Special Black Friday Discount Limited Time 65% Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 Exam Practice Test

Page: 1 / 37
Total 369 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 Questions and Answers

Question 1

Click the Exhibit button below,

A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.

Which is the next hop IP address for the HTTPS traffic from Will's PC?

Options:

A.

172.20.30.1

B.

172.20.40.1

C.

172.20.20.1

D.

172.20.10.1

Question 2

Only two Trust to Untrust allow rules have been created in the Security policy

Rule1 allows google-base

Rule2 allows youtube-base

The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.

Which action will allow youtube.com display in the browser correctly?

Options:

A.

Add SSL App-ID to Rule1

B.

Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it

C.

Add the DNS App-ID to Rule2

D.

Add the Web-browsing App-ID to Rule2

Question 3

Panorama provides which two SD_WAN functions? (Choose two.)

Options:

A.

data plane

B.

physical network links

C.

network monitoring

D.

control plane

Question 4

ION NO: 63

Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

Options:

A.

Virtual Wire

B.

Loopback

C.

Layer 3

D.

Tunnel

Question 5

A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?

Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

Options:

A.

A report can be created that identifies unclassified traffic on the network.

B.

Different security profiles can be applied to traffic matching rules 2 and 3.

C.

Rule 2 and 3 apply to traffic on different ports.

D.

Separate Log Forwarding profiles can be applied to rules 2 and 3.

Question 6

Starting with PAN-OS version 9.1, Global logging information is now recoded in which firewall log?

Options:

A.

Authentication

B.

Globalprotect

C.

Configuration

D.

System

Question 7

Click the Exhibit button

An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.

What would be the administrator's next step?

Options:

A.

Right-Click on the bittorrent link and select Value from the context menu

B.

Create a global filter for bittorrent traffic and then view Traffic logs.

C.

Create local filter for bittorrent traffic and then view Traffic logs.

D.

Click on the bittorrent application link to view network activity

Question 8

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Options:

A.

Master

B.

Universal

C.

Shared

D.

Global

Question 9

A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.

Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise?( Choose three)

Options:

A.

Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.

B.

Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.

C.

Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.

D.

Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall.

E.

Download and install PAN-OS 8.0.4 directly on each firewall.

F.

Download and push PAN-OS 8.0.4 from Panorama to each firewall.

Question 10

How are IPV6 DNS queries configured to user interface ethernet1/3?

Options:

A.

Network > Virtual Router > DNS Interface

B.

Objects > CustomerObjects > DNS

C.

Network > Interface Mgrnt

D.

Device > Setup > Services > Service Route Configuration

Question 11

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.

Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

Options:

A.

Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole

B.

File Blocking profiles applied to outbound security policies with action set to alert

C.

Vulnerability Protection profiles applied to outbound security policies with action set to block

D.

Antivirus profiles applied to outbound security policies with action set to alert

Question 12

The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

Options:

A.

A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application

B.

A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.

C.

A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.

D.

A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Question 13

In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.

Which authentication method must be used?

Options:

A.

LDAP

B.

Kerberos

C.

Certification based authentication

D.

RADIUS with Vendor-Specific Attributes

Question 14

Which three log-forwarding destinations require a server profile to be configured? (Choose three)

Options:

A.

SNMP Trap

B.

Email

C.

RADIUS

D.

Kerberos

E.

Panorama

F.

Syslog

Question 15

Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

Options:

A.

The devices are pre-configured with a virtual wire pair out the first two interfaces.

B.

The devices are licensed and ready for deployment.

C.

The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.

D.

A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.

E.

The interface are pingable.

Question 16

Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

Options:

A.

link requirements

B.

the name of the ISP

C.

IP Addresses

D.

branch and hub locations

Question 17

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

Options:

A.

Panorama Log Settings

B.

Panorama Log Templates

C.

Panorama Device Group Log Forwarding

D.

Collector Log Forwarding for Collector Groups

Question 18

A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.

Which CLI command syntax will display the rule that matches the test?

Options:

A.

test security -policy- match source destination destination port protocol

B.

show security rule source destination destination port protocol

C.

test security rule source destination destination port protocol

D.

show security-policy-match source destination destination port protocol

test security-policy-match source

Question 19

Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.)

Options:

A.

On the App Dependency tab in the Commit Status window

B.

On the Application tab in the Security Policy Rule creation window

C.

On the Objects > Applications browsers pages

D.

On the Policy Optimizer's Rule Usage page

Question 20

Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

Options:

A.

port mapping

B.

server monitoring

C.

client probing

D.

XFF headers

Question 21

Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

Options:

A.

Deny application facebook-chat before allowing application facebook

B.

Deny application facebook on top

C.

Allow application facebook on top

D.

Allow application facebook before denying application facebook-chat

Question 22

An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Options:

A.

Admin Role

B.

WebUI

C.

Authentication

D.

Authorization

Question 23

A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps?

Options:

A.

set deviceconfig interface speed-duplex 1Gbps-full-duplex

B.

set deviceconfig system speed-duplex 1Gbps-duplex

C.

set deviceconfig system speed-duplex 1Gbps-full-duplex

D.

set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Question 24

Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?”

Options:

A.

Descendant objects will take precedence over other descendant objects.

B.

Descendant objects will take precedence over ancestor objects.

C.

Ancestor objects will have precedence over descendant objects.

D.

Ancestor objects will have precedence over other ancestor objects.

Question 25

In which two types of deployment is active/active HA configuration supported? (Choose two.)

Options:

A.

TAP mode

B.

Layer 2 mode

C.

Virtual Wire mode

D.

Layer 3 mode

Question 26

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Options:

A.

Anti-Spyware

B.

WildFire

C.

Vulnerability Protection

D.

Antivirus

Question 27

If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

Options:

A.

TLS Bidirectional Inspection

B.

SSL Inbound Inspection

C.

SSH Forward Proxy

D.

SMTP Inbound Decryption

Question 28

Which event will happen if an administrator uses an Application Override Policy?

Options:

A.

Threat-ID processing time is decreased.

B.

The Palo Alto Networks NGFW stops App-ID processing at Layer 4.

C.

The application name assigned to the traffic by the security rule is written to the Traffic log.

D.

App-ID processing time is increased.

Question 29

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

Options:

A.

Red Hat Enterprise Virtualization (RHEV)

B.

Kernel Virtualization Module (KVM)

C.

Boot Strap Virtualization Module (BSVM)

D.

Microsoft Hyper-V

Question 30

Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

Options:

A.

Content-ID

B.

User-ID

C.

Applications and Threats

D.

Antivirus

Question 31

Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

Options:

A.

debug system details

B.

show session info

C.

show system info

D.

show system details

Question 32

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Options:

A.

Load named configuration snapshot

B.

Load configuration version

C.

Save candidate config

D.

Export device state

Question 33

VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Options:

A.

Zone Protection

B.

DoS Protection

C.

Web Application

D.

Replay

Question 34

How can a candidate or running configuration be copied to a host external from Panorama?

Options:

A.

Commit a running configuration.

B.

Save a configuration snapshot.

C.

Save a candidate configuration.

D.

Export a named configuration snapshot.

Question 35

Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Options:

A.

Certificate from Default Trust Certificate Authorities

B.

Domain Sub-CA

C.

Forward_Trust

D.

Domain-Root-Cert

Question 36

Which feature can provide NGFWs with User-ID mapping information?

Options:

A.

Web Captcha

B.

Native 802.1q authentication

C.

GlobalProtect

D.

Native 802.1x authentication

Question 37

Based on the following image,

what is the correct path of root, intermediate, and end-user certificate?

Options:

A.

Palo Alto Networks > Symantec > VeriSign

B.

Symantec > VeriSign > Palo Alto Networks

C.

VeriSign > Palo Alto Networks > Symantec

D.

VeriSign > Symantec > Palo Alto Networks

Question 38

Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Options:

A.

web-browsing and 443

B.

SSL and 80

C.

SSL and 443

D.

web-browsing and 80

Question 39

A security engineer needs firewall management access on a Inside interface When three settings are required on an SSI/TVS Service Profile to provide secure Wet) Ui authentication? (Choose three.)

Options:

A.

Maximum TLS version

B.

Minimum TLV version

C.

Encryption Algorithm

D.

Certificate

E.

Authentication Algorithm

Question 40

in URL filtering, which component matches URL patterns?

Options:

A.

live URL feeds on the management plane

B.

security processing on the data plane

C.

signature matching on the data plane

D.

single-pass pattern matching on the data plane

Question 41

An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA1?

Options:

A.

Configure a Captive Porta1 authentication policy that uses an authentication profile that references a RADIUS profile

B.

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy

C.

Configure a Captive Portal authentication policy that uses an authentication sequence

D.

Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns

Question 42

A firewall should be advertising the static route 10 2 0 0/24 into OSPF The configuration on the neighbor is correct but the route is not in the neighbor's routing table

Which two configurations should you check on the firewall'? (Choose two )

Options:

A.

Within the redistribution profile ensure that Redist is selected

B.

In the redistribution profile check that the source type is set to "ospf"

C.

In the OSFP configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section

D.

Ensure that the OSPF neighbor state is "2-Way"

Question 43

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

Options:

A.

performing a local firewall commit

B.

removing the firewall as a managed device in Panorama

C.

performing a factory reset of the firewall

D.

removing the Panorama serial number from the ZTP service

Question 44

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed

Which Panorama tool can help this organization?

Options:

A.

Config Audit

B.

Policy Optimizer

C.

Application Groups

D.

Test Policy Match

Question 45

What is a key step in implementing WildFire best practices?

Options:

A.

In a mission-critical network, increase the WildFire size limits to the maximum value

B.

In a security-first network set the WildFire size limits to the minimum value

C.

Configure the firewall to retrieve content updates every minute

D.

Ensure that a Threat Prevention subscription is active

Question 46

A remote administrator needs firewall access on an untrusted interface Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

Options:

A.

client certificate

B.

certificate profile

C.

certificate authority (CA) certificate

D.

server certificate

Question 47

An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

Options:

A.

System logs

B.

Traffic logs

C.

WridFire logs

D.

Threat logs

Question 48

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers

Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

Options:

A.

IPsec tunnels using IKEv2

B.

PPTP tunnels

C.

GlobalProtect satellite

D.

GlobalProtect client

Question 49

With the default TCP and UDP settings on the firewall what will be me identified application in the following session?

Options:

A.

incomplete

B.

unknown-tcp

C.

insufficient-data

D.

unknown-udp

Question 50

An administrator needs to validate that policies mat will be deployed win match the appropriate rules in the devce-oroup hierarchy Which toot can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

Options:

A.

Policy Optimizer

B.

Test Policy Match

C.

Preview Changes

D.

Managed Devices Health

Question 51

A remote administrator needs access to the firewall on an untrust interlace. Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

Options:

A.

HTTP

B.

User-ID

C.

SSH

D.

HTTPS

E.

Permitted IP Addresses

Question 52

Match each type of DoS attack to an example of that type of attack

Options:

Question 53

The UDP-4501 protocol-port is used between which two GlobalProtect components?

Options:

A.

GlobalProtect app and GlobalProtect gateway

B.

GlobalProtect portal and GlobalProtect gateway

C.

GlobalProtect app and GlobalProtect satellite

D.

GlobalProtect app and GlobalProtect portal

Question 54

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )

Options:

A.

Destination Zone

B.

App-ID

C.

Custom URL Category

D.

User-ID

E.

Source Interface

Question 55

An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Page: 1 / 37
Total 369 questions