Palo Alto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Exam Practice Test

Page: 1 / 24
Total 243 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Questions and Answers

Question 1

Which Panorama feature protects logs against data loss if a Panorama server fails?

Options:

A.

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.

Question 2

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Options:

A.

/software

B.

/opt

C.

/license

D.

/content

E.

/plugins

Question 3

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the IP address of the web server, and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

Options:

A.

DNS proxy

B.

Explicit proxy

C.

SSL forward proxy

D.

Transparent proxy

Question 4

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

Options:

A.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured

B.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

D.

A User-ID Certificate profile must be configured on Panorama

Question 5

Where is information about packet buffer protection logged?

Options:

A.

Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log

B.

All entries are in the System log

C.

Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log

D.

All entries are in the Alarms log

Question 6

An administrator is configuring a Panorama device group.

Which two objects are configurable? (Choose two.)

Options:

A.

DNS Proxy

B.

Address groups

C.

SSL/TLS roles

D.

URL Filtering profiles

Question 7

The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?

Options:

A.

action 'reset-both' and packet capture 'extended-capture'

B.

action 'default' and packet capture 'single-packet'

C.

action 'reset-both' and packet capture 'single-packet'

D.

action 'reset-server' and packet capture 'disable'

Question 8

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption rollout. The administrator has also installed the self-signed root certificate

Options:

A.

The forward trust certificate has not been signed by the self-signed root CA certificate

B.

The self-signed CA certificate has the same CN as the forward trust and untrust certificates

C.

The forward untrust certificate has not been signed by the self-signed root CA certificate

D.

The forward trust certificate has not been installed in client systems

Question 9

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

Options:

A.

It applies to existing sessions and is not global

B.

It applies to new sessions and is global

C.

It applies to new sessions and is not global

D.

It applies to existing sessions and is global

Question 10

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

Options:

A.

Rule #1: application: web-browsing; service: application-default; action: allow
Rule #2: application: ssl; service: application-default; action: allow

B.

Rule #1: application: web-browsing; service: service-https; action: allow
Rule #2: application: ssl; service: application-default; action: allow

C.

Rule #1: application: web-browsing; service: service-http; action: allow
Rule #2: application: ssl; service: application-default; action: allow

D.

Rule #1: application: ssl; service: application-default; action: allow
Rule #2: application: web-browsing; service: application-default; action: allow

Question 11

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

Options:

A.

One-time password

B.

User certificate

C.

Voice

D.

SMS

E.

Fingerprint

Question 12

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Options:

A.

Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs

B.

Configure a security policy rule to allow new App-IDs that might have network-wide impact

C.

Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs

D.

Study the release notes and install new App-IDs if they are determined to have low impact

Question 13

Review the images. A firewall policy that permits web traffic includes the

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

Options:

A.

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Question 14

What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?

Options:

A.

SSL/TLS Service profile

B.

Certificate profile

C.

SCEP

D.

OCSP Responder

Question 15

An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?

Options:

A.

90 Mbps

B.

300 Mbps

C.

75 Mbps

D.

50 Mbps

Question 16

In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

Options:

A.

Threat logs

B.

Traffic logs

C.

System logs

D.

WildFire logs

Question 17

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.)

Options:

A.

SSL/TLS Service

B.

HTTP Server

C.

Decryption

D.

Interface Management

Question 18

An engineer is tasked with configuring a Zone Protection profile on the untrust zone.

Which three settings can be configured on a Zone Protection profile? (Choose three.)

Options:

A.

Ethernet SGT Protection

B.

Protocol Protection

C.

DoS Protection

D.

Reconnaissance Protection

E.

Resource Protection

Question 19

Which statement regarding HA timer settings is true?

Options:

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Question 20

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

Options:

A.

Syslog listener

B.

agentless User-ID with redistribution

C.

standalone User-ID agent

D.

captive portal

Question 21

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.

Options:

Question 22

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?

Options:

A.

The client sent a TCP segment with the PUSH flag set.

B.

The TCP connection was terminated without identifying any application data.

C.

There is insufficient application data after the TCP connection was established.

D.

The TCP connection did not fully establish.

Question 23

What is a key step in implementing WildFire best practices?

Options:

A.

In a mission-critical network, increase the WildFire size limits to the maximum value.

B.

Configure the firewall to retrieve content updates every minute.

C.

In a security-first network, set the WildFire size limits to the minimum value.

D.

Ensure that a Threat Prevention subscription is active.

Question 24

An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.

Which troubleshooting command should the engineer use to work around this issue?

Options:

A.

set deviceconfig setting tcp asymmetric-path drop

B.

set deviceconfig setting session tcp-reject-non-syn no

C.

set session tcp-reject-non-syn yes

D.

set deviceconfig setting tcp asymmetric-path bypass

Question 25

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)

Options:

A.

Virtual router

B.

Security zone

C.

ARP entries

D.

Netflow Profile

Question 26

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Options:

A.

the website matches a category that is not allowed for most users

B.

the website matches a high-risk category

C.

the web server requires mutual authentication

D.

the website matches a sensitive category

Question 27

What are three reasons for excluding a site from SSL decryption? (Choose three.)

Options:

A.

the website is not present in English

B.

unsupported ciphers

C.

certificate pinning

D.

unsupported browser version

E.

mutual authentication

Question 28

Which statement best describes the Automated Commit Recovery feature?

Options:

A.

It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall if the check fails.

B.

It restores the running configuration on a firewall and Panorama if the last configuration commit fails.

C.

It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.

D.

It restores the running configuration on a firewall if the last configuration commit fails.

Question 29

What is the function of a service route?

Options:

A.

The service route is the method required to use the firewall's management plane to provide services to applications

B.

The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address

C.

The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address

D.

Service routes provide access to external services, such as DNS servers, external authentication servers, or Palo Alto Networks services like the Customer Support Portal

Question 30

A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

What should the administrator do to allow the tool to scan through the firewall?

Options:

A.

Remove the Zone Protection profile from the zone setting.

B.

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.

C.

Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

D.

Change the TCP port scan action from Block to Alert in the Zone Protection profile.

Question 31

What is the best definition of the Heartbeat Interval?

Options:

A.

The interval in milliseconds between hello packets

B.

The frequency at which the HA peers check link or path availability

C.

The frequency at which the HA peers exchange ping

D.

The interval during which the firewall will remain active following a link monitor failure

Question 32

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Options:

A.

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.

B.

Add the HTTP, SSL, and Evernote applications to the same Security policy

C.

Add only the Evernote application to the Security policy rule.

D.

Create an Application Override using TCP ports 443 and 80.

Question 33

Place the steps in the WildFire process workflow in their correct order.

Options:

Question 34

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

Options:

A.

Windows User-ID agent

B.

GlobalProtect

C.

XMLAPI

D.

External dynamic list

E.

Dynamic user groups

Question 35

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority. Match the default Administrative Distances for each routing protocol.

Options:

Question 36

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

Options:

A.

Phase 2 SAs are synchronized over HA2 links

B.

Phase 1 and Phase 2 SAs are synchronized over HA2 links

C.

Phase 1 SAs are synchronized over HA1 links

D.

Phase 1 and Phase 2 SAs are synchronized over HA3 links
