PCNSE v10 Practice Test

What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Which feature checks Panorama connectivity status after a commit?

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

What are two characteristic types that can be defined for a variable? (Choose two)

What are three types of Decryption Policy rules? (Choose three.)

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

When overriding a template configuration locally on a firewall, what should you consider?

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized. Given the size of this environment, which User-ID collection method is sufficient?

Place the steps in the WildFire process workflow in their correct order. Select and Place:

What are three reasons for excluding a site from SSL decryption? (Choose three.)

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

Which statement about High Availability timer settings is true?

Match each type of DoS attack to an example of that type of attack

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

Match each GlobalProtect component to the purpose of that component

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

Which option describes the operation of the automatic commit recovery feature?

An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?

SD-WAN is designed to support which two network topology types? (Choose two.)

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

WildFire will submit for analysis blocked files that match which profile settings?

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

During the packet flow process, which two processes are performed in application identification? (Choose two.)

An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?

Which GlobalProtect component must be configured to enable Clientless VPN?

In a Panorama template which three types of objects are configurable? (Choose three)

Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?

An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department. Which dynamic role does the administrator assign to the new-hire colleague?

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?

Which configuration task is best for reducing load on the management plane?

When you configure an active/active high availability pair which two links can you use? (Choose two)

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

Which statement accurately describes service routes and virtual systems?

As a best practice, which URL category should you target first for SSL decryption?

An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

Which log type would provide information about traffic blocked by a Zone Protection profile?

A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

Which three statements accurately describe Decryption Mirror? (Choose three.)

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

Which three statements accurately describe Decryption Mirror? (Choose three.)

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

PBF can address which two scenarios? (Choose two.)

An engineer is bootstrapping a VM-Series Firewall other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)