Month End Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Exam Practice Test

Page: 1 / 9
Total 89 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Questions and Answers

Question 1

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.

What should they review with their leadership before implementation?

Options:

A.

Browser-supported cipher documentation

B.

Cipher documentation supported by the endpoint operating system

C.

URL risk-based category distinctions

D.

Legal compliance regulations and acceptable usage policies

Question 2

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

Options:

A.

NTP Server Address

B.

Antivirus Profile

C.

Authentication Profile

D.

Service Route Configuration

E.

Dynamic Address Groups

Question 3

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

Options:

A.

VirtualWire

B.

Layer3

C.

TAP

D.

Layer2

Question 4

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

Options:

A.

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate

B.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure

C.

Check whether the VPN peer on one end is set up correctly using policy-based VPN

D.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Question 5

Which two statements correctly describe Session 380280? (Choose two.)

Question # 5

Options:

A.

The session went through SSL decryption processing.

B.

The session has ended with the end-reason unknown.

C.

The application has been identified as web-browsing.

D.

The session did not go through SSL decryption processing.

Question 6

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

. No client configuration is required for explicit proxy, which simplifies the deployment complexity.

B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.

C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

Options:

Question 7

An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

Options:

A.

Specify the target device as the master device in the device group

B.

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

C.

Add the template as a reference template in the device group

D.

Add a firewall to both the device group and the template

Question 8

What is the best definition of the Heartbeat Interval?

Options:

A.

The interval in milliseconds between hello packets

B.

The frequency at which the HA peers check link or path availability

C.

The frequency at which the HA peers exchange ping

D.

The interval during which the firewall will remain active following a link monitor failure

Question 9

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

Question # 9

Options:

A.

IP Netmask

B.

IP Wildcard Mask

C.

IP Address

D.

IP Range

Question 10

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

Options:

A.

OSPF

B.

RIP

C.

BGP

D.

IGRP

E.

OSPFv3 virtual link

Question 11

ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

Options:

A.

1 to 4 hours

B.

6 to 12 hours

C.

24 hours

D.

36 hours

Question 12

Question # 12

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

Options:

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Question 13

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

Options:

A.

Perform a commit force from the CLI of the firewall.

B.

Perform a template commit push from Panorama using the "Force Template Values" option.

C.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

D.

Reload the running configuration and perform a Firewall local commit.

Question 14

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

Options:

A.

A subject alternative name

B.

A private key

C.

A server certificate

D.

A certificate authority (CA) certificate

Question 15

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

Options:

A.

The PanGPS process failed to connect to the PanGPA process on port 4767

B.

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.

The PanGPA process failed to connect to the PanGPS process on port 4767

D.

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Question 16

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

Options:

A.

Click Session Browser and review the session details.

B.

Click Traffic view and review the information in the detailed log view.

C.

Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.

D.

Click App Scope > Network Monitor and filter the report for NAT rules.

Question 17

Which three authentication types can be used to authenticate users? (Choose three.)

Options:

A.

Local database authentication

B.

PingID

C.

Kerberos single sign-on

D.

GlobalProtect client

E.

Cloud authentication service

Question 18

Which GloDalProtecI gateway setting is required to enable split-tunneting by access route, destination domain and application?

Options:

A.

Tunnel mode

B.

Satellite mode

C.

IPSec mode

D.

No Direct Access to local networks

Question 19

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

Options:

A.

High availability (HA)

B.

Layer 3

C.

Layer 2

D.

Tap

E.

Virtual Wire

Question 20

Match the terms to their corresponding definitions

Question # 20

Options:

Question 21

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Question 22

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

Options:

A.

A web server certificate signed by the organization's PKI

B.

A self-signed certificate generated on the firewall

C.

A subordinate Certificate Authority certificate signed by the organization's PKI

D.

A web server certificate signed by an external Certificate Authority

Question 23

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

Options:

A.

To comply with data privacy regulations, WildFire signatures and ver-dicts are not shared globally.

B.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

C.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

D.

The WildFire Global Cloud only provides bare metal analysis.

Question 24

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

Options:

A.

Exclude video traffic

B.

Enable decryption

C.

Block traffic that is not work-related

D.

Create a Tunnel Inspection policy

Question 25

Which Panorama feature protects logs against data loss if a Panorama server fails?

Options:

A.

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

Question 26

Which protocol is supported by GlobalProtect Clientless VPN?

Options:

A.

FTP

B.

RDP

C.

SSH

D.

HTTPS

Page: 1 / 9
Total 89 questions