PCNSE v10 Practice Test

An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

PBF can address which two scenarios? (Select Two)

Which GlobalProtect component must be configured to enable Clientless VPN?

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?

Which three statements accurately describe Decryption Mirror? (Choose three.)

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

What is a correct statement regarding administrative authentication using external services with a local authorization method?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

What are two characteristic types that can be defined for a variable? (Choose two.)

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

Which three options are supported in HA Lite? (Choose three.)

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

What are two characteristic types that can be defined for a variable? (Choose two)

An engineer has been given approval to upgrade their environment 10 PAN-OS 10.2. The environment consists of both physical and virtual firewalls a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

When setting up a security profile, which three items can you use? (Choose three.)

When overriding a template configuration locally on a firewall, what should you consider?

Which configuration is backed up using the Scheduled Config Export feature in Panorama?

What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

What are three types of Decryption Policy rules? (Choose three.)

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

PBF can address which two scenarios? (Choose two.)

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?

Which two events trigger the operation of automatic commit recovery? (Choose two.)

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

Match each GlobalProtect component to the purpose of that component

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

As a best practice, which URL category should you target first for SSL decryption?

Before you upgrade a Palo Alto Networks NGFW, what must you do?

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

Place the steps in the WildFire process workflow in their correct order.

Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?

What is the dependency for users to access services that require authentication?

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

Which statement about High Availability timer settings is true?

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

What file type upload is supported as part of the basic WildFire service?

When overriding a template configuration locally on a firewall, what should you consider?

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

Which option is part of the content inspection process?

Match each type of DoS attack to an example of that type of attack

Which configuration task is best for reducing load on the management plane?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?