Special Summer Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Paloalto Networks > Palo Alto Certifications and Accreditations > PCNSE

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Question and Answers

Question # 4

Which operation will impact the performance of the management plane?

A.

Decrypting SSL sessions

B.

Generating a SaaS Application report

C.

Enabling DoS protection

D.

Enabling packet buffer protection

Full Access
Question # 5

Which protocol is natively supported by GlobalProtect Clientless VPN?

A.

HTP

B.

SSH

C.

HTTPS

D.

RDP

Full Access
Question # 6

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

A.

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Full Access
Question # 7

What type of NAT is required to configure transparent proxy?

A.

Source translation with Dynamic IP and Port

B.

Destination translation with Static IP

C.

Source translation with Static IP

D.

Destination translation with Dynamic IP

Full Access
Question # 8

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

A.

An SSL/TLS Service profile with a certificate assigned.

B.

An Interface Management profile with HTTP and HTTPS enabled.

C.

A Certificate profile with a trusted root CA.

D.

An Authentication profile with the allow list of users.

Full Access
Question # 9

A security engineer needs to mitigate packet floods that occur on a RSF servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

A.

DoS Protection profile

B.

Data Filtering profile

C.

Vulnerability Protection profile

D.

URL Filtering profile

Full Access
Question # 10

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware category: dns-c2 threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?

A.

Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

B.

Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile

Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit

C.

Navigate to Objects > Security Profiles > Vulnerability Protection

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable

Commit

D.

Navigate to Objects > Security Profiles > Anti-Spyware

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable Commit

Full Access
Question # 11

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Full Access
Question # 12

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

A.

Exclude video traffic

B.

Enable decryption

C.

Block traffic that is not work-related

D.

Create a Tunnel Inspection policy

Full Access
Question # 13

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

A.

debug dataplane Internal vif route 250

B.

show routing route type service-route

C.

show routing route type management

D.

debug dataplane internal vif route 255

Full Access
Question # 14

A customer wants to deploy User-ID on a Palo Alto Network NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. the customer uses Windows

A.

Deploy the GlobalProtect as a lee data hub.

B.

Deploy Window User 0 agents on each domain controller.

C.

Deploys AILS integrated Use 10 agent on each vsys.

D.

Deploy a M.200 as a Users-ID collector.

Full Access
Question # 15

Which two actions can the administrative role called "vsysadmin" perform? (Choose two)

A.

Configure resource limits for the NGFW system

B.

Commit changes made to the candidate configuration of the assigned vsys

C.

Create and edit Security policies and security profiles for only the assigned vsys

D.

Configure interfaces and subinterfaces that exist in the assigned vsys

Full Access
Question # 16

Which source is the most reliable for collecting User-ID user mapping?

A.

Syslog Listener

B.

Microsoft Exchange

C.

Microsoft Active Directory

D.

GlobalProtect

Full Access
Question # 17

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

A.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

D.

It keeps trying to establish an IPSec tun£el to the GlobalProtect gateway.

Full Access
Question # 18

An administrator needs to assign a specific DNS server to an existing template variable. Where would the administrator go to edit a template variable at the device level?

A.

"Managed Devices > Device Association"

B.

PDF Export under "Panorama > Templates"

C.

Variable CSV export under "Panorama > Templates"

D.

Manage variables under "Panorama > Templates"

Full Access
Question # 19

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

A.

A User-ID Certificate profile must be configured on Panorama.

B.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings.

D.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured.

Full Access
Question # 20

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install. When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?

A.

GlobalProtect agent version

B.

Outdated plugins

C.

Management-only mode

D.

Expired certificates

Full Access
Question # 21

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Full Access
Question # 22

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?

A.

With the relevant configuration log filter inside Device > Log Settings

B.

With the relevant system log filter inside Objects > Log Forwarding

C.

With the relevant system log filter inside Device > Log Settings

D.

With the relevant configuration log filter inside Objects > Log Forwarding

Full Access
Question # 23

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

A.

IP Netmask

B.

IP Wildcard Mask

C.

IP Address

D.

IP Range

Full Access
Question # 24

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

A.

Enable NAT Traversal on Site B firewall

B.

Configure Local Identification on Site firewall

C.

Disable passive mode on Site A firewall

D.

Match IKE version on both firewalls.

Full Access
Question # 25

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?

A.

Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

B.

Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

C.

Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes

D.

Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices

Full Access
Question # 26

Which three statements accurately describe Decryption Mirror? (Choose three.)

A.

Decryption Mirror requires a tap interface on the firewall

B.

Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

C.

Only management consent is required to use the Decryption Mirror feature.

D.

Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.

E.

You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.

Full Access
Question # 27

What are three prerequisites for credential phishing prevention to function? (Choose three.)

A.

In the URL filtering profile, use the drop-down list to enable user credential detection.

B.

Enable Device-ID in the zone.

C.

Select the action for Site Access for each category.

D.

Add the URL filtering profile to one or more Security policy rules.

E.

Set phishing category to block in the URL Filtering profile.

Full Access
Question # 28

An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

A.

/content

B.

/software

C.

/piugins

D.

/license

E.

/opt

Full Access
Question # 29

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

A.

The profile rule action

B.

CVE column

C.

Exceptions lab

D.

The profile rule threat name

Full Access
Question # 30

If a URL is in multiple custom URL categories with different actions, which action will take priority?

A.

Allow

B.

Override

C.

Block

D.

Alert

Full Access
Question # 31

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

A.

Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.

B.

Use the highest TLS protocol version to maximize security.

C.

Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

D.

Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

Full Access
Question # 32

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?

A.

> show counter global filter packet-filter yes delta yes

B.

> show counter global filter severity drop

C.

> debug dataplane packet-diag set capture stage drop

D.

> show counter global filter delta yes I match 10.1.1-1

Full Access
Question # 33

An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?

A.

Highlight Unused Rules will highlight all rules.

B.

Highlight Unused Rules will highlight zero rules.

C.

Rule Usage Hit counter will not be reset

D.

Rule Usage Hit counter will reset

Full Access
Question # 34

Exhibit.

Review the screenshots and consider the following information

1. FW-1is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

A.

Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1

B.

Server-1 on FW-1 will have IR 111.1. Server-1 will not be pushed to FW-2.

C.

Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

D.

Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Full Access
Question # 35

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.

When overriding the firewall configuration pushed from Panorama, what should you consider?

A.

The firewall template will show that it is out of sync within Panorama.

B.

The modification will not be visible in Panorama.

C.

Only Panorama can revert the override.

D.

Panorama will update the template with the overridden value.

Full Access
Question # 36

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?

A.

Command line > debug dataplane packet-diag clear filter-marked-session all

B.

In the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface

C.

Command line> debug dataplane packet-diag clear filter all

D.

In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"

Full Access
Question # 37

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Full Access
Question # 38

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when the link failed?

A.

The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring

B.

No action was taken because Path Monitoring is disabled

C.

No action was taken because interface ethernet1/1 did not fail

D.

The active firewall failed over to the passive HA member due to an AE1 Link Group failure

Full Access
Question # 39

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

A.

IPSec Tunnel settings

B.

IKE Crypto profile

C.

IPSec Crypto profile

D.

IKE Gateway profile

Full Access
Question # 40

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)

A.

Route added with next hop set to "none" and using the interface of the virtual systems that need to communicate

B.

External zones with the virtual systems added

C.

Route added with next hop next-vr by using the VR configured in the virtual system

D.

Layer 3 zones for the virtual systems that need to communicate

Full Access
Question # 41

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?

A.

Application Groups

B.

Policy Optimizer

C.

Test Policy Match

D.

Config Audit

Full Access
Question # 42

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?

A.

Managed Devices Health

B.

Test Policy Match

C.

Preview Changes

D.

Policy Optimizer

Full Access
Question # 43

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)

A.

SSL/TLS Service

B.

HTTP Server

C.

Decryption

D.

Interface Management

Full Access
Question # 44

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

A.

A web server certificate signed by the organization's PKI

B.

A self-signed certificate generated on the firewall

C.

A subordinate Certificate Authority certificate signed by the organization's PKI

D.

A web server certificate signed by an external Certificate Authority

Full Access
Question # 45

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)

A.

collector groups

B.

template stacks

C.

virtual systems

D.

variables

Full Access
Question # 46

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?

A.

Tunnel

B.

Ethernet

C.

VLAN

D.

Lookback

Full Access
Question # 47

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

A.

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit

B.

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit

C.

Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit

D.

Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit

Full Access
Question # 48

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

A.

No client configuration is required for explicit proxy, which simplifies the deployment complexity.

B.

Explicit proxy supports interception of traffic using non-standard HTTPS ports.

C.

It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

D.

Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

Full Access
Question # 49

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?

A.

Create a Device Group and Template Admin

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Dynamic Read-only Superuser

D.

Create a Custom Panorama Admin

Full Access
Question # 50

Which tool can gather information about the application patterns when defining a signature for a custom application?

A.

Policy Optimizer

B.

Data Filtering Log

C.

Wireshark

D.

Expedition

Full Access
Question # 51

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

A.

NAT

B.

DOS protection

C.

QoS

D.

Tunnel inspection

Full Access
Question # 52

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

A.

Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

B.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.

Required: Download PAN-OS 10.2.0.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

C.

Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

D.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0.

Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

Full Access
Question # 53

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)

A.

Hello Interval

B.

Promotion Hold Time

C.

Heartbeat Interval

D.

Monitor Fail Hold Up Time

Full Access
Question # 54

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?

A.

Create a Group Mapping with 800 groups in the Group Include List.

B.

Create two Group Include Lists, each with 400 Active Directory groups.

C.

Create a Group Include List with the 800 Active Directory groups.

D.

Create two Group Mappings, each with 400 groups in the Group Include List.

Full Access
Question # 55

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

A.

DNS proxy

B.

Explicit proxy

C.

SSL forward proxy

D.

Transparent proxy

Full Access
Question # 56

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Full Access
Question # 57

An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

A.

Specify the target device as the master device in the device group

B.

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

C.

Add the template as a reference template in the device group

D.

Add a firewall to both the device group and the template

Full Access
Question # 58

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

A.

Financial, health, and government traffic categories

B.

Known traffic categories

C.

Known malicious IP space

D.

Public-facing servers,

E.

Less-trusted internal IP subnets

Full Access
Question # 59

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Full Access
Question # 60

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Full Access
Question # 61

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

A.

Encryption algorithm

B.

Number of security zones in decryption policies

C.

TLS protocol version

D.

Number of blocked sessions

Full Access
Question # 62

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

A.

Change destination NAT zone to Trust_L3.

B.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

C.

Change Source NAT zone to Untrust_L3.

D.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Full Access
Question # 63

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

A.

Minimum TLS version

B.

Certificate

C.

Encryption Algorithm

D.

Maximum TLS version

E.

Authentication Algorithm

Full Access
Question # 64

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

A.

Change the firewall management IP address

B.

Configure a device block list

C.

Add administrator accounts

D.

Rename a vsys on a multi-vsys firewall

E.

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Full Access
Question # 65

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?

A.

Monitor > Logs > System

B.

Objects > Log Forwarding

C.

Panorama > Managed Devices

D.

Device > Log Settings

Full Access
Question # 66

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Full Access
Question # 67

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

A.

Lower the interface MTU value below 1500.

B.

Enable the Ignore IPv4 Don't Fragment (DF) setting.

C.

Change the subnet mask from /23 to /24.

D.

Adjust the TCP maximum segment size (MSS) value.

Full Access
Question # 68

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

A.

Check dependencies

B.

Schedules

C.

Verify

D.

Revert content

E.

Install

Full Access
Question # 69

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?

A.

Contact the site administrator with the expired certificate to request updates or renewal.

B.

Enable certificate revocation checking to deny access to sites with revoked certificates. -"

C.

Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

D.

Check for expired certificates and take appropriate actions to block or allow access based on business needs.

Full Access
Question # 70

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?

A.

Dedicated Service Account

B.

System Account

C.

Domain Administrator

D.

Enterprise Administrator

Full Access
Question # 71

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

A.

Ensure Force Template Values is checked when pushing configuration.

B.

Push the Template first, then push Device Group to the newly managed firewall.

C.

Perform the Export or push Device Config Bundle to the newly managed firewall.

D.

Push the Device Group first, then push Template to the newly managed firewall

Full Access
Question # 72

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?

A.

HA1

B.

HA3

C.

HA2

D.

HA4

Full Access
Question # 73

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)

A.

External zones with the virtual systems added.

B.

Layer 3 zones for the virtual systems that need to communicate.

C.

Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate.

D.

Add a route with next hop next-vr by using the VR configured in the virtual system.

E.

Ensure the virtual systems are visible to one another.

Full Access
Question # 74

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

A.

Set the passive link state to shutdown".

B.

Disable config sync.

C.

Disable the HA2 link.

D.

Disable HA.

Full Access
Question # 75

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?

A.

It automatically pushes the configuration to Panorama after strengthening the overall security posture

B.

It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama

C.

The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment

D.

The AIOps plugin in Panorama retroactively checks the policy changes during the commits

Full Access
Question # 76

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three

A.

Configure a URL profile to block the phishing category.

B.

Create a URL filtering profile

C.

Enable User-ID.

D.

Create an anti-virus profile.

E.

Create a decryption policy rule.

Full Access
Question # 77

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

A.

User logon

B.

Push

C.

One-Time Password

D.

SSH key

E.

Short message service

Full Access
Question # 78

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server By default, which component of the Palo Alto Networks firewall architect is responsible for log forwarding and should be checked for early signs of overutilization?

A.

Management plane CPU

B.

Dataplane CPU

C.

Packet buffers

D.

On-chip packet descriptors

Full Access
Question # 79

An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.

What configuration change is necessary to implement this troubleshooting solution for the user?

A.

Enable SSL tunnel within the GlobalProtect gateway remote user's settings.

B.

Modify the user's client to prioritize UDP traffic for GlobalProtect.

C.

Enable SSL tunnel over TCP in a new agent configuration for the specific user.

D.

Increase the user's VPN bandwidth allocation in the GlobalProtect settings.

Full Access
Question # 80

Which Panorama mode should be used so that all logs are sent to. and only stored in. Cortex Data Lake?

A.

Log Collector

B.

Panorama

C.

Legacy

D.

Management Only

Full Access
Question # 81

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

A.

Click Session Browser and review the session details.

B.

Click Traffic view and review the information in the detailed log view.

C.

Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.

D.

Click App Scope > Network Monitor and filter the report for NAT rules.

Full Access
Question # 82

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?

A.

Enable certificate revocation checking to deny access to sites with revoked certificates

B.

Add the certificate CN to the SSL Decryption Exclusion List to allow traffic without decryption

C.

Check for expired certificates and take appropriate actions to block or allow access based on business needs

D.

Contact the site administrator with the expired certificate to request updates or renewal

Full Access
Question # 83

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

Full Access
Question # 84

Given the following snippet of a WildFire submission log, did the end user successfully download a file?

A.

No, because the URL generated an alert.

B.

Yes, because both the web-browsing application and the flash file have the 'alert" action.

C.

Yes, because the final action is set to "allow.''

D.

No, because the action for the wildfire-virus is "reset-both."

Full Access
Question # 85

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms The network team has reported excessive traffic on the corporate WAN How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

A.

Any configuration on an M-500 would address the insufficient bandwidth concerns

B.

Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW

C.

Configure log compression and optimization features on all remote firewalls

D.

Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

Full Access
Question # 86

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

A.

A service route to the LDAP server

B.

A Master Device

C.

Authentication Portal

D.

A User-ID agent on the LDAP server

Full Access
Question # 87

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

A.

High availability (HA)

B.

Layer 3

C.

Layer 2

D.

Tap

E.

Virtual Wire

Full Access
Question # 88

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?

A.

Create the appropriate rules with a Block action and apply them at the top ol the Security Pre-Rules.

B.

Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

C.

Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

D.

Create the appropriate rules with a Block action and apply them at the top of the Default Rules.

Full Access
Question # 89

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)

A.

ECDSA

B.

ECDHE

C.

RSA

D.

DHE

Full Access
Question # 90

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.

Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two )

A.

Configure the DNS server locally on the firewall.

B.

Change the DNS server on the global template.

C.

Override the DNS server on the template stack.

D.

Configure a service route for DNS on a different interface.

Full Access
Question # 91

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

A.

the 'Shared' device group

B.

template stacks

C.

a device group

D.

template variables

Full Access
Question # 92

Which CLI command displays the physical media that are connected to ethernet1/8?

A.

> show system state filter-pretty sys.si. p8. stats

B.

> show system state filter-pretty sys.sl.p8.phy

C.

> show system state filter-pretty sys.sl.p8.med

D.

> show interface ethernet1/8

Full Access
Question # 93

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Full Access
Question # 94

Why would a traffic log list an application as "not-applicable”?

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Full Access
Question # 95

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

A.

Threat

B.

HIP Match

C.

Traffic

D.

Configuration

Full Access
Question # 96

A threat intelligence team has requested more than a dozen Short signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?

A.

Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls.

B.

Create custom vulnerability signatures manually on one firewall export them, and then import them to the rest of the firewalls

C.

Use Panorama IPs Signature Converter to create custom vulnerability signatures, and push them to the firewalls.

D.

Create custom vulnerability signatures manually in Panorama, and push them to the firewalls

Full Access
Question # 97

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?

A.

It allows for complete visibility into certificate data, ensuring secure connections to all websites.

B.

It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.

C.

It encrypts all certificate information to maintain privacy and compliance with local regulations.

D.

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

Full Access
Question # 98

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

A.

VirtualWire

B.

Layer3

C.

TAP

D.

Layer2

Full Access
Question # 99

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

A.

To allow traffic between zones in different virtual systems without the traffic leaving the appliance

B.

To allow traffic between zones in different virtual systems while the traffic is leaving the appliance

C.

External zones are required because the same external zone can be used on different virtual systems

D.

Multiple external zones are required in each virtual system to allow the communications between virtual systems

Full Access
Question # 100

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?

A.

Outdated plugins

B.

Global Protect agent version

C.

Expired certificates

D.

Management only mode

Full Access