent deployed on the network
D. Windows-based agent deployed on the internal network a domain member
Correct Answer:
A. Windows-based agent deployed on each domain controller

Exam Question 88

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?

A. global
B. intrazone
C. interzone
D. universal
Correct Answer:
B. intrazone

Exam Question 89

Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?

A. interzone-default
B. internal-inside-dmz
C. inside-portal
D. egress-outside
Correct Answer:
D. egress-outside

Exam Question 90

Which type of firewall configuration contains in-progress configuration changes?

A. backup
B. candidate
C. running
D. committed
Correct Answer:
B. candidate