Browse Exams Pricing

ExamsPCNSAQuestions

PCNSA Exam Questions

422 real PCNSA exam questions with expert-verified answers and explanations. Page 4 of 9.

Question #156Configure
Which two rule types allow the administrator to modify the destination zone? (Choose two.)
Security PoliciesRule TypesZone Configuration
Question #157Policy Evaluation and Management
What is the main function of Policy Optimizer?
Policy OptimizerSecurity PoliciesApplication-based rulesRule Optimization
Question #158Policy Evaluation and Management
Based on the screenshot, what is the purpose of the group in User labelled "it"?
User-IDSecurity PolicyUser GroupsAccess Control
Question #159Securing Traffic
Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic. Which statement accurately describes how the firewall...
Security PolicySecurity ProfilesAction PrecedenceTraffic Flow
Question #161Securing Traffic
Which license is required to use the Palo Alto Networks built-in IP address EDLs?
LicensingExternal Dynamic Lists (EDL)Threat PreventionSecurity Features
Question #162Device Management and Services
Which statement is true about Panorama managed devices?
PanoramaCentralized ManagementConfiguration LocksDevice Management
Question #163Policy Evaluation and Management
Which component is a building block in a Security policy rule?
Security PolicyPolicy RuleApplication
Question #164Configure
You have been tasked to configure access to a new web server located in the DMZ. Based on the diagram what configuration changes are required in the NGFW virtual router to route tr...
RoutingStatic RoutesVirtual RouterDMZ
Question #165Policy Evaluation and Management
An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new content becomes available. Which security...
App-IDSecurity PolicyDynamic UpdatesPolicy Actions
Question #166Device Management and Services
Selecting the option to revert firewall changes will replace what settings?
Configuration managementRevert changesCandidate configurationRunning configuration
Question #167Securing Traffic
An administrator has configured a Security policy where the matching condition includes a single application, and the action is deny. If the application's default deny action is re...
Security PolicyApplication Deny ActionTCP ResetTraffic Enforcement
Question #168Configure
Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)
Authentication ProtocolsData PlaneUser AuthenticationFirewall Configuration
Question #169Configure
Given the screenshot, what two types of route is the administrator configuring? (Choose two.)
Static routesDefault routesNetwork routingFirewall configuration
Question #170Securing Traffic
Which rule type is appropriate for matching traffic both within and between the source and destination zones?
Security PolicyRule TypesUniversal RulesTraffic Zones
Question #171Securing Traffic
An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the ICMP code "communication with the...
Security Policy ActionsICMP UnreachableTraffic ControlPalo Alto Firewall
Question #172Securing Traffic
You receive notification about new malware that infects hosts through malicious files transferred by FTP. Which Security profile detects and protects your internal networks from th...
Security ProfilesAntivirusThreat PreventionInbound Traffic
Question #173Securing Traffic
An administrator wants to prevent access to media content websites that are risky. Which two URL categories should be combined in a custom URL category to accomplish this goal? (Ch...
URL FilteringCustom URL CategoriesSecurity ProfilesRisk Categories
Question #174Securing Traffic
Which dynamic update type includes updated anti-spyware signatures?
Dynamic UpdatesAnti-spywareThreat PreventionFirewall Updates
Question #175Managing Objects
Which object would an administrator create to block access to all high-risk applications?
Application controlApplication filterSecurity policy objectsApplication identification
Question #176Securing Traffic
Which option is part of the content inspection process?
SSL DecryptionContent InspectionSecurity Profiles
Question #179Operate
What must be considered with regards to content updates deployed from Panorama?
PanoramaContent UpdatesUpdate ManagementOperational Constraints
Question #180Securing Traffic
During the packet flow process, which two processes are performed in application identification? (Choose two.)
App-IDPacket FlowApplication IdentificationApplication Override
Question #181Securing Traffic
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?
DNATSecurity PolicyPolicy MatchingFirewall Rules
Question #182Policy Evaluation and Management
What does an administrator use to validate whether a session is matching an expected NAT policy?
NAT policysession validationdiagnostic commandstroubleshooting
Question #183Device Management and Services
What is the purpose of the automated commit recovery feature?
Automated Commit RecoveryPanorama ManagementFirewall Configuration RevertConfiguration Management
Question #184Device Management and Services
According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?
Antivirus UpdatesSecurity Best PracticesThreat Prevention
Question #186Securing Traffic
Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?
Security PolicyExternal Dynamic List (EDL)Source AddressPolicy Matching
Question #187Securing Traffic
URL categories can be used as match criteria on which two policy types? (Choose two.)
URL categoriesAuthentication policySSL decryptionPolicy match criteria
Question #188Operate
Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)
Traffic LogsSecurity ProfilesSSL DecryptionFirewall Monitoring
Question #189Securing Traffic
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, wher...
DNATSecurity PolicyApplication ControlZone-Based Policy
Question #190Securing Traffic
Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to exploit system flaws?
Vulnerability ProtectionSecurity ProfilesExploit PreventionSecurity Policy
Question #191Policy Evaluation and Management
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
Application DependenciesPAN-OS GUISecurity PoliciesCommit Status
Question #192Policy Evaluation and Management
What action will inform end users when their access to Internet content is being restricted?
Response PagesUser NotificationURL FilteringPolicy Enforcement
Question #193Device Management and Services
What is a recommended consideration when deploying content updates to the firewall from Panorama?
Content UpdatesPanorama ManagementVersion CompatibilityFirewall Management
Question #194Device Management and Services
Which information is included in device state other than the local configuration?
PanoramaDevice ConfigurationConfiguration ManagementDevice State
Question #195Device Management and Services
Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?
SSL/TLSCertificatesService ProfilesDevice Management
Question #196Policy Evaluation and Management
An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration. What should the administrator do?
TroubleshootingSecurity PolicyLoggingIntrazone Traffic
Question #197Securing Traffic
When is the content inspection performed in the packet flow process?
Packet FlowContent InspectionApp-IDSecurity Processing
Question #198Policy Evaluation and Management
During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?
App-ID UpdateSecurity PolicyPolicy ManagementFirewall Administration
Question #199Managing Objects
When creating a custom URL category object, which is a valid type?
Custom URL CategoriesURL FilteringPolicy ObjectsPalo Alto Networks Configuration
Question #200Device Management and Services
When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?
Management portsGlobalProtectHTTPS managementPort conflict
Question #201Device Management and Services
What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control? (Choose two.)
Authentication MethodsRole-Based Access Control (RBAC)TACACS+SAML
Question #202Securing Traffic
Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?
DNS SecuritySinkholingThreat PreventionSecurity Policy Action
Question #203Operate
Which stage of the cyber-attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and risky websites?
Cyber Kill ChainUser AwarenessPhishing PreventionAttack Delivery Stage
Question #204Securing Traffic
What are three factors that can be used in domain generation algorithms? (Choose three.)
Domain Generation AlgorithmsMalware C2Network Security
Question #205Managing Objects
Which action would an administrator take to ensure that a service object will be available only to the selected device group?
PanoramaObject ManagementService ObjectsDevice Group Hierarchy
Question #206Configure
If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?
User-IDActive DirectoryGroup MappingLDAP
Question #207Device Management and Services
Which administrative management services can be configured to access a management interface?
Management InterfaceAdministrative ProtocolsCLI AccessGUI Access
Question #208Securing Traffic
Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute il...
Threat PreventionBulletproof HostingIP BlockingThreat Intelligence
Question #209Managing Objects
Which attribute can a dynamic address group use as a filtering condition to determine its membership?
Dynamic Address GroupsObjectsFilteringTags

PreviousPage 4 of 9Next

study smarter, certify faster.

Product

Browse Exams
Pricing
PDF Downloads

Resources

Blog
Glossary
Topics
FAQ
Contact Us

Legal

Terms of Service
Privacy Policy
Cookie Policy
DMCA
Refund Policy

Company

About
Contact

© 2026 NerdExam. All rights reserved.Built for IT professionals

NerdExam is a trading name of WADL Solutions Limited, a company incorporated in Hong Kong (CR# 80143234). Registered office: Unit 2904-05, 29/F, Universal Trade Centre, 3 Arbuthnot Road, Central, Hong Kong.

CompTIA, AWS, Cisco, Microsoft, Google Cloud, Oracle, VMware, and other certification names referenced on this site are trademarks of their respective owners. NerdExam is not affiliated with, endorsed by, or sponsored by any certification vendor.