PCNSA Free Practice Test

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

1. A. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL
2. B. Configure a frequency schedule to clear group mapping cache
3. C. Configure a Primary Employee ID number for user-based Security policies
4. D. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389

Correct Answer: B
If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL, then create another LDAP server profile to connect to the root domain controllers on port 389. This helps ensure that users and group information is available for all domains and subdomains.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.
On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.
Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

1. A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application
2. B. No impact because the apps were automatically downloaded and installed
3. C. No impact because the firewall automatically adds the rules to the App-ID interface
4. D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the applications

Correct Answer: A
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content

Which action results in the firewall blocking network traffic with out notifying the sender?

1. A. Drop
2. B. Deny
3. C. Reset Server
4. D. Reset Client

Correct Answer: B

Given the detailed log information above, what was the result of the firewall traffic inspection?

1. A. It was blocked by the Vulnerability Protection profile action.
2. B. It was blocked by the Anti-Virus Security profile action.
3. C. It was blocked by the Anti-Spyware Profile action.
4. D. It was blocked by the Security policy action.

Correct Answer: C

Which component is a building block in a Security policy rule?

1. A. decryption profile
2. B. destination interface
3. C. timeout (min)
4. D. application

Correct Answer: D