Certification Provider: Palo Alto Networks
Exam: Palo Alto Networks Certified Network Security Engineer (PCNSE)
Exam Code: PCNSE v10
Total Question: 181
Question per Quiz: 75
Updated On: 20 April 2023
Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.
1.
Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:
2.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)
3.
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
4.
You have upgraded your Panorama with Log Collectors to 10.2. Before upgrading your firewalls using Panorama, what do you need do?
5.
A firewall has Security policies from three sources: 1. locally created policies 2. shared device group policies as pre-rules 3. the firewall's device group as post-rules. How will the rule order populate once pushed to the firewall?
6.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
7.
WildFire will submit for analysis blocked files that match which profile settings?
8.
A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?
9.
An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?
10.
Which statement accurately describes service routes and virtual systems?
11.
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?
12.
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour's routing table. Which two configurations should you check on the firewall? (Choose two.)
13.
When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?
14.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
15.
What are two valid deployment options for Decryption Broker? (Choose two)
16.
A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?
17.
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
18.
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?
19.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
20.
An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)
21.
Which three options are supported in HA Lite? (Choose three.)
22.
Which CLI command is used to determine how much disk space is allocated to logs?
23.
A variable name must start with which symbol?
24.
An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?
25.
Which two features require another license on the NGFW? (Choose two.)
26.
Before you upgrade a Palo Alto Networks NGFW, what must you do?
27.
An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?
28.
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?
29.
As a best practice, which URL category should you target first for SSL decryption?
30.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)
31.
When you configure an active/active high availability pair, which two links can you use? (Choose two.)
32.
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?
33.
What is the dependency for users to access services that require authentication?
34.
Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?
35.
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
36.
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
37.
An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?
38.
PBF can address which two scenarios? (Choose two.)
39.
An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
40.
What are two best practices for incorporating new and modified App-IDs? (Choose two.)
41.
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
42.
An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)
43.
When setting up a security profile, which three items can you use? (Choose three.)
44.
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:
45.
A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?
46.
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?
47.
PBF can address which two scenarios? (Select Two)
48.
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?
49.
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
50.
What are two characteristic types that can be defined for a variable? (Choose two.)
51.
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?
52.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization?
53.
During the packet flow process, which two processes are performed in application identification? (Choose two.)
54.
Place the steps in the WildFire process workflow in their correct order. Select and Place:
55.
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?
56.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
57.
An administrator receives the following error message. How should the administrator identify the root cause of this error message?
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
58.
Which feature checks Panorama connectivity status after a commit?
59.
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
60.
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?
61.
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?
62.
Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
63.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?
64.
Which configuration task is best for reducing load on the management plane?
65.
In a security-first network what is the recommended threshold value for content updates to be dynamically updated?
66.
Which three items are import considerations during SD-WAN configuration planning? (Choose three.)
67.
The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?
68.
An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
69.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
70.
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
71.
An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?
72.
An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?
73.
In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?
74.
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
75.
Panorama provides which two SD-WAN functions? (Choose two.)