PCNSE v10 Practice Test

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

A firewall has Security policies from three sources: 1. locally created policies 2. shared device group policies as pre-rules 3. the firewall's device group as post-rules. How will the rule order populate once pushed to the firewall?

What are two characteristic types that can be defined for a variable? (Choose two.)

WildFire will submit for analysis blocked files that match which profile settings?

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

Which statement about High Availability timer settings is true?

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

What is the dependency for users to access services that require authentication?

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

What are three reasons for excluding a site from SSL decryption? (Choose three.)

An engineer is bootstrapping a VM-Series Firewall other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

What are three reasons for excluding a site from SSL decryption? (Choose three.)

SD-WAN is designed to support which two network topology types? (Choose two.)

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

What are three types of Decryption Policy rules? (Choose three.)

The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

Which option describes the operation of the automatic commit recovery feature?

When setting up a security profile, which three items can you use? (Choose three.)

An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

What are three types of Decryption Policy rules? (Choose three.)

An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?

In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

Which three statements accurately describe Decryption Mirror? (Choose three.)

PBF can address which two scenarios? (Choose two.)

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)

An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

Panorama provides which two SD-WAN functions? (Choose two.)

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:

In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

In a Panorama template which three types of objects are configurable? (Choose three)

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

When overriding a template configuration locally on a firewall, what should you consider?

The UDP-4501 protocol-port is used between which two GlobalProtect components?

What are two valid deployment options for Decryption Broker? (Choose two)

Which CLI command is used to determine how much disk space is allocated to logs?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?