Weekend Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Paloalto Networks > Palo Alto Certifications and Accreditations > PCNSE

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Question and Answers

Question # 4

A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?

A.

Multiple external gateways

B.

Single or multiple internal gateways

C.

Split DNS and HIP checks

D.

IPv6 for internal gateways

Full Access
Question # 5

Which two are required by IPSec in transport mode? (Choose two.)

A.

Auto generated key

B.

NAT Traversal

C.

IKEv1

D.

DH-group 20 (ECP-384 bits)

Full Access
Question # 6

Why would a traffic log list an application as "not-applicable”?

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Full Access
Question # 7

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos LDAP, and TACACS+?

A.

The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user.

B.

The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

C.

The priority assigned to the Authentication profile defines the order of the sequence.

D.

If the authentication times cut for the firs: Authentication profile in the authentication sequence, no further authentication attempts will be made.

Full Access
Question # 8

Which statement applies to HA timer settings?

A.

Use the Critical profile for faster failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings

D.

Use the Recommended profile for typical failover timer settings

Full Access
Question # 9

An administrator needs to assign a specific DNS server to an existing template variable. Where would the administrator go to edit a template variable at the device level?

A.

"Managed Devices > Device Association"

B.

PDF Export under "Panorama > Templates"

C.

Variable CSV export under "Panorama > Templates"

D.

Manage variables under "Panorama > Templates"

Full Access
Question # 10

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

A.

Upload the image to Panorama > Software menu, and deploy it to the firewalls. *

B.

Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.

C.

Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

D.

Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

Full Access
Question # 11

What must be taken into consideration when preparing a log forwarding design for all of a customer’s deployed Palo Alto Networks firewalls?

A.

The logs will not contain the names of the identified applications unless the "Enable enhanced application logging" option is selected

B.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules

C.

App-ID engine will not identify any application traffic unless the "Enable enhanced application logging" option is selected

D.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in "Logging and Reporting Settings"

Full Access
Question # 12

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

A.

User logon

B.

Push

C.

One-Time Password

D.

SSH key

E.

Short message service

Full Access
Question # 13

What is the best definition of the Heartbeat Interval?

A.

The interval in milliseconds between hello packets

B.

The frequency at which the HA peers check link or path availability

C.

The frequency at which the HA peers exchange ping

D.

The interval during which the firewall will remain active following a link monitor failure

Full Access
Question # 14

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?

A.

The forward untrust certificate has not been signed by the self-singed root CA certificate.

B.

The forward trust certificate has not been installed in client systems.

C.

The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

D.

The forward trust certificate has not been signed by the self-singed root CA certificate.

Full Access
Question # 15

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

A.

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Full Access
Question # 16

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

A.

Financial, health, and government traffic categories

B.

Known traffic categories

C.

Known malicious IP space

D.

Public-facing servers,

E.

Less-trusted internal IP subnets

Full Access
Question # 17

Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)

A.

HTTP

B.

LDAP

C.

Log Ingestion

D.

Log Forwarding

Full Access
Question # 18

Which statement regarding HA timer settings is true?

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Full Access
Question # 19

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

Full Access
Question # 20

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client currently uses RADIUS authentication in their environment

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)

A.

Kerberos or SAML authentication need to be configured

B.

LDAP or TACACS+ authentication need to be configured

C.

RADIUS is only supported for a transparent Web Proxy.

D.

RADIUS is not supported for explicit or transparent Web Proxy

Full Access
Question # 21

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Full Access
Question # 22

Which three sessions are created by a NGFW for web proxy? (Choose three.)

A.

A session for DNS proxy to DNS servers

B.

A session for proxy to web server

C.

A session for client to proxy

D.

A session for proxy to authentication server

E.

A session for web server to client

Full Access
Question # 23

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

A.

debug dataplane internal vif route 255

B.

show routing route type management

C.

debug dataplane internal vif route 250

D.

show routing route type service-route

Full Access
Question # 24

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)

A.

Low

B.

High

C.

Critical

D.

Informational

E.

Medium

Full Access
Question # 25

What can the Log Forwarding built-in action with tagging be used to accomplish?

A.

Block the source zones of selected unwanted traffic.

B.

Block the destination IP addresses of selected unwanted traffic.

C.

Forward selected logs to the Azure Security Center.

D.

Block the destination zones of selected unwanted traffic.

Full Access
Question # 26

An engineer is pushing configuration from Panorama to a managed firewall What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

A.

The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

B.

The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

C.

The firewall rejects the pushed configuration, and the commit fails.

D.

The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Full Access
Question # 27

Which log type is supported in the Log Forwarding profile?

A.

Configuration

B.

GlobalProtect

C.

Tunnel

D.

User-ID

Full Access
Question # 28

What happens when the log forwarding built-in action with tagging is used?

A.

Destination IP addresses of selected unwanted traffic are blocked. *

B.

Selected logs are forwarded to the Azure Security Center.

C.

Destination zones of selected unwanted traffic are blocked.

D.

Selected unwanted traffic source zones are blocked.

Full Access
Question # 29

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?

A.

Confirm the file types and direction are configured correctly in the WildFire analysis profile

B.

Configure the appropriate actions in the Antivirus security profile

C.

Configure the appropriate actions in the File Blocking profile

D.

Confirm the file size limits are configured correctly in the WildFire general settings

Full Access
Question # 30

In a template, which two objects can be configured? (Choose two.)

A.

SD-WAN path quality profile

B.

Monitor profile

C.

IPsec tunnel

D.

Application group

Full Access
Question # 31

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

A.

IKE Crypto Profile

B.

Security policy

C.

Proxy-IDs

D.

PAN-OS versions

Full Access
Question # 32

What must be configured to apply tags automatically based on User-ID logs?

A.

Device ID

B.

Log Forwarding profile

C.

Group mapping

D.

Log settings

Full Access
Question # 33

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What can the administrator do to correct this issue?

A.

Specify the target device as the master device in the device group

B.

Add the template as a reference template in the device group

C.

Add a firewall to both the device group and the template

D.

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

Full Access
Question # 34

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Full Access
Question # 35

All firewall at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a sylog server and forward all firewall logs to the syslog server and to the log collectors. There is known logging peak time during the day, and the security team has asked the firewall engineer to determined how many logs per second the current Palo Alto Networking log processing at that particular time. Which method is the most time-efficient to complete this task?

A.

Navigate to Panorama > Managed Collectors, and open the Statistics windows for each Log Collector during the peak time.

B.

Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.

C.

Navigate to Panorama> Managed Devices> Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

D.

Navigate to ACC> Network Activity, and determine the total number of sessions and threats during the peak time.

Full Access
Question # 36

Which CLI command displays the physical media that are connected to ethernet1/8?

A.

> show system state filter-pretty sys.si. p8. stats

B.

> show system state filter-pretty sys.sl.p8.phy

C.

> show system state filter-pretty sys.sl.p8.med

D.

> show interface ethernet1/8

Full Access
Question # 37

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

A.

ethernet1/6

B.

ethernet1/3

C.

ethernet1/7

D.

ethernet1/5

Full Access
Question # 38

Review the screenshots.

What is the most likely reason for this decryption error log?

A.

The Certificate fingerprint could not be found.

B.

The client expected a certificate from a different CA than the one provided.

C.

The client received a CA certificate that has expired or is not valid.

D.

Entrust is not a trusted root certificate authority (CA).

Full Access
Question # 39

An engineer is tasked with decrypting web traffic in an environment without an established PKI When using a self-signed certificate generated on the firewall which type of certificate should be in? approved web traffic?

A.

An Enterprise Root CA certificate

B.

The same certificate as the Forward Trust certificate

C.

A Public Root CA certificate

D.

The same certificate as the Forward Untrust certificate

Full Access
Question # 40

When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)

A.

Custom application

B.

Source interface

C.

Schedule

D.

Source device

Full Access
Question # 41

Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)

A.

Ps1

B.

Perl

C.

Python

D.

VBS

Full Access
Question # 42

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

A.

Export the log database.

B.

Use the import option to pull logs.

C.

Use the scp logdb export command.

D.

Use the ACC to consolidate the logs.

Full Access
Question # 43

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Full Access
Question # 44

What are three prerequisites for credential phishing prevention to function? (Choose three.)

A.

In the URL filtering profile, use the drop-down list to enable user credential detection.

B.

Enable Device-ID in the zone.

C.

Select the action for Site Access for each category.

D.

Add the URL filtering profile to one or more Security policy rules.

E.

Set phishing category to block in the URL Filtering profile.

Full Access
Question # 45

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

A.

Add SSL and web-browsing applications to the same rule.

B.

Add web-browsing application to the same rule.

C.

Add SSL application to the same rule.

D.

SSL and web-browsing must both be explicitly allowed.

Full Access
Question # 46

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?

A.

Set up high availability (HA) and increase the IPsec rekey interval to reduce the likelihood of tunnel disruptions

B.

Set up a backup tunnel and reduce the tunnel monitoring interval and threshold to detect failures quickly

C.

Set up high availability (HA) and disable tunnel monitoring to prevent unnecessary failovers due to temporary connectivity issues

D.

Set up a backup tunnel and change the tunnel monitoring profile from "Wait Recover" to "Fail Over"

Full Access
Question # 47

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is configure an applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)

A.

Create a Security policy rule with an application filter to always allow certain categories of new App-IDs.

B.

Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy.

C.

Select the action "download-only" when configuring an Applications and Threats update schedule.

D.

Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours

Full Access
Question # 48

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

A.

Log Ingestion

B.

HTTP

C.

Log Forwarding

D.

LDAP

Full Access
Question # 49

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

A.

Perform a commit force from the CLI of the firewall.

B.

Perform a template commit push from Panorama using the "Force Template Values" option.

C.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

D.

Reload the running configuration and perform a Firewall local commit.

Full Access
Question # 50

‘SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www important-website com certificate, End-users are receiving the "security certificate is no: trusted” warning, Without SSL decryption, the web browser shows chat the website certificate is trusted and signet by well-known certificate chain Well-Known-intermediate and Wako Hebe CA Security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https:///www.very-import-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

A.

Install the Well-Known-intermediate-CA and Well:Known Root-CA certificates on all end-user systems in the user and local computer stores:

B.

Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate= and commit the configuration

C.

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA 2nd Well-Known-Root-CA select the Trusted Root CA check box, aid commit the configuration.

D.

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-known-Intermediate-CA and Well-Know5-Root-CA, Select the Trusted Root CA check box, and commit the configuration.

Full Access
Question # 51

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

A.

None

B.

Outside

C.

DMZ

D.

Inside

Full Access
Question # 52

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

A.

A User-ID Certificate profile must be configured on Panorama.

B.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings.

D.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured.

Full Access
Question # 53

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

A.

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Full Access
Question # 54

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)

A.

Source IP address

B.

Dynamic tags

C.

Static tags

D.

Ldap attributes

Full Access
Question # 55

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

A.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

B.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

C.

A User-ID Certificate profile must be configured on Panorama

D.

N/A

Full Access
Question # 56

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?

A.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. * Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source HIP profile. Enable GlobalProtect Gateway Agent for HIP Notification.

B.

Create Security Profiles for Antivirus and Anti-Spyware.Create Security Profile Group that includes the Antivirus and Anti-Spyware profiles. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Gateway Agent for HIP Notification.

C.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Portal Agent for HIP Notification.

D.

Create Security Profiles for Antivirus and Anti-Spyware.Create Security Profile Group that includes the Antivirus and Anti-Spyware profile. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that has the Profile Setting. Profile Type selected to Group. Enable GlobalProtect Portal Agent for HIP Notification.

Full Access
Question # 57

An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?

A.

Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

B.

Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

C.

Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

D.

Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

Full Access
Question # 58

Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

A.

shared pre-rulesDATACENTER DG pre rulesrules configured locally on the firewallshared post-rulesDATACENTER_DG post-rulesDATACENTER.DG default rules

B.

shared pre-rulesDATACENTER_DG pre-rulesrules configured locally on the firewallshared post-rulesDATACENTER.DG post-rulesshared default rules

C.

shared pre-rulesDATACENTER_DG pre-rulesrules configured locally on the firewallDATACENTER_DG post-rulesshared post-rulesshared default rules

D.

shared pre-rulesDATACENTER_DG pre-rulesrules configured locally on the firewallDATACENTER_DG post-rulesshared post-rulesDATACENTER_DG default rules

Full Access
Question # 59

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

A.

SSH Service profile

B.

SSL/TLS Service profile

C.

Certificate profile

D.

Decryption profile

Full Access
Question # 60

A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect Gateway will users connect to based on the chart provided?

A.

South

B.

West

C.

East

D.

Central

Full Access
Question # 61

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

A.

DNS proxy

B.

Explicit proxy

C.

SSL forward proxy

D.

Transparent proxy

Full Access
Question # 62

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Full Access
Question # 63

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)

A.

DNS Proxy

B.

SSL/TLS profiles

C.

address groups

D.

URL Filtering profiles

Full Access
Question # 64

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

A.

OSPFV3

B.

ECMP

C.

ASBR

D.

OSBF

Full Access
Question # 65

A firewall administrator to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?

A.

Configure a Layer 3 interface for segment X on the firewall

B.

Configure the TAP interface for segment X on the firewall.

C.

Configure a new vsys for segment X on the firewall

D.

Configure vwire interfaces for segment X on the firewall.

Full Access
Question # 66

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

A.

Use the "import device configuration to Panorama" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

B.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

C.

Use the "import device configuration to Panorama" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

D.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

Full Access
Question # 67

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

A.

Preview Changes

B.

Managed Devices Health

C.

Test Policy Match

D.

Policy Optimizer

Full Access
Question # 68

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

A.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

B.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

C.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

D.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Full Access
Question # 69

Which log type would provide information about traffic blocked by a Zone Protection profile?

A.

Data Filtering

B.

IP-Tag

C.

Traffic

D.

Threat

Full Access
Question # 70

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?

A.

With the relevant configuration log filter inside Device > Log Settings

B.

With the relevant system log filter inside Objects > Log Forwarding

C.

With the relevant system log filter inside Device > Log Settings

D.

With the relevant configuration log filter inside Objects > Log Forwarding

Full Access
Question # 71

Exhibit.

Given the screenshot, how did the firewall handle the traffic?

A.

Traffic was allowed by profile but denied by policy as a threat.

B.

Traffic was allowed by policy but denied by profile as a threat.

C.

Traffic was allowed by policy but denied by profile as encrypted.

D.

Traffic was allowed by policy but denied by profile as a nonstandard port.

Full Access
Question # 72

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

A.

TCP Fast Open in the Strip TCP options

B.

Ethernet SGT Protection

C.

Stream ID in the IP Option Drop options

D.

Record Route in IP Option Drop options

Full Access
Question # 73

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

A.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

D.

It keeps trying to establish an IPSec tun£el to the GlobalProtect gateway.

Full Access
Question # 74

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Full Access
Question # 75

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

A.

Resource Protection

B.

TCP Port Scan Protection

C.

Packet Based Attack Protection

D.

Packet Buffer Protection

Full Access
Question # 76

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

A.

OSPF

B.

RIP

C.

BGP

D.

IGRP

E.

OSPFv3 virtual link

Full Access
Question # 77

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?

A.

Initial

B.

Passive

C.

Active

D.

Active-primary

Full Access
Question # 78

Which translated port number should be used when configuring a NAT rule for a transparent proxy?

A.

80

B.

443

C.

8080

D.

4443

Full Access
Question # 79

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?

A.

Apply DOS profile to security rules allow traffic from outside.

B.

Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.

C.

Enable packet buffer protection for the affected zones.

D.

Add a Zone Protection profile to the affected zones.

Full Access
Question # 80

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?

A.

Create the appropriate rules with a Block action and apply them at the top ol the Security Pre-Rules.

B.

Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

C.

Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

D.

Create the appropriate rules with a Block action and apply them at the top of the Default Rules.

Full Access
Question # 81

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

A.

Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.

B.

Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.

C.

Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust

D.

Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

Full Access
Question # 82

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

A.

Captive portal

B.

Standalone User-ID agent

C.

Syslog listener

D.

Agentless User-ID with redistribution

Full Access
Question # 83

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

A.

Data Filtering

B.

Configuration

C.

Threat

D.

Traffic

Full Access
Question # 84

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

A.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Source Translation: Static IP / 172.16.15.1Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Trust -Destination IP: 172.16.15.10 -Application: ssh

B.

NAT Rule:Source Zone: Trust -Source IP: 192.168.15.0/24 -Destination Zone: Trust -Destination IP: 192.168.15.1 -Destination Translation: Static IP / 172.16.15.10Security Rule:Source Zone: Trust -Source IP: 192.168.15.0/24 -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

C.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Trust -Destination IP: 192.168.15.1 -Destination Translation: Static IP /172.16.15.10Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

D.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Source Translation: dynamic-ip-and-port / ethernet1/4Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

Full Access
Question # 85

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

A.

Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

B.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.Required: Download PAN-OS 10.2.0.Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

C.

Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

D.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0.Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

Full Access
Question # 86

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

A.

It matches to the New App-IDs downloaded in the last 90 days.

B.

It matches to the New App-IDs in the most recently installed content releases.

C.

It matches to the New App-IDs downloaded in the last 30 days.

D.

It matches to the New App-IDs installed since the last time the firewall was rebooted.

Full Access
Question # 87

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile configured named Management?

A.

Values in Chicago

B.

Values in efw01lab.chi

C.

Values in Datacenter

D.

Values in Global Settings

Full Access
Question # 88

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?

A.

By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"

B.

By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)'

C.

By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"

D.

By navigating to Monitor > Logs> Threat, applying filter "(subtype eq virus)"

Full Access
Question # 89

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

A.

To comply with data privacy regulations, WildFire signatures and ver-dicts are not shared globally.

B.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

C.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

D.

The WildFire Global Cloud only provides bare metal analysis.

Full Access
Question # 90

PBF can address which two scenarios? (Choose two.)

A.

Routing FTP to a backup ISP link to save bandwidth on the primary ISP link

B.

Providing application connectivity the primary circuit fails

C.

Enabling the firewall to bypass Layer 7 inspection

D.

Forwarding all traffic by using source port 78249 to a specific egress interface

Full Access
Question # 91

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)

A.

Configure the decryption profile.

B.

Define a Forward Trust Certificate.

C.

Configure SSL decryption rules.

D.

Configure a SSL/TLS service profile.

Full Access
Question # 92

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?

A.

test vpn ike-sa

B.

test vpn gateway

C.

test vpn flow

D.

test vpn tunnel

Full Access
Question # 93

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?

A.

certificates

B.

profiles

C.

link state

D.

stateful firewall connection

Full Access
Question # 94

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?

A.

The PAN-OS integrated User-ID agent must be a member of the Active Directory domain

B.

The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW’s management CPU

C.

The standalone User-ID agent consumes fewer resources on the NGFW’s management CPU

D.

The standalone User-ID agent must run directly on the domain controller server

Full Access
Question # 95

A firewall engineer needs to patch the company’s Palo Alto Network firewalls to the latest version of PAN-OS. The company manages its firewalls by using panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?

A.

Only Panorama and Dedicated Log Collectorss must be patched to the target PAN-OS version before updating the firewalls

B.

Panorama, Dedicated Log Collectors and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.

C.

Panorama, Dedicated Log Collectors and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.

D.

Only Panorama must be patched to the PAN-OS version before updating the firewalls

Full Access
Question # 96

An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?

A.

Add service accounts running on that machine to the "Ignore User List" in the User-ID agent setup

B.

Remove the identity redistribution rules synced from Cloud Identity Engine from the User-ID agent configuration

C.

Remove the rate-limiting rule that is assigned to User A access from the User-ID agent configuration

D.

Add the subnets of both the user machine and the resource to the "Include List" in the User-ID agent configuration

Full Access
Question # 97

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?

A.

It allows for complete visibility into certificate data, ensuring secure connections to all websites.

B.

It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.

C.

It encrypts all certificate information to maintain privacy and compliance with local regulations.

D.

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

Full Access
Question # 98

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Full Access
Question # 99

The UDP-4501 protocol-port is to between which two GlobalProtect components?

A.

GlobalProtect app and GiobalProtect satellite

B.

GlobalRrotect app and GlobalProtect gateway

C.

GlobalProtect portal and GlobalProtect gateway

D.

GlobalProtect app and GlobalProtect portal

Full Access
Question # 100

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?

A.

debug ike stat

B.

test vpn ipsec-sa tunnel

C.

show vpn ipsec-sa tunnel

D.

test vpn ike-sa gateway

Full Access
Question # 101

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Full Access
Question # 102

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

A.

Export device state

B.

Load configuration version

C.

Load named configuration snapshot

D.

Save candidate config

Full Access
Question # 103

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?

A.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet.1 and $permitted-subnet-2.

B.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

Full Access