Which CLI command will help confirm if FQDN objects are resolved in the event there is a shadow rule?
Answer : A
The show system fqdn command displays the FQDN objects configured on the firewall and their resolved IP addresses. This can help confirm if the FQDN objects are resolved correctly and if they match the expected traffic. A shadow rule is a rule that is never matched because a preceding rule covers the same traffic. If a shadow rule uses FQDN objects, it is possible that the FQDN objects are not resolved or have different IP addresses than the traffic, causing the rule to be ineffective.
An administrator should filter NGFW traffic logs by which attribute column to determine if the entry is for the start or end of the session?
Answer : B
The Type attribute column in the NGFW traffic logs indicates whether the log entry is for the start or end of the session. The possible values are START, END, DROP, DENY, and INVALID. The START value means that the log entry is for the start of the session, and the END value means that the log entry is for the end of the session. The other values indicate that the session was terminated by the firewall for various reasons [1][2]. Reference: Traffic Log Fields, Session Log Best Practices
Which feature enables an administrator to review the Security policy rule base for unused rules?
Answer : D
The Policy Optimizer feature enables an administrator to review the Security policy rule base for unused rules, unused applications, and shadowed rules. The Policy Optimizer provides information and recommendations to help optimize the Security policy rules and reduce the attack surface. The Policy Optimizer can also identify rules that can be converted to use App-ID instead of port-based criteria [1][2]. Reference: Policy Optimizer, Tips & Tricks: How to Identify Unused Policies on a Palo Alto Networks Device
What two actions can be taken when implementing an exception to an External Dynamic List? (Choose two.)
Answer : A, B
In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)
Answer : A, D, E
The application characteristics can be found in three places on the PAN-OS interface: Objects tab > Application Filters, Objects tab > Application Groups, and Objects tab > Applications. These places allow you to view and manage the applications and application groups that are used in your Security policy rules. You can also create custom applications and application filters based on various attributes, such as category, subcategory, technology, risk, and behavior. Some of the characteristics of these places are:
Objects tab > Application Filters: An application filter is a dynamic object that groups applications based on specific criteria. You can use an application filter to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application filter that includes all applications that have a high risk level or use peer-to-peer technology.
Objects tab > Application Groups: An application group is a static object that groups applications based on your custom requirements. You can use an application group to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application group that includes all applications that are related to a specific business function or project.
Objects tab > Applications: An application is an object that identifies and classifies network traffic based on App-ID, which is a technology that uses multiple attributes to identify applications. You can use an application to match a specific application in a Security policy rule and control its access and behavior. For example, you can use an application to allow web browsing but block file sharing or social networking.
Which feature enables an administrator to review the Security policy rule base for unused rules?
Answer : B
Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an App-ID based rulebase, which improves your security by reducing the attack surface and gaining visibility into applications so you can safely enable them. Policy Optimizer can also identify unused rules, duplicate rules, and rules that can be merged or reordered to optimize your rulebase. You can use Policy Optimizer to review the usage statistics of your rules and take actions to clean up or modify your rulebase as needed [1]. Reference: Security Policy Rule Optimization, Updated Certifications for PAN-OS 10.1, Free PCNSE Questions for Palo Alto Networks PCNSE Exam
Which two features implement one-to-one translation of a source IP address while allowing the source port to change? (Choose two.)