Pcnsa4
Test title: Pcnsa4. Description: Questions 181-240




Which administrative management services can be configured to access a management interface?

- HTTPS, HTTP, CLI, API
- HTTPS, SSH, telnet, SNMP
- SSH, telnet, HTTP, HTTPS
- HTTP, CLI, SNMP, HTTPS

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently used by attackers to distribute illegal or unethical material?

- Palo Alto Networks C&G IP Addresses
- Palo Alto Networks High Risk IP Addresses
- Palo Alto Networks Known Malicious IP Addresses
- Palo Alto Networks Bulletproof IP Addresses

Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP Addresses list?

- source address
- destination address
- source zone
- destination zone

Which three filter columns are available when setting up an Application Filter? (Choose three.)

- Parent App
- Category
- Risk
- Standard Ports
- Subcategory

Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?

- reconnaissance
- delivery
- installation
- exploitation

A coworker found a USB labeled "confidential" in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware. The malware caused the laptop to begin infiltrating corporate data. Which Security Profile feature could have been used to detect the malware on the laptop?

- DNS Sinkhole
- WildFire Analysis
- Antivirus
- DoS Protection

What must be configured before setting up Credential Phishing Prevention?

- Threat Prevention
- Anti Phishing Block Page
- User-ID
- Anti Phishing profiles

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

- block
- sinkhole
- allow
- alert

Which statement best describes a common use of Policy Optimizer?

- Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App ID Security policy for every Layer 4 policy that exists. Admins can then manually enable policies they want to keep and delete ones they want to remove.
- Policy Optimizer can display which Security policies have not been used in the last 90 days.
- Policy Optimizer on a VM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.
- Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)

- The route with lowest metric is used.
- The route with the highest administrative distance is used.
- The virtual router would load balance across the two routes.
- Path monitoring determines whether a route is usable.

An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

- Security policy rule
- ACC global filter
- NAT address pool
- external dynamic list

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server. Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control connection?

- Anti-Spyware Profile
- Data Filtering Profile
- Antivirus Profile
- Vulnerability Protection Profile

Which Palo Alto Networks component provides consolidated policy creation?

- Policy Optimizer
- Prisma SaaS
- GlobalProtect
- Panorama

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone. The administrator does not want to allow traffic between the DMZ and LAN zones. Which Security policy rule type should they use?

- interzone
- intrazone
- default
- universal

According to best practices, how frequently should WildFire updates be made to perimeter firewalls?

- every 10 minutes
- every minute
- every 5 minutes
- in real time

Given the topology, which interface type should you configure for firewall interface E1/1?

- Layer 2
- virtual wire
- tap
- mirror port

Which solution is a viable option to capture user identification when Active Directory is not in use?

- Cloud Identity Engine
- Directory Sync Service
- group mapping
- Authentication Portal

What allows a security administrator to preview the Security policy rules that match new application signatures?

- Policy Optimizer--New App Viewer
- Dynamic Updates--Review App
- Review Release Notes
- Dynamic Updates--Review Policies

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID?

- Configure a Primary Employee ID number for user-based Security policies.
- Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389.
- Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL.
- Configure a frequency schedule to clear group mapping cache.

An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains. Which type of single, unified engine will get this result?

- Content ID
- App-ID
- Security Processing Engine
- User-ID

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

- ensure that disable override is selected
- uncheck the shared option
- ensure that disable override is cleared
- create the service object in the specific template

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit 42 research, and data gathered from telemetry?

- Palo Alto Networks High-Risk IP Addresses
- Palo Alto Networks Known Malicious IP Addresses
- Palo Alto Networks C&C IP Addresses
- Palo Alto Networks Bulletproof IP Addresses

An administrator would like to determine the default deny action for the application dns-over-https. Which action would yield the information?

- View the application details in beacon.paloaltonetworks.com.
- Check the action for the Security policy matching that traffic.
- Check the action for the decoder in the antivirus profile.
- View the application details in Objects > Applications.

Access to which feature requires a URL Filtering license?

- PAN-DB database
- External dynamic lists
- DNS Security
- Custom URL categories

What is the main function of the Test Policy Match function?

- ensure that policy rules are not shadowing other policy rules
- confirm that rules meet or exceed the Best Practice Assessment recommendations
- confirm that policy rules in the configuration are allowing/denying the correct traffic
- verify that policy rules from Expedition are valid

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

- subnet mask
- tag
- ip address
- wildcard mask

View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IOT/Guest and Trust Zones?

- 172.16.16.0/24 192.168.0.0/24 - 1.1.1.0/24 10.0.1.0/24
- 172.16.16.0/24 192.168.0.0/24 - any
- 10.0.1.0/24 172.16.16.0/24 - 1.1.1.0/24 192.168.0.0/24
- 172.16.18.0/24 192.168.0.0/24 - any

What are the three DNS Security categories available to control DNS traffic? (Choose three.)

- Parked Domains
- Spyware Domains
- Vulnerability Domains
- Phishing Domains
- Malware Domains

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

- firewall logs
- custom API scripts
- Security Information and Event Management Systems (SIEMS), such as Splunk
- biometric scanning results from iOS devices
- DNS Security service

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones: 1. trust for internal networks 2. untrust to the internet. Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)

- Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic.
- Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application.
- Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application.
- Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic.

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

- HIP profile
- URL category
- application group
- application filter

Given the detailed log information above, what was the result of the firewall traffic inspection?

- It was blocked by the Vulnerability Protection profile action.
- It was blocked by the Security policy action.
- It was blocked by the Anti-Virus Security profile action.
- It was blocked by the Anti-Spyware Profile action.

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule. What is the best way to do this?

- Create a static NAT rule translating to the destination interface.
- Create a static NAT rule with an application override.
- Create a Security policy rule to allow the traffic.
- Create a new NAT rule with the correct parameters and leave the translation type as None.

What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?

- You can specify the location as pre- or post-rules to push policy rules.
- You can specify the firewalls in a device group to which to push policy rules.
- Doing so provides audit information prior to making changes for selected policy rules.
- Doing so limits the templates that receive the policy rules.

When an ethernet interface is configured with an IPv4 address, which type of zone is it a member of?

- Layer 3
- Virtual wire
- Tap
- Tunnel

An administrator would like to create a URL Filtering log entry when users browse to any gambling website. What combination of Security policy and Security profile actions is correct?

- Security policy = deny, Gambling category in URL profile = block
- Security policy = drop, Gambling category in URL profile = allow
- Security policy = allow, Gambling category in URL profile = alert
- Security policy = allow, Gambling category in URL profile = allow

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out. Which two fields could help in determining if this is normal? (Choose two.)

- IP Protocol
- Packets sent/received
- Decrypted
- Action

What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)

- It requires an active subscription to a third-party DNS Security service.
- It requires a valid URL Filtering license.
- It uses techniques such as DGA/DNS tunneling detection and machine learning.
- It requires a valid Threat Prevention license.
- It enables users to access real-time protections using advanced predictive analytics.

After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration that matches the running configuration. Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

- Revert to running configuration
- Load named configuration snapshot
- Revert to last saved configuration
- Import named config snapshot

What are three valid ways to map an IP address to a username? (Choose three.)

- a user connecting into a GlobalProtect gateway using a GlobalProtect Agent
- WildFire verdict reports
- DHCP Relay logs
- using the XML API
- usernames inserted inside HTTP Headers

How is an address object of type IP range correctly defined?

- 192.168.40.1-192.168.40.255
- 192.168.40.1-255
- 192.168.40.1, 192.168.40.255
- 192.168.40.1/24

An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the traffic logs on the firewall. The interzone-default was never changed from its default configuration. Why doesn't the administrator see the traffic?

- The interzone-default policy is disabled by default.
- Traffic is being denied on the interzone-default policy.
- Logging on the interzone-default policy is disabled.
- The Log Forwarding profile is not configured on the policy.

What do you configure if you want to set up a group of objects based on their ports alone?

- address groups
- custom objects
- application groups
- service groups

What are two valid selections within a Vulnerability Protection profile? (Choose two.)

- deny
- drop
- default
- sinkhole

Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)

- Tap
- HA
- Layer 3
- Layer 2
- Virtual Wire

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic. Which security policy action causes this?

- Drop
- Drop, send ICMP Unreachable
- Reset both
- Reset server

When creating an Admin Role profile, if no changes are made, which two administrative methods will you have full access to? (Choose two.)

- web UI
- XML API
- command line
- REST API

An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released. Which object should the administrator use as a match condition in the Security policy?

- the Online Storage and Backup URL category
- the Content Delivery Networks URL category
- an application group containing all of the file-sharing App-IDs reported in the traffic logs
- an application filter for applications whose subcategory is file-sharing

Which list of actions properly defines the order of steps needed to add a local database user account and create a new group to which this user will be assigned?

- 1. Navigate to Device > Local User Database > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
- 1. Navigate to Device > Authentication Profile > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
- 1. Navigate to Device > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.
- 1. Navigate to Device > Admins and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.

When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)

- server profile
- admin role
- password profile
- access domain

An administrator is configuring a NAT rule. At a minimum, which three forms of information are required? (Choose three.)

- source zone
- name
- destination interface
- destination zone
- destination address

An administrator wants to prevent hacking attacks through DNS queries to malicious domains. Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)

- deny
- block
- sinkhole
- override

An administrator is creating a NAT policy. Which combination of address and zone are used as match conditions? (Choose two.)

- Pre-NAT address
- Pre-NAT zone
- Post-NAT address
- Post-NAT zone

A network administrator is required to use a dynamic routing protocol for network connectivity. Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)

- OSPF
- EIGRP
- IS-IS
- BGP
- RIP

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the SERVER zone to the DMZ on SSH only. Which rule group enables the required traffic?

- DMZ 10.0.1.0/24 Interlink 10.0.10.0/30 Interlink 10.0.10.0/30 Server 172.20.20.0/24 Interlink 10.0.10.0/30 DMZ 10.0.1.0/24 Server 172.20.20.0/24 Interlink 10.0.10./30
- DMZ 10.0.1.0/24 Server 172.20.20.0/24 DMZ 10.0.1.0/24 Server 172.20.20.0/24 server 172.20.20.0/24 DMZ 10.0.1.0/24 server 172.20.20.0/24 DMZ 10.0.1.0/24
- DMZ 10.0.1.0/24 Interlink 172.20.20.0/24 Interlink 10.0.1.0/24 Server 172.20.20.0/24 Interlink 172.20.20.0/24 DMZ 10.0.1.0/24 Server 172.20.20.0/24 Interlink 10.0.1.0/24
- DMZ 10.0.1.0/24 Server 172.20.20.0/24 Interlink 10.0.1.0/24 Server 172.20.20.0/24 Server 172.20.20.0/24 DMZ 10.0.1.0/24 Server 172.20.20.0/24 Interlink 10.0.1.0/24

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?

- service route
- dynamic updates
- SNMP setup
- data redistribution

In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely, which protocol should you select when adding a new scheduled config export?

- HTTPS
- SMB v3
- SCP
- FTP

All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone. Complete the empty field in the Security policy using an application object to permit only this type of access. Source Zone: Internal - Destination Zone: DMZ Zone - Application: __________ Service: application-default - Action: allow.

- Application = "any"
- Application = "web-browsing"
- Application = "ssl"
- Application = "http"

An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established connections to remote systems.

- Set the hacking category to continue.
- Set the phishing category to override.
- Set the malware category to block.
- Set the Command and Control category to block.

An administrator would like to follow the best-practice approach to log the traffic that traverses the firewall. What action should they take?

- Enable both Log at Session Start and Log at Session End.
- Enable Log at Session End.
- Enable Log at Session Start.
- Disable all logging options.