PCNSA Question #215: Real Exam Question with Answer & Explanation

Sign in or unlock PCNSA to reveal the answer and full explanation for question #215. The question stem and answer options stay visible for context.

Submitted by chen.hong· Apr 18, 2026Securing Traffic

Question

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones: 1. trust for internal networks 2. untrust to the internet Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two )

Options

ACreate a deny rule at the top of the policy from trust to untrust over any service and select
BCreate a deny rule at the top of the policy from trust to untrust with service application-default and
CCreate a deny rule at the top of the policy from trust to untrust over any service and add an
DCreate a deny rule at the top of the policy from trust to untrust with service application-default and

Unlock PCNSA to see the answer

You've previewed enough free PCNSA questions. Unlock PCNSA for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.

Unlock PCNSA - $49.99 / 30 days Sign in

Topics

#Security Policy#App-ID#Application Filtering#Evasive Applications

Full PCNSA Practice Browse All PCNSA Questions