El Test-NSA-60

1.Which two components can be combined into a Security Profile Group for easier policy application?. A. Antivirus. B. Application Override. C. Anti-Spyware. D. Authentication Policy.

2.A Security Profile is applied to a policy rule. At what stage of traffic processing is the profile enforced?. A. After routing decision. B. Before session creation. C. After App-ID and Content-ID inspection. D. During NAT translation.

3.Which two security profiles would you configure to detect command-and-control traffic?. A. URL Filtering. B. Anti-Spyware. C. Antivirus. D. Data Filtering.

4.When creating a decryption profile, which two checks can be enforced on SSL/TLS traffic?. A. Block expired certificates. B. Restrict key exchange algorithms. C. Enforce file blocking. D. Detect brute-force login attempts.

5.Which of the following describes an External Dynamic List (EDL)?. A. A static IP list imported from Panorama. B. A firewall-managed list of local subnets. C. A dynamic list retrieved from an external source. D. A custom log forwarding filter.

6.Which two object types can be defined within an External Dynamic List (EDL)?. A. FQDN. B. IP Address. C. Custom Data Patterns. D. URL.

7.You need to create a custom object to block access to “gambling” websites not included in default categories. What type of custom object would you configure?. A. Application Override. B. Custom URL Category. C. Security Profile Group. D. Data Pattern.

8.Which two actions can be taken when applying a custom URL category to a policy?. A. Alert. B. Drop. C. Allow. D. Encrypt.

9.Which feature allows administrators to forward firewall logs to an external SIEM solution? A. Log Forwarding Profile B. Decryption Profile C. Data Filtering Profile D. Custom Object. A. Log Forwarding Profile. B. Decryption Profile. C. Data Filtering Profile. D. Custom Object.

10.When configuring a Log Forwarding Profile, which two destinations can be selected? A. Email Server B. SNMP Manager C. Panorama D. DNS Server. A. Email Server. B. SNMP Manager. C. Panorama. D. DNS Server.

11.Which profile ensures that sensitive data such as credit card numbers are not transmitted in clear text?. A. Antivirus Profile. B. Data Filtering Profile. C. Decryption Profile. D. File Blocking Profile.

12.Which two options are available when defining Data Filtering rules?. A. Predefined data patterns. B. File size thresholds. C. Regular expressions. D. Certificate validation.

13.IoT security profiles help administrators in which two ways?. A. Identifying unmanaged IoT devices. B. Blocking malicious IoT traffic. C. Encrypting IoT traffic. D. Providing IoT patch management.

14.Which DoS Protection Profile setting limits the number of concurrent connections to a service? A. SYN Cookies B. Max Concurrent Sessions C. Random Early Drop D. Aggressive Aging. A. SYN Cookies. B. Max Concurrent Sessions. D. Aggressive Aging. D. Aggressive Aging.

15.A customer requires protection against volumetric floods on their public web server. Which feature should be applied?. A. DoS Protection Profile. B. Data Filtering Profile. C. Antivirus Profile. D. SD-WAN Policy.

16.Which two actions can be enforced by DoS Protection Profiles?. A. Block IP. B. SYN Cookies. C. File Blocking. D. URL Filtering.

17.What is the purpose of an SD-WAN profile in Palo Alto Networks firewalls?. A. Define traffic distribution rules across multiple WAN links. B. Encrypt inter-branch VPN traffi. C. Create URL filtering categories for WAN traffic. D. Monitor endpoint compliance.

18.Which two link health parameters can be configured in an SD-WAN profile?. A. Latency. B. CPU Utilization. C. Jitter. D. Session Table Size.

19.Which SD-WAN object defines the criteria for choosing the best path for an application?. A. Path Quality Profile. B. Log Forwarding Profile. C. Data Filtering Profile. D. Device Group.

20.When using SD-WAN templates in Panorama, which benefit is achieved?. A. Centralized configuration of SD-WAN policies. B. Built-in malware signature updates. C. Automatic SSL decryption bypass. D. On-demand firewall upgrades.

21.Which log types can be forwarded using a Log Forwarding Profile?. A. Threat Logs. B. HIP Logs. C. Tunnel Inspection Logs. D. Traffic Logs.

22.When configuring log forwarding, which transport protocol is most commonly used for external SIEM integration?. A. UDP Syslog. B. SMTP. C. SNMP. D. FTP.

23.Which two actions can a Log Forwarding Profile apply when a log entry is generated?. A. Forward to Panorama. B. Send to External Syslog. C. Trigger SSL Decryption. D. Enforce File Blocking.

24.Which profile should you use to prevent leakage of sensitive corporate intellectual property via uploads?. A. Data Filtering. B. Antivirus. C. URL Filtering. D. DoS Protection.

25.Which two data identifiers are available in predefined Data Filtering profiles?. A. Credit Card Numbers. B. Social Security Numbers. C. Usernames and Passwords. D. Malware Signatures.

26.You must enforce GDPR compliance by preventing users from uploading EU citizen personal data. Which two options should you configure?. A. Predefined data patterns. B. Custom regex expressions. C. IoT security profiles. D. Antivirus signatures.

27.IoT security profiles integrate with which Palo Alto service to classify devices? A. App-ID B. Device-ID C. GlobalProtect D. Cortex Data Lake. A. App-ID. B. Device-ID. C. GlobalProtect. D. Cortex Data Lake.

28.Which two types of policies can use IoT security profiles for enforcement?. A. Security Policy. B. Decryption Policy. C. DoS Protection Policy. D. SD-WAN Policy.

29.Which IoT profile capability allows detection of abnormal behavior such as sudden spikes in traffic from an IoT camera? A. URL Filtering B. Behavioral Anomaly Detection C. File Blocking D. Log Forwarding. A. URL Filtering. B. Behavioral Anomaly Detection. C. File Blocking. D. Log Forwarding.

30.Which DoS protection mechanism prevents SYN flood attacks from exhausting server resources?. A. SYN Cookies. B. Application Override. C. Antivirus Signature Matching. D. File Blocking.

31.Which two types of DoS Protection policies exist in PAN-OS?. A. Aggregate. B. Zone-Based. C. Classified. D. GlobalProtect.

32.Which option describes the function of "Random Early Drop (RED)" in DoS profiles?. A. Terminates SSL sessions. B. Preemptively drops packets before thresholds are exceeded. C. Blocks specific URL categories. D. Filters sensitive data.

33.Which two parameters can be configured in DoS Protection profiles to mitigate volumetric floods?. A. Maximum Concurrent Sessions. B. Max Bandwidth per User. C. SYN Flood Thresholds. D. UDP Flood Thresholds.

34.Which SD-WAN feature ensures that voice traffic uses the lowest-latency path?. A. Application SLA Profile. B. Path Quality Profile. C. Data Filtering Profile. D. Antivirus Profile.

35.Which two factors can trigger SD-WAN path failover?. A. Excessive Latency. B. Application Signature Change. C. High Jitter. D. Username Change.

36.In Panorama-managed SD-WAN, what is the main role of an SD-WAN template?. A. Enforcing file blocking policies. B. Centralizing SD-WAN policy deployment across firewalls. C. Controlling certificate validity checks. D. Creating decryption bypass rules.

37.Which metric is critical for SD-WAN path selection when streaming video applications are used?. A. Packet Loss. B. Session Timeout. C. CPU Utilization. D. URL Category.

38.Which two link types are typically included in SD-WAN path selection?. A. MPLS. B. Broadband Internet. C. USB Tethering. D. Internal Loopback.

39.Which SD-WAN policy object defines what applications are subject to path selection rules?. A. Application SLA Profile. B. Application Group. C. Device Group. D. QoS Profile.

40.What benefit does SD-WAN provide for SaaS applications like Office 365?. A. Encrypts all SaaS traffic. B. Routes traffic based on application performance metrics. C. Blocks malicious domains automatically. D. Reduces the need for antivirus scanning.

41.In a security rule using App-ID, when does the firewall finalize application identification?. A. After first packet arrival. B. After TCP 3-way handshake only. C. After sufficient packets/payload to classify the app. D. Only after decryption completes.

42.Which User-ID sources can directly map usernames to IPs for policy?. A. GlobalProtect portal. B. Syslog parsing from AAA servers. C. URL Filtering logs. D. XML API from identity providers.

43.You attach Antivirus and Vulnerability Protection profiles to a rule. What traffic is inspected?. A. Allowed traffic matching the rule. B. Denied traffic matching the rule. C. Any intra-zone traffic only. D. Only decrypted traffic.

44.A rule uses User-ID and App-ID. Which is true about enforcement?. A. User-ID is checked after App-ID. B. App-ID is checked after user mapping and rule match. C. User-ID is ignored if App-ID matches. D. Both are simultaneously ignored during first packet.

45.Which statement about NAT rule match criteria is correct?. A. NAT matches on post-NAT addresses and zones. B. NAT matches on pre-NAT addresses and zones. C. NAT matches on security profiles. D. NAT follows user mappings for match.

46.For Destination NAT, which addresses/zones does the security policy use?. A. Post-NAT IP and post-NAT zone. B. Pre-NAT IP and pre-NAT zone. C. Pre-NAT IP and post-NAT zone. D. Post-NAT IP and pre-NAT zone.

47.Which NAT type best fits “many-to-one” Internet egress?. A. Static bidirectional NAT. B. Dynamic IP and Port (PAT). C. Dynamic IP (pool without port). D. Destination NAT.

48.You need to host a web server on a public IP and preserve its real source IP on logs. Which is correct?. A. Use Destination NAT with static translation; disable source NAT. B. Use Source NAT PAT on server replies. C. Use U-Turn NAT only. D. Use Dynamic IP NAT for server.

49.Where is the Service field meaningful in NAT?. A. Source NAT only. B. Destination NAT only. C. Both Source and Destination NAT. D. Never used in PAN-OS.

50.Order of operations for encrypted traffic is best described as: A. App-ID ® Decryption ® Content-ID. B. Decryption policy decision ® Decryption ® App-ID/Content-ID. C. Content-ID ® Decryption ® App-ID. D. NAT ® Content-ID ® Decryption.