View NetSec-Analyst Exam Questions

Q: 1

DRAG DROP Match the Palo Alto Networks Security Operating Platform architecture to its description.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Threat Intelligence Cloud
Next-Generation Firewall
Advanced Endpoint Protection

Correct Answer:

Answer Area Identifies and inspects all traffic to block known threats.: B. Next-Generation Firewall Gathers, analyzes, correlates, and disseminates threats to and from the network and endpoints located within the network.: A. Threat Intelligence Cloud Inspects processes and files to prevent known and unknown exploits.: C. Advanced Endpoint Protection

Explanation

The Palo Alto Networks Security Operating Platform architecture is defined by three core pillars that work together to prevent cyberattacks:

Next-Generation Firewall (Network): Its primary function is to provide visibility and control over network traffic. It identifies and inspects all traffic (using App-ID and Content-ID) to block known threats regardless of port or protocol.
Advanced Endpoint Protection (Endpoint): Historically referred to as Traps (now part of Cortex XDR), this component runs on the host. It inspects processes and files to prevent both known and unknown exploits and malware execution on the endpoint itself.
Threat Intelligence Cloud (Cloud): This layer (exemplified by services like WildFire) gathers, analyzes, correlates, and disseminates threat intelligence. It aggregates data from the network and endpoints, analyzes it for zero-day threats, and automatically pushes protections back to the enforcement points.

References

Palo Alto Networks. (2019). The Security Operating Platform: Preventing Successful Cyberattacks. Official Whitepaper. (Defines the three pillars: Network Security, Advanced Endpoint Protection, and Cloud Security/Threat Intelligence, specifically mapping the "gathers, analyzes, correlates" function to the Cloud layer).

Palo Alto Networks. (n.d.). Next-Generation Firewall Overview. Official Documentation. (States the firewall's role to "inspect all traffic, including encrypted traffic" and identify applications and threats).

Palo Alto Networks. (2018). Traps: Advanced Endpoint Protection. Datasheet. (Describes the technology's method to "monitor processes and files" to prevent exploits).

Palo Alto Networks Education. PCNSA Study Guide. (The specific definitions used in this drag-and-drop exercise are verbatim from the "Security Operating Platform" section of the official PCNSA/PCNSE certification courseware).

Q: 2

DRAG DROP Place the steps in the correct packet-processing order of operations.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Security profile enforcement
decryption
zone protection
App-ID

Q: 3

Which two statements are correct about App-ID content updates? (Choose two.)

Options

Correct Answer:

A, D

Explanation

App-ID content updates from Palo Alto Networks provide the firewall with the latest application signatures. When an update is installed, new applications are automatically identified and classified based on the new signatures provided. This can directly impact how existing Security policy rules are enforced. For instance, traffic that was previously unidentified and permitted might now be identified as a specific application and blocked by an existing rule, or an application's category might change, causing it to match a different policy rule.

Why Incorrect

B. After an application content update, new applications must be manually classified prior to use

This is incorrect. The core purpose of App-ID content updates is to deliver pre-classified application signatures, enabling the firewall to automatically identify and classify new applications.

C. Existing security policy rules are not affected by application content updates

This is incorrect. Updates can re-categorize existing applications or identify previously unknown traffic, which can directly alter how existing Security policy rules enforce traffic control.

References

1. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0 (Nova)

Chapter: Content Updates

Section: Manage New App-IDs Introduced in Content Releases.

Supporting A & C: The guide states

"New and modified App-IDs can change how your firewall enforces your existing Security policy. For example

a new App-ID might be for an application that was previously unidentified and allowed by a liberal security rule. After the update

the firewall will identify the application and block it if you have a security rule that blocks that application." This confirms that updates can change enforcement and directly affect existing rules.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0 (Nova)

Chapter: Content Updates

Section: App-ID and Threat Content Updates.

Supporting D & B: This section explains that Palo Alto Networks constantly develops new application signatures and makes them available for download. It states

"The firewall uses the latest application and threat signatures (content) to secure your network." This highlights the automatic nature of identification and classification provided by the updates

negating the need for manual classification of new apps.

Q: 4

Which object would an administrator create to block access to all high-risk applications?

Options

Correct Answer:

Explanation

An application filter is a dynamic object used to group applications based on their attributes, such as category, subcategory, technology, and risk factor. To block all high-risk applications, an administrator would create an application filter that matches applications with a risk level of 4 (high) and 5 (critical). This filter can then be referenced in a Security policy rule with a "deny" action. This approach is superior to a static group because the filter automatically updates to include new applications that Palo Alto Networks identifies as high-risk in subsequent content updates, ensuring the policy remains effective without manual intervention.

Why Incorrect

A. A HIP profile is used with GlobalProtect to assess the security status of an endpoint and grant network access based on compliance, not to classify applications.

C. An application group is a static, manually defined list of applications. It would not automatically include new applications identified as high-risk in the future.

D. A Vulnerability Protection profile is a security profile used to detect and prevent exploits targeting software vulnerabilities within allowed traffic, not to block applications based on risk.

References

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: In the section "Objects > Application Filters

" it states

"Create application filters to dynamically group applications by application attribute... For example

you can create a filter that includes all applications that have a high risk factor and then use that filter to block access to those applications." This directly supports the use of an application filter for the described task.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: The section "Objects > Application Groups" describes them as "static groups of applications that you can use in policies

" which contrasts with the dynamic nature required to block all high-risk applications

including future ones.

3. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: The chapter on "Security Profiles" explains that a "Vulnerability Protection" profile "protects your network from attacks that target system vulnerabilities." This confirms its purpose is exploit prevention

not application control by risk category.

Q: 5

Based on the show security policy rule would match all FTP traffic from the inside zone to the outside zone?

Options

Discussion

Jack Mar 3, 2026 9:30 pm

My pick: B, saw a similar question on a practice test and engress outside matched inside to outside FTP traffic.

Ravi F. Feb 19, 2026 1:29 pm

Anyone double-checked if "engress outside" (B) is actually first in policy order? Remember from a mock that ordering matters, since firewall applies rules top to bottom. Just want to confirm we're all reading the zones right.

Olivia Feb 26, 2026 2:47 pm

Matches what I'd expect too. B lines up since it's specifically for inside to outside traffic, and the application set to any means FTP gets included. I think that's the clear match, unless there's a hidden catch.

Sanjay Y. Feb 25, 2026 3:30 am

B imo. The rule name 'engress outside' is the only one that lines up with source zone inside and destination outside. Plus, application is any which covers FTP. Pretty sure that's what Palo expects, unless another rule above it gets there first but don't see one in the screenshot.

Ravi Mar 10, 2026 6:10 am

Option B. Not A, that one's for inside to DMZ, which is a common trap answer on these. For FTP from inside to outside, engress outside fits the zone pairing. Pretty sure that's what the exam goes for here.

Liam I. Feb 27, 2026 3:53 pm

Has anyone tried checking the official study guide or using the lab for rules matching?

Priya Mar 9, 2026 11:37 am

That fits with what I'm seeing. B

Drew I. Feb 24, 2026 7:19 pm

B , matches FTP from inside to outside since the rule uses those exact source and destination zones. Also, the app/service fields are set to 'any' and 'application-default', so FTP gets covered. I think this is right unless something above overrides it.

Sam P. Feb 23, 2026 1:37 pm

B tbh, unless there's a policy with a more specific app/service match above it that would take precedence.

Ivy Feb 25, 2026 1:56 am

Not C, A. Antivirus and Vulnerability Protection only scan traffic that's actually permitted by the rule.

Be respectful. No spam.

Correct Answer:

Explanation

The question requires identifying the security policy rule that matches FTP traffic from the inside zone to the outside zone. The firewall evaluates rules from top to bottom. The rule named engress outside is the first rule in the list that matches the required traffic flow criteria:

Source Zone (from): inside

Destination Zone (to): outside

Application: any (which includes FTP)

Service: application-default (which allows the firewall to identify applications on their standard ports, including FTP)

This combination ensures that FTP traffic originating from the inside zone and destined for the outside zone will be matched and processed by this rule.

Why Incorrect

A. internal-inside-dmz: This rule's destination zone is dmz, not outside, so it will not match the specified traffic flow.

C. inside-portal: This rule's destination zone is also dmz, not outside, and therefore does not match the traffic.

D. intercone-default: This is an intrazone rule for traffic where both the source and destination zone are inside.

References

1. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2 (2021). "Security Policy." In the section "Components of a Security Policy Rule

" the guide specifies that traffic is matched based on criteria including Source Zone and Destination Zone. The engress outside rule is the only one with the correct from (inside) and to (outside) zones.

2. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2 (2021). "Security Policy." The section "Security Policy Rule Optimization" explains that the firewall evaluates rules in order (top-down) and applies the first rule that matches the traffic.

3. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2 (2021). "Objects > Services." The documentation explains that the application-default service keyword allows the firewall to use the standard ports associated with the application identified by App-ID

which would include the standard ports for FTP.

Q: 6

What are two valid selections within an Anti-Spyware profile? (Choose two.)

Options

Discussion

Taylor Mar 8, 2026 1:27 am

A and D, that's it. Both show up in actual Anti-Spyware profile action lists from what I've seen.

Robin P. Feb 26, 2026 11:16 am

Probably A and B here. MPLS and broadband are standard SD-WAN choices. USB tethering isn't typical for enterprise links.

Piya V. Feb 25, 2026 10:14 pm

Yeah, A and B here. MPLS and broadband internet are the usual SD-WAN transports you see for path selection. USB tethering and loopbacks aren’t really used in real deployments for this purpose. Pretty sure that's what they're after here, but let me know if I'm missing something obvious.

Piya M. Mar 6, 2026 5:57 pm

A B. Seen similar questions in official guides and practice exams, always lists MPLS and broadband internet as typical SD-WAN path options.

SeasonedConsultant4458 Mar 6, 2026 1:24 pm

Ravi Q. Mar 1, 2026 10:38 pm

D . Drop is definitely selectable in Anti-Spyware profiles, but Deny (B) is a common trap since it's not an action there. Pretty sure A fits too, but I could see some confusion.

Zoe Mar 8, 2026 2:25 am

A and D imo. Had something like this in a mock, and Default plus Drop were valid actions for Anti-Spyware profiles. Pretty sure B and C aren’t actual options in that context, but happy to hear counterpoints.

Taylor I. Mar 6, 2026 4:29 am

Its A and C. USB tethering sometimes gets mentioned as a WAN link so I’d pick it over broadband.

Be respectful. No spam.

Correct Answer:

A, D

Explanation

Within a Palo Alto Networks Anti-Spyware profile, administrators configure actions to be taken when a threat is detected. The "Default" action instructs the firewall to use the predefined action recommended by Palo Alto Networks for the specific threat signature, which varies based on severity. The "Drop" action is a specific instruction to silently discard the packet(s) identified as malicious, effectively preventing the threat from reaching its destination without notifying the source. Both "Default" and "Drop" are standard, configurable action choices within the rules of an Anti-Spyware profile.

Why Incorrect

B. Deny: "Deny" is a terminal action for a Security Policy rule that stops traffic matching the rule, but it is not an available action within an Anti-Spyware Security Profile itself.

C. Random early drop: This is a Quality of Service (QoS) congestion-avoidance mechanism used to manage network traffic queues; it is not a security action for threat prevention.

References

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2 (2021). In the section "Anti-Spyware Profile Actions

" the guide lists the available actions for threats. It explicitly includes "default" and "drop." The "default" action uses the predefined action for each signature. The "drop" action is defined as dropping the traffic. (Reference: Chapter: "Objects > Security Profiles > Anti-Spyware"

Section: "Anti-Spyware Profile Actions").

2. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2 (2021). The section on "Security Policy" describes the available actions for policy rules

which include "allow" and "deny." This confirms that "Deny" is an action at the policy level

not within the Anti-Spyware profile. (Reference: Chapter: "Policies > Security"

Section: "Security Policy Actions").

3. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2 (2021). The section on Quality of Service (QoS) details congestion avoidance mechanisms. It describes Random Early Detection (RED) and Weighted Random Early Detection (WRED)

which aligns with the concept of "Random early drop

" confirming it is a QoS feature

not a threat profile action. (Reference: Chapter: "Network > QoS"

Section: "QoS Concepts").

Q: 7

What are the two main reasons a custom application is created? (Choose two.)

Options

Discussion

Robin T. Feb 22, 2026 5:55 am

B . I feel like changing the default categorization (B) makes sense since customizing apps often lets you set a different category if the built-in one doesn’t match your usage. A is tempting but for me B and maybe D fit better. Disagree?

Ethan Y. Mar 7, 2026 9:20 am

A and D for sure. You create a custom app to spot your own internal stuff in the traffic logs, plus it helps get rid of all the unknown traffic entries that App-ID can't figure out. Pretty standard use case from what I've seen, but open if anyone's got another take.

Riley O. Mar 10, 2026 1:37 am

B here. Had something like this in a mock, and the recategorization bit seemed correct there. I thought changing the app's default categorization was a main use for custom apps, not just reducing unknowns. Might be missing something though.

Adam Mar 4, 2026 11:42 pm

A/D? If the built-in App-ID already has a signature but you tweak category, that's not really making a custom app per se, it's more like just adjusting attributes. Custom apps mainly fix unknown/unique internal traffic cases. Pretty sure, but open to correction.

SteadySec3115 Mar 9, 2026 1:18 pm

I get why most people say A and D, but I’m still drawn to B. If you want to recategorize how an app appears in traffic logs, creating a custom application seems like the move-especially if default categorization isn’t suitable. Maybe I’m off, but isn’t customizing for policy mapping also common? Could be a trap though if Palo Alto expects "main reasons" to mean just identification and unknown traffic.

Owen Feb 19, 2026 5:21 pm

Isn't B also valid if you want to adjust how an application is classified? Custom apps could be used for recategorizing, not just identifying internal stuff or reducing unknowns. Or am I missing something about default PAN behavior?

Vikram K. Feb 23, 2026 11:14 pm

A and D make sense here. Custom apps in PAN firewalls are really about making sure you can identify internal apps that App-ID doesn't recognize (A), plus cutting down on unknown traffic entries in the logs (D). B is more about app categorization, not the main use. Pretty sure this is right, but happy to discuss if anyone disagrees.

Ishaan G. Feb 25, 2026 1:49 am

D imo. If App-ID already knows the app but logs it as "unknown," you'd make a custom app to ID it properly. Not actually about recategorizing built-ins, it's about that edge case where standard signatures fail.

Noah N. Feb 19, 2026 2:45 am

Don't think B is right here. The real purpose of custom applications in PAN-OS is to properly identify internal or proprietary traffic (that's A), and also to cut down on all the unknown-tcp/udp noise (that's D). B looks like a trap since recategorizing isn't the main use case. Anyone else see it this way?

Riley Mar 2, 2026 2:24 am

Probably A and D. Custom apps are key for spotting internal or proprietary traffic that default signatures miss, plus they help classify those unknown-tcp/udp logs so you're not blind to what’s on the wire. B and C might sound useful, but they aren't the main drivers for building a custom app in PAN-OS. Let me know if you see it differently.

Be respectful. No spam.

Correct Answer:

A, D

Explanation

The primary purpose of creating a custom application in Palo Alto Networks firewalls is to enhance visibility and control over traffic that is not recognized by the standard App-ID database. This is crucial for two main reasons:

1. Identifying Proprietary/Internal Applications: Organizations often use custom-developed applications for internal operations. Creating a custom application signature allows the firewall to correctly identify, log, and apply specific security policies to this traffic, which would otherwise be unclassified.

2. Reducing Unidentified Traffic: When App-ID cannot identify an application, the traffic is often logged as "unknown-tcp" or "unknown-udp." By creating a custom application for this traffic, administrators can properly classify it, thereby reducing the amount of unidentified traffic on the network and improving the overall security posture and reporting accuracy.

Why Incorrect

B. To change the default categorization of an application: This is the function of an Application Override policy, which re-classifies traffic already identified by App-ID, not the creation of a new custom application signature.

C. To visually group similar applications: This is accomplished by creating Application Groups or Application Filters, which are used to bundle multiple applications (standard or custom) for easier policy management.

References

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"Create a Custom Application" section:

"If you have a custom application running on your network for which an App-ID does not exist

you can create a custom application signature... Creating a custom application enables you to... more accurately control the application and reduce the security risk associated with unknown TCP/UDP traffic." This statement directly supports options A and D.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"Application Override" section:

"Application override policies allow you to override the normal identification of traffic... For example

you can create a policy to classify your custom accounting application that runs on TCP port 3400 as 'my-accounting-app' instead of as 'unknown-tcp'." This clarifies that Application Override is for re-classifying traffic

distinguishing it from the initial identification purpose of a custom application

thus invalidating option B.

3. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"Objects > Application Groups" section:

"Application groups are a way to group applications so that they can be used in policies." This confirms that grouping applications is the specific function of Application Groups

making option C incorrect.

Q: 8

DRAG DROP Place the following steps in the packet processing order of operations from first to last.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

content inspection
QOS shaping applied
Security policy lookup
DoS protection

Q: 9

What do you configure if you want to set up a group of objects based on their ports alone?

Options

Correct Answer:

Explanation

In the Palo Alto Networks PAN-OS, a "Service" object explicitly defines a protocol (like TCP or UDP) and its associated port number or a range of ports. To create a logical collection of these port-based definitions, you configure a "Service Group." This allows you to bundle multiple Service objects together, such as services for HTTP (TCP/80), HTTPS (TCP/443), and DNS (UDP/53), into a single, reusable object. This Service Group can then be applied to Security policy rules to simplify administration and improve readability, as you reference one group instead of many individual services.

Why Incorrect

A. Application groups: These are collections of application signatures (e.g., web-browsing, ssl), which are identified by more than just port numbers.

C. Address groups: These are collections of IP address objects, such as hosts, subnets, or IP ranges, not port definitions.

D. Custom objects: This is a generic term. The specific and correct object type for grouping port-based services is a Service Group.

References

1. Palo Alto Networks. (2023). PAN-OS® 11.0 Administrator's Guide. Objects > Services. The guide states

"A service is a combination of a transport protocol (such as TCP or UDP) and one or more port numbers." This establishes the base object.

2. Palo Alto Networks. (2023). PAN-OS® 11.0 Administrator's Guide. Objects > Service Groups. The documentation defines this object type: "A service group is a collection of services that you can use in policies instead of entering each service individually." This directly answers the question about grouping.

3. Palo Alto Networks. (2021). PAN-OS® 10.1 Administrator's Guide. Objects > Address Groups. This section clarifies that Address Groups are used to "group multiple IP addresses so that you can apply policy to all of them at once

" distinguishing them from port-based objects.

4. Palo Alto Networks. (2021). PAN-OS® 10.1 Administrator's Guide. Objects > Application Groups. This section defines Application Groups as a way to "group applications so that you can use the group in policy rules

" differentiating them from Service Groups.

Q: 10

DRAG DROP Match each feature to the DoS Protection Policy or the DoS Protection Profile.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Threat Intelligence Cloud
Next-Generation Firewall
Advanced Endpoint Protection

Discussion

Nina M. Mar 5, 2026 3:28 am

Next-Generation Firewall → Identifies and inspects all traffic, Threat Intelligence Cloud → Gathers/analyzes/correlates/disseminates threats, Advanced Endpoint Protection → Inspects processes/files. Swapped Threat Intelligence Cloud and Endpoint since I thought the cloud does more analysis directly on files. Pretty sure this fits Palo's descriptions but not 100%.

Ethan T. Feb 24, 2026 5:36 am

Next-Generation Firewall -> Identifies/inspects all traffic, Threat Intelligence Cloud -> Analyzes/correlates/threat data, Advanced Endpoint Protection -> Inspects processes and files. I matched threat intelligence with process inspection since it does a lot of dynamic analysis in the cloud, but maybe that's supposed to be endpoint. Correct me if off.

Ivy D. Feb 21, 2026 8:10 am

Yeah this is the right mapping: Next-Gen Firewall blocks traffic at the network layer, Threat Intelligence Cloud does the analytics correlation part, Advanced Endpoint Protection handles stuff on endpoints. Pretty sure this matches how Palo separates features, but correct me if I'm off.

AishaQ Feb 20, 2026 2:33 am

Next-Generation Firewall → Identifies and inspects all traffic, Threat Intelligence Cloud → Gathers/analyzes/correlates/disseminates threats, Advanced Endpoint Protection → Inspects processes/files. I think that's right based on how Palo Alto splits it, but kind of easy to overthink if you focus on sandboxing.

Ivy X. Feb 25, 2026 2:57 pm

Actually, I'd map "Inspects processes and files..." to Threat Intelligence Cloud instead of Endpoint Protection. Feels like this is a common trap, since the cloud does tons of analysis too. Pretty sure that's how they split it, but could be wrong.

PracticalMentor420 Mar 3, 2026 10:57 pm

Option A and B, not C. Usernames/passwords trip people up but they're not predefined patterns for Data Filtering.

Sean O. Mar 6, 2026 9:28 pm

Don’t think it’s C. A and B

DirectLearner7814 Feb 20, 2026 4:52 am

A and B tbh. Credit card numbers and SSNs are both built-in data patterns, but usernames/passwords aren’t part of the predefined filters. D trips people up-it’s more for threat prevention, not data filtering.

Kevin Feb 26, 2026 9:37 am

Its A and C. Official guide and the practice exams help with questions like this.

Be respectful. No spam.

Correct Answer:

Explanation

This architecture aligns with the Palo Alto Networks Security Operating Platform. The Next-Generation Firewall (NGFW) is responsible for network visibility, identifying applications, and inspecting traffic content to block threats at the perimeter or internal segments. The Threat Intelligence Cloud acts as the central analytics hub (e.g., WildFire), where threat data is gathered from global sensors, analyzed, correlated, and then disseminated back to enforcement points as protections. Advanced Endpoint Protection (e.g., Cortex XDR/Traps) sits on the individual device, inspecting local processes and files to prevent exploits and malware execution that might bypass network controls.

References

Palo Alto Networks. (2021). Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET) Study Guide. "Chapter 3: The Connected Globe - The Security Operating Platform."

Context: Defines the three pillars: Network Security (NGFW), Advanced Endpoint Protection, and Cloud Security/Threat Intelligence.

Palo Alto Networks. (n.d.). What is a Next-Generation Firewall? Retrieved from official documentation.

Quote: "Classifies all traffic, including encrypted traffic, based on application, application function, user, and content."

Palo Alto Networks. (n.d.). Cortex XDR (formerly Traps) Documentation.

Context: Describes the function of endpoint protection in preventing known and unknown exploits by monitoring processes and files.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE