Free PCNSA Sample Questions — Palo Alto Networks Certified Network Security Administrator

How many levels can there be in a device-group hierarchy, below the shared level?

• A. 2
• B. 3
• C. 4
• D. 5

Which three Ethernet interface types are configurable on the Palo Alto Networks firewall? (Choose three.)

• A. Static
• B. Tap
• C. Dynamic
• D. Layer 3
• E. Virtual Wire

An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains. Which type of single, unified engine will get this result?

• A. Content ID
• B. App-ID
• C. Security Processing Engine
• D. User-ID

A Security Profile can block or allow traffic at which point?

• A. on either the data plane or the management plane
• B. after it is matched to a Security policy rule that allows or blocks traffic
• C. after it is matched to a Security policy rule that allows traffic
• D. before it is matched to a Security policy rule

A network administrator is required to use a dynamic routing protocol for network connectivity. Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)

• A. OSPF
• B. EIGRP
• C. IS-IS
• D. BGP
• E. RIP

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from the laptop. Which security profile feature could have been used to prevent the communication with the CnC server?

• A. Create an anti-spyware profile and enable DNS Sinkhole
• B. Create an antivirus profile and enable DNS Sinkhole
• C. Create a URL filtering profile and block the DNS Sinkhole category
• D. Create a security policy and enable DNS Sinkhole

What must first be created on the firewall for SAML authentication to be configured?

• A. Server Profile
• B. Server Policy
• C. Server Location
• D. Server Group

An administrator wants to prevent access to media content websites that are risky. Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

• A. recreation-and-hobbies
• B. streaming-media
• C. known-risk
• D. high-risk

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?

• A. north-south
• B. inbound
• C. outbound
• D. east-west

What is the purpose of the automated commit recovery feature?

• A. It reverts the Panorama configuration
• B. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama
• C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change
• D. It generates a config log after the Panorama configuration successfully reverts to the last running configuration

A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition the configuration was not saved prior to making the changes. Which action will allow the administrator to undo the changes?

• A. Revert to running configuration
• B. Load named configuration snapshot, and choose the first item on the list
• C. Revert to last saved configuration
• D. Load configuration version, and choose the first item on the list

Why should a company have a File Blocking profile that is attached to a Security policy?

• A. To block uploading and downloading of any type of files
• B. To block uploading and downloading of specific types of files
• C. To detonate files in a sandbox environment
• D. To analyze file types

An administrator would like to create a URL Filtering log entry when users browse to any gambling website. What combination of Security policy and Security profile actions is correct?

• A. Security policy = deny, Gambling category in URL profile = block
• B. Security policy = drop, Gambling category in URL profile = allow
• C. Security policy = allow, Gambling category in URL profile = alert
• D. Security policy = allow, Gambling category in URL profile = allow

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple applications in a dynamic environment?

• A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory
• B. Create an Application Group and add business-systems to it
• C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
• D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?

• A. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules
• B. Reboot the firewall
• C. Use the Reset Rule Hit Counter > All Rules option
• D. Use the CLI enter the command reset rules all

What must be configured before setting up Credential Phishing Prevention?

• A. Threat Prevention
• B. Anti Phishing Block Page
• C. User-ID
• D. Anti Phishing profiles

With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability security profile?

• A. Vulnerability Exceptions
• B. Advanced Rules
• C. Inline Cloud Analysis
• D. WildFire Inline ML

In which profile should you configure the DNS Security feature?

• A. Anti-Spyware Profile
• B. Zone Protection Profile
• C. Antivirus Profile
• D. URL Filtering Profile

Which statement is true regarding NAT rules?

• A. Translation of the IP address and port occurs before security processing
• B. Firewall supports NAT on Layer 3 interfaces only
• C. Static NAT rules have precedence over other forms of NAT
• D. NAT rules are processed in order from top to bottom

Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to exploit system flaws?

• A. URL filtering
• B. vulnerability protection
• C. file blocking
• D. anti-spyware