
1272594469 PassLeader.PaloAltoNetworks.PCNSE.Dumps 583.QAs

Vendor: Palo Alto Networks
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0
Version: 22.101
QUESTION 1
Company.com wants to enable Application Override. Given the following screenshot:
Which two statements are true if Source and Destination traffic match the Application Override
policy? (Choose two)
A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
B. Traffic will be forced to operate over UDP Port 16384.
C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.
Answer: CD
Explanation:
An application override policy changes how the Palo Alto Networks firewall classifies network
traffic into applications. An application override with a custom application prevents the session from
being processed by the App-ID engine, which is a Layer-7 inspection.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-ApplicationOverride-Policy/ta-p/60044
QUESTION 2
Which three fields can be included in a pcap filter? (Choose three)
A. Egress interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress interface
Answer: BDE
Explanation:
https://knowledgebase.paloaltonetworks.com/servlet/rtaImage?eid=ka10g000000U0KT&feoid=00N0g000003VPSv&refid=0EM0g000001Ja97
QUESTION 3
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)
Get Latest & Actual PCNSE Exam's Question and Answers from PassLeader.
https://www.passleader.com/
2
A. Clean
B. Benign
C. Adware
D. Suspicious
E. Grayware
F. Malware
Answer: BEF
Explanation:
The WildFire verdicts are: Benign, Grayware, Malware.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/log-severitylevels-and-wildfire-verdicts
QUESTION 4
A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)
A. Panorama virtual appliance on ESX(i) only
B. M-500
C. M-100 with Panorama installed
D. M-100
Answer: BD
QUESTION 5
What are three valid methods of user mapping? (Choose three)
A. Syslog
B. XML API
C. 802.1X
D. WildFire
E. Server Monitoring
Answer: ABE
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-tousers.html#id61f141da-8b89-49c9-b34a-ed11b434d1db
QUESTION 6
A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to
ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to
ethernet1/4. What can be the cause of the problem?
A. DHCP has been set to Auto.
B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
D. DNS has not been properly configured on the firewall.
Answer: B
Explanation:
In a Layer 2 deployment, the firewall provides switching between two or more interfaces. Each
group of interfaces must be assigned to a VLAN object in order for the firewall to switch between
them.
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned
to each interface and a virtual router must be defined to route the traffic. Choose this option when
routing is required.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/getting-started/basicinterface-deployments
QUESTION 7
The IT department has received complaints about VoIP call jitter when the sales staff is making or
receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the
rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user
reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?
A. QoS Statistics
B. Applications Report
C. Application Command Center (ACC)
D. QoS Log
Answer: C
Explanation:
Network Activity
Displays an overview of traffic and user activity on your network including:
Top applications in use
Top users who generate traffic (with a drill down into the bytes, content, threats or URLs accessed
by the user)
Most used security rules against which traffic matches occur
In addition, you can also view network activity by source or destination zone, region, or IP address,
ingress or egress interfaces, and GlobalProtect host information such as the operating systems of
the devices most commonly used on the network.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-the-applicationcommand-center/ acc-tabs.html#id36db6852-3120-48bd-9887-2d370c01f8d5
QUESTION 8
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC
provides the information needed to create the report?
A. Blocked Activity
B. Bandwidth Activity
C. Threat Activity
D. Network Activity
Answer: D
Explanation:
The Network Activity tab of the Application Command Center (ACC) displays an overview of traffic
and user activity on your network including:
Top applications in use
Top users who generate traffic (with a drill down into the bytes, content, threats or URLs accessed
by the user)
Most used security rules against which traffic matches occur
In addition, you can also view network activity by source or destination zone, region, or IP address,
ingress or egress interfaces, and GlobalProtect host information such as the operating systems of
the devices most commonly used on the network.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/acc-tabs.html
QUESTION 9
Which three options does the WF-500 appliance support for local analysis? (Choose three)
A. E-mail links
B. APK files
C. jar files
D. PNG files
E. Portable Executable (PE) files
Answer: ACE
Explanation:
QUESTION 10
Company.com has an in-house application that the Palo Alto Networks device doesn't identify
correctly. A Threat Management Team member has mentioned that this in-house application is
very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks
device?
A. Create a custom Application without signatures, then create an Application Override policy that
includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
B. Wait until an official Application signature is provided from Palo Alto Networks.
C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application.
D. Create a Custom Application with signatures matching unique identifiers of the in-house application
traffic
Answer: D
Explanation:
Create a Custom Application with a signature and attach it to a security policy, or create a custom
application and define an application override policy--A custom application allows you to customize
the definition of the internal application--its characteristics, category and sub-category, risk, port,
timeout--and exercise granular policy control in order to minimize the range of unidentified traffic
on your network. Creating a custom application also allows you to correctly identify the application
in the ACC and traffic logs and is useful in auditing/reporting on the applications on your network.
For a custom application you can specify a signature and a pattern that uniquely identifies the
application and attach it to a security policy that allows or denies the application.
Alternatively, if you would like the firewall to process the custom application using fast path (Layer-4 inspection instead of using App-ID for Layer-7 inspection), you can reference the custom
application in an application override policy rule. An application override with a custom application
will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection.
Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing time.
For example, if you build a custom application that triggers on a host header www.mywebsite.com,
the packets are first identified as web-browsing and then are matched as your custom application
(whose parent application is web-browsing). Because the parent application is web-browsing, the
custom application is inspected at Layer-7 and scanned for content and vulnerabilities.
If you define an application override, the firewall stops processing at Layer-4. The custom
application name is assigned to the session to help identify it in the logs, and the traffic is not
scanned for threats.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/manage-custom-orunknown-applications.html#id74b58a78-164f-4dc5-aa4e-31ce62f2af0d
QUESTION 11
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator
notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could
be the problem?
A. A Server Profile has not been configured for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. The firewall is not licensed for logging to this Panorama device.
D. None of the firewall's policies have been assigned a Log Forwarding profile.
Answer: D
Explanation:
In order to see entries in the Panorama Monitor > Traffic or Monitor > Log screens, a profile must
be created on the Palo Alto Networks device (or pushed from Panorama) to forward log traffic to
Panorama.
Steps:
1. Go to Policies > Security and open the Options for a rule.
2. Under Log Setting, select New for Log Forwarding to create a new forwarding profile:
Etc.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-a-Profile-to-ForwardLogs-to-Panorama/ta-p/54038
QUESTION 12
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is
very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used
to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy
Decryption is not enabled.
Which component once enabled on a perimeter firewall will allow the identification of existing
infected hosts in an environment?
A. Anti-Spyware profiles applied to outbound security policies with DNS Query action set to sinkhole
B. File Blocking profiles applied to outbound security policies with action set to alert
C. Vulnerability Protection profiles applied to outbound security policies with action set to block
D. Antivirus profiles applied to outbound security policies with action set to alert
Answer: A
Explanation:
Starting with PAN-OS 6.0, DNS sinkhole is an action that can be enabled in Anti-Spyware profiles.
A DNS sinkhole can be used to identify infected hosts on a protected network using DNS traffic in
environments where the firewall can see the DNS query to a malicious URL.
The DNS sinkhole enables the Palo Alto Networks device to forge a response to a DNS query for
a known malicious domain/URL and causes the malicious domain name to resolve to a definable
IP address (fake IP) that is given to the client. If the client attempts to access the fake IP address
and there is a security rule in place that blocks traffic to this IP, the information is recorded in the
logs.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/tap/58891
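The point of the sinkhole in the explanation above is that the DNS query itself usually comes from the internal resolver, while the follow-up connection to the fake IP comes from the infected client. This added example (not from the page or Palo Alto Networks) runs that correlation over constructed, simplified log extracts; the field names, addresses and the sinkhole IP are assumptions, not real PAN-OS output.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed placeholder for the sinkhole address configured in the Anti-Spyware profile.
SINKHOLE_IP = "203.0.113.99"

# Constructed, simplified threat-log extract: the DNS queries that hit the
# sinkhole action. 10.0.0.53 is the site's internal resolver, so these rows
# alone do not tell you which client is infected.
THREAT_LOG = """\
receive_time,type,src,dst,app,action,misc
2021-03-01 10:00:01,spyware,10.0.0.53,198.51.100.1,dns,sinkhole,bad.example
2021-03-01 10:00:04,spyware,10.0.0.53,198.51.100.1,dns,sinkhole,evil.example
"""

# Constructed, simplified traffic-log extract: clients acting on the forged
# answer and trying to reach the sinkhole IP, denied by a security rule.
TRAFFIC_LOG = """\
receive_time,src,dst,dport,action,rule
2021-03-01 10:00:02,10.0.0.23,203.0.113.99,443,deny,block-sinkhole
2021-03-01 10:00:05,10.0.0.87,203.0.113.99,80,deny,block-sinkhole
2021-03-01 10:00:06,10.0.0.23,203.0.113.99,443,deny,block-sinkhole
2021-03-01 10:00:07,10.0.0.23,198.51.100.20,443,allow,outbound-web
"""


def sinkholed_queries(threat_csv: str) -> Counter:
    """Sources of DNS queries that were sinkholed. Behind an internal
    resolver this is the resolver's address, not the infected host."""
    rows = csv.DictReader(StringIO(threat_csv))
    return Counter(r["src"] for r in rows if r["action"] == "sinkhole")


def infected_hosts(traffic_csv: str, sinkhole_ip: str = SINKHOLE_IP) -> Counter:
    """Hosts that attempted a connection to the sinkhole IP: the actual
    infected clients, with the number of attempts per host."""
    rows = csv.DictReader(StringIO(traffic_csv))
    return Counter(r["src"] for r in rows if r["dst"] == sinkhole_ip)


if __name__ == "__main__":
    print("DNS query sources:", dict(sinkholed_queries(THREAT_LOG)))
    print("infected hosts:", dict(infected_hosts(TRAFFIC_LOG)))
```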
QUESTION 13
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs?
(Choose two)
A. The devices are pre-configured with a virtual wire pair out the first two interfaces.
B. The devices are licensed and ready for deployment.
C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS
connections.
D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
E. The interfaces are pingable.
Answer: AC
Explanation:
https://popravak.wordpress.com/2014/07/31/initial-setup-of-palo-alto-networks-next-generationfirewall/
QUESTION 14
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a
firewall. Which set of files needs to be imported back into the replacement firewall that is using
Panorama?
A. Device state and license files
B. Configuration and serial number files
C. Configuration and statistics files
D. Configuration and Large Scale VPN (LSVPN) setups file
Answer: A
QUESTION 15
A network engineer has received a report of problems reaching 98.139.183.24 through vr1 on the
firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue?
A. test routing fib virtual-router vr1
B. show routing route type static destination 98.139.183.24
C. test routing fib-lookup ip 98.139.183.24 virtual-router vr1
D. show routing interface
Answer: C
Explanation:
This document explains how to perform a fib lookup for a particular destination within a particular
virtual router on a Palo Alto Networks firewall.
1. Select the desired virtual router from the list of virtual routers configured with the command:
> test routing fib-lookup virtual-router <value>
2. Specify a destination IP address:
> test routing fib-lookup virtual-router default ip <ip address>
https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Perform-FIB-Lookup-for-aParticular-Destination/ta-p/52188
QUESTION 16
Which two mechanisms help prevent a split-brain scenario in an Active/Passive High Availability (HA)
pair? (Choose two)
A. Configure the management interface as HA3 Backup
B. Configure Ethernet 1/1 as HA1 Backup
C. Configure Ethernet 1/1 as HA2 Backup
D. Configure the management interface as HA2 Backup
E. Configure the management interface as HA1 Backup
F. Configure ethernet1/1 as HA3 Backup
Answer: BE
Explanation:
E: For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the
backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both
firewalls.
Use the management port for the HA1 link and ensure that the management ports can connect to
each other across your network.
B:
1. In Device > High Availability > General, edit the Control Link (HA1) section.
2. Select the interface that you have cabled for use as the HA1 link in the Port drop down menu.
Set the IP address and netmask. Enter a Gateway IP address only if the HA1 interfaces are on
separate subnets. Do not add a gateway if the devices are directly connected.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/high-availability/configureactive-passive-ha
QUESTION 17
What are three valid actions in a File Blocking Profile? (Choose three)
A. Forward
B. Block
C. Alert
D. Upload
E. Reset-both
F. Continue
Answer: BCF
Explanation:
You can configure a file blocking profile with the following actions:
Forward - When the specified file type is detected, the file is sent to WildFire for analysis. A log
is also generated in the data filtering log.
Block - When the specified file type is detected, the file is blocked and a customizable block
page is presented to the user. A log is also generated in the data filtering log.
Alert - When the specified file type is detected, a log is generated in the data filtering log.
Continue - When the specified file type is detected, a customizable response page is presented
to the user. The user can click through the page to download the file. A log is also generated in
the data filtering log. Because this type of forwarding action requires user interaction, it is only
applicable for web traffic.
Continue-and-forward - When the specified file type is detected, a customizable continuation
page is presented to the user. The user can click through the page to download the file. If the
user clicks through the continue page to download the file, the file is sent to WildFire for analysis.
A log is also generated in the data filtering log.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/file-blockingprofiles.html
QUESTION 18
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and is
experiencing issues completing the connection. The following is the output from the command:
What could be the cause of this problem?
A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
C. The shared secrets do not match between the Palo Alto firewall and the ASA.
D. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/vpns/interpret-vpn-errormessages
QUESTION 19
Which interface configuration will accept specific VLAN IDs?
A. Tap Mode
B. Subinterface
C. Access Interface
D. Trunk Interface
Answer: B
Explanation:
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each
subinterface must have a VLAN ID before it can pass traffic.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/intrface.html
QUESTION 20
Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)
A. Brute-force signatures
B. BrightCloud URL Filtering
C. PAN-DB URL Filtering
D. DNS-based command-and-control signatures
Answer: CD
Explanation:
C: PAN-DB categorizes URLs based on their content at the domain, file and page level, and
receives updates from WildFire cloud-based malware analysis environment every 30 minutes to
make sure that, when web content changes, so do categorizations. This continuous feedback loop
enables you to keep pace with the rapidly changing nature of the web, automatically.
D: DNS is a very necessary and ubiquitous application, as such, it is a very commonly abused
protocol for command-and-control and data exfiltration. This tech brief summarizes the DNS
classification, inspection and protection capabilities supported by our next-generation security
platform, which includes:
1. Malformed DNS messages (symptomatic of vulnerability exploitation attack).
2. DNS responses with suspicious composition (abused query types, DNS-based denial of service
attacks).
3. DNS queries for known malicious domains. Our ability to prevent threats from hiding within DNS
The passive DNS network feature allows you to opt-in to share anonymized DNS query and
response data with our global passive DNS network. The data is continuously mined to discover
malicious domains that are then added to the PAN-OS DNS signature set that is delivered daily,
enabling timely detection of compromised hosts within the network and the disruption of commandand-control channels that rely on name resolution.
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/url-filtering-pandb
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/dns-protection
QUESTION 21
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose
two)
A. Vulnerability Object
B. DoS Protection Profile
C. Data Filtering Profile
D. Zone Protection Profile
Answer: BD
Explanation:
B: There are two DoS protection mechanisms that the Palo Alto Networks firewalls support.
* Flood Protection - Detects and prevents attacks where the network is flooded with packets
resulting in too many half-open sessions and/or services being unable to respond to each request.
In this case the source address of the attack is usually spoofed.
* Resource Protection - Detects and prevents session exhaustion attacks. In this type of attack, a
large number of hosts (bots) are used to establish as many fully established sessions as possible
to consume all of a system’s resources.
You can enable both types of protection mechanisms in a single DoS protection profile.
D: Provides additional protection between specific network zones in order to protect the zones
against attack. The profile must be applied to the entire zone, so it is important to carefully test the
profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When
defining packets per second (pps) thresholds limits for zone protection profiles, the threshold is
based on the packets per second that do not match a previously established session.
Incorrect Answers:
A: Vulnerability protection stops attempts to exploit system flaws or gain unauthorized access to
systems. For example, this feature will protect against buffer overflows, illegal code execution, and
other attempts to exploit system vulnerabilities.
C: Data Filtering helps to prevent sensitive information such as credit card or social security
numbers from leaving a protected network.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/aboutsecurity-profiles
QUESTION 22
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard
shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7
and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A
default route is properly configured.
What can be the cause of this problem?
A. No Zone has been configured on Ethernet 1/4.
B. Interface Ethernet 1/1 is in Virtual Wire Mode.
C. DNS has not been properly configured on the firewall.
D. DNS has not been properly configured on the host.
Answer: A
QUESTION 23
A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log
of Site-A, there is an event logged as ike-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?
A. Change the Site-B IKE Gateway profile version to match Site-A.
B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.
C. Enable NAT Traversal on the Site-A IKE Gateway profile.
D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A.
Answer: D
QUESTION 24
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto
Networks firewall. Which method shows the global counters associated with the traffic after
configuring the appropriate packet filters?
A. From the CLI, issue the show counter global filter pcap yes command.
B. From the CLI, issue the show counter global filter packet-filter yes command.
C. From the GUI, select show global counters under the monitor tab.
D. From the CLI, issue the show counter interface command for the ingress interface.
Answer: B
Explanation:
You can check global counters for a specific source and destination IP addresses by setting a
packet filter. We recommend that you use the global counter command with a packet filter to get
specific traffic outputs. These outputs will help isolate the issue between two peers.
Use the following CLI command to show when traffic is passing through the Palo Alto Networks
firewall from that source to destination.
> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 20.220 seconds
name            value     rate  severity  category  aspect   description
----------------------------------------------------------------------------------
pkt_recv        6387398   4     info      packet    pktproc  Packets received
pkt_recv_zero   370391    0     info      packet    pktproc  Packets received from QoS 0
Etc.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-aspecific-source-and/ta-p/65794
QUESTION 25
A network security engineer has been asked to analyze Wildfire activity.
However, the WildFire Submissions item is not visible from the Monitor tab.
What could cause this condition?
A. The firewall does not have an active WildFire subscription.
B. The engineer's account does not have permission to view WildFire Submissions.
C. A policy is blocking WildFire Submission traffic.
D. Though WildFire is working, there are currently no WildFire Submissions log entries.
Answer: B
QUESTION 26
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?
A. VM-100
B. VM-200
C. VM-1000-HV
D. VM-300
Answer: C
Explanation:
Licenses for the VM-Series NSX Edition Firewall
In order to automate the provisioning and licensing of the VM-Series NSX Edition firewall in the
VMware integrated NSX solution, two license bundles are available:
One bundle includes the VM-Series capacity license (VM-1000-HV only), Threat Prevention license
and a premium support entitlement.
Another bundle includes the VM-Series capacity license (VM-1000-HV only) with the complete suite
of licenses that include Threat Prevention, GlobalProtect, WildFire, PAN-DB URL Filtering, and a
premium support entitlement.
https://www.paloaltonetworks.com/documentation/70/virtualization/virtualization/about-the-vmseries-firewall/license-types-vm-series-firewalls.html
QUESTION 27
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive
mode. Which statement is true about this deployment?
A. The two devices must share a routable floating IP address
B. The two devices may be different models within the PA-5000 series
C. The HA1 IP address from each peer must be on a different subnet
D. The management port may be used for a backup control connection
Answer: D
Explanation:
Set up the backup control link connection.
1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
Note: Use the management port for the HA1 link.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/high-availability/configureactive-passive-ha
QUESTION 28
What must be used in a Security Policy Rule that contains addresses where a NAT policy applies?
A. Pre-NAT addresses and Pre-NAT zones
B. Post-NAT addresses and Post-NAT zones
C. Pre-NAT addresses and Post-NAT zones
D. Post-NAT addresses and Pre-NAT zones
Answer: C
Explanation:
NAT Policy Rule Functionality
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress
interface and zone. Then the firewall determines if the packet matches one of the NAT rules that
have been defined, based on source and/or destination zone. It then evaluates and applies any
security policies that match the packet based on the original (pre-NAT) source and destination
addresses, but the post-NAT zones.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules
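The evaluation order in the explanation above (route lookup, NAT rule match, then security policy on the pre-NAT addresses but post-NAT zones) is easy to get wrong in practice, so here is an added model of it in Python; it is not code from the page or from Palo Alto Networks. The zones, addresses and rule names are constructed, and the scenario is the published web server of Question 35: a public IP on the untrust side translated to a private address in the trust zone. It also shows the two rule mistakes (post-NAT address, pre-NAT zone) that each fall through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology for this example (not from the page or any real device):
# a public /24 on the Untrust-L3 interface, a private /24 on Trust-L3.
ROUTES = [  # (prefix, zone of the egress interface)
    ("203.0.113.0/24", "Untrust-L3"),
    ("10.1.1.0/24", "Trust-L3"),
    ("0.0.0.0/0", "Untrust-L3"),
]


def egress_zone(dst_ip: str) -> str:
    """Route lookup: longest-prefix match gives the egress interface's zone."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), z) for p, z in ROUTES
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str        # zone from the route lookup on the ORIGINAL destination
    dst_ip: str          # original (public) destination address
    translated_dst: str  # post-NAT destination address


@dataclass
class SecRule:
    name: str
    src_zone: str
    dst_zone: str            # matched against the POST-NAT zone
    dst_ip: str              # matched against the PRE-NAT address, or "any"
    dst_port: Optional[int]  # None means any
    action: str


def evaluate(pkt: Packet, nat_rules: List[NatRule],
             sec_rules: List[SecRule]) -> Tuple[Optional[str], Optional[str], str]:
    """Return (NAT rule, security rule, action) in the order the explanation
    gives: route lookup, NAT rule match, then security policy evaluated on the
    original addresses but the post-NAT zones. No match means implicit deny."""
    pre_nat_zone = egress_zone(pkt.dst_ip)
    nat = next((r for r in nat_rules
                if r.src_zone == pkt.src_zone and r.dst_zone == pre_nat_zone
                and r.dst_ip == pkt.dst_ip), None)
    post_nat_dst = nat.translated_dst if nat else pkt.dst_ip
    post_nat_zone = egress_zone(post_nat_dst)
    nat_name = nat.name if nat else None
    for rule in sec_rules:
        if rule.src_zone != pkt.src_zone or rule.dst_zone != post_nat_zone:
            continue
        if rule.dst_ip not in ("any", pkt.dst_ip):      # pre-NAT address
            continue
        if rule.dst_port not in (None, pkt.dst_port):
            continue
        return nat_name, rule.name, rule.action
    return nat_name, None, "deny"


# Inbound HTTPS to a web server published on a public IP (constructed values).
INBOUND = Packet("Untrust-L3", "198.51.100.7", "203.0.113.10", 443)
NAT = [NatRule("inbound-web", "Untrust-L3", "Untrust-L3",
               "203.0.113.10", "10.1.1.10")]


def correct_policy() -> Tuple[Optional[str], Optional[str], str]:
    """Pre-NAT address (public IP) with post-NAT zone (Trust-L3): matches."""
    rules = [SecRule("allow-web", "Untrust-L3", "Trust-L3",
                     "203.0.113.10", 443, "allow")]
    return evaluate(INBOUND, NAT, rules)


def wrong_policies() -> Tuple[Optional[str], Optional[str], str]:
    """Common mistakes: post-NAT address, or pre-NAT zone. Neither matches,
    so the session hits the implicit interzone deny even though NAT applied."""
    rules = [SecRule("post-nat-addr", "Untrust-L3", "Trust-L3",
                     "10.1.1.10", 443, "allow"),
             SecRule("pre-nat-zone", "Untrust-L3", "Untrust-L3",
                     "203.0.113.10", 443, "allow")]
    return evaluate(INBOUND, NAT, rules)


if __name__ == "__main__":
    print(correct_policy())   # ('inbound-web', 'allow-web', 'allow')
    print(wrong_policies())   # ('inbound-web', None, 'deny')
```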
QUESTION 29
A company has a policy that denies all applications it classifies as bad and permits only applications
it classifies as good. The firewall administrator created the following security policy on the
company's firewall.
Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two)
A. A report can be created that identifies unclassified traffic on the network.
B. Different security profiles can be applied to traffic matching rules 2 and 3.
C. Rule 2 and 3 apply to traffic on different ports.
D. Separate Log Forwarding profiles can be applied to rules 2 and 3.
Answer: AD
QUESTION 30
How are IPv6 DNS queries configured to use interface ethernet1/3?
A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration
Answer: D
Explanation:
Configure the service routes.
1. Select Device > Setup > Services > Global and click Service Route Configuration.
Note: For the purposes of activating your licenses and getting the most recent content and software
updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates,
WildFire, and AutoFocus.
2. Click the Customize radio button, and select one of the following:
For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to
modify the Source Interface and select the interface you just configured.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/set-upnetwork-access-for-external-services
QUESTION 31
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded
with tens of thousands of bogus UDP connections per second to a single destination IP address and
port.
Which option, when enabled with the correct threshold, would mitigate this attack without
dropping legitimate traffic to other hosts inside the network?
A. Zone Protection Policy with UDP Flood Protection
B. QoS Policy to throttle traffic below maximum limit
C. Security Policy rule to deny traffic to the IP address and port that is under attack
D. Classified DoS Protection Policy using destination IP only with a Protect action
Answer: D
Explanation:
Step 1: Configure a DoS Protection profile for flood protection.
1. Select Objects > Security Profiles > DoS Protection and Add a profile Name.
2. Select Classified as the Type.
3. For Flood Protection, select the check boxes for all of the following types of flood protection:
SYN Flood
UDP Flood
ICMP Flood
ICMPv6 Flood
Other IP Flood
Step 2: Configure a DoS Protection policy rule that specifies the criteria for matching the incoming
traffic.
This step includes: (Optional) For Destination Address, select Any or enter the IP address of the
device you want to protect.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/configure-dosprotection-against-flooding-of-new-sessions
QUESTION 32
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of
server-to-client flows only?
A. Disable Server Response Inspection
B. Apply an Application Override
C. Disable HIP Profile
D. Add server IP Security Policy exception
Answer: A
Explanation:
In the Other Settings section, select the option to Disable Server Response Inspection. This setting
disables the antivirus and anti-spyware scanning on the server-side responses, and thus reduces
the load on the firewall.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basicsecurity-policies
QUESTION 33
Which three options are available when creating a security profile? (Choose three)
A. Anti-Malware
B. File Blocking
C. URL Filtering
D. IDS/IPS
E. Threat Prevention
F. Antivirus
Answer: BCF
Explanation:
Using the URL Category as match criteria allows you to customize security profiles (antivirus, anti-spyware, vulnerability, file blocking, data filtering, and DoS) on a per-URL-category basis.
QUESTION 34
Given the following table, which configuration change on the firewall would cause it to use
10.66.24.88 as the next hop for the 192.168.93.0/30 network?
A. Configuring the administrative distance for RIP to be lower than that of OSPF Int.
B. Configuring the metric for RIP to be higher than that of OSPF Int.
C. Configuring the administrative distance for RIP to be higher than that of OSPF Ext.
D. Configuring the metric for RIP to be lower than that of OSPF Ext.
Answer: A
Explanation:
The best route is then selected among them based on the Administrative Distance (AD) value of the
routing protocol each route came from, and that route is marked with flag A, indicating that it is the
Active route.
Administrative distance (AD) is an arbitrary numerical value assigned to dynamic routes, static
routes and directly-connected routes. The value is used by vendor-specific routers to rank routes
from most preferred to least preferred. When multiple paths to the same destination are available,
the router uses the route with the lowest administrative distance and inserts the preferred route into
its routing table.
https://live.paloaltonetworks.com/t5/Management-Articles/Routing-Table-has-Multiple-Prefixesfor-the-Same-Route/ta-p/54781
QUESTION 35
A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation
firewall with the following configuration information.
- Users outside the company are in the "Untrust-L3" zone
- The web server physically resides in the "Trust-L3" zone.
- Web server public IP address: 23.54.6.10
- Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the
web server? (Choose two)
A. Untrust-L3 for both Source and Destination zone
B. Destination IP of 192.168.1.10
C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
D. Destination IP of 23.54.6.10
Answer: AD
Explanation:
Before configuring the NAT rules, consider the sequence of events for this scenario.
Host 192.0.2.250 sends an ARP request for the address 192.0.2.100 (the public address of the
destination server).
The firewall receives the ARP request packet for destination 192.0.2.100 on the Ethernet1/1
interface and processes the request. The firewall responds to the ARP request with its own MAC
address because of the destination NAT rule configured.
The NAT rules are evaluated for a match. For the destination IP address to be translated, a
destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the
destination IP of 192.0.2.100 to 10.1.1.100.
After determining the translated address, the firewall performs a route lookup for destination
10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2
in zone DMZ.
The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3
to DMZ.
The direction of the policy matches the ingress zone and the zone where the server is physically
located.
The security policy refers to the IP address in the original packet, which has a destination address
of 192.0.2.100.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-configurationexamples/destination-nat-exampleone-to-one-mapping.html#ide8f6a4b3-f875-4855-acb55fd9ad918d04
QUESTION 36
Which two interface types can be used when configuring GlobalProtect Portal? (Choose two)
A. Virtual Wire
B. Loopback
C. Layer 3
D. Tunnel
Answer: BC
Explanation:
GlobalProtect portal requires a Layer 3 or loopback interface for GlobalProtect clients to connect
to.
https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/setup-the-globalprotect-infrastructure/create-interfaces-and-zones-for-globalprotect
QUESTION 37
What can cause missing SSL packets when performing a packet capture on dataplane interfaces?
A. The packets are hardware offloaded to the offload processor on the dataplane
B. The missing packets are offloaded to the management plane CPU
C. The packets are not captured because they are encrypted
D. There is a hardware problem with the offloading FPGA on the management plane
Answer: A
QUESTION 38
A network administrator needs to view the default action for a specific spyware signature. The
administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and
selects the default profile.
What should be done next?
A. Click the simple-critical rule and then click the Action drop-down list.
B. Click the Exceptions tab and then click Show all signatures.
C. View the default actions displayed in the Action column.
D. Click the Rules tab and then look for rules with "default" in the Action column.
Answer: B
Explanation:
All Anti-Spyware and Vulnerability Protection signatures have a default action defined by Palo Alto
Networks. You can view the default action by navigating to Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then selecting a profile. Click
the Exceptions tab and then click Show all signatures, and you will see a list of the signatures with
the default action in the Action column. To change the default action, you must create a new profile
and then create rules with a non-default action, and/or add individual signature exceptions to
Exceptions in the profile.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/set-upantivirus-anti-spyware-and-vulnerability-protection.html
QUESTION 39
How does Panorama handle incoming logs when it reaches the maximum storage capacity?
A. Panorama discards incoming logs when storage capacity is full.
B. Panorama stops accepting logs until licenses for additional storage space are applied.
C. Panorama stops accepting logs until a reboot to clean storage space.
D. Panorama automatically deletes older logs to create space for new ones.
Answer: D
Explanation:
When Panorama reaches the maximum capacity, it automatically deletes older logs to create space
for new ones.
https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/set-uppanorama/determine-panorama-log-storage-requirements
QUESTION 40
Which three functions are found on the dataplane of a PA-5050? (Choose three)
A. Protocol Decoder
B. Dynamic routing
C. Management
D. Network Processing
E. Signature Match
Answer: BDE
Explanation:
In these devices, dataplane zero, or dp0 for short, functions as the master dataplane and
determines which dataplane will be used as the session owner that is responsible for processing
and inspection.
The data plane provides all data processing and security detection and enforcement, including:
* (B) All networking connectivity, packet forwarding, switching, routing, and network address
translation
* Application identification, using the content of the applications, not just port or protocol
* SSL forward proxy, including decryption and re-encryption
* Policy lookups to determine what security policy to enforce and what actions to take, including
scanning for threats, logging, and packet marking
* Application decoding, threat scanning for all types of threats and threat prevention
* Logging, with all logs sent to the control plane for processing and storage
E: The following diagram depicts both the hardware and software architecture of the next-generation firewall.
Incorrect Answers:
C: Management is done in the control plane.
https://www.niap-ccevs.org/st/st_vid10392-st.pdf
QUESTION 41
How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a
site that has been decrypted.
B. It is used when web servers request a client certificate.
C. It is presented to clients when the server they are connecting to is signed by a certificate authority
that is not trusted by the firewall.
D. It is used for Captive Portal to identify unknown users.
Answer: C
Explanation:
Though a single certificate can be used for both Forward Trust and Forward Untrust, creating a
separate certificate specifically for Untrust (which must be generated as a CA) allows for easy
differentiation of a valid certificate/trust error as the Palo Alto Networks device proxies the secure
session.
Verify the CA to be blocked, keeping in mind that doing so blocks access to all sites issued by this
CA.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Prevent-Access-to-EncryptedWebsites-Based-on-Certificate/ta-p/57585
QUESTION 42
A firewall administrator has completed most of the steps required to provision a standalone Palo
Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the
security policies.
Which CLI command syntax will display the rule that matches the test?
A. test security-policy-match source <ip_address> destination <IP_address> destination port <port
number> protocol <protocol number>
B. show security rule source <ip_address> destination <IP_address> destination port <port number>
protocol <protocol number>
C. test security rule source <ip_address> destination <IP_address> destination port <port number>
protocol <protocol number>
D. show security-policy-match source <ip_address> destination <IP_address> destination port <port
number> protocol <protocol number>
Answer: A
Explanation:
If you know the source or destination IP address, the test command from the CLI will search the
security policies and display the best match:
Example:
> test security-policy-match source <source IP> destination <destination IP> protocol <protocol
number>
The output will show which policy rule will be applied to this traffic match based on the source and
destination IP addresses.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-PolicyApplies-to-a-Traffic-Flow/ta-p/53693
QUESTION 43
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web
server using the IP address 1.1.1.100 on TCP port 80. The destination NAT rule is configured to
translate both the IP address and port to 10.1.1.100 on TCP port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two)
A. A security policy with a source of any from untrust-l3 zone to a destination of 10.1.1.100 in dmz-l3
zone using web-browsing application.
B. A NAT rule with a source of any from untrust-l3 zone to a destination of 10.1.1.100 in dmz-zone
using service-http service.
C. A NAT rule with a source of any from untrust-l3 zone to a destination of 1.1.1.100 in untrust-l3 zone
using service-http service.
D. A security policy with a source of any from untrust-l3 zone to a destination of 1.1.1.100 in dmz-l3
zone using web-browsing application.
Answer: CD
Explanation:
The direction of the policy matches the ingress zone and the zone where the server is physically
located.
The security policy refers to the IP address in the original packet, which has a destination address
of 192.0.2.100.
The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination
address is changed to 10.1.1.100 as the packet leaves the firewall.
For this example, address objects are configured for webserver-private (10.1.1.100) and
Webserver-public (192.0.2.100). The configured NAT rule would look like this:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-configurationexamples/destination-nat-exampleone-to-one-mapping.html#ide8f6a4b3-f875-4855-acb55fd9ad918d04
QUESTION 44
A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High
Availability (HA) pair.
What allows the firewall administrator to determine the last date a failover event occurred?
A. From the CLI, issue the show system log command
B. Apply the filter subtype eq ha to the System log
C. Apply the filter subtype eq ha to the Configuration log
D. Check the status of the High Availability widget on the Dashboard of the GUI
Answer: B
QUESTION 45
A network administrator uses Panorama to push security policies to managed firewalls at branch
offices. Which policy type should be configured on Panorama if the administrators at the branch
office sites are to be able to override these policies?
A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules
Answer: B
Explanation:
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/134/1/Panorama-Design-Planning.pdf
QUESTION 46
Which client software can be used to connect a remote Linux client to a Palo Alto Networks
infrastructure without sacrificing the ability to scan traffic and protect against threats?
A. X-Auth IPsec VPN
B. GlobalProtect Apple iOS
C. GlobalProtect SSL
D. GlobalProtect Linux
Answer: D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkiCAC
QUESTION 47
Only two Trust to Untrust allow rules have been created in the Security policy:
- Rule1 allows google-base
- Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly
uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser,
they get an error indicating that the server cannot be found.
Which action will allow youtube.com to display in the browser correctly?
A. Add the SSL App-ID to Rule1
B. Create an additional Trust to Untrust rule and add the web-browsing and SSL App-IDs to it
C. Add the DNS App-ID to Rule2
D. Add the web-browsing App-ID to Rule2
Answer: C
QUESTION 48
The GlobalProtect Portal interface and IP address have been configured. Which other value needs
to be defined to complete the network settings configuration of the GlobalProtect Portal?
A. Server Certificate
B. Client Certificate
C. Authentication Profile
D. Certificate Profile
Answer: A
Explanation:
Specify the network settings to enable agents to connect to the portal.
If you have not yet created the network interface for the portal, see Create Interfaces and Zones
for GlobalProtect for instructions. If you haven’t yet created an SSL/TLS service profile for the portal,
see Deploy Server Certificates to the GlobalProtect Components.
https://www.paloaltonetworks.com/documentation/70/globalprotect/globalprotect-admin-guide/setup-the-globalprotect-infrastructure/set-up-access-to-the-globalprotect-portal#47470
QUESTION 49
Which command can be used to validate a Captive Portal policy?
A. eval captive-portal policy <criteria>
B. request cp-policy-eval <criteria>
C. test authentication-policy-match <criteria>
D. debug cp-policy <criteria>
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/use-the-cli/test-theconfiguration/test-policy-matches
QUESTION 50
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the
enterprise? (Choose three)
A. Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually
uploading.
B. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB
drive is inserted in the firewall.
C. Push the PAN-OS 7.0.4 updates from the support site to install on each firewall.
D. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining after updating one
firewall.
E. Download and install PAN-OS 7.0.4 directly on each firewall.
F. Download and push PAN-OS 7.0.4 from Panorama to each firewall.
Answer: AEF
QUESTION 51
Which Public Key infrastructure component is used to authenticate users for GlobalProtect when
the Connect Method is set to pre-logon?
A. Certificate revocation list
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol
Answer: C
Explanation:
The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to
authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in.
https://www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_60/globalprotect-quick-configs/remote-access-vpn-with-pre-logon
QUESTION 52
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently
deployed. The firewall's dedicated management port is being used to connect to the management
network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall?
(Choose two)
A. test panorama-connect 10.10.10.5
B. show panorama-status
C. show arp all | match 10.10.10.5
D. tcpdump filter "host 10.10.10.5"
E. debug dataplane packet-diag set capture on
Answer: BD
Explanation:
B: The show panorama-status command shows the Panorama connection status.
Sample Output
The following command shows information about the Panorama connection.
username@hostname> show panorama-status
Panorama Server 1 : 10.1.7.90
State : Unknown
username@hostname>
D: Issue
The Managed Devices show not connected to Panorama and are not able to establish a new
connection to Panorama.
The Packet Capture on Panorama Management Interface shows SYN packets received from
devices on port 3978, but no SYN ACK is sent from Panorama.
> tcpdump filter "port 3978"
> view-pcap mgmt-pcap mgmt.pcap
https://live.paloaltonetworks.com/t5/Management-Articles/Managed-Devices-Unable-to-EstablishConnections-to-Panorama/ta-p/53248
https://www.paloaltonetworks.jp/content/dam/paloaltonetworks-com/en_US/assets/pdf/technicaldocumentation/pan-os-5x/CLI_Reference_Guide-Panorama-5.1_PAN-OS-5.0.pdf
QUESTION 53
Which three log-forwarding destinations require a server profile to be configured? (Choose three)
A. SNMP Trap
B. Email
C. RADIUS
D. Kerberos
E. Panorama
F. Syslog
Answer: ABF
Explanation:
Enable a Log Forwarding Profile (see step 4 below).
1. Select Objects > Log Forwarding Profile and Add a new security profile group.
2. Give the profile group a descriptive Name to help identify it when adding the profile to security
policies or security zones.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual
systems.
4. Add settings for the Traffic logs, Threat logs, and WildFire logs:
Select the Panorama check box for the severity of the Traffic, Threat, or WildFire logs that you
want to be forwarded to Panorama.
Specify logs that you want to forward to additional destinations: SNMP Trap destinations, Email
servers, or Syslog servers.
5. Click OK to save the log forwarding profile.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/logforwarding-profiles.html
QUESTION 54
Which setting allows a DoS Protection profile to limit the maximum concurrent sessions from a
source IP address?
A. Set the type to Aggregate, clear the sessions box and set the Maximum concurrent Sessions
4000.
B. Set the type to Classified, clear the sessions box and set the Maximum concurrent Sessions
4000.
C. Set the type to Classified, check the Sessions box and set the Maximum concurrent Sessions
4000.
D. Set the type to Aggregate, check the Sessions box and set the Maximum concurrent Sessions
4000.
Answer: C
QUESTION 55
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to
make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT
Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
Public zone: Untrust-L3
Guest zone: Guest-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?
A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3
Answer: A
Explanation:
Create the NAT policy.
1. Select Policies > NAT and click Add.
2. Enter a descriptive Name for the policy.
3. On the Original Packet tab, select the zone you created for your internal network in the Source
Zone section (click Add and then select the zone) and the zone you created for the external
network from the Destination Zone drop down.
4. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop-down
in the Source Address Translation section of the screen and then click Add. Select the address
object you just created.
5. Click OK to save the NAT policy.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configure-natpolicies
QUESTION 56
Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose
two)
A. From the Panorama tab of the Panorama GUI, select Log Collector mode and then commit changes.
B. Enter the command request system system-mode logger, then enter Y to confirm the change to Log
Collector mode.
C. From the Device tab of the Panorama GUI, select Log Collector mode and then commit changes.
D. Enter the command logger-mode enable, then enter Y to confirm the change to Log Collector mode.
E. Log in to the Panorama CLI of the dedicated Log Collector.
Answer: BE
Explanation:
Step 1 (E): Access the Command Line Interface (CLI) on the M-100 appliance.
When prompted, log in to the appliance.
Step 2 (B): Switch from Panorama Mode to Log Collector Mode.
1. To switch to Log Collector mode, enter the following command:
request system logger-mode logger
2. Enter Yes to confirm the change to Log Collector mode. The appliance will reboot. If you see a
CMS Login prompt, press Enter without typing a username or password. When the Panorama login
prompt appears, enter the default admin account and the password assigned during initial
configuration.
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-uppanorama/set-up-the-m-100-appliance#91340
QUESTION 57
Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity.
The administrator wants to determine where the traffic is going within the company.
What would be the administrator's next step?
A. Right-click on the bittorrent link and select Value from the context menu
B. Create a global filter for bittorrent traffic and then view Traffic logs
C. Create a local filter for bittorrent traffic and then view Traffic logs
D. Click on the bittorrent application link to view network activity
Answer: D
Explanation:
The application filter is a dynamic item that is created by selecting filter options (Category,
Subcategory, Technology) in the application browser. Any new applications that arrive in a PAN-OS
content update and match the same filters will automatically be added to the Application Filter.
For example, when 'peer-to-peer' is selected as a Technology filter, that filter will automatically
update if a new application gets added to that category in the latest content package.
https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Block-Traffic-Based-on-ApplicationFilters-with-an/ta-p/59965
QUESTION 58
Support for which authentication method was added in PAN-OS 7.0?
A. RADIUS
B. LDAP
C. Diameter
D. TACACS+
Answer: D
Explanation:
Devices now support the Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for authenticating administrative users. TACACS+ provides greater security than RADIUS
insofar as it encrypts usernames and passwords (instead of just passwords), and is also more
reliable (it uses TCP instead of UDP).
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0release-information/authentication-features#91847
QUESTION 59
Refer to Exhibit. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1
that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address.
He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?
A. 172.20.30.1
B. 172.20.40.1
C. 172.20.20.1
D. 172.20.10.1
Answer: C
QUESTION 60
A company has started utilizing WildFire in its network.
Which three file types are supported? (Choose three.)
A. JARs
B. PSTs
C. PDFs
D. JPGs
E. EXEs
Answer: ACE
Explanation:
https://www.paloaltonetworks.com/documentation/70/wildfire/wf_admin/wildfire-overview/wildfireconcepts.html
QUESTION 61
What is the name of the debug save file for IPSec VPN tunnels?
A. set vpn all up
B. test vpn ike-sa
C. request vpn IPsec-sa test
D. Ikemgr.pcap
Answer: D
QUESTION 62
What will the user experience when browsing a blocked hacking website such as www.2600.com
via Google Translator?
A. The URL filtering policy to Block is enforced
B. It will be translated successfully
C. It will be redirected to www.2600.com
D. The user will get an "HTTP Error 503 - Service Unavailable" message
Answer: A
QUESTION 63
In order to route traffic between layer 3 interfaces on the PAN firewall you need:
A. VLAN
B. Vwire
C. Security Profile
D. Virtual Router
Answer: D
QUESTION 64
Wildfire may be used for identifying which of the following types of traffic?
A. Malware
B. DNS
C. DHCP
D. URL Content
Answer: A
QUESTION 65
What is the URL for the full list of applications recognized by Palo Alto Networks?
A. http://www.Applipedia.com
B. http://www.MyApplipedia.com
C. http://applipedia.paloaltonetworks.com
D. http://applications.paloaltonetworks.com
Answer: C
QUESTION 66
What does App-ID inspect to identify an application?
A. Source IP
B. Source Port
C. TTL
D. Data Payload
E. Hash
F. Encryption Key
Answer: D
QUESTION 67
If malware is detected on the internet perimeter, what other places in the network might be affected?
A. Cloud
B. Endpoints
C. Branch Offices
D. All of the above
E. Data Center
Answer: D
QUESTION 68
What are the major families of file types now supported by Wildfire in PAN-OS 7.0?
A. All executable files and all files with a MIME type
B. All executable files, PDF files, Microsoft Office files and Adobe Flash applets
C. PE files, Microsoft Office, PDF, Java applets, APK, and Flash
D. All executable files, PDF files and Microsoft Office files
Answer: C
QUESTION 69
Which of the following are critical features of a Next Generation Firewall that provide breach
prevention? (Choose two.)
A. Alarm generation for known threats traversing the device
B. Application Visibility and URL Categorization
C. Endpoint and server scanning for known malware
D. Processing all traffic across all ports & protocols, in both directions
E. Centralized or distributed log collectors
Answer: BD
QUESTION 70
True or False: One of the advantages of Single Pass Parallel Processing (SP3) is that traffic can
be scanned as it crosses the firewall with a minimum amount of buffering, which in turn allows
advanced features like virus/malware scanning without affecting firewall performance.
A. True
B. False
Answer: A
QUESTION 71
Which hardware platform should I consider if the customer needs at least 1 Gbps of Threat
Prevention throughput and the ability to handle at least 250K sessions?
A. Any PA-5000 or PA-7000 series firewall
B. Only the PA-3060 firewall and higher
C. Any PA-3000, PA-5000, or PA-7000 series firewall
D. Only the PA-3050 firewall and higher
Answer: C
QUESTION 72
True or False: DSRI degrades the performance of a firewall?
A. True
B. False
Answer: B
QUESTION 73
How quickly are Wildfire updates about previously unknown files now being delivered from the
cloud to customers with a WildFire subscription (as of version 6.1)?
A. 15 minutes
B. 30 minutes
C. 1 day
D. 5 minutes
E. 60 minutes
Answer: D
QUESTION 74
Which of the following are valid Subscriptions for the Next Generation Platform? [Select All that
apply]
A. URL Filtering
B. Support
C. User ID
D. Content ID
E. SSL Decryption
F. Threat Prevention
G. App ID
Answer: ABF
QUESTION 75
Which hardware firewall platforms include both built-in front-to-back airflow and redundant power
supplies?
A. All PA-5000 and PA-7000 series firewall platforms
B. All Palo Alto Networks hardware firewall platforms
C. The PA-3060 firewall platform
D. The PA-7000 series firewall platforms
Answer: C
QUESTION 76
Select all the platform components that Wildfire automatically updates after finding malicious
activity in previously unknown files, URLs and APKs?
A. Decrypt (Port-Mirroring)
B. Mobile (GlobalProtect)
C. Anti-Virus (Threat)
D. Content/Web Filtering (PAN-DB)
E. Anti-Malware signatures (WildFire)
F. Management (Panorama)
G. Anti Command & Control signatures (Threat)
Answer: CDG
QUESTION 77
What are five benefits of Palo Alto Networks NGFWs (Next Generation Firewalls)? (Select the five
correct answers.)
A. Convenient configuration wizard
B. Comprehensive security platform designed to scale functionality over time
C. Predictable throughput
D. Easy-to-use GUI which is the same on all models
E. Seamless integration with the Threat Intelligence Cloud
F. Identical security subscriptions on all models
Answer: BCDEF
QUESTION 78
What are the three key components of a successful Three Tab Demo? (Select the three correct
answers.)
A. Providing visibility into recently occurring threats and showing how to block those threats
B. Showing how Palo Alto Networks' firewalls provide visibility into applications and control of those
applications
C. Presenting the information in the Network and Device tabs
D. After setting match criteria in the Object tab showing how that data is presented in the logs
E. Showing which users are running which applications and providing a method for controlling
application access on a per-user basis
Answer: ABE
QUESTION 79
What are the main benefits of WildFire? (Select the three correct answers.)
A. WildFire gathers information from possible threats detected by both NGFWs and Endpoints.
B. It's a sandboxing environment that can detect malware by observing the behavior of unknown files.
C. By using Palo Alto Networks' proprietary cloud-based architecture, quarantine holds on suspicious
files are typically reduced to less than 30 seconds.
D. By collecting and distributing malware signatures from every major anti-virus vendor, WildFire can
provide comprehensive protection.
E. Signatures for identified malware are quickly distributed globally to all Palo Alto Networks'
customers' firewalls.
Answer: BDE
QUESTION 80
The automated Correlation Engine uses correlation objects to analyze the logs for patterns. When
a match occurs:
A. The Correlation Engine blocks the connection
B. The Correlation Engine generates a correlation event
C. The Correlation Engine displays a warning message to the end user
D. The Correlation Engine dumps the alarm log
Answer: B
QUESTION 81
Which one of these is not a factor impacting sizing decisions?
A. Decryption
B. Sessions
C. Redundancy
D. Number of applications
E. Performance
F. Number of rules
Answer: D
QUESTION 82
TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation
Firewalls) just to gain previously unavailable levels of visibility into their traffic flows.
A. TRUE
B. FALSE
Answer: A
QUESTION 83
A spike in dangerous traffic is observed. Which of the following PAN-OS tabs would an administrator
utilize to identify the culpable users?
A. ACC
B. Monitor
C. Objects
D. Network
E. Policies
F. Device
Answer: A
QUESTION 84
True or False: PAN-DB is a service that aligns URLs with category types and is fed to the WildFire
threat cloud.
A. True
B. False
Answer: A
QUESTION 85
Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in
troubleshooting this issue? (Choose two.)
A. ms log
B. authd log
C. System log
D. Traffic log
E. dp-monitor log
Answer: CD
QUESTION 86
Which option is an IPv6 routing protocol?
A. RIPv3
B. OSPFv3
C. OSPv3
D. BGP NG
Answer: B
QUESTION 87
A network security engineer has a requirement to allow an external server to access an internal
web server.
The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?
A. Configure ECMP to handle matching NAT traffic
B. Configure a NAT Policy rule with Dynamic IP and Port
C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional
option
D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional
option
Answer: C
Explanation:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples
QUESTION 88
A network design change requires an existing firewall to start accessing Palo Alto Updates from a
data plane interface address instead of the management interface.
Which configuration setting needs to be modified?
A. Service route
B. Default route
C. Management profile
D. Authentication profile
Answer: A
QUESTION 89
A Network Administrator wants to deploy a Large Scale VPN solution.
The Network Administrator has chosen a GlobalProtect Satellite solution.
This configuration needs to be deployed to multiple remote offices and the Network Administrator
decides to use Panorama to deploy the configurations.
How should this be accomplished?
A. Create a Template with the appropriate IKE Gateway settings
B. Create a Template with the appropriate IPSec tunnel settings
C. Create a Device Group with the appropriate IKE Gateway settings
D. Create a Device Group with the appropriate IPSec tunnel settings
Answer: B
QUESTION 90
Which CLI command displays the current management plane memory utilization?
A. > show system info
B. > show system resources
C. > debug management-server show
D. > show running resource-monitor
Answer: B
Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta-p/58149
QUESTION 91
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Log
B. Alert
C. Allow
D. Default
Answer: B
Explanation:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/url-filtering-profile-actions
QUESTION 92
Which two events trigger the operation of automatic commit recovery? (Choose two.)
A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall performs a local commit
D. when a firewall HA pair fails over
Answer: BC
QUESTION 93
Which three rule types are available when defining policies in Panorama? (Choose three.)
A. Pre Rules
B. Post Rules
C. Default Rules
D. Stealth Rules
E. Clean Up Rules
Answer: ABC
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/panorama-web-interface/defining-policies-on-panorama
QUESTION 94
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN
routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk
interface.
Which interface type and configuration setting will support this design?
A. Trunk interface type with specified tag
B. Layer 3 interface type with specified tag
C. Layer 2 interface type with a VLAN assigned
D. Layer 3 subinterface type with specified tag
Answer: D
QUESTION 95
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external
Security Information and Event Management(SIEM) system?
A. Panorama Log Settings
B. Panorama Log Templates
C. Panorama Device Group Log Forwarding
D. Collector Log Forwarding for Collector Groups
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage-log-collection/enable-log-forwarding-from-panorama-to-external-destinations
QUESTION 96
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Log
B. Alert
C. Allow
D. Default
Answer: B
QUESTION 97
What are the differences between using a service versus using an application for Security Policy
match?
A. Use of a "service" enables the firewall to take immediate action with the first observed packet based
on port numbers. Use of an "application" allows the firewall to take immediate action if the port
being used is a member of the application standard port list.
B. There are no differences between "service" or "application". Use of an "application" simplifies
configuration by allowing use of a friendly application name instead of port numbers
C. Use of a "service" enables the firewall to take immediate action with the first observed packet based
on port numbers. Use of an "application" allows the firewall to take action after enough packets
allow for App-ID identification regardless of the ports being used
D. Use of a "service" enables the firewall to take action after enough packets allow for App-ID
identification
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/app-id-overview
QUESTION 98
Which authentication source requires the installation of Palo Alto Networks software, other than
PAN-OS 7x, to obtain a username-to-IP-address mapping?
A. Microsoft Active Directory
B. Microsoft Terminal Services
C. Aerohive Wireless Access Point
D. Palo Alto Networks Captive Portal
Answer: B
QUESTION 99
Several offices are connected with VPNs using static IPv4 routes.
An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?
A. Assign an IP address on each tunnel interface at each site
B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
D. Create new VPN zones at each site to terminate each VPN connection
Answer: C
QUESTION 100
People are having intermittent quality issues during a live meeting via web application.
A. Use QoS profile to define QoS Classes
B. Use QoS Classes to define QoS Profile
C. Use QoS Profile to define QoS Classes and a QoS Policy
D. Use QoS Classes to define QoS Profile and a QoS Policy
Answer: C
QUESTION 101
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?
A. When configuring Certificate Profiles
B. When configuring GlobalProtect portal
C. When configuring User Activity Reports
D. When configuring Antivirus Dynamic Updates
Answer: D
QUESTION 102
A network design change requires an existing firewall to start accessing Palo Alto Updates from a
dataplane interface address instead of the management interface.
Which configuration setting needs to be modified?
A. Authentication profile
B. Default route
C. Service route
D. Management profile
Answer: C
Explanation:
The firewall uses the management (MGT) interface by default to access external services, such as
DNS servers, external authentication servers, Palo Alto Networks services such as software, URL
updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data
port (a regular interface) to access these services. The path from the interface to the service on a
server is known as a service route. The service packets exit the firewall on the port assigned for
the external service and the server sends its response to the configured source interface and
source IP address.
You can configure service routes globally for the firewall or Customize Service Routes for a Virtual
System on a firewall enabled for multiple virtual systems so that you have the flexibility to use
interfaces associated with a virtual system.
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/service-routes
QUESTION 103
A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two.)
A. Static Route
B. BGP
C. OSPFv3
D. RIP
Answer: AC
Explanation:
C: OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it
provides support for IPv6 addresses and prefixes.
A: How to Set Default Route for IPv6 Traffic
Steps
1. Go to Network > Virtual Router
2. Add a Virtual Router and go to Static Routes > IPv6.
3. Add a Static Route:
   a. Set destination (example, IPV4 0.0.0.0/0) as ::0/
   b. Select the Interface
   c. Set the Next Hop IP address
https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/networking-features/ospf-v3-support
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-Default-Route-for-IPv6-Traffic/ta-p/52731
QUESTION 104
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator
has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple
remote offices and the Network Administrator decides to use Panorama to deploy the
configurations.
How should this be accomplished?
A. Create a Template with the appropriate IKE Gateway settings.
B. Create a Device Group with the appropriate IPSec tunnel settings.
C. Create a Device Group with the appropriate IKE Gateway settings.
D. Create a Template with the appropriate IPSec tunnel settings.
Answer: D
Explanation:
Note: The administrator of the satellite must enter the credentials when the satellite connects to the
portal.
This is done on the satellite by navigating to Network > IPSec Tunnels and choosing "gateway info"
and then clicking on "Enter Credentials".
QUESTION 105
People are having intermittent quality issues during a live meeting via a web application.
How can the performance of this application be improved?
A. Use QoS Profile to define QoS Classes and a QoS Policy
B. Use QoS Classes to define QoS Profile
C. Use QoS Classes to define QoS Profile and QoS Policy
D. Use QoS Profile to define QoS Classes
Answer: A
QUESTION 106
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?
A. When configuring GlobalProtect portal
B. When configuring User Activity Reports
C. When configuring Certificate Profiles
D. When configuring Antivirus Dynamic Updates
Answer: D
QUESTION 107
A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?
A. Block all unauthorized applications using a security policy.
B. Block all known internal custom applications.
C. Create a File Blocking Profile that blocks Layer 4 and Layer 7 attacks.
D. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks.
Answer: C
Explanation:
The firewall uses file blocking profiles two ways: to forward files to WildFire for analysis or to block
specified file types over specified applications and in the specified session flow direction
(inbound/outbound/both).
You can set the profile to alert or block on upload and/or download and you can specify which
applications will be subject to the file blocking profile. You can also configure custom block pages
that will appear when a user attempts to download the specified file type. This allows the user to
take a moment to consider whether or not they want to download a file.
Incorrect Answers:
D: Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for
WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and
transmission direction (upload or download).
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/file-blocking-profiles
QUESTION 108
YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical
traffic. The administrator wants to throttle YouTube traffic.
The following interfaces and zones are in use on the firewall:
- ethernet 1/1, Zone: Untrust (Internet-facing)
- ethernet 1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists
to put the YouTube application into QoS class 6. Interface Ethernet 1/1 has a QoS profile called
Outbound, and interface Ethernet 1/21 has a QoS profile called Inbound.
Which setting for Class 6 will throttle YouTube traffic?
A. Outbound profile with Guaranteed Ingress
B. Inbound profile with Maximum Egress
C. Inbound profile with Guaranteed Egress
D. Outbound profile with Maximum Ingress
Answer: B
Explanation:
Identify the egress interface for applications that you identified as needing QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the
egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress
interface is the external-facing interface.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configure-qos
QUESTION 109
Which field is optional when creating a new Security Policy rule?
A. Description
B. Destination Zone
C. Action
D. Name
E. Source Zone
Answer: A
Explanation:
The optional fields are: Description, Tag, Source IP Address and Destination IP Address.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/components-of-a-security-policy-rule#_43864
QUESTION 110
When using the predefined default antivirus profile, the policy will inspect for viruses on the
decoders.
Match each decoder with its default action. Answer options may be used more than once or not at
all. (select four)
A. IMAP - Alert
B. IMAP - Reset-both
C. HTTP - Alert
D. HTTP - Reset-both
E. FTP, SMB - Alert
F. FTP, SMB - Reset-both
G. POP3, SMTP - Alert
H. POP3, SMTP - Reset-both
Answer: ADFG
Explanation:
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for
SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/antivirus-profiles
QUESTION 111
When a malware-infected host attempts to resolve a known command-and-control server, the traffic
matches a security policy with DNS sinkhole enabled, generating a traffic log.
What will be the destination IP address in that log entry?
A. The IP address specified in the sinkhole configuration.
B. The IP address of the command-and-control server.
C. The IP address of sinkhole.paloaltonetworks.com
D. The IP address of one of the external DNS servers identified in the anti-spyware database.
Answer: A
Explanation:
Change the "Action on DNS queries" to 'sinkhole'.
Click in the Sinkhole IPv4 field and type in the fake IP. The example here shows using 1.1.1.1 for
simplicity, but as long as this fake IP is not used inside of the network, then it should be Ok.
Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP
(71.19.152.112).
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891
QUESTION 112
How can a Palo Alto Networks firewall be configured to send syslog messages in a format
compatible with non-standard syslog servers?
A. Select a non-standard syslog server profile
B. Check the custom-format check box in the syslog server profile.
C. Enable support for non-standard syslog messages under device management.
D. Create a custom log format under the syslog server profile.
Answer: D
Explanation:
To customize the format of the syslog messages that the firewall sends, select the Custom Log
Format tab.
For details on how to create custom formats for the various log types, refer to the Common Event
Format Configuration Guide.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/configure-syslog-monitoring.html
QUESTION 113
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive
High Availability (HA) pair? (Choose two.)
A. The management interfaces must be on the same network.
B. The firewalls must have the same set of licenses.
C. The peer HA1 IP address must be the same on both firewalls.
D. HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.
Answer: BD
Explanation:
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that
meet the following requirements:
The same set of licenses - Licenses are unique to each firewall and cannot be shared between the
firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an
identical set of licenses, they cannot synchronize configuration information and maintain parity for
a seamless failover.
The same type of interfaces - Dedicated HA links, or a combination of the management port and
in-band ports that are set to interface type HA.
Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP
address for both peers must be on the same subnet if they are directly connected or are connected
to the same switch.
Etc.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/high-availability/prerequisites-for-active-passive-ha#_74574
QUESTION 114
Which Device Group option is assigned by default in Panorama whenever a new device group is
created to manage a Firewall?
A. Universal
B. Master
C. Global
D. Shared
Answer: D
Explanation:
Select the Parent Device Group (default is Shared) that will be just above the device group you are
creating in the device group hierarchy.
https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-firewalls/add-a-device-group#_26700
QUESTION 115
When performing the "ping" test shown in this CLI output:
What will be the source address in the ICMP packet?
A. 10.46.64.94
B. 10.30.0.93
C. 192.168.93.1
D. 10.46.72.93
Answer: A
QUESTION 116
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically
create the routes between the sites. The OSPF configuration in Site-A is configured properly, but
the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a
broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is
using the wrong Link Type for one of its interfaces.
Which Link Type setting will correct the error?
A. Set ethernet1/21 to p2p
B. Set tunnel.10 to p2p
C. Set tunnel.10 to p2mp
D. Set ethernet1/21 to p2mp
Answer: B
Explanation:
We need to reconfigure the tunnel with the p2p link type.
Note: Link type - Choose Broadcast if you want all neighbors that are accessible through the
interface to be discovered automatically by multicasting OSPF hello messages, such as an
Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor.
Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors
manually is allowed only for p2mp mode.
References:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/vpns/site-to-site-vpn-with-ospf
QUESTION 117
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN
routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk
interface.
Which interface type and configuration setting will support this design?
A. Layer 3 subinterface type with specified tag
B. Layer 3 interface type with specified tag
C. Trunk interface type with specified tag
D. Layer 2 interface type with a VLAN assigned
Answer: A
Explanation:
The interface ethernet1/15 is configured as a Layer 3 interface. Subinterfaces corresponding to
each one of the VLANs are created off of the parent interface ethernet1/15. Each subinterface is
assigned a VLAN tag and an IP address corresponding to the VLAN it provides connectivity for.
Note: Inter-VLAN routing with each VLAN in a unique IP subnet. In order for network devices in
different VLANs to communicate, a router must be used to route traffic between the VLANs. While
VLANs help to control local traffic, if a device in one VLAN needs to communicate with a device in
another VLAN, one or more routers must be used for inter-VLAN communication. In this
configuration a Palo Alto Networks firewall can be used to securely route traffic within the VLAN. This
is also commonly called "one arm routing" or "router on a stick".
QUESTION 118
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 7.0?
(Choose two.)
A. VMware ESX
B. AWS
C. VMware NSX
D. KVM
Answer: AD
QUESTION 119
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external
Security Information and Event Management (SIEM) system?
A. Panorama Device Group Log Forwarding
B. Panorama Log Settings
C. Collector Log Forwarding for Collector Groups
D. Panorama Log Templates
Answer: B
Explanation:
To forward Panorama logs:
Panorama > Log Settings > System
Panorama > Log Settings > Config
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage-log-collection/enable-log-forwarding-from-panorama-to-external-destinations#_91682
QUESTION 120
In an enterprise deployment, a network security engineer wants to assign rights to a group of
administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?
A. Kerberos
B. RADIUS with Vendor-Specific Attributes
C. Certificate-based authentication
D. LDAP
Answer: C
Explanation:
As a more secure alternative to password-based authentication to the Panorama web interface,
you can configure certificate-based authentication for administrator accounts that are local to
Panorama. Certificate-based authentication involves the exchange and verification of a digital
signature instead of a password.
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/set-up-panorama/configure-a-panorama-administrator-with-certificate-based-authentication-for-the-web-interface
QUESTION 121
Which option is an IPv6 routing protocol?
A. OSPFv3
B. BGP NG
C. OSPFv2
D. RIPv3
Answer: A
Explanation:
OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it
provides support for IPv6 addresses and prefixes.
https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/networking-features/ospf-v3-support
QUESTION 122
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Allow
B. Log
C. Default
D. Alert
Answer: D
Explanation:
The website is allowed and a log entry is generated in the URL filtering log.
Incorrect Answers:
A: Allow: The website is allowed and no log entry is generated.
B: There is no URL Filtering Security Profile action named log.
C: There is no URL Filtering Security Profile action named default.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/url-filtering-profile-actions
QUESTION 123
Which authentication source requires the installation of Palo Alto Networks software, other than
PAN-OS 7x, to obtain username-to-IP-address mapping?
A. Aerohive Wireless Access Point
B. Microsoft Terminal Services
C. Palo Alto Networks Captive Portal
D. Microsoft Active Directory
Answer: B
Explanation:
Configure User Mapping for Terminal Server Users
Individual terminal server users appear to have the same IP address and therefore an IP address
to username mapping is not sufficient to identify a specific user. To enable identification of specific
users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS
agent) allocates a port range to each user. It then notifies every connected firewall about the
allocated port range, which allows the firewall to create an IP address-port-user mapping table and
enable user- and group-based security policy enforcement.
Incorrect Answers:
A: If you want to integrate Aerohive with Palo Alto the suggested route is to run a script on a Kiwi
Syslog Server which parses the Aerohive log and then updates the Palo Alto with Username/IP
address mapping.
A working VB script for Kiwi is provided below.
Etc.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/user-id/configure-user-mapping-for-terminal-server-users
QUESTION 124
Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic
log? (Choose two.)
A. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions
B. Configure a RADIUS server profile to point to a domain controller
C. Enable User-ID on the zone object for the source zone
D. Enable User-ID on the zone object for the destination zone
E. Run the User-ID Agent using an Active Directory account that has "domain administrator"
permissions
Answer: AC
QUESTION 125
Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in
troubleshooting this issue? (Choose two.)
A. dp-monitor.log
B. Traffic log
C. ms.log
D. authd.log
E. System log
Answer: BE
QUESTION 126
An administrator has configured a firewall to use the data port for all management services.
Which three functions are performed by the dataplane? (Choose three.)
A. NTP
B. Antivirus
C. Wildfire updates
D. NAT
E. File tracking
Answer: ACD
QUESTION 127
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked
with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?
A. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
B. Create new VPN zones at each site to terminate each VPN connection.
C. Assign an IP address on each tunnel interface at each site.
D. Assign OSPF Area 0.0.0.0 to all Ethernet and tunnel interfaces.
Answer: D
Explanation:
OSPF Area Types include the Backbone Area, Area 0, is the core of an OSPF network. The
backbone has the reserved area ID of 0.0.0.0. All other areas are connected to it and all traffic
between areas must traverse it. All routing between areas is distributed through the backbone area.
While all other OSPF areas must connect to the backbone area, this connection doesn't need to
be direct and can be made through a virtual link.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/networking/configure-ospf
QUESTION 128
Which CLI command displays the current management plane memory utilization?
A. > show system info
B. > show system resources
C. > show running resource-monitor
D. > debug management-server show
Answer: B
Explanation:
When running show system resources from the PAN-OS CLI, the top process in the output shows
9999% CPU utilization.
The following is an example output:
> show system resources
https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta-p/58149
QUESTION 129
A distributed log collection deployment has dedicated Log Collectors. A developer needs a device
to send logs to Panorama instead of sending logs to the Collector Group.
What should be done first?
A. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
B. Revert to a previous configuration
C. Remove the device from the Collector Group
D. Remove the cable from the management interface, reload the Log Collector and then re-connect
that cable
Answer: C
Explanation:
In a distributed log collection deployment, where you have dedicated Log Collectors, if you need a
device to send logs to Panorama instead of sending logs to the Collector Group, you must remove
the device from the Collector group.
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage-log-collection/remove-a-firewall-from-a-collector-group#_24966
QUESTION 130
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the
internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect
to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between
Site-A and Site-B?
A. Enable on Site-A only
B. Enable on Site-B only with Passive Mode
C. Enable on Site-A and Site-B
D. Enable on Site-B only
Answer: C
Explanation:
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device
that sits between the two gateways. A gateway can see only the public (globally routable) IP
address of the NAT device.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/vpns/site-to-site-vpn-concepts
QUESTION 131
A network security engineer has a requirement to allow an external server to access an internal
web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?
A. Configure ECMP to handle matching NAT traffic
B. Configure a NAT Policy rule with Dynamic IP and Port
C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option
Answer: C
Explanation:
https://live.paloaltonetworks.com/t5/Learning-Articles/What-does-the-Bi-directional-NAT-FeatureProvide/ta-p/60593
QUESTION 132
What happens when the traffic log shows an internal host attempting to open a session to a properly
configured sinkhole address?
A. The internal host tried to resolve a DNS query by connecting to a rogue DNS server.
B. A malicious domain tried to contact an internal DNS server.
C. A rogue DNS server used the sinkhole address to direct traffic to a known malicious domain.
D. The internal host attempted to use DNS to resolve a known malicious domain into an IP address.
Answer: D
QUESTION 133
PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates
correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objects?
A. Threat Prevention
B. Application Center
C. GlobalProtect
D. URL Filtering
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/automatedcorrelation-engine-concepts
QUESTION 134
Starting with PAN-OS version 9.1, application dependency information is now reported in which
two new locations? (Choose two.)
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer's Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages
Answer: AC
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/use-application-objects-inpolicy/resolve-application-dependencies
QUESTION 135
A network security engineer for a large company has just installed a PA-5060 Firewall to isolate
the company's PCI environment from its production network. The company's network engineers
made configuration changes to the switches on both network segments, and connected them to
the new firewall.
Soon after the cutover, however, users began to complain about latency and some servers stopped
communicating. There are no security policies that deny traffic between the two network segments.
You suspect that there is an interface misconfiguration on ethernet1/1.
Which two commands should be used to troubleshoot the issue? (Choose two.)
A. show interface management
B. show interface ethernet1/1
C. show interface logical
D. show interface hardware
Answer: BC
QUESTION 136
On March 10, 2016, between 11:00 am and 11:30 am, users reported that web-browsing traffic to
the IP address 1.1.1.1 failed.
Which filter can be applied to the traffic logs to show how many users were affected during this
time frame?
A. ( time_generated leq '2016/03/10 11:30:00' ) and ( app is web-browsing )
B. ( time_generated geq '2016/03/10 11:00:00' ) and ( time_generated leq '2016/03/10 11:30:00' ) and ( addr.dst in 1.1.1.1 )
C. ( time_generated leq '2016/03/10 11:00:00' ) and ( time_generated geq '2016/03/10 11:30:00' ) and ( app eq web-browsing )
D. ( time_generated geq '2016/03/10 11:00:00' ) and ( time_generated leq '2016/03/10 11:30:00' ) and ( app neq web-browsing )
Answer: B
QUESTION 137
Server Message Block (SMB), a common file-sharing application, is slow when passing through a
Palo Alto Networks firewall. The Network Security Administrator created an application override
policy, assigning all SMB traffic to a custom application, to resolve the slowness issue.
Why does this configuration resolve the issue?
A. Security policy assignment is being done more efficiently.
B. Zone Protection is no longer being applied.
C. Layer 7 processing has been disabled for SMB traffic.
D. Layer 4 processing has been disabled for the SMB traffic.
Answer: C
QUESTION 138
What are three valid options when creating a new security policy? (Choose three.)
A. Reset All
B. Reset client
C. Block
D. Deny All
E. Alert
F. Deny
G. Allow
Answer: BFG
QUESTION 139
The Network Security Administrator discovers that the company's NAT-aware SIP phone system
is not working properly through the Palo Alto Networks firewall, even though SIP traffic is being
allowed by policy.
Which configuration change can resolve this issue?
A. Disable ALG within the security policy that permits SIP traffic
B. Create an application override policy to assign all traffic to and from SIP phones to the sip application
C. Create a security policy that allows any traffic to and from SIP phones.
D. Disable ALG within the SIP application
Answer: D
QUESTION 140
Which two statements accurately describe how DoS Protection Profiles and Policies mitigate
attacks? (Choose two.)
A. They mitigate against volumetric attacks by leveraging known vulnerabilities, brute force methods,
amplification, spoofing, and other vulnerabilities.
B. They mitigate against attacks on a zone basis by providing reconnaissance protection against TCP/
UDP port scans and host sweeps.
C. They mitigate against attacks by providing resource protection by limiting the number of sessions
that can be used.
D. They mitigate against attacks by utilizing "random early drop".
Answer: CD
Explanation:
DOS
In addition to flood protection, we also offer resources protection. This type of protection enforces
a quota for your hosts. It restricts the maximum number of sessions allowed for a particular source
IP address, destination IP address or IP source-destination pair.
ZONE PROTECTION
Zone protection policies allow the use of flood protection and have the ability to protect against port
scanning\sweeps and packet based attacks. A few examples are IP spoofing, fragments,
overlapping segments, reject tcp-non-syn.
QUESTION 141
Given these tables:
SVR1 is a webserver hosted in the DMZ zone. The FQDN of www.myserver.com is registered to
an external DNS provider and resolves to 203.1.200.123 in the Untrust-L3 zone. Users in the Trust-L3 zone use the external FQDN to access SVR1.
Which NAT rule will process traffic sourced from the Trust-L3 zone destined for SVR1?
A. NAT2
B. NAT4
C. NAT1
D. NAT3
Answer: D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln3CAC
QUESTION 142
What are the three Security Policy Rule Type classifications supported in PAN-OS 7.0? (Choose
three.)
A. Default
B. Global
C. Interzone
D. Intrazone
E. Universal
F. ExternalZone
Answer: CDE
Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-andInterzone-Rules/ta-p/57491
QUESTION 143
What is the default behavior when a Certificate Profile is configured to use both CRL and OCSP?
A. CRL will be preferred.
B. The option with the lower timeout value will be preferred.
C. The firewall will use the first profile to respond.
D. OCSP will be preferred.
Answer: D
Explanation:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/certificatemanagement/configure-a-certificate-profile
QUESTION 144
Ethernet1/1 has been configured with the following subinterfaces:
The following security policy rule is applied:
The Interface Management Profile permits the following:
A customer is trying to ping 10.10.10.1 from VLAN 799 IP 10.10.10.2/24.
What will be the result of this ping?
A. The ping will not be successful because there is no management profile attached to ethernet1/1.799.
B. The ping will not be successful because the management profile applied to ethernet1/1 allows ping.
C. The ping will not be successful because the security policy does not apply to VLAN 799.
D. The ping will not be successful because the virtual router is different from the other subinterfaces.
E. The ping will not be successful because the security policy permits this traffic.
Answer: A
QUESTION 145
Given the following diagram:
A VPN connection has been created to allow traffic from the Trust-L3 zone of Site A to reach the
Trust-L3 zone of Site B. Each site is using tunnel.1 in the Untrust-L3 zone for the VPN connection.
A static route needs to be added to the default virtual router in the Site A firewall to enable traffic
from Site A to reach all workstations in Site B.
Which static route configuration will satisfy the requirement?
A. Name: Route-to-Site-B
Destination: 172.16.20.0/24
Interface: tunnel.1
Next Hop: None
B. Name: Route-to-Site-B
Destination: 172.16.20.0/24
Interface: none
Next Hop: 192.0.0.2
C. Name: Route-to-Site-B
Destination: 172.16.20.1/24
Interface: tunnel.1
Next Hop: None
D. Name: Route-to-Site-B
Destination: 172.16.20.0/24
Interface: ethernet1/1
Next Hop: 192.0.0.1
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/vpns/site-to-site-vpn-withstatic-routing
QUESTION 146
For which two functions is the management plane responsible? (Choose two.)
A. Protocol decoding
B. Reassembling packets
C. Forwarding logs
D. Answering HTTP requests
Answer: CD
QUESTION 147
Refer to exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote
monitoring and security management platforms. The network team has reported excessive traffic
on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining
support for all existing monitoring platforms?
A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external
services.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to
the NGFW.
C. Configure log compression and optimization features on all remote firewalls.
D. Any configuration on an M-500 would address the insufficient bandwidth concerns.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-logcollection/configure-syslog-forwarding-to-external-destinations.html#idb02b17f9-7dfc-40fd-919cbe699845ebdc
QUESTION 148
Which Captive Portal mode must be configured to support MFA authentication?
A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/configure-multifactor-authentication.html
QUESTION 149
Which protection feature is available only in a Zone Protection Profile?
A. SYN Flood Protection using SYN Flood Cookies
B. ICMP Flood Protection
C. Port Scan Protection
D. UDP Flood Protection
Answer: C
Explanation:
SYN Flood Cookies are also available in a DoS Protection Profile; the question asks for the feature available ONLY in a Zone Protection Profile.
DoS Protection profiles protect specific devices (classified profiles) and groups of devices
(aggregate profiles) against SYN, UDP, ICMP, ICMPv6, and Other IP flood attacks.
QUESTION 150
Which User-ID method maps IP addresses to usernames for users connecting through an
802.1x-enabled wireless network device that has no native integration with PAN-OS software?
A. XML API
B. Port Mapping
C. Client Probing
D. Server Monitoring
Answer: D
Explanation:
To obtain user mappings from existing network services that authenticate users--such as wireless
controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access
Control (NAC) mechanisms--Configure User-ID to Monitor Syslog Senders for User Mapping.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-tousers.html#id61f141da-8b89-49c9-b34a-ed11b434d1db
QUESTION 151
How does an administrator schedule an Applications and Threats dynamic update while delaying
installation of the update for a certain amount of time?
A. Configure the option for "Threshold".
B. Disable automatic updates during weekdays.
C. Automatically "download only" and then install Applications and Threats later, after the administrator
approves the update.
D. Automatically "download and install" but with the "disable new applications" option used.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/set-up-antivirusanti-spyware-and-vulnerability-protection.html#ide9a94a55-0498-4b2e-806b-6e95899510ac
(Optional) Define a Threshold to indicate the minimum number of hours after an update becomes
available before the firewall will download it. For example, setting the Threshold to 10 means the
firewall will not download an update until it is at least 10 hours old, regardless of the schedule.
QUESTION 152
An administrator needs to determine why users on the trust zone cannot reach certain websites.
The only information available is shown on the following image.
Which configuration change should the administrator make?
A.
B.
C.
D.
E.
Answer: B
QUESTION 153
An administrator has users accessing network resources through Citrix XenApp 7.x.
Which User-ID mapping solution will map multiple users who are using Citrix to connect to the
network and access resources?
A. Client Probing
B. Terminal Services agent
C. GlobalProtect
D. Syslog Monitoring
Answer: B
Explanation:
If you have clients running multi-user systems in a Windows environment, such as Microsoft
Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto
Networks Terminal Server (TS) Agent for User Mapping. For a multi-user system that doesn't run
on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML
API.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-tousers.html#id61f141da-8b89-49c9-b34a-ed11b434d1db
QUESTION 154
An administrator creates a custom application containing Layer 7 signatures. The latest application
and threat dynamic update is downloaded to the same NGFW. The update contains an application
that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?
A. Custom application
B. System logs show an application error and neither signature is used.
C. Downloaded application
D. Custom and downloaded application signature files are merged and both are used
Answer: A
Explanation:
Create a Custom Application with a signature and attach it to a security policy, or create a custom
application and define an application override policy--A custom application allows you to customize
the definition of the internal application--its characteristics, category and sub-category, risk, port,
timeout--and exercise granular policy control in order to minimize the range of unidentified traffic
on your network. Creating a custom application also allows you to correctly identify the application
in the ACC and traffic logs and is useful in auditing/reporting on the applications on your network.
For a custom application you can specify a signature and a pattern that uniquely identifies the
application and attach it to a security policy that allows or denies the application.
Alternatively, if you would like the firewall to process the custom application using fast path (Layer-4
inspection instead of using App-ID for Layer-7 inspection), you can reference the custom
application in an application override policy rule. An application override with a custom application
will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection.
Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4,
and thereby saves application processing time.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/manage-custom-orunknown-applications.html#id74b58a78-164f-4dc5-aa4e-31ce62f2af0d
QUESTION 155
How can a candidate or running configuration be copied to a host external from Panorama?
A. Commit a running configuration.
B. Save a configuration snapshot.
C. Save a candidate configuration.
D. Export a named configuration snapshot.
Answer: D
Explanation:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/administerpanorama/manage-panorama-and-firewall-configuration-backups/save-and-export-panoramaand-firewall-configurations
QUESTION 156
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of
reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple
regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?
A. Preconfigured GlobalProtect satellite
B. Preconfigured GlobalProtect client
C. Preconfigured IPsec tunnels
D. Preconfigured PPTP Tunnels
Answer: A
Explanation:
GlobalProtect Satellite: a Palo Alto Networks firewall at a remote site that establishes IPSec tunnels
with the gateway(s) at your corporate office(s) for secure access to centralized resources.
Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN
as you add new sites.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale-vpn-lsvpn/lsvpnoverview.html
QUESTION 157
A global corporate office has a large-scale network with only one User-ID agent, which creates a
bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this
case?
A. Application override
B. Redistribution of user mappings
C. Virtual Wire mode
D. Content inspection
Answer: B
Explanation:
A large-scale network can also have numerous firewalls that use the mapping information to
enforce policies.
You can reduce the resources that the firewalls and information sources use in the querying
process by configuring some firewalls to acquire mapping information through redistribution instead
of direct querying.
Redistribution also enables the firewalls to enforce user-based policies when users rely on local
sources for authentication (such as regional directory services) but need access to remote services
and applications (such as global data center applications).
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/deploy-user-id-in-a-largescale-network.html#id73908ad1-63ee-440b-bb58-859ace1ce34d
QUESTION 158
Which CLI command is used to simulate traffic going through the firewall and determine which
Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A. check
B. find
C. test
D. sim
Answer: C
QUESTION 159
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter"
method, which login will be detected as credential theft?
A. Mapping to the IP address of the logged-in user.
B. First four letters of the username matching any valid corporate username.
C. Using the same user's corporate username and password.
D. Matching any valid corporate username.
Answer: C
Explanation:
The Windows-based User-ID agent is installed on a Read-Only Domain Controller (RODC). The
User-ID agent collects password hashes that correspond to users for which you want to enable
credential detection and sends these mappings to the firewall. The firewall then checks if the source
IP address of a session matches a username and if the password submitted to the webpage
belongs to that username. With this mode, the firewall blocks or alerts on the submission only when
the password submitted matches a user password.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/prevent-credentialphishing/methods-to-check-for-corporate-credential-submissions
QUESTION 160
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?
A. Deny application facebook-chat before allowing application facebook
B. Deny application facebook on top
C. Allow application facebook on top
D. Allow application facebook before denying application facebook-chat
Answer: A
QUESTION 161
Which feature prevents the submission of corporate login information into website forms?
A. Data filtering
B. User-ID
C. File blocking
D. Credential phishing prevention
Answer: D
Explanation:
Credential phishing prevention works by scanning username and password submissions to
websites and comparing those submissions against valid corporate credentials.
QUESTION 162
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)
A. Disable SNMP on the management interface.
B. Application override of SSL application.
C. Disable logging at session start in Security policies.
D. Disable predefined reports.
E. Reduce the traffic being decrypted by the firewall.
Answer: ACD
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleLCAS
QUESTION 163
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
A. Red Hat Enterprise Virtualization (RHEV)
B. Kernel Virtualization Module (KVM)
C. Boot Strap Virtualization Module (BSVM)
D. Microsoft Hyper-V
Answer: BD
Explanation:
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-seriesfirewall/vm-series-models/vm-series-system-requirements
QUESTION 164
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
A. Device>Setup>Services>AutoFocus
B. Device>Setup>Management>AutoFocus
C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
D. Device>Setup>WildFire>AutoFocus
E. Device>Setup>Management>Logging and Reporting Settings
Answer: B
Explanation:
Once the AutoFocus license is enabled, a new option appears under Device>Setup>Management.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/learn-more-aboutand-assess-threats/assess-firewall-artifacts-with-autofocus/enable-autofocus-threatintelligence.html
QUESTION 165
Which event will happen if an administrator uses an Application Override Policy?
A. Threat-ID processing time is decreased.
B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
C. The application name assigned to the traffic by the security rule is written to the Traffic log.
D. App-ID processing time is increased.
Answer: B
Explanation:
If you define an application override, the firewall stops processing at Layer-4. The custom
application name is assigned to the session to help identify it in the logs, and the traffic is not
scanned for threats.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-custom-or-unknownapplications
QUESTION 166
An administrator wants multiple web servers in the DMZ to receive connections initiated from the
internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at
10.1.1.22
Based on the information shown in the image, which NAT rule will forward web-browsing traffic
correctly?
A.
B.
C.
D.
Answer: C
Explanation:
When reading these questions, distinguish the NAT rule from the security policy rule: the only
difference is the destination zone, Internet for the NAT rule and DMZ for the security policy rule.
QUESTION 167
Which three options are supported in HA Lite? (Choose three.)
A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization
Answer: BCD
Explanation:
HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPsec security associations. It does not support session
synchronization (HA2), and therefore does not offer stateful failover.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUzCAK
QUESTION 168
A session in the Traffic log is reporting the application as "incomplete."
What does "incomplete" mean?
A. The three-way TCP handshake was observed, but the application could not be identified.
B. The three-way TCP handshake did not complete.
C. The traffic is coming across UDP, and the application could not be identified.
D. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied.
Answer: B
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
QUESTION 169
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all
devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls
to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs into Panorama.
B. A CLI command will forward the pre-existing logs to Panorama.
C. Use the ACC to consolidate pre-existing logs.
D. The log database will need to be exported from the firewalls and manually imported into Panorama.
Answer: B
Explanation:
After you upgrade to a Panorama 8.0 or later release, Panorama Log Collectors use a new log
storage format.
Because Panorama cannot generate reports or ACC data from logs in the pre-8.0-release log
format after you upgrade, you must migrate the existing logs as soon as you upgrade Panorama
and its Log Collectors from a PAN-OS® 7.1 or earlier release to a PAN-OS 8.0 or later release and
you must do this before you upgrade your managed firewalls. Panorama will continue to collect
logs from managed devices during the log migration but will store the incoming logs in the new log
format after you upgrade to a PAN-OS 8.0 or later release. For this reason, you will see only partial
data in the ACC and in Reports until Panorama completes the log migration process.
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/installcontent-and-software-updates-for-panorama/migrate-panorama-logs-to-new-log-format.html
QUESTION 170
An administrator pushes a new configuration from Panorama to a pair of firewalls that are
configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?
A. The passive firewall, which then synchronizes to the active firewall
B. The active firewall, which then synchronizes to the passive firewall
C. Both the active and passive firewalls, which then synchronize with each other
D. Both the active and passive firewalls independently, with no synchronization afterward
Answer: D
QUESTION 171
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire
service? (Choose three.)
A. .dll
B. .exe
C. .src
D. .apk
E. .pdf
F. .jar
Answer: ABC
Explanation:
The question is asking about the free basic WildFire service, which only allows forwarding of PE
(Portable Executable) files.
pe: Portable Executable (PE) files. PEs include executable files, object code, DLLs, FON (fonts), and
LNK files. A subscription is not required to forward PE files for WildFire analysis, but is required for
all other supported file types.
"With the basic WildFire service, the firewall can forward portable executable (PE) files for WildFire
analysis." Looking up the PE file extensions gives:
.acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/wildfire-overview/wildfireconcepts/file-analysis.html
QUESTION 172
Which three firewall states are valid? (Choose three.)
A. Active
B. Functional
C. Pending
D. Passive
E. Suspended
Answer: ADE
Explanation:
The valid HA firewall states are: Active (A), Passive (D), Suspended (E), Non-Functional, Initial, and Tentative.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-firewall-states
QUESTION 173
An administrator encountered problems with inbound decryption. Which option should the
administrator investigate as part of triage?
A. Security policy rule allowing SSL to the target server
B. Firewall connectivity to a CRL
C. Root certificate imported into the firewall with "Trust" enabled
D. Importation of a certificate from an HSM
Answer: A
Explanation:
Inbound decryption is where you are decrypting traffic to your internal server. You don't use a Root
CA; you load that server's certificate and private key instead. The Root certificate is 'Optional'.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-inboundinspection.html
QUESTION 174
Which Palo Alto Networks VM-Series firewall is valid?
A. VM-25
B. VM-800
C. VM-50
D. VM-400
Answer: C
Explanation:
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-seriesfirewall/vm-series-models/vm-series-system-requirements#idb04eb16a-3824-4d10-ae652f440608f87b
QUESTION 175
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP
Routing between the two environments is required.
Which interface type would support this business requirement?
A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to
support LSVPN and EIGRP protocols)
D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router
Answer: A
Explanation:
Palo Alto Networks firewalls do not support EIGRP, so the firewall must be deployed as a virtual wire
for the existing routing between the Core and DMZ to keep working.
QUESTION 176
A network security engineer for a large company has just installed a PA-5060 Firewall to isolate
the company's PCI environment from its production network. The company's engineers made
configuration changes to the switches on both network segments, and connected them to the new
firewall.
Soon after the cutover, however, users began to complain about latency and some servers
stopped communicating. There are no security policies that deny traffic between the two network
segments. You suspect that there is an interface misconfiguration on ethernet1/1.
Which two commands should be used to troubleshoot the issue? (Choose two)
A. show interface hardware
B. show interface management
C. show interface ethernet1/1
D. show interface logical
Answer: CD
QUESTION 177
After Migrating from an ASA firewall to a Palo Alto Networks Firewall, the VPN connection between
a remote network and the Palo Alto Networks Firewall is not establishing correctly.
The following entry is appearing in the logs:
Pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message?
A. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
C. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
D. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
Answer: D
QUESTION 178
Decrypted packets from the website https://www.microsoft.com will appear as which application
and service within the Traffic log?
A. web-browsing and 443
B. SSL and 80
C. SSL and 443
D. web-browsing and 80
Answer: A
Explanation:
After being decrypted, the traffic is web-browsing traffic / port 443.
Before being decrypted, the traffic is ssl traffic / port 443.
QUESTION 179
If a template stack is assigned to a device and the stack includes three templates with overlapping
settings, which settings are published to the device when the template stack is pushed?
A. The settings assigned to the template that is on top of the stack.
B. The administrator will be prompted to choose the settings for that chosen firewall.
C. All the settings configured in all templates.
D. Depending on the firewall location, Panorama decides which settings to send.
Answer: A
Explanation:
Panorama evaluates the templates listed in a stack configuration from top to bottom, with higher
templates having priority.
https://docs.paloaltonetworks.com/panorama/7-1/panorama-admin/panoramaoverview/templates-and-template-stacks
QUESTION 180
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections
only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone
needs to be configured to enable web browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to
this server on tcp/8080?
A. application: web-browsing; service: application-default
B. application: web-browsing; service: service-https
C. application: ssl; service: any
D. application: web-browsing; service: (custom with destination TCP port 8080)
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/app-defaultstrict.html
Application default for web-browsing is port 80.
QUESTION 181
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The
administrator determines that these sessions are from external users accessing the company's
proprietary accounting application. The administrator wants to reliably identify this traffic as their
accounting application and to scan this traffic for threats.
Which option would achieve this result?
A. Create a custom App-ID and enable scanning on the advanced tab.
B. Create an Application Override policy.
C. Create a custom App-ID and use the "ordered conditions" check box.
D. Create an Application Override policy and custom threat signature for the application.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/manage-custom-orunknown-applications.html
QUESTION 182
During the packet flow process, which two processes are performed in application identification?
(Choose two.)
A. Pattern based application identification
B. Application override policy match
C. Application changed from content inspection
D. Session application identified
Answer: AB
Explanation:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
QUESTION 183
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing
the Policies tab. Which profile is the cause of the missing Policies tab?
A. Admin Role
B. WebUI
C. Authentication
D. Authorization
Answer: A
QUESTION 184
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
A. To enable Gateway authentication to the Portal
B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal
Answer: C
Explanation:
The additional options of Browser and Satellite enable you to specify the authentication profile to
use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate
a user accessing the portal from a web browser with the intent of downloading the GlobalProtect
agent (Windows and Mac). Select Satellite to specify the authentication profile to use to
authenticate the satellite.
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interfacehelp/globalprotect/network-globalprotect-portals
QUESTION 185
The certificate information displayed in the following image is for which type of certificate?
A. Forward Trust certificate
B. Self-Signed Root CA certificate
C. Web Server certificate
D. Public CA signed certificate
Answer: B
Explanation:
A self-signed CA certificate can only be a Root CA: the Issuer CN and the Subject CN are identical.
QUESTION 186
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks
NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
A. 0
B. 99
C. 1
D. 255
Answer: D
QUESTION 187
Which option is part of the content inspection process?
A. Packet forwarding process
B. SSL Proxy re-encrypt
C. IPsec tunnel encryption
D. Packet egress process
Answer: B
Explanation:
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
QUESTION 188
Which three types of software will receive a Grayware verdict from WildFire? (Choose three)
A. Browser Toolbar
B. Trojans
C. Ransomware
D. Potentially unwanted programs
E. Adware
Answer: ADE
Explanation:
https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/wildfirefeatures/wildfire-grayware-verdict
QUESTION 189
There is a speed/duplex negotiation mismatch between the Palo Alto Networks firewall's management
port and the switch port to which it connects.
How would an administrator configure the interface to 1Gbps?
A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
B. set deviceconfig system speed-duplex 1Gbps-duplex
C. set deviceconfig system speed-duplex 1Gbps-full-duplex
D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex
Answer: C
QUESTION 190
In a virtual router, which object contains all potential routes?
A. MIB
B. RIB
C. SIP
D. FIB
Answer: B
Explanation:
A router maintains a Routing Information Base (RIB) and a Forwarding Information Base
(FIB). The RIB contains all possible routes to each destination, even when there is more than one
route to the same destination; the FIB contains only the best route to each destination, which is
what the router actually uses to forward packets.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/virtual-routers/virtualrouter-overview
QUESTION 191
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address.
Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100)
receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two.)
A. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
B. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
C. Untrust (Any) to DMZ (10.1.1.1), web-browsing - Allow
D. Untrust (Any) to DMZ (10.1.1.1), ssh - Allow
E. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
Answer: CD
Explanation:
Security policy rules use the post-NAT destination zone (DMZ) together with the pre-NAT (external) IP
address. NAT rules use the external (Untrust) destination zone together with the external IP address.
QUESTION 192
A customer has an application that is being identified as unknown-tcp for one of their custom
PostgreSQL database connections. Which two configuration options can be used to correctly
categorize their custom database application? (Choose two.)
A. Application Override policy
B. Security policy to identify the custom application
C. Custom application
D. Custom Service object
Answer: AC
Explanation:
The best approach is to create a custom application. Alternatively, an application override policy can be
used to send the traffic down the fast path:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/manage-custom-orunknown-applications
Create a custom application with a signature and reference it in a Security policy rule, or create a custom
application and define an application override policy for it.
QUESTION 193
Server Message Block (SMB), a common file-sharing application, is slow when passing through a
Palo Alto Networks firewall. The Network Security Administrator created an application override
policy, assigning all SMB traffic to a custom application, to resolve the slowness issue.
Why does this configuration resolve the issue?
A. Layer 7 processing has been disabled for SMB traffic.
B. Layer 4 processing has been disabled for the SMB traffic.
C. Zone protection is no longer being applied.
D. Security policy assignment is being done more efficiently.
Answer: A
QUESTION 194
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new
routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)
A. View Runtime Stats in the virtual router.
B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. Perform a traffic pcap at the routing stage.
Answer: AB
QUESTION 195
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as
threats detected in the last 30 days?
A. Session Browser
B. Application Command Center
C. TCP Dump
D. Packet Capture
Answer: B
Explanation:
The Application Command Center (ACC) page visually depicts trends and a historic view of traffic
on your network. It displays the overall risk level for all network traffic, the risk levels and number
of threats detected for the most active and highest-risk applications on your network, and the
number of threats detected from the busiest application categories and from all applications at each
risk level. The ACC can be viewed for the past hour, day, week, month, or any custom-defined time
frame.
QUESTION 196
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new
routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)
A. View the System logs and look for the error messages about BGP.
B. Perform a traffic pcap on the NGFW to see any BGP problems.
C. View the Runtime Stats and look for problems with BGP configuration.
D. View the ACC tab to isolate routing issues.
Answer: BC
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/networkvirtual-routers/more-runtime-stats-for-a-virtual-router/bgp-tab.html
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEWCA0
QUESTION 197
A user's traffic traversing a Palo Alto Networks NGFW can sometimes reach
http://www.company.com. At other times the session times out. The NGFW has been configured
with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
D. Configure path monitoring for the next hop gateway on the default route in the virtual router.
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/network/networknetwork-profiles-monitor#
QUESTION 198
Which feature must you configure to prevent users from accidentally submitting their corporate
credentials to a phishing website?
A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile
Answer: A
Explanation:
Phishing attack prevention extends the URL filtering capabilities to actively detect targeted
credential phishing attacks through a cloud-based analytics service as well as through heuristics
on the device itself.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credentialphishing/set-up-credential-phishing-prevention
QUESTION 199
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute
window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?
A. More than 15 minutes
B. 5 minutes
C. 10 to 15 minutes
D. 5 to 10 minutes
Answer: D
QUESTION 200
What are two benefits of nested device groups in Panorama? (Choose two.)
A. Reuse of the existing Security policy rules and objects
B. Requires configuring both function and location for every device
C. All device groups inherit settings from the Shared group
D. Overwrites local firewall configuration
Answer: AC
Explanation:
https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/panoramaoverview/centralized-firewall-configuration-and-update-management/device-groups/device-grouphierarchy#
QUESTION 201
PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates
correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objects?
A. Application Center
B. URL Filtering
C. GlobalProtect
D. Threat Prevention
Answer: D
QUESTION 202
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of
PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no
internet connectivity from the management interface. The Security policy has the default security
rules and a rule that allows all web-browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS® software can be upgraded?
A. Security policy rule
B. CRL
C. Service route
D. Scheduler
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
QUESTION 203
Which three settings are defined within the Templates object of Panorama? (Choose three.)
A. Setup
B. Virtual Routers
C. Interfaces
D. Security
E. Application Override
Answer: ABC
QUESTION 204
An administrator has left a firewall to use the default port for all management services.
Which three functions are performed by the dataplane? (Choose three.)
A. WildFire updates
B. NAT
C. NTP
D. antivirus
E. File blocking
Answer: BDE
Explanation:
Tasks related to management services, such as dynamic updates, NTP and the User-ID agent, are
performed by the control plane. Tasks related to traffic handling, such as NAT, Content-ID and App-ID,
are performed by the dataplane.
QUESTION 205
A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny".
What effect will this configuration have on the matched traffic?
A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to
"Deny".
B. The configuration will allow the matched session unless a vulnerability is detected. The "Deny"
action will supersede the per-severity defined actions defined in the associated Vulnerability
Protection Profile.
C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will
be displayed during a commit.
D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured
Security Profiles have no effect if the Security policy rule action is set to "Deny."
Answer: D
Explanation:
“Security profiles are not used in the match criteria of a traffic flow. The security profile is applied
to scan traffic after the application or category is allowed by the security policy.”
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-profiles.html#
QUESTION 206
If the firewall has the link monitoring configuration, what will cause a failover?
A. ethernet1/3 and ethernet1/6 going down
B. ethernet1/3 going down
C. ethernet1/3 or ethernet1/6 going down
D. ethernet1/6 going down
Answer: A
Explanation:
The "Group Failure Condition" in the image is "all". If it said "any", then losing link on either interface
would cause failover.
QUESTION 207
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection
against worms and trojans.
Which Security Profile type will protect against worms and trojans?
A. Anti-Spyware
B. Intrusion Prevention
C. File Blocking
D. Antivirus
Answer: D
QUESTION 208
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama.
The configuration problem seems to be on the firewall side. Where is the best place on the Palo
Alto Networks NGFW to check whether the configuration is correct?
A.
B.
C.
D.
Answer: B
QUESTION 209
A client is concerned about resource exhaustion because of denial-of-service attacks against their
DNS servers.
Which option will protect the individual servers?
A. Enable packet buffer protection on the Zone Protection Profile.
B. Apply an Anti-Spyware Profile with DNS sinkholing.
C. Use the DNS App-ID with application-default.
D. Apply a classified DoS Protection Profile.
Answer: D
Explanation:
Packet Buffer Protection is indeed a way to protect against resource exhaustion, but it is not
configured in a DoS Protection Profile; it is enabled directly on the zone. A classified DoS Protection
Profile is what protects the individual servers.
QUESTION 210
Refer to the exhibit.
Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from
192.168.111.3 and to the destination 10.46.41.113?
A. ethernet1/6
B. ethernet1/3
C. ethernet1/7
D. ethernet1/5
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configureinterfaces/virtual-wire-interfaces.html
QUESTION 211
Which PAN-OS® policy must you configure to force a user to provide additional credentials before
he is allowed to access an internal application that contains highly sensitive business data?
A. Security policy
B. Decryption policy
C. Authentication policy
D. Application Override policy
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-policy
Authentication policy enables you to authenticate end users before they can access services and
applications. Whenever a user requests a service or application (such as by visiting a web page),
the firewall evaluates Authentication policy. Based on the matching Authentication policy rule, the
firewall then prompts the user to authenticate using one or more methods (factors), such as login
and password, Voice, SMS, Push, or One-time Password (OTP) authentication.
QUESTION 212
How would an administrator monitor/capture traffic on the management interface of the Palo Alto
Networks NGFW?
A. Use the debug dataplane packet-diag set capture stage firewall file command.
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
C. Use the debug dataplane packet-diag set capture stage management file command.
D. Use the tcpdump command.
Answer: D
Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-OnManagement-Interface/ta-p/55415
QUESTION 213
If an administrator does not possess a website's certificate, which SSL decryption mode will allow
the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?
A. SSL Forward Proxy
B. SSL Inbound Inspection
C. TLS Bidirectional proxy
D. SSL Outbound Inspection
Answer: A
Explanation:
https://live.paloaltonetworks.com/t5/Learning-Articles/Difference-Between-SSL-Forward-Proxyand-Inbound-Inspection/ta-p/55553
QUESTION 214
Which CLI command enables an administrator to view details about the firewall including uptime,
PAN-OS® version, and serial number?
A. debug system details
B. show session info
C. show system info
D. show system details
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZuCAK
QUESTION 215
An administrator has configured the Palo Alto Networks NGFW's management interface to connect
to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature
updates?
A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the
update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.
Answer: A
Explanation:
The MGMT interface does not use Security Policies. A Service Route is needed if you are using
interfaces other than the MGMT interface.
QUESTION 216
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile
Answer: AB
Explanation:
A VLAN interface is not strictly necessary, but in this scenario we assume it is required. Create the VLAN
object, the VLAN interface and a VLAN zone. Attach the VLAN interface to the VLAN object together with
the two Layer 2 interfaces, then attach the VLAN interface to a virtual router. Without a VLAN interface you
can only pass traffic between interfaces on the same network; with a VLAN interface you can route traffic
to other networks.
QUESTION 217
Which option would an administrator choose to define the certificate and protocol that Panorama
and its managed devices use for SSL/TLS services?
A. Configure a Decryption Profile and select SSL/TLS services.
B. Set up SSL/TLS under Polices > Service/URL Category > Service.
C. Set up a Security policy rule to allow SSL communication.
D. Configure an SSL/TLS Profile.
Answer: D
Explanation:
SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for
firewall or Panorama services that use SSL/TLS (such as administrative access to the web
interface). By defining the protocol versions, the profiles enable you to restrict the cipher suites that
are available for securing communication with the client systems requesting the services.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/devicecertificate-management-ssltls-service-profile.html
QUESTION 218
VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously
intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious
behavior?
A. Zone Protection
B. DoS Protection
C. Web Application
D. Replay
Answer: D
Explanation:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/set-up-site-to-sitevpn/set-up-an-ipsec-tunnel
QUESTION 219
Which item enables a firewall administrator to see details about traffic that is currently active
through the NGFW?
A. ACC
B. System Logs
C. App Scope
D. Session Browser
Answer: D
QUESTION 220
An administrator needs to optimize traffic to prefer business-critical applications over non-critical
applications.
QoS natively integrates with which feature to provide service quality?
A. Port Inspection
B. Certificate revocation
C. Content-ID
D. App-ID
Answer: D
Explanation:
The Palo Alto Networks firewall provides this capability by integrating the App-ID and User-ID features
with the QoS configuration.
QUESTION 221
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator
also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs.
There are three entries. The first entry shows traffic dropped as application Unknown. The next two
entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being
allowed as SSL?
A. Create a decryption rule matching the encrypted BitTorrent traffic with action "No- Decrypt," and
place the rule at the top of the Decryption policy.
B. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at
the top of the Security policy.
C. Disable the exclude cache option for the firewall.
D. Create a Decryption Profile to block traffic using unsupported ciphers, and attach the profile to the
decryption rule.
Answer: D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK
QUESTION 222
Refer to the exhibit. Which certificate can be used as a Forward Trust certificate?
A. Certificate from Default Trust Certificate Authorities
B. Domain Sub-CA
C. Forward_Trust
D. Domain-Root-Cert
Answer: B
Explanation:
Domain Sub-CA as it is a CA and has a key which is required for a Forward Trust Certificate.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0
QUESTION 223
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?
A. Okta
B. DUO
C. RADIUS
D. PingID
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/authenticationtypes/multi-factor-authentication
The firewall makes it easy to implement MFA in your network by integrating directly with several
MFA platforms (such as Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all
other MFA platforms.
QUESTION 224
Which CLI command can be used to export the tcpdump capture?
A. scp export tcpdump from mgmt.pcap to <username@host:path>
B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
D. download mgmt.-pcap
Answer: C
Explanation:
admin@PAFW01> scp export mgmt-pcap
+ remote-port SSH port number on remote host
+ source-ip Set source address to specified interface address
* from from
* to Destination (username@host:path)
admin@PAFW01> scp export mgmt-pcap from
<No files available> Directory is empty
admin@PAFW01> scp export mgmt-pcap from test.pcap
* to Destination (username@host:path)
admin@PAFW01> scp export mgmt-pcap from test.pcap to test@test:dir <Enter> Finish input
QUESTION 225
Which three authentication services can an administrator use to authenticate admins into the Palo Alto
Networks NGFW without defining a corresponding admin account on the local firewall? (Choose
three.)
A. Kerberos
B. PAP
C. SAML
D. TACACS+
E. RADIUS
F. LDAP
Answer: CDE
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/managefirewall-administrators/administrative-authentication
QUESTION 226
Which method will dynamically register tags on the Palo Alto Networks NGFW?
A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain
controller (RODC)
B. Restful API or the VMware API on the firewall or on the User-ID agent
C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent
Answer: D
Explanation:
To mitigate the challenges of scale, lack of flexibility, and performance, network architectures today
allow for virtual machines (VMs) and applications to be provisioned, changed, and deleted on
demand. This agility, though, poses a challenge for security administrators because they have
limited visibility into the IP addresses of the dynamically provisioned VMs and the plethora of
applications that can be enabled on these virtual resources. Firewalls (hardware-based and
VM-Series models) support the ability to register IP addresses, IP sets (IP ranges and subnets), and
tags dynamically. The IP addresses and tags can be registered on the firewall directly or from
Panorama. You can also automatically remove tags on the source and destination IP addresses
included in a firewall log.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/register-ip-addresses-andtags-dynamically.html
QUESTION 227
Which feature can be configured on VM-Series firewalls?
A. aggregate interfaces
B. machine learning
C. multiple virtual systems
D. GlobalProtect
Answer: D
QUESTION 228
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
A. The firewall is in multi-vsys mode.
B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.
D. The firewall's DP CPU is higher than 50%.
Answer: BC
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/take-packetcaptures/disable-hardware-offload
QUESTION 229
What is exchanged through the HA2 link?
A. hello heartbeats
B. User-ID information
C. session synchronization
D. HA state information
Answer: C
QUESTION 230
View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?
A. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
B. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
D. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
Answer: C
Explanation:
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/define-the-globalprotect-app-configurations
QUESTION 231
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab
environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?
A. Use config-drive on a USB stick.
B. Use an S3 bucket with an ISO.
C. Create and attach a virtual hard disk (VHD).
D. Use a virtual CD-ROM with an ISO.
Answer: D
Explanation:
https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-package
QUESTION 232
Which two subscriptions are available when configuring Panorama to push dynamic updates to
connected devices? (Choose two.)
A. Content-ID
B. User-ID
C. Applications and Threats
D. Antivirus
Answer: CD
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/supported-updates
QUESTION 233
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No
Decrypt" action? (Choose two.)
A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing
Answer: AD
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile
QUESTION 234
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources
Answer: A
Explanation:
'show running resource-monitor' shows dataplane CPU statistics.
'show system resources [follow]' shows management plane CPU statistics.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluDCAS
QUESTION 235
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL
decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption
Answer: B
Explanation:
Use SSL Inbound Inspection to decrypt and inspect inbound SSL/TLS traffic from a client to a
targeted network server (any server whose certificate you possess and can import onto the firewall)
and block suspicious sessions.
For example, if an employee is remotely connected to a web server hosted on the company network
and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for
data transmission), SSL Inbound Inspection can ensure that the sensitive data does not move
outside the secure company network by blocking or restricting the session.
On the firewall, you must install the certificate and private key for each server for which you want
to perform SSL inbound inspection. You must also install the public key certificate as well as the
private key on each firewall that performs SSL inbound inspection. The way the firewall performs
SSL inbound inspection depends on the type of key negotiated, Rivest, Shamir, Adleman (RSA) or
Perfect Forward Secrecy (PFS).
For RSA keys, the firewall performs SSL inbound inspection without terminating the connection. As
the encrypted session flows through the firewall, the firewall transparently makes a copy of it and
decrypts it so that the firewall can apply the appropriate policy to the traffic.
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection.html#id8e14546e-d8d9-485b-a936-64119ef7ad61
QUESTION 236
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection
against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?
A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection
QUESTION 237
Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)
A. maximum file size
B. file types
C. application
D. direction
Answer: BCD
Explanation:
Define the profile rules to match unknown traffic and forward samples for analysis based on application, file type, and direction.
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/submit-files-for-wildfire-analysis/forward-files-for-wildfire-analysis.html
QUESTION 238
Which DoS protection mechanism detects and prevents session exhaustion attacks?
A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection
Answer: C
Explanation:
QUESTION 239
Which processing order will be enabled when a Panorama administrator selects the setting
"Objects defined in ancestors will take higher precedence?"
A. Descendant objects will take precedence over other descendant objects.
B. Descendant objects will take precedence over ancestor objects.
C. Ancestor objects will have precedence over descendant objects.
D. Ancestor objects will have precedence over other ancestor objects.
Answer: C
Explanation:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/manage-device-groups/manage-precedence-of-inherited-objects
QUESTION 240
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW
to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?
A. Decryption Mirror interface with the Threat Analysis license
B. Virtual Wire interface with the Decryption Port Export license
C. Tap interface with the Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license
Answer: D
Explanation:
Decryption port mirroring allows you to copy decrypted traffic from a firewall and then send it to a
traffic collection tool, such as NetWitness or Solera. Decryption mirroring requires a Decryption
Port Mirror license. This license is free of charge and you can activate it through the customer
support portal.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-decryption-port-mirroring
QUESTION 241
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual
authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?
A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication
Answer: A
Explanation:
https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-authentication-using-custom-certificates
QUESTION 242
The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)
A. Create a custom application.
B. Create a custom object for the custom application server to identify the custom application.
C. Submit an App-ID request to Palo Alto Networks.
D. Create a Security policy to identify the custom application.
Answer: AC
Explanation:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-custom-or-unknown-applications
QUESTION 243
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?
A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption.html#ida09e44a8-fd80-41e8-8572-33e9b122ad22
QUESTION 244
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
A. Verify AutoFocus status using CLI.
B. Check the WebUI Dashboard AutoFocus widget.
C. Check for WildFire forwarding logs.
D. Check the license.
E. Verify AutoFocus is enabled below Device Management tab.
Answer: DE
QUESTION 245
When is the content inspection performed in the packet flow process?
A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet
Answer: A
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
QUESTION 246
Which User-ID method should be configured to map IP addresses to usernames for users
connected through a terminal server?
A. port mapping
B. server monitoring
C. client probing
D. XFF headers
Answer: A
Explanation:
In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many users share the same IP address. In this case, the user-to-IP address mapping process
requires knowledge of the source port of each client. To perform this type of mapping, you must
install the Palo Alto Networks Terminal Server Agent on the Windows/Citrix terminal server itself to
intermediate the assignment of source ports to the various user processes. For terminal servers
that do not support the Terminal Server agent, such as Linux terminal servers, you can use the
XML API to send user mapping information from login and logout events to User-ID. See Configure
User Mapping for Terminal Server Users for configuration details.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/user-mapping/port-mapping.html
QUESTION 247
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
A. Untrust (any) to Untrust (10.1.1.100), web-browsing - Allow
B. Untrust (any) to Untrust (1.1.1.100), web-browsing - Allow
C. Untrust (any) to DMZ (1.1.1.100), web-browsing - Allow
D. Untrust (any) to DMZ (10.1.1.100), web-browsing - Allow
Answer: C
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-example-one-to-one-mapping.html#ide8f6a4b3-f875-4855-acb55fd9ad918d04
QUESTION 248
In High Availability, which information is transferred via the HA data link?
A. session information
B. heartbeats
C. HA state information
D. User-ID information
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links.html
QUESTION 249
Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)
A. Push
B. Pull
C. Okta Adaptive
D. Voice
E. SMS
Answer: ADE
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-types/multi-factor-authentication
QUESTION 250
A client has a sensitive application server in their data center and is particularly concerned about
resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against
resource exhaustion originating from multiple IP addresses (DDoS attack)?
A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
B. Add a Vulnerability Protection Profile to block the attack.
C. Add QoS Profiles to throttle incoming requests.
D. Add a DoS Protection Profile with defined session count.
Answer: D
QUESTION 251
A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link
aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)
A. ae.8
B. aggregate.1
C. ae.1
D. aggregate.8
Answer: AC
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/network-interfaces/aggregate-ethernet-ae-interface-group
QUESTION 252
If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are
recorded in which log type?
A. Data Filtering
B. WildFire Submissions
C. Threat
D. Traffic
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/configure-dns-sinkholing
QUESTION 253
A web server is hosted in the DMZ and the server is configured to listen for incoming connections
on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone
needs to be configured to allow web-browsing access. The web server hosts its contents over
HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be
configured to allow cleartext web-browsing traffic to this server on tcp/443?
A. Rule #1: application: web-browsing; service: application-default; action: allow
Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-https; action: allow
Rule #2: application: ssl; service: application-default; action: allow
C. Rule # 1: application: ssl; service: application-default; action: allow
Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-http; action: allow
Rule #2: application: ssl; service: application-default; action: allow
Answer: A
Explanation:
If decrypted traffic matches the web-browsing application, the firewall logs it as web-browsing over ssl (port 443), so a rule whose service is set to "application-default" will never match it.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEyCAK
QUESTION 254
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW
with both usernames and role names? (Choose three.)
A. TACACS+
B. Kerberos
C. PAP
D. LDAP
E. SAML
F. RADIUS
Answer: AEF
Explanation:
External service
The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The
server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML
server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and
virtual systems that you define on the firewall. For details, see:
Configure SAML Authentication
Configure TACACS+ Authentication
Configure RADIUS Authentication
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html
QUESTION 255
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?
A. Both SSH keys and SSL certificates must be generated.
B. No prerequisites are required.
C. SSH keys must be manually generated.
D. SSL certificates must be generated.
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-forward-proxy.html#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21
QUESTION 256
Which virtual router feature determines if a specific destination IP address is reachable?
A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path
Answer: C
Explanation:
Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct
traffic through an alternate route, when needed.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf
QUESTION 257
Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone
to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT
policy in the Palo Alto Networks firewall.
A.
B.
C.
D.
Answer: B
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
By default, a Security policy rule applies to all matching interzone and intrazone traffic in the specified source and destination zones, regardless of whether the traffic stays within one zone or crosses between two zones.
QUESTION 258
An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum
allowable bandwidth for the YouTube application. However, YouTube is consuming more than the
maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?
A. Enable QoS interface
B. Enable QoS in the Interface Management Profile
C. Enable QoS Data Filtering Profile
D. Enable QoS monitor
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/quality-of-service/configure-qos.html
QUESTION 259
Which log file can be used to identify SSL decryption failures?
A. Traffic
B. ACC
C. Configuration
D. Threats
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/verify-decryption.html
QUESTION 260
A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)
A. tunnel.1
B. vpn-tunnel.1
C. tunnel.1025
D. vpn-tunnel.1024
Answer: AC
Explanation:
QUESTION 261
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?
A. Palo Alto Networks > Symantec > VeriSign
B. VeriSign > Symantec > Palo Alto Networks
C. Symantec > VeriSign > Palo Alto Networks
D. VeriSign > Palo Alto Networks > Symantec
Answer: B
QUESTION 262
An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates
daily, so it is configured to use a scheduler for the application database. Unfortunately, they
required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates
automatically?
A. Downloading and installing application updates cannot be done automatically if the MGT port cannot reach the Internet.
B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.
C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your Internet connection.
D. Configure a Security policy rule to allow all traffic to and from the update servers.
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes/service-routes-overview
QUESTION 263
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link.
They need to assign each VLAN to its own zone and assign untagged (native) traffic to its own
zone.
Which option differentiates multiple VLANs into separate zones?
A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
Answer: B
Explanation:
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to
connect two interfaces and configure either interface to block or allow traffic based on the virtual
LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.
You can also create multiple subinterfaces, add them into different zones, and then classify traffic
according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or
subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific
source IP address, range, or subnet.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html
QUESTION 264
An engineer needs to redistribute User-ID mappings from multiple data centers. Which data flow
best describes redistribution of user mappings?
A. User-ID agent to firewall
B. Domain Controller to User-ID agent
C. User-ID agent to Panorama
D. firewall to firewall
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/configure-firewalls-to-redistribute-user-mapping-informatio
QUESTION 265
Where can an administrator see both the management plane and data plane CPU utilization in the
WebUI?
A. System Utilization log
B. System log
C. Resources widget
D. CPU Utilization widget
Answer: C
Explanation:
QUESTION 266
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)
A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password
Answer: ABDF
Explanation:
"For example, the MFA service might prompt you to select the Voice, SMS, push, or PIN code
(OTP) authentication method"
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-multi-factor-authentication.html
QUESTION 267
Which two features does PAN-OS® software use to identify applications? (Choose two.)
A. transaction characteristics
B. session number
C. port number
D. application layer payload
Answer: AD
Explanation:
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls,
determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any
other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream
to accurately identify applications.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/app-id-overview.html#idf38e43a6-446e-49e2-b652-6b1817df22b5
QUESTION 268
An administrator wants to upgrade an NGFW from PAN-OS® 7.1.2 to PAN-OS® 8.0.2. The firewall
is not a part of an HA pair.
What needs to be updated first?
A. Applications and Threats
B. XML Agent
C. WildFire
D. PAN-OS® Upgrade Agent
Answer: A
Explanation:
Ensure that the firewall is running the latest content release version.
Refer to the Release Notes for the minimum content release version you must install for a PAN-OS 10.0 release. Make sure to follow the Best Practices for Application and Threat Updates.
Select Device > Dynamic Updates and see which Applications or Applications and Threats content
release version is Currently Installed.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-a-standalone-firewall.html
QUESTION 269
When backing up and saving configuration files, what is achieved using only the firewall and is not
available in Panorama?
A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot
Answer: C
Explanation:
"there is no "Export Device State" option available on the WebGUI of the Panorama"
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgKCAS
QUESTION 270
Which two settings can be configured only locally on the firewall and not pushed from a Panorama
template stack? (Choose two.)
A. HA1 IP Address
B. Master Key
C. Zone Protection Profile
D. Network Interface Type
Answer: AB
Explanation:
You can use Templates and Template Stacks to define a wide array of settings but you can perform
the following tasks only locally on each managed firewall:
Configure a device block list.
Clear logs.
Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode.
Configure the IP addresses of firewalls in an HA pair.
Configure a master key and diagnostics.
Compare configuration files (Config Audit).
Rename a vsys on a multi-vsys firewall.
QUESTION 271
An administrator just submitted a newly found piece of spyware for WildFire analysis.
The spyware monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?
A. Malware
B. Grayware
C. Phishing
D. Spyware
Answer: B
Explanation:
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
QUESTION 272
When configuring the firewall for packet capture, what are the valid stage types?
A. receive, management, transmit, and non-syn
B. receive, management, transmit, and drop
C. receive, firewall, send, and non-syn
D. receive, firewall, transmit, and drop
Answer: D
Explanation:
You define the file name based on the stage (Drop, Firewall, Receive, or Transmit).
QUESTION 273
Which operation will impact performance of the management plane?
A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
QUESTION 274
Which User-ID method maps IP addresses to usernames for users connecting through a web proxy
that has already authenticated the user?
A. syslog listening
B. server monitoring
C. client probing
D. port mapping
Answer: A
Explanation:
To obtain user mappings from existing network services that authenticate users, such as wireless
controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access
Control (NAC) mechanisms, Configure User-ID to Monitor Syslog Senders for User Mapping.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users.html#id61f141da-8b89-49c9-b34a-ed11b434d1db
QUESTION 275
The firewall determines if a packet is the first packet of a new session or if a packet is part of an
existing session using which kind of match?
A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category
Answer: A
QUESTION 276
Which GlobalProtect Client connect method requires the distribution and use of machine
certificates?
A. At-boot
B. Pre-logon
C. User-logon (Always on)
D. On-demand
Answer: B
QUESTION 277
Which feature can provide NGFWs with User-ID mapping information?
A. Web Captcha
B. Native 802.1q authentication
C. GlobalProtect
D. Native 802.1x authentication
Answer: C
QUESTION 278
Which Panorama administrator types require the configuration of at least one access domain?
(Choose two.)
A. Role Based
B. Custom Panorama Admin
C. Device Group
D. Dynamic
E. Template Admin
Answer: CE
QUESTION 279
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and
Threat updates while applying only new content IDs to traffic?
A. Select download-and-install
B. Select download-only
C. Select download-and-install, with "Disable new apps in content update" selected
D. Select disable application updates and select "Install only Threat updates"
Answer: C
QUESTION 280
Which is the maximum number of samples that can be submitted to WildFire per day, based on a
WildFire subscription?
A. 10,000
B. 15,000
C. 7,500
D. 5,000
Answer: A
Explanation:
Reference:
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/wildfire-overview/wildfire-subscription.html
QUESTION 281
In which two types of deployment is active/active HA configuration supported? (Choose two.)
A. Layer 3 mode
B. TAP mode
C. Virtual Wire mode
D. Layer 2 mode
Answer: AC
QUESTION 282
For which two reasons would a firewall discard a packet as part of the packet flow sequence?
(Choose two.)
A. ingress processing errors
B. rule match with action "deny"
C. rule match with action "allow"
D. equal-cost multipath
Answer: AB
QUESTION 283
Which logs enable a firewall administrator to determine whether a session was decrypted?
A. Traffic
B. Security Policy
C. Decryption
D. Correlated Event
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption.html#ida09e44a8-fd80-41e8-8572-33e9b122ad22
QUESTION 284
An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software.
The following is occurring:
- Firewall has internet connectivity through e1/1.
- Default security rules and security rules allowing all SSL and web-browsing traffic to and from any
zone.
- Service route is configured, sourcing update traffic from e1/1.
- A communication error appears in the System logs when updates are performed.
- Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?
A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution
Answer: D
Explanation:
Security policy already permits SSL and web-browsing to and from any zone and the service route sources update traffic from the right interface, so policy is not what blocks the download. A communication error with no completed download points to name resolution: without DNS servers configured under Device > Setup > Services, the firewall cannot resolve the update server hostname and the connection never gets as far as a policy lookup.
QUESTION 285
A client has a sensitive application server in their data center and is particularly concerned about
session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against
session floods originating from a single IP address?
A. Add an Anti-Spyware Profile to block attacking IP address
B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
C. Add QoS Profiles to throttle incoming requests
D. Add a tuned DoS Protection Profile
Answer: D
Explanation:
Protection profiles and DoS Protection policy rules combine to protect specific groups of critical
resources and individual critical resources against session floods. Compared to Zone Protection
profiles, which protect entire zones from flood attacks, DoS protection provides granular defense
for specific systems, especially critical systems that users access from the internet and are often
attack targets, such as web servers and database servers. Apply both types of protection because
if you only apply a Zone Protection profile, then a DoS attack that targets a particular system in the
zone can succeed if the total connections-per-second (CPS) doesn't exceed the zone's Activate
and Maximum rates. DoS Protection is resource-intensive, so use it only for critical systems. Similar
to Zone Protection profiles, DoS Protection profiles specify flood thresholds. DoS Protection policy
rules determine the devices, users, zones, and services to which DoS Profiles apply.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dosprotection/zone-defense/dos-protection-profiles-and-policy-rules
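The explanation above hinges on granularity: a Zone Protection profile sees only the aggregate CPS of the whole zone, while a classified DoS Protection profile measures per source towards one protected host. The following Python model, added here as an illustration and not Palo Alto Networks code, replays a constructed one-second window of connection records against both layers and shows the zone layer staying quiet while the classified profile drops the single flooding source. The record fields, the threshold numbers and the alarm/activate/maximum verdict mapping are assumptions made for the example.

```python
"""Zone-level flood thresholds versus a classified DoS Protection profile.

Added illustration for the explanation above; it is not PAN-OS code. The
record format, the threshold numbers and the three-stage verdict model
(alarm / activate / maximum) are constructed for this example, and the
sample traffic is synthetic.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodThresholds:
    alarm: int      # CPS at which the firewall logs an alarm
    activate: int   # CPS at which mitigation starts
    maximum: int    # CPS above which new connections are dropped


def verdict(cps, thresholds):
    """Map a connections-per-second figure onto the profile's stages."""
    if cps > thresholds.maximum:
        return "drop"
    if cps >= thresholds.activate:
        return "mitigate"
    if cps >= thresholds.alarm:
        return "alarm"
    return "allow"


def zone_cps(records, zone):
    """Peak new connections per second across a whole ingress zone, which is
    the only figure a Zone Protection profile looks at."""
    per_second = Counter(r["ts"] for r in records if r["zone"] == zone)
    return max(per_second.values(), default=0)


def classified_cps(records, dst):
    """Peak per-source CPS towards one protected server: the granularity of
    a classified DoS Protection rule (source IP) protecting that server."""
    per_src_second = Counter((r["src"], r["ts"]) for r in records if r["dst"] == dst)
    worst = defaultdict(int)
    for (src, _), count in per_src_second.items():
        worst[src] = max(worst[src], count)
    return dict(worst)


def evaluate(records, zone, dst, zone_thresholds, dos_thresholds):
    """Return (zone verdict, {source: classified DoS verdict})."""
    zone_verdict = verdict(zone_cps(records, zone), zone_thresholds)
    dos_verdicts = {src: verdict(cps, dos_thresholds)
                    for src, cps in classified_cps(records, dst).items()}
    return zone_verdict, dos_verdicts


def sample_records():
    """Constructed one-second window: one source hammering 10.46.41.113 plus
    ordinary background traffic into the same zone."""
    attacker = [{"ts": 0, "zone": "untrust", "src": "198.51.100.7", "dst": "10.46.41.113"}
                for _ in range(600)]
    legit = [{"ts": 0, "zone": "untrust", "src": f"203.0.113.{i}", "dst": "10.46.41.113"}
             for i in range(1, 51)]
    other = [{"ts": 0, "zone": "untrust", "src": f"192.0.2.{i}", "dst": "10.46.41.200"}
             for i in range(1, 151)]
    return attacker + legit + other


if __name__ == "__main__":
    zone_t = FloodThresholds(alarm=10000, activate=10000, maximum=40000)
    dos_t = FloodThresholds(alarm=100, activate=200, maximum=500)
    z, d = evaluate(sample_records(), "untrust", "10.46.41.113", zone_t, dos_t)
    print("zone protection:", z)                  # 800 CPS is far below the zone thresholds
    print("classified DoS:", d["198.51.100.7"])   # one source exceeds the per-source maximum
```

The zone aggregate here is 800 CPS, well under the zone's activate rate, so Zone Protection alone would let the flood through; the classified profile sees 600 CPS from one source against one server and drops it, which is the case the explanation describes.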
QUESTION 286
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices
are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?
A. Antivirus update package.
B. Applications and Threats update package.
C. User-ID agent.
D. WildFire update package.
Answer: B
Explanation:
Dependencies
Before you upgrade, make sure the firewall is running a version of app + threat (content version)
that meets the minimum requirement of the new PAN-OS (see release notes). We recommend
always running the latest version of content to ensure the most accurate and effective protections
are being applied.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK
QUESTION 287
A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against
compromised hosts trying to phone-home or beacon out to external command-and-control (C2)
servers.
Which Security Profile type will prevent these behaviors?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus
Answer: A
Explanation:
Best Practice Internet Gateway Anti-Spyware Profile
Attach an Anti-Spyware profile to all allowed traffic to detect command and control traffic (C2) initiated from malicious code running on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network. Clone the predefined strict Anti-Spyware profile and edit it. To ensure availability for business-critical applications, follow the Transition Anti-Spyware Profiles Safely to Best Practices advice as you move from your current state to the best practice profile. Edit the profile to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain. The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats.
https://docs.paloaltonetworks.com/best-practices/10-0/internet-gateway-best-practices/bestpractice-internet-gateway-security-policy/create-best-practice-security-profiles.html
QUESTION 288
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1
version?
A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or
template stacks.
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1
state.
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template
stacks will be removed automatically.
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-panos-81/upgradedowngrade-considerations
QUESTION 289
Which two methods can be configured to validate the revocation status of a certificate? (Choose
two.)
A. CRL
B. CRT
C. OCSP
D. Cert-Validation-Profile
E. SSL/TLS Service Profile
Answer: AC
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/certificate-management/setup-verification-for-certificate-revocation-status
QUESTION 290
Which administrative authentication method supports authorization by an external service?
A. Certificates
B. LDAP
C. RADIUS
D. SSH keys
Answer: C
Explanation:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/firewalladministration/manage-firewall-administrators/administrative-authentication
QUESTION 291
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire
service? (Choose three.)
A. .dll
B. .exe
C. .fon
D. .apk
E. .pdf
F. .jar
Answer: ABC
Explanation:
The question asks specifically about the basic WildFire service, that is, forwarding without a WildFire subscription. The subscription page states: "The basic WildFire service is included as part of the Palo Alto Networks next generation firewall and does not require a WildFire subscription. With the basic WildFire service, the firewall can forward portable executable (PE) files for WildFire analysis."
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfiresubscription.html
The file analysis page lists what counts as a PE: "Portable Executable (PE) files. PEs include executable files, object code, DLLs, FON (fonts), and LNK files. A subscription is not required to forward PE files for WildFire analysis."
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfireconcepts/file-analysis.html
Common PE file extensions are .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys and .tsp. Of the options offered, .dll, .exe and .fon are PE files; .apk, .pdf and .jar are advanced file types that require the subscription.
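Because the basic WildFire service forwards PE files only, an extension list like the one above is a poor gate on its own: a PE renamed to .jpg is still a PE, and a .exe that holds plain text is not. The following Python check, added here as an example and not Palo Alto Networks code, decides by structure (MZ header, e_lfanew pointer, PE signature) rather than by name. The minimal PE image and the sample file set are constructed for the example.

```python
"""Decide whether a file is a Portable Executable by its structure.

Added example for the WildFire questions above (the basic service forwards
PE files only); it is not Palo Alto Networks code. The minimal PE image and
the sample file set are constructed by hand so the check runs offline.
"""
import struct


def is_pe(data):
    """True if data starts with an MZ DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_minimal_pe():
    """Constructed 128-byte blob: MZ header, e_lfanew = 0x40, PE signature,
    then zero padding. Enough for the header walk above, not a real program."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 60


def sample_files():
    """Constructed uploads: the name is what the sender claims, the bytes are
    what the file actually contains."""
    pe = build_minimal_pe()
    return {
        "update.exe": pe,                       # honest PE
        "clock.fon": pe,                        # font resource, also a PE
        "holiday.jpg": pe,                      # PE renamed to dodge extension filters
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "notes.exe": b"just some text",         # .exe that is not a PE at all
    }


def basic_service_eligible(files):
    """Which uploads the subscription-less (basic) WildFire service would
    forward, decided on content rather than on the filename extension."""
    return {name: is_pe(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, ok in basic_service_eligible(sample_files()).items():
        print(f"{name:12s} PE={ok}")
```

The firewall itself identifies file types on content the same way, which is why the subscription page talks about PE files rather than about extensions.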
QUESTION 292
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks
NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the
primary IP.
C. The firewalls do not use floating IPs in active/active HA.
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device
0 fails.
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/floating-ipaddress-and-virtual-mac-address
QUESTION 293
Which version of GlobalProtect supports split tunneling based on destination domain, client process,
and HTTP/HTTPS video streaming application?
A. GlobalProtect version 4.0 with PAN-OS 8.1
B. GlobalProtect version 4.1 with PAN-OS 8.1
C. GlobalProtect version 4.1 with PAN-OS 8.0
D. GlobalProtect version 4.0 with PAN-OS 8.0
Answer: B
Explanation:
https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-newfeatures/new-features-released-in-gp-agent-4_1/split-tunnel-for-public-applications
QUESTION 294
How does Panorama prompt VMWare NSX to quarantine an infected VM?
A. HTTP Server Profile
B. Syslog Server Profile
C. Email Server Profile
D. SNMP Server Profile
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vmseries-firewall-on-vmware-nsx/dynamically-quarantine-infected-guests
QUESTION 295
An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task?
(Choose two.)
A.
B.
C.
D.
Answer: AD
Explanation:
No Decryption profile (Objects > Decryption > Profile > No Decryption) controls server verification
checks for traffic that you choose not to decrypt as defined in "No Decryption" Decryption policies
to which you attach the profile.
Server Certificate Verification
Block sessions with expired certificates
Block sessions with untrusted issuers
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/nodecryption-decryption-profile.html
QUESTION 296
Which two actions would be part of an automatic solution that would block sites with untrusted
certificates without enabling SSL Forward Proxy? (Choose two.)
A. Create a no-decrypt Decryption Policy rule.
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
C. Create a Dynamic Address Group for untrusted sites
D. Create a Security Policy rule with vulnerability Security Profile attached.
E. Enable the "Block sessions with untrusted issuers" setting.
Answer: AD
Explanation:
You can use the No Decryption tab to enable settings to block traffic that is matched to a decryption
policy configured with the No Decrypt action ( Policies > Decryption > Action). Use these options
to control server certificates for the session, though the firewall does not decrypt and inspect the
session traffic.
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objectsdecryption-profile
QUESTION 297
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against
resource exhaustion. When platform utilization is considered, which steps must the administrator
take to configure and apply packet buffer protection?
A. Enable and configure the Packet Buffer protection thresholds.
Enable Packet Buffer Protection per ingress zone.
B. Enable and then configure Packet Buffer thresholds
Enable Interface Buffer protection.
C. Create and Apply Zone Protection Profiles in all ingress zones.
Enable Packet Buffer Protection per ingress zone.
D. Configure and apply Zone Protection Profiles for all egress zones.
Enable Packet Buffer Protection per egress zone.
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits.
Enable Zone Buffer Protection per zone.
Answer: A
Explanation:
You can configure Packet Buffer Protection at two levels: the device level (global) and if enabled
globally, you can also enable it at the zone level. Global packet buffer protection (Device > Setup >
Session) is to protect firewall resources and ensure that malicious traffic does not cause the firewall
to become non-responsive.
Packet buffer protection per ingress zone (Network > Zones) is a second layer of protection that
starts blocking the offending IP address if it continues to exceed the packet buffer protection
thresholds. The firewall can block all traffic from the offending source IP address. Keep in mind that
if the source IP address is a translated NAT IP address, many users can be using the same IP
address. If one abusive user triggers packet buffer protection and the ingress zone has packet
buffer protection enabled, all traffic from that offending source IP address (even from non-abusive
users) can be blocked when the firewall puts the IP address on its block list.
The most effective way to block DoS attacks against a service behind the firewall is to configure
packet buffer protection globally and per ingress zone. You can Enable Packet Buffer Protection
for a zone, but it is not active until you enable packet buffer protection globally and specify the
settings.
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dosprotection/configure-zone-protection-to-increase-network-security/configure-packet-bufferprotection
QUESTION 298
What is the purpose of the firewall decryption broker?
A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
B. force decryption of previously unknown cipher suites
C. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
D. inspect traffic within IPsec tunnels
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/decryptionfeatures/decryption-broker
QUESTION 299
SAML SLO is supported for which two firewall features? (Choose two.)
A. GlobalProtect Portal
B. CaptivePortal
C. WebUI
D. CLI
Answer: AC
Explanation:
SSO= GlobalProtect Portal , CaptivePortal, WebUI
SLO= GlobalProtect Portal , WebUI
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/configure-samlauthentication
QUESTION 300
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit
counter when a firewall is rebooted? (Choose two.)
A. Rule Usage Hit counter will not be reset
B. Highlight Unused Rules will highlight all rules.
C. Highlight Unused Rules will highlight zero rules.
D. Rule Usage Hit counter will reset.
Answer: AB
QUESTION 301
Which is not a valid reason for receiving a decrypt-cert-validation error?
A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/networkingfeatures/ssl-ssh-session-end-reasons
QUESTION 302
In the following image from Panorama, why are some values shown in red?
A. sg2 session count is the lowest compared to the other managed devices.
B. us3 has a logging rate that deviates from the administrator-configured thresholds.
C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
D. sg2 has misconfigured session thresholds.
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/panorama-webinterface/panorama-managed-devices-summary/panorama-managed-devices-health
A metric health baseline is determined by averaging the health performance for a given metric over
seven days plus the standard deviation.
QUESTION 303
The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely
is wrong?
A. A Certificate Profile that contains the client certificate needs to be selected.
B. The source address supports only files hosted with an ftp://<address/file>.
C. External Dynamic Lists do not support SSL connections.
D. A Certificate Profile that contains the CA certificate needs to be selected.
Answer: D
Explanation:
If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication.
Select a Certificate Profile
or create a New Certificate Profile for authenticating the server that hosts the list. The certificate
profile you select must have root certificate authority (CA) and intermediate CA certificates that
match the certificates installed on the server you are authenticating.
https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-usingExternal-Dynamic-Lists/ta-p/190414
QUESTION 304
Based on the image, what caused the commit warning?
A. The CA certificate for FWDtrust has not been imported into the firewall.
B. The FWDtrust certificate has not been flagged as Trusted Root CA.
C. SSL Forward Proxy requires a public certificate to be imported into the firewall.
D. The FWDtrust certificate does not have a certificate chain.
Answer: A
Explanation:
The FWDtrust is a CA certificate type capable of signing other certificates.
That means either it's a Root Certificate or Intermediate certificate. If it was a Root Certificate, then
you wouldn't get that warning. That means the certificate is an intermediate and you need to import
its Root Certificate.
QUESTION 305
Which three split tunnel methods are supported by a GlobalProtect Gateway?
A. video streaming application
B. Client Application Process
C. Destination Domain
D. Source Domain
E. Destination user/group
F. URL Category
Answer: ABC
Explanation:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/globalprotectfeatures/split-tunnel-for-public-applications
QUESTION 306
Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?
A. Authentication
B. GlobalProtect
C. Configuration
D. System
Answer: B
Explanation:
PAN-OS 9.1 introduced a dedicated GlobalProtect log type (Monitor > Logs > GlobalProtect); earlier releases wrote GlobalProtect events to the System log.
QUESTION 307
Starting with PAN-OS version 9.1, application dependency information is now reported in which
new locations? (Choose two.)
A.
B.
C.
D.
On the App Dependency tab in the Commit Status window
On the Application tab in the Security Policy Rule creation window
On the Objects > Applications browsers pages
On the Policy Optimizer's Rule Usage page
Answer: AB
QUESTION 308
Which three items are important considerations during SD-WAN configuration planning? (Choose
three.)
A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations
Answer: ACD
QUESTION 309
Which two events trigger the operation of automatic commit recovery? (Choose two.)
A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall HA pair fails over
D. when a firewall performs a local commit
Answer: BD
Explanation:
Automated commit recovery is enabled by default, allowing the managed firewalls to locally test
the configuration pushed from Panorama to verify that the new changes do not break the
connection between Panorama and the managed firewall. If the committed configuration breaks
the connection between Panorama and a managed firewall then the firewall automatically fails the
commit and the configuration is reverted to the previous running configuration and the Shared
Policy or Template Status (Panorama Managed Devices Summary) gets out of sync depending on
which configuration objects were pushed. Additionally, the managed firewalls test their connection
to Panorama every 60 minutes and if a managed firewall detects that it can no longer successfully
connect to Panorama then it reverts its configuration to the previous running configuration.
QUESTION 310
Panorama provides which two SD-WAN functions? (Choose two.)
A. network monitoring
B. control plane
C. data plane
D. physical network links
Answer: AB
Explanation:
How Does SD-WAN Work?
Traditional WANs rely on physical routers to connect remote or branch users to applications hosted
on data centers. Each router has a [data plane], which holds the information, and a [control plane],
which tells the data where to go. Where data flows is typically determined by a network engineer
or administrator who writes rules and policies, often manually, for each router on the network – a
process that can be time-consuming and prone to errors.
SD-WAN separates the control and management processes from the underlying networking
hardware, making them available as software that can be easily configured and deployed. A
centralized control plane means network administrators can write new rules and policies, and then
configure and deploy them across an entire network at once.
https://www.paloaltonetworks.com/cyberpedia/what-is-a-sd-wan
QUESTION 311
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity
D. GlobalProtect Quarantine Activity
Answer: BC
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-the-applicationcommand-center/widget-descriptions.html
QUESTION 312
Which two features can be used to tag a username so that it is included in a dynamic user group?
(Choose two.)
A. log forwarding auto-tagging
B. XML API
C. GlobalProtect agent
D. User-ID Windows-based agent
Answer: AB
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/register-ip-addresses-andtags-dynamically
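Of the two correct answers, the XML API is the one you script. The following Python, added here as an example and not Palo Alto Networks code, assembles the uid-message that registers tags on a username and the type=user-id API call that would carry it; the same payload shape with unregister-user removes the tags again. The firewall hostname, API key, username and tag are placeholders, the register-user/unregister-user layout follows the User-ID XML API documentation and should be verified against your PAN-OS release, and nothing is sent over the network.

```python
"""Tag a username through the User-ID XML API so that a Dynamic User Group
whose match criterion is that tag picks the user up.

Added example for the question above; it is not Palo Alto Networks code.
The firewall hostname, API key, username and tag are placeholders, the
uid-message layout follows the documented register-user / unregister-user
payload (verify against your PAN-OS release), and the HTTPS request is
only assembled here, never sent.
"""
import urllib.parse
import xml.etree.ElementTree as ET


def build_user_tag_message(user, tags, timeout=None, register=True):
    """Return the <uid-message> body that adds (or removes) tags on a user.
    timeout is in seconds and only meaningful when registering."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    op = ET.SubElement(payload, "register-user" if register else "unregister-user")
    entry = ET.SubElement(op, "entry", user=user)
    tag_el = ET.SubElement(entry, "tag")
    for tag in tags:
        member = ET.SubElement(tag_el, "member")
        if register and timeout is not None:
            member.set("timeout", str(timeout))   # tag expires on its own
        member.text = tag
    return ET.tostring(root, encoding="utf-8")


def build_api_request(host, api_key, uid_message):
    """URL and form-encoded POST body for the type=user-id API call."""
    url = f"https://{host}/api/"
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key,
                                   "cmd": uid_message.decode("utf-8")})
    return url, body.encode("ascii")


def parse_user_tags(uid_message):
    """Read back {user: [tags]} from a uid-message, e.g. to audit what was sent."""
    root = ET.fromstring(uid_message)
    return {entry.get("user"): [m.text for m in entry.iter("member")]
            for entry in root.iter("entry")}


if __name__ == "__main__":
    msg = build_user_tag_message("acme\\jdoe", ["quarantine"], timeout=3600)
    url, body = build_api_request("fw.example.test", "PLACEHOLDER-API-KEY", msg)
    print(msg.decode())
    print(url, len(body), "bytes")
    # To send for real: POST body to url with urllib.request, with TLS
    # verification against the firewall's management certificate.
```

Use a timeout on the member so a quarantine tag does not outlive the incident by accident, and keep the API key in a role-restricted administrator account with only the User-ID API permission.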
QUESTION 313
SD-WAN is designed to support which two network topology types? (Choose two.)
A. point-to-point
B. hub-and-spoke
C. full-mesh
D. ring
Answer: BC
Explanation:
SD-WAN supports a full mesh topology, in addition to the hub-spoke topology. The mesh can
consist of branches with or without hubs. Use full mesh when the branches need to communicate
with each other directly.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/sd-wan-features/sd-wan-fullmesh-vpn-cluster-with-ddns-service.html
QUESTION 314
Which option describes the operation of the automatic commit recovery feature?
A. It enables a firewall to revert to the previous configuration if rule shadowing is detected.
B. It enables a firewall to revert to the previous configuration if application dependency errors are
found.
C. It enables a firewall to revert to the previous configuration if a commit causes HA partner
connectivity failure.
D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity
failure.
Answer: D
Explanation:
To recover from broken configurations caused by changes pushed from the Panorama management server to managed firewalls, or committed locally on the firewall, enable Automated Commit Recovery so that managed firewalls test the configuration change on each commit and verify that it did not break the connection between Panorama and the managed firewall.
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/administerpanorama/enable-automated-commit-recovery
QUESTION 315
Which three items are important considerations during SD-WAN configuration planning? (Choose
three.)
A. branch and hub locations
B. link requirements
C. the name of the ISP
D. IP Addresses
E. connection throughput
Answer: ABD
Explanation:
Plan the complete topology of your SD-WAN-enabled branch and hub firewall interfaces so that
you can create PanoramaTM templates with CSV files and then push the configurations to the
firewalls.
Plan the branch and hub locations, link requirements, and IP addresses. From Panorama you will
export an empty SD-WAN device CSV and populate it with branch and hub information.
https://docs.paloaltonetworks.com/sd-wan/2-0/sd-wan-admin/sd-wan-overview/plan-sd-wanconfiguration.html
QUESTION 316
What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from
192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?
A. ethernet1/7
B. ethernet1/5
C. ethernet1/6
D. ethernet1/3
Answer: D
Explanation:
PBF + schedule for it, but current time is not within the schedule, so normal routing occurs.
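The point of the question is that a PBF rule with a schedule simply drops out of evaluation outside its window, and the routing table then decides. The following Python, added here as an illustration and not PAN-OS code, resolves the egress interface that way: scheduled PBF rules first, then longest-prefix routing. The rule, the schedule window and the routes are constructed for the example and are not the values from the exam screenshot.

```python
"""Egress resolution with a scheduled PBF rule.

Added example for the question above; it is not PAN-OS code. A PBF rule is
only consulted while its schedule is active; outside the window the flow
falls through to the routing table, where the longest prefix wins. The
rule, the schedule window and the routes are constructed and are not the
ones in the exam screenshot.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class PbfRule:
    ingress: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    egress: str
    schedule: Optional[Tuple[time, time]] = None  # daily (start, end); None = always


def rule_active(rule, now):
    """A rule without a schedule is always active; otherwise the wall-clock
    time must fall inside the daily window (end exclusive)."""
    if rule.schedule is None:
        return True
    start, end = rule.schedule
    return start <= now.time() < end


def route_lookup(routes, dst):
    """Longest-prefix match over (network, interface) pairs."""
    best = None
    for network, interface in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, interface)
    return best[1] if best else None


def egress_for(flow, rules, routes, now):
    """Return (interface, 'pbf' or 'routing') for a flow at time `now`."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    for rule in rules:                       # PBF rules are evaluated top-down
        if (rule.ingress == flow["ingress"] and src in rule.source
                and dst in rule.destination and rule_active(rule, now)):
            return rule.egress, "pbf"
    return route_lookup(routes, dst), "routing"


def sample_policy():
    """Constructed PBF rule: business-hours traffic from the 192.168.111.0/24
    LAN towards 10.46.0.0/16 is steered out ethernet1/7."""
    return [PbfRule("ethernet1/6",
                    ipaddress.ip_network("192.168.111.0/24"),
                    ipaddress.ip_network("10.46.0.0/16"),
                    "ethernet1/7",
                    schedule=(time(9, 0), time(17, 0)))]


def sample_routes():
    """Constructed routing table."""
    return [(ipaddress.ip_network("10.46.0.0/16"), "ethernet1/3"),
            (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/5")]


def resolve_at(flow, hour, minute):
    """Evaluate the sample policy and routes at a given clock time."""
    return egress_for(flow, sample_policy(), sample_routes(),
                      datetime(2021, 6, 1, hour, minute))


if __name__ == "__main__":
    flow = {"ingress": "ethernet1/6", "src": "192.168.111.3", "dst": "10.46.41.113"}
    print("10:30", resolve_at(flow, 10, 30))   # inside the window: PBF egress
    print("20:30", resolve_at(flow, 20, 30))   # outside the window: routing table
```

When troubleshooting a live firewall the equivalent check is "test pbf-policy-match" followed by "test routing fib-lookup"; if the first returns no match at the current time, the second tells you where the packet actually goes.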
QUESTION 317
How can an administrator configure the NGFW to automatically quarantine a device using
GlobalProtect?
A. by adding the devices Host ID to a quarantine list and configure GlobalProtect to prevent users
from connecting to the GlobalProtect gateway from a quarantined device
B. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom
of the Device Quarantine page and leveraging the appropriate XSOAR playbook
C. by using security policies, log forwarding profiles, and log settings
D. there is no native auto-quarantine feature so a custom script would need to be leveraged
Answer: C
Explanation:
https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/hostinformation/quarantine-devices-using-host-information/automatically-quarantine-a-device
QUESTION 318
To protect your firewall and network from single source denial of service (DoS) attacks that can
overwhelm its packet buffer and cause legitimate traffic to drop, you can configure
A. PBP (Protocol Based Protection)
B. BGP (Border Gateway Protocol)
C. PGP (Packet Gateway Protocol)
D. PBP (Packet Buffer Protection)
Answer: D
Explanation:
QUESTION 319
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial
configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB
flash drive was formatted using file system FAT32 and the initial configuration is stored in a file
named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The
contents of init-cfg.txt in the USB flash drive are as follows:
The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted
using the command: > request restart system
Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:
A. The bootstrap.xml file is a required file, but it is missing
B. Firewall must be in factory default state or have all private data deleted for bootstrapping
C. The hostname is a required parameter, but it is missing in init-cfg.txt
D. PAN-OS version must be 9.1.x at a minimum, but the firewall is running 10.0.x
E. The USB must be formatted using the ext3 file system. FAT32 is not supported
Answer: B
Explanation:
The firewall must be in a factory default state or must have all private data deleted.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/bootstrapthe-firewall/bootstrap-a-firewall-using-a-usb-flash-drive
QUESTION 320
An Administrator is configuring Authentication Enforcement and they would like to create an
exemption rule to exempt a specific group from authentication. Which authentication enforcement
object should they select?
A. default-no-captive-portal
B. default-authentication-bypass
C. default-browser-challenge
D. default-web-form
Answer: A
Explanation:
Authentication Method. Select a method:
browser-challenge -- The firewall transparently obtains user authentication credentials. If you select this action, the Authentication Profile you select must have Kerberos SSO enabled.
web-form -- To authenticate users, the firewall uses the certificate profile you specified when configuring Authentication Portal or the Authentication Profile you select in the authentication enforcement object. If you select an Authentication Profile, the firewall ignores any Kerberos SSO settings in the profile and presents an Authentication Portal page for the user to enter authentication credentials.
no-captive-portal -- The firewall evaluates Security policy without authenticating users.
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objectsauthentication.html
QUESTION 321
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial
configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file system
NTFS and the initial configuration is stored in a file named init-cfg.txt. The contents of init-cfg.txt in
the USB flash drive are as follows:
The USB flash drive has been inserted in the firewall's USB port, and the firewall has been powered
on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused because:
A. the bootstrap.xml file is a required file, but it is missing
B. init-cfg.txt is an incorrect filename, the correct filename should be init-cfg.xml
C. The USB must be formatted using the ext4 file system
D. There must be commas between the parameter names and their values instead of the equal symbols
E. The USB drive has been formatted with an unsupported file system
Answer: E
Explanation:
The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support
one of the following:
File Allocation Table 32 (FAT32)
Third Extended File System (ext3)
The firewall can bootstrap from the following flash drives with USB2.0 or USB3.0 connectivity:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/bootstrapthe-firewall/usb-flash-drive-support.html#id3cfc3106-f7ab-4eee-82b7-1ca62ec5e997
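The two bootstrap questions above list the mistakes that stop a USB bootstrap before it starts. The following Python pre-flight check, added here as an example and not PAN-OS code, parses init-cfg.txt as the key=value file the docs describe and reports those mistakes: unsupported filesystem, wrong filename, commas instead of equals signs, missing static-address parameters, and a firewall that is not in factory default state. The parameter names follow the init-cfg.txt reference; the sample file and the filesystem label are constructed, and the factory-default state is an input because it cannot be read from the stick.

```python
"""Pre-flight check for a USB bootstrap before rebooting the firewall.

Added example for the two bootstrap questions above; it is not PAN-OS
code. It parses init-cfg.txt as the key=value file the docs describe and
reports the failure causes those questions list. The parameter names
follow the init-cfg.txt reference; the sample file content and the
filesystem label are constructed, and the factory-default state is passed
in because it cannot be inferred from the USB stick.
"""
SUPPORTED_FILESYSTEMS = {"FAT32", "ext3"}
REQUIRED_FOR_STATIC = {"ip-address", "default-gateway", "netmask"}


def parse_init_cfg(text):
    """Parse key=value lines; blank lines and # comments are ignored.
    Raises ValueError on a line without '=' (e.g. a comma-separated one)."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def preflight(filename, filesystem, text, factory_default):
    """Return a list of problems; an empty list means the stick should boot."""
    problems = []
    if filename != "init-cfg.txt":
        problems.append(f"config must be named init-cfg.txt, found {filename!r}")
    if filesystem not in SUPPORTED_FILESYSTEMS:
        problems.append(f"filesystem {filesystem} unsupported; use one of "
                        + ", ".join(sorted(SUPPORTED_FILESYSTEMS)))
    if not factory_default:
        problems.append("firewall must be factory default or have private data deleted")
    try:
        params = parse_init_cfg(text)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if params.get("type") == "static":
        missing = sorted(REQUIRED_FOR_STATIC - params.keys())
        if missing:
            problems.append("static addressing needs: " + ", ".join(missing))
    return problems


SAMPLE_INIT_CFG = """\
# constructed example, not a real deployment
type=static
ip-address=192.0.2.10
default-gateway=192.0.2.1
netmask=255.255.255.0
hostname=fw-branch01
panorama-server=198.51.100.20
"""

if __name__ == "__main__":
    for fs in ("FAT32", "NTFS"):
        print(fs, preflight("init-cfg.txt", fs, SAMPLE_INIT_CFG, factory_default=True))
    print("lab box", preflight("init-cfg.txt", "FAT32", SAMPLE_INIT_CFG, factory_default=False))
```

Run the check against the mounted stick before you reboot; on a lab firewall the factory-default problem is the one people forget, and it is fixed with "request system private-data-reset" (or a factory reset) rather than anything on the USB drive.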
QUESTION 322
To more easily reuse templates and template stacks, you can create template variables in place of
firewall-specific and appliance-specific IP literals in your configurations.
Which one is the correct configuration
A. &Panorama
B. @Panorama
C. $Panorama
D. #Panorama
Answer: C
Explanation:
Add the new variable. A variable name must start with the dollar ($) symbol. Name the new variable; in this example, the variables are named $DNS-primary and $DNS-secondary. Select the variable Type and enter the corresponding value for the selected variable type (for this example, select IP Netmask). Optionally, enter a description for the variable. Click OK and Close.
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/managetemplates-and-template-stacks/configure-template-or-template-stackvariables.html#id17B8D0PG0TA
QUESTION 323
On the NGFW, how can you generate and block a private key from export and thus harden your
security posture and prevent rogue administrators or other bad actors from misusing keys?
A. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3. Select Import Private key 4. Click Generate to generate the new certificate
B. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate
D. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
Answer: C
Explanation:
To generate a certificate and block its private key from export:
1. Select Device > Certificate Management > Certificates > Device > Certificates.
2. Generate the certificate.
3. Select Block Private Key Export, then click Generate to generate the new certificate.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/blockexport-of-private-keys.html
QUESTION 324
What is the maximum number of samples that can be submitted to WildFire manually per day?
A. 1,000
B. 2,000
C. 5,000
D. 15,000
Answer: A
Explanation:
All Palo Alto Networks customers with a support account can use the Palo Alto Networks WildFire
portal to manually submit up to five samples a day for WildFire analysis. If you have a WildFire
subscription, you can manually submit samples to the portal as part of your 1000 sample uploads
daily limit; however, keep in mind that the 1000 sample daily limit also includes WildFire API
submissions.
Reference:
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/submit-files-for-wildfireanalysis/manually-upload-files-to-the-wildfire-portal.html
QUESTION 325
What file type upload is supported as part of the basic WildFire service?
A. ELF
B. BAT
C. PE
D. VBS
Answer: C
Explanation:
WildFire Advanced File Type Support: In addition to PEs, forward advanced file types for WildFire analysis, including APKs, Flash files, PDFs, Microsoft Office files, Java Applets, Java files (.jar and .class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages. (WildFire private cloud analysis does not support APK, Mac OS X, Linux (ELF), archive (RAR/7-Zip), and script (JS, BAT, VBS, Shell Script, PS1, and HTA) files.)
Reference:
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/wildfire-overview/wildfiresubscription.html
QUESTION 326
Updates to dynamic user group membership are automatic therefore using dynamic user groups
instead of static group objects allows you to:
A. respond to changes in user behaviour or potential threats using manual policy changes
B. respond to changes in user behaviour or potential threats without manual policy changes
C. respond to changes in user behaviour or potential threats without automatic policy changes
D. respond to changes in user behaviour and confirmed threats with manual policy changes
Answer: B
Explanation:
Dynamic user groups help you to create policy that provides auto-remediation for anomalous user
behavior and malicious activity while maintaining user visibility. After you create the group and
commit the changes, the firewall registers the users and associated tags then automatically
updates the dynamic user group's membership. Because updates to dynamic user group
membership are automatic, using dynamic user groups instead of static group objects allows you
to respond to changes in user behavior or potential threats without manual policy changes.
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-dynamic-user-groups-inpolicy.html
QUESTION 327
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an
email?
A. exploitation
B. IP command and control
C. delivery
D. reconnaissance
Answer: C
Explanation:
Delivery: This stage marks the transition from the attacker working outside of an organization’s
network to working within an organization’s network. Malware delivered during this stage is
designed to exploit existing software vulnerabilities. To deliver its initial malware, the attacker might
choose to embed malicious code within seemingly innocuous PDF or Word files, or within an email
message.
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide-latest.pdf
QUESTION 328
In a Panorama template which three types of objects are configurable? (Choose three)
A. HIP objects
B. QoS profiles
C. interface management profiles
D. certificate profiles
E. security profiles
Answer: BCD
Explanation:
Anything under the Network or Device tabs is configured in a template.
Options A and E (HIP objects and security profiles) are configured in a device group.
QUESTION 329
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
A. not-applicable
B. incomplete
C. unknown-ip
D. unknown-udp
Answer: D
Explanation:
To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID,
the only applications that are typically classified as unknown traffic--tcp, udp or non-syn-tcp--in the
ACC and the Traffic logs are commercially available applications that have not yet been added to
App-ID, internal or custom applications on your network, or potential threats.
QUESTION 330
An engineer must configure the Decryption Broker feature.
Which Decryption Broker security chain supports bi-directional traffic flow?
A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain
Answer: B
Explanation:
Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces.
Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your
security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or
bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security
chain, and which interface receives the traffic back from the security chain after it has undergone
additional enforcement.
QUESTION 331
An organization has recently migrated its infrastructure and configuration to NGFWs, for which
Panorama manages the devices.
The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying
policies that are no longer needed.
Which Panorama tool can help this organization?
A. Config Audit
B. Policy Optimizer
C. Application Groups
D. Test Policy Match
Answer: B
Explanation:
This new feature identifies port-based rules so you can convert them to application-based rules
that allow the traffic or add applications to existing rules without compromising application
availability.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policyoptimizer.html
QUESTION 332
Which statement accurately describes service routes and virtual systems?
A. Virtual systems can only use one interface for all global service and service routes of the firewall
B. The interface must be used for traffic to the required external services
C. Virtual systems that do not have specific service routes configured inherit the global service and
service route settings for the firewall
D. Virtual systems cannot have dedicated service routes configured: and virtual systems always use
the global service and service route settings for the firewall
Answer: A
Explanation:
"When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service
and service route settings." So you can define specific service routes if you want, but they start out
as inherited from the global settings.
QUESTION 333
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently
running PAN-OS 8.1.17.
Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
A. Upgrade directly to the target major version
B. Upgrade one major version at a time
C. Upgrade the HA pair to a base image
D. Upgrade two major versions at a time
Answer: B
Explanation:
When you upgrade from one PAN-OS feature release version to a later feature release, you cannot
skip the installation of any feature release versions in the path to your target release. In addition,
the recommended upgrade path includes installing the latest maintenance release in each release
version before you install the base image for the next feature release version.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-thefirewall-pan-os/determine-the-upgrade-path.html
QUESTION 334
An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is
decrypted?
A. There must be a certificate with both the Forward Trust option and Forward Untrust option selected
B. A Decryption profile must be attached to the Decryption policy that the traffic matches
C. A Decryption profile must be attached to the Security policy that the traffic matches
D. There must be a certificate with only the Forward Trust option selected
Answer: B
Explanation:
"(Optional) Select a Decryption Profile to perform additional checks on traffic that matches the
policy rule."
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/define-traffic-todecrypt/create-a-decryption-policy-rulet.
QUESTION 335
When you import the configuration of an HA pair into Panorama, how do you prevent the import
from affecting ongoing traffic?
A. Disable HA
B. Disable the HA2 link
C. Disable config sync
D. Set the passive link state to 'shutdown'
Answer: C
Explanation:
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transitiona-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management.html
Step 2 is "Disable configuration synchronization between the HA peers."
QUESTION 336
Which configuration task is best for reducing load on the management plane?
A. Disable logging on the default deny rule
B. Enable session logging at start
C. Disable pre-defined reports
D. Set the URL filtering action to send alerts
Answer: C
QUESTION 337
Which Panorama objects restrict administrative access to specific device-groups?
A. templates
B. admin roles
C. access domains
D. authentication profiles
Answer: C
Explanation:
Access domains control administrative access to specific Device Groups and templates, and also
control the ability to switch context to the web interface of managed firewalls.
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/rolebased-access-control/access-domains.html
QUESTION 338
An administrator has 750 firewalls. The administrator's central-management Panorama instance
deploys dynamic updates to the firewalls.
The administrator notices that the dynamic updates from Panorama do not appear on some of the
firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the
configuration does not appear what is the root cause?
A. Panorama has no connection to Palo Alto Networks update servers
B. Panorama does not have valid licenses to push the dynamic updates
C. No service route is configured on the firewalls to Palo Alto Networks update servers
D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed
Answer: D
Explanation:
Locally defined dynamic update settings on a managed Palo Alto Networks firewall take precedence over the settings pushed from Panorama.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKQCA0
QUESTION 339
Which rule type controls end user SSL traffic to external websites?
A. SSL Outbound Proxyless Inspection
B. SSL Forward Proxy
C. SSL Inbound Inspection
D. SSH Proxy
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/sslforward-proxy.html
QUESTION 340
Which two statements correctly identify the number of Decryption Broker security chains that are
supported on a pair of decryption-forwarding interfaces? (Choose two)
A. A single transparent bridge security chain is supported per pair of interfaces
B. L3 security chains support up to 32 security chains
C. L3 security chains support up to 64 security chains
D. A single transparent bridge security chain is supported per firewall
Answer: AD
QUESTION 341
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls
into their AWS tenant.
Which two statements are correct regarding the bootstrap package contents? (Choose two )
A. The /config, /content and /software folders are mandatory while the /license and /plugin folders are optional
B. The bootstrap package is stored on an AFS share or a discrete container file bucket
C. The directory structure must include /config, /content, /software and /license folders
D. The init-cfg.txt and bootstrap.xml files are both optional configuration items for the /config folder
E. The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.
Answer: CE
Explanation:
https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-seriesfirewall/bootstrap-the-vm-series-firewall-in-aws.html
QUESTION 342
Drag and Drop Question
Match each GlobalProtect component to the purpose of that component.
Answer:
Explanation:
Reference:
https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotectadmin/globalprotect-overview/about-the-globalprotect-components.html
QUESTION 343
A network administrator wants to use a certificate for the SSL/TLS Service Profile.
Which type of certificate should the administrator use?
A. certificate authority (CA) certificate
B. client certificate
C. machine certificate
D. server certificate
Answer: D
Explanation:
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configurean-ssltls-service-profile.html
QUESTION 344
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing?
(Choose two.)
A. wildcard server certificate
B. enterprise CA certificate
C. client certificate
D. server certificate
E. self-signed CA certificate
Answer: BE
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forwardproxy.html
QUESTION 345
Use the image below. If the firewall has the displayed link monitoring configuration, what will cause a failover?
A. ethernet1/3 and ethernet1/6 going down
B. ethernet1/3 going down
C. ethernet1/6 going down
D. ethernet1/3 or ethernet1/6 going down
Answer: A
QUESTION 346
When overriding a template configuration locally on a firewall, what should you consider?
A. Only Panorama can revert the override
B. Panorama will lose visibility into the overridden configuration
C. Panorama will update the template with the overridden value
D. The firewall template will show that it is out of sync within Panorama
Answer: B
Explanation:
Based on my knowledge, the out-of-sync message appears on Panorama only when a commit was performed on Panorama but not pushed to the NGFW.
https://live.paloaltonetworks.com/t5/general-topics/reason-for-out-of-sync-message-inpanorama/td-p/328292
The override settings are not visible (known) to Panorama. The config is pushed only from Panorama to the NGFW.
QUESTION 347
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama
reports.
The configuration problem seems to be on the firewall.
Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent
from the NGFW to Panorama?
A.
B.
C.
D.
Answer: A
Explanation:
Unless log forwarding is configured on the Security policy rule, the logs will not be forwarded to any external system (Panorama or an external syslog server).
QUESTION 348
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the
neighbour is correct, but the route is not in the neighbour's routing table.
Which two configurations should you check on the firewall? (Choose two.)
A. Within the redistribution profile ensure that Redist is selected
B. In the redistribution profile check that the source type is set to "ospf"
C. In the OSPF configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section
D. Ensure that the OSPF neighbor state is "2-Way"
Answer: AC
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGTCA0
QUESTION 349
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA)
certificates are installed on the firewall.
An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com.
Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?
A. Forward-Untrust-Certificate
B. Forward-Trust-Certificate
C. Firewall-CA
D. Firewall-Trusted-Root-CA
Answer: B
Explanation:
Since no Forward Untrust certificate is configured, the Forward Trust certificate is also used to sign the certificate for the untrusted web server.
QUESTION 350
An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?
A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate
B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate
C. Use an enterprise CA-signed certificate for the Forward Untrust certificate
D. Use the same Forward Trust certificate on all firewalls in the network
Answer: A
Explanation:
Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that the firewall
can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the
CA that signed the certificate of the destination server, the firewall can send a copy of the
destination server certificate to the client, signed by the enterprise CA. This is a best practice
because usually all network devices already trust the Enterprise CA (it is usually already installed
in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints, so
the rollout process is smoother.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forwardproxy.html
QUESTION 351
When you configure an active/active high availability pair which two links can you use? (Choose
two)
A. HA2 backup
B. HA3
C. Console Backup
D. HSCI-C
Answer: AB
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/set-up-activeactiveha/configure-activeactive-ha.html
QUESTION 352
Which CLI command displays the physical media that are connected to ethernet1/8?
A. > show system state filter-pretty sys.si.p8.stats
B. > show interface ethernet1/8
C. > show system state filter-pretty sys.s1.p8.phy
D. > show system state filter-pretty sys.si.p8.med
Answer: C
Explanation:
Example output:
> show system state filter-pretty sys.s1.p1.phy
sys.s1.p1.phy: {
link-partner: { },
media: CAT5,
type: Ethernet,
}
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC
QUESTION 353
In a firewall, which three decryption methods are valid? (Choose three )
A. SSL Inbound Inspection
B. SSL Outbound Proxyless Inspection
C. SSL Inbound Proxy
D. Decryption Mirror
E. SSH Proxy
Answer: ADE
Explanation:
You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party
solution for additional analysis and archiving.
Ref:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryptionoverview.html#idd71f8b4d-cd40-4c6c-905f-2f8c7fca6537
QUESTION 354
The UDP-4501 protocol-port is used between which two GlobalProtect components?
A. GlobalProtect app and GlobalProtect gateway
B. GlobalProtect portal and GlobalProtect gateway
C. GlobalProtect app and GlobalProtect satellite
D. GlobalProtect app and GlobalProtect portal
Answer: A
Explanation:
UDP 4501: used for IPSec tunnel connections between GlobalProtect apps and gateways.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/referenceport-number-usage/ports-used-for-globalprotect.html
QUESTION 355
Users within an enterprise have been given laptops that are joined to the corporate domain. In
some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information
Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet
access for the Linux desktop users.
Which method can capture IP-to-user mapping information for users on the Linux machines?
A. You can configure Captive Portal with an authentication policy.
B. IP-to-user mapping for Linux users can only be learned if the machine is joined to the domain.
C. You can set up a group-based security policy to restrict internet access based on group
membership
D. You can deploy the User-ID agent on the Linux desktop machines
Answer: D
QUESTION 356
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose
three)
A. configure a device block list
B. rename a vsys on a multi-vsys firewall
C. enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
D. add administrator accounts
E. change the firewall management IP address
Answer: ABC
QUESTION 357
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of
preconfiguration.
Once deployed each firewall must establish secure tunnels back to multiple regional data centers
to include the future regional data centers.
Which VPN preconfigured configuration would adapt to changes when deployed to the future site?
A. IPsec tunnels using IKEv2
B. PPTP tunnels
C. GlobalProtect satellite
D. GlobalProtect client
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/globalprotect/networkglobalprotect-portals/globalprotect-portals-satellite-configuration-tab.html
QUESTION 358
PBF can address which two scenarios? (Select Two)
A. forwarding all traffic by using source port 78249 to a specific egress interface
B. providing application connectivity if the primary circuit fails
C. enabling the firewall to bypass Layer 7 inspection
D. routing FTP to a backup ISP link to save bandwidth on the primary ISP link
Answer: BD
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/usecase-pbf-for-outbound-access-with-dual-isps
QUESTION 359
In a security-first network what is the recommended threshold value for content updates to be
dynamically updated?
A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours
Answer: B
Explanation:
Schedule content updates so that they download-and-install automatically. Then, set a Threshold
that determines the amount of time the firewall waits before installing the latest content. In a
security-first network, schedule a six to twelve hour threshold.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-forcontent-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E
QUESTION 360
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):
i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the trusted store of the end-user browser and system)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN) www.example-website.com.
The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall.
The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?
A. Enterprise-Untrusted-CA, which is a self-signed CA
B. Enterprise-Trusted-CA, which is a self-signed CA
C. Enterprise-Intermediate-CA, which was, in turn, issued by Enterprise-Root-CA
D. Enterprise-Root-CA, which is a self-signed CA
Answer: A
QUESTION 361
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises
Infrastructure.
The administrator wants to scale the configuration out quickly and wants all of the firewalls to use
the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
A. variables
B. template stacks
C. collector groups
D. virtual systems
Answer: AB
Explanation:
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panoramaoverview/centralized-firewall-configuration-and-update-management/templates-and-templatestacks
QUESTION 362
A traffic log might list an application as "not-applicable" for which two reasons? (Choose two )
A. The firewall did not install the session
B. The TCP connection terminated without identifying any application data
C. The firewall dropped a TCP SYN packet
D. There was not enough application data after the TCP connection was established
Answer: AD
QUESTION 363
An administrator is considering upgrading the Palo Alto Networks NGFW and central management
Panorama version.
What is considered best practice for this scenario?
A. Perform the Panorama and firewall upgrades simultaneously
B. Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version
C. Upgrade Panorama to a version at or above the target firewall version
D. Export the device state, perform the update, and then import the device state
Answer: C
Explanation:
Panorama should be running the same or a later version of a feature release than the firewall (more
than two feature versions is supported but not recommended).
QUESTION 364
Drag and Drop Question
Match each SD-WAN configuration element to the description of that element.
Answer:
Explanation:
https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/sd-wanconfiguration-elements
QUESTION 365
When you configure a Layer 3 interface what is one mandatory step?
A. Configure Security profiles, which need to be attached to each Layer 3 interface
B. Configure Interface Management profiles, which need to be attached to each Layer 3 interface
C. Configure virtual routers to route the traffic for each Layer 3 interface
D. Configure service routes to route the traffic for each Layer 3 interface
Answer: C
Explanation:
In a Layer 3 deployment, the firewall routes traffic between multiple ports. Before you can Configure
Layer 3 Interfaces, you must configure the Virtual Routers that you want the firewall to use to route
the traffic for each Layer 3 interface.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configureinterfaces/layer-3-interfaces.html
QUESTION 366
An administrator has a PA-820 firewall with an active Threat Prevention subscription.
The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization?
A. Protection against unknown malware can be provided in near real-time
B. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
C. After 24 hours WildFire signatures are included in the antivirus update
D. WildFire and Threat Prevention combine to minimize the attack surface
Answer: A
QUESTION 367
Which three statements accurately describe Decryption Mirror? (Choose three.)
A. Decryption Mirror requires a tap interface on the firewall
B. Decryption, storage, inspection and use of SSL traffic are regulated in certain countries
C. Only management consent is required to use the Decryption Mirror feature
D. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment
E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel
Answer: BDE
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryptionconcepts/decryption-mirroring.html
QUESTION 368
As a best practice, which URL category should you target first for SSL decryption?
A. Online Storage and Backup
B. High Risk
C. Health and Medicine
D. Financial Services
Answer: B
Explanation:
https://docs.paloaltonetworks.com/best-practices/8-1/decryption-best-practices/decryption-bestpractices/plan-ssl-decryption-best-practice-deployment.html
Phase in decryption. Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor
malicious traffic, such as gaming or high-risk)
QUESTION 369
An administrator wants to enable zone protection.
Before doing so, what must the administrator consider?
A. Activate a zone protection subscription.
B. To increase bandwidth, no more than one firewall interface should be connected to a zone
C. Security policy rules do not prevent lateral movement of traffic between zones
D. The zone protection profile will apply to all interfaces within that zone
Answer: A
QUESTION 370
What are two characteristic types that can be defined for a variable? (Choose two)
A. zone
B. FQDN
C. path group
D. IP netmask
Answer: BD
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/panorama-webinterface/panorama-templates/panorama-templates-template-variable.html
QUESTION 371
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )
A. Destination Zone
B. App-ID
C. Custom URL Category
D. User-ID
E. Source Interface
Answer: ACD
Explanation:
The Source Interface and App-ID options are not available as match criteria in a Decryption policy rule.
QUESTION 372
Given the following configuration, which route is used for destination 10.10.0.4?
A. Route 4
B. Route 2
C. Route 1
D. Route 3
Answer: B
Explanation:
set network virtual-router 2 routing-table ip static-route "Route 2" destination 10.10.0.0/24
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-virtualrouters/more-runtime-stats-for-a-virtual-router/ routing-tab.html
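The following is an added example for the route-selection question above; it is not code from the PCNSE dump or from Palo Alto Networks. The routing table in it is constructed for illustration (the screenshot's four routes are not on the page, so the names, next hops and interfaces are assumptions), and the selection order it models is the one a PAN-OS virtual router applies: longest prefix match first, then lower administrative distance, then lower metric.

```python
"""Added example (not Palo Alto Networks code): model how a PAN-OS virtual router
picks the route for a destination. The table below is constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    destination: str        # CIDR prefix, as in "destination 10.10.0.0/24"
    next_hop: str
    interface: str
    admin_distance: int = 10   # PAN-OS default for static routes
    metric: int = 10           # PAN-OS default static-route metric


# Constructed table (assumed values): two /24 routes to show the metric tie-break,
# a covering /16, and a default route.
ROUTES = [
    Route("Route 1", "0.0.0.0/0", "203.0.113.1", "ethernet1/1"),
    Route("Route 2", "10.10.0.0/24", "198.51.100.2", "ethernet1/2"),
    Route("Route 3", "10.10.0.0/16", "198.51.100.3", "ethernet1/3"),
    Route("Route 4", "10.10.0.0/24", "198.51.100.4", "ethernet1/4", metric=20),
]


def select_route(dest, routes=ROUTES):
    """Return the Route the virtual router would use for dest, or None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.destination)]
    if not candidates:
        return None
    # Most specific prefix wins; equal prefixes fall back to admin distance, then metric.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.destination).prefixlen,
                       r.admin_distance, r.metric),
    )


if __name__ == "__main__":
    for dest in ("10.10.0.4", "10.10.5.4", "192.0.2.1"):
        r = select_route(dest)
        print(f"{dest} -> {r.name} via {r.next_hop} on {r.interface}")
```

With this table 10.10.0.4 lands on "Route 2": the two /24 entries beat the /16 and the default, and between the two /24 entries the lower metric wins. Swap the metrics and the choice flips, which is the kind of mismatch that produces the wrong egress interface in Question 380 below.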
QUESTION 373
When an in-band data port is set up to provide access to required services, what is required for an
interface that is assigned to service routes?
A. The interface must be used for traffic to the required services
B. You must enable DoS and zone protection
C. You must set the interface to Layer 2, Layer 3, or virtual wire
D. You must use a static IP address
Answer: D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
Decide which port you want to use for access to external services and connect it to your switch or
router port.
The interface you use must have a static IP address.
QUESTION 374
What does SSL decryption require to establish a firewall as a trusted third party and to establish
trust between a client and server to secure an SSL/TLS connection?
A. link state
B. stateful firewall connection
C. certificates
D. profiles
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-overview.html
QUESTION 375
When setting up a security profile which three items can you use? (Choose three )
A. WildFire analysis
B. anti-ransomware
C. antivirus
D. URL filtering
E. decryption profile
Answer: ACD
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-profiles.html
QUESTION 376
A variable name must start with which symbol?
A. $
B. &
C. !
D. #
Answer: A
Explanation:
All variable definition names must start with the dollar sign (“$”) character.
QUESTION 377
An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there
is an issue related to LDAP authentication. The administrator wants to create a packet capture on
the management plane.
Which CLI command should the administrator use to obtain the packet capture for validating the
configuration?
A. > ftp export mgmt-pcap from mgmt.pcap to <FTP host>
B. > scp export mgmt-pcap from mgmt.pcap to (username@host:path)
C. > scp export poap-mgmt from poap.mgmt to (username@host:path)
D. > scp export pcap from pcap to (username@host:path)
Answer: B
Explanation:
Additionally, you can manually export the management-plane PCAP via SCP or TFTP, for example:
> scp export mgmt-pcap from mgmt.pcap to <value>
where <value> is the destination in the form username@host:path.
Ref: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS
QUESTION 378
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption?
(Choose two.)
A. the website matches a category that is not allowed for most users
B. the website matches a high-risk category
C. the web server requires mutual authentication
D. the website matches a sensitive category
Answer: CD
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryptionexclusions/create-a-policy-based-decryption-exclusion
QUESTION 379
During SSL decryption, which three factors affect resource consumption? (Choose three.)
A. TLS protocol version
B. transaction size
C. key exchange algorithm
D. applications that use non-standard ports
E. certificate issuer
Answer: ABC
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploydecryption/size-the-decryption-firewall-deployment.html
QUESTION 380
An internal system is not functioning. The firewall administrator has determined that the incorrect
egress interface is being used.
After looking at the configuration, the administrator believes that the firewall is not using a static
route.
What are two reasons why the firewall might not use a static route? (Choose two.)
A. no install on the route
B. duplicate static route
C. path monitoring on the static route
D. disabling of the static route
Answer: AC
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-routeremoval-based-on-path-monitoring.html
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/static-routes/configure-astatic-route.html
QUESTION 381
Before you upgrade a Palo Alto Networks NGFW what must you do?
A. Make sure that the PAN-OS support contract is valid for at least another year
B. Export a device state of the firewall
C. Make sure that the firewall is running a version of antivirus software and a version of WildFire that
support the licensed subscriptions.
D. Make sure that the firewall is running a supported version of the app + threat update
Answer: D
Explanation:
Before you upgrade, make sure the firewall is running a version of app + threat (content version)
that meets the minimum requirement of the new PAN-OS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK
QUESTION 382
Which User-ID mapping method should be used in a high-security environment where all IP
address-to-user mappings should always be explicitly known?
A. PAN-OS integrated User-ID agent
B. LDAP Server Profile configuration
C. GlobalProtect
D. Windows-based User-ID agent
Answer: C
Explanation:
Because GlobalProtect users must authenticate to gain access to the network, the IP address-tousername mapping is explicitly known.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/usermapping/globalprotect.html
QUESTION 383
Given the following snippet of a WildFire submission log, did the end user get access to the
requested information, and why or why not?
A. Yes, because the action is set to "allow"
B. No, because WildFire categorized a file with the verdict "malicious"
C. Yes, because the action is set to "alert"
D. No, because WildFire classified the severity as "high"
Answer: A
QUESTION 384
An administrator needs to gather information about the CPU utilization on both the management
plane and the data plane.
Where does the administrator view the desired data?
A. Monitor > Utilization
B. Resources Widget on the Dashboard
C. Support > Resources
D. Application Command and Control Center
Answer: B
QUESTION 385
Drag and Drop Question
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and
Panorama configuration. Place the steps in order.
Answer:
Explanation:
https://www.paloaltonetworks.com/resources/videos/how-to-run-a-bpa
QUESTION 386
An administrator is required to create an application-based Security policy rule to allow Evernote.
The Evernote application implicitly uses SSL and web browsing. What is the minimum the
administrator needs to configure in the Security rule to allow only Evernote?
A. Add the Evernote application to the Security policy rule, then add a second Security policy rule
containing both HTTP and SSL.
B. Add the HTTP, SSL, and Evernote applications to the same Security policy
C. Add only the Evernote application to the Security policy rule.
D. Create an Application Override using TCP ports 443 and 80.
Answer: C
QUESTION 387
Your company occupies one floor in a single building. You have two Active Directory domain
controllers on a single network. The firewall's management-plane resources are lightly utilized.
Given the size of this environment, which User-ID collection method is sufficient?
A. Citrix terminal server agent deployed on the network
B. Windows-based agent deployed on each domain controller
C. PAN-OS integrated agent deployed on the firewall
D. a syslog listener
Answer: C
QUESTION 388
Drag and Drop Question
Please match the terms to their corresponding definitions.
Answer:
Explanation:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcns
e-study-guide.pdf
QUESTION 389
Drag and Drop Question
Place the steps in the WildFire process workflow in their correct order.
Answer:
Explanation:
https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/about-wildfire.html
QUESTION 390
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to
be taken?
A. Create a zone protection profile with flood protection configured to defend an entire egress zone
against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.
B. Add a WildFire subscription to activate DoS and zone protection features.
C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series
systems.
D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall
is properly sized to support DoS and zone protection.
Answer: D
Explanation:
Check and monitor firewall dataplane CPU consumption to ensure that each firewall is properly
sized to support DoS and Zone Protection along with any other features that consume CPU cycles,
such as decryption.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dosprotection.html
QUESTION 391
An administrator receives the following error message:
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24
type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol
0 port 0."
How should the administrator identify the root cause of this error message?
A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection
failure.
B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.
C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or
disabled on both VPN peers.
Answer: B
Explanation:
The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo
Alto Networks firewall.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-sitevpn/interpret-vpn-error-messages.html
QUESTION 392
The following objects and policies are defined in a device group hierarchy.
Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device group. NYC-DC has NYC-FW as a member of the NYC-DC device group.
What objects and policies will the Dallas-FW receive if "Share Unused Address and Service
Objects" is enabled in Panorama?
A. Address Objects
- Shared Address1
- Branch Address1
Policies
- Shared Policy1
- Branch Policy1
B. Address Objects
- Shared Address1
- Shared Address2
- Branch Address1
Policies
- Shared Policy1
- Shared Policy2
- Branch Policy1
C. Address Objects
- Shared Address1
- Shared Address2
- Branch Address1
- DC Address1
Policies
- Shared Policy1
- Shared Policy2
- Branch Policy1
D. Address Objects
- Shared Address1
- Shared Address2
- Branch Address1
Policies
- Shared Policy1
- Branch Policy1
Answer: D
Explanation:
Panorama will not push anything from Data-Centers group. That rules out C.
Panorama will push all objects from "Shared", which rules out A.
Note that the target of "Shared Policy 2" is NYC-FW, so this policy won't get pushed to Dallas-FW.
This rules out B.
Thus, answer is D.
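The reasoning above can be checked mechanically. The following is an added example, a model rather than Panorama's own code, of which objects and rules a firewall receives through a device-group hierarchy when "Share Unused Address and Service Objects" is on or off and some rules carry a target. The hierarchy (Shared > Branches > Dallas-Branch with Dallas-FW, Shared > Data-Centers > NYC-DC with NYC-FW) and which rule references which address object are assumptions made for the example; the object and rule names are the ones in the question.

```python
"""Added example (not Panorama code): model device-group inheritance, rule targets
and the "Share Unused Address and Service Objects" setting. Hierarchy and object
references are assumed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    refs: frozenset                       # address/service objects the rule references
    target: Optional[frozenset] = None    # None = every firewall in scope


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    parent: Optional[str]                 # None for Shared
    firewalls: frozenset = frozenset()
    objects: tuple = ()
    rules: tuple = ()


# Assumed hierarchy mirroring the question.
GROUPS = {g.name: g for g in [
    DeviceGroup("Shared", None,
                objects=("Shared Address1", "Shared Address2"),
                rules=(Rule("Shared Policy1", frozenset({"Shared Address1"})),
                       Rule("Shared Policy2", frozenset({"Shared Address2"}),
                            target=frozenset({"NYC-FW"})))),
    DeviceGroup("Branches", "Shared"),
    DeviceGroup("Dallas-Branch", "Branches", firewalls=frozenset({"Dallas-FW"}),
                objects=("Branch Address1",),
                rules=(Rule("Branch Policy1", frozenset({"Branch Address1"})),)),
    DeviceGroup("Data-Centers", "Shared", objects=("DC Address1",)),
    DeviceGroup("NYC-DC", "Data-Centers", firewalls=frozenset({"NYC-FW"})),
]}


def ancestry(dg_name, groups=GROUPS):
    """Shared first, then each descendant down to dg_name: the groups it inherits from."""
    chain = []
    while dg_name is not None:
        chain.append(dg_name)
        dg_name = groups[dg_name].parent
    return chain[::-1]


def push_for(firewall, share_unused, groups=GROUPS):
    """Return (objects, rule_names) Panorama would push to the given firewall."""
    dg = next(g.name for g in groups.values() if firewall in g.firewalls)
    chain = ancestry(dg, groups)
    # A rule reaches the firewall only if it has no target or names this firewall.
    rules = [r for g in chain for r in groups[g].rules
             if r.target is None or firewall in r.target]
    if share_unused:
        objects = [o for g in chain for o in groups[g].objects]
    else:
        # Without the setting, only objects referenced by a pushed rule are sent.
        used = set().union(*(r.refs for r in rules)) if rules else set()
        objects = [o for g in chain for o in groups[g].objects if o in used]
    return objects, [r.name for r in rules]


if __name__ == "__main__":
    for fw in ("Dallas-FW", "NYC-FW"):
        print(fw, push_for(fw, share_unused=True))
```

Run for Dallas-FW with sharing enabled, the model returns exactly answer D: both Shared address objects plus Branch Address1, and Shared Policy1 plus Branch Policy1, with Shared Policy2 held back by its target and DC Address1 never in scope. Turning the setting off drops Shared Address2, which only the untargeted rule references.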
QUESTION 393
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?
A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts
independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.
Answer: C
Explanation:
Each WildFire cloud—global (U.S.), regional, and private—analyzes samples and generates
WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private
cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide
database of threat data.
https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfireconcepts/verdicts.html
QUESTION 394
What are three reasons for excluding a site from SSL decryption? (Choose three.)
A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication
Answer: BCE
Explanation:
Reasons that sites break decryption technically include pinned certificates, client authentication,
incomplete certificate chains, and unsupported ciphers.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryptionexclusions/exclude-a-server-from-decryption.html
QUESTION 395
When setting up a security profile, which three items can you use? (Choose three.)
A. WildFire analysis
B. anti-ransomware
C. antivirus
D. URL filtering
E. decryption profile
Answer: ACD
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-profiles.html
QUESTION 396
What are three types of Decryption Policy rules? (Choose three.)
A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy
D. Decryption Broker
E. Decryption Mirror
Answer: ABC
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryptionoverview.html#:~:text=The%20firewall%20provides%20three%20types,to%20control%20tunneled%20SSH%20traffic
QUESTION 397
Which two features require another license on the NGFW? (Choose two.)
A. SSL Inbound Inspection
B. SSL Forward Proxy
C. Decryption Mirror
D. Decryption Broker
Answer: CD
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configuredecryption-port-mirroring.html
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-licenses.html
QUESTION 398
A remote administrator needs access to the firewall on an untrust interface. Which three options
would you configure on an Interface Management profile to secure management access? (Choose
three.)
A. Permitted IP Addresses
B. SSH
C. HTTPS
D. User-ID
E. HTTP
Answer: ABC
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configureinterfaces/use-interface-management-profiles-to-restrict-access.html
QUESTION 399
A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected
as the replacement. During onboarding, the following options and licenses were selected and
enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
The customer wants to forward to a Splunk SIEM the logs that are generated by users that are
connected to Prisma Access for Mobile Users.
Which two settings must the customer configure? (Choose two.)
A. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the
Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.
D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server.
Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.
Answer: BC
Explanation:
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-gettingstarted/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslogserver.html
QUESTION 400
A network security engineer has applied a File Blocking profile to a rule with the action of Block.
The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is
being blocked by the firewall when trying to download a TAR file. The user is getting no error
response on the system.
Where is the best place to validate if the firewall is blocking the user's TAR file?
A. Threat log
B. Data Filtering log
C. WildFire Submissions log
D. URL Filtering log
Answer: B
Explanation:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ1CAK
QUESTION 401
In a device group, which two configuration objects are defined? (Choose two )
A. DNS Proxy
B. address groups
C. SSL/TLS profiles
D. URL Filtering profiles
Answer: BD
Explanation:
Objects are configuration elements that policy rules reference, for example: IP addresses, URL
categories, security profiles, users, services, and applications. Rules of any type (pre-rules, postrules, default rules, and rules locally defined on a firewall) and any rulebase (Security, NAT, QoS,
Policy Based Forwarding, Decryption, Application Override, Captive Portal, and DoS Protection)
can reference objects.
https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/panoramaoverview/centralized-firewall-configuration-and-update-management/device-groups/device-groupobjects.html#id0fee714c-9e17-43a0-aac5-54e0c34f37e3
QUESTION 402
An enterprise Information Security team has deployed policies based on AD groups to restrict user
access to critical infrastructure systems. However, a recent phishing campaign against the
organization has prompted information Security to look for more controls that can secure access to
critical assets. For users that need to access these systems, Information Security wants to use
PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
B. Create an authentication profile and assign another authentication factor to be used by a Captive
Portal authentication policy.
C. Configure a Captive Portal authentication policy that uses an authentication sequence.
D. Configure a Captive Portal authentication policy that uses an authentication profile that references
a RADIUS profile.
Answer: D
Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configuremulti-factor-authentication.html#id1eeb304d-b2f4-46a3-a3b8-3d84c69fb214_idc4b47dbd-97774ec8-be70-c16ca0ea1756
QUESTION 403
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma
Access for mobile users, which is managed by Panorama. The enterprise already uses
GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy
enforcement based on group mapping. Information Security uses on-premises Active Directory (AD)
but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?
A. Configure Prisma Access to learn group mapping via SAML assertion.
B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma
Access.
C. Assign a master device in Panorama through which Prisma Access learns groups.
D. Create a group mapping configuration that references an LDAP profile that points to on-premises
domain controllers.
Answer: C
Explanation:
Reference: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panoramaadmin/configure-user-based-policies-with-prisma-access/retrieve-user-idinformation.html#id823f5b30-2c1d-4c87-9ae6-a06573455af7
QUESTION 404
What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?
A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.
B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.
C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface
number (i.e., Eth1/1 over Eth1/3).
Answer: C
Explanation:
If there is no match to any SD-WAN policy rule in the list, the session matches an implied SD-WAN
policy rule at the end of the list that uses the round-robin method to distribute unmatched sessions
among all links in one SD-WAN interface, which is based on the route lookup.
QUESTION 405
A remote administrator needs firewall access on an untrusted interface.
Which two components are required on the firewall to configure certificate-based administrator
authentication to the web UI? (Choose two.)
A. certificate authority (CA) certificate
B. server certificate
C. client certificate
D. certificate profile
Answer: AD
Explanation:
Generate a certificate authority (CA) certificate on the firewall.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/managefirewall-administrators/configure-administrative-accounts-and-authentication/configure-certificatebased-administrator-authentication-to-the-web-interface.html
QUESTION 406
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All
84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is
missing?
A. WildFire logs
B. System logs
C. Threat logs
D. Traffic logs
Answer: A
Explanation:
Reference:
https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-logcollection/configure-log-forwarding-to-panorama.html
QUESTION 407
A company wants to use their Active Directory groups to simplify their Security policy creation from
Panorama.
Which configuration is necessary to retrieve groups from Panorama?
A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
B. Configure a group mapping profile to retrieve the groups in the target template.
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
D. Configure a master device within the device groups.
Answer: D
Explanation:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
QUESTION 408
How can packet buffer protection be configured?
A. at zone level to protect firewall resources and ingress zones, but not at the device level
B. at the interface level to protect firewall resources
C. at the device level (globally) to protect firewall resources and ingress zones, but not at the zone
level
D. at the device level (globally) and, if enabled globally, at the zone level
Answer: D
Explanation:
You can configure Packet Buffer Protection at two levels: the device level (global) and if enabled
globally, you can also enable it at the zone level.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dosprotection/configure-zone-protection-to-increase-network-security/configure-packet-bufferprotection.html
QUESTION 409
An existing NGFW customer requires direct internet access offload locally at each site, and IPSec
connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware
be introduced to the environment.
What is the best solution for the customer?
A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Configure policy-based forwarding
D. Deploy Prisma SD-WAN with Prisma Access
Answer: B
Explanation:
There are two SD-WAN options:
- Pan-OS SD-WAN which requires a subscription and leverages existing firewalls
- Cloudgenix SD-WAN which requires ION devices (hardware)
Reference: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/aboutsd-wan.html
QUESTION 410
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business
application uptime requirements.
What is the correct setting?
A. Change the HA timer profile to "user-defined" and manually set the timers.
B. Change the HA timer profile to "fast".
C. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
D. Change the HA timer profile to "quick" and customize in advanced profile.
Answer: C
Explanation:
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster
failover timer settings. The Advanced profile allows you to customize the timer values to suit your
network requirements.
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-upactivepassive-ha/configure-activepassive-ha.html
QUESTION 411
What is the function of a service route?
A. The service packets exit the firewall on the port assigned for the external service. The server sends
its response to the configured source interface and source IP address.
B. The service packets enter the firewall on the port assigned from the external service. The server
sends its response to the configured destination interface and destination IP address.
C. The service route is the method required to use the firewall's management plane to provide services
to applications.
D. Service routes provide access to external services, such as DNS servers, external authentication
servers or Palo Alto Networks services like the Customer Support Portal.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes/serviceroutes-overview#id69ef535a-d5b0-4c79-bb7f-1302a438e7c5
"The service packets exit the firewall on the port assigned for the external service and the server
sends its response to the configured source interface and source IP address."
QUESTION 412
Which of the following commands would you use to check the total number of the sessions that are
currently going through SSL Decryption processing?
A. show session all filter ssl-decryption yes total-count yes
B. show session all ssl-decrypt yes count yes
C. show session all filter ssl-decrypt yes count yes
D. show session filter ssl-decryption yes total-count yes
Answer: C
Explanation:
To display the count of decrypted sessions
> show session all filter ssl-decrypt yes count yes
Number of sessions that match filter: 2758
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK
QUESTION 413
Refer to the image. An administrator is tasked with correcting an NTP service configuration for
firewalls that cannot use the Global template NTP servers. The administrator needs to change the
IP address to a preferable server for this template stack but cannot impact other template stacks.
How can the issue be corrected?
A. Override the value on the NYCFW template.
B. Override a template value using a template stack variable.
C. Override the value on the Global template.
D. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
Answer: B
Explanation:
Both templates and template stacks support variables. Variables allow you to create placeholder
objects with their value specified in the template or template stack based on your configuration
needs. Create a template or template stack variable to replace IP addresses, Group IDs, and
interfaces in your configurations.
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/managetemplates-and-template-stacks/override-a-template-setting.html
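The following is an added example serving the two variable questions above (376, the leading "$", and 413, overriding a template value through a template-stack variable). It is a model written for this page, not PAN-OS or Panorama code. It assumes a Global template with a single NTP line that references a variable, a template-level value for it, and a stack-level override for the NYC stack; the config line and both addresses are assumptions for illustration.

```python
"""Added example (not PAN-OS code): model Panorama template / template-stack
variable resolution. Names must start with '$'; a value set on the template stack
overrides the value the template defines, so one stack can use a different NTP
server without touching the shared template. Config line and addresses are assumed."""
import re

# Accepted variable syntax in this model: '$' followed by letters, digits, underscore.
VAR_RE = re.compile(r"\$[A-Za-z0-9_]+")

# Assumed Global template content: one NTP line using a variable.
GLOBAL_TEMPLATE = [
    "set deviceconfig system ntp-servers primary-ntp-server ntp-server-address $NTP_PRIMARY",
]
GLOBAL_TEMPLATE_VARS = {"$NTP_PRIMARY": "192.0.2.10"}    # value defined in the template
NYC_STACK_VARS = {"$NTP_PRIMARY": "198.51.100.10"}     # override set on the NYC stack only


def validate_name(name):
    """Reject variable names that do not start with '$' (the Panorama naming rule)."""
    if not VAR_RE.fullmatch(name):
        raise ValueError(f"invalid variable name {name!r}: must start with '$'")
    return name


def resolve(lines, template_vars, stack_vars):
    """Substitute variables into config lines; stack values win over template values."""
    merged = {validate_name(k): v for k, v in template_vars.items()}
    merged.update({validate_name(k): v for k, v in stack_vars.items()})

    def sub(match):
        name = match.group(0)
        if name not in merged:
            raise KeyError(f"unresolved variable {name}")
        return merged[name]

    return [VAR_RE.sub(sub, line) for line in lines]


def render(stack_vars):
    """Config a firewall in a given stack receives from the Global template."""
    return resolve(GLOBAL_TEMPLATE, GLOBAL_TEMPLATE_VARS, stack_vars)


if __name__ == "__main__":
    print("default stack:", render({}))
    print("NYC stack:    ", render(NYC_STACK_VARS))
```

A stack that sets no value inherits 192.0.2.10 from the template; the NYC stack gets 198.51.100.10 while the Global template itself, and every other stack built on it, is unchanged. A name without the leading "$" is rejected before any substitution happens, and a variable the template uses but nobody defines fails loudly rather than leaving the literal "$NTP_PRIMARY" in the pushed config.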
QUESTION 414
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command
would you use to check the details of the end entity certificate that is signed by the Forward Trust
Certificate or Forward Untrust Certificate?
A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache
Answer: B
Explanation:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK
QUESTION 415
Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the
onboarding process?
A. removing the Panorama serial number from the ZTP service
B. performing a factory reset of the firewall
C. performing a local firewall commit
D. removing the firewall as a managed device in Panorama
Answer: C
Explanation:
Performing a local commit on the ZTP firewall disables ZTP functionality and results in the failure
to successfully add the firewall to Panorama.
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/set-upzero-touch-provisioning/add-ztp-firewalls-to-panorama/add-a-ztp-firewall-topanorama.html#id182211ac-a31c-4122-a11f-19450ec9ca4e
QUESTION 416
In URL filtering, which component matches URL patterns?
A. live URL feeds on the management plane
B. security processing on the data plane
C. single-pass pattern matching on the data plane
D. signature matching on the data plane
Answer: B
Explanation:
URL matching happens at “security processing on the data plane”.
Reference: https://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-altofirewall-single-pass-parallel-processing-hardware-architecture.html
QUESTION 417
In a template, you can configure which two objects? (Choose two.)
A. Monitor profile
B. application group
C. SD-WAN path quality profile
D. IPsec tunnel
Answer: AD
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/networknetwork-profiles/network-network-profiles-monitor.html
QUESTION 418
An organization's administrator has the funds available to purchase more firewalls to increase the
organization's security posture.
The partner SE recommends placing the firewalls as close as possible to the resources that they
protect.
Is the SE's advice correct, and why or why not?
A. No. Firewalls provide new defense and resilience to prevent attackers at every stage of the
cyberattack lifecycle, independent of placement.
B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.
C. No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive
devices inside the network.
D. Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration
of specific device types and operating systems.
Answer: B
Explanation:
"The firewall is a session-based device that isn’t designed to scale to millions of connections-persecond (CPS) to defend against large volumetric DoS attacks."
"For the best DoS protection, place firewalls as close to the resources you’re protecting as possible.
This reduces the number of sessions the firewall needs to handle and therefore the amount of
firewall resources required to provide DoS protection."
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dosprotection/zone-defense/firewall-placement-for-dos-protection
QUESTION 419
An administrator needs to validate that policies that will be deployed will match the appropriate
rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that unwanted
traffic is not allowed?
A. Preview Changes
B. Policy Optimizer
C. Managed Devices Health
D. Test Policy Match
Answer: A
Explanation:
Using Preview Changes with a wide line-context setting, the administrator can review the policy
tree structure as it will be pushed, before the commit.
QUESTION 420
What is a key step in implementing WildFire best practices?
A. Configure the firewall to retrieve content updates every minute.
B. Ensure that a Threat Prevention subscription is active.
C. In a mission-critical network, increase the WildFire size limits to the maximum value.
D. In a security-first network, set the WildFire size limits to the minimum value.
Answer: B
Explanation:
In the WildFire best practices linked below, the first step is to "... make sure that you have an active
Threat Prevention subscription. Together, WildFire® and Threat Prevention enable comprehensive
threat detection and prevention."
https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-deployment-bestpractices/wildfire-best-practices.html
QUESTION 421
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
A. Phase 2 SAs are synchronized over HA2 links.
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
C. Phase 1 SAs are synchronized over HA1 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
Answer: A
Explanation:
From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA
pair, not all IPSEC related information is synchronized between the firewalls... This is an expected
behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."
And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec
security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link
is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the
passive firewall."
QUESTION 422
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet
facing interface of the firewall.
Which Security Profile should be applied to a policy to prevent these packet floods?
A. Vulnerability Protection profile
B. DoS Protection profile
C. Data Filtering profile
D. URL Filtering profile
Answer: B
Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
QUESTION 423
What are three reasons why an installed session can be identified with the "application incomplete"
tag? (Choose three.)
A. There was no application data after the TCP connection was established.
B. The client sent a TCP segment with the PUSH flag set.
C. The TCP connection was terminated without identifying any application data.
D. There is not enough application data after the TCP connection was established.
E. The TCP connection did not fully establish.
Answer: ACE
Explanation:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
QUESTION 424
Which three statements correctly describe Session 380280? (Choose three.)
A. The application was initially identified as "ssl."
B. The session has ended with the end-reason "unknown."
C. The session did not go through SSL decryption processing.
D. The application shifted to "web-browsing."
E. The session went through SSL decryption processing.
Answer: ADE
QUESTION 425
An administrator's device-group commit push is failing due to a new URL category.
How should the administrator correct this issue?
A. update the Firewall Apps and Threat version to match the version of Panorama
B. change the new category action to "alert" and push the configuration again
C. ensure that the firewall can communicate with the URL cloud
D. verify that the URL seed file has been downloaded and activated on the firewall
Answer: A
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNqw
QUESTION 426
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI
authentication? (Choose three.)
A. Authentication Algorithm
B. Encryption Algorithm
C. Certificate
D. Maximum TLS version
E. Minimum TLS version
Answer: CDE
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certificatemanagement/configure-an-ssltls-service-profile
QUESTION 427
Which type of interface does a firewall use to forward decrypted traffic to a security chain for
inspection?
A. Layer 3
B. Layer 2
C. Tap
D. Decryption Mirror
Answer: A
Explanation:
Configure security chain devices with Layer 3 interfaces to connect to the security chain network.
These Layer 3 interfaces must have an assigned IP address and subnet mask.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryptionbroker/security-chain-layer-3-guidelines.html
QUESTION 428
Drag and Drop Question
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
Answer:
Explanation:
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/managefirewalls/set-up-zero-touch-provisioning/ztp-overview/ztp-configuration-elements.html
QUESTION 429
Which benefit do policy rule UUIDs provide?
A. functionality for scheduling policy actions
B. the use of user IP mapping and groups in policies
C. cloning of policies between device-groups
D. an audit trail across a policy's lifespan
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/managementfeatures/universally-unique-identifiers-for-policy-rules.html
QUESTION 430
What are two valid deployment options for Decryption Broker? (Choose two)
A. Transparent Bridge Security Chain
B. Layer 3 Security Chain
C. Layer 2 Security Chain
D. Transparent Mirror Security Chain
Answer: AB
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-broker
QUESTION 431
An administrator needs to evaluate a recent policy change that was committed and pushed to a
firewall device group.
How should the administrator identify the configuration changes?
A. review the configuration logs on the Monitor tab
B. click Preview Changes under Push Scope
C. use Test Policy Match to review the policies in Panorama
D. context-switch to the affected firewall and use the configuration audit tool
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-webinterface/panorama-commit-operations.html
QUESTION 432
Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).
A. Zone Protection Profiles protect ingress zones
B. Zone Protection Profiles protect egress zones
C. DoS Protection Profiles are packet-based, not signature-based
D. DoS Protection Profiles are linked to Security policy rules
Answer: AC
Explanation:
A Zone Protection profile is attached to a zone and acts on packets entering that zone, so it
protects the ingress zone. DoS Protection profiles work on packet-rate thresholds (flood
protection) and session limits (resource protection), not on threat signatures. They are
attached to DoS Protection policy rules (Policies > DoS Protection), not to Security policy
rules, so statement D is false.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dosprotection/zone-defense/zone-protection-profiles
QUESTION 433
Which two statements are true for the DNS Security service? (Choose two.)
A. It eliminates the need for dynamic DNS updates
B. It functions like PAN-DB and requires activation through the app portal
C. It removes the 100K limit for DNS entries for the downloaded DNS updates
D. It is automatically enabled and configured
Answer: AB
Explanation:
https://docs.paloaltonetworks.com/dns-security.html
QUESTION 434
An engineer is creating a security policy based on Dynamic User Groups (DUG) What benefit does
this provide?
A. Automatically include users as members without having to manually create and commit policy or
group changes
B. DUGs are used to only allow administrators access to the management interface on the Palo Alto
Networks firewall
C. It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based
policies
D. Schedule commits at a regular intervals to update the DUG with new users matching the tags
specified
Answer: A
Explanation:
Dynamic user groups help you to create policy that provides auto-remediation for anomalous user
behavior and malicious activity while maintaining user visibility. Previously, quarantining users in
response to suspicious activity meant time-and resource-consuming updates for all members of
the group or updating the IP address-to-username mapping to a label to enforce policy at the cost
of user visibility, as well as having to wait until the firewall checked the traffic. Now, you can
configure a dynamic user group to automatically include users as members without having to
manually create and commit policy or group changes and still maintain user-to-data correlation at
the device level before the firewall even scans the traffic.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamicuser-groups.html
QUESTION 435
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the
GlobalProtect gateway?
A. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway
B. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS
D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/networkglobalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agentapp-tab.html
QUESTION 436
A standalone firewall with local objects and policies needs to be migrated into Panorama. What
procedure should you use so Panorama is fully managing the firewall?
A. Use the "import Panorama configuration snapshot" operation, then perform a device-group commit
push with "include device and network templates"
B. Use the "import device configuration to Panorama" operation, then "export or push device config
bundle" to push the configuration
C. Use the "import Panorama configuration snapshot" operation, then "export or push device config
bundle" to push the configuration
D. Use the "import device configuration to Panorama" operation, then perform a device-group commit
push with "include device and network templates"
Answer: B
Explanation:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-afirewall-to-panorama-management/migrate-a-firewall-to-panorama-management.html
QUESTION 437
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto
Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice
standard? (Choose three.)
A. High
B. Medium
C. Critical
D. Informational
E. Low
Answer: ABC
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
QUESTION 438
A customer is replacing their legacy remote access VPN solution.
The current solution is in place to secure internet egress and provide access to resources located
in the main datacenter for the connected clients.
Prisma Access has been selected to replace the current remote access VPN solution.
During onboarding the following options and licenses were selected and enabled
What must be configured on Prisma Access to provide connectivity to the resources in the
datacenter?
A. Configure a mobile user gateway in the region closest to the datacenter to enable connectivity to
the datacenter
B. Configure a remote network to provide connectivity to the datacenter
C. Configure Dynamic Routing to provide connectivity to the datacenter
D. Configure a service connection to provide connectivity to the datacenter
Answer: B
QUESTION 439
A network security engineer has applied a File Blocking profile to a rule with the action of Block.
The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is
being blocked by the firewall when trying to download a TAR file. The user is getting no error
response on the system.
Where is the best place to validate if the firewall is blocking the user's TAR file?
A. Threat log
B. Data Filtering log
C. WildFire Submissions log
D. URL Filtering log
Answer: B
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ1CAK
QUESTION 440
To support a new compliance requirement, your company requires positive username attribution of
every IP address used by wireless devices. You must collect IP address-to-username mappings
as soon as possible with minimal downtime and minimal configuration changes to the wireless
devices themselves. The wireless devices are from various manufacturers.
Given the scenario, choose the option for sending IP address-to-username mappings to the firewall.
A. UID redistribution
B. RADIUS
C. syslog listener
D. XFF headers
Answer: C
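As an added example (not part of the exam dump and not Palo Alto Networks code) of what the syslog listener does with such messages: a PAN-OS Syslog Parse Profile of the regex type consists of an event regex, a username regex and an address regex, and the code below applies the same three-regex scheme in Python to two constructed message formats standing in for two wireless-controller vendors. The message formats, host names, user names and addresses are all invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class SyslogParseProfile:
    """The three regex fields of a PAN-OS Syslog Parse Profile (regex identifier type)."""
    name: str
    event_regex: re.Pattern      # message must match this to count as a login event
    username_regex: re.Pattern   # group 1 captures the username
    address_regex: re.Pattern    # group 1 captures the client IPv4 address


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Two constructed message formats standing in for two wireless-controller vendors.
# Neither is a real vendor's syslog format; they only show that one profile per
# format is needed and that the firewall does not care which device produced it.
PROFILES = (
    SyslogParseProfile(
        name="controller-style-a",
        event_regex=re.compile(r"\bclient-auth-success\b"),
        username_regex=re.compile(r"\buser=([^\s,]+)"),
        address_regex=re.compile(r"\bip=" + IPV4),
    ),
    SyslogParseProfile(
        name="controller-style-b",
        event_regex=re.compile(r"\bauthenticated as\b"),
        username_regex=re.compile(r"\bauthenticated as (\S+)"),
        address_regex=re.compile(r"\bStation " + IPV4),
    ),
)


def parse_login(line: str) -> Optional[Tuple[str, str]]:
    """Return (ip, username) if the line is a login event under some profile, else None.

    Deauth lines and unknown formats fail the event regex and are ignored, which is
    how the firewall behaves too: only lines matching the event regex contribute a
    mapping, so a logoff message never creates a stale entry.
    """
    for profile in PROFILES:
        if not profile.event_regex.search(line):
            continue
        user = profile.username_regex.search(line)
        addr = profile.address_regex.search(line)
        if user and addr:
            return addr.group(1), user.group(1)
    return None


def build_mappings(lines: Iterable[str]) -> Dict[str, str]:
    """IP -> username table; a later login for the same IP replaces the earlier one."""
    mappings: Dict[str, str] = {}
    for line in lines:
        parsed = parse_login(line)
        if parsed is not None:
            ip, user = parsed
            mappings[ip] = user
    return mappings


# Constructed sample messages (not captured from real equipment).
SAMPLE_SYSLOG = [
    "<14>Jan 10 12:00:01 wlc01 client-auth-success user=corp\\jdoe ip=10.20.30.41 ssid=Corp-Secure",
    "<14>Jan 10 12:00:05 apc02 AUTH: Station 10.20.30.42 authenticated as asmith@corp.example via 802.1X",
    "<14>Jan 10 12:00:09 wlc01 client-deauth user=corp\\bwong ip=10.20.30.43 reason=idle",
    "<14>Jan 10 12:00:12 wlc01 client-auth-success user=corp\\jdoe ip=10.20.30.44 ssid=Corp-Secure",
]

if __name__ == "__main__":
    for ip, user in sorted(build_mappings(SAMPLE_SYSLOG).items()):
        print(f"{ip:<15} {user}")
```

On the firewall the equivalent configuration is a Syslog Parse Profile under Device > User Identification > User Mapping, the controllers added as Syslog Sender entries under Server Monitoring, and an Interface Management profile with the User-ID Syslog Listener (UDP or SSL) enabled on the receiving interface. Nothing changes on the wireless devices except that they forward their existing authentication messages to the firewall.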
QUESTION 441
An administrator has configured PAN-OS SD-WAN and has received a request to find out the
reason for a session failover for a session that has already ended. Where would you find this in
Panorama or firewall logs?
A. Traffic Logs
B. System Logs
C. Session Browser
D. You cannot find failover details on closed sessions
Answer: D
QUESTION 442
What are two best practices for incorporating new and modified App-IDs? (Choose two.)
A. Run the latest PAN-OS version in a supported release tree to have the best performance for the
new App-IDs
B. Configure a security policy rule to allow new App-IDs that might have network-wide impact
C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs
D. Study the release notes and install new App-IDs if they are determined to have low impact
Answer: BD
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-idsintroduced-in-content-releases/app-id-updates-workflow.html
QUESTION 443
What type of address object would be useful for internal devices where the addressing structure
assigns meaning to certain bits in the address, as illustrated in the diagram?
A. IP Netmask
B. IP Wildcard Mask
C. IP Address
D. IP Range
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/wildcardaddress
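A worked example, added here and not taken from the exam or from Palo Alto Networks documentation, of the bit semantics behind an IP Wildcard Mask object: a 0 bit in the mask means that bit of the address must equal the base address, a 1 bit is a don't-care. The addressing scheme (10.<site>.<type><vlan>.<host>, with the high nibble of the third octet set to 1 for printers) is invented for the example; the last function shows how many plain IP Netmask objects the same set would otherwise need.

```python
import ipaddress


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """Match `candidate` against a wildcard address object written as base/wildcard.

    Bit semantics of a PAN-OS IP Wildcard Mask object: a 0 bit in the wildcard
    mask means that bit of the candidate must equal the base address; a 1 bit
    means "don't care".
    """
    c = int(ipaddress.IPv4Address(candidate))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # positions that must match
    return (c & care) == (b & care)


def matching_address_count(wildcard: str) -> int:
    """Distinct IPv4 addresses matched: 2 ** (number of 1 bits in the mask)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 1 << bin(w).count("1")


def cidr_blocks_needed(wildcard: str) -> int:
    """How many IP Netmask (CIDR) objects would be needed to express the same set.

    Trailing 1 bits form a contiguous host part and fit in one prefix; every
    other 1 bit doubles the number of separate prefixes. This is the cost a
    wildcard object avoids when the addressing scheme gives meaning to
    individual bits in the middle of the address.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    while w & 1:                    # strip the contiguous host part
        w >>= 1
    return 1 << bin(w).count("1")


# Constructed addressing scheme (an assumption, not from the question):
#   10.<site>.<T><V>.<host>   third octet = high nibble T (device type,
#   1 = printer) and low nibble V (access VLAN). All printers at all sites
#   are therefore base 10.0.16.0 with wildcard 0.255.15.255: octets 2 and 4
#   are don't-care, and only the high nibble of octet 3 must equal 0001.
PRINTERS_BASE = "10.0.16.0"
PRINTERS_WILDCARD = "0.255.15.255"


def is_printer(address: str) -> bool:
    return wildcard_match(address, PRINTERS_BASE, PRINTERS_WILDCARD)


if __name__ == "__main__":
    for addr in ("10.5.23.7", "10.5.39.7", "10.200.31.255"):
        print(addr, "printer" if is_printer(addr) else "not a printer")
    print("addresses matched:", matching_address_count(PRINTERS_WILDCARD))
    print("CIDR objects otherwise needed:", cidr_blocks_needed(PRINTERS_WILDCARD))
```

For this scheme the single wildcard object 10.0.16.0/0.255.15.255 replaces 256 separate /20 objects (one per site). Per the linked 9.0 feature page, wildcard address objects are usable only in Security policy rules, so the object cannot stand in for a netmask object in NAT, PBF or Decryption rules.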
QUESTION 444
Which statement is true regarding a Best Practice Assessment?
A. It shows how your current configuration compares to Palo Alto Networks recommendations
B. It runs only on firewalls
C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where
you should focus prevention activities.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas
of network and security architecture
Answer: A
QUESTION 445
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all
devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls
to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs.
B. Export the log database
C. Use the scp logdb export command
D. Use the ACC to consolidate the logs
Answer: C
Explanation:
Command:
request logdb migrate-to-panorama start end-time start-time type
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-panorama/installcontent-and-software-updates-for-panorama/migrate-panorama-logs-to-new-log-format
QUESTION 446
The manager of the network security team has asked you to help configure the company's Security
Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has
assigned you the Vulnerability Protection profile for the internet gateway firewall.
Which action and packet-capture setting for items of high severity and critical severity best matches
Palo Alto Networks best practice?
A. action 'reset-both' and packet capture 'extended-capture'
B. action 'default' and packet capture 'single-packet'
C. action 'reset-both' and packet capture 'single-packet'
D. action 'reset-server' and packet capture 'disable'
Answer: A
Explanation:
"Enable extended-capture for critical, high, and medium severity events and single-packet capture
for low severity events. "
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-securityprofiles-vulnerability-protection
QUESTION 447
When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay?
A. OSPFv3
B. BGP
C. OSPF
D. RIP
Answer: B
Explanation:
PAN-OS SD-WAN builds its routing overlay with BGP: the Panorama SD-WAN plugin generates the
BGP configuration for the VPN tunnels between hubs and branches so that branch prefixes are
exchanged over the overlay.
QUESTION 448
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but
the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer
only had the following directories: /config, /license and /software.
Why did the bootstrap process fail for the VM-Series firewall in Azure?
A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The /content folder is missing from the bootstrap package
C. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process
from successfully completing
D. The /config or /software folders were missing mandatory files to successfully bootstrap
Answer: B
Explanation:
https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-seriesfirewall/prepare-the-bootstrap-package
QUESTION 449
A superuser is tasked with creating administrator accounts for three contractors.
For compliance purposes, all three contractors will be working with different device-groups in their
hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
A. Create a Dynamic Admin with the Panorama Administrator role
B. Create a Custom Panorama Admin
C. Create a Device Group and Template Admin
D. Create a Dynamic Read only superuser
Answer: C
QUESTION 450
Based on the graphic, which statement accurately describes the output shown in the Server
Monitoring panel?
A. The User-ID agent is connected to a domain controller labeled lab-client.
B. The host lab-client has been found by the User-ID agent.
C. The host lab-client has been found by a domain controller.
D. The User-ID agent is connected to the firewall labeled lab-client.
Answer: A
Explanation:
The User-ID agent is connected to a domain controller labeled lab-client.
QUESTION 451
An engineer was tasked to simplify configuration of multiple firewalls with a specific set of
configurations shared across all devices.
Which two advantages would be gained by using multiple templates in a stack? (Choose two.)
A. inherit address-objects from templates
B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks
D. standardize log-forwarding profiles for security policies across all stacks
Answer: BC
Explanation:
Address objects and log-forwarding profiles are device-group objects, not template
configuration, so A and D cannot be achieved with templates.
QUESTION 452
Refer to the diagram. An administrator needs to create an address object that will be useable by
the NYC. MA, CA and WA device groups.
Where will the object need to be created within the device-group hierarchy?
A. Americas
B. US
C. East
D. West
Answer: A
QUESTION 453
You need to allow users to access the office-suite applications of their choice.
How should you configure the firewall to allow access to any office-suite application?
A. Create an Application Group and add Office 365, Evernote, Google Docs and Libre Office
B. Create an Application Group and add business-systems to it.
C. Create an Application Filter and name it Office Programs, then filter it on the office-programs
subcategory.
D. Create an Application Filter and name it Office Programs then filter on the business-systems
category.
Answer: C
Explanation:
"...subcategories in the business-systems category include auth-service, database, erp-crm,
general-business, management, office-programs, software-update, and storage-backup."
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objectsapplications/applications-overview
QUESTION 454
A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints
and follow Palo Alto Networks best practices.
To install the certificate and key for an endpoint, which three components are required? (Choose
three.)
A. server certificate
B. local computer store
C. private key
D. self-signed certificate
E. machine certificate
Answer: BCE
Explanation:
With pre-logon the endpoint authenticates to the gateway before any user has logged in, so the
machine certificate and its private key must be installed in the Personal store of the Local
Computer certificate store (not a user's store). A self-signed certificate is not a required
component; best practice is to issue the machine certificate from an enterprise or trusted CA.
https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-quickconfigs/remote-access-vpn-with-pre-logon.html
QUESTION 455
Drag and Drop Question
Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS
attack to an example of that type of attack.
Answer:
Explanation:
Application-Based Attacks
-- Target weaknesses in a particular application and try to exhaust its resources so legitimate users
can't use it. An example is the Slowloris attack.
Protocol-Based Attacks
-- Also known as state-exhaustion attacks, they target protocol weaknesses. A common example
is a SYN flood attack.
Volumetric Attacks
-- High-volume attacks that attempt to overwhelm the available network resources, especially
bandwidth, and bring down the target to prevent legitimate users from accessing its resources. An
example is a UDP flood attack.
QUESTION 456
To ensure that a Security policy has the highest priority, how should an administrator configure a
Security policy in the device group hierarchy?
A. Add the policy in the shared device group as a pre-rule
B. Reference the targeted device's templates in the target device group
C. Add the policy to the target device group and apply a master device to the device group
D. Clone the security policy and add it to the other device groups
Answer: A
Explanation:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panoramaoverview/centralized-firewall-configuration-and-update-management/device-groups/device-grouphierarchy.html
QUESTION 457
Which GlobalProtect gateway setting is required to enable split-tunneling by access route,
destination domain, and application?
A. No Direct Access to local networks
B. Satellite mode
C. Tunnel mode
D. IPSec mode
Answer: A
Explanation:
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotectgateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-theaccess-route.html
QUESTION 458
Which two firewall components enable you to configure SYN flood protection thresholds? (Choose
two)
A. DoS Protection policy
B. QoS Profile
C. Zone Protection Profile
D. DoS Protection Profile
Answer: CD
Explanation:
Flood Attack Protection
Zone Protection Profiles protect against five types of floods:
SYN (TCP)
UDP
ICMP
ICMPv6
Other IP
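An added example, not from the exam and not PAN-OS code, that models how the three per-flood thresholds of a Zone Protection or DoS Protection profile (Alarm Rate, Activate Rate, Maximum Rate) act on a SYN rate, together with two sanity checks on the threshold ordering. The threshold values and the per-second SYN counts are made up, and the linear ramp of Random Early Drop between activate and maximum is an assumption: PAN-OS documents that the drop share grows as the rate approaches the maximum, but not the exact curve.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FloodThresholds:
    """Per-flood-type thresholds in packets per second, as on the Flood Protection
    tab of a Zone Protection profile or in a DoS Protection profile."""
    alarm: int      # log a threat event when the rate reaches this
    activate: int   # start the protective action (RED or SYN cookies)
    maximum: int    # drop everything at or above this


def threshold_warnings(t: FloodThresholds) -> List[str]:
    """Sanity checks an operator would want before committing the profile."""
    warnings = []
    if t.alarm > t.activate:
        warnings.append("alarm rate is above activate rate: packets are dropped "
                        "before any alarm is logged")
    if t.activate > t.maximum:
        warnings.append("activate rate is above maximum rate: there is no RED "
                        "ramp, protection jumps straight to 100% drop")
    return warnings


def drop_probability(pps: int, t: FloodThresholds) -> float:
    """Share of new SYNs discarded at this rate under Random Early Drop.

    Below activate nothing is dropped; at or above maximum every packet is
    dropped. In between, the drop share is assumed to rise linearly (PAN-OS
    does not publish the curve, only that it grows toward the maximum).
    """
    if pps < t.activate:
        return 0.0
    if pps >= t.maximum or t.maximum <= t.activate:
        return 1.0
    return (pps - t.activate) / (t.maximum - t.activate)


@dataclass(frozen=True)
class Verdict:
    second: int
    pps: int
    alarm: bool
    drop_prob: float


def evaluate(syn_per_second: List[int], t: FloodThresholds) -> List[Verdict]:
    """Apply the thresholds to a sequence of per-second SYN counts."""
    return [
        Verdict(i, pps, pps >= t.alarm, drop_probability(pps, t))
        for i, pps in enumerate(syn_per_second)
    ]


# Example values chosen for illustration, not PAN-OS defaults.
EXAMPLE_THRESHOLDS = FloodThresholds(alarm=10_000, activate=15_000, maximum=40_000)
# Constructed SYN rate: normal load, then a ramping flood.
EXAMPLE_RATES = [5_000, 12_000, 27_500, 50_000]

if __name__ == "__main__":
    for w in threshold_warnings(EXAMPLE_THRESHOLDS):
        print("warning:", w)
    for v in evaluate(EXAMPLE_RATES, EXAMPLE_THRESHOLDS):
        print(f"t={v.second}s syn/s={v.pps:>6} alarm={v.alarm!s:<5} drop={v.drop_prob:.0%}")
```

The alternative SYN flood action is SYN Cookies: instead of dropping a share of SYNs, the firewall answers the SYN itself and only forwards clients that complete the handshake, so the thresholds keep the same meaning but legitimate clients caught in the flood are not discarded. A Zone Protection profile applies these thresholds to the whole ingress zone; a DoS Protection profile applies them per destination (classified) or to the matching traffic as a whole (aggregate) through a DoS Protection policy rule.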
QUESTION 459
An administrator is attempting to create policies for deployment of a device group and template
stack.
When creating the policies, the zone drop down list does not include the required zone.
What must the administrator do to correct this issue?
A. Specify the target device as the master device in the device group
B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
C. Add the template as a reference template in the device group
D. Add a firewall to both the device group and the template
Answer: C
Explanation:
In order to see what is in a template, the device-group needs the template referenced. Even if you
add the firewall to both the template and device-group, the device-group will not see what is in the
template.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG
QUESTION 460
A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com.
At other times the session times out. The NGFW has been configured with a PBF rule that the user
traffic matches when it goes to http://www.company.com.
How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
A. Create and add a monitor profile with an action of fail over in the PBF rule in question
B. Create and add a monitor profile with an action of wait recover in the PBF rule in question
C. Configure path monitoring for the next hop gateway on the default route in the virtual router
D. Enable and configure a link monitoring profile for the external interface of the firewall
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/networknetwork-profiles/network-network-profiles-monitor
A monitor profile is used to monitor IPSec tunnels and to monitor a next-hop device for policy-based
forwarding (PBF) rules. In both cases, the monitor profile is used to specify an action to take when
a resource (IPSec tunnel or next-hop device) becomes unavailable.
wait-recover - Wait for the tunnel to recover; do not take additional action. Packets will continue to
be sent according to the PBF rule.
fail-over - Traffic will fail over to a backup path, if one is available. The firewall uses routing table
lookup to determine routing for the duration of this session.
QUESTION 461
An engineer is in the planning stages of deploying User-ID in a diverse directory services
environment.
Which server OS platforms can be used for server monitoring with User-ID?
A. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
B. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
C. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
D. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/usermapping/server-monitoring
QUESTION 462
Your company has two Active Directory domain controllers spread across multiple WAN links. All
users authenticate to Active Directory. Each link has substantial network bandwidth to support all
mission-critical applications. The firewall's management plane is highly utilized.
Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?
A. PAN-OS integrated agent
B. Captive Portal
C. Citrix terminal server agent with adequate data-plane resources
D. Windows-based User-ID agent on a standalone server
Answer: D
QUESTION 463
A customer is replacing their legacy remote access VPN solution. The current solution is in place
to secure only internet egress for the connected clients.
Prisma Access has been selected to replace the current remote access VPN solution.
During onboarding the following options and licenses were selected and enabled:
- Prisma Access for Remote Networks 300Mbps
- Prisma Access for Mobile Users 1500 Users
- Cortex Data Lake 2TB
- Trusted Zones trust
- Untrusted Zones untrust
- Parent Device Group shared
How can you configure Prisma Access to provide the same level of access as the current VPN
solution?
A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic
outbound to the internet
B. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the
desired traffic outbound to the internet
C. Configure remote networks with a service connection and trust-to-untrust Security policy rules to
allow the desired traffic outbound to the internet
D. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic
outbound to the internet
Answer: A
QUESTION 464
What best describes the HA Promotion Hold Time?
A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring
devices
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path
monitor failure simultaneously
C. the time that the passive firewall will wait before taking over as the active firewall after
communications with the HA peer have been lost
D. the time that a passive firewall with a low device priority will wait before taking over as the active
firewall if the firewall is operational again
Answer: C
QUESTION 465
During the process of developing a decryption strategy and evaluating which websites are required
for corporate users to access, several sites have been identified that cannot be decrypted due to
technical reasons.
In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be
blocked if decrypted.
How should the engineer proceed?
A. Allow the firewall to block the sites to improve the security posture
B. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
C. Install the unsupported cipher into the firewall to allow the sites to be decrypted
D. Create a Security policy to allow access to those sites
Answer: B
QUESTION 466
When using certificate authentication for firewall administration, which method is used for
authorization?
A. RADIUS
B. LDAP
C. Kerberos
D. Local
Answer: D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcCCAS
QUESTION 467
When you navigate to Network > GlobalProtect > Portals > Method section, which three options
are available? (Choose three.)
A. user-logon (always on)
B. pre-logon then on-demand
C. on-demand (manual user initiated connection)
D. post-logon (always on)
E. certificate-logon
Answer: ACD
QUESTION 468
An administrator analyzes the following portion of a VPN system log and notices the following issue:
`Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24
type IPv4 address protocol 0 port 0.`
What is the cause of the issue?
A. IPSec crypto profile mismatch
B. IPSec protocol mismatch
C. mismatched Proxy-IDs
D. bad local and peer identification IP addresses in the IKE gateway
Answer: C
QUESTION 469
What is considered the best practice with regards to zone protection?
A. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from
other threat logs
C. If the levels of zone and DoS protection consume too many firewall resources, disable zone
protection
D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity
Answer: B
Explanation:
https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-bestpractices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-bestpractices
Log Forwarding—For easier management, forward DoS logs separately from other Threat logs
directly to administrators via email and to a log server.
QUESTION 470
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet
gateway and wants to be sure of the functions that are supported on the vwire interface.
What are three supported functions on the VWire interface? (Choose three.)
A. NAT
B. QoS
C. IPSec
D. OSPF
E. SSL Decryption
Answer: ABE
Explanation:
The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition
to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive
and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection,
DoS protection, packet buffer protection, tunnel content inspection, and NAT.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configureinterfaces/virtual-wire-interfaces
QUESTION 471
An administrator needs to build Security rules in a Device Group that allow traffic to specific users
and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
A. The Security rules must be targeted to a firewall in the device group and have Group Mapping
configured
B. A master device with Group Mapping configured must be set in the device group where the Security
rules are configured
C. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same
mappings
D. A User-ID Certificate profile must be configured on Panorama
Answer: B
QUESTION 472
Which three use cases are valid reasons for requiring an Active/Active high availability deployment?
(Choose three.)
A. The environment requires real, full-time redundancy from both firewalls at all times
B. The environment requires Layer 2 interfaces in the deployment
C. The environment requires that both firewalls maintain their own routing tables for faster dynamic
routing protocol convergence
D. The environment requires that all configuration must be fully synchronized between both members
of the HA pair
E. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic
spikes
Answer: CDE
QUESTION 473
Which protocol is supported by GlobalProtect Clientless VPN?
A. HTTPS
B. FTP
C. RDP
D. SSH
Answer: C
QUESTION 474
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about
grayware in any of the logs of the corresponding firewall.
Which setting can the administrator configure on the firewall to log grayware verdicts?
A. within the log settings option in the Device tab
B. within the log forwarding profile attached to the Security policy rule
C. in WildFire General Settings, select "Report Grayware Files"
D. in Threat General Settings, select "Report Grayware Files"
Answer: C
Explanation:
https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/monitor-wildfire-activity/use-thefirewall-to-monitor-malware/configure-wildfire-submissions-log-settings/enable-logging-for-benignand-grayware-samples
QUESTION 475
What would allow a network security administrator to authenticate and identify a user with a new
BYOD-type device that is not joined to the corporate domain?
A. a Security policy with 'known-user' selected in the Source User field
B. an Authentication policy with 'unknown' selected in the Source User field
C. a Security policy with 'unknown' selected in the Source User field
D. an Authentication policy with 'known-user' selected in the Source User field
Answer: B
Explanation:
An Authentication policy with 'unknown' selected in the Source User field: unknown includes all users for whom the
firewall does not have IP address-to-username mappings. After the rule invokes authentication, the
firewall creates user mappings for unknown users based on the usernames they entered.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policiesauthentication/building-blocks-of-an-authentication-policy-rule
QUESTION 476
Which statement is correct given the following message from the PanGPA log on the GlobalProtect
app?
Failed to connect to server at port:4767
A. The PanGPS process failed to connect to the PanGPA process on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPA process failed to connect to the PanGPS process on port 4767
D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk6CAC
QUESTION 477
Which GlobalProtect component must be configured to enable Clientless VPN?
A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway
Answer: C
Explanation:
Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A
new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used
with an existing one.
https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5
QUESTION 478
A network security engineer must implement Quality of Service policies to ensure specific levels of
delivery guarantees for various applications in the environment.
They want to ensure that they know as much as they can about QoS before deploying.
Which statement about the QoS feature is correct?
A. QoS is only supported on firewalls that have a single virtual system configured
B. QoS can be used in conjunction with SSL decryption
C. QoS is only supported on hardware firewalls
D. QoS can be used on firewalls with multiple virtual systems configured
Answer: D
QUESTION 479
Which statement regarding HA timer settings is true?
A. Use the Recommended profile for typical failover timer settings
B. Use the Moderate profile for typical failover timer settings
C. Use the Aggressive profile for slower failover timer settings.
D. Use the Critical profile for faster failover timer settings.
Answer: A
QUESTION 480
What is the best description of the HA4 Keep-Alive Threshold (ms)?
A. the maximum interval between hello packets that are sent to verify that the HA functionality on the
other firewall is operational
B. the time that a passive or active-secondary firewall will wait before taking over as the active or
active-primary firewall
C. the timeframe within which the firewall must receive keepalives from a cluster member to know that
the cluster member is functional
D. the timeframe that the local firewall waits before going to Active state when another cluster member
is preventing the cluster from fully synchronizing
Answer: C
QUESTION 481
Where is information about packet buffer protection logged?
A. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP
addresses are in the Threat log
B. All entries are in the System log
C. Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and blocked IP
addresses are in the Threat log
D. All entries are in the Alarms log
Answer: C
Explanation:
The firewall records alert events in the System log and events for dropped traffic, discarded
sessions, and blocked IP addresses in the Threat log.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4
QUESTION 482
An administrator needs firewall access on a trusted interface. Which two components are required
to configure certificate-based, secure authentication to the web UI? (Choose two.)
A. certificate profile
B. server certificate
C. SSH Service Profile
D. SSL/TLS Service Profile
Answer: AD
QUESTION 483
When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption
can be implemented using a phased approach in alignment with Palo Alto Networks best practices.
What should you recommend?
A. Enable SSL decryption for known malicious source IP addresses
B. Enable SSL decryption for source users and known malicious URL categories
C. Enable SSL decryption for malicious source users
D. Enable SSL decryption for known malicious destination IP addresses
Answer: B
QUESTION 484
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto
Networks NGFW.
Which interface type is best suited to provide the raw data for an SLR from the network in a way
that is minimally invasive?
A. Layer 3
B. Virtual Wire
C. Tap
D. Layer 2
Answer: C
QUESTION 485
A user at an internal system queries the DNS server for their web server, which has the private IP
address 10.250.241.131.
The DNS server returns an address of the web server's public address 200.1.1.10.
In order to reach the web server, which security rule and U-Turn NAT rule must be configured on
the firewall?
A.
B.
C.
D.
Answer: A
QUESTION 486
What is the function of a service route?
A. The service route is the method required to use the firewall's management plane to provide services
to applications
B. The service packets enter the firewall on the port assigned from the external service. The server
sends its response to the configured destination interface and destination IP address
C. The service packets exit the firewall on the port assigned for the external service. The server sends
its response to the configured source interface and source IP address
D. Service routes provide access to external services such as DNS servers, external authentication
servers, or Palo Alto Networks services like the Customer Support Portal
Answer: C
QUESTION 487
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with
three remote networks.
What is the minimum amount of bandwidth the administrator could configure at the compute
location?
A. 90 Mbps
B. 300 Mbps
C. 75 Mbps
D. 50 Mbps
Answer: D
Explanation:
The number you specify for the bandwidth applies to both the egress and ingress traffic for the
remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you
with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress.
Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped;
for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps
on egress (50 Mbps plus 10% overage allocation).
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panoramaadmin/prisma-access-for-networks/how-to-calculate-network-bandwidth
QUESTION 488
A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent performance?
A. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less
processor-intensive
D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploydecryption/size-the-decryption-firewall-deployment
QUESTION 489
What can you use with GlobalProtect to assign user-specific client certificates to each
GlobalProtect user?
A. SSL/TLS Service profile
B. Certificate profile
C. SCEP
D. OCSP Responder
Answer: C
QUESTION 490
In the screenshot above, which two pieces of information can be determined from the ACC
configuration shown? (Choose two.)
A. The Network Activity tab will display all applications, including FTP.
B. Threats with a severity of "high" are always listed at the top of the Threat Name list
C. Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat
Type
D. The ACC has been filtered to only show the FTP application
Answer: AC
QUESTION 491
An administrator needs to assign a specific DNS server to one firewall within a device group.
Where would the administrator go to edit a template variable at the device level?
A. Variable CSV export under Panorama > templates
B. PDF Export under Panorama > templates
C. Manage variables under Panorama > templates
D. Managed Devices > Device Association
Answer: B
QUESTION 492
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn
on the feature inside which type of SD-WAN profile?
A. Certificate profile
B. Path Quality profile
C. SD-WAN Interface profile
D. Traffic Distribution profile
Answer: C
Explanation:
https://docs.paloaltonetworks.com/sd-wan/2-0/sd-wan-admin/configure-sd-wan/create-an-errorcorrection-profile
QUESTION 493
The administrator for a small company has recently enabled decryption on their Palo Alto Networks
firewall using a self-signed root certificate. They have also created a Forward Trust and Forward
Untrust certificate and set them as such.
The admin has not yet installed the root certificate onto client systems.
What effect would this have on decryption functionality?
A. Decryption will function and there will be no effect to end users
B. Decryption will not function because self-signed root certificates are not supported
C. Decryption will not function until the certificate is installed on client systems
D. Decryption will function but users will see certificate warnings for each SSL site they visit
Answer: D
QUESTION 494
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session
DoS attacks.
Which sessions does Packet Buffer Protection apply to?
A. It applies to existing sessions and is not global
B. It applies to new sessions and is global
C. It applies to new sessions and is not global
D. It applies to existing sessions and is global
Answer: D
QUESTION 495
A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for
the IP address of the web server, www.xyz.com. The DNS server returns an address of 172.16.15.1.
In order to reach the web server, which Security rule and NAT rule must be configured on the
firewall?
A.
B.
C.
D.
Answer: D
QUESTION 496
An administrator is building Security rules within a device group to block traffic to and from malicious
locations.
How should those rules be configured to ensure that they are evaluated with a high priority?
A. Create the appropriate rules with a Block action and apply them at the top of the Default Rules
B. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.
C. Create the appropriate rules with a Block action and apply them at the top of the local firewall
Security rules.
D. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules
Answer: D
QUESTION 497
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an
external router using the BGP protocol. The peer relationship is not establishing.
What command could the engineer run to see the current state of the BGP peering between the two
devices?
A. show routing protocol bgp state
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp rib-out
Answer: B
QUESTION 498
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between
peers.
Where can the administrator find the corresponding logs after running a test command to initiate
the VPN?
A. Configuration logs
B. System logs
C. Traffic logs
D. Tunnel Inspection logs
Answer: B
QUESTION 499
An administrator is using Panorama to manage multiple firewalls and has enabled log forwarding
from the firewalls to Panorama. However, pre-existing logs from the firewalls are not
appearing in Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A. Export the log database.
B. Use the import option to pull logs.
C. Use the ACC to consolidate the logs.
D. Use the scp logdb export command.
Answer: D
QUESTION 500
A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime
stats within the GUI. Where can they find this information?
A. routes listed in the routing table with flags
B. routes listed in the routing table with flags A?
C. under the BGP Summary tab
D. routes listed in the forwarding table with BGP in the Protocol column
Answer: C
QUESTION 501
Which GlobalProtect component must be configured to enable Clientless VPN?
A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway
Answer: C
Explanation:
Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A
new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used
with an existing one.
https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5
QUESTION 502
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website
https://www.important-website.com certificate. End-users are receiving the "security certificate is
not trusted" warning. Without SSL decryption the web browser shows that the website certificate
is trusted and signed by a well-known certificate chain, Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two
behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com website.
2. End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?
A. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and
commit the configuration
B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user
systems in the user and local computer stores
C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate
Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted
Root CA check box, and commit the configuration
D. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the
configuration
Answer: A
QUESTION 503
A firewall has been assigned to a new template stack that contains both "Global" and "Local"
templates in Panorama, and a successful commit and push has been performed.
While validating the configuration on the local firewall, the engineer discovers that some settings
are not being applied as intended.
The setting values from the "Global" template are applied to the firewall instead of the "Local"
template that has different values for the same settings.
What should be done to ensure that the settings in the "Local" template are applied while
maintaining settings from both templates?
A. Move the "Global" template above the "Local" template in the template stack.
B. Perform a commit and push with the "Force Template Values" option selected.
C. Move the "Local" template above the "Global" template in the template stack.
D. Override the values on the local firewall and apply the correct settings for each value.
Answer: C
Explanation:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panoramaoverview/centralized-firewall-configuration-and-update-management/templates-and-templatestacks
QUESTION 504
WildFire will submit for analysis blocked files that match which profile settings?
A. files matching Anti-Spyware signatures
B. files that are blocked by URL filtering
C. files that are blocked by a File Blocking profile
D. files matching Anti-Virus signatures
Answer: D
QUESTION 505
A network administrator plans a Prisma Access deployment with three service connections, each
with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and
management overhead on on-prem network devices.
What should the administrator implement?
A. target service connection for traffic steering
B. summarized BGP routes before advertising
C. hot potato routing
D. default routing
Answer: C
QUESTION 506
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
A. signature matching for content inspection
B. IPSec tunnel standup
C. Quality of Service
D. logging
Answer: D
QUESTION 507
An organization wishes to roll out decryption but gets some resistance from engineering leadership
regarding the guest network.
What is a common obstacle for decrypting traffic from guest devices?
A. Guest devices may not trust the CA certificate used for the forward untrust certificate.
B. Guests may use operating systems that can't be decrypted.
C. The organization has no legal authority to decrypt their traffic.
D. Guest devices may not trust the CA certificate used for the forward trust certificate.
Answer: D
QUESTION 508
A firewall has Security policies from three sources:
1. locally created policies
2. shared device group policies as pre-rules
3. the firewall's device group as post-rules
How will the rule order populate once pushed to the firewall?
A. shared device group policies, firewall device group policies, local policies
B. firewall device group policies, local policies, shared device group policies
C. shared device group policies, local policies, firewall device group policies
D. local policies, firewall device group policies, shared device group policies
Answer: C
QUESTION 509
An administrator wants to enable WildFire inline machine learning.
Which three file types does WildFire inline ML analyze? (Choose three.)
A. MS Office
B. ELF
C. APK
D. VBscripts
E. Powershell scripts
Answer: CDE
QUESTION 510
Drag and Drop Question
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple
routing protocols, and the engineer is trying to determine routing priority. Match the default
Administrative Distances for each routing protocol.
Answer:
Explanation:
Static - Range is 10-240; default is 10.
OSPF Internal - Range is 10-240; default is 30.
OSPF External - Range is 10-240; default is 110.
IBGP - Range is 10-240; default is 200.
EBGP - Range is 10-240; default is 20.
RIP - Range is 10-240; default is 120.
QUESTION 511
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto
Networks appliances. Which profile should be configured in order to achieve this?
A. SSH Service profile
B. SSL/TLS Service profile
C. Decryption profile
D. Certificate profile
Answer: A
QUESTION 512
A company is using wireless controllers to authenticate users.
Which source should be used for User-ID mappings?
A. Syslog
B. XFF headers
C. server monitoring
D. client probing
Answer: A
QUESTION 513
An engineer is configuring SSL Inbound Inspection for public access to a company's application.
Which certificate(s) need to be installed on the firewall to ensure that inspection is performed
successfully?
A. Self-signed CA and End-entity certificate
B. Root CA and Intermediate CA(s)
C. Self-signed certificate with exportable private key
D. Intermediate CA(s) and End-entity certificate
Answer: D
QUESTION 514
A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their
DMZ to prevent the hosted service from being exploited.
Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS
encapsulation?
A. Decryption policy and a Data Filtering profile
B. a WildFire profile and a File Blocking profile
C. Vulnerability Protection profile and a Decryption policy
D. a Vulnerability Protection profile and a QoS policy
Answer: C
QUESTION 515
Which two statements correctly describe Session 380280? (Choose two.)
A. The session went through SSL decryption processing.
B. The session has ended with the end-reason unknown.
C. The application has been identified as web-browsing.
D. The session did not go through SSL decryption processing.
Answer: AC
QUESTION 516
While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application
column. What best explains these occurrences?
A. A handshake took place, but no data packets were sent prior to the timeout.
B. A handshake took place; however, there were not enough packets to identify the application.
C. A handshake did take place, but the application could not be identified.
D. A handshake did not take place, and the application could not be identified.
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC#:~:text
=unknown%2Dtcp%3A,firewall%20does%20not%20have%20signatures.
QUESTION 517
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the
neighbor is correct, but the route is not in the neighbor's routing table. Which two configurations
should you check on the firewall? (Choose two.)
A. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF
Export Rules section.
B. Within the redistribution profile, ensure that Redist is selected.
C. Ensure that the OSPF neighbor state is "2-Way."
D. In the redistribution profile, check that the source type is set to "ospf."
Answer: AB
QUESTION 518
Which statement best describes the Automated Commit Recovery feature?
A. It performs a connectivity check between the firewall and Panorama after every configuration
commit on the firewall. It reverts the configuration changes on the firewall if the check fails.
B. It restores the running configuration on a firewall and Panorama if the last configuration commit
fails.
C. It performs a connectivity check between the firewall and Panorama after every configuration
commit on the firewall. It reverts the configuration changes on the firewall and on Panorama if
the check fails.
D. It restores the running configuration on a firewall if the last configuration commit fails.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/administer-panorama/enableautomated-commit-recovery
QUESTION 519
A firewall administrator wants to avoid overflowing the company syslog server with traffic logs. What
should the administrator do to prevent the forwarding of DNS traffic logs to syslog?
A. Disable logging on security rules allowing DNS.
B. Go to the Log Forwarding profile used to forward traffic logs to syslog.
Then, under traffic logs match list, create a new filter with application not equal to DNS.
C. Create a security rule to deny DNS traffic with the syslog server in the destination
D. Go to the Log Forwarding profile used to forward traffic logs to syslog.
Then, under traffic logs match list, create a new filter with application equal to DNS.
Answer: B
QUESTION 520
An engineer is planning an SSL decryption implementation. Which of the following statements is a
best practice for SSL decryption?
A. Use the same Forward Trust certificate on all firewalls in the network.
B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.
C. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
D. Use an enterprise CA-signed certificate for the Forward Untrust certificate.
Answer: C
QUESTION 521
An administrator needs to optimize traffic to prefer business-critical applications over non-critical
applications. QoS natively integrates with which feature to provide service quality?
A. certificate revocation
B. Content-ID
C. App-ID
D. port inspection
Answer: C
Explanation:
The Palo Alto Networks firewall provides this capability by integrating the features App-ID and User-ID with the QoS configuration.
QUESTION 522
What can an engineer use with GlobalProtect to distribute user-specific client certificates to each
GlobalProtect user?
A. Certificate profile
B. SSL/TLS Service profile
C. OCSP Responder
D. SCEP
Answer: D
QUESTION 523
Which three actions can Panorama perform when deploying PAN-OS images to its managed
devices? (Choose three.)
A. upload-only
B. upload and install and reboot
C. verify and install
D. upload and install
E. install and reboot
Answer: ABE
QUESTION 524
During the implementation of SSL Forward Proxy decryption, an administrator imports the
company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's
Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy
and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an
Enterprise CA chain of trust are signed by the company's Intermediate CA. Which method should
the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall
for use with decryption?
A.
B.
C.
D.
Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
Answer: B
QUESTION 525
How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after
enabling the Advance Routing Engine run on PAN-OS 10.2?
A. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD
profile under Network > Virtual Router > BGP > BFD
B. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD
profile under Network > Virtual Router > BGP > General > Global BFD Profile
C. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD
profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
D. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD
profile under Network > Routing > Logical Routers > BGP > BFD
Answer: C
Explanation:
The Advanced Routing Engine uses Logical Routers, not Virtual Routers.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/configure-bgp-on-an-advanced-routing-engine
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/create-bfd-profiles
QUESTION 526
An administrator has configured a pair of firewalls using high availability in Active/Passive mode.
Path Monitoring has been enabled with a Failure Condition of "any."
A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8
and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.
Which scenario will cause the Active firewall to fail over?
A.
B.
C.
D.
IP address 8.8.8.8 is unreachable for 1 second.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds
IP address 4.2.2.2 is unreachable for 2 seconds.
Answer: C
Explanation:
Each destination is declared down only after 3 consecutive pings sent 500 ms apart go unanswered,
i.e. after 1.5 seconds, so 1 second of unreachability (A, B) is not enough. With the path group
Failure Condition set to "all", both 8.8.8.8 and 4.2.2.2 must be unreachable, so D alone does not
trigger failover; only C does.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/static-routes/configure-path-monitoring-for-a-static-route
QUESTION 527
With the default TCP and UDP settings on the firewall, what will be the identified application in the
following session?
A. Incomplete
B. unknown-tcp
C. Insufficient-data
D. not-applicable
Answer: B
Explanation:
It is a UDP connection on port 443. This would trigger unknown-udp. Incomplete is used in TCP
connections only.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
QUESTION 528
Which Security profile generates a packet threat type found in threat logs?
A. Zone Protection
B. WildFire
C. Anti-Spyware
D. Antivirus
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields
packet - Packet-based attack protection triggered by a Zone Protection profile.
QUESTION 529
A client wants to detect the use of weak and manufacturer-default passwords for IoT devices. Which
option will help the customer?
A. Configure a Data Filtering profile with alert mode.
B. Configure an Antivirus profile with alert mode.
C. Configure a Vulnerability Protection profile with alert mode.
D. Configure an Anti-Spyware profile with alert mode.
Answer: C
QUESTION 530
A firewall administrator notices that many Host Sweep scan attacks are being allowed through the
firewall sourced from the outside zone. What should the firewall administrator do to mitigate this
type of attack?
A. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules
allowing traffic from the outside zone
B. Enable packet buffer protection in the outside zone.
C. Create a Security rule to deny all ICMP traffic from the outside zone.
D. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and
apply it to the outside zone.
Answer: D
QUESTION 531
An engineer needs to permit XML API access to a firewall for automation on a network segment
that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this
network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this
request?
A. Specify the subinterface as a management interface in Setup > Device > Interfaces.
B. Enable HTTPS in an Interface Management profile on the subinterface.
C. Add the network segment's IP range to the Permitted IP Addresses list.
D. Configure a service route for HTTP to use the subinterface.
Answer: B
QUESTION 532
An engineer needs to see how many existing SSL decryption sessions are traversing a firewall.
What command should be used?
A. show dataplane pool statistics | match proxy
B. debug dataplane pool statistics | match proxy
C. debug sessions | match proxy
D. show sessions all
Answer: B
Get Latest & Actual PCNSE Exam's Question and Answers from PassLeader.
https://www.passleader.com/
220
QUESTION 533
Which steps should an engineer take to forward system logs to email?
A. Create a new email profile under Device > server profiles; then navigate to Objects > Log
Forwarding profile > set log type to system and the add email profile.
B. Enable log forwarding under the email profile in the Objects tab.
C. Create a new email profile under Device > server profiles: then navigate to Device > Log
Settings > System and add the email profile under email.
D. Enable log forwarding under the email profile in the Device tab.
Answer: C
QUESTION 534
A network security administrator has an environment with multiple forms of authentication. There
is a network access control system in place that authenticates and restricts access for wireless
users, multiple Windows domain controllers, and an MDM solution for company-provided
smartphones. All of these devices have their authentication events logged. Given the information,
what is the best choice for deploying User-ID to ensure maximum coverage?
A. Syslog listener
B. agentless User-ID with redistribution
C. standalone User-ID agent
D. captive portal
Answer: A
Explanation:
To obtain user mappings from existing network services that authenticate users—such as wireless
controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access
Control (NAC) mechanisms—Configure User-ID to Monitor Syslog Senders for User Mapping.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users
QUESTION 535
Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is
configured to respond only to SSH requests coming from IP 172.16.16.1. In order to reach the
SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the
firewall?
A.
B.
C.
D.
Answer: C
QUESTION 536
Which Panorama feature protects logs against data loss if a Panorama server fails?
A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails
inside the Collector Group.
C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA
Cluster.
D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the
Collector Group
Answer: B
Explanation:
Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable.
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group
QUESTION 537
An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended"
state due to Non-functional loop.
Which three actions will help the administrator resolve this issue? (Choose three.)
A. Use the CLI command show high-availability flap-statistics
B. Check the HA Link Monitoring interface cables.
C. Check the High Availability > Link and Path Monitoring settings.
D. Check High Availability > Active/Passive Settings > Passive Link State
E. Check the High Availability > HA Communications > Packet Forwarding settings.
Answer: ACD
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgVCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaaCAC
QUESTION 538
Which User-ID mapping method should be used in a high-security environment where all IP
address-to-user mappings should always be explicitly known?
A. PAN-OS integrated User-ID agent
B. GlobalProtect
C. Windows-based User-ID agent
D. LDAP Server Profile configuration
Answer: B
QUESTION 539
What can be used to create dynamic address groups?
A. dynamic address
B. region objects
C. tags
D. FQDN addresses
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy
QUESTION 540
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed
and pushed to the devices at the end of the day at a certain time. How can they achieve this?
A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API
call to commit all Panorama changes.
C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API
call to commit all Panorama changes.
D. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
Answer: B
Explanation:
You can only schedule a push, not a commit.
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/schedule-a-configuration-push-to-managed-firewalls
QUESTION 541
Which statement accurately describes service routes and virtual systems?
A. Virtual systems that do not have specific service routes configured inherit the global service and
service route settings for the firewall.
B. Virtual systems can only use one interface for all global service and service routes of the firewall.
C. Virtual systems cannot have dedicated service routes configured; and virtual systems always
use the global service and service route settings for the firewall.
D. The interface must be used for traffic to the required external services.
Answer: A
Explanation:
When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service
and service route settings. For example, the firewall can use a shared email server to originate
email alerts to all virtual systems. In some scenarios, you’d want to create different service routes
for each virtual system.
QUESTION 542
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors.
When upgrading Log Collectors to 10.2, you must do what?
A. Upgrade the Log Collectors one at a time.
B. Add Panorama Administrators to each Managed Collector.
C. Add a Global Authentication Profile to each Managed Collector.
D. Upgrade all the Log Collectors at the same time.
Answer: D
Explanation:
You must upgrade all Log Collectors in a collector group at the same time to avoid losing log data
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/deploy-an-update-to-log-collectors-when-panorama-is-internet-connected
QUESTION 543
Which configuration is backed up using the Scheduled Config Export feature in Panorama?
A. Panorama running configuration
B. Panorama candidate configuration
C. Panorama candidate configuration and candidate configuration of all managed devices
D. Panorama running configuration and running configuration of all managed devices
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-web-interface/panorama-scheduled-config-export
QUESTION 544
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about
grayware in any of the logs of the corresponding firewall. Which setting can the administrator
configure on the firewall to log grayware verdicts?
A. within the log forwarding profile attached to the Security policy rule
B. within the log settings option in the Device tab
C. in WildFire General Settings, select "Report Grayware Files"
D. in Threat General Settings, select "Report Grayware Files"
Answer: C
QUESTION 545
You have upgraded your Panorama and Log Collectors to 10.2.x. Before upgrading your firewalls
using Panorama, what do you need to do?
A. Refresh your licenses with Palo Alto Networks Support - Panorama/Licenses/Retrieve License
Keys from License Server.
B. Re-associate the firewalls in Panorama/Managed Devices/Summary.
C. Commit and Push the configurations to the firewalls.
D. Refresh the Master Key in Panorama/Master Key and Diagnostics.
Answer: C
QUESTION 546
A network security engineer has applied a File Blocking profile to a rule with the action of Block.
The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is
being blocked by the firewall when trying to download a TAR file. The user is getting no error
response on the system.
Where is the best place to validate if the firewall is blocking the user's TAR file?
A. URL Filtering log
B. Data Filtering log
C. Threat log
D. WildFire Submissions log
Answer: B
QUESTION 547
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall
to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose
two.)
A. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection >
TCP/IP Drop, set "Reject Non-SYN TCP" to No and set "Asymmetric Path" to Bypass
B. > set session tcp-reject-non-syn no
C. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection >
TCP/IP Drop, set "Reject Non-SYN TCP" to Global and set "Asymmetric Path" to Global
D. # set deviceconfig setting session tcp-reject-non-syn no
Answer: AD
Explanation:
Option B is an operational-mode command, so it does not survive a reboot, and option C leaves both
settings at their global defaults (reject non-SYN TCP, drop asymmetric path), so neither changes
the firewall's behaviour permanently. A Zone Protection profile with "Reject Non-SYN TCP" set to No
and "Asymmetric Path" set to Bypass (A), or the configuration-mode command in D (together with
# set deviceconfig setting tcp asymmetric-path bypass for the asymmetric path check), is committed
to the running configuration and persists.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEwCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK
QUESTION 548
Which CLI command is used to determine how much disk space is allocated to logs?
A. show logging-status
B. show system info
C. debug log-receiver show
D. show system logdb-quota
Answer: D
Explanation:
show system logdb-quota
Quotas:
system: 4.00%, 0.609 GB Expiration-period: 0 days
config: 4.00%, 0.609 GB Expiration-period: 0 days
alarm: 3.00%, 0.457 GB Expiration-period: 0 days
QUESTION 549
An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to
identify with App-ID. Why would the application field display as incomplete?
A. The client sent a TCP segment with the PUSH flag set.
B. The TCP connection was terminated without identifying any application data.
C. There is insufficient application data after the TCP connection was established.
D. The TCP connection did not fully establish.
Answer: D
Explanation:
"Incomplete" is displayed in the application field if the three-way TCP handshake did not complete.
"Incomplete means that either the three-way TCP handshake did not complete OR the three-way
TCP handshake did complete but there was not enough data after the handshake to identify the
application. In other words that traffic being seen is not really an application."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
QUESTION 550
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data
Lake?
A. Legacy
B. Log Collector
C. Panorama
D. Management Only
Answer: D
QUESTION 551
The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an
active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability >
General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up
only on the active firewall.
Why is the AE interface showing down on the passive firewall?
A. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under
the High Availability Options on the LACP tab of the AE Interface.
B. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable
LACP selection on the LACP tab of the AE Interface.
C. It participates in LACP negotiation when Fast is selected for Transmission Rate under the
Enable LACP selection on the LACP tab of the AE Interface.
D. It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP
selection on the LACP tab of the AE Interface.
Answer: A
QUESTION 552
An administrator has configured a pair of firewalls using high availability in Active/Passive mode.
Link and Path Monitoring is enabled with the Failure Condition set to `any`.
There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with
a Group Failure Condition set to `all`.
Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?
A. Non-functional
B. Passive
C. Active-Secondary
D. Active
Answer: D
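As an added illustration that is not part of the exam dump, the following Python models how the Link and Path Monitoring failure conditions of Questions 526 and 552 combine. It is a simplification: a monitored destination is declared down after ping interval x ping count consecutive misses (the 500 ms x 3 of Question 526), a link member is down when its link state is down, each group applies its own any/all Group Failure Condition, and the global Failure Condition is applied across the groups. The group names, the function names and the omission of the firewall's own hold and retry timers are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


def path_member_failed(unreachable_ms: int, ping_interval_ms: int, ping_count: int) -> bool:
    """A monitored destination counts as down only after ping_count consecutive
    probes, sent ping_interval_ms apart, go unanswered (500 ms x 3 = 1500 ms in Q526)."""
    return unreachable_ms >= ping_interval_ms * ping_count


def _combine(condition: str, states: Iterable[bool]) -> bool:
    """Apply an any/all Failure Condition to a set of member or group states."""
    states = list(states)
    if condition == "all":
        return bool(states) and all(states)
    if condition == "any":
        return any(states)
    raise ValueError(f"unknown failure condition {condition!r}")


@dataclass
class MonitorGroup:
    """A link group or path group with its own Group Failure Condition (assumed names)."""
    name: str
    failure_condition: str    # "any" or "all"
    members: Dict[str, bool]  # interface name or destination IP -> failed?

    def failed(self) -> bool:
        return _combine(self.failure_condition, self.members.values())


def ha_fails_over(global_condition: str, groups: List[MonitorGroup]) -> bool:
    """Roll the group results up through the global Link and Path Monitoring Failure
    Condition; True means the Active peer goes non-functional and the pair fails over."""
    return _combine(global_condition, (g.failed() for g in groups))


def q526(unreachable_ms: Dict[str, int]) -> bool:
    """Question 526: one path group with condition 'all', 500 ms interval, count 3,
    global Path Monitoring Failure Condition 'any'."""
    members = {ip: path_member_failed(ms, 500, 3) for ip, ms in unreachable_ms.items()}
    return ha_fails_over("any", [MonitorGroup("path-group-1", "all", members)])


def q552(link_up: Dict[str, bool]) -> bool:
    """Question 552: one link group of ethernet1/1 and ethernet1/2 with condition 'all',
    global Link Monitoring Failure Condition 'any'."""
    members = {ifname: not up for ifname, up in link_up.items()}
    return ha_fails_over("any", [MonitorGroup("link-group-1", "all", members)])


if __name__ == "__main__":
    print(q526({"8.8.8.8": 1000, "4.2.2.2": 0}))              # False: one target, under 1.5 s
    print(q526({"8.8.8.8": 2000, "4.2.2.2": 2000}))           # True: both down for 2 s
    print(q552({"ethernet1/1": False, "ethernet1/2": True}))  # False: stays Active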
QUESTION 553
An engineer is pushing configuration from Panorama to a managed firewall. What happens when
the pushed Panorama configuration has Address Object names that duplicate the Address Objects
already configured on the firewall?
A. The firewall rejects the pushed configuration, and the commit fails.
B. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones;
it will update the references to the objects accordingly and fully commit the pushed configuration.
C. The firewall fully commits all of the pushed configuration and overwrites its locally configured
objects
D. The firewall ignores only the pushed objects that have the same name as the locally configured
objects, and it will commit the rest of the pushed configuration.
Answer: A
Explanation:
Validation Error:
. address -> Test duplicate 'Test duplicate' is already in use.
QUESTION 554
What is a correct statement regarding administrative authentication using external services with a
local authorization method?
A. Prior to PAN-OS 10.2, an administrator used the firewall to manage role assignments, but
access domains have not been supported by this method.
B. Starting with PAN-OS 10.2, an administrator needs to configure Cloud Identity Engine to use
external authentication services for administrative authentication.
C. The administrative accounts you define locally on the firewall serve as references to the
accounts defined on an external authentication server.
D. The administrative accounts you define on an external authentication server serve as references
to the accounts defined locally on the firewall.
Answer: C
QUESTION 555
An administrator wants multiple web servers in the DMZ to receive connections initiated from the
internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at
10.1.1.22.
Based on the image, which NAT rule will forward web-browsing traffic correctly?
A.
B.
C.
D.
Answer: B
QUESTION 556
An engineer is tasked with enabling SSL decryption across the environment. What are three valid
parameters of an SSL Decryption policy? (Choose three.)
A. URL categories
B. source users
C. source and destination IP addresses
D. App-ID
E. GlobalProtect HIP
Answer: ABC
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule
QUESTION 557
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward
traffic logs to Panorama.
In which section is this configured?
A. Panorama > Managed Devices
B. Monitor > Logs > Traffic
C. Device Groups > Objects > Log Forwarding
D. Templates > Device > Log Settings
Answer: C
QUESTION 558
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a
false-positive action. How can the administrator create an exception for this particular file?
A. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus
profile.
B. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
C. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
D. Disable the WildFire profile on the related Security policy.
Answer: A
QUESTION 559
A web server is hosted in the DMZ and the server is configured to listen for incoming connections
on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone
needs to be configured to allow web-browsing access. The web server hosts its contents over
HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which
combination of service and application, and order of Security policy rules, needs to be configured
to allow cleartext web-browsing traffic to this server on tcp/443?
A. Rule #1: application: web-browsing; service: application-default; action: allow. Rule #2:
application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-https; action: allow. Rule #2: application: ssl;
service: application-default; action: allow
C. Rule #1: application: web-browsing; service: service-http; action: allow. Rule #2: application: ssl;
service: application-default; action: allow
D. Rule #1: application: ssl; service: application-default; action: allow. Rule #2: application:
web-browsing; service: application-default; action: allow
Answer: B
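The following Python is an added example, not part of the exam dump, that walks the four rule orderings of Question 559 through a first-match policy evaluator. The point it makes concrete is that application-default binds web-browsing to its standard port, so the decrypted web-browsing flow on tcp/443 only matches a rule whose service object includes tcp/443. The App-ID standard ports (web-browsing tcp/80, ssl tcp/443) and the predefined service objects (service-http tcp/80 and tcp/8080, service-https tcp/443) are modelled as a reduced subset, and the rule and function names are this example's own.

```python
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Port = Tuple[str, int]  # (protocol, destination port)

# Assumed subset of App-ID standard ports and predefined service objects.
APP_DEFAULT_PORTS: Dict[str, Set[Port]] = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}
SERVICES: Dict[str, Set[Port]] = {
    "service-http": {("tcp", 80), ("tcp", 8080)},
    "service-https": {("tcp", 443)},
}


class Rule(NamedTuple):
    name: str
    application: str
    service: str  # "application-default" or a service object name
    action: str


class Session(NamedTuple):
    application: str  # what App-ID currently sees: "ssl" before decryption, the inner app after
    proto: str
    dport: int


def service_matches(rule: Rule, session: Session) -> bool:
    """application-default binds the rule to the app's standard ports; a service
    object binds it to that object's ports regardless of the app."""
    if rule.service == "application-default":
        allowed = APP_DEFAULT_PORTS[rule.application]
    else:
        allowed = SERVICES[rule.service]
    return (session.proto, session.dport) in allowed


def evaluate(rules: List[Rule], session: Session) -> Tuple[Optional[str], str]:
    """Top-down, first match wins; no match falls to the implicit interzone deny."""
    for rule in rules:
        if rule.application == session.application and service_matches(rule, session):
            return rule.name, rule.action
    return None, "deny"


def rules_for(option: str) -> List[Rule]:
    """The four rule orderings offered in Question 559."""
    wb = "web-browsing"
    return {
        "A": [Rule("rule1", wb, "application-default", "allow"), Rule("rule2", "ssl", "application-default", "allow")],
        "B": [Rule("rule1", wb, "service-https", "allow"), Rule("rule2", "ssl", "application-default", "allow")],
        "C": [Rule("rule1", wb, "service-http", "allow"), Rule("rule2", "ssl", "application-default", "allow")],
        "D": [Rule("rule1", "ssl", "application-default", "allow"), Rule("rule2", wb, "application-default", "allow")],
    }[option]


# The same TCP/443 flow as the firewall sees it at the two stages of a decrypted session.
HANDSHAKE = Session("ssl", "tcp", 443)           # before the Forward Proxy decrypts it
DECRYPTED = Session("web-browsing", "tcp", 443)  # after decryption App-ID shifts to web-browsing


def options_allowing_cleartext() -> List[str]:
    """Options whose rules allow both the ssl handshake and the decrypted web-browsing flow."""
    return [
        opt for opt in "ABCD"
        if evaluate(rules_for(opt), HANDSHAKE)[1] == "allow"
        and evaluate(rules_for(opt), DECRYPTED)[1] == "allow"
    ]


if __name__ == "__main__":
    for opt in "ABCD":
        print(opt, evaluate(rules_for(opt), HANDSHAKE), evaluate(rules_for(opt), DECRYPTED))
    print(options_allowing_cleartext())  # ['B']
```

Options A and D fail on the decrypted flow because web-browsing with application-default only covers tcp/80, and C fails because service-http does not include tcp/443; only B matches both stages of the session.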
QUESTION 560
The firewall identifies a popular application as unknown-tcp. Which two options are available to
identify the application? (Choose two.)
A. Create a custom application.
B. Submit an App-ID request to Palo Alto Networks.
C. Create a custom object for the application server.
D. Create a Security policy to identify the custom application.
Answer: AB
QUESTION 561
Refer to the screenshots. Without the ability to use Context Switch, where do admin accounts need
to be configured in order to provide admin access to Panorama and to the managed devices?
A. The Panorama section overrides the Device section. The accounts need to be configured only in
the Panorama section.
B. The sections are independent. The accounts need to be configured in both the Device and
Panorama sections.
C. The Device section overrides Panorama section. The accounts need to be configured only in the
Device section.
D. Configuration in the sections is merged together. The accounts need to be configured in either
section.
Answer: B
QUESTION 562
Your company wants greater visibility into their traffic and has asked you to start planning an SSL
Decryption project. The company does not have a PKI infrastructure, and multiple certificates would
be needed for this project. Which type of certificate can you use to generate other certificates?
A. self-signed root CA
B. external CA certificate
C. server certificate
D. device certificate
Answer: A
QUESTION 563
Given the screenshot, how did the firewall handle the traffic?
A. Traffic was allowed by policy but denied by profile as encrypted.
B. Traffic was allowed by policy but denied by profile as a threat.
C. Traffic was allowed by profile but denied by policy as a threat.
D. Traffic was allowed by policy but denied by profile as a nonstandard port.
Answer: B
QUESTION 564
A network administrator notices there is a false-positive situation after enabling Security profiles.
When the administrator checks the threat prevention logs, the related signature displays:
threat type: spyware, category: dns-c2, threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
A. Navigate to Objects > Security Profiles > Anti-Spyware, select the related profile, select the
Signature Exceptions tab and click Show All Signatures, search for the related threat ID and click
Enable, change the default action, and Commit
B. Navigate to Objects > Security Profiles > Anti-Spyware, select the related profile, select the
Exceptions tab and click Show All Signatures, search for the related threat ID and click Enable,
and Commit
C. Navigate to Objects > Security Profiles > Vulnerability Protection, select the related profile,
select the Exceptions tab and click Show All Signatures, search for the related threat ID and click
Enable, and Commit
D. Navigate to Objects > Security Profiles > Anti-Spyware, select the related profile, select the
DNS Exceptions tab, search for the related threat ID and click Enable, and Commit
Answer: D
Explanation:
Step 3 here - DNS signatures are handled differently
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/create-threat-exceptions
QUESTION 565
A firewall administrator is investigating high packet buffer utilization in the company firewall. After
looking at the threat logs and seeing many flood attacks coming from a single source that are
dropped by the firewall, the administrator decides to enable packet buffer protection to protect
against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet
buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
A. Apply a DoS Protection profile to Security rules that allow traffic from outside.
B. Enable packet buffer protection for the affected zones.
C. Add the default Vulnerability Protection profile to all Security rules that allow traffic from outside.
D. Add a Zone Protection profile to the affected zones.
Answer: B
QUESTION 566
A network engineer is troubleshooting a VPN and wants to verify whether the
decapsulation/encapsulation counters are increasing.
Which CLI command should the engineer run?
A. show running tunnel flow lookup
B. show vpn flow name <tunnel name>
C. show vpn ipsec-sa tunnel <tunnel name>
D. show vpn tunnel name | match encap
Answer: B
Explanation:
Check if encapsulation and decapsulation bytes are increasing. If the firewall is passing traffic, then
both values should be increasing.
> show vpn flow name <tunnel.id/tunnel.name> | match bytes
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
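As an added example, not taken from the exam dump or from Palo Alto Networks documentation, the Python below turns the manual check in the explanation (capture the counters twice and see whether encap and decap bytes grow) into a small parser that also says which side of the tunnel is silent. The two captures are constructed sample text whose field names follow the encap/decap wording of the show vpn flow name output; the exact column layout of the real command and the function names are assumptions.

```python
import re
from typing import Dict

# Constructed samples of two captures, a few seconds apart, of
#   > show vpn flow name <tunnel name> | match bytes
# Field names follow the firewall's encap/decap wording; the exact spacing is assumed.
SAMPLE_T0 = """\
        encap bytes:            104832
        decap bytes:             98176
"""
SAMPLE_T1 = """\
        encap bytes:            211904
        decap bytes:             98176
"""

COUNTER_RE = re.compile(r"^\s*(encap|decap)\s+bytes:\s+(\d+)\s*$", re.MULTILINE)


def parse_counters(output: str) -> Dict[str, int]:
    """Pull the encap and decap byte counters out of one capture."""
    found = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(output)}
    missing = {"encap", "decap"} - found.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return found


def counter_movement(before: str, after: str) -> Dict[str, bool]:
    """Which direction's counter grew between the two captures."""
    b, a = parse_counters(before), parse_counters(after)
    return {
        "encap_increasing": a["encap"] > b["encap"],  # this firewall is sending into the tunnel
        "decap_increasing": a["decap"] > b["decap"],  # the peer is sending to this firewall
    }


def diagnose(before: str, after: str) -> str:
    """Map the counter movement to the next troubleshooting step."""
    m = counter_movement(before, after)
    if m["encap_increasing"] and m["decap_increasing"]:
        return "both-directions"  # the tunnel is passing traffic; look elsewhere
    if m["encap_increasing"]:
        return "encap-only"  # we send, nothing returns: check the peer's routing/policy
    if m["decap_increasing"]:
        return "decap-only"  # peer sends, we do not: check our route or PBF into the tunnel
    return "no-traffic"  # check the IPSec SA (show vpn ipsec-sa) and routing to the tunnel


if __name__ == "__main__":
    print(counter_movement(SAMPLE_T0, SAMPLE_T1))  # {'encap_increasing': True, 'decap_increasing': False}
    print(diagnose(SAMPLE_T0, SAMPLE_T1))  # encap-only
```

Running the two captures a few seconds apart while a host behind the firewall generates traffic through the tunnel gives the before/after text; a counter that is non-zero but static means nothing has moved since the last SA rekey, which is why the explanation asks for an increase rather than a non-zero value.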
QUESTION 567
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
A. PBF > Static route > Security policy enforcement
B. BGP < PBF > NAT
C. PBF > Zone Protection Profiles > Packet Buffer Protection
D. NAT > Security policy enforcement > OSPF
Answer: A
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
In the slow path (session setup stage) the firewall evaluates PBF first, then static routes, and then policy enforcement.
QUESTION 568
While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is
also being dropped by the DoS profile.
If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the
drop to only the attacking sessions?
A. Enable resources protection under the DoS Protection profile.
B. Change the SYN flood action from Random Early Drop to SYN cookies.
C. Increase the activate rate for the SYN flood protection.
D. Change the DoS Protection profile type from aggregate to classified.
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions
QUESTION 569
A firewall administrator wants to have visibility on one segment of the company network. The traffic
on the segment is routed on the Backbone switch. The administrator is planning to apply Security
rules on segment X after getting the visibility.
There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough
system resources to get extra traffic on the firewall. The administrator needs to complete this
operation with minimum service interruptions and without making any IP changes.
What is the best option for the administrator to take?
A. Configure the TAP interface for segment X on the firewall.
B. Configure a Layer 3 interface for segment X on the firewall.
C. Configure vwire interfaces for segment X on the firewall.
D. Configure a new vsys for segment X on the firewall.
Answer: C
Explanation:
As it specifically states in the question that security rules will be applied, VWire is the only method
that allows this without making any IP address changes.
QUESTION 570
A company is deploying User-ID in their network. The firewall team needs to have the ability to see
and choose from a list of usernames and user groups directly inside the Panorama policies when
creating new security rules.
How can this be achieved?
A. by configuring User-ID group mapping in Panorama > User Identification
B. by configuring Master Device in Panorama > Device Groups
C. by configuring User-ID source device in Panorama > Managed Devices
D. by configuring Data Redistribution Client in Panorama > Data Redistribution
Answer: B
Explanation:
For Panorama to offer usernames or groups in policy, the device group needs a Master Device set.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
QUESTION 571
After some firewall configuration changes, an administrator discovers that application identification
has started failing. The administrator investigates further and notices that a high number of
sessions were going to a discard state with the application showing as unknown-tcp.
Which possible firewall change could have caused this issue?
A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings
B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup > Content-ID > Content-ID Settings
C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the number of available packet buffers.
D. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-order and application identification.
Answer: A
Explanation:
Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID
inspection when the App-ID inspection queue is full.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setupcontent-id
QUESTION 572
A network administrator configured a site-to-site VPN tunnel where the peer device will act as
initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
A. Use the Dynamic IP address type.
B. Enable Passive Mode.
C. Set up certificate authentication.
D. Configure the peer address as an FQDN.
Answer: A
QUESTION 573
Which feature of PAN-OS SD-WAN allows you to configure a bandwidth-intensive application to go
directly to the internet through the branch's ISP link instead of going back to the data-center hub
through the VPN tunnel, thus saving WAN bandwidth costs?
A. SD-WAN Full Mesh with branches only
B. SD-WAN direct internet access (DIA) links
C. SD-WAN Interface profile
D. VPN Cluster
Answer: B
Explanation:
https://docs.paloaltonetworks.com/sd-wan/3-0/sd-wan-admin/sd-wan-overview/about-sd-wan
QUESTION 574
A network administrator is trying to prevent domain username and password submissions to
phishing sites on some allowed URL categories.
Which set of steps does the administrator need to take in the URL Filtering profile to prevent
credential phishing on the firewall?
A. Choose the URL categories in the User Credential Submission column and set action to block; select the User Credential Detection tab and select Use Domain Credential Filter; commit.
B. Choose the URL categories in the User Credential Submission column and set action to block; select the User Credential Detection tab and select Use IP User Mapping; commit.
C. Choose the URL categories in the Site Access column and set action to block; click the User Credential Detection tab and select IP User Mapping; commit.
D. Choose the URL categories in the User Credential Submission column and set action to block; select the URL Filtering settings and enable Domain Credential Filter; commit.
Answer: A
QUESTION 575
Which feature of Panorama allows an administrator to create a single network configuration that
can be reused repeatedly for large-scale deployments even if values of configured objects, such
as routes and interface addresses, change?
A. template variables
B. the 'Shared' device group
C. template stacks
D. a device group
Answer: A
QUESTION 576
A network administrator wants to deploy SSL Inbound Inspection.
What two attributes should the required certificate have? (Choose two.)
A. a client certificate
B. a private key
C. a server certificate
D. a subject alternative name
Answer: BC
QUESTION 577
Which component enables you to configure firewall resource protection settings?
A. DoS Protection Profile
B. QoS Profile
C. Zone Protection Profile
D. DoS Protection policy
Answer: A
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHDCA0
QUESTION 578
How can an administrator use the Panorama device-deployment option to update the apps and
threat version of an HA pair of managed firewalls?
A. Choose the download and install action for both members of the HA pair in the Schedule object.
B. Switch context to the firewalls to start the download and install process.
C. Download the apps to the primary; no further action is required.
D. Configure the firewall's assigned template to download the content updates.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-webinterface/panorama-device-deployment/schedule-dynamic-content-updates
QUESTION 579
A Panorama administrator configures a new zone and uses the zone in a new Security policy. After
the administrator commits the configuration to Panorama, which device-group commit push
operation should the administrator use to ensure that the push is successful?
A. merge with candidate config
B. include device and network templates
C. specify the template as a reference template
D. force template values
Answer: B
Explanation:
You need to push both the template and device group.
QUESTION 580
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer
uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity
date on the PA-generated certificate is taken from what?
A. The trusted certificate
B. The server certificate
C. The untrusted certificate
D. The root CA
Answer: B
QUESTION 581
Refer to the exhibit.
Based on the screenshots above, what is the correct order in which the various rules are deployed
to firewalls inside the DATACENTER_DG device group?
A. shared pre-rules; DATACENTER_DG pre-rules; rules configured locally on the firewall; shared post-rules; DATACENTER_DG post-rules; DATACENTER_DG default rules
B. shared pre-rules; DATACENTER_DG pre-rules; rules configured locally on the firewall; shared post-rules; DATACENTER_DG post-rules; shared default rules
C. shared pre-rules; DATACENTER_DG pre-rules; rules configured locally on the firewall; DATACENTER_DG post-rules; shared post-rules; shared default rules
D. shared pre-rules; DATACENTER_DG pre-rules; rules configured locally on the firewall; DATACENTER_DG post-rules; shared post-rules; DATACENTER_DG default rules
Answer: A
QUESTION 582
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion
on a managed firewall?
A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.
B. Panorama provides visibility into all the system and traffic logs received from firewalls; it does not offer any ability to see or monitor resource utilization on managed firewalls.
C. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.
D. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.
Answer: A
QUESTION 583
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, which choice would be evaluated last in the processing order to block access to the URL?
A. PAN-DB URL category in URL Filtering profile
B. Custom URL category in Security policy rule
C. Custom URL category in URL Filtering profile
D. EDL in URL Filtering profile
Answer: D