
Palo Alto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 Exam Practice Test

Total 455 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 Questions and Answers

Question 1

Which three options are available when creating a security profile? (Choose three)

Options:

A.

Anti-Malware

B.

File Blocking

C.

URL Filtering

D.

IDS/ISP

E.

Threat Prevention

F.

Antivirus

Question 2

A user's traffic traversing a Palo Alto Networks NGFW can sometimes reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.

How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

Options:

A.

Create and add a monitor profile with an action of fail over in the PBF rule in question

B.

Create and add a monitor profile with an action of wait recover in the PBF rule in question

C.

Configure path monitoring for the next hop gateway on the default route in the virtual router

D.

Enable and configure a link monitoring profile for the external interface of the firewall

Question 3

Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.

How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

Options:

A.

Enable on Site-A only

B.

Enable on Site-B only

C.

Enable on Site-B only with passive mode

D.

Enable on Site-A and Site-B

Question 4

When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

Options:

A.

When configuring Certificate Profiles

B.

When configuring GlobalProtect portal

C.

When configuring User Activity Reports

D.

When configuring Antivirus Dynamic Updates

Question 5

In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.

Which authentication method must be used?

Options:

A.

LDAP

B.

Kerberos

C.

Certification based authentication

D.

RADIUS with Vendor-Specific Attributes

Question 6

Which two interface types can be used when configuring GlobalProtect Portal? (Choose two)

Options:

A.

Virtual Wire

B.

Loopback

C.

Layer 3

D.

Tunnel

Question 7

A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile.

What should be done next?

Options:

A.

Click the simple-critical rule and then click the Action drop-down list.

B.

Click the Exceptions tab and then click show all signatures.

C.

View the default actions displayed in the Action column.

D.

Click the Rules tab and then look for rules with "default" in the Action column.

Question 8

Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

Options:

A.

KVM

B.

VMware ESX

C.

VMware NSX

D.

AWS

Question 9

During the packet flow process, which two processes are performed in application identification? (Choose two.)

Options:

A.

pattern based application identification

B.

application changed from content inspection

C.

session application identified

D.

application override policy match

Question 10

Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

Options:

A.

Configuring the administrative Distance for RIP to be lower than that of OSPF Int.

B.

Configuring the metric for RIP to be higher than that of OSPF Int.

C.

Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.

D.

Configuring the metric for RIP to be lower than that of OSPF Ext.

Question 11

Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)

Options:

A.

Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions

B.

Enable User-ID on the zone object for the destination zone

C.

Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions

D.

Enable User-ID on the zone object for the source zone

E.

Configure a RADIUS server profile to point to a domain controller

Question 12

Click the Exhibit button

An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.

What would be the administrator's next step?

Options:

A.

Right-Click on the bittorrent link and select Value from the context menu

B.

Create a global filter for bittorrent traffic and then view Traffic logs.

C.

Create a local filter for bittorrent traffic and then view Traffic logs.

D.

Click on the bittorrent application link to view network activity

Question 13

Click the Exhibit button below.

A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.

Which is the next hop IP address for the HTTPS traffic from Will's PC?

Options:

A.

172.20.30.1

B.

172.20.40.1

C.

172.20.20.1

D.

172.20.10.1

Question 14

Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.)

Options:

A.

On the App Dependency tab in the Commit Status window

B.

On the Application tab in the Security Policy Rule creation window

C.

On the Objects > Applications browsers pages

D.

On the Policy Optimizer's Rule Usage page

Question 15

Which operation will impact performance of the management plane?

Options:

A.

DoS protection

B.

WildFire submissions

C.

generating a SaaS Application report

D.

decrypting SSL sessions

Question 16

What will be the source address in the ICMP packet?

Options:

A.

10.30.0.93

B.

10.46.72.93

C.

10.46.64.94

D.

192.168.93.1

Question 17

Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.

Which step is required to accomplish this goal?

Options:

A.

Assign an IP address on each tunnel interface at each site

B.

Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0

C.

Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces

D.

Create new VPN zones at each site to terminate each VPN connection

Question 18

YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:

* ethernet1/1, Zone: Untrust (Internet-facing)

* ethernet1/2, Zone: Trust (client-facing)

A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.

Which setting for class 6 will throttle YouTube traffic?

Options:

A.

Outbound profile with Guaranteed Ingress

B.

Outbound profile with Maximum Ingress

C.

Inbound profile with Guaranteed Egress

D.

Inbound profile with Maximum Egress

Question 19

Which field is optional when creating a new Security Policy rule?

Options:

A.

Name

B.

Description

C.

Source Zone

D.

Destination Zone

E.

Action

Question 20

A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?

Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two)

Options:

A.

A report can be created that identifies unclassified traffic on the network.

B.

Different security profiles can be applied to traffic matching rules 2 and 3.

C.

Rule 2 and 3 apply to traffic on different ports.

D.

Separate Log Forwarding profiles can be applied to rules 2 and 3.

Question 21

Starting with PAN-OS version 9.1, Global logging information is now recorded in which firewall log?

Options:

A.

Authentication

B.

GlobalProtect

C.

Configuration

D.

System

Question 22

Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

Options:

A.

The devices are pre-configured with a virtual wire pair out the first two interfaces.

B.

The devices are licensed and ready for deployment.

C.

The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.

D.

A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.

E.

The interfaces are pingable.

Question 23

A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.

Given the following zone information:

• DMZ zone: DMZ-L3

• Public zone: Untrust-L3

• Guest zone: Guest-L3

• Web server zone: Trust-L3

• Public IP address (Untrust-L3): 1.1.1.1

• Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

Options:

A.

Untrust-L3

B.

DMZ-L3

C.

Guest-L3

D.

Trust-L3

Question 24

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/security platforms?

Options:

A.

Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

B.

Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.

C.

Configure log compression and optimization features on all remote firewalls.

D.

Any configuration on an M-500 would address the insufficient bandwidth concerns.

Question 25

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:

• Firewall has Internet connectivity through e1/1.

• Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.

• Service route is configured, sourcing update traffic from e1/1.

• A communication error appears in the System logs when updates are performed.

• Download does not complete.

What must be configured to enable the firewall to download the current version of PAN-OS software?

Options:

A.

DNS settings for the firewall to use for resolution

B.

scheduler for timed downloads of PAN-OS software

C.

static route pointing application PaloAlto-updates to the update servers

D.

Security policy rule allowing PaloAlto-updates as the application

Question 26

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Options:

A.

Anti-Spyware

B.

WildFire

C.

Vulnerability Protection

D.

Antivirus

Question 27

An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Options:

A.

View Runtime Stats in the virtual router.

B.

View System logs.

C.

Add a redistribution profile to forward as BGP updates.

D.

Perform a traffic pcap at the routing stage.

Question 28

Which feature can be configured on VM-Series firewalls?

Options:

A.

aggregate interfaces

B.

machine learning

C.

multiple virtual systems

D.

GlobalProtect

Question 29

When is the content inspection performed in the packet flow process?

Options:

A.

after the application has been identified

B.

before session lookup

C.

before the packet forwarding process

D.

after the SSL Proxy re-encrypts the packet

Question 30

Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

Options:

A.

HA1 IP Address

B.

Network Interface Type

C.

Master Key

D.

Zone Protection Profile

Question 31

There is a speed/duplex negotiation mismatch between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1Gbps?

Options:

A.

set deviceconfig interface speed-duplex 1Gbps-full-duplex

B.

set deviceconfig system speed-duplex 1Gbps-duplex

C.

set deviceconfig system speed-duplex 1Gbps-full-duplex

D.

set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Question 32

A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?

Options:

A.

The three-way TCP handshake was observed, but the application could not be identified.

B.

The three-way TCP handshake did not complete.

C.

The traffic is coming across UDP, and the application could not be identified.

D.

Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied.

Question 33

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Options:

A.

Create a no-decrypt Decryption Policy rule.

B.

Configure an EDL to pull IP addresses of known sites resolved from a CRL.

C.

Create a Dynamic Address Group for untrusted sites

D.

Create a Security Policy rule with vulnerability Security Profile attached.

E.

Enable the “Block sessions with untrusted issuers” setting.

Question 34

How can a candidate or running configuration be copied to a host external from Panorama?

Options:

A.

Commit a running configuration.

B.

Save a configuration snapshot.

C.

Save a candidate configuration.

D.

Export a named configuration snapshot.

Question 35

If the firewall has the link monitoring configuration, what will cause a failover?

Options:

A.

ethernet1/3 and ethernet1/6 going down

B.

ethernet1/3 going down

C.

ethernet1/3 or Ethernet1/6 going down

D.

ethernet1/6 going down

Question 36

Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)

Options:

A.

Short message service

B.

Push

C.

User logon

D.

Voice

E.

SSH key

F.

One-Time Password

Question 37

An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 38

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?

Options:

A.

The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.

B.

Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.

C.

The firewalls do not use floating IPs in active/active HA.

D.

The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Question 39

How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

Options:

A.

by adding the device's Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device

B.

by using security policies, log forwarding profiles, and log settings.

C.

by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook

D.

There is no native auto-quarantine feature so a custom script would need to be leveraged.

Question 40

Which option is part of the content inspection process?

Options:

A.

Packet forwarding process

B.

SSL Proxy re-encrypt

C.

IPsec tunnel encryption

D.

Packet egress process

Question 41

Which Security policy rule will allow an admin to block Facebook chat but allow Facebook in general?

Options:

A.

Deny application facebook-chat before allowing application facebook

B.

Deny application facebook on top

C.

Allow application facebook on top

D.

Allow application facebook before denying application facebook-chat

Question 42

Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

Options:

A.

The firewall is in multi-vsys mode.

B.

The traffic is offloaded.

C.

The traffic does not match the packet capture filter.

D.

The firewall’s DP CPU is higher than 50%.

Question 43

Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)

Options:

A.

Content-ID

B.

User-ID

C.

Applications and Threats

D.

Antivirus

Question 44

Based on the image, what caused the commit warning?

Options:

A.

The CA certificate for FWDtrust has not been imported into the firewall.

B.

The FWDtrust certificate has not been flagged as Trusted Root CA.

C.

SSL Forward Proxy requires a public certificate to be imported into the firewall.

D.

The FWDtrust certificate does not have a certificate chain.

Question 45

Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 46

An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

Options:

A.

Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your internet connection.

B.

Configure a security policy rule to allow all traffic to and from the update servers.

C.

Download and install application updates cannot be done automatically if the MGT port cannot reach the internet.

D.

Configure a service route for Palo Alto Networks services that uses a dataplane interface that can route traffic to the internet, and create a security policy rule to allow the traffic from that interface to the update servers if necessary.

Question 47

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

Options:

A.

review the configuration logs on the Monitor tab

B.

click Preview Changes under Push Scope

C.

use Test Policy Match to review the policies in Panorama

D.

context-switch to the affected firewall and use the configuration audit tool

Question 48

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

Options:

A.

It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS

D.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS

Question 49

A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software

Why did the bootstrap process fail for the VM-Series firewall in Azure?

Options:

A.

All public cloud deployments require the /plugins folder to support proper firewall native integrations

B.

The /content folder is missing from the bootstrap package

C.

The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing

D.

The /config or /software folders were missing mandatory files to successfully bootstrap

Question 50

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Options:

A.

Add the policy in the shared device group as a pre-rule

B.

Reference the targeted device's templates in the target device group

C.

Add the policy to the target device group and apply a master device to the device group

D.

Clone the security policy and add it to the other device groups

Question 51

Which rule type controls end user SSL traffic to external websites?

Options:

A.

SSL Outbound Proxyless Inspection

B.

SSL Forward Proxy

C.

SSL Inbound Inspection

D.

SSH Proxy

Question 52

Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

Options:

A.

inherit address-objects from templates

B.

define a common standard template configuration for firewalls

C.

standardize server profiles and authentication configuration across all stacks

D.

standardize log-forwarding profiles for security policies across all stacks

Question 53

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.

Options:

Question 54

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767

Options:

A.

The PanGPS process failed to connect to the PanGPA process on port 4767

B.

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.

The PanGPA process failed to connect to the PanGPS process on port 4767

D.

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Question 55

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

Options:

A.

not-applicable

B.

incomplete

C.

unknown-ip

D.

unknown-udp

Question 56

When overriding a template configuration locally on a firewall, what should you consider?

Options:

A.

Only Panorama can revert the override

B.

Panorama will lose visibility into the overridden configuration

C.

Panorama will update the template with the overridden value

D.

The firewall template will show that it is out of sync within Panorama

Question 57

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)

Options:

A.

variables

B.

template stacks

C.

collector groups

D.

virtual systems

Question 58

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.

However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.

How can policies based on group mapping be learned and enforced in Prisma Access?

Options:

A.

Configure Prisma Access to learn group mapping via SAML assertion

B.

Assign a master device in Panorama through which Prisma Access learns groups

C.

Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access

D.

Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers

Question 59

An administrator's device-group commit push is failing due to a new URL category.

How should the administrator correct this issue?

Options:

A.

verify that the URL seed file has been downloaded and activated on the firewall

B.

change the new category action to "alert" and push the configuration again

C.

update the Firewall Apps and Threat version to match the version of Panorama

D.

ensure that the firewall can communicate with the URL cloud

Question 60

An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane.

Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

Options:

A.

> ftp export mgmt-pcap from mgmt.pcap to

B.

> scp export mgmt-pcap from mgmt.pcap to <username@host:path>

C.

> scp export pcap-mgmt from pcap.mgmt to (username@host:path)

D.

> scp export pcap from pcap to (username@host:path)

Question 61

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

Options:

A.

configure a device block list

B.

rename a vsys on a multi-vsys firewall

C.

enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

D.

add administrator accounts

E.

change the firewall management IP address

Question 62

What are three reasons for excluding a site from SSL decryption? (Choose three.)

Options:

A.

the website is not present in English

B.

unsupported ciphers

C.

certificate pinning

D.

unsupported browser version

E.

mutual authentication

Question 63

A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.

Which configuration is necessary to retrieve groups from Panorama?

Options:

A.

Configure an LDAP Server profile and enable the User-ID service on the management interface.

B.

Configure a group mapping profile to retrieve the groups in the target template.

C.

Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.

D.

Configure a master device within the device groups.

Question 64

Please match the terms to their corresponding definitions.

Options:

Question 65

Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)

Options:

A.

The environment requires real, full-time redundancy from both firewalls at all times

B.

The environment requires Layer 2 interfaces in the deployment

C.

The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence

D.

The environment requires that all configuration must be fully synchronized between both members of the HA pair

E.

The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes

Question 66

What is the best description of the HA4 Keep-Alive Threshold (ms)?

Options:

A.

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

D.

The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

Question 67

Match each type of DoS attack to an example of that type of attack

Options:
