
PCNSE Questions and Answers

Question # 6

An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended.

Where would you find this in Panorama or firewall logs?

A.

Traffic Logs

B.

System Logs

C.

Session Browser

D.

You cannot find failover details on closed sessions

Question # 7

Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

A.

show session all ssl-decrypt yes count yes

B.

show session filter ssl-decryption yes total-count yes

C.

show session all filter ssl-decrypt yes count yes

D.

show session all filter ssl-decryption yes total-count yes

Question # 8

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

A.

The interface must be used for traffic to the required services

B.

You must enable DoS and zone protection

C.

You must set the interface to Layer 2, Layer 3, or virtual wire

D.

You must use a static IP address

Question # 9

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A.

wildcard server certificate

B.

enterprise CA certificate

C.

client certificate

D.

server certificate

E.

self-signed CA certificate

Question # 10

A variable name must start with which symbol?

A.

$

B.

&

C.

!

D.

#

Question # 11

An engineer must configure the Decryption Broker feature. To which router must the engineer assign the decryption forwarding interfaces that are used in the Decryption Broker security chain?

A.

a virtual router that has no additional interfaces for passing data-plane traffic and no other configured routes than those used for the security chain

B.

the virtual router that routes the traffic that the Decryption Broker security chain inspects

C.

a virtual router that is configured with at least one dynamic routing protocol and has at least one entry in the RIB

D.

the default virtual router (If there is no default virtual router the engineer must create one during setup)

Question # 12

Which benefit do policy rule UUIDs provide?

A.

functionality for scheduling policy actions

B.

the use of user IP mapping and groups in policies

C.

cloning of policies between device-groups

D.

an audit trail across a policy's lifespan

Question # 13

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

A.

review the configuration logs on the Monitor tab

B.

click Preview Changes under Push Scope

C.

use Test Policy Match to review the policies in Panorama

D.

context-switch to the affected firewall and use the configuration audit tool

Question # 14

The following objects and policies are defined in a device group hierarchy

A)

B)

C)

Address Objects

-Shared Address1

-Branch Address2

Policies

-Shared Policy1

-Branch Policy1

D)

Address Objects

-Shared Address1

-Shared Address2

-Branch Address1

Policies

-Shared Policy1

-Shared Policy2

-Branch Policy1

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 15

An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

A.

System logs

B.

Traffic logs

C.

WildFire logs

D.

Threat logs

Question # 16

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.

Question # 17

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

A.

certificate authority (CA) certificate

B.

client certificate

C.

machine certificate

D.

server certificate

Question # 18

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

A.

Create a Dynamic Admin with the Panorama Administrator role

B.

Create a Custom Panorama Admin

C.

Create a Device Group and Template Admin

D.

Create a Dynamic Read only superuser

Question # 19

When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

A.

When configuring Certificate Profiles

B.

When configuring GlobalProtect portal

C.

When configuring User Activity Reports

D.

When configuring Antivirus Dynamic Updates

Question # 20

Which two events trigger the operation of automatic commit recovery? (Choose two.)

A.

when an aggregate Ethernet interface component fails

B.

when Panorama pushes a configuration

C.

when a firewall HA pair fails over

D.

when a firewall performs a local commit

Question # 21

A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall.

Which part of files needs to be imported back into the replacement firewall that is using Panorama?

A.

Device state and license files

B.

Configuration and serial number files

C.

Configuration and statistics files

D.

Configuration and Large Scale VPN (LSVPN) setups file

Question # 22

Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

A.

Vulnerability Object

B.

DoS Protection Profile

C.

Data Filtering Profile

D.

Zone Protection Profile

Question # 23

In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.

Which authentication method must be used?

A.

LDAP

B.

Kerberos

C.

Certification based authentication

D.

RADIUS with Vendor-Specific Attributes

Question # 24

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

A.

Master

B.

Universal

C.

Shared

D.

Global

Question # 25

A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.

What should be done first?

A.

Remove the cable from the management interface, reload the log Collector and then re-connect that cable

B.

Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments

C.

remove the device from the Collector Group

D.

Revert to a previous configuration

Question # 26

A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile.

What should be done next?

A.

Click the simple-critical rule and then click the Action drop-down list.

B.

Click the Exceptions tab and then click show all signatures.

C.

View the default actions displayed in the Action column.

D.

Click the Rules tab and then look for rules with "default" in the Action column.

Question # 27

Firewall administrators cannot authenticate to a firewall GUI.

Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

A.

ms log

B.

authd log

C.

System log

D.

Traffic log

E.

dp-monitor.log

Question # 28

A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.

How should this be accomplished?

A.

Create a Template with the appropriate IKE Gateway settings

B.

Create a Template with the appropriate IPSec tunnel settings

C.

Create a Device Group with the appropriate IKE Gateway settings

D.

Create a Device Group with the appropriate IPSec tunnel settings

Question # 29

When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.

Answer options may be used more than once or not at all.

Question # 30

Only two Trust to Untrust allow rules have been created in the Security policy

Rule1 allows google-base

Rule2 allows youtube-base

The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found.

Which action will allow youtube.com to display in the browser correctly?

A.

Add SSL App-ID to Rule1

B.

Create an additional Trust to Untrust Rule, add the web-browsing and SSL App-IDs to it

C.

Add the DNS App-ID to Rule2

D.

Add the Web-browsing App-ID to Rule2

Question # 31

What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

A.

The firewalls must have the same set of licenses.

B.

The management interfaces must be on the same network.

C.

The peer HA1 IP address must be the same on both firewalls.

D.

HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.

Question # 32

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.

Which component, once enabled on a perimeter firewall, will allow the identification of existing infected hosts in an environment?

A.

Anti-Spyware profiles applied to outbound security policies with DNS Query action set to sinkhole

B.

File Blocking profiles applied to outbound security policies with action set to alert

C.

Vulnerability Protection profiles applied to outbound security policies with action set to block

D.

Antivirus profiles applied to outbound security policies with action set to alert

Question # 33

Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

A.

Configuring the administrative Distance for RIP to be lower than that of OSPF Int.

B.

Configuring the metric for RIP to be higher than that of OSPF Int.

C.

Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.

D.

Configuring the metric for RIP to be lower than that of OSPF Ext.

Question # 34

What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)

A.

Clean

B.

Benign

C.

Adware

D.

Suspicious

E.

Grayware

F.

Malware

Question # 35

A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.

What can be done to simplify the NAT policy?

A.

Configure ECMP to handle matching NAT traffic

B.

Configure a NAT Policy rule with Dynamic IP and Port

C.

Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option

D.

Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option

Question # 36

Which operation will impact performance of the management plane?

A.

DoS protection

B.

WildFire submissions

C.

generating a SaaS Application report

D.

decrypting SSL sessions

Question # 37

What must be used in a Security Policy Rule that contains addresses where NAT policy applies?

A.

Pre-NAT addresses and Pre-NAT zones

B.

Post-NAT addresses and Post-NAT zones

C.

Pre-NAT addresses and Post-NAT zones

D.

Post-NAT addresses and Pre-NAT zones

Question # 38

Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.

Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

A.

Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.

B.

Wait until an official Application signature is provided from Palo Alto Networks.

C.

Modify the session timer settings on the closest referenced application to meet the needs of the in-house application

D.

Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

Question # 39

What is exchanged through the HA2 link?

A.

hello heartbeats

B.

User-ID information

C.

session synchronization

D.

HA state information

Question # 40

Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

A.

TACACS+

B.

Kerberos

C.

PAP

D.

LDAP

E.

SAML

F.

RADIUS

Question # 41

Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

A.

Push

B.

Pull

C.

Okta Adaptive

D.

Voice

E.

SMS

Question # 42

Exhibit:

What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

A.

ethernet1/7

B.

ethernet1/5

C.

ethernet1/6

D.

ethernet1/3

Question # 43

VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

A.

Zone Protection

B.

Replay

C.

Web Application

D.

DoS Protection

Question # 44

What are the differences between using a service versus using an application for Security Policy match?

A.

Use of a "service" enables the firewall to take action after enough packets allow for App-ID identification

B.

Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used.

C.

There are no differences between "service" or "application". Use of an "application" simplifies configuration by allowing use of a friendly application name instead of port numbers.

D.

Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take immediate action if the port being used is a member of the application standard port list.

Question # 45

A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

A.

Enable packet buffer protection on the Zone Protection Profile.

B.

Apply an Anti-Spyware Profile with DNS sinkholing.

C.

Use the DNS App-ID with application-default.

D.

Apply a classified DoS Protection Profile.

Question # 46

Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)

A.

Content-ID

B.

User-ID

C.

Applications and Threats

D.

Antivirus

Question # 47

Which protection feature is available only in a Zone Protection Profile?

A.

SYN Flood Protection using SYN Flood Cookies

B.

ICMP Flood Protection

C.

Port Scan Protection

D.

UDP Flood Protections

Question # 48

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure.

A.

BGP (Border Gateway Protocol)

B.

PBP (Packet Buffer Protection)

C.

PGP (Packet Gateway Protocol)

D.

PBP (Protocol Based Protection)

Question # 49

Which Panorama administrator types require the configuration of at least one access domain? (Choose two)

A.

Dynamic

B.

Custom Panorama Admin

C.

Role Based

D.

Device Group

E.

Template Admin

Question # 50

Based on the image, what caused the commit warning?

A.

The CA certificate for FWDtrust has not been imported into the firewall.

B.

The FWDtrust certificate has not been flagged as Trusted Root CA.

C.

SSL Forward Proxy requires a public certificate to be imported into the firewall.

D.

The FWDtrust certificate does not have a certificate chain.

Question # 51

View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

A.

It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.

B.

It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.

C.

It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.

D.

It forces the firewall to perform a dynamic DNS update, which adds the internal gateway’s hostname and IP address to the DNS server.

Question # 52

Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

A.

web-browsing and 443

B.

SSL and 80

C.

SSL and 443

D.

web-browsing and 80

Question # 53

For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)

A.

equal-cost multipath

B.

ingress processing errors

C.

rule match with action "allow"

D.

rule match with action "deny"

Question # 54

Which Captive Portal mode must be configured to support MFA authentication?

A.

NTLM

B.

Redirect

C.

Single Sign-On

D.

Transparent

Question # 55

In the following image from Panorama, why are some values shown in red?

A.

sg2 session count is the lowest compared to the other managed devices.

B.

us3 has a logging rate that deviates from the administrator-configured thresholds.

C.

uk3 has a logging rate that deviates from the seven-day calculated baseline.

D.

sg2 has misconfigured session thresholds.

Question # 56

An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.

Which configuration step needs to be configured to enable QoS?

A.

Enable QoS Data Filtering Profile

B.

Enable QoS monitor

C.

Enable QoS interface

D.

Enable QoS in the interface Management Profile.

Question # 57

SAML SLO is supported for which two firewall features? (Choose two.)

A.

GlobalProtect Portal

B.

Captive Portal

C.

WebUI

D.

CLI

Question # 58

Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

A.

The firewall is in multi-vsys mode.

B.

The traffic is offloaded.

C.

The traffic does not match the packet capture filter.

D.

The firewall’s DP CPU is higher than 50%.

Question # 59

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

A.

It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS

D.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS

Question # 60

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)

A.

HTTP

B.

User-ID

C.

SSH

D.

HTTPS

E.

Permitted IP Addresses
