PCNSE v10 Practice Test

Match each type of DoS attack to an example of that type of attack

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

Which two features require another license on the NGFW? (Choose two.)

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Which log type would provide information about traffic blocked by a Zone Protection profile?

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.)

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

What are two characteristic types that can be defined for a variable? (Choose two.)

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

PBF can address which two scenarios? (Select Two)

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Place the steps in the WildFire process workflow in their correct order.

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

SD-WAN is designed to support which two network topology types? (Choose two.)

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?

Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

Which CLI command is used to determine how much disk space is allocated to logs?

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

When overriding a template configuration locally on a firewall, what should you consider?

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

Which feature checks Panorama connectivity status after a commit?

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

When setting up a security profile, which three items can you use? (Choose three.)

To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)

An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints. The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue. What must be configured to enable the Connect Before Logon feature?

Which two features require another license on the NGFW? (Choose two.)

In a Panorama template which three types of objects are configurable? (Choose three)

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)

Which rule type controls end user SSL traffic to external websites?

Match each GlobalProtect component to the purpose of that component

You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?

What are two valid deployment options for Decryption Broker? (Choose two)

What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

What is the dependency for users to access services that require authentication?

As a best practice, which URL category should you target first for SSL decryption?

An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

Which two events trigger the operation of automatic commit recovery? (Choose two.)

Which three statements accurately describe Decryption Mirror? (Choose three.)

What file type upload is supported as part of the basic WildFire service?