PCNSA Free Practice Test

An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available.
Which security policy action causes this?

1. A. Reset server
2. B. Reset both
3. C. Deny
4. D. Drop

Correct Answer: C

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

1. A. block
2. B. sinkhole
3. C. alert
4. D. allow

Correct Answer: B
To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, configure the
log severity and policy settings for each DNS signature category, and then attach the profile to a security policy rule.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

1. A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create asecurity-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH
2. B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH
3. C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that containssource-port-TCP-22 should be create
4. D. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to anydestination-Ip-address
5. E. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from theSSH-servers to reach the server-admin

Correct Answer: B

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

1. A. Threat Prevention License
2. B. Threat Implementation License
3. C. Threat Environment License
4. D. Threat Protection License

Correct Answer: A

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?

1. A. 80
2. B. 8443
3. C. 4443
4. D. 443

Correct Answer: C