1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Topic 1 - Single Topic

Question #1 Topic 1

DRAG DROP -

Match the Palo Alto Networks Security Operating Platform architecture to its description.

Select and Place:

Question #2 Topic 1

Which plane on a Palo Alto Networks Firewall provides configuration, logging, and reporting functions on a separate processor?

A. management

B. network processing

C. data

D. security processing

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 1/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 1

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an

application identified by

App-ID as SuperApp_base.

On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be

deployed in 30 days.

Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application

B. No impact because the apps were automatically downloaded and installed

C. No impact because the firewall automatically adds the rules to the App-ID interface

D. All traffic matching the SuperApp_base, SuperApp_chat, and SuperApp_download is denied until the security administrator approves the

applications

Question #4 Topic 1

How many zones can an interface be assigned with a Palo Alto Networks firewall?

A. two

B. three

C. four

D. one

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 2/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #5 Topic 1

Which two configuration settings shown are not the default? (Choose two.)

A. Enable Security Log

B. Server Log Monitor Frequency (sec)

C. Enable Session

D. Enable Probing

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 3/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #6 Topic 1

Which dataplane layer of the graphic shown provides pattern protection for spyware and vulnerability exploits on a Palo Alto Networks Firewall?

A. Signature Matching

B. Network Processing

C. Security Processing

D. Data Interfaces

Question #7 Topic 1

Which option shows the attributes that are selectable when setting up application filters?

A. Category, Subcategory, Technology, and Characteristic

B. Category, Subcategory, Technology, Risk, and Characteristic

C. Name, Category, Technology, Risk, and Characteristic

D. Category, Subcategory, Risk, Standard Ports, and Technology

Question #8 Topic 1

Actions can be set for which two items in a URL filtering security profile? (Choose two.)

A. Block List

B. Custom URL Categories

C. PAN-DB URL Categories

D. Allow List

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 4/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #9 Topic 1

DRAG DROP -

Match the Cyber-Attack Lifecycle stage to its correct description.

Select and Place:

Question #10 Topic 1

Which two statements are correct about App-ID content updates? (Choose two.)

A. Updated application content might change how Security policy rules are enforced.

B. After an application content update, new applications must be manually classified prior to use.

C. Existing security policy rules are not affected by application content updates.

D. After an application content update, new applications are automatically identified and classified.

Question #11 Topic 1

Which User-ID mapping method should be used for an environment with users that do not authenticate to Active Directory?

A. Windows session monitoring

B. passive server monitoring using the Windows-based agent

C. Captive Portal

D. passive server monitoring using a PAN-OS integrated User-ID agent

Question #12 Topic 1

An administrator needs to allow users to use their own office applications. How should the administrator configure the firewall to allow multiple

applications in a dynamic environment?

A. Create an Application Filter and name it Office Programs, then filter it on the business-systems category, office-programs subcategory

B. Create an Application Group and add business-systems to it

C. Create an Application Filter and name it Office Programs, then filter it on the business-systems category

D. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 5/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #13 Topic 1

Which statement is true regarding a Best Practice Assessment?

A. The BPA tool can be run only on firewalls

B. It provides a percentage of adoption for each assessment area

C. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention

activities

D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

Question #14 Topic 1

Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?

A. intrazone-default

B. Deny Google

C. allowed-security services

D. interzone-default

Question #15 Topic 1

Choose the option that correctly completes this statement. A Security Profile can block or allow traffic ____________.

A. on either the data place or the management plane.

B. after it is matched by a security policy rule that allows traffic.

C. before it is matched to a Security policy rule.

D. after it is matched by a security policy rule that allows or blocks traffic.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 6/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #16 Topic 1

When creating a Source NAT policy, which entry in the Translated Packet tab will display the options Dynamic IP and Port, Dynamic, Static IP, and

None?

A. Translation Type

B. Interface

C. Address Type

D. IP Address

Question #17 Topic 1

Which interface does not require a MAC or IP address?

A. Virtual Wire

B. Layer3

C. Layer2

D. Loopback

Question #18 Topic 1

A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify

out-of-date or unused rules on the firewall?

A. Rule Usage Filter > No App Specified

B. Rule Usage Filter >Hit Count > Unused in 30 days

C. Rule Usage Filter > Unused Apps

D. Rule Usage Filter > Hit Count > Unused in 90 days

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 7/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #19 Topic 1

DRAG DROP -

Order the steps needed to create a new security zone with a Palo Alto Networks firewall.

Select and Place:

Question #20 Topic 1

What are two differences between an implicit dependency and an explicit dependency in App-ID? (Choose two.)

A. An implicit dependency does not require the dependent application to be added in the security policy

B. An implicit dependency requires the dependent application to be added in the security policy

C. An explicit dependency does not require the dependent application to be added in the security policy

D. An explicit dependency requires the dependent application to be added in the security policy

Question #21 Topic 1

Recently changes were made to the firewall to optimize the policies and the security team wants to see if those changes are helping.

What is the quickest way to reset the hit counter to zero in all the security policy rules?

A. At the CLI enter the command reset rules and press Enter

B. Highlight a rule and use the Reset Rule Hit Counter > Selected Rules for each rule

C. Reboot the firewall

D. Use the Reset Rule Hit Counter > All Rules option

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 8/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #22 Topic 1

Which two App-ID applications will you need to allow in your Security policy to use facebook-chat? (Choose two.)

A. facebook

B. facebook-chat

C. facebook-base

D. facebook-email

Question #23 Topic 1

Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management

plane resources?

A. Windows-based agent deployed on the internal network

B. PAN-OS integrated agent deployed on the internal network

C. Citrix terminal server deployed on the internal network

D. Windows-based agent deployed on each of the WAN Links

Question #24 Topic 1

Your company requires positive username attribution of every IP address used by wireless devices to support a new compliance requirement. You

must collect IP

`"to-user mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The

wireless devices are from various manufactures.

Given the scenario, choose the option for sending IP-to-user mappings to the NGFW.

A. syslog

B. RADIUS

C. UID redistribution

D. XFF headers

Question #25 Topic 1

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to

contact a command- and-control (C2) server.

Which two security profile components will detect and prevent this threat after the firewall's signature database has been updated? (Choose two.)

A. vulnerability protection profile applied to outbound security policies

B. anti-spyware profile applied to outbound security policies

C. antivirus profile applied to outbound security policies

D. URL filtering profile applied to outbound security policies

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 9/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #26 Topic 1

At which stage of the Cyber-Attack Lifecycle would the attacker attach an infected PDF file to an email?

A. Delivery

B. Reconnaissance

C. Command and Control

D. Exploitation

Question #27 Topic 1

Identify the correct order to configure the PAN-OS integrated USER-ID agent.

3. add the service account to monitor the server(s)

2. define the address of the servers to be monitored on the firewall

4. commit the configuration, and verify agent connection status

1. create a service account on the Domain Controller with sufficient permissions to execute the User- ID agent

A. 2-3-4-1

B. 1-4-3-2

C. 3-1-2-4

D. 1-3-2-4

Question #28 Topic 1

Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.

Complete the security policy to ensure only Telnet is allowed.

Security Policy: Source Zone: Internal to DMZ Zone __________services `Application defaults`, and action = Allow

A. Destination IP: 192.168.1.123/24

B. Application = "Telnet"

C. Log Forwarding

D. USER-ID = "Allow users in Trusted"

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 10/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #29 Topic 1

Based on the security policy rules shown, ssh will be allowed on which port?

A. 80

B. 53

C. 22

D. 23

Question #30 Topic 1

Which license must an Administrator acquire prior to downloading Antivirus Updates for use with the firewall?

A. Threat Prevention

B. WildFire

C. Antivirus

D. URL Filtering

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 11/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #31 Topic 1

An administrator notices that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image

shown, which traffic would the administrator need to monitor and block to mitigate the malicious activity?

A. branch office traffic

B. north-south traffic

C. perimeter traffic

D. east-west traffic

Question #32 Topic 1

Given the topology, which zone type should zone A and zone B to be configured with?

A. Layer3

B. Tap

C. Layer2

D. Virtual Wire

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 12/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #33 Topic 1

To use Active Directory to authenticate administrators, which server profile is required in the authentication profile?

A. domain controller

B. TACACS+

C. LDAP

D. RADIUS

Question #34 Topic 1

Which interface type is used to monitor traffic and cannot be used to perform traffic shaping?

A. Layer 2

B. Tap

C. Layer 3

D. Virtual Wire

Question #35 Topic 1

Which administrator type provides more granular options to determine what the administrator can view and modify when creating an administrator

account?

A. Root

B. Dynamic

C. Role-based

D. Superuser

Question #36 Topic 1

Which administrator type utilizes predefined roles for a local administrator account?

A. Superuser

B. Role-based

C. Dynamic

D. Device administrator

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 13/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #37 Topic 1

Which two security profile types can be attached to a security policy? (Choose two.)

A. antivirus

B. DDoS protection

C. threat

D. vulnerability

Question #38 Topic 1

The CFO found a USB drive in the parking lot and decide to plug it into their corporate laptop. The USB drive had malware on it that loaded onto

their computer and then contacted a known command and control (CnC) server, which ordered the infected machine to begin Exfiltrating data from

the laptop.

Which security profile feature could have been used to prevent the communication with the CnC server?

A. Create an anti-spyware profile and enable DNS Sinkhole

B. Create an antivirus profile and enable DNS Sinkhole

C. Create a URL filtering profile and block the DNS Sinkhole category

D. Create a security policy and enable DNS Sinkhole

Question #39 Topic 1

Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?

A. Active Directory monitoring

B. Windows session monitoring

C. Windows client probing

D. domain controller monitoring

Question #40 Topic 1

Which three statements describe the operation of Security policy rules and Security Profiles? (Choose three.)

A. Security policy rules are attached to Security Profiles.

B. Security Profiles are attached to Security policy rules.

C. Security Profiles should be used only on allowed traffic.

D. Security policy rules inspect but do not block traffic.

E. Security policy rules can block or allow traffic.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 14/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #41 Topic 1

Given the image, which two options are true about the Security policy rules. (Choose two.)

A. The Allow-Office-Programs rule is using an Application Filter.

B. In the Allow-FTP policy, FTP is allowed using App-ID.

C. The Allow-Office-Programs rule is using an Application Group.

D. The Allow-Social-Media rule allows all of Facebook's functions.

Question #42 Topic 1

Which type of Security policy rule would match traffic flowing between the Inside zone and Outside zone, within the Inside zone, and within the

Outside zone?

A. global

B. intrazone

C. interzone

D. universal

Question #43 Topic 1

Which Palo Alto Networks firewall security platform provides network security for mobile endpoints by inspecting traffic deployed as internet

gateways?

A. GlobalProtect

B. AutoFocus

C. Aperture

D. Panorama

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 15/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #44 Topic 1

Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)

A. Path monitoring does not determine if route is useable.

B. Route with highest metric is actively used.

C. Path monitoring determines if route is useable.

D. Route with lowest metric is actively used.

Question #45 Topic 1

Given the Cyber-Attack Lifecycle diagram, identify the stage in which the attacker can run malicious code against a targeted machine.

A. Exploitation

B. Installation

C. Reconnaissance

D. Act on Objective

Question #46 Topic 1

Which file is used to save the running configuration with a Palo Alto Networks firewall?

A. running-config.xml

B. run-config.xml

C. running-configuration.xml

D. run-configuration.xml

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 16/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #47 Topic 1

In the example security policy shown, which two websites would be blocked? (Choose two.)

A. LinkedIn

B. Facebook

C. YouTube

D. Amazon

Question #48 Topic 1

Which Palo Alto Networks component provides consolidated policy creation and centralized management?

A. GlobalProtect

B. Panorama

C. Prisma SaaS

D. AutoFocus

Question #49 Topic 1

Which statement is true regarding a Prevention Posture Assessment?

A. The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture,

and other categories

B. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

C. It provides a percentage of adoption for each assessment area

D. It performs over 200 security checks on Panorama/firewall for the assessment

Question #50 Topic 1

Which five Zero Trust concepts does a Palo Alto Networks firewall apply to achieve an integrated approach to prevent threats? (Choose five.)

A. User identification

B. Filtration protection

C. Vulnerability protection

D. Antivirus

E. Application identification

F. Anti-spyware

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 17/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #51 Topic 1

The PowerBall Lottery has reached a high payout amount and a company has decided to help employee morale by allowing employees to check

the number, but doesn't want to unblock the gambling URL category.

Which two methods will allow the employees to get to the PowerBall Lottery site without the company unlocking the gambling URL category?

(Choose two.)

A. Add all the URLs from the gambling category except powerball.com to the block list and then set the action for the gambling category to

allow.

B. Manually remove powerball.com from the gambling URL category.

C. Add *.powerball.com to the allow list

D. Create a custom URL category called PowerBall and add *.powerball.com to the category and set the action to allow.

Question #52 Topic 1

Which service protects cloud-based applications such as Dropbox and Salesforce by administering permissions and scanning files for sensitive

information?

A. Aperture

B. AutoFocus

C. Panorama

D. GlobalProtect

Question #53 Topic 1

An administrator receives a global notification for a new malware that infects hosts. The infection will result in the infected host attempting to

contact and command-and-control (C2) server.

Which security profile components will detect and prevent this threat after the firewall's signature database has been updated?

A. antivirus profile applied to outbound security policies

B. data filtering profile applied to inbound security policies

C. data filtering profile applied to outbound security policies

D. vulnerability profile applied to inbound security policies

Question #54 Topic 1

Which update option is not available to administrators?

A. New Spyware Notifications

B. New URLs

C. New Application Signatures

D. New Malicious Domains

E. New Antivirus Signatures

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 18/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #55 Topic 1

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other

required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-

admin make?

A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE

to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH

B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-

address for application SSH

C. In addition to option a, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second

security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any

destination-Ip-address

D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-

IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin

Question #56 Topic 1

How often does WildFire release dynamic updates?

A. every 5 minutes

B. every 15 minutes

C. every 60 minutes

D. every 30 minutes

Question #57 Topic 1

What is the minimum frequency for which you can configure the firewall to check for new WildFire antivirus signatures?

A. every 30 minutes

B. every 5 minutes

C. every 24 hours

D. every 1 minute

Question #58 Topic 1

Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link

has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized.

Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

A. Windows-based agent on a domain controller

B. Captive Portal

C. Citrix terminal server agent with adequate data-plane resources

D. PAN-OS integrated agent

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 19/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #59 Topic 1

DRAG DROP -

Arrange the correct order that the URL classifications are processed within the system.

Select and Place:

Question #60 Topic 1

What must you configure to enable the firewall to access multiple Authentication Profiles to authenticate a non-local account?

A. authentication sequence

B. LDAP server profile

C. authentication server list

D. authentication list profile

Question #61 Topic 1

Which Security Profile mitigates attacks based on packet count?

A. zone protection profile

B. URL filtering profile

C. antivirus profile

D. vulnerability profile

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 20/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #62 Topic 1

Which interface type uses virtual routers and routing protocols?

A. Tap

B. Layer3

C. Virtual Wire

D. Layer2

Question #63 Topic 1

Which URL Filtering Profile action does not generate a log entry when a user attempts to access a URL?

A. Override

B. Allow

C. Block

D. Continue

Question #64 Topic 1

An internal host needs to connect through the firewall using source NAT to servers of the internet.

Which policy is required to enable source NAT on the firewall?

A. NAT policy with internal zone and internet zone specified

B. post-NAT policy with external source and any destination address

C. NAT policy with no internal or internet zone selected

D. pre-NAT policy with external source and any destination address

Question #65 Topic 1

Which Security Profile can provide protection against ICMP floods, based on individual combinations of a packet's source and destination IP

addresses?

A. DoS protection

B. URL filtering

C. packet buffering

D. anti-spyware

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 21/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #66 Topic 1

Which path in PAN-OS 9.0 displays the list of port-based security policy rules?

A. Policies> Security> Rule Usage> No App Specified

B. Policies> Security> Rule Usage> Port only specified

C. Policies> Security> Rule Usage> Port-based Rules

D. Policies> Security> Rule Usage> Unused Apps

Question #67 Topic 1

Which two components are utilized within the Single-Pass Parallel Processing architecture on a Palo Alto Networks Firewall? (Choose two.)

A. Layer-ID

B. User-ID

C. QoS-ID

D. App-ID

Question #68 Topic 1

Which path is used to save and load a configuration with a Palo Alto Networks firewall?

A. Device>Setup>Services

B. Device>Setup>Management

C. Device>Setup>Operations

D. Device>Setup>Interfaces

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 22/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #69 Topic 1

DRAG DROP -

Match the network device with the correct User-ID technology.

Select and Place:

Question #70 Topic 1

Which action related to App-ID updates will enable a security administrator to view the existing security policy rule that matches new application

signatures?

A. Review Policies

B. Review Apps

C. Pre-analyze

D. Review App Matches

Question #71 Topic 1

How do you reset the hit count on a Security policy rule?

A. Select a Security policy rule, and then select Hit Count > Reset.

B. Reboot the data-plane.

C. First disable and then re-enable the rule.

D. Type the CLI command reset hitcount <POLICY-NAME>.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 23/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #72 Topic 1

Given the topology, which zone type should you configure for firewall interface E1/1?

A. Tap

B. Tunnel

C. Virtual Wire

D. Layer3

Question #73 Topic 1

Which interface type is part of a Layer 3 zone with a Palo Alto Networks firewall?

A. Management

B. High Availability

C. Aggregate

D. Aggregation

Question #74 Topic 1

Which security policy rule would be needed to match traffic that passes between the Outside zone and Inside zone, but does not match traffic that

passes within the zones?

A. intrazone

B. interzone

C. universal

D. global

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 24/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #75 Topic 1

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same

URL then which choice would be the last to block access to the URL?

A. EDL in URL Filtering Profile

B. Custom URL category in URL Filtering Profile

C. Custom URL category in Security policy rule

D. PAN-DB URL category in URL Filtering Profile

Question #76 Topic 1

Which data flow direction is protected in a zero-trust firewall deployment that is not protected in a perimeter-only firewall deployment?

A. north-south

B. inbound

C. outbound

D. east-west

Question #77 Topic 1

Which protocol is used to map usernames to user groups when User-ID is configured?

A. TACACS+

B. SAML

C. LDAP

D. RADIUS

Question #78 Topic 1

Which definition describes the guiding principle of the zero-trust architecture?

A. trust, but verify

B. always connect and verify

C. never trust, never connect

D. never trust, always verify

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 25/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #79 Topic 1

All users from the internal zone must be allowed only Telnet access to a server in the DMZ zone.

Complete the two empty fields in the Security policy rules that permits only this type of access.

Source Zone: Internal -

Destination Zone: DMZ Zone -

Application: _________?

Service: ____________?

Action: allow -

(Choose two.)

A. Service = ‫ג‬€application-default‫ג‬€

B. Service = ‫ג‬€service-telnet‫ג‬€

C. Application = ‫ג‬€Telnet‫ג‬€

D. Application = ‫ג‬€any‫ג‬€

Question #80 Topic 1

In which profile should you configure the DNS Security feature?

A. Anti-Spyware Profile

B. Zone Protection Profile

C. Antivirus Profile

D. URL Filtering Profile

Question #81 Topic 1

Which two statements are true for the DNS Security service introduced in PAN-OS version 9.0? (Choose two.)

A. It is automatically enabled and configured.

B. It eliminates the need for dynamic DNS updates.

C. It functions like PAN-DB and requires activation through the app portal.

D. It removes the 100K limit for DNS entries for the downloaded DNS updates.

Question #82 Topic 1

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A. GlobalProtect agent

B. XML API

C. User-ID Windows-based agent

D. log forwarding auto-tagging

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 26/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #83 Topic 1

The CFO found a malware infected USB drive in the parking lot, which when inserted infected their corporate laptop. The malware contacted a

known command- and-control server, which caused the infected laptop to begin exfiltrating corporate data.

Which security profile feature could have been used to prevent the communication with the command-and-control server?

A. Create an anti-spyware profile and enable DNS Sinkhole feature.

B. Create an antivirus profile and enable its DNS Sinkhole feature.

C. Create a URL filtering profile and block the DNS Sinkhole URL category

D. Create a Data Filtering Profiles and enable its DNS Sinkhole feature.

Question #84 Topic 1

You must configure which firewall feature to enable a data-plane interface to submit DNS queries on behalf of the control plane?

A. virtual router

B. Admin Role profile

C. DNS proxy

D. service route

Question #85 Topic 1

Which component provides network security for mobile endpoints by inspecting traffic routed through gateways?

A. Prisma SaaS

B. GlobalProtect

C. AutoFocus

D. Panorama

Question #86 Topic 1

For the firewall to use Active Directory to authenticate users, which Server Profile is required in the Authentication Profile?

A. TACACS+

B. RADIUS

C. LDAP

D. SAML

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 27/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #87 Topic 1

Which operations are allowed when working with App-ID application tags?

A. Predefined tags may be deleted.

B. Predefined tags may be augmented by custom tags.

C. Predefined tags may be modified.

D. Predefined tags may be updated by WildFire dynamic updates.

Question #88 Topic 1

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's

management plane is only slightly utilized.

Which User-ID agent is sufficient in your network?

A. Windows-based agent deployed on each domain controller

B. PAN-OS integrated agent deployed on the firewall

C. Citrix terminal server agent deployed on the network

D. Windows-based agent deployed on the internal network a domain member

Question #89 Topic 1

Which type of administrative role must you assign to a firewall administrator account, if the account must include a custom set of firewall

permissions?

A. Role-based

B. Multi-Factor Authentication

C. Dynamic

D. SAML

Question #90 Topic 1

Which statement is true regarding a Heatmap report?

A. When guided by authorized sales engineer, it helps determine the areas of greatest security risk

B. It runs only on firewalls.

C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

D. It provides a percentage of adoption for each assessment area.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 28/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #91 Topic 1

Based on the screenshot presented, which column contains the link that when clicked, opens a window to display all applications matched to the

policy rule?

A. Apps Allowed

B. Service

C. Name

D. Apps Seen

Question #92 Topic 1

Access to which feature requires the PAN-OS Filtering license?

A. PAN-DB database

B. DNS Security

C. Custom URL categories

D. URL external dynamic lists

Question #93 Topic 1

Based on the screenshot, what is the purpose of the Included Groups?

A. They are groups that are imported from RADIUS authentication servers.

B. They are the only groups visible based on the firewall's credentials.

C. They contain only the users you allow to manage the firewall.

D. They are used to map users to groups.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 29/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #94 Topic 1

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

A. The User-ID agent is connected to a domain controller labeled lab-client.

B. The host lab-client has been found by the User-ID agent.

C. The host lab-client has been found by a domain controller.

D. The User-ID agent is connected to the firewall labeled lab-client.

Question #95 Topic 1

Which action results in the firewall blocking network traffic without notifying the sender?

A. Drop

B. Deny

C. Reset Server

D. Reset Client

Question #96 Topic 1

What do Dynamic User Groups help you to do?

A. create a policy that provides auto-remediation for anomalous user behavior and malicious activity

B. create a dynamic list of firewall administrators

C. create a QoS policy that provides auto-remediation for anomalous user behavior and malicious activity

D. create a policy that provides auto-sizing for anomalous user behavior and malicious activity

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 30/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #97 Topic 1

Which type of security policy rule will match traffic that flows between the Outside zone and inside zone, but would not match traffic that flows

within the zones?

A. global

B. intrazone

C. interzone

D. universal

Question #98 Topic 1

You notice that protection is needed for traffic within the network due to malicious lateral movement activity. Based on the image shown, which

traffic would you need to monitor and block to mitigate the malicious activity?

A. branch office traffic

B. north-south traffic

C. perimeter traffic

D. east-west traffic

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 31/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #99 Topic 1

DRAG DROP -

Match each feature to the DoS Protection Policy or the DoS Protection Profile.

Select and Place:

Question #100 Topic 1

Which type of administrator account cannot be used to authenticate user traffic flowing through the firewall's data plane?

A. Kerberos user

B. SAML user

C. local database user

D. local user

Question #101 Topic 1

How frequently can WildFire updates be made available to firewalls?

A. every 15 minutes

B. every 30 minutes

C. every 60 minutes

D. every 5 minutes

Question #102 Topic 1

Starting with PAN-OS version 9.1, which new type of object is supported for use within the User field of a Security policy rule?

A. remote username

B. dynamic user group

C. static user group

D. local username

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 32/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #103 Topic 1

Which link in the web interface enables a security administrator to view the Security policy rules that match new application signatures?

A. Review App Matches

B. Review Apps

C. Pre-analyze

D. Review Policies

Question #104 Topic 1

Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?

A. interzone-default

B. internal-inside-dmz

C. inside-portal

D. egress-outside

Question #105 Topic 1

Which type of firewall configuration contains in-progress configuration changes?

A. backup

B. candidate

C. running

D. committed

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 33/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #106 Topic 1

Which three configuration settings are required on a Palo Alto Network firewall management interface? (Choose three.)

A. hostname

B. netmask

C. default gateway

D. auto-negotiation

E. IP address

Question #107 Topic 1

What is an advantage for using application tags?

A. They are helpful during the creation of new zones.

B. They help content updates automate policy updates.

C. They help with the creation of interfaces.

D. They help with the design of IP address allocations in DHCP.

Question #108 Topic 1

At which point in the App-ID update process can you determine if an existing policy rule is affected by an App-ID update?

A. after clicking Check Now in the Dynamic Update window

B. after committing the firewall configuration

C. after installing the update

D. after downloading the update

Question #109 Topic 1

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact a command-and-

control server.

Which Security Profile detects and prevents this threat from establishing a command-and-control connection?

A. Vulnerability Protection Profile applied to outbound Security policy rules.

B. Anti-Spyware Profile applied to outbound security policies.

C. Antivirus Profile applied to outbound Security policy rules

D. Data Filtering Profile applied to outbound Security policy rules.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 34/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #110 Topic 1

Which statement is true regarding a Best Practice Assessment?

A. It runs only on firewalls.

B. It shows how current configuration compares to Palo Alto Networks recommendations.

C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.

D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

Question #111 Topic 1

The PowerBall Lottery has reached an unusually high value this week. Your company has decided to raise morale by allowing employees to access

the PowerBall

Lottery website (www.powerball.com) for just this week. However, the company does not want employees to access any other websites also

listed in the URL filtering `gambling` category.

Which method allows the employees to access the PowerBall Lottery website but without unblocking access to the `gambling` URL category?

A. Add just the URL www.powerball.com to a Security policy allow rule.

B. Manually remove powerball.com from the gambling URL category.

C. Add *.powerball.com to the URL Filtering allow list.

D. Create a custom URL category, add *.powerball.com to it and allow it in the Security Profile.

Question #112 Topic 1

Which Palo Alto Networks service protects cloud-based applications such as Dropbox and Salesforce by monitoring permissions and shares and

scanning files for sensitive information?

A. Prisma SaaS

B. AutoFocus

C. Panorama

D. GlobalProtect

Question #113 Topic 1

In a Security policy, what is the quickest way to reset all policy rule hit counters to zero?

A. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules

B. Reboot the firewall

C. Use the Reset Rule Hit Counter > All Rules option

D. Use the CLI enter the command reset rules all

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 35/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #114 Topic 1

Based on the Security policy rules shown, SSH will be allowed on which port?

A. the default port

B. only ephemeral ports

C. any port

D. same port as ssl and snmpv3

Question #115 Topic 1

You receive notification about new malware that is being used to attack hosts. The malware exploits a software bug in common application.

Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?

A. Data Filtering Profile applied to outbound Security policy rules

B. Antivirus Profile applied to outbound Security policy rules

C. Data Filtering Profile applied to inbound Security policy rules

D. Vulnerability Protection Profile applied to inbound Security policy rules

Question #116 Topic 1

Palo Alto Networks firewall architecture accelerates content inspection performance while minimizing latency using which two components?

(Choose two.)

A. Network Processing Engine

B. Policy Engine

C. Parallel Processing Hardware

D. Single Stream-based Engine

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 36/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #117 Topic 1

An administrator is reviewing another administrator's Security policy log settings.

Which log setting configuration is consistent with best practices for normal traffic?

A. Log at Session Start and Log at Session End both enabled

B. Log at Session Start enabled, Log at Session End disabled

C. Log at Session Start disabled, Log at Session End enabled

D. Log at Session Start and Log at Session End both disabled

Question #118 Topic 1

Which Security profile would you apply to identify infected hosts on the protected network using DNS traffic?

A. URL filtering

B. vulnerability protection

C. anti-spyware

D. antivirus

Question #119 Topic 1

Given the topology, which zone type should zone A and zone B to be configured with?

A. Layer3

B. Ethernet

C. Layer2

D. Virtual Wire

Question #120 Topic 1

Assume a custom URL Category Object of `NO-FILES` has been created to identify a specific website.

How can file uploading/downloading be restricted for the website while permitting general browsing access to that website?

A. Create a Security policy with a URL Filtering profile that references the site access setting of block to NO-FILES.

B. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate File Blocking profile.

C. Create a Security policy with a URL Filtering profile that references the site access setting of continue to NO-FILES.

D. Create a Security policy that references NO-FILES as a URL Category qualifier with an appropriate Data Filtering profile.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 37/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #121 Topic 1

Which URL Filtering profile action would you set to allow users the option to access a site only if they provide a URL admin password?

A. authorization

B. continue

C. authentication

D. override

Question #122 Topic 1

How are Application Filters or Application Groups used in firewall policy?

A. An Application Group is a static way of grouping applications and cannot be configured as a nested member of Application Group.

B. An Application Group is a dynamic way of grouping applications and can be configured as a nested member of an Application Group.

C. An Application Filter is a dynamic way to group applications and can be configured as a nested member of an Application Group.

D. An Application Filter is a static way of grouping applications and can be configured as a nested member of an Application Group.

Question #123 Topic 1

Which tab would an administrator click to create an address object?

A. Objects

B. Monitor

C. Device

D. Policies

Question #124 Topic 1

An administrator wishes to follow best practices for logging traffic that traverses the firewall.

Which log setting is correct?

A. Enable Log at Session Start

B. Disable all logging

C. Enable Log at both Session Start and End

D. Enable Log at Session End

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 38/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #125 Topic 1

Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two.)

A. QoS profile

B. DoS Protection profile

C. Zone Protection profile

D. DoS Protection policy

Question #126 Topic 1

An administrator would like to see the traffic that matches the interzone-default rule in the traffic logs.

What is the correct process to enable this logging?

A. Select the interzone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.

B. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.

C. Select the interzone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.

D. This rule has traffic logging enabled by default; no further action is required.

Question #127 Topic 1

The Palo Alto Networks NGFW was configured with a single virtual router named VR-1.

What changes are required on VR-1 to route traffic between two interfaces on the NGFW?

A. Add static routes to route between the two interfaces

B. Add interfaces to the virtual router

C. Add zones attached to interfaces to the virtual router

D. Enable the redistribution profile to redistribute connected routes

Question #128 Topic 1

An administrator wants to prevent users from submitting corporate credentials in a phishing attack.

Which Security profile should be applied?

A. antivirus

B. anti-spyware

C. URL-filtering

D. vulnerability protection

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 39/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #129 Topic 1

Which two rule types allow the administrator to modify the destination zone? (Choose two.)

A. interzone

B. shadowed

C. intrazone

D. universal

Question #130 Topic 1

What is the main function of Policy Optimizer?

A. reduce load on the management plane by highlighting combinable security rules

B. migrate other firewall vendors' security rules to Palo Alto Networks configuration

C. eliminate ‫ג‬€Log at Session Start‫ג‬€ security rules

D. convert port-based security rules to application-based security rules

Question #131 Topic 1

Based on the screenshot, what is the purpose of the group in User labelled `it`?

A. Allows ‫ג‬€any‫ג‬€ users to access servers in the DMZ zone.

B. Allows users to access IT applications on all ports.

C. Allow users in group ‫ג‬€it‫ג‬€ to access IT applications.

D. Allow users in group ‫ג‬€DMZ‫ג‬€ to access IT applications.

Question #132 Topic 1

Which action results in the firewall blocking network traffic without notifying the sender?

A. Drop

B. Deny

C. No notification

D. Reset Client

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 40/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #133 Topic 1

Assume that traffic matches a Security policy rule but the attached Security Profiles is configured to block matching traffic.

Which statement accurately describes how the firewall will apply an action to matching traffic?

A. If it is a block rule, then Security Profile action is applied last.

B. If it is an allow rule, then the Security policy rule is applied last.

C. If it is a block rule, then the Security policy rule action is applied last.

D. If it is an allowed rule, then the Security Profile action is applied last.

Question #134 Topic 1

Which Security profile can you apply to protect against malware such as worms and Trojans?

A. antivirus

B. data filtering

C. vulnerability protection

D. anti-spyware

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 41/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #135 Topic 1

Given the network diagram, traffic should be permitted for both Trusted and Guest users to access general Internet and DMZ servers using SSH,

web-browsing and SSL applications.

Which policy achieves the desired results?

A.

B.

C.

D.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 42/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #136 Topic 1

Which license is required to use the Palo Alto Networks built-in IP address EDLs?

A. DNS Security

B. Threat Prevention

C. WildFire

D. SD-Wan

Question #137 Topic 1

Which statement is true about Panorama managed devices?

A. Panorama automatically removes local configuration locks after a commit from Panorama.

B. Local configuration locks prohibit Security policy changes for a Panorama managed device.

C. Security policy rules configured on local firewalls always take precedence.

D. Local configuration locks can be manually unlocked from Panorama.

Question #138 Topic 1

A Security Profile can block or allow traffic at which point?

A. on either the data plane or the management plane

B. after it is matched to a Security policy rule that allows or blocks traffic

C. after it is matched to a Security policy rule that allows traffic

D. before it is matched to a Security policy rule

Question #139 Topic 1

DRAG DROP -

Place the following steps in the packet processing order of operations from first to last.

Select and Place:

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 43/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #140 Topic 1

Which type of address object is `10.5.1.1/0.127.248.2`?

A. IP netmask

B. IP subnet

C. IP wildcard mask

D. IP range

Question #141 Topic 1

Which component is a building block in a Security policy rule?

A. decryption profile

B. destination interface

C. timeout (min)

D. application

Question #142 Topic 1

You have been tasked to configure access to a new web server located in the DMZ.

Based on the diagram what configuration changes are required in the NGFW virtual router to route traffic from the 10.1.1.0/24 network to

192.168.1.0/24?

A. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/2 with a next-hop of 172.16.1.2.

B. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.10

C. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 172.16.1.2.

D. Add a route with the destination of 192.168.1.0/24 using interface Eth 1/3 with a next-hop of 192.168.1.254.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 44/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #143 Topic 1

An administrator would like to use App-ID's deny action for an application and would like that action updated with dynamic updates as new

content becomes available.

Which security policy action causes this?

A. Reset server

B. Reset both

C. Deny

D. Drop

Question #144 Topic 1

Selecting the option to revert firewall changes will replace what settings?

A. the candidate configuration with settings from the running configuration

B. dynamic update scheduler settings

C. the running configuration with settings from the candidate configuration

D. the device state with settings from another configuration

Question #145 Topic 1

An administrator has configured a Security policy where the matching condition includes a single application, and the action is drop.

If the application's default deny action is reset-both, what action does the firewall take?

A. It silently drops the traffic.

B. It silently drops the traffic and sends an ICMP unreachable code.

C. It sends a TCP reset to the server-side device.

D. It sends a TCP reset to the client-side and server-side devices.

Question #146 Topic 1

Which three types of authentication services can be used to authenticate user traffic flowing through the firewall's data plane? (Choose three.)

A. SAML 2.0

B. Kerberos

C. TACACS

D. TACACS+

E. SAML 1.0

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 45/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #147 Topic 1

Which objects would be useful for combining several services that are often defined together?

A. application filters

B. service groups

C. shared service objects

D. application groups

Question #148 Topic 1

Given the screenshot, what two types of route is the administrator configuring? (Choose two.)

A. BGP

B. static route

C. default route

D. OSPF

Question #149 Topic 1

Which rule type is appropriate for matching traffic both within and between the source and destination zones?

A. interzone

B. shadowed

C. intrazone

D. universal

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 46/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #150 Topic 1

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic and send the

ICMP code

`communication with the destination is administratively prohibited`.

Which security policy action causes this?

A. Drop

B. Drop, send ICMP Unreachable

C. Reset both

D. Reset server

Question #151 Topic 1

You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall's threat signature database?

A. URL Filtering profile applied to inbound Security policy rules.

B. Data Filtering profile applied to outbound Security policy rules.

C. Antivirus profile applied to inbound Security policy rules.

D. Vulnerability Protection profile applied to outbound Security policy rules.

Question #152 Topic 1

An administrator wants to prevent access to media content websites that are risky.

Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

A. recreation-and-hobbies

B. streaming-media

C. known-risk

D. high-risk

Question #153 Topic 1

Which dynamic update type includes updated anti-spyware signatures?

A. PAN-DB

B. Applications and Threats

C. GlobalProtect Data File

D. Antivirus

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 47/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #154 Topic 1

An administrator would like to silently drop traffic from the internet to a ftp server.

Which Security policy action should the administrator select?

A. Drop

B. Deny

C. Block

D. Reset-server

Question #155 Topic 1

Which object would an administrator create to block access to all high-risk applications?

A. HIP profile

B. Vulnerability Protection profile

C. application group

D. application filter

Question #156 Topic 1

Which option is part of the content inspection process?

A. Packet forwarding process

B. IPsec tunnel encryption

C. SSL Proxy re-encrypt

D. Packet egress process

Question #157 Topic 1

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of

time?

A. Disable automatic updates during weekdays

B. Automatically ‫ג‬€download and install‫ג‬€ but with the ‫ג‬€disable new applications‫ג‬€ option used

C. Automatically ‫ג‬€download only‫ג‬€ and then install Applications and Threats later, after the administrator approves the update

D. Configure the option for ‫ג‬€Threshold‫ג‬€

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 48/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #158 Topic 1

What must be considered with regards to content updates deployed from Panorama?

A. Content update schedulers need to be configured separately per device group.

B. Panorama can only install up to five content versions of the same type for potential rollback scenarios.

C. A PAN-OS upgrade resets all scheduler configurations for content updates.

D. Panorama can only download one content update at a time for content updates of the same type.

Question #159 Topic 1

During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. pattern based application identification

B. application override policy match

C. session application identified

D. application changed from content inspection

Question #160 Topic 1

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow

B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow

C. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow

D. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 49/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #161 Topic 1

What does an administrator use to validate whether a session is matching an expected NAT policy?

A. system log

B. test command

C. threat log

D. config audit

Question #162 Topic 1

What is the purpose of the automated commit recovery feature?

A. It reverts the Panorama configuration.

B. It causes HA synchronization to occur automatically between the HA peers after a push from Panorama.

C. It reverts the firewall configuration if the firewall recognizes a loss of connectivity to Panorama after the change.

D. It generates a config log after the Panorama configuration successfully reverts to the last running configuration.

Question #163 Topic 1

According to the best practices for mission critical devices, what is the recommended interval for antivirus updates?

A. by minute

B. hourly

C. daily

D. weekly

Question #164 Topic 1

DRAG DROP -

Place the steps in the correct packet-processing order of operations.

Select and Place:

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 50/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #165 Topic 1

Which Security policy match condition would an administrator use to block traffic from IP addresses on the Palo Alto Networks EDL of Known

Malicious IP

Addresses list?

A. destination address

B. source address

C. destination zone

D. source zone

Question #166 Topic 1

URL categories can be used as match criteria on which two policy types? (Choose two.)

A. authentication

B. decryption

C. application override

D. NAT

Question #167 Topic 1

Given the screenshot, what are two correct statements about the logged traffic? (Choose two.)

A. The web session was unsuccessfully decrypted.

B. The traffic was denied by security profile.

C. The traffic was denied by URL filtering.

D. The web session was decrypted.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 51/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #168 Topic 1

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server

based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow

B. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow

C. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow

D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow

E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

Question #169 Topic 1

Which type of profile must be applied to the Security policy rule to protect against buffer overflows, illegal code execution, and other attempts to

exploit system flaws?

A. URL filtering

B. vulnerability protection

C. file blocking

D. anti-spyware

Question #170 Topic 1

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

A. on the App Dependency tab in the Commit Status window

B. on the Policy Optimizer's Rule Usage page

C. on the Application tab in the Security Policy Rule creation window

D. on the Objects > Applications browser pages

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 52/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #171 Topic 1

What action will inform end users when their access to Internet content is being restricted?

A. Create a custom ‫ג‬€URL Category‫ג‬€ object with notifications enabled.

B. Publish monitoring data for Security policy deny logs.

C. Ensure that the ‫ג‬€site access‫ג‬€ setting for all URL sites is set to ‫ג‬€alert‫ג‬€.

D. Enable ‫ג‬€Response Pages‫ג‬€ on the interface providing Internet access.

Question #172 Topic 1

What is a recommended consideration when deploying content updates to the firewall from Panorama?

A. Before deploying content updates, always check content release version compatibility.

B. Content updates for firewall A/P HA pairs can only be pushed to the active firewall.

C. Content updates for firewall A/A HA pairs need a defined master device.

D. After deploying content updates, perform a commit and push to Panorama.

Question #173 Topic 1

Which information is included in device state other than the local configuration?

A. uncommitted changes

B. audit logs to provide information of administrative account changes

C. system logs to provide information of PAN-OS changes

D. device group and template settings pushed from Panorama

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 53/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #174 Topic 1

Based on the graphic, what is the purpose of the SSL/TLS Service profile configuration option?

A. It defines the SSL/TLS encryption strength used to protect the management interface.

B. It defines the CA certificate used to verify the client's browser.

C. It defines the certificate to send to the client's browser from the management interface.

D. It defines the firewall's global SSL/TLS timeout values.

Question #175 Topic 1

An administrator is troubleshooting an issue with traffic that matches the intrazone-default rule, which is set to default configuration.

What should the administrator do?

A. change the logging action on the rule

B. review the System Log

C. refresh the Traffic Log

D. tune your Traffic Log filter to include the dates

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 54/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #176 Topic 1

When is the content inspection performed in the packet flow process?

A. after the application has been identified

B. after the SSL Proxy re-encrypts the packet

C. before the packet forwarding process

D. before session lookup

Question #177 Topic 1

During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?

A. check now

B. review policies

C. test policy match

D. download

Question #178 Topic 1

When creating a custom URL category object, which is a valid type?

A. domain match

B. host names

C. wildcard

D. category match

Question #179 Topic 1

When HTTPS for management and GlobalProtect are enabled on the same interface, which TCP port is used for management access?

A. 80

B. 8443

C. 4443

D. 443

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 55/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #180 Topic 1

What two authentication methods on the Palo Alto Networks firewalls support authentication and authorization for role-based access control

(RBAC)? (Choose two.)

A. SAML

B. TACACS+

C. LDAP

D. Kerberos

Question #181 Topic 1

Which administrative management services can be configured to access a management interface?

A. HTTPS, HTTP, CLI, API

B. HTTPS, SSH, telnet, SNMP

C. SSH, telnet, HTTP, HTTPS

D. HTTP, CLI, SNMP, HTTPS

Question #182 Topic 1

Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content whose services are frequently

used by attackers to distribute illegal or unethical material?

A. Palo Alto Networks C&G IP Addresses

B. Palo Alto Networks High Risk IP Addresses

C. Palo Alto Networks Known Malicious IP Addresses

D. Palo Alto Networks Bulletproof IP Addresses

Question #183 Topic 1

Which security policy match condition would an administrator use to block traffic to IP addresses on the Palo Alto Networks Bulletproof IP

Addresses list?

A. source address

B. destination address

C. source zone

D. destination zone

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 56/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #184 Topic 1

Which three filter columns are available when setting up an Application Filter? (Choose three.)

A. Parent App

B. Category

C. Risk

D. Standard Ports

E. Subcategory

Question #185 Topic 1

Which stage of the cyber attack lifecycle makes it important to provide ongoing education to users on spear phishing links, unknown emails, and

risky websites?

A. reconnaissance

B. delivery

C. installation

D. exploitation

Question #186 Topic 1

A coworker found a USB labeled "confidential in the parking lot. They inserted the drive and it infected their corporate laptop with unknown

malware The malware caused the laptop to begin infiltrating corporate data.

Which Security Profile feature could have been used to detect the malware on the laptop?

A. DNS Sinkhole

B. WildFire Analysis

C. Antivirus

D. DoS Protection

Question #187 Topic 1

What must be configured before setting up Credential Phishing Prevention?

A. Threat Prevention

B. Anti Phishing Block Page

C. User-ID

D. Anti Phishing profiles

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 57/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #188 Topic 1

Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?

A. block

B. sinkhole

C. allow

D. alert

Question #189 Topic 1

Which statement best describes a common use of Policy Optimizer?

A. Policy Optimizer can be used on a schedule to automatically create a disabled Layer 7 App ID Security policy for every Layer 4 policy that

exist. Admins can then manually enable policies they want to keep and delete ones they want to remove.

B. Policy Optimizer can display which Security policies have not been used in the last 90 days.

C. Policy Optimizer on aVM-50 firewall can display which Layer 7 App-ID Security policies have unused applications.

D. Policy Optimizer can add or change a Log Forwarding profile for each Security policy selected.

Question #190 Topic 1

Which two statements are correct regarding multiple static default routes when they are configured as shown in the image? (Choose two.)

A. The route with lowest metric is used.

B. The route with the highest administrative distance is used.

C. The virtual router would load balance across the two routes.

D. Path monitoring determines whether a route is usable.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 58/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #191 Topic 1

An address object of type IP Wildcard Mask can be referenced in which part of the configuration?

A. Security policy rule

B. ACC global fitter

C. NAT address pool

D. external dynamic list

Question #192 Topic 1

You receive notification about a new malware that infects hosts. An infection results in the infected host attempting to contact command-and-

control server.

Which Security Profile, when applied to outbound Security policy rules, detects and prevents this threat from establishing a command-and-control

connection?

A. Anti-Spyware Profile

B. Data Filtering Profile

C. Antivirus Profile

D. Vulnerability Protection Profile

Question #193 Topic 1

Which Palo Alto Networks component provides consolidated policy creation?

A. Policy Optimizer

B. Prisma SaaS

C. GlobalProtect

D. Panorama

Question #194 Topic 1

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within

the DMZ zone.

The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

A. interzone

B. intrazone

C. default

D. universal

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 59/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #195 Topic 1

According to best practices, how frequently should WildFire updates he made to perimeter firewalls?

A. every 10 minutes

B. every minute

C. every 5 minutes

D. in real time

Question #196 Topic 1

Given the topology, which interface type should you configure for firewall interface E1/1?

A. Layer 2

B. virtual wire

C. tap

D. mirror port

Question #197 Topic 1

Which solution is a viable option to capture user identification when Active Directory is not in use?

A. Cloud identity Engine

B. Directory Sync Service

C. group mapping

D. Authentication Portal

Question #198 Topic 1

What allows a security administrator to preview the Security policy rules that match new application signatures?

A. Policy Optimizer--New App Viewer

B. Dynamic Updates--Review App

C. Review Release Notes

D. Dynamic Updates--Review Policies

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 60/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #199 Topic 1

If using group mapping with Active Directory Universal Groups, what must you do when configuring the User ID?

A. Configure a Primary Employee ID number for user-based Security policies.

B. Create a RADIUS Server profile to connect to the domain controllers using LDAPS on port 636 or 389.

C. Create an LDAP Server profile to connect to the root domain of the Global Catalog server on port 3268 or 3269 for SSL.

D. Configure a frequency schedule to clear group mapping cache.

Question #200 Topic 1

An administrator needs to add capability to perform real time signature lookups to block or sinkhole all known malware domains.

Which type of single, unified engine will get this result?

A. Content ID

B. App-ID

C. Security Processing Engine

D. User-ID

Question #201 Topic 1

Which action would an administrator take to ensure that a service object will be available only to the selected device group?

A. ensure that disable override is selected

B. uncheck the shared option

C. ensure that disable override is cleared

D. create the service object in the specific template

Question #202 Topic 1

Which built-in IP address EDL would be useful for preventing traffic from IP addresses that are verified as unsafe based on WildFire analysis, Unit

42 research, and data gathered from telemetry?

A. Palo Alto Networks High-Risk IP Addresses

B. Palo Alto Networks Known Malicious IP Addresses

C. Palo Alto Networks C&C IP Addresses

D. Palo Alto Networks Bulletproof IP Addresses

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 61/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #203 Topic 1

An administrator would like to determine the default deny action for the application dns-over-https.

Which action would yield the information?

A. View the application details in beacon.paloaltonetworks.com

B. Check the action for the Security policy matching that traffic

C. Check the action for the decoder in the antivirus profile

D. View the application details in Objects > Applications

Question #204 Topic 1

Access to which feature requires a URL Filtering license?

A. PAN-DB database

B. External dynamic lists

C. DNS Security

D. Custom URL categories

Question #205 Topic 1

What is the main function of the Test Policy Match function?

A. ensure that policy rules are not shadowing other policy rules

B. confirm that rules meet or exceed the Best Practice Assessment recommendations

C. confirm that policy rules in the configuration are allowing donning the correct traffic

D. verify that policy rules from Expedition are valid

Question #206 Topic 1

Which attribute can a dynamic address group use as a filtering condition to determine its membership?

A. subnet mask

B. tag

C. IP address

D. wildcard mask

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 62/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #207 Topic 1

View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and

Untrust/Internet zones from each of the IOT/Guest and Trust Zones?

A.

B.

C.

D.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 63/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #208 Topic 1

What are the three DNS Security categories available to control DNS traffic? (Choose three.)

A. Parked Domains

B. Spyware Domains

C. Vulnerability Domains

D. Phishing Domains

E. Malware Domains

Question #209 Topic 1

What are three valid information sources that can be used when tagging users to dynamic user groups? (Choose three.)

A. firewall logs

B. custom API scripts

C. Security Information and Event Management Systems (SIEMS), such as Splunk

D. biometric scanning results from iOS devices

E. DNS Security service

Question #210 Topic 1

The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is

configured with two zones:

1. trust for internal networks

2. untrust to the internet

Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this

request? (Choose two.)

A. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive

characteristic

B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application

C. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application

D. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic

Question #211 Topic 1

Which object would an administrator create to enable access to all applications in the office-programs subcategory?

A. HIP profile

B. URL category

C. application group

D. application filter

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 64/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #212 Topic 1

Given the detailed log information above, what was the result of the firewall traffic inspection?

A. It was blocked by the Vulnerability Protection profile action

B. It was blocked by the Security policy action

C. It was blocked by the Anti-Virus Security profile action

D. It was blocked by the Anti-Spyware Profile action

Question #213 Topic 1

An administrator wants to create a No-NAT rule to exempt a flow from the default NAT rule.

What is the best way to do this?

A. Create a static NAT rule translating to the destination interface.

B. Create a static NAT rule with an application override.

C. Create a Security policy rule to allow the traffic.

D. Create a new NAT rule with the correct parameters and leave the translation type as None.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 65/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #214 Topic 1

What can be achieved by selecting a policy target prior to pushing policy rules from Panorama? *

A. You can specify the location as pre- or post-rules to push policy rules

B. You can specify the firewalls in a device group to which to push policy rules

C. Doing so provides audit information prior to making changes for selected policy rules

D. Doing so limits the templates that receive the policy rules

Question #215 Topic 1

When an ethernet interface is configured with an IPv4 address, which type of zone is it a member of?

A. Layer 3

B. Virtual Wire

C. Tap

D. Tunnel

Question #216 Topic 1

An administrator would like to create a URL Filtering log entry when users browse to any gambling website.

What combination of Security policy and Security profile actions is correct?

A. Security policy = deny, Gambling category in URL profile = block

B. Security policy = drop, Gambling category in URL profile = allow

C. Security policy = allow, Gambling category in URL profile = alert

D. Security policy = allow, Gambling category in URL profile = allow

Question #217 Topic 1

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.

Which two fields could help in determining if this is normal? (Choose two.)

A. IP Protocol

B. Packets sent/received

C. Decrypted

D. Action

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 66/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #218 Topic 1

What are three characteristics of the Palo Alto Networks DNS Security service? (Choose three.)

A. It requires an active subscription to a third-party DNS Security service

B. It requires a valid URL Filtering license

C. It uses techniques such as DGA/DNS tunneling detection and machine learning

D. It requires a valid Threat Prevention license

E. It enables users to access real-time protections using advanced predictive analytics

Question #219 Topic 1

After making multiple changes to the candidate configuration of a firewall, the administrator would like to start over with a candidate configuration

that matches the running configuration.

Which command in Device > Setup > Operations would provide the most operationally efficient way to accomplish this?

A. Revert to running configuration

B. Load named configuration snapshot

C. Revert to last saved configuration

D. Import named config snapshot

Question #220 Topic 1

What are three valid ways to map an IP address to a username? (Choose three.)

A. a user connecting into a GlobalProtect gateway using a GlobalProtect Agent

B. WildFire verdict reports

C. DHCP Relay logs

D. using the XML API

E. usernames inserted inside HTTP Headers

Question #221 Topic 1

How is an address object of type IP range correctly defined?

A. 192.168.40.1-192.168.40.255

B. 192.168.40.1-255

C. 192.168.40.1, 192.168.40.255

D. 192.168.40.1/24

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 67/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #222 Topic 1

An administrator is troubleshooting traffic that should match the interzone-default rule. However, the administrator doesn't see this traffic in the

traffic logs on the firewall. The interzone-default was never changed from its default configuration.

Why doesn't the administrator see the traffic?

A. The interzone-default policy is disabled by default.

B. Traffic is being denied on the interzone-default policy.

C. Logging on the interzone-default policy is disabled.

D. The Log Forwarding profile is not configured on the policy.

Question #223 Topic 1

What do you configure if you want to set up a group of objects based on their ports alone?

A. address groups

B. custom objects

C. application groups

D. service groups

Question #224 Topic 1

What are two valid selections within a Vulnerability Protection profile? (Choose two.)

A. deny

B. drop

C. default

D. sinkhole

Question #225 Topic 1

Which three interface deployment methods can be used to block traffic flowing through the Palo Alto Networks firewall? (Choose three.)

A. Tap

B. HA

C. Layer 3

D. Layer 2

E. Virtual Wire

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 68/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #226 Topic 1

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.

Which security policy action causes this?

A. Drop

B. Drop, send ICMP Unreachable

C. Reset both

D. Reset server

Question #227 Topic 1

When creating an Admin Role profile, if no changes are made, which two administrative methods will you have full access to? (Choose two.)

A. web UI

B. XML API

C. command line

D. RESTAPI

Question #228 Topic 1

An administrator would like to apply a more restrictive Security profile to traffic for file sharing applications. The administrator does not want to

update the Security policy or object when new applications are released.

Which object should the administrator use as a match condition in the Security policy?

A. the Online Storage and Backup URL category

B. the Content Delivery Networks URL category

C. an application group containing all of the file-sharing App-IDs reported in the traffic logs

D. an application filter for applications whose subcategory is file-sharing

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 69/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #229 Topic 1

Which list of actions properly defines the order of steps needed to add a local database user account and create a new group to which this user

will be assigned?

A. 1. Navigate to Device > Local User Database > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash.

4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the group.

7. Add the user to the group and click OK.

B. 1. Navigate to Device > Authentication Profile > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or

Hash. 4. Enable the account and click OK. 5. Navigate to Device > Local User Database > User Groups and click Add. 6. Enter a Name for the

group. 7. Add the user to the group and click OK.

C. 1. Navigate to Device > Users and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the account

and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click OK.

D. 1. Navigate to Device > Admins and click Add. 2. Enter a Name for the user. 3. Enter and Confirm a Password or Hash. 4. Enable the

account and click OK. 5. Navigate to Device > User Groups and click Add. 6. Enter a Name for the group. 7. Add the user to the group and click

OK.

Question #230 Topic 1

When creating a Panorama administrator type of Device Group and Template Admin, which two things must you create first? (Choose two.)

A. server profile

B. admin role

C. password profile

D. access domain

Question #231 Topic 1

An administrator is configuring a NAT rule.

At a minimum, which three forms of information are required? (Choose three.)

A. source zone

B. name

C. destination interface

D. destination zone

E. destination address

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 70/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #232 Topic 1

An administrator wants to prevent hacking attacks through DNS queries to malicious domains.

Which two DNS policy actions can the administrator choose in the Anti-Spyware Security Profile? (Choose two.)

A. deny

B. block

C. sinkhole

D. override

Question #233 Topic 1

An administrator is creating a NAT policy.

Which combination of address and zone are used as match conditions? (Choose two.)

A. Pre-NAT address

B. Pre-NAT zone

C. Post-NAT address

D. Post-NAT zone

Question #234 Topic 1

A network administrator is required to use a dynamic routing protocol for network connectivity.

Which three dynamic routing protocols are supported by the NGFW Virtual Router for this purpose? (Choose three.)

A. OSPF

B. EIGRP

C. IS-IS

D. BGP

E. RIP

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 71/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #235 Topic 1

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition,

traffic should be permitted from the SERVER zone to the DMZ on SSH only.

Which rule group enables the required traffic?

A.

B.

C.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 72/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

D.

Question #236 Topic 1

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the

management interface?

A. service route

B. dynamic updates

C. SNMP setup

D. data redistribution

Question #237 Topic 1

In order to fulfill the corporate requirement to backup the configuration of Panorama and the Panorama-managed firewalls securely, which

protocol should you select when adding a new scheduled config export?

A. HTTPS

B. SMB v3

C. SCP

D. FTP

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 73/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #238 Topic 1

All users from the internal zone must be allowed only HTTP access to a server in the DMZ zone.

Complete the empty field in the Security policy using an application object to permit only this type of access.

Source Zone: Internal -

Destination Zone: DMZ Zone -

Application: __________

Service: application-default -

Action: allow

A. Application = "any"

B. Application = "web-browsing"

C. Application = "ssl"

D. Application = "http"

Question #239 Topic 1

An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established

connections to remote systems.

From the Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to prevent such connections?

A. Set the hacking category to continue.

B. Set the phishing category to override.

C. Set the malware category to block.

D. Set the Command and Control category to block.

Question #240 Topic 1

An administrator would like to follow the best-practice approach to log the traffic that traverses the firewall.

What action should they take?

A. Enable both Log at Session Start and Log at Session End.

B. Enable Log at Session End.

C. Enable Log at Session Start.

D. Disable all logging options.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 74/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #241 Topic 1

Which two protocols are available on a Palo Alto Networks Firewall Interface Management Profile? (Choose two.)

A. HTTPS

B. RDP

C. SCP

D. SSH

Question #242 Topic 1

A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT. Finance, and HR.

Which two types of traffic will the rule apply to? (Choose two)

A. traffic between zone IT and zone Finance

B. traffic between zone Finance and zone HR

C. traffic within zone IT

D. traffic within zone HR

Question #243 Topic 1

You receive notification about new malware that infects hosts through malicious files transferred by FTP.

Which Security profile detects and protects your internal networks from this threat after you update your firewall’s threat signature database?

A. Data Filtering profile applied to outbound Security policy rules.

B. Vulnerability Protection profile applied to outbound Security policy rules.

C. URL Filtering profile applied to inbound Security policy rules.

D. Antivirus profile applied to inbound Security policy rules.

Question #244 Topic 1

An administrator would like to override the default deny action for a given application, and instead would like to block the traffic.

Which security policy action causes this?

A. Drop

B. Drop, send ICMP Unreachable

C. Reset both

D. Reset client

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 75/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #245 Topic 1

What does an application filter help you to do?

A. It dynamically shapes defined application traffic based on active sessions and bandwidth usage.

B. It dynamically filters applications based on critical, high, medium, low, or informational severity.

C. It dynamically groups applications based on application attributes such as category and subcategory.

D. It dynamically provides application statistics based on network, threat, and blocked activity.

Question #246 Topic 1

Which action can be set in a URL Filtering Security profile to provide users temporary access to all websites in a given category using a provided

password?

A. continue

B. override

C. hold

D. exclude

Question #247 Topic 1

Which type of address object is www.paloaltonetworks.com?

A. named address

B. IP range

C. FQDN

D. IP netmask

Question #248 Topic 1

What are the requirements for using Palo Alto Networks EDL Hosting Service?

A. an additional paid subscription

B. any supported Palo Alto Networks firewall or Prisma Access firewall

C. a firewall device running with a minimum version of PAN-OS 10.1

D. an additional subscription free of charge

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 76/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #249 Topic 1

What are two valid selections within an Antivirus profile? (Choose two.)

A. deny

B. drop

C. block-ip

D. default

Question #250 Topic 1

Your company is highly concerned with their intellectual property being accessed by unauthorized resources. There is a mature process to store

and include metadata tags for all confidential documents.

Which Security profile can further ensure that these documents do not exit the corporate network?

A. File Blocking

B. Data Filtering

C. Anti-Spyware

D. URL Filtering

Question #251 Topic 1

An administrator is reviewing the Security policy rules shown in the screenshot below.

Which statement is correct about the information displayed?

A. Highlight Unused Rules is checked.

B. There are seven Security policy rules on this firewall.

C. The view Rulebase as Groups is checked.

D. Eleven rules use the “Infrastructure” tag.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 77/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #252 Topic 1

Prior to a maintenance-window activity, the administrator would like to make a backup of only the running configuration to an external location.

What command in Device > Setup > Operations would provide the most operationally efficient way to achieve this outcome?

A. export named configuration snapshot

B. save named configuration snapshot

C. export device state

D. save candidate config

Question #253 Topic 1

DRAG DROP

Match each rule type with its example.

Question #254 Topic 1

What are the two default behaviors for the intrazone-default policy? (Choose two.)

A. Allow

B. Log at Session End

C. Deny

D. Logging disabled

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 78/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #255 Topic 1

Which statement is true regarding NAT rules?

A. Translation of the IP address and port occurs before security processing.

B. Firewall supports NAT on Layer 3 interfaces only.

C. Static NAT rules have precedence over other forms of NAT.

D. NAT rules are processed in order from top to bottom.

Question #256 Topic 1

An administrator would like to block access to a web server, while also preserving resources and minimizing half-open sockets.

What are two security policy actions the administrator can select? (Choose two.)

A. Reset server

B. Deny

C. Drop

D. Reset both

Question #257 Topic 1

An administrator wants to create a NAT policy to allow multiple source IP addresses to be translated to the same public IP address.

What is the most appropriate NAT policy to achieve this?

A. Static IP

B. Destination

C. Dynamic IP and Port

D. Dynamic IP

Question #258 Topic 1

What are three Palo Alto Networks best practices when implementing the DNS Security Service? (Choose three.)

A. Configure a URL Filtering profile

B. Train your staff to be security aware.

C. Plan for mobile-employee risk.

D. Rely on a DNS resolver.

E. Implement a threat intel program.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 79/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #259 Topic 1

An administrator would like to see the traffic that matches the intrazone-default rule in the traffic logs.

What is the correct process to enable this logging?

A. Select the intrazone-default rule and click Override; on the Actions tab, select Log at Session End and click OK.

B. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session End and click OK.

C. Select the intrazone-default rule and edit the rule; on the Actions tab, select Log at Session Start and click OK.

D. This rule has traffic logging enabled by default; no further action is required.

Question #260 Topic 1

What is a function of application tags?

A. automated referenced applications in a policy

B. application prioritization

C. IP address allocations in DHCP

D. creation of new zones

Question #261 Topic 1

An administrator wants to filter access to www.paloaltonetworks.com via a custom URL category.

Which syntax would match this?

A. https://paloaltonetworks.com

B. #.paloaltonetworks.com

C. http://paloaltonetworks.com

D. *.paloaltonetworks.com

Question #262 Topic 1

What are two valid selections within an Anti-Spyware profile? (Choose two.)

A. Random early drop

B. Drop

C. Deny

D. Default

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 80/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #263 Topic 1

What is a prerequisite before enabling an administrative account which relies on a local firewall user database?

A. Configure an authentication profile.

B. Configure an authentication sequence.

C. Isolate the management interface on a dedicated management VLAN.

D. Configure an authentication policy.

Question #264 Topic 1

Which Security policy set should be used to ensure that a policy is applied first?

A. Local firewall policy

B. Shared pre-rulebase

C. Parent device-group pre-rulebase

D. Child device-group pre-rulebase

Question #265 Topic 1

An administrator is trying to implement an exception to an external dynamic list manually. Some entries are shown underlined in red.

What would cause this error?

A. Entries contain symbols.

B. Entries are wildcards.

C. Entries contain regular expressions.

D. Entries are duplicated.

Question #266 Topic 1

What can be achieved by disabling the Share Unused Address and Service Objects with Devices setting on Panorama?

A. Increase the per-firewall capacity for address and service objects

B. Reduce the configuration and session synchronization time between HA pairs

C. Increase the backup capacity for configuration backups per firewall

D. Reduce the number of objects pushed to a firewall

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 81/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #267 Topic 1

Which Security profile can be used to detect and block compromised hosts from trying to communicate with external command-and-control (C2)

servers?

A. URL Filtering

B. Antivirus

C. Vulnerability

D. Anti-Spyware

Question #268 Topic 1

An administrator is trying to enforce policy on some (but not all) of the entries in an external dynamic list.

What is the maximum number of entries that they can be excluded?

A. 50

B. 100

C. 200

D. 1,000

Question #269 Topic 1

A website is unexpectedly allowed due to miscategorization.

What are two ways to resolve this issue for a proper response? (Choose two.)

A. Create a URL category and assign the affected URL.

Update the active URL Filtering profile site access setting for the custom URL category to block.

B. Review the categorization of the website on https://urlfiltering paloaltonetworks.com.

Submit for "request change", identifying the appropriate categorization, and wait for confirmation before testing again.

C. Identify the URL category being assigned to the website.

Edit the active URL Filtering profile and update that category's site access settings to block.

D. Create a URL category and assign the affected URL.

Add a Security policy with a URL category qualifier of the custom URL category below the original policy.

Set the policy action to Deny.

Question #270 Topic 1

If the firewall interface E1/1 is connected to a SPAN or mirror port, which interface type should E1/1 be configured as?

A. Tap

B. Virtual Wire

C. Layer 2

D. Layer 3

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 82/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #271 Topic 1

An administrator manages a network with 300 addresses that require translation. The administrator configured NAT with an address pool of 240

addresses and found that connections from addresses that needed new translations were being dropped.

Which type of NAT was configured?

A. Dynamic IP

B. Static IP

C. Dynamic IP and Port

D. Destination NAT

Question #272 Topic 1

The NetSec Manager asked to create a new EMEA Regional Panorama Administrator profile with customized privileges. In particular, the new

EMEA Regional Panorama Administrator should be able to:

Access only EMEA-Regional device groups with read-only privileges

Access only EMEA-Regional templates with read-only privileges

What is the correct configuration for the new EMEA Regional Panorama Administrator profile?

A. Administrator Type = Device Group and Template Admin

Admin Role = EMEA_Regional_Admin_read_only

Access Domain = EMEA-Regional

B. Administrator Type = Dynamic -

Admin Role = Superuser (read-only)

C. Administrator Type = Dynamic -

Admin Role = Panorama Administrator

D. Administrator Type = Custom Panorama Admin

Profile = EMEA Regional Admin_read_only

Question #273 Topic 1

An administrator would like to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 devices

groups and five templates.

Which configuration action should the administrator take when creating the address object?

A. Ensure that Disable Override is cleared.

B. Ensure that the Shared option is cleared.

C. Ensure that the Shared option is checked.

D. Tag the address object with the Global tag.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 83/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #274 Topic 1

Which type of policy allows an administrator to both enforce rules and take action?

A. Authentication

B. Security

C. NAT

D. Decryption

Question #275 Topic 1

With the DNS Security subscription, when will the cloud-based signature database provide users access to newly added DNS signatures?

A. Within five minutes, after downloading updates

B. Instantly, after downloading updates

C. Within five minutes, without downloading updates

D. Instantly, without downloading updates

Question #276 Topic 1

Why should a company have a File Blocking profile that is attached to a Security policy?

A. To block uploading and downloading of any type of files

B. To block uploading and downloading of specific types of files

C. To detonate files in a sandbox environment

D. To analyze file types

Question #277 Topic 1

What can be used as match criteria for creating a dynamic address group?

A. MAC addresses

B. IP addresses

C. Usernames

D. Tags

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 84/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #278 Topic 1

An administrator is reviewing packet captures to troubleshoot a problem with an application, and they observe TCP resets to the client and the

server.

Which security policy action causes this?

A. Drop

B. Reset server

C. Reset client

D. Reset both

Question #279 Topic 1

An administrator would like to protect against inbound threats such as buffer overflows and illegal code execution.

Which Security profile should be used?

A. Vulnerability protection

B. Anti-spyware

C. URL filtering

D. Antivirus

Question #280 Topic 1

An organization has some applications that are restricted for access by the Human Resources Department only, and other applications that are

available for any known user in the organization.

What object is best suited for this configuration?

A. Application Group

B. Tag

C. External Dynamic List

D. Application Filter

Question #281 Topic 1

Which two configurations does an administrator need to compare in order to see differences between the active configuration and potential

changes if committed? (Choose two.)

A. Device state

B. Active

C. Candidate

D. Running

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 85/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #282 Topic 1

An administrator configured a Security policy rule where the matching condition includes a single application and the action is set to deny.

What deny action will the firewall perform?

A. Discard the session’s packets and send a TCP reset packet to let the client know the session has been terminated

B. Drop the traffic silently

C. Perform the default deny action as defined in the App-ID database for the application

D. Send a TCP reset packet to the client- and server-side devices

Question #283 Topic 1

If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?

A. Source Zone: Trusted -

Destination Zone: DMZ -

Services: SSH -

Applications: Any -

Action: Allow

B. Source Zone: Trusted -

Destination Zone: DMZ -

Services: Application-Default -

Applications: SSH -

Action: Allow

C. Source Zone: Trusted -

Destination Zone: DMZ -

Services: Application-Default -

Applications: SSH -

Action: Deny

D. Source Zone: Trusted -

Destination Zone: DMZ -

Services: SSH -

Applications: Any -

Action: Deny

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 86/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #284 Topic 1

An administrator configured a Security policy rule with an Antivirus Security profile. The administrator did not change the action for the profile.

If a virus gets detected, how will the firewall handle the traffic?

A. It allows the traffic but generates an entry in the Threat logs.

B. It drops the traffic because the profile was not set to explicitly allow the traffic.

C. It allows the traffic because the profile was not set the explicitly deny the traffic.

D. It uses the default action assigned to the virus signature.

Question #285 Topic 1

An administrator needs to allow users to use only certain email applications.

How should the administrator configure the firewall to restrict users to specific email applications?

A. Create an application filter and filter it on the collaboration category.

B. Create an application filter and filter it on the collaboration category, email subcategory.

C. Create an application group and add the email applications to it.

D. Create an application group and add the email category to it.

Question #286 Topic 1

DNS exceptions can be set under which Security profile?

A. Data Filtering

B. URL Filtering

C. Anti-Spyware

D. Antivirus

Question #287 Topic 1

An administrator is troubleshooting an issue with an accounts payable application.

Which log setting could be temporarily configured to improve visibility?

A. Log at Session Start and Log at Session End both enabled

B. Log at Session Start and Log at Session End both disabled

C. Log at Session Start enabled, Log at Session End disabled

D. Log at Session Start disabled, Log at Session End enabled

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 87/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #288 Topic 1

By default, which action is assigned to the interzone-default rule?

A. Allow

B. Deny

C. Reset-client

D. Reset-server

Question #289 Topic 1

What is the maximum volume of concurrent administrative account sessions?

A. 2

B. Unlimited

C. 10

D. 1

Question #290 Topic 1

An administrator is updating Security policy to align with best practices.

Which Policy Optimizer feature is shown in the screenshot below?

A. Rules without App Controls

B. New App Viewer

C. Rule Usage – Unused

D. Unused Apps

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 88/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #291 Topic 1

Where within the firewall GUI can all existing tags be viewed?

A. Policies > Tags

B. Network > Tags

C. Objects > Tags

D. Monitor > Tags

Question #292 Topic 1

What is the Anti-Spyware Security profile default action?

A. Sinkhole

B. Reset-client

C. Drop

D. Reset-both

Question #293 Topic 1

To enable DNS sinkholing, which two addresses should be reserved? (Choose two.)

A. MAC

B. IPv6

C. Email

D. IPv4

Question #294 Topic 1

A NetSec manager was asked to create a new firewall administrator profile with customized privileges. The new firewall administrator must be

able to download TSF File and Starts Dump File but must not be able to reboot the device.

Where does the NetSec manager go to configure the new firewall administrator role profile?

A. Device > Admin Roles > Add > XML API > Configuration

B. Device > Admin Roles > Add > XML API > Operational Request

C. Device > Admin Roles > Add > Web UI > Support

D. Device > Admin Roles > Add > Web UI > Operations

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 89/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #295 Topic 1

What must exist in order for the firewall to route traffic between Layer 3 interfaces?

A. Virtual router

B. Virtual wires

C. Traffic Distribution profile

D. VLANs

Question #296 Topic 1

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

A. Panorama > Device Deployment > Dynamic Updates > Schedules > Add

B. Panorama > Device Deployment > Content Updates > Schedules > Add

C. Panorama > Dynamic Updates > Device Deployment > Schedules > Add

D. Panorama > Content Updates > Device Deployment > Schedules > Add

Question #297 Topic 1

In which threat profile object would you configure the DNS Security service?

A. Antivirus

B. Anti-Spyware

C. WildFire

D. URL Filtering

Question #298 Topic 1

Which rule type is appropriate for matching traffic occurring within a specified zone?

A. Universal

B. Shadowed

C. Intrazone

D. Interzone

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 90/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #299 Topic 1

Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)

A. Pre-NAT address

B. Post-NAT address

C. Pre-NAT zone

D. Post-NAT zone

Question #300 Topic 1

If a universal security rule was created for source zones A & B and destination zones A & B, to which traffic would the rule apply?

A. Some traffic between A & B

B. Some traffic within A

C. All traffic within zones A & B

D. Some traffic within B

Question #301 Topic 1

Which interface type requires no routing or switching but applies Security or NAT policy rules before passing allowed traffic?

A. Tap

B. Virtual Wire

C. Layer 2

D. Layer 3

Question #302 Topic 1

What is a valid Security Zone type in PAN-OS?

A. Management

B. Logical

C. Transparent

D. Tap

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 91/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #303 Topic 1

An administrator is creating a Security policy rule and sees that the destination zone is grayed out.

While creating the rule, which option was selected to cause this?

A. Interzone

B. Source zone

C. Universal (default)

D. Intrazone

Question #304 Topic 1

How many levels can there be in a device-group hierarchy, below the shared level?

A. 2

B. 3

C. 4

D. 5

Question #305 Topic 1

Where in Panorama would Zone Protection profiles be configured?

A. Templates

B. Device Groups

C. Shared

D. Panorama tab

Question #306 Topic 1

Which parameter is used to view the Security policy rulebase as groups?

A. Tags

B. Service

C. Type

D. Action

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 92/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #307 Topic 1

When a security rule is configured as Intrazone, which field cannot be changed?

A. Destination Zone

B. Actions

C. Source Zone

D. Application

Question #308 Topic 1

An administrator is trying to understand which NAT policy is being matched.

In what order does the firewall evaluate NAT policies?

A. Dynamic IP and Port first, then Static, and finally Dynamic IP

B. From top to bottom

C. Static NAT rules first, then lop down

D. Static NAT rules first, then Dynamic

Question #309 Topic 1

Which policy set should be used to ensure that a policy is applied just before the default security rules?

A. Shared post-rulebase

B. Local firewall policy

C. Parent device-group post-rulebase

D. Child device-group post-rulebase

Question #310 Topic 1

Which rule type is appropriate for matching traffic occurring within a specified zone?

How should the administrator configure the firewall to restrict users to specific email applications?

A. Create an application filter and filter it on the collaboration category.

B. Create an application filter and filter it on the collaboration category, email subcategory.

C. Create an application group and add the email applications to it.

D. Create an application group and add the email category to it.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 93/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #311 Topic 1

Review the screenshot below. Based on the information it contains, which protocol decoder will detect a machine-learning match, create a Threat

log entry, and permit the traffic?

A. smb

B. imap

C. ftp

D. http2

Question #312 Topic 1

An interface can belong to how many Security Zones?

A. 1

B. 2

C. 3

D. 4

Question #313 Topic 1

What are the two types of Administrator accounts? (Choose two.)

A. Role Based

B. Superuser

C. Dynamic

D. Local

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 94/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #314 Topic 1

The Net Sec Manager asked to create a new Firewall Operator profile with customized privileges.

In particular, the new firewall operator should be able to:

Check the configuration with read-only privilege for LDAP, RADIUS, TACACS+, and SAML as Server profiles to be used inside an Authentication

profile.

The firewall operator should not be able to access anything else.

What is the right path m order to configure the new firewall Administrator Profile?

A. Device > Admin Roles > Add > Web UI > Device > Server Profiles

Device > Admin Roles > Add > Web UI > disable access to everything else

B. Device > Admin Roles > Add > Web UI > Objects > Server Profiles

Device > Admin Roles > Add > Web UI > disable access to everything else

C. Device > Admin Roles > Add >Web UI > Objects > Authentication Profile

Device > Admin Roles > Add > Web UI > disable access to everything else

D. Device > Admin Roles > Add > Web UI > Device > Authentication Profile

Device > Admin Roles > Add > Web UI > disable access to everything else

Question #315 Topic 1

Within the WildFire Analysis profile, which three items are configurable? (Choose three.)

A. FileType

B. Direction

C. Service

D. Application

E. Objects

Question #316 Topic 1

Which Security profile can be used to configure sinkhole IPs m the DNS Sinkhole settings?

A. Vulnerability Protection

B. Anti-Spyware

C. Antivirus

D. URL Filtering

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 95/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #317 Topic 1

Which three management interface settings must be configured for functional dynamic updates and administrative access on a Palo Alto

Networks firewall? (Choose three.)

A. NTP

B. IP address

C. MTU

D. DNS server

E. service routes

Question #318 Topic 1

How does the Policy Optimizer policy view differ from the Security policy view?

A. It provides sorting options that do not affect rule order

B. It specifies applications seen by rules

C. It displays rule utilization

D. It details associated zones

Question #319 Topic 1

An administrator creates a new Security policy rule to allow DNS traffic from the LAN to the DMZ zones. The administrator does not change the

rule type from its default value.

What type of Security policy rule is created?

A. Intrazone

B. Interzone

C. Universal

D. Tagged

Question #320 Topic 1

What do application filters help provide access to?

A. Applications that are explicitly sanctioned for use within a company

B. Applications that are not explicitly sanctioned and that a company wants users to be able to access

C. Applications that are explicitly unsanctioned for use within a company

D. Applications that are not explicitly unsanctioned and that a company wants users to be able to access

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 96/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #321 Topic 1

What is the function of an application group object?

A. It contains applications that you want to treat similarly in policy

B. It groups applications dynamically based on application attributes that you define

C. It represents specific ports and protocols for an application

D. It identifies the purpose of a rule or configuration object and helps you better organize your rulebase

Question #322 Topic 1

How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to destination ports tcp/22 and tcp/4422?

A. The admin creates a custom service object named "tcp-4422" with port tcp/4422.

The admin then creates a Security policy allowing application "ssh" and service "tcp-4422".

B. The admin creates a custom service object named "tcp-4422" with port tcp/4422.

The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "application-default".

C. The admin creates a custom service object named "tcp-4422" with port tcp/4422.

The admin also creates a custom service object named "tcp-22" with port tcp/22.

The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "tcp-22".

D. The admin creates a Security policy allowing application "ssh" and service "application-default".

Question #323 Topic 1

Which type of DNS signatures are used by the firewall to identify malicious and command-and-control domains?

A. DNS Malicious signatures

B. DNS Security signatures

C. DNS Malware signatures

D. DNS Block signatures

Question #324 Topic 1

Which Security policy action will message a user's browser that their web session has been terminated?

A. Reset client

B. Deny

C. Drop

D. Reset server

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 97/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #325 Topic 1

In order to protect users against exploit kits that exploit a vulnerability and then automatically download malicious payloads, which Security profile

should be configured?

A. Anti-Spyware

B. WildFire

C. Vulnerability Protection

D. Antivirus

Question #326 Topic 1

Which verdict may be assigned to a WildFire sample?

A. Phishing

B. Spyware

C. PUP

D. Malware

Question #327 Topic 1

To protect against illegal code execution, which Security profile should be applied?

A. Antivirus profile on allowed traffic

B. Antivirus profile on denied traffic

C. Vulnerability Protection profile on allowed traffic

D. Vulnerability Protection profile on denied traffic

Question #328 Topic 1

Which three types of entries can be excluded from an external dynamic list? (Choose three.)

A. IP addresses

B. Applications

C. User-ID

D. Domains

E. URLs

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 98/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #329 Topic 1

Within a WildFire Analysis Profile, what match criteria can be defined to forward samples for analysis?

A. File Size

B. Application Category

C. Direction

D. Source

Question #330 Topic 1

By default, which action is assigned to the intrazone-default rule?

A. Reset-client

B. Reset-server

C. Deny

D. Allow

Question #331 Topic 1

A Panorama administrator would like to create an address object for the DNS server located in the New York City office, but does not want this

object added to the other Panorama managed firewalls.

Which configuration action should the administrator take when creating the address object?

A. Tag the address object with the New York Office tag.

B. Ensure that Disable Override is cleared.

C. Ensure that the Shared option is checked.

D. Ensure that the Shared option is cleared.

Question #332 Topic 1

An administrator is troubleshooting an issue with traffic that matches the interzone-default rule, which is set to default configuration.

What should the administrator do?

A. Change the logging action on the rule

B. Tune your Traffic Log filter to include the dates

C. Refresh the Traffic Log

D. Review the System Log

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 99/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #333 Topic 1

What is the default action for the SYN Flood option within the DoS Protection profile?

A. Reset-client

B. Alert

C. Sinkhole

D. Random Early Drop

Question #334 Topic 1

Application groups enable access to what?

A. Applications that are explicitly unsanctioned for use within a company

B. Applications that are not explicitly unsanctioned and that an administrator wants users to be able to access

C. Applications that are explicitly sanctioned for use within a company

D. Applications that are not explicitly sanctioned and that an administrator wants users to be able to access

Question #335 Topic 1

Where does a user assign a tag group to a policy rule in the policy creation window?

A. General tab

B. Usage tab

C. Application tab

D. Actions tab

Question #336 Topic 1

What is used to monitor Security policy applications and usage?

A. Security profile

B. App-ID

C. Policy-based forwarding

D. Policy Optimizer

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 100/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #337 Topic 1

What is considered best practice with regards to committing configuration changes?

A. Wait until all running and pending jobs are finished before committing.

B. Export configuration after each single configuration change performed.

C. Validate configuration changes prior to committing.

D. Disable the automatic commit feature that prioritizes content database installations before committing.

Question #338 Topic 1

Which Security profile generates an alert based on a threshold when the action is set to Alert?

A. Vulnerability Protection

B. Antivirus

C. DoS protection

D. Anti-Spyware

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 101/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #339 Topic 1

Given the network diagram, which two statements are true about traffic between the User and Server networks? (Choose two.)

A. Traffic is permitted through the default Intrazone “allow” rule.

B. Traffic restrictions are not possible because the networks are in the same zone.

C. Traffic is permitted through the default Interzone “allow” rule.

D. Traffic restrictions are possible by modifying Intrazone rules.

Question #340 Topic 1

Which setting is available to edit when a tag is created on the local firewall?

A. Color

B. Location

C. Order

D. Priority

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 102/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #341 Topic 1

With the PAN-OS 11.0 Nova release, which two attack options can new inline deep learning analysis engines detect and prevent? (Choose two.)

A. Command injection attacks

B. SSL attacks

C. SQL injection attacks

D. HTTP attacks

Question #342 Topic 1

Which profile must be applied to the Security policy rule to block spyware on compromised hosts from trying to phone-home or beacon out to

external command-and-control (C2) servers?

A. Anti-spyware

B. File blocking

C. WildFire

D. URL filtering

Question #343 Topic 1

Which feature dynamically analyzes and detects malicious content by evaluating various web page details using a series of machine learning (ML)

models?

A. Antivirus Inline ML

B. URL Filtering Inline ML

C. Anti-Spyware Inline ML

D. WildFire Inline ML

Question #344 Topic 1

An administrator is troubleshooting an issue with Office365 and expects that this traffic traverses the firewall.

When reviewing Traffic Log entries, there are no logs matching traffic from the test workstation.

What might cause this issue?

A. Office365 traffic is logged in the System Log.

B. Office365 traffic is logged in the Authentication Log.

C. Traffic matches the interzone-default rule, which does not log traffic by default.

D. The firewall is blocking the traffic, and all blocked traffic is in the Threat Log.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 103/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #345 Topic 1

When creating an address object, which option is available to select from the Type drop-down menu?

A. IPv6 Address

B. IP Netmask

C. IPv4 Address

D. IP Address Class

Question #346 Topic 1

Ethernet 2/1 has an IP Address of 10.0 1 2 in Zone ‘trust’ (LAN).

If both interfaces are connected to the same virtual router, which IP address information will an administrator need to enter in the Destination field

to access the internet?

A. 0.0.0.0

B. 10.0.2.1/32

C. 10.0.1.254/32

D. 0.0.0.0/0

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 104/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #347 Topic 1

Where within the URL Filtering security profile must a user configure the action to prevent credential submissions?

A. URL Filtering > Categories

B. URL Filtering > URL Filtering Settings

C. URL Filtering > Inline Categorization

D. URL Filtering > HTTP Header Insertion

Question #348 Topic 1

Which Security profile must be added to Security policies to enable DNS Signatures to be checked?

A. URL Filtering

B. Vulnerability Protection

C. Anti-Spyware

D. Antivirus

Question #349 Topic 1

Which two Security profile actions can only be applied to DoS Protection profiles? (Choose two.)

A. Reset-server

B. Reset-both

C. SYN cookies

D. Random Early Drop

Question #350 Topic 1

Where can you apply URL Filtering policy in a Security policy rule?

A. Within the applications selection

B. Within a destination address

C. Within a service type

D. Within the actions tab

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 105/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #351 Topic 1

Which interface types are assigned to IEEE 802.1Q VLANs?

A. Tunnel interfaces

B. Layer 2 subinterfaces

C. Layer 3 subinterfaces

D. Loopback interfaces

Question #352 Topic 1

Which three factors can be used to create malware based on domain generation algorithms? (Choose three.)

A. Time of day

B. URL custom categories

C. Other unique values

D. Cryptographic keys

E. IP address

Question #353 Topic 1

Which action column is available to edit in the Action tab of an Antivirus security profile?

A. Virus

B. Signature

C. Spyware

D. Trojan

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 106/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #354 Topic 1

Given the detailed log information above, what was the result of the firewall traffic inspection?

A. It denied the category DNS phishing.

B. It denied the traffic because of unauthorized attempts.

C. It was blocked by the Anti-Virus Security profile action.

D. It was blocked by the Anti-Spyware Profile action.

Question #355 Topic 1

When configuring a security policy, what is a best practice for User-ID?

A. Use only one method for mapping IP addresses to usernames.

B. Allow the User-ID agent in zones where agents are not monitoring services.

C. Limit User-ID to users registered in an Active Directory server.

D. Deny WMI traffic from the User-ID agent to any external zone.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 107/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #356 Topic 1

What are three DNS policy actions? (Choose three.)

A. Block

B. Allow

C. Strict

D. Sinkhole

E. Alert

Question #357 Topic 1

Which System log severity level would be displayed as a result of a user password change?

A. Low

B. Medium

C. High

D. Critical

Question #358 Topic 1

An administrator would like to block traffic to all high risk audio streaming applications, including new App-IDs introduced with content updates.

Which filter should the administrator configure in the application filter object?

A. The category is media, and the characteristic includes Evasive.

B. The subcategory is audio-streaming, and the risk is 1.

C. The subcategory is audio-streaming, and the risk is 5.

D. The category is media, and the tag is high risk.

Question #359 Topic 1

An administrator receives a notification about new malware that is being used to attack hosts. The malware exploits a software bug in a common

application.

Which Security Profile will detect and block access to this threat after the administrator updates the firewall's threat signature database?

A. Vulnerability Profile applied to inbound Security policy rules

B. Antivirus Profile applied to outbound Security policy rules

C. Data Filtering Profile applied to outbound Security policy rules

D. Data Filtering Profile applied to inbound Security policy rules

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 108/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #360 Topic 1

The NetSec Manager asked to create a new firewall Local Administrator profile with customized privileges named New_Admin. This new

administrator has to authenticate without inserting any username or password to access the WebUI.

What steps should the administrator follow to create the New_Admin Administrator profile?

A. 1. Set the Authentication profile to Local.

2. Select the "Use only client certificate authentication" check box.

3. Set Role to Role Based.

B. 1. Select the "Use only client certificate authentication" check box.

2. Set Role to Dynamic.

3. Issue to the Client a Certificate with Certificate Name = New Admin

C. 1. Select the "Use only client certificate authentication" check box.

2. Set Role to Dynamic.

3. Issue to the Client a Certificate with Common Name = New_Admin

D. 1. Select the "Use only client certificate authentication" check box.

2. Set Role to Role Based.

3. Issue to the Client a Certificate with Common Name = New Admin

Question #361 Topic 1

Which Security profile prevents users from submitting valid corporate credentials online?

A. WildFire

B. URL filtering

C. Advanced threat prevention

D. SSL decryption

Question #362 Topic 1

Which two statements apply to an Advanced Threat Prevention subscription? (Choose two.)

A. It contains all the features already in a Threat Prevention subscription.

B. It provides the ability to identify evasive and previously unseen command-and-control (C2) threats.

C. When it is active, a WildFire profile is no longer needed.

D. Due to its more advanced signatures, it provides the ability to identify new threats.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 109/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #363 Topic 1

With the PAN-OS 11.0 release, which tab becomes newly available within the Vulnerability security profile?

A. Vulnerability Exceptions

B. Advanced Rules

C. Inline Cloud Analysis

D. WildFire Inline ML

Question #364 Topic 1

DRAG DROP

Drag the steps into the correct order to create a static route.

Question #365 Topic 1

What are the two ways to implement an exception to an external dynamic list? (Choose two.)

A. Edit the external dynamic list by removing the entries to exclude.

B. Select the entries to exclude from the List Entries list.

C. Manually add an entry to the Manual Exceptions list.

D. Edit the external dynamic list by adding the “-“ symbol before the entries to exclude.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 110/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #366 Topic 1

An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ

or Untrust zones.

The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where

the source and destination zones are VPN.

Which Security policy rule type should they use?

A. Interzone

B. Universal

C. Intrazone

D. Default

Question #367 Topic 1

An administrator is reviewing the Security policy rules shown in the screenshot.

Why are the two fields in the Security policy EDL-Deny highlighted in red?

A. Because antivirus inspection is enabled for this policy

B. Because the destination zone, address, and device are all "any"

C. Because the action is Deny

D. Because the Security-EDL tag has been assigned the red color

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 111/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #368 Topic 1

What are two differences between an application group and an application filter? (Choose two.)

A. Application groups enable access to sanctioned applications explicitly, while application filters enable access to sanctioned applications

implicitly.

B. Application groups are static, while application filters are dynamic.

C. Application groups dynamically group applications based on attributes, while application filters contain applications that are statically

grouped.

D. Application groups can be added to application filters, while application filters cannot be added to application groups.

Question #369 Topic 1

An administrator reads through the following Applications and Threats Content Release Notes before an update:

Which rule would continue to allow the file upload to confluence after the update?

A.

B.

C.

D.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 112/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #370 Topic 1

Which two events can be found in data-filtering logs? (Choose two.)

A. Specific users attempting to authenticate

B. Sensitive information attempting to exit the network

C. An unsuccessful attempt to establish a TLS session

D. A download attempt of a blocked file type

Question #371 Topic 1

Which statement applies to the Intrazone Security policy rule?

A. The traffic within the same security zone will not be allowed.

B. It requires a Zone Protection profile to be applied.

C. It applies regardless of whether it is from the same security zone or a different one.

D. It applies to all matching traffic within the specified source security zones.

Question #372 Topic 1

Review the screenshot below. Which statement is correct about the information it contains?

A. Highlight Unused Rules is checked.

B. Tunnel Traffic has the High Risk tag applied.

C. There are six Security policy rules on this firewall.

D. View Rulebase as Groups is checked.

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 113/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #373 Topic 1

An administrator wants to enable users to access retail websites that are considered minimum risk.

Which two URL categories should be combined in a custom URL category to accomplish this goal? (Choose two.)

A. e-commerce

B. known-good

C. shopping

D. low-risk

Question #374 Topic 1

What are three advantages of user-to-group mapping? (Choose three.)

A. It does not require additional objects to be configured.

B. It does not require a Server profile.

C. It simplifies user administration.

D. It automatically adds new users to the appropriate group.

E. It allows an administrator to write more granular policies.

Question #375 Topic 1

Which situation is recorded as a system log?

A. A connection with an authentication server has been dropped.

B. A file that has been analyzed is potentially dangerous for the system.

C. An attempt to access a spoofed website has been blocked.

D. A new asset has been discovered on the network.

Question #376 Topic 1

Within an Anti-Spyware security profile, which tab is used to enable machine learning based engines?

A. Signature Policies

B. Signature Exceptions

C. Machine Learning Policies

D. Inline Cloud Analysis

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 114/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #377 Topic 1

Which two statements correctly describe how pre-rules and local device rules are viewed and modified? (Choose two.)

A. Pre-rules can be modified by the local administrator or by a Panorama administrator who has switched to a local firewall.

B. Pre-rules and local device rules can be modified in Panorama.

C. Pre-rules can be viewed on managed firewalls.

D. Pre-rules are modified in Panorama only, and local device rules are modified on local firewalls only.

Question #378 Topic 1

The administrator profile "SYS01 Admin" is configured with authentication profile "Authentication Sequence SYS01," and the authentication

sequence SYS01 has a profile list with four authentication profiles:

• Auth Profile LDAP

• Auth Profile Radius

• Auth Profile Local

• Auth Profile TACACS

After a network outage, the LDAP server is no longer reachable. The RADIUS server is still reachable but has lost the "SYS01 Admin" username and

password.

What is the "SYS01 Admin" login capability after the outage?

A. Auth KO because RADIUS server lost user and password for SYS01 Admin

B. Auth OK because of the Auth Profile TACACS

C. Auth OK because of the Auth Profile Local

D. Auth KO because LDAP server is not reachable

Question #379 Topic 1

Which three types of Source NAT are available to users inside a NGFW? (Choose three.)

A. Static Port

B. Dynamic IP and Port (DIPP)

C. Dynamic IP

D. Static IP and Port (SIPP)

E. Static IP

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 115/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #380 Topic 1

What are the two main reasons a custom application is created? (Choose two.)

A. To change the default categorization of an application

B. To visually group similar applications

C. To correctly identify an internal application in the traffic log

D. To reduce unidentified traffic on a network

Question #381 Topic 1

By default, what is the maximum number of templates that can be added to a template stack?

A. 6

B. 8

C. 10

D. 12

Question #382 Topic 1

What does rule shadowing in Security policies do?

A. It shows rules with the same Source Zones and Destination Zones.

B. It indicates that a broader rule matching the criteria is configured above a more specific rule.

C. It indicates rules with App-ID that are not configured as port-based.

D. It shows rules that are missing Security profile configurations.

Question #383 Topic 1

Which two types of profiles are needed to create an authentication sequence? (Choose two.)

A. Security profile

B. Authentication profile

C. Server profile

D. Interface Management profile

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 116/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #384 Topic 1

Which order of steps is the correct way to create a static route?

A. 1) Enter the route and netmask

2) Specify the outgoing interface for packets to use to go to the next hop

3) Enter the IP address for the specific next hop

4) Add an IPv4 or IPv6 route by name

B. 1) Enter the IP address for the specific next hop

2) Add an IPv4 or IPv6 route by name

3) Enter the route and netmask

4) Specify the outgoing interface for packets to use to go to the next hop

C. 1) Enter the route and netmask

2) Enter the IP address for the specific next hop

3) Specify the outgoing interface for packets to use to go to the next hop

4) Add an IPv4 or IPv6 route by name

D. 1) Enter the IP address for the specific next hop

2) Enter the route and netmask

3) Add an IPv4 or IPv6 route by name

4) Specify the outgoing interface for packets to use to go to the next hop

Question #385 Topic 1

Which two actions are needed for an administrator to get real-time WildFire signatures? (Choose two.)

A. Enable Dynamic Updates.

B. Obtain a Threat Prevention subscription.

C. Obtain a WildFire subscription.

D. Move within the WildFire public cloud region.

Question #386 Topic 1

Which two features implement one-to-one translation of a source IP address while allowing the source port to change? (Choose two.)

A. Dynamic IP

B. Dynamic IP and Port (DIPP)

C. Static IP

D. Dynamic IP / Port Fallback

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 117/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #387 Topic 1

What are three ways application characteristics are used? (Choose three.)

A. As a setting to define a new custom application

B. As a global filter in the Application Command Center (ACC)

C. As an attribute to define an application group

D. As an object to define Security policies

E. As an attribute to define an application filter

Question #388 Topic 1

In which two Security Profiles can an action equal to the block IP feature be configured? (Choose two.)

A. Antivirus

B. URL Filtering

C. Vulnerability Protection

D. Anti-spyware

Question #389 Topic 1

When is an event displayed under threat logs?

A. When traffic matches a corresponding Security Profile

B. When traffic matches any Security policy

C. Every time a session is blocked

D. Every time the firewall drops a connection

Question #390 Topic 1

In which section of the PAN-OS GUI does an administrator configure URL Filtering profiles?

A. Network

B. Policies

C. Objects

D. Device

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 118/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #391 Topic 1

Which profile should be used to obtain a verdict regarding analyzed files?

A. Advanced threat prevention

B. Vulnerability profile

C. WildFire analysis

D. Content-ID

Question #392 Topic 1

In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)

A. Objects tab > Applications

B. Objects tab > Application Groups

C. Objects tab > Application Filters

D. ACC tab > Global Filters

E. Policies tab > Security

Question #393 Topic 1

Where within the firewall GUI can an administrator create a local user database?

A. Device > Local User Database > Guests

B. Device > Local User Database > End Users

C. Device > Local User Database > Admins

D. Device > Local User Database > Users

Question #394 Topic 1

How are service routes used in PAN-OS?

A. By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered in the network

B. To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks external services

C. For routing, because they are the shortest path selected by the BGP routing protocol

D. To route management plane services through data interfaces rather than the management interface

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 119/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #395 Topic 1

How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?

A. Select the unified log entry in the side menu.

B. Modify the number of columns visible on the page.

C. Modify the number of logs visible on each page.

D. Select the system logs entry in the side menu.

Question #396 Topic 1

Which User Credential Detection method should be applied within a URL Filtering Security profile to check for the submission of a valid corporate

username and the associated password?

A. Group Mapping

B. Domain Credential

C. Valid Username Detected Log Severity

D. IP User

Question #397 Topic 1

Which step is mandatory to create a static route in PAN-OS?

A. Apply the autonomous system number.

B. Specify the outgoing interface.

C. Select the dynamic routing protocol.

D. Select the virtual router.

Question #398 Topic 1

Which security profile should be used to classify malicious web content?

A. URL Filtering

B. Web Content

C. Antivirus

D. Vulnerability Protection

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 120/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #399 Topic 1

A systems administrator momentarily loses track of which is the test environment firewall and which is the production firewall. The administrator

makes changes to the candidate configuration of the production firewall, but does not commit the changes. In addition the configuration was not

saved prior to making the changes.

Which action will allow the administrator to undo the changes?

A. Revert to running configuration.

B. Load named configuration snapshot, and choose the first item on the list.

C. Revert to last saved configuration.

D. Load configuration version, and choose the first item on the list.

Question #400 Topic 1

An administrator is implementing an exception to an external dynamic list by adding an entry to the list manually. The administrator wants to save

the changes, but the OK button is grayed out.

What are two possible reasons the OK button is grayed out? (Choose two.)

A. The entry matches a list entry.

B. The entry doesn't match a list entry.

C. The entry contains wildcards.

D. The entry is duplicated.

Question #401 Topic 1

Which three Ethernet interface types are configurable on the Palo Alto Networks firewall? (Choose three.)

A. Static

B. Tap

C. Dynamic

D. Layer 3

E. Virtual Wire

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 121/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #402 Topic 1

A network security manager is asked to save a configuration to be used after a firewall reboot.

When the configuration is ready, how should it be saved so that the changes are not lost?

A. Save named configuration snapshot.

B. Load named configuration snapshot.

C. Revert to last saved configuration.

D. Save candidate configuration.

Question #403 Topic 1

Which action should be taken to identify threats that have been detected by using inline cloud analysis?

A. Filter Threat logs by Type

B. Filter Threat logs by Application

C. Filter Threat logs by Action

D. Filter Threat logs by Threat Category

Question #404 Topic 1

What are three valid source or D=destination conditions available as Security policy qualifiers? (Choose three.)

A. Zone

B. Service

C. User

D. Application

E. Address

Question #405 Topic 1

Which path in PAN-OS 11.x would you follow to see how new and modified App-IDs impact a Security policy?

A. Device > Dynamic Updates > Review App-IDs

B. Objects > Dynamic Updates > Review App-IDs

C. Objects > Dynamic Updates > Review Policies

D. Device > Dynamic Updates > Review Policies

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 122/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #406 Topic 1

What are three configurable interface types for a data-plane ethernet interface? (Choose three.)

A. VWire

B. Layer 2

C. Management

D. HSCI

E. Layer 3

Question #407 Topic 1

An administrator wants to enable access to www.paloaltonetworks.com while denying access to all other sites in the same category.

Which object should the administrator create to use as a match condition for the security policy rule that allows access to

www.paloaltonetworks.com?

A. Service

B. Address

C. URL category

D. Application group

Question #408 Topic 1

Which Security profile should be applied in order to protect against illegal code execution?

A. Vulnerability Protection profile on allowed traffic

B. Vulnerability Protection profile on denied traffic

C. Antivirus profile on denied traffic

D. Antivirus profile on allowed traffic

Question #409 Topic 1

Which CLI command will help confirm if FQDN objects are resolved in the event there is a shadow rule?

A. >request show system fqdn

B. >show system fqdn

C. >request fqdn show system

D. >request system fqdn show

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 123/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #410 Topic 1

An administrator should filter NGFW traffic logs by which attribute column to determine if the entry is for the start or end of the session?

A. Source

B. Type

C. Receive Time

D. Destination

Question #411 Topic 1

What is a default setting for NAT Translated Packets when the destination NAT translation is selected as Dynamic IP (with session distribution)?

A. IP Hash

B. Round Robin

C. Least Sessions

D. Source IP Hash

Question #412 Topic 1

Which two options does the firewall use to dynamically populate address group members? (Choose two.)

A. Tag-based filters

B. MAC Addresses

C. IP Addresses

D. Tags

Question #413 Topic 1

Which feature enables an administrator to review the Security policy rule base for unused rules?

A. Test Policy Match

B. View Rulebase as Groups

C. Security policy tags

D. Policy Optimizer

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 124/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #414 Topic 1

In the PAN-OS Web Interface, which is a session distribution method offered under NAT Translated Packet Tab to choose how the firewall assigns

sessions?

A. Max Sessions

B. IP Modulo

C. Destination IP Hash

D. Concurrent Sessions

Question #415 Topic 1

Which administrative role type allows a custom set of firewall permissions to be configured for administrators?

A. Superuser

B. Role based

C. Device administrator

D. Virtual system administrator

Question #416 Topic 1

Which table for NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings is available only on Panorama?

A. NAT Policies General Tab

B. NAT Active/Active HA Binding Tab

C. NAT Target Tab

D. NAT Translated Packet Tab

Question #417 Topic 1

Which log type would be used to find commit entries for a firewall?

A. Config

B. Alarms

C. Correlation

D. System

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 125/126
1/8/25, 8:57 PM PCNSA Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #418 Topic 1

What must first be created on the firewall for SAML authentication to be configured?

A. Server Profile

B. Server Policy

C. Server Location

D. Server Group

Question #419 Topic 1

Where in the PAN-OS GUI can an administrator monitor the rule usage for a specified period of time?

A. Monitor > Packet Capture

B. Objects > Schedules

C. Policies > Policy Optimizer

D. Monitor > Reports

Question #420 Topic 1

What two actions can be taken when Implementing an exception to an External Dynamic List? (Choose two.)

A. Exclude a URL entry by making use of wildcards

B. Exclude a URL entry by making use of regular expressions

C. Exclude an IP address by making use of wildcards

D. Exclude an IP address by making use of regular expressions

Browse atleast 50% to increase passing rate

Viewing page 1 out of 1 pages.

Viewing questions 1-420 out of 420 questions

https://www.examtopics.com/exams/palo-alto-networks/pcnsa/custom-view/ 126/126