Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Exam Practice Test

Total 334 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Question 1

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

Options:

A.

A web server certificate signed by the organization's PKI

B.

A self-signed certificate generated on the firewall

C.

A subordinate Certificate Authority certificate signed by the organization's PKI

D.

A web server certificate signed by an external Certificate Authority

Question 2

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

Options:

A.

Add SSL and web-browsing applications to the same rule.

B.

Add web-browsing application to the same rule.

C.

Add SSL application to the same rule.

D.

SSL and web-browsing must both be explicitly allowed.

Question 3

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server. By default, which component of the Palo Alto Networks firewall architecture is responsible for log forwarding and should be checked for early signs of overutilization?

Options:

A.

Management plane CPU

B.

Dataplane CPU

C.

Packet buffers

D.

On-chip packet descriptors

Question 4

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Device Group and Template Admin

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Dynamic Read-only Superuser

D.

Create a Custom Panorama Admin

Question 5

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)

Options:

A.

Firewalls which support policy-based VPNs.

B.

The remote device is a non-Palo Alto Networks firewall.

C.

Firewalls which support route-based VPNs.

D.

The remote device is a Palo Alto Networks firewall.

Question 6

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Options:

A.

Export device state

B.

Load configuration version

C.

Load named configuration snapshot

D.

Save candidate config

Question 7

What can the Log Forwarding built-in action with tagging be used to accomplish?

Options:

A.

Block the source zones of selected unwanted traffic.

B.

Block the destination IP addresses of selected unwanted traffic.

C.

Forward selected logs to the Azure Security Center.

D.

Block the destination zones of selected unwanted traffic.

Question 8

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?

Options:

A.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. * Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source HIP profile. Enable GlobalProtect Gateway Agent for HIP Notification.

B.

Create Security Profiles for Antivirus and Anti-Spyware.

Create Security Profile Group that includes the Antivirus and Anti-Spyware profiles. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Gateway Agent for HIP Notification.

C.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Portal Agent for HIP Notification.

D.

Create Security Profiles for Antivirus and Anti-Spyware.

Create Security Profile Group that includes the Antivirus and Anti-Spyware profile. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that has the Profile Setting. Profile Type selected to Group. Enable GlobalProtect Portal Agent for HIP Notification.

Question 9

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

Options:

A.

Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.

B.

Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.

C.

Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

D.

Panorama provides visibility into all the system and traffic logs received from firewalls; it does not offer any ability to see or monitor resource utilization on managed firewalls.

Question 10

Which statement applies to HA timer settings?

Options:

A.

Use the Critical profile for faster failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings

D.

Use the Recommended profile for typical failover timer settings

Question 11

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?

Options:

A.

Performs malicious content analysis on the linked page, but not the corresponding PE file.

B.

Performs malicious content analysis on the linked page and the corresponding PE file.

C.

Does not perform malicious content analysis on either the linked page or the corresponding PE file.

D.

Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file.

Question 12

What happens when the log forwarding built-in action with tagging is used?

Options:

A.

Destination IP addresses of selected unwanted traffic are blocked. *

B.

Selected logs are forwarded to the Azure Security Center.

C.

Destination zones of selected unwanted traffic are blocked.

D.

Selected unwanted traffic source zones are blocked.

Question 13

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Dynamic Read only superuser.

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Device Group and Template Admin

D.

Create a Custom Panorama Admin

Question 14

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.19?.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40. However, they confirm a successful ping test to 198.51.100.88. Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

Options:

A.

Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address", both external servers as "Destination Address", and Source Translation remaining as is with the bidirectional option enabled.

B.

Sharing a single NAT IP is possible for outbound connectivity, not for inbound; therefore, a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.

C.

Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.

D.

Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.

Question 15

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?

Options:

A.

Enable PFS under the IKE gateway advanced options.

B.

Enable PFS under the IPSec Tunnel advanced options.

C.

Add an authentication algorithm in the IPSec Crypto profile.

D.

Select the appropriate DH Group under the IPSec Crypto profile.

Question 16

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can broadcast DHCP traffic?

Options:

A.

Virtual Wire

B.

Tap

C.

Layer 2

D.

Layer 3

Question 17

A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?

Options:

A.

Multiple external gateways

B.

Single or multiple internal gateways

C.

Split DNS and HIP checks

D.

IPv6 for internal gateways

Question 18

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

Options:

A.

Run the CLI command show advanced-routing ospf neighbor

B.

In the WebUI, view the Runtime Stats in the virtual router

C.

Look for configuration problems in Network > virtual router > OSPF

D.

In the WebUI, view Runtime Stats in the logical router

Question 19

Exhibit.

Review the screenshots and consider the following information

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

Options:

A.

Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1

B.

Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.

C.

Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

D.

Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Question 20

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

Options:

A.

The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

B.

The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

C.

The firewall rejects the pushed configuration, and the commit fails.

D.

The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Question 21

Which statement regarding HA timer settings is true?

Options:

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Question 22

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?

Options:

A.

Managed Devices Health

B.

Test Policy Match

C.

Preview Changes

D.

Policy Optimizer

Question 23

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

Options:

A.

Financial, health, and government traffic categories

B.

Known traffic categories

C.

Known malicious IP space

D.

Public-facing servers

E.

Less-trusted internal IP subnets

Question 24

Which rule type controls end user SSL traffic to external websites?

Options:

A.

SSL Outbound Proxyless Inspection

B.

SSL Forward Proxy

C.

SSH Proxy

D.

SSL Inbound Inspection

Question 25

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

IPSec mode

D.

Satellite mode

Question 26

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

Options:

A.

IKE Crypto Profile

B.

Security policy

C.

Proxy-IDs

D.

PAN-OS versions

Question 27

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?

Options:

A.

Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules.

B.

Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

C.

Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

D.

Create the appropriate rules with a Block action and apply them at the top of the Default Rules.

Question 28

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows

Options:

A.

Deploy the GlobalProtect as a User-ID data hub.

B.

Deploy Windows User-ID agents on each domain controller.

C.

Deploys AILS integrated User-ID agent on each vsys.

D.

Deploy a M-200 as a User-ID collector.

Question 29

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

    End-users must not get the warning for the https://www.very-important-website.com/ website

    End-users should get the warning for any other untrusted website

Which approach meets the two customer requirements?

Options:

A.

Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores

B.

Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

C.

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

D.

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

Question 30

Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)

Options:

A.

Ps1

B.

Perl

C.

Python

D.

VBS

Question 31

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)

Options:

A.

RADIUS

B.

TACACS+

C.

Kerberos

D.

LDAP

E.

SAML

Question 32

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.

The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors.

What is the recommended order of operational steps when upgrading?

Options:

A.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

B.

Upgrade the firewalls, upgrade log collectors, upgrade Panorama

C.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

D.

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

Question 33

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

Options:

A.

Powershell scripts

B.

VBscripts

C.

MS Office

D.

APK

E.

ELF

Question 34

PBF can address which two scenarios? (Choose two.)

Options:

A.

Routing FTP to a backup ISP link to save bandwidth on the primary ISP link

B.

Providing application connectivity if the primary circuit fails

C.

Enabling the firewall to bypass Layer 7 inspection

D.

Forwarding all traffic by using source port 78249 to a specific egress interface

Question 35

Which statement about High Availability timer settings is true?

Options:

A.

Use the Critical timer for faster failover timer settings.

B.

Use the Aggressive timer for faster failover timer settings

C.

Use the Moderate timer for typical failover timer settings

D.

Use the Recommended timer for faster failover timer settings.

Question 36

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)

Options:

A.

HTTPS

B.

SSH

C.

Permitted IP Addresses

D.

HTTP

E.

User-ID

Question 37

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?

Options:

A.

Log Collector

B.

Panorama

C.

Legacy

D.

Management Only

Question 38

Exhibit.

Given the screenshot, how did the firewall handle the traffic?

Options:

A.

Traffic was allowed by profile but denied by policy as a threat.

B.

Traffic was allowed by policy but denied by profile as a threat.

C.

Traffic was allowed by policy but denied by profile as encrypted.

D.

Traffic was allowed by policy but denied by profile as a nonstandard port.

Question 39

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?

Options:

A.

an Authentication policy with 'unknown' selected in the Source User field

B.

an Authentication policy with 'known-user' selected in the Source User field

C.

a Security policy with 'known-user' selected in the Source User field

D.

a Security policy with 'unknown' selected in the Source User field

Question 40

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?

Options:

A.

Tunnel

B.

Ethernet

C.

VLAN

D.

Loopback

Question 41

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

Options:

A.

Upload the image to Panorama > Software menu, and deploy it to the firewalls. *

B.

Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.

C.

Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

D.

Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

Question 42

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

Options:

A.

A User-ID Certificate profile must be configured on Panorama.

B.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings.

D.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured.

Question 43

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)

Options:

A.

Client probing

B.

Syslog

C.

XFF Headers

D.

Server Monitoring

Question 44

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

Options:

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

Question 45

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

Options:

A.

Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.

B.

Use the highest TLS protocol version to maximize security.

C.

Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

D.

Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

Question 46

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Chicago

B.

Values in efw01lab.chi

C.

Values in Datacenter

D.

Values in Global Settings

Question 47

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?

Options:

A.

Hello Interval

B.

Promotion Hold Time

C.

Heartbeat Interval

D.

Monitor Fail Hold Up Time

Question 48

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

Options:

A.

Log Ingestion

B.

HTTP

C.

Log Forwarding

D.

LDAP

Question 49

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

Options:

A.

Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.

B.

Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use IP User Mapping. Commit.

C.

Choose the URL categories on Site Access column and set action to block. Click the User Credential Detection tab and select IP User Mapping. Commit.

D.

Choose the URL categories in the User Credential Submission column and set action to block. Select the URL filtering settings and enable Domain Credential Filter. Commit.

Question 50

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?

Options:

A.

Enable PFS under the IKE Gateway advanced options

B.

Enable PFS under the IPsec Tunnel advanced options

C.

Select the appropriate DH Group under the IPsec Crypto profile

D.

Add an authentication algorithm in the IPsec Crypto profile

Question 51

Where can a service route be configured for a specific destination IP?

Options:

A.

Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4

B.

Use Device > Setup > Services > Services

C.

Use Device > Setup > Services > Service Route Configuration > Customize > Destination

D.

Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

Question 52

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

Options:

A.

Use the "import device configuration to Panorama" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

B.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

C.

Use the "import device configuration to Panorama" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

D.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

Question 53

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

Options:

A.

The profile rule action

B.

CVE column

C.

Exceptions tab

D.

The profile rule threat name

Question 54

What should an engineer consider when setting up the DNS proxy for web proxy?

Options:

A.

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

B.

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

C.

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

D.

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

Question 55

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?

Options:

A.

To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.

B.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

C.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

D.

The WildFire Global Cloud only provides bare metal analysis.

Question 56

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

Options:

A.

On the same RODC that is used for credential detection

B.

In close proximity to the firewall it will be providing User-ID to

C.

In close proximity to the servers it will be monitoring

D.

On the DC holding the Schema Master FSMO role

Question 57

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Datacenter

B.

Values in efw01lab.chi

C.

Values in Global Settings

D.

Values in Chicago

Question 58

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

Options:

A.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

B.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

C.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

D.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Question 59

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls need to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

Options:

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datacenter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Question 60

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

Options:

A.

Application filter

B.

Application override policy rule

C.

Security policy rule

D.

Custom app

Question 61

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

Options:

A.

The active firewall which then synchronizes to the passive firewall

B.

The passive firewall, which then synchronizes to the active firewall

C.

Both the active and passive firewalls which then synchronize with each other

D.

Both the active and passive firewalls independently, with no synchronization afterward

Question 62

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)

Options:

A.

Configure a URL profile to block the phishing category.

B.

Create a URL filtering profile

C.

Enable User-ID.

D.

Create an anti-virus profile.

E.

Create a decryption policy rule.

Question 63

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

Options:

A.

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Question 64

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Options:

A.

IPSec Tunnel settings

B.

IKE Crypto profile

C.

IPSec Crypto profile

D.

IKE Gateway profile

Question 65

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Question 66

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)

Options:

A.

Source IP address

B.

Dynamic tags

C.

Static tags

D.

LDAP attributes

Question 67

Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?

Options:

A.

Upgrade both HA peers at the same time using Panorama’s "Group HA Peers" option to ensure version consistency

B.

Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer

C.

Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability

D.

Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer

Question 68

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?

Options:

A.

It automatically pushes the configuration to Panorama after strengthening the overall security posture

B.

It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama

C.

The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment

D.

The AIOps plugin in Panorama retroactively checks the policy changes during the commits

Question 69

Which two actions can the administrative role called "vsysadmin" perform? (Choose two)

Options:

A.

Configure resource limits for the NGFW system

B.

Commit changes made to the candidate configuration of the assigned vsys

C.

Create and edit Security policies and security profiles for only the assigned vsys

D.

Configure interfaces and subinterfaces that exist in the assigned vsys

Question 70

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

Tunnel mode

B.

Satellite mode

C.

IPSec mode

D.

No Direct Access to local networks

Question 71

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

Options:

A.

Specify the subinterface as a management interface in Setup > Device > Interfaces.

B.

Add the network segment's IP range to the Permitted IP Addresses list.

C.

Enable HTTPS in an Interface Management profile on the subinterface.

D.

Configure a service route for HTTP to use the subinterface.

Question 72

In a template, which two objects can be configured? (Choose two.)

Options:

A.

SD-WAN path quality profile

B.

Monitor profile

C.

IPsec tunnel

D.

Application group

Question 73

Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

Options:

A.

HA cluster members must share the same zone names.

B.

Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces

C.

Panorama must be used to manage HA cluster members.

D.

HA cluster members must be the same firewall model and run the same PAN-OS version.

Question 74

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

Options:

A.

Lower the interface MTU value below 1500.

B.

Enable the Ignore IPv4 Don't Fragment (DF) setting.

C.

Change the subnet mask from /23 to /24.

D.

Adjust the TCP maximum segment size (MSS) value.

Question 75

As a best practice, logging at session start should be used in which case?

Options:

A.

While troubleshooting

B.

Only on Deny rules

C.

On all Allow rules

D.

Only when log at session end is enabled

Question 76

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)

Options:

A.

Route added with next hop set to "none" and using the interface of the virtual systems that need to communicate

B.

External zones with the virtual systems added

C.

Route added with next hop next-vr by using the VR configured in the virtual system

D.

Layer 3 zones for the virtual systems that need to communicate

Question 77

A firewall engineer is configuring a quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

Which combination of pre-NAT and / or post-NAT information should be used in the QoS rule?

Options:

A.

Post-NAT source IP address; Pre-NAT source zone

B.

Post-NAT source IP address; Post-NAT source zone

C.

Pre-NAT source IP address; Post-NAT source zone

D.

Pre-NAT source IP address; Pre-NAT source zone

Question 78

An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?

Options:

A.

Add service accounts running on that machine to the "Ignore User List" in the User-ID agent setup

B.

Remove the identity redistribution rules synced from Cloud Identity Engine from the User-ID agent configuration

C.

Remove the rate-limiting rule that is assigned to User A access from the User-ID agent configuration

D.

Add the subnets of both the user machine and the resource to the "Include List" in the User-ID agent configuration

Question 79

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?

Options:

A.

Command line > debug dataplane packet-diag clear filter-marked-session all

B.

In the GUI under Monitor > Packet Capture > Manage Filters, under Ingress Interface, select an interface

C.

Command line > debug dataplane packet-diag clear filter all

D.

In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"

Question 80

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?

Options:

A.

By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"

B.

By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)"

C.

By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"

D.

By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)"

Question 81

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

Options:

A.

Log Forwarding Profile is configured but not added to security rules in the data center firewall.

B.

HIP profiles are configured but not added to security rules in the data center firewall.

C.

User-ID is not enabled in the zone where the users are coming from in the data center firewall.

D.

HIP Match log forwarding is not configured under Log Settings in the device tab.

Question 82

What must be taken into consideration when preparing a log forwarding design for all of a customer’s deployed Palo Alto Networks firewalls?

Options:

A.

The logs will not contain the names of the identified applications unless the "Enable enhanced application logging" option is selected

B.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules

C.

App-ID engine will not identify any application traffic unless the "Enable enhanced application logging" option is selected

D.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in "Logging and Reporting Settings"

Question 83

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

Options:

A.

Authentication Portal

B.

SSL Decryption profile

C.

SSL decryption policy

D.

comfort pages

Question 84

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)

Options:

A.

DNS Proxy

B.

SSL/TLS profiles

C.

address groups

D.

URL Filtering profiles

Question 85

A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?

Options:

A.

Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls.

B.

Create custom vulnerability signatures manually on one firewall, export them, and then import them to the rest of the firewalls

C.

Use Panorama IPS Signature Converter to create custom vulnerability signatures, and push them to the firewalls.

D.

Create custom vulnerability signatures manually in Panorama, and push them to the firewalls

Question 86

Which three authentication types can be used to authenticate users? (Choose three.)

Options:

A.

Local database authentication

B.

PingID

C.

Kerberos single sign-on

D.

GlobalProtect client

E.

Cloud authentication service

Question 87

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

Options:

A.

Enable NAT Traversal on Site B firewall

B.

Configure Local Identification on Site firewall

C.

Disable passive mode on Site A firewall

D.

Match IKE version on both firewalls.

Question 88

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection. Click Add.

Select Packet Based Attack Protection > TCP/IP Drop. Set "Reject Non-syn-TCP" to No. Set "Asymmetric Path" to Bypass.

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection. Click Add.

Select Packet Based Attack Protection > TCP/IP Drop. Set "Reject Non-syn-TCP" to Global. Set "Asymmetric Path" to Global.

D.

# set deviceconfig setting session tcp-reject-non-syn no

Question 89

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

Options:

A.

Captive portal

B.

Standalone User-ID agent

C.

Syslog listener

D.

Agentless User-ID with redistribution

Question 90

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Question 91

A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns? (Choose two.)

Options:

A.

Traffic logs

B.

Data filtering logs

C.

Policy Optimizer

D.

Wireshark

Question 92

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Options:

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Question 93

As a best practice, which URL category should you target first for SSL decryption?

Options:

A.

Online Storage and Backup

B.

High Risk

C.

Health and Medicine

D.

Financial Services

Question 94

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

Options:

A.

IPv6 Source or Destination Address

B.

Destination-Based Service Route

C.

IPv4 Source Interface

D.

Inherit Global Setting

Question 95

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)

Options:

A.

Schedule

B.

Source Device

C.

Custom Application

D.

Source Interface

Question 96

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.

Which option should the administrator use?

Options:

A.

Terminal Server Agent for User Mapping

B.

Windows-Based User-ID Agent

C.

PAN-OS Integrated User-ID Agent

D.

PAN-OS XML API

Question 97

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

Options:

A.

UaCredInstall64-11.0.0.msi

B.

GlobalProtect64-6.2.1.msi

C.

TaInstall-11.0.0.msi

D.

UaInstall-11.0.0.msi

Question 98

Refer to Exhibit:

An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 99

A company wants to deploy IPv6 on its network, which requires that all company Palo Alto Networks firewalls process IPv6 traffic and be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?

Options:

A.

Device > Setup Settings Do not enable on each interface

B.

Network > Zone Settings Do not enable on each interface

C.

Network > Zone Settings Enable on each interface

D.

Device > Setup Settings Enable on each interface

Question 100

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.

What can the engineer do to solve the VoIP traffic issue?

Options:

A.

Disable ALG under H.323 application

B.

Increase the TCP timeout under H.323 application

C.

Increase the TCP timeout under SIP application

D.

Disable ALG under SIP application
