Palo Alto Networks Palo Alto Networks Certifications PCNSA Free Dumps 2023

Jonnie Karnath2023-04-20T21:58:27+00:00

Palo Alto Networks PCNSA free dumps from Certspots is an excellent resource for anyone who is preparing for the Palo Alto Networks Certifications certification exam. They are updated regularly to reflect the latest exam trends and requirements. This means that you can be sure that the questions you are practicing with are relevant to the exam you are preparing for. Using Certspots Palo Alto Networks Palo Alto Networks Certifications PCNSA free dumps can also help you identify areas where you need to focus your study efforts. By practicing with the questions, you can gauge your understanding of the material and identify areas where you may need additional study. You can practice our PCNSA free dumps today and get one step closer to achieving your certification goals.

Page 1 of 12

1. How does the Policy Optimizer policy view differ from the Security policy view?

It provides sorting options that do not affect rule order

It specifies applications seen by rules

It displays rule utilization

It details associated zones

2. Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided password?

exclude

continue

hold

override

3. An administrator has configured a Security policy where the matching condition includes a single application, and the action is deny.

If the application's default deny action is reset-both, what action does the firewall take?

A. It silently drops the traffic.

A. B. It silently drops the traffic and sends an ICMP unreachable code.

C. It sends a TCP reset to the server-side device.

D. It sends a TCP reset to the client-side and server-side devices.

4. By default, which action is assigned to the intrazone-default rule?

Reset-client

Reset-server

Deny

Allow

5. You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-control server.

Which Security Profile when applied to outbound Security policy rules detects and prevents this threat from establishing a command-and-control connection?

Antivirus Profile

Data Filtering Profile

Vulnerability Protection Profile

Anti-Spyware Profile

6. Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane?

Kerberos user

SAML user

local database user

local user

7. Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)

Layer 2

Virtual Wire

Tap

Layer 3

8. Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

Untrust (any) to DMZ (10.1.1.100), web browsing -Allow

Untrust (any) to Untrust (1.1.1.100), web browsing -Allow

Untrust (any) to Untrust (10.1.1.100), web browsing -Allow

Untrust (any) to DMZ (1.1.1.100), web browsing -Allow

9. Which statement is true regarding NAT rules?

Static NAT rules have precedence over other forms of NA

Translation of the IP address and port occurs before security processing.

NAT rules are processed in order from top to bottom.

Firewall supports NAT on Layer 3 interfaces only.

10. How often does WildFire release dynamic updates?

every 5 minutes

every 15 minutes

every 60 minutes

every 30 minutes

Page 2 of 12

11. An administrator would like to block traffic to all high risk audio streaming applications, including new App-IDs introduced with content updates.

Which filter should the administrator configure in the application filter object?

The category is media, and the characteristic includes Evasive.

The subcategory is audio-streaming, and the risk is 1.

The subcategory is audio-streaming, and the risk is 5.

The category is media, and the tag is high risk.

12. If using group mapping with Active Directory Universal Groups, what must you do when configuring the User-ID?

A. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL

A. B. Configure a frequency schedule to clear group mapping cache

C. Configure a Primary Employee ID number for user-based Security policies

D. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or

13. The data plane provides which two data processing features of the firewall? (Choose two.)

signature matching

reporting

network processing

logging

14. An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

Rules without App Controls

New App Viewer

Rule Usage -Unused

Unused Apps

15. Application groups enable access to what?

Applications that are explicitly unsanctioned for use within a company

Applications that are not explicitly unsanctioned and that an administrator wants users to be able to access

Applications that are explicitly sanctioned for use within a company

Applications that are not explicitly sanctioned and that an administrator wants users to be able to access

16. Which Security profile can be used to detect and block compromised hosts from trying to communicate with external command-and-control (C2) servers?

URL Filtering

Antivirus

Vulnerability

Anti-Spyware

17. An administrator is trying to implement an exception to an external dynamic list manually. Some entries are shown underlined in red.

What would cause this error?

Entries contain symbols.

Entries are wildcards.

Entries contain regular expressions.

Entries are duplicated.

18. Issue to the Client a Certificate with Common Name = New Admin

19. Based on the security policy rules shown, ssh will be allowed on which port?

20. Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

override

allow

block

continue

Page 3 of 12

21. Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known Malicious IP Addresses list?

destination address

source address

destination zone

source zone

22. With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability security profile?

Vulnerability Exceptions

Advanced Rules

Inline Cloud Analysis

WildFire Inline ML

23. Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

A. authorization

B. continue

C. authentication

D. override

A.

24. The Administrator profile "PCNSA Admin" is configured with an Authentication profile "Authentication Sequence PCNSA".

The Authentication Sequence PCNSA has a profile list with four Authentication profiles: Auth Profile LDAP

Auth Profile Radius Auth Profile Local Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "PCNSA Admin" username and password.

Which option describes the "PCNSA Admin" login capabilities after the outage?

Auth OK because of the Auth Profile TACACS

Auth KO because RADIUS server lost user and password for PCNSA Admin

Auth OK because of the Auth Profile Local

Auth KO because LDAP server is not reachable

25. You notice that protection is needed for traffic within the network due to malicious lateral movement activity.

Based on the image shown, which traffic would you need to monitor and block to mitigate the malicious activity?

branch office traffic

north-south traffic

perimeter traffic

east-west traffic

26. An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ or Untrust zones.

The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where the source and destination zones are VPN.

Which Security policy rule type should they use?

Interzone

Universal

Intrazone

Default

27. In which threat profile object would you configure the DNS Security service?

Anti-Spyware

URL Filtering

Antivirus

WildFire

28. Which rule type is appropriate for matching traffic both within and between the source and destination zones?

interzone

shadowed

intrazone

universal

29. What are two valid selections within an Antivirus profile? (Choose two.)

deny

drop

default

block-ip

30. Starting with PAN-OS version 9.1, which new type of object is supported for use within the User field of a Security policy rule?

remote username

dynamic user group

static user group

local username

Page 4 of 12

31. Which solution is a viable option to capture user identification when Active Directory is not in use?

Cloud Identity Engine

group mapping

Directory Sync Service

Authentication Portal

32. An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address.

What is the most appropriate NAT policy to achieve this?

Dynamic IP and Port

Dynamic IP

Static IP

Destination

33. An internal host wants to connect to servers of the internet through using source NAT.

Which policy is required to enable source NAT on the firewall?

NAT policy with source zone and destination zone specified

post-NAT policy with external source and any destination address

NAT policy with no source of destination zone selected

pre-NAT policy with external source and any destination address

34. A network has 10 domain controllers, multiple WAN links, and a network infrastructure with bandwidth needed to support mission-critical applications. Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

Windows-based agent on a domain controller

Captive Portal

Citrix terminal server with adequate data-plane resources

PAN-OS integrated agent

35. Which statement is true about Panorama managed devices?

Panorama automatically removes local configuration locks after a commit from Panorama.

Local configuration locks prohibit Security policy changes for a Panorama managed device.

Security policy rules configured on local firewalls always take precedence.

Local configuration locks can be manually unlocked from Panorama.

36. How is an address object of type IP range correctly defined?

192.168.40.1-192.168.40.255

192.168.40.1-255

192.168.40.1, 192.168.40.255

192.168.40.1/24

37. When configuring a security policy, what is a best practice for User-ID?

Use only one method for mapping IP addresses to usernames.

Allow the User-ID agent in zones where agents are not monitoring services.

Limit User-ID to users registered in an Active Directory server.

Deny WMI traffic from the User-ID agent to any external zone.

38. Which information is included in device state other than the local configuration?

uncommitted changes

audit logs to provide information of administrative account changes

system logs to provide information of PAN-OS changes

device group and template settings pushed from Panorama

39. Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

At the CLI enter the command reset rules and press Enter

Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

Reboot the firewall

Use the Reset Rule Hit Counter > All Rules option

40. Why should a company have a File Blocking profile that is attached to a Security policy?

To block uploading and downloading of any type of files

To block uploading and downloading of specific types of files

To detonate files in a sandbox environment

To analyze file types

Page 5 of 12

41. Which two settings allow you to restrict access to the management interface? (Choose two )

enabling the Content-ID filter

administrative management services

restricting HTTP and telnet using App-ID

permitted IP addresses

42. Which two features can be used to tag a username so that it is included in a dynamic user group?

(Choose two.)

A. GlobalProtect agent

A. B. XML API

C. User-ID Windows-based agent

D. log forwarding auto-tagging

43. What are two valid selections within a Vulnerability Protection profile? (Choose two.)

deny

drop

default

sinkhole

44. What can be achieved by selecting a policy target prior to pushing policy rules from Panorama?

Doing so limits the templates that receive the policy rules

Doing so provides audit information prior to making changes for selected policy rules

You can specify the firewalls m a device group to which to push policy rules

You specify the location as pre can -or post-rules to push policy rules

45. Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that passes within the zones?

global

intrazone

interzone

universal

46. An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to contact and command-and-control (C2) server.

Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?

antivirus profile applied to outbound security policies

data filtering profile applied to inbound security policies

data filtering profile applied to outbound security policies

vulnerability profile applied to inbound security policies

47. Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?

north-south

inbound

outbound

east-west

48. An interface can belong to how many Security Zones?

A. 1

A. B. 2

C. 3

D. 4

49. With the DNS Security subscription, when will the cloud-based signature database provide users access to newly added DNS signatures?

Within five minutes, after downloading updates

Instantly, after downloading updates

Within five minutes, without downloading updates

Instantly, without downloading updates

50. Which Palo Alto Networks component provides consolidated policy creation and centralized management?

GlobalProtect

Panorama

Aperture

AutoFocus

Page 6 of 12

51. An administrator needs to add capability to perform real-time signature lookups to block or sinkhole all known malware domains.

Which type of single unified engine will get this result?

User-ID

App-ID

Security Processing Engine

Content-ID

52. An administrator is reviewing another administrator's Security policy log settings.

Which log setting configuration is consistent with best practices for normal traffic?

Log at Session Start and Log at Session End both enabled

Log at Session Start enabled, Log at Session End disabled

Log at Session Start disabled, Log at Session End enabled

Log at Session Start and Log at Session End both disabled

53. An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list.

What is the maximum number of entries that they can be excluded?

100

200

1,000

54. A coworker found a USB labeled "confidential in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware The malware caused the laptop to begin infiltrating corporate data.

Which Security Profile feature could have been used to detect the malware on the laptop?

DNS Sinkhole

WildFire Analysis

Antivirus

DoS Protection

55. Which statement is true regarding a Best Practice Assessment?

The BPA tool can be run only on firewalls

It provides a percentage of adoption for each assessment data

The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

56. URL categories can be used as match criteria on which two policy types? (Choose two.)

authentication

decryption

application override

NAT

57. Review the screenshot below.

Based on the information it contains, which protocol decoder will detect a machine-learning match, create a Threat log entry, and permit the traffic?

A. smb

B. imap

C. ftp

D. http2

58. Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?

internal-inside-dmz

engress outside

inside-portal

interzone-default

59. A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT. Finance, and HR.

Which two types of traffic will the rule apply to? (Choose two)

traffic between zone IT and zone Finance

traffic between zone Finance and zone HR

traffic within zone IT

traffic within zone HR

60. Which statement is true regarding a Prevention Posture Assessment?

A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories

B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C. It provides a percentage of adoption for each assessment area

A. D. It performs over 200 security checks on Panorama/firewall for the assessment

Page 7 of 12

61. What is the maximum volume of concurrent administrative account sessions?

Unlimited

62. Where can you apply URL Filtering policy in a Security policy rule?

Within the applications selection

Within a destination address

Within a service type

Within the actions tab

63. All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.

Complete the empty field in the Security policy using an application object to permit only this type of access.

Source Zone: Internal

Destination Zone: DMZ Zone

Application: _________

Service: application-default

Action: allow

Application = "any"

Application = "web-browsing"

Application = "ssl"

Application = "http"

64. What does an application filter help you to do?

It dynamically provides application statistics based on network, threat, and blocked activity,

It dynamically filters applications based on critical, high, medium, low. or informational severity.

It dynamically groups applications based on application attributes such as category and subcategory.

It dynamically shapes defined application traffic based on active sessions and bandwidth usage.

65. An administrator is reviewing the Security policy rules shown in the screenshot.

Why are the two fields in the Security policy EDL-Deny highlighted in red?

A. Because antivirus inspection is enabled for this policy

B. Because the destination zone, address, and device are all "any"

C. Because the action is Deny

A. D. Because the Security-EDL tag has been assigned the red color

66. Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized.

Which User-ID agent is sufficient in your network?

Windows-based agent deployed on each domain controller

PAN-OS integrated agent deployed on the firewall

Citrix terminal server agent deployed on the network

Windows-based agent deployed on the internal network a domain member

67. Which two configuration settings shown are not the default? (Choose two.)

Enable Security Log

Server Log Monitor Frequency (sec)

Enable Session

Enable Probing

68. What are two valid selections within an Anti-Spyware profile? (Choose two.)

Random early drop

Drop

Deny

Default

69. If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?

Some traffic between A & B

Some traffic within A

All traffic within zones A & B

Some traffic within B

70. An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to update the Security policy or object when new applications are released.

Which object should the administrator use as a match condition in the Security policy?

A. the Content Delivery Networks URL category

B. the Online Storage and Backup URL category

C. an application group containing all of the file-sharing App-IDs reported in the traffic logs

A. D. an application filter for applications whose subcategory is file-sharing

Page 8 of 12

71. Which interface type can use virtual routers and routing protocols?

Tap

Layer3

Virtual Wire

Layer2

72. Within the WildFire Analysis profile, which three items are configurable? (Choose three.)

FileType

Direction

Service

Application

Objects

73. During the packet flow process, which two processes are performed in application identification?

(Choose two.)

pattern based application identification

application override policy match

session application identified

application changed from content inspection

74. Which protocol is used to map usernames to user groups when User-ID is configured?

SAML

RADIUS

TACACS+

LDAP

75. The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.

What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

Add static routes to route between the two interfaces

Add interfaces to the virtual router

Add zones attached to interfaces to the virtual router

Enable the redistribution profile to redistribute connected routes

76. An administrator would like to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 devices groups and five templates.

Which configuration action should the administrator take when creating the address object?

A. Ensure that Disable Override is cleared.

B. Ensure that the Shared option is cleared.

C. Ensure that the Shared option is checked.

A. D. Tag the address object with the Global tag.

77. Which dynamic update type includes updated anti-spyware signatures?

PAN-DB

Applications and Threats

GlobalProtect Data File

Antivirus

78. An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets.

What are two security policy actions the administrator can select? (Choose two.)

Reset server

Reset both

Drop

Deny

79. Which path is used to save and load a configuration with a Palo Alto Networks firewall?

Device>Setup>Services

Device>Setup>Management

Device>Setup>Operations

Device>Setup>Interfaces

80. Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

A. on the App Dependency tab in the Commit Status window

B. on the Policy Optimizer's Rule Usage page

C. on the Application tab in the Security Policy Rule creation window

A. D. on the Objects > Applications browser pages

Page 9 of 12

81. Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

Tap

Virtual Wire

Layer 2

Layer 3

82. An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

Eleven rules use the "Infrastructure* tag.

The view Rulebase as Groups is checked.

There are seven Security policy rules on this firewall.

Highlight Unused Rules is checked.

83. Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall permissions?

Role-based

Multi-Factor Authentication

Dynamic

SAML

84. An administrator is creating a Security policy rule and sees that the destination zone is grayed out.

While creating the rule, which option was selected to cause this?

Interzone

Source zone

Universal (default)

Intrazone

85. Drag and Drop Question

Match the Cyber-Attack Lifecycle stage to its correct description.

86. An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.

Which Security profile should be used?

A. Vulnerability protection

A. B. Anti-spyware

C. URL filtering

D. Antivirus

87. An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are available for any known user in the organization.

What object is best suited for this configuration?

Application Group

Tag

External Dynamic List

Application Filter

88. Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

User identification

Filtration protection

Vulnerability protection

Antivirus

Application identification

Anti-spyware

89. What is the main function of Policy Optimizer?

reduce load on the management plane by highlighting combinable security rules

migrate other firewall vendors' security rules to Palo Alto Networks configuration

eliminate "Log at Session Start" security rules

convert port-based security rules to application-based security rules

90. What is an advantage for using application tags?

They are helpful during the creation of new zones

They help with the design of IP address allocations in DHC

They help content updates automate policy updates

They help with the creation of interfaces

Page 10 of 12

91. Which two protocols are available on a Palo Alto Networks Firewall Interface Management Profile? (Choose two.)

HTTPS

RDP

SCP

SSH

92. An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.

What should the administrator do?

change the logging action on the rule

review the System Log

refresh the Traffic Log

tune your Traffic Log filter to include the dates

93. What are the two ways to implement an exception to an external dynamic list? (Choose two.)

Edit the external dynamic list by removing the entries to exclude.

Select the entries to exclude from the List Entries list.

Manually add an entry to the Manual Exceptions list.

Edit the external dynamic list by adding the "-" symbol before the entries to exclude.

94. Which parameter is used to view the Security policy rulebase as groups?

Tags

Service

Type

Action

95. What is the default action for the SYN Flood option within the DoS Protection profile?

Reset-client

Alert

Sinkhole

Random Early Drop

96. Which type of firewall configuration contains in-progress configuration changes?

backup

running

candidate

committed

97. Which action would an administrator take to ensure that a service object will be available only to the selected device group?

create the service object in the specific template

uncheck the shared option

ensure that disable override is selected

ensure that disable override is cleared

98. Which tab would an administrator click to create an address object?

Objects

Monitor

Device

Policies

99. How are Application Filters or Application Groups used in firewall policy?

An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.

An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.

An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.

An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.

100. Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator account?

Root

Dynamic

Role-based

Superuser

Page 11 of 12

101. Which data flow direction is protected in a zero trust firewall deployment that is not protected in a perimeter-only firewall deployment?

outbound

north south

inbound

east west

102. What action will inform end users when their access to Internet content is being restricted?

Create a custom "URL Category" object with notifications enabled.

Publish monitoring data for Security policy deny logs.

Ensure that the "site access" setting for all URL sites is set to "alert".

Enable "Response Pages" on the interface providing Internet access.

103. In which stage of the Cyber-Attack Lifecycle would the attacker inject a PDF file within an email?

A. Weaponization

B. Reconnaissance

C. Installation

A. D. Command and Control

E. Exploitation

104. When creating a custom URL category object, which is a valid type?

domain match

host names

wildcard

category match

105. Config logs display entries for which kind of firewall changes?

configuration

system logs

debugs

resets

106. Ethernet 2/1 has an IP Address of 10.0.1.2 in Zone 'trust' (LAN).

If both interfaces are connected to the same virtual router, which IP address information will an administrator need to enter in the Destination field to access the internet?

0.0.0.0

10.0.2.1/32

10.0.1.254/32

0.0.0.0/0

107. When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)

password profile

access domain

admin role

server profile

108. Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

Panorama > Device Deployment > Dynamic Updates > Schedules > Add

Panorama > Device Deployment > Content Updates > Schedules > Add

Panorama > Dynamic Updates > Device Deployment > Schedules > Add

Panorama > Content Updates > Device Deployment > Schedules > Add

109. You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in common application.

Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

Data Filtering Profile applied to outbound Security policy rules

Antivirus Profile applied to outbound Security policy rules

Data Filtering Profile applied to inbound Security policy rules

Vulnerability Protection Profile applied to inbound Security policy rules

110. Assume a custom URL Category Object of "NO-FILES" has been created to identify a specific website?

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILE

Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate File Blocking profile.

Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILE

Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate Data Filtering profile.

Page 12 of 12

111. Which object would an administrator create to block access to all high-risk applications?

HIP profile

Vulnerability Protection profile

application group

application filter

112. An administrator is reviewing another administrator s Security policy log settings.

Which log setting configuration is consistent with best practices tor normal traffic?

A. Log at Session Start and Log at Session End both enabled

B. Log at Session Start disabled Log at Session End enabled

C. Log at Session Start enabled

A. Log at Session End disabled

D. Log at Session Start and Log at Session End both disabled

113. An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.

Which security policy action causes this?

Drop

Drop, send ICMP Unreachable

Reset both

Reset client

114. Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic.

Which statement accurately describes how the firewall will apply an action to matching traffic?

If it is a block rule, then Security Profile action is applied last.

If it is an allow rule, then the Security policy rule is applied last.

If it is a block rule, then the Security policy rule action is applied last.

If it is an allowed rule, then the Security Profile action is applied last.

115. An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone. The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

A. default

B. universal

C. intrazone

D. interzone

A.

116. Which update option is not available to administrators?

New Spyware Notifications

New URLs

New Application Signatures

New Malicious Domains

New Antivirus Signatures

117. Given the topology, which zone type should zone A and zone B to be configured with?

Layer3

Ethernet

Layer2

Virtual Wire

118. An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile.

If a virus gets detected, how will the firewall handle the traffic?

It allows the traffic but generates an entry in the Threat logs.

It drops the traffic because the profile was not set to explicitly allow the traffic.

It allows the traffic because the profile was not set the explicitly deny the traffic.

It uses the default action assigned to the virus signature.

Facebook Twitter LinkedIn Google + Email