PCNSE Questions and Answers

Question # 6

What are two characteristic types that can be defined for a variable? (Choose two.)

A.

zone

B.

FQDN

C.

path group

D.

IP netmask

Question # 7

As a best practice, which URL category should you target first for SSL decryption?

A.

Online Storage and Backup

B.

High Risk

C.

Health and Medicine

D.

Financial Services

Question # 8

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

A.

Add the policy in the shared device group as a pre-rule

B.

Reference the targeted device's templates in the target device group

C.

Add the policy to the target device group and apply a master device to the device group

D.

Clone the security policy and add it to the other device groups

Question # 9

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)

A.

variables

B.

template stacks

C.

collector groups

D.

virtual systems

Question # 10

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

A.

Disable HA

B.

Disable the HA2 link

C.

Disable config sync

D.

Set the passive link state to 'shutdown'.

Question # 11

Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.

Which method can capture IP-to-user mapping information for users on the Linux machines?

A.

You can configure Captive Portal with an authentication policy.

B.

IP-to-user mapping for Linux users can only be learned if the machine is joined to the domain.

C.

You can set up a group-based security policy to restrict internet access based on group membership

D.

You can deploy the User-ID agent on the Linux desktop machines

Question # 12

Which statement is true regarding a Best Practice Assessment?

A.

It shows how your current configuration compares to Palo Alto Networks recommendations

B.

It runs only on firewalls

C.

When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.

D.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

Question # 13

In a template you can configure which two objects? (Choose two.)

A.

SD WAN path quality profile

B.

application group

C.

IPsec tunnel

D.

Monitor profile

Question # 14

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

A.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured

B.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

D.

A User-ID Certificate profile must be configured on Panorama

Question # 15

An engineer is in the planning stages of deploying User-ID in a diverse directory services environment.

Which server OS platforms can be used for server monitoring with User-ID?

A.

Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory

B.

Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange

C.

Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory

D.

Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

Question # 16

An engineer is creating a security policy based on Dynamic User Groups (DUG). What benefit does this provide?

A.

Automatically include users as members without having to manually create and commit policy or group changes

B.

DUGs are used to only allow administrators access to the management interface on the Palo Alto Networks firewall

C.

It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based policies

D.

Schedule commits at regular intervals to update the DUG with new users matching the tags specified

Question # 17

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com

Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

A.

Forward-Untrust-Certificate

B.

Forward-Trust-Certificate

C.

Firewall-CA

D.

Firewall-Trusted-Root-CA

Question # 18

While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

A.

show system setting ssl-decrypt certs

B.

show system setting ssl-decrypt certificate-cache

C.

show system setting ssl-decrypt certificate

D.

debug dataplane show ssl-decrypt ssl-stats

Question # 19

What is the maximum number of samples that can be submitted to WildFire per day, based on WildFire subscription?

A.

15,000

B.

10,000

C.

75,00

D.

5,000

Question # 20

An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.

What is the expected verdict from WildFire?

A.

Grayware

B.

Malware

C.

Spyware

D.

Phishing

Question # 21

Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

A.

port mapping

B.

server monitoring

C.

client probing

D.

XFF headers

Question # 22

Which rule type controls end user SSL traffic to external websites?

A.

SSL Outbound Proxyless Inspection

B.

SSL Forward Proxy

C.

SSL Inbound Inspection

D.

SSH Proxy

Question # 23

An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.

Which configuration step needs to be configured to enable QoS?

A.

Enable QoS Data Filtering Profile

B.

Enable QoS monitor

C.

Enable QoS interface

D.

Enable QoS in the interface Management Profile.

Question # 24

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

A.

the website matches a category that is not allowed for most users

B.

the website matches a high-risk category

C.

the web server requires mutual authentication

D.

the website matches a sensitive category

Question # 25

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

A.

no install on the route

B.

duplicate static route

C.

path monitoring on the static route

D.

disabling of the static route

Question # 26

A customer wants to spin their session load equally across two SD-WAN-enabled interfaces.

Where would you configure this setting?

A.

Path Quality profile

B.

ECMP setting on virtual router

C.

Traffic Distribution profile

D.

SD-WAN Interface profile

Question # 27

An existing NGFW customer requires direct internet access offload locally at each site and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

A.

Configure a remote network on PAN-OS

B.

Upgrade to a PAN-OS SD-WAN subscription

C.

Deploy Prisma SD-WAN with Prisma Access

D.

Configure policy-based forwarding

Question # 28

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?

A.

To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.

B.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

C.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

D.

The WildFire Global Cloud only provides bare metal analysis.

Question # 29

A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

A.

Enable packet buffer protection on the Zone Protection Profile.

B.

Apply an Anti-Spyware Profile with DNS sinkholing.

C.

Use the DNS App-ID with application-default.

D.

Apply a classified DoS Protection Profile.

Question # 30

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. Security policy rules allowing access from the Trust zone to the DMZ zone need to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

A.

Rule #1: application: web-browsing; service: application-default; action: allow

Rule #2: application: ssl; service: application-default; action: allow

B.

Rule #1: application: web-browsing; service: service-https; action: allow

Rule #2: application: ssl; service: application-default; action: allow

C.

Rule #1: application: ssl; service: application-default; action: allow

Rule #2: application: web-browsing; service: application-default; action: allow

D.

Rule #1: application: web-browsing; service: service-http; action: allow

Rule #2: application: ssl; service: application-default; action: allow

Question # 31

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

A.

Load named configuration snapshot

B.

Load configuration version

C.

Save candidate config

D.

Export device state

Question # 32

A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web-browsing access to the server.

Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080?

A.

application: web-browsing; service: application-default

B.

application: web-browsing; service: service-https

C.

application: ssl; service: any

D.

application: web-browsing; service: (custom with destination TCP port 8080)

Question # 33

What is the purpose of the firewall decryption broker?

A.

Decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools

B.

Force decryption of previously unknown cipher suites

C.

Inspect traffic within IPsec tunnel

D.

Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools

Question # 34

An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

A.

WildFire updates

B.

NAT

C.

NTP

D.

antivirus

E.

File blocking

Question # 35

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?

A.

Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.

B.

Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

C.

Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.

D.

Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Question # 36

Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

A.

XML API

B.

Port Mapping

C.

Client Probing

D.

Server Monitoring

Question # 37

An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?

A.

Create an Application Override policy and a custom threat signature for the application

B.

Create an Application Override policy

C.

Create a custom App-ID and use the "ordered conditions" check box

D.

Create a custom App ID and enable scanning on the advanced tab

Question # 38

Which feature can be configured on VM-Series firewalls?

A.

aggregate interfaces

B.

machine learning

C.

multiple virtual systems

D.

GlobalProtect

Question # 39

SAML SLO is supported for which two firewall features? (Choose two.)

A.

GlobalProtect Portal

B.

Captive Portal

C.

WebUI

D.

CLI

Question # 40

An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task.

Which option describes deployment of a bootstrap package in an on-premise virtual environment?

A.

Use config-drive on a USB stick.

B.

Use an S3 bucket with an ISO.

C.

Create and attach a virtual hard disk (VHD).

D.

Use a virtual CD-ROM with an ISO.

Question # 41

Which method will dynamically register tags on the Palo Alto Networks NGFW?

A.

Restful API or the VMware API on the firewall or on the User-ID agent or the read-only domain controller (RODC)

B.

Restful API or the VMware API on the firewall or on the User-ID agent

C.

XML-API or the VMware API on the firewall or on the User-ID agent or the CLI

D.

XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Question # 42

Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)

A.

Short message service

B.

Push

C.

User logon

D.

Voice

E.

SSH key

F.

One-Time Password

Question # 43

A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.

How should this be accomplished?

A.

Create a Template with the appropriate IKE Gateway settings

B.

Create a Template with the appropriate IPSec tunnel settings

C.

Create a Device Group with the appropriate IKE Gateway settings

D.

Create a Device Group with the appropriate IPSec tunnel settings

Question # 44

How is the Forward Untrust Certificate used?

A.

It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted.

B.

It is used when web servers request a client certificate.

C.

It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.

D.

It is used for Captive Portal to identify unknown users.

Question # 45

Which two logs on the firewall will contain authentication-related information useful for troubleshooting purposes? (Choose two.)

A.

ms.log

B.

traffic.log

C.

system.log

D.

dp-monitor.log

E.

authd.log

Question # 46

A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

A.

Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.

B.

Traffic will be forced to operate over UDP Port 16384.

C.

Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".

D.

Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Question # 47

Support for which authentication method was added in PAN-OS 8.0?

A.

RADIUS

B.

LDAP

C.

Diameter

D.

TACACS+

Question # 48

A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com.

How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

A.

Create and add a monitor profile with an action of fail over in the PBF rule in question

B.

Create and add a monitor profile with an action of wait recover in the PBF rule in question

C.

Configure path monitoring for the next hop gateway on the default route in the virtual router

D.

Enable and configure a link monitoring profile for the external interface of the firewall

Question # 49

The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.

Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

A.

QoS Statistics

B.

Applications Report

C.

Application Command Center (ACC)

D.

QoS Log

Question # 50

A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.

Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise? (Choose three.)

A.

Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.

B.

Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.

C.

Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.

D.

Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall.

E.

Download and install PAN-OS 8.0.4 directly on each firewall.

F.

Download and push PAN-OS 8.0.4 from Panorama to each firewall.

Question # 51

The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.

Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

A.

test panorama-connect 10.10.10.5

B.

show panorama-status

C.

show arp all | match 10.10.10.5

D.

tcpdump filter "host 10.10.10.5"

E.

debug dataplane packet-diag set capture on

Question # 52

People are having intermittent quality issues during a live meeting via web application.

A.

Use QoS profile to define QoS Classes

B.

Use QoS Classes to define QoS Profile

C.

Use QoS Profile to define QoS Classes and a QoS Policy

D.

Use QoS Classes to define QoS Profile and a QoS Policy

Question # 53

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system?

A.

Panorama Log Settings

B.

Panorama Log Templates

C.

Panorama Device Group Log Forwarding

D.

Collector Log Forwarding for Collector Groups

Question # 54

A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.

What can be done to simplify the NAT policy?

A.

Configure ECMP to handle matching NAT traffic

B.

Configure a NAT Policy rule with Dynamic IP and Port

C.

Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option

D.

Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option

Question # 55

A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall.

Which pair of files needs to be imported back into the replacement firewall that is using Panorama?

A.

Device state and license files

B.

Configuration and serial number files

C.

Configuration and statistics files

D.

Configuration and Large Scale VPN (LSVPN) setups file

Question # 56

An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is the output from the command:

less mp-log ikemgr.log:

What could be the cause of this problem?

A.

The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.

B.

The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.

C.

The shared secrets do not match between the Palo Alto firewall and the ASA.

D.

The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.

Question # 57

Which operation will impact performance of the management plane?

A.

DoS protection

B.

WildFire submissions

C.

generating a SaaS Application report

D.

decrypting SSL sessions

Question # 58

Only two Trust to Untrust allow rules have been created in the Security policy.

Rule1 allows google-base

Rule2 allows youtube-base

The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found.

Which action will allow youtube.com to display in the browser correctly?

A.

Add SSL App-ID to Rule1

B.

Create an additional Trust to Untrust Rule, and add the web-browsing and SSL App-IDs to it

C.

Add the DNS App-ID to Rule2

D.

Add the Web-browsing App-ID to Rule2

Question # 59

Starting with PAN-OS version 9.1, Global logging information is now recorded in which firewall log?

A.

Authentication

B.

GlobalProtect

C.

Configuration

D.

System

Question # 60

A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

A.

Blocked Activity

B.

Bandwidth Activity

C.

Threat Activity

D.

Network Activity

Question # 61

What are three valid methods of user mapping? (Choose three.)

A.

Syslog

B.

XML API

C.

802.1X

D.

WildFire

E.

Server Monitoring

Question # 62

Which CLI command displays the current management plane memory utilization?

A.

> show system info

B.

> show system resources

C.

> debug management-server show

D.

> show running resource-monitor

Question # 63

A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information.

  • Users outside the company are in the "Untrust-L3" zone
  • The web server physically resides in the "Trust-L3" zone.
  • Web server public IP address: 23.54.6.10
  • Web server private IP address: 192.168.1.10

Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

A.

Untrust-L3 for both Source and Destination zone

B.

Destination IP of 192.168.1.10

C.

Untrust-L3 for Source Zone and Trust-L3 for Destination Zone

D.

Destination IP of 23.54.6.10

Question # 64

A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk.

What action will bring the VPN up and allow traffic to start passing between the sites?

A.

Change the Site-B IKE Gateway profile version to match Site-A.

B.

Change the Site-A IKE Gateway profile exchange mode to aggressive mode.

C.

Enable NAT Traversal on the Site-A IKE Gateway profile.

D.

Change the pre-shared key of Site-B to match the pre-shared key of Site-A

Question # 65

Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

A.

Vulnerability Object

B.

DoS Protection Profile

C.

Data Filtering Profile

D.

Zone Protection Profile

Question # 66

A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software

Why did the bootstrap process fail for the VM-Series firewall in Azure?

A.

All public cloud deployments require the /plugins folder to support proper firewall native integrations

B.

The /content folder is missing from the bootstrap package

C.

The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing

D.

The /config or /software folders were missing mandatory files to successfully bootstrap

Question # 67

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

A.

configure a device block list

B.

rename a vsys on a multi-vsys firewall

C.

enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

D.

add administrator accounts

E.

change the firewall management IP address

Question # 68

Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

A.

Push

B.

Pull

C.

Okta Adaptive

D.

Voice

E.

SMS
