Pcnsa2
Test title: Pcnsa2. Description: Questions 61-120




Which Security Profile mitigates attacks based on packet count?
- zone protection profile
- URL filtering profile
- antivirus profile
- vulnerability profile

Which interface type uses virtual routers and routing protocols?
- Tap
- Layer 3
- Virtual Wire
- Layer 2

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?
- Override
- Allow
- Block
- Continue

An internal host needs to connect through the firewall using source NAT to servers on the internet. Which policy is required to enable source NAT on the firewall?
- NAT policy with internal zone and internet zone specified
- post-NAT policy with external source and any destination address
- NAT policy with no internal or internet zone selected
- pre-NAT policy with external source and any destination address

Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP addresses?
- DoS protection
- URL filtering
- Packet buffering
- Anti-spyware

Which path in PAN-OS 9.0 displays the list of port-based security policy rules?
- Policies > Security > Rule Usage > No App Specified
- Policies > Security > Rule Usage > Port only specified
- Policies > Security > Rule Usage > Port-based Rules
- Policies > Security > Rule Usage > Unused Apps

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)
- Layer-ID
- User-ID
- QoS-ID
- App-ID

Which path is used to save and load a configuration with a Palo Alto Networks firewall?
- Device > Setup > Services
- Device > Setup > Management
- Device > Setup > Operations
- Device > Setup > Interfaces

DRAG DROP - Match the network device with the correct User-ID technology. Select and Place:
- Microsoft Exchange
- Linux authentication
- Windows Client
- Citrix client

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application signatures?
- Review Policies
- Review Apps
- Pre-analyze
- Review App Matches

How do you reset the hit count on a Security policy rule?
- Select a Security policy rule, and then select Hit Count > Reset
- Reboot the data-plane
- First disable and then re-enable the rule
- Type the CLI command reset hitcount <POLICY-NAME>

Given the topology, which zone type should you configure for firewall interface E1/1?
- Tap
- Tunnel
- Virtual Wire
- Layer 3

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?
- Management
- High Availability
- Aggregate
- Aggregation

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?
- intrazone
- interzone
- universal
- global

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be the last to block access to the URL?
- EDL in URL Filtering Profile
- Custom URL category in URL Filtering Profile
- Custom URL category in Security policy rule
- PAN-DB URL category in URL Filtering Profile

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?
- north-south
- inbound
- outbound
- east-west

Which protocol is used to map usernames to user groups when User-ID is configured?
- TACACS+
- SAML
- LDAP
- RADIUS

Which definition describes the guiding principle of the zero-trust architecture?
- trust, but verify
- always connect and verify
- never trust, never connect
- never trust, always verify

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone. Complete the two empty fields in the Security policy rule that permits only this type of access. Source Zone: Internal - Destination Zone: DMZ Zone - Application: _________? Service: ____________? Action: allow - (Choose two.)
- Service = application-default
- Service = service-telnet
- Application = Telnet
- Application = any

In which profile should you configure the DNS Security feature?
- Anti-Spyware Profile
- Zone Protection Profile
- Antivirus Profile
- URL Filtering Profile

Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0? (Choose two.)
- It is automatically enabled and configured
- It eliminates the need for dynamic DNS updates
- It functions like PAN-DB and requires activation through the app portal
- It removes the 100K limit for DNS entries for the downloaded DNS updates

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
- GlobalProtect agent
- XML API
- User-ID Windows-based agent
- log forwarding auto-tagging

The CFO found a malware-infected USB drive in the parking lot, which when inserted infected their corporate laptop. The malware contacted a known command-and-control server, which caused the infected laptop to begin exfiltrating corporate data. Which security profile feature could have been used to prevent the communication with the command-and-control server?
- Create an anti-spyware profile and enable DNS Sinkhole feature
- Create an antivirus profile and enable its DNS Sinkhole feature
- Create a URL filtering profile and block the DNS Sinkhole URL category
- Create a Data Filtering Profile and enable its DNS Sinkhole feature

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?
- virtual router
- Admin Role profile
- DNS proxy
- service route

Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?
- Prisma SaaS
- GlobalProtect
- AutoFocus
- Panorama

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?
- TACACS+
- RADIUS
- LDAP
- SAML

Which operations are allowed when working with App-ID application tags?
- Predefined tags may be deleted
- Predefined tags may be augmented by custom tags
- Predefined tags may be modified
- Predefined tags may be updated by WildFire dynamic updates

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized. Which User-ID agent is sufficient in your network?
- Windows-based agent deployed on each domain controller
- PAN-OS integrated agent deployed on the firewall
- Citrix terminal server agent deployed on the network
- Windows-based agent deployed on the internal network a domain member

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?
- Role-based
- Multi-Factor Authentication
- Dynamic
- SAML

Which statement is true regarding a Heatmap report?
- When guided by an authorized sales engineer, it helps determine the areas of greatest security risk
- It runs only on firewalls
- It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
- It provides a percentage of adoption for each assessment area

Based on the screenshot presented, which column contains the link that, when clicked, opens a window to display all applications matched to the policy rule?
- Apps Allowed
- Service
- Name
- Apps Seen

Access to which feature requires the PAN-OS Filtering license?
- PAN-DB database
- DNS Security
- Custom URL categories
- URL external dynamic lists

Based on the screenshot, what is the purpose of the Included Groups?
- They are groups that are imported from RADIUS authentication servers
- They are the only groups visible based on the firewall's credentials
- They contain only the users you allow to manage the firewall
- They are used to map users to groups

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
- The User-ID agent is connected to a domain controller labeled lab-client
- The host lab-client has been found by the User-ID agent
- The host lab-client has been found by a domain controller
- The User-ID agent is connected to the firewall labeled lab-client

Which action results in the firewall blocking network traffic without notifying the sender?
- Drop
- Deny
- Reset server
- Reset client

What do Dynamic User Groups help you to do?
- create a policy that provides auto-remediation for anomalous user behavior and malicious activity
- create a dynamic list of firewall administrators
- create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity
- create a policy that provides auto-sizing for anomalous user behavior and malicious activity

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows within the zones?
- global
- intrazone
- interzone
- universal

You notice that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which traffic would you need to monitor and block to mitigate the malicious activity?
- branch office traffic
- north-south traffic
- perimeter traffic
- east-west traffic

DRAG DROP - Match each feature to the DoS Protection Policy or the DoS Protection Profile. Select and Place:
- Threat Intelligence cloud
- Next-generation Firewall
- Advanced Endpoint Protection

Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane?
- Kerberos user
- SAML user
- local database user
- local user

How frequently can WildFire updates be made available to firewalls?
- every 15 minutes
- every 30 minutes
- every 60 minutes
- every 5 minutes

Starting with PAN-OS version 9.1, which new type of object is supported for use within the User field of a Security policy rule?
- remote username
- dynamic user group
- static user group
- local username

Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures?
- Review App Matches
- Review Apps
- Pre-analyze
- Review Policies

Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?
- interzone-default
- internal-inside-dmz
- inside-portal
- egress-outside

Which type of firewall configuration contains in-progress configuration changes?
- backup
- candidate
- running
- committed

Which three configuration settings are required on a Palo Alto Networks firewall management interface? (Choose three.)
- hostname
- netmask
- default gateway
- auto-negotiation
- IP address

What is an advantage for using application tags?
- They are helpful during the creation of new zones
- They help content updates automate policy updates
- They help with the creation of interfaces
- They help with the design of IP address allocations in DHCP

At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?
- after clicking Check Now in the Dynamic Update window
- after committing the firewall configuration
- after installing the update
- after downloading the update

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile detects and prevents this threat from establishing a command-and-control connection?
- Vulnerability Protection Profile applied to outbound Security policy rules
- Anti-Spyware Profile applied to outbound security policies
- Antivirus Profile applied to outbound Security policy rules
- Data Filtering Profile applied to outbound Security policy rules

Which statement is true regarding a Best Practice Assessment?
- It runs only on firewalls
- It shows how current configuration compares to Palo Alto Networks recommendations
- When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities
- It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access the PowerBall Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other websites also listed in the URL filtering `gambling` category. Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the `gambling` URL category?
- Add just the URL www.powerball.com to a Security policy allow rule
- Manually remove powerball.com from the gambling URL category
- Add *.powerball.com to the URL Filtering allow list
- Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile

Which Palo Alto Networks service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and scanning files for sensitive information?
- Prisma SaaS
- AutoFocus
- Panorama
- GlobalProtect

In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?
- Highlight each rule and use the Reset Rule Hit Counter > Selected Rules
- Reboot the firewall
- Use the Reset Rule Hit Counter > All Rules option
- Use the CLI to enter the command reset rules all

Based on the Security policy rules shown, SSH will be allowed on which port?
- the default port
- only ephemeral ports
- any port
- same port as ssl and snmpv3

You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common application. Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?
- Data Filtering Profile applied to outbound Security policy rules
- Antivirus Profile applied to outbound Security policy rules
- Data Filtering Profile applied to inbound Security policy rules
- Vulnerability Protection Profile applied to inbound Security policy rules

Palo Alto Networks firewall architecture accelerates content inspection performance while minimizing latency using which two components? (Choose two.)
- Network Processing Engine
- Policy Engine
- Parallel Processing Hardware
- Single Stream-based Engine

An administrator is reviewing another administrator's Security policy log settings. Which log setting configuration is consistent with best practices for normal traffic?
- Log at Session Start and Log at Session End both enabled
- Log at Session Start enabled, Log at Session End disabled
- Log at Session Start disabled, Log at Session End enabled
- Log at Session Start and Log at Session End both disabled

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?
- URL filtering
- vulnerability protection
- anti-spyware
- antivirus

Given the topology, which zone type should zone A and zone B be configured with?
- Layer3
- Ethernet
- Layer2
- Virtual Wire

Assume a custom URL Category Object of `NO-FILES` has been created to identify a specific website. How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?
- Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES
- Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate File Blocking profile
- Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES
- Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate Data Filtering profile