Pcnsa3
Test title: Pcnsa3. Description: Questions 121-180




Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?
- authorization
- continue
- authentication
- override

How are Application Filters or Application Groups used in firewall policy?
- An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group
- An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group
- An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group
- An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group

Which tab would an administrator click to create an address object?
- Objects
- Monitor
- Device
- Policies

An administrator wishes to follow best practices for logging traffic that traverses the firewall. Which log setting is correct?
- Enable Log at Session Start
- Disable all logging
- Enable Log at both Session Start and End
- Enable Log at Session End

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)
- QoS profile
- DoS Protection profile
- Zone Protection profile
- DoS Protection policy

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs. What is the correct process to enable this logging?
- Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK
- Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK
- Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK
- This rule has traffic logging enabled by default; no further action is required

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1. What changes are required on VR-1 to route traffic between two interfaces on the NGFW?
- Add static routes to route between the two interfaces
- Add interfaces to the virtual router
- Add zones attached to interfaces to the virtual router
- Enable the redistribution profile to redistribute connected routes

An administrator wants to prevent users from submitting corporate credentials in a phishing attack. Which Security profile should be applied?
- antivirus
- anti-spyware
- URL-filtering
- vulnerability protection

Which two rule types allow the administrator to modify the destination zone? (Choose two.)
- interzone
- shadowed
- intrazone
- universal

What is the main function of Policy Optimizer?
- reduce load on the management plane by highlighting combinable security rules
- migrate other firewall vendors' security rules to Palo Alto Networks configuration
- eliminate Log at Session Start security rules
- convert port-based security rules to application-based security rules

Based on the screenshot, what is the purpose of the group in User labelled `it`?
- Allows any users to access servers in the DMZ zone
- Allows users to access IT applications on all ports
- Allow users in group it to access IT applications
- Allow users in group DMZ to access IT applications

Which action results in the firewall blocking network traffic without notifying the sender?
- Drop
- Deny
- No notification
- Reset Client

Assume that traffic matches a Security policy rule but the attached Security Profile is configured to block matching traffic. Which statement accurately describes how the firewall will apply an action to matching traffic?
- If it is a block rule, then Security Profile action is applied last
- If it is an allow rule, then the Security policy rule is applied last
- If it is a block rule, then the Security policy rule action is applied last
- If it is an allowed rule, then the Security Profile action is applied last

Which Security profile can you apply to protect against malware such as worms and Trojans?
- antivirus
- data filtering
- vulnerability protection
- anti-spyware

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH, web-browsing and SSL applications. Which policy achieves the desired results?
- 03A 172.16.16.0/24 192.168.0.0/24 1.1.1.0/24 10.0.1.0/24
- 04A 172.16.16.0/24 192.168.0.0/24 any
- 01A 10.0.1.0/24 172.16.16.0/24 1.1.1.0/24 192.168.0.0/24
- 02A 172.16.18.0/24 192.168.0.0/24 any

Which license is required to use the Palo Alto Networks built-in IP address EDLs?
- DNS Security
- Threat Prevention
- WildFire
- SD-WAN

Which statement is true about Panorama managed devices?
- Panorama automatically removes local configuration locks after a commit from Panorama
- Local configuration locks prohibit Security policy changes for a Panorama managed device
- Security policy rules configured on local firewalls always take precedence
- Local configuration locks can be manually unlocked from Panorama

A Security Profile can block or allow traffic at which point?
- on either the data plane or the management plane
- after it is matched to a Security policy rule that allows or blocks traffic
- after it is matched to a Security policy rule that allows traffic
- before it is matched to a Security policy rule

DRAG DROP - Place the following steps in the packet processing order of operations from first to last. Select and Place:
- DoS protection
- Security policy lookup
- content inspection
- QoS shaping applied

Which type of address object is `10.5.1.1/0.127.248.2`?
- IP netmask
- IP subnet
- IP wildcard mask
- IP range

Which component is a building block in a Security policy rule?
- decryption profile
- destination interface
- timeout (min)
- application

You have been tasked to configure access to a new web server located in the DMZ. Based on the diagram, what configuration changes are required in the NGFW virtual router to route traffic from the 10.1.1.0/24 network to 192.168.1.0/24?
- Add a route with the destination of 192.168.1.0/24 using interface Eth 1/2 with a next-hop of 172.16.1.2
- Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.10
- Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 172.16.1.2
- Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.254

An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available. Which security policy action causes this?
- Reset server
- Reset both
- Deny
- Drop

Selecting the option to revert firewall changes will replace what settings?
- the candidate configuration with settings from the running configuration
- dynamic update scheduler settings
- the running configuration with settings from the candidate configuration
- the device state with settings from another configuration

An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop. If the application's default deny action is reset-both, what action does the firewall take?
- It silently drops the traffic
- It silently drops the traffic and sends an ICMP unreachable code
- It sends a TCP reset to the server-side device
- It sends a TCP reset to the client-side and server-side devices

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)
- SAML 2.0
- Kerberos
- TACACS
- TACACS+
- SAML 1.0

Which objects would be useful for combining several services that are often defined together?
- application filters
- service groups
- shared service objects
- application groups

Given the screenshot, what two types of route is the administrator configuring? (Choose two.)
- BGP
- Static Route
- default route
- OSPF

Which rule type is appropriate for matching traffic both within and between the source and destination zones?
- interzone
- shadowed
- intrazone
- universal

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the ICMP code `communication with the destination is administratively prohibited`. Which security policy action causes this?
- Drop
- Drop, send ICMP Unreachable
- Reset both
- Reset server

You receive notification about new malware that infects hosts through malicious files transferred by FTP. Which Security profile detects and protects your internal networks from this threat after you update your firewall's threat signature database?
- URL Filtering profile applied to inbound Security policy rules
- Data Filtering profile applied to outbound Security policy rules
- Antivirus profile applied to inbound Security policy rules
- Vulnerability Protection profile applied to outbound Security policy rules

An administrator wants to prevent access to media content websites that are risky. Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)
- recreation-and-hobbies
- streaming-media
- known-risk
- high-risk

Which dynamic update type includes updated anti-spyware signatures?
- PAN-DB
- Applications and Threats
- GlobalProtect Data File
- Antivirus

An administrator would like to silently drop traffic from the internet to an FTP server. Which Security policy action should the administrator select?
- Drop
- Deny
- Block
- Reset-server

Which object would an administrator create to block access to all high-risk applications?
- HIP profile
- Vulnerability Protection profile
- application group
- application filter

Which option is part of the content inspection process?
- Packet forwarding process
- IPsec tunnel encryption
- SSL Proxy re-encrypt
- Packet egress process

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
- Disable automatic updates during weekdays
- Automatically download and install but with the disable new applications option used
- Automatically download only and then install Applications and Threats later, after the administrator approves the update
- Configure the option for Threshold

What must be considered with regards to content updates deployed from Panorama?
- Content update schedulers need to be configured separately per device group
- Panorama can only install up to five content versions of the same type for potential rollback scenarios
- A PAN-OS upgrade resets all scheduler configurations for content updates
- Panorama can only download one content update at a time for content updates of the same type

During the packet flow process, which two processes are performed in application identification? (Choose two.)
- pattern based application identification
- application override policy match
- session application identified
- application changed from content inspection

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
- Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
- Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
- Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
- Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

What does an administrator use to validate whether a session is matching an expected NAT policy?
- system log
- test command
- threat log
- config audit

What is the purpose of the automated commit recovery feature?
- It reverts the Panorama configuration
- It causes HA synchronization to occur automatically between the HA peers after a push from Panorama
- It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change
- It generates a config log after the Panorama configuration successfully reverts to the last running configuration

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
- by minute
- hourly
- daily
- weekly

DRAG DROP - Place the steps in the correct packet-processing order of operations. Select and Place:
- Zone protection
- decryption
- Security profile enforcement
- App-ID

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?
- destination address
- source address
- destination zone
- source zone

URL categories can be used as match criteria on which two policy types? (Choose two.)
- authentication
- decryption
- application override
- NAT

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)
- The web session was unsuccessfully decrypted
- The traffic was denied by security profile
- The traffic was denied by URL filtering
- The web session was decrypted

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
- Untrust (Any) to DMZ (1.1.1.100), ssh - Allow
- Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
- Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
- Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
- Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to exploit system flaws?
- URL filtering
- vulnerability protection
- file blocking
- anti-spyware

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
- on the App Dependency tab in the Commit Status window
- on the Policy Optimizer's Rule Usage page
- on the Application tab in the Security Policy Rule creation window
- on the Objects > Applications browser pages

What action will inform end users when their access to Internet content is being restricted?
- Create a custom URL Category object with notifications enabled
- Publish monitoring data for Security policy deny logs
- Ensure that the site access setting for all URL sites is set to alert
- Enable Response Pages on the interface providing Internet access

What is a recommended consideration when deploying content updates to the firewall from Panorama?
- Before deploying content updates, always check content release version compatibility
- Content updates for firewall A/P HA pairs can only be pushed to the active firewall
- Content updates for firewall A/A HA pairs need a defined master device
- After deploying content updates, perform a commit and push to Panorama

Which information is included in device state other than the local configuration?
- uncommitted changes
- audit logs to provide information of administrative account changes
- system logs to provide information of PAN-OS changes
- device group and template settings pushed from Panorama

Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?
- It defines the SSL/TLS encryption strength used to protect the management interface
- It defines the CA certificate used to verify the client's browser
- It defines the certificate to send to the client's browser from the management interface
- It defines the firewall's global SSL/TLS timeout values

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration. What should the administrator do?
- change the logging action on the rule
- review the System Log
- refresh the Traffic Log
- tune your Traffic Log filter to include the dates

When is the content inspection performed in the packet flow process?
- after the application has been identified
- after the SSL Proxy re-encrypts the packet
- before the packet forwarding process
- before session lookup

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?
- check now
- review policies
- test policy match
- download

When creating a custom URL category object, which is a valid type?
- domain match
- host names
- wildcard
- category match

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?
- 80
- 8443
- 4443
- 443

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control (RBAC)? (Choose two.)
- SAML
- TACACS+
- LDAP
- Kerberos