PCNSE v10 Practice Test

An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?

An engineer is bootstrapping a VM-Series Firewall other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

When you configure an active/active high availability pair which two links can you use? (Choose two)

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?

In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour's routing table. Which two configurations should you check on the firewall? (Choose two.)

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?

Which configuration task is best for reducing load on the management plane?

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?

Which two events trigger the operation of automatic commit recovery? (Choose two.)

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

During the packet flow process, which two processes are performed in application identification? (Choose two.)

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

What are two valid deployment options for Decryption Broker? (Choose two)

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)

Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

PBF can address which two scenarios? (Select Two)

An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?

An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

Which three options are supported in HA Lite? (Choose three.)

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?

Before you upgrade a Palo Alto Networks NGFW, what must you do?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?

When overriding a template configuration locally on a firewall, what should you consider?

Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

As a best practice, which URL category should you target first for SSL decryption?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized. Given the size of this environment, which User-ID collection method is sufficient?

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.)

Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?

An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?

An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

Which two features require another license on the NGFW? (Choose two.)

As a best practice, which URL category should you target first for SSL decryption?

You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

Which option is part of the content inspection process?

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?