PCNSE v10 – Cyber Security, Networking, Technology Courses and Blog

Certification Provider: Palo Alto Networks

Exam: Palo Alto Networks Certified Network Security Engineer

Exam Code: PCNSE v10

Total Question: 75

Question per Quiz: 75

Updated On: 10 May 2022

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

performing a factory reset of the firewall

removing the Panorama serial number from the ZTP service

removing the firewall as a managed device in Panorama

performing a local firewall commit

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

the website matches a sensitive category

the web server requires mutual authentication

the website matches a category that is not allowed for most users

the website matches a high-risk category

Which three statements accurately describe Decryption Mirror? (Choose three.)

Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

Only management consent is required to use the Decryption Mirror feature

Decryption Mirror requires a tap interface on the firewall

Decryption, storage, inspection and use of SSL traffic are regulated in certain countries

You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

variables

collector groups

virtual systems

template stacks

Which two features require another license on the NGFW? (Choose two.)

SSL Inbound Inspection

Decryption Mirror

SSL Forward Proxy

Decryption Broker

Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Yes. because the action is set to "allow ''

No because WildFire categorized a file with the verdict "malicious"

No because WildFire classified the seventy as "high."

Yes because the action is set to "alert"

When overriding a template configuration locally on a firewall, what should you consider?

Only Panorama can revert the override

The firewall template will show that it is out of sync within Panorama

Panorama will lose visibility into the overridden configuration

Panorama will update the template with the overridden value

In a Panorama template which three types of objects are configurable? (Choose three)

QoS profiles

interface management profiles

HIP objects

certificate profiles

security profiles

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

10.

During the packet flow process, which two processes are performed in application identification? (Choose two.)

application changed from content inspection

pattern based application identification

application override policy match

session application identified

11.

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

stateful firewall connection

link state

certificates

profiles

12.

Before you upgrade a Palo Alto Networks NGFW, what must you do?

Make sure that the firewall is running a supported version of the app + threat update

Make sure that the PAN-OS support contract is valid for at least another year

Export a device state of the firewall

Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.

13.

Match each type of DoS attack to an example of that type of attack

Volumetric Based SYN Flood Attack

Protocol Based SYN flood Attack

Application Based Slowris

Volumetric Based UDP Flood Attack

14.

An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?

Add the template as a reference template in the device group

Add a firewall to both the device group and the template

Specify the target device as the master device in the device group

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

15.

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

post-logon (always on)

user-logon (always on)

pre-logon then on-demand

certificate-logon

on-demand (manual user initiated connection)

16.

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https //www firewall-do-not-trust-website com Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

Forward-Untrust-Certificate

Forward-Trust-Certificate

Firewall-Trusted-Root-CA

Firewall-CA

17.

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Global

Shared

Universal

Master

18.

An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?

Use the same Forward Trust certificate on all firewalls in the network

Use an enterprise CA-signed certificate for the Forward Untrust certificate

Obtain an enterprise CA-signed certificate for the Forward Trust certificate

Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate

19.

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Disable HIP Profile

Add server IP Security Policy exception

Apply an Application Override

Disable Server Response Inspection

20.

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Clone the security policy and add it to the other device groups

Add the policy in the shared device group as a pre-rule

Add the policy to the target device group and apply a master device to the device group

Reference the targeted device's templates in the target device group

21.

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

incomplete

unknown-udp

unknown-ip

not-applicable

22.

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)

no install on the route

duplicate static route

disabling of the static route

path monitoring on the static route

23.

What are three types of Decryption Policy rules? (Choose three.)

SSL Forward Proxy

SSL Inbound Inspection

Decryption Mirror

SSH Proxy

Decryption Broker

24.

What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

Phase 1 SAs are synchronized over HA1 links

Phase 2 SAs are synchronized over HA2 finks

Phase 1 and Phase 2 SAs are synchronized over HA3 links

Phase 1 and Phase 2 SAs are synchronized over HA2 links

25.

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

certificate authority (CA) certificate

client certificate

certificate profile

server certificate

26.

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

You must enable DoS and zone protection

You must set the interface to Layer 2 Layer 3. or virtual wire

You must use a static IP address

The interface must be used for traffic to the required services

27.

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

machine certificate

server certificate

client certificate

certificate authority (CA) certificate

28.

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

machine certificate

certificate authority (CA) certificate

client certificate

server certificate

29.

An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?

Layer 3 or Aggregate Ethernet interfaces but configuring EIGRP on sub interfaces only

Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

Layer 3 interfaces but configuring EIGRP on the attached virtual router

Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel {with the GlobalProtect License to support LSVPN and EIGRP protocols)

30.

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)

The directory structure must include a /config /content, /software and /license folders

The /config /content and /software folders are mandatory while the /license and /plugin folders are optional

The bootstrap package is stored on an AFS share or a discrete container file bucket

The init-cfg txt and bootstrap.xml files are both optional configuration items for the /config folder

The bootstrap xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.

31.

Which configuration task is best for reducing load on the management plane?

Disable logging on the default deny rule

Disable pre-defined reports

Set the URL filtering action to send alerts

Enable session logging at start

32.

What are two valid deployment options for Decryption Broker? (Choose two)

Transparent Mirror Security Chain

Transparent Bridge Security Chain

Layer 2 Security Chain

Layer 3 Security Chain

33.

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

self-signed CA certificate

wildcard server certificate

client certificate

enterprise CA certificate

34.

The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

action 'reset-server' and packet capture 'disable'

action 'reset-both' and packet capture 'single-packet'

action 'reset-both' and packet capture 'extended-capture'

action 'default' and packet capture 'single-packet'

35.

A variable name must start with which symbol?

36.

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

Enable SSL decryption for source users and known malicious URL categories

Enable SSL decryption for known malicious source IP addresses

Enable SSL decryption for known malicious destination IP addresses

Enable SSL decryption for malicious source users

37.

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption

Allow the firewall to block the sites to improve the security posture

Install the unsupported cipher into the firewall to allow the sites to be decrypted

Create a Security policy to allow access to those sites

38.

In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

HA Sync does not occur the firewall drops the session.

HA Sync occurs the firewall allows the session Put does not decrypt the session.

A Sync does not occur the existing session is transferred to the active firewall.

HA Sync occurs the session is sent to testpath

39.

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

The TCP connection was terminated without identifying any application data

There is not enough application data after the TCP connection was established

The TCP connection did not fully establish

The client sent a TCP segment with the PUSH flag set

There was no application data after the TCP connection was established

40.

Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

link requirements

IP Addresses

branch and hub locations

the name of the ISP

41.

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version.

Upgrade Panorama to a version at or above the target firewall version.

Export the device state, perform the update, and then import the device state.

Perform the Panorama and firewall upgrades simultaneously.

42.

Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

Citrix terminal server agent with adequate data-plane resource

Windows-based User-ID agent on a standalone server

PAN-OS integrated agent

Captive Portal

43.

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

A single transparent bridge security chain is supported per firewall

A single transparent bridge security chain is supported per pair of interface

L3 security chains support up to 32 security chains

L3 security chains support up to 64 security chains

44.

PBF can address which two scenarios? (Select Two)

providing application connectivity the primary circuit fail

routing FTP to a backup ISP link to save bandwidth on the primary ISP link

enabling the firewall to bypass Layer 7 inspection

forwarding all traffic by using source port 78249 to a specific egress interface

45.

An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

A Decryption profile must be attached to the Security policy that the traffic matches

There must be a certificate with both the Forward Trust option and Forward Untrust option selected

A Decryption profile must be attached to the Decryption policy that the traffic matches

There must be a certificate with only the Forward Trust option selected

46.

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Disable config Sync

Disable the HA2 link

Set the passive link state to 'shutdown'

Disable HA

47.

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

A single transparent bridge security chain is supported per pair of interfaces

L3 security chains support up to 64 security chains

A single transparent bridge security chain is supported per firewall

L3 security chains support up to 32 security chains

48.

In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

24 hours

1 to 4 hours

6 to 12 hours

36 hours

49.

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1

Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1

Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1

50.

The UDP-4501 protocol-port is used between which two GlobalProtect components?

GlobalProtect portal and GlobalProtect gateway

GlobalProtect app and GlobalProtect portal

GlobalProtect app and GlobalProtect gateway

GlobalProtect app and GlobalProtect satellite

51.

An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Perform a commit force from the CLI of the firewall.

Reload the running configuration and perform a Firewall local commit.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

Perform a template commit push from Panorama using the "Force Template Values'' option

52.

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

Configure policy-based forwarding

Upgrade to a PAN-OS SD-WAN subscription

Configure a remote network on PAN-OS

Deploy Prisma SD-WAN with Prisma Access

53.

Match each GlobalProtect component to the purpose of that component

54.

When you configure an active/active high availability pair which two links can you use? (Choose two)

Console Backup

HA3

HSCI-C

HA2 backup

55.

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id

172.16.33.33/24 type IPv4 address protocol 0 port 0."

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Check whether the VPN peer on one end is set up correctly using policy-based VPN.

56.

57.

As a best practice, which URL category should you target first for SSL decryption?

Financial Services

High Risk

Health and Medicine

Online Storage and Backup

58.

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?

WildFire and Threat Prevention combine to provide the utmost security posture for the firewall

After 24 hours WildFire signatures are included in the antivirus update

WildFire and Threat Prevention combine to minimize the attack surface

Protection against unknown malware can be provided in near real-time

59.

Which option is part of the content inspection process?

SSL Proxy re-encrypt

Packet forwarding process

IPsec tunnel encryption

Packet egress process

60.

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

Destination Zone

Source Interface

Custom URL Category

User-ID

App-ID

61.

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CA). An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system )
Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
Enterprise-intermediate-CA
Enterprise-Root-CA which is verified only as Trusted Root CA

Enterprise-Trusted-CA which is a self-signed CA

Enterprise-Root-CA which is a self-signed CA

Enterprise-Untrusted-CA which is a self-signed CA

Enterprise-intermediate-CA which was. in turn, issued by Enterprise-Root-CA

62.

Place the steps in the WildFire process workflow in their correct order.

63.

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

the web server requires mutual authentication

the website matches a sensitive category

the website matches a category that is not allowed for most users

the website matches a high-risk category

64.

What are two characteristic types that can be defined for a variable? (Choose two)

IP netmask

FQDN

path group

zone

65.

An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

No service route is configured on the firewalls to Palo Alto Networks update servers

Panorama does not have valid licenses to push the dynamic updates

Locally-defined dynamic update settings take precedence over the settings that Panorama pushed

Panorama has no connection to Palo Alto Networks update servers

66.

Which rule type controls end user SSL traffic to external websites?

SSL Inbound Inspection

SSL Outbound Proxyless Inspection

SSH Proxy

SSL Forward Proxy

67.

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

File Blocking profiles applied to outbound security policies with action set to alert

Antivirus profiles applied to outbound security policies with action set to alert

Vulnerability Protection profiles applied to outbound security policies with action set to block

Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole

68.

What are three reasons for excluding a site from SSL decryption? (Choose three.)

the website is not present in English

unsupported ciphers

mutual authentication

certificate pinning

unsupported browser version

69.

Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

70.

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

LDAP Server Profile configuration

Windows-based User-ID agent

GlobalProtect

PAN-OS integrated User-ID agent

71.

Which three options are supported in HA Lite? (Choose three.)

Active/passive deployment

Virtual link

Session synchronization

Configuration synchronization

Synchronization of IPsec security associations

72.

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

Rule Usage Hit counter will reset.

Rule Usage Hit counter will not be reset

Highlight Unused Rules will highlight all rules.

Highlight Unused Rules will highlight zero rules.

73.

Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

Configure the management interface as HA2 Backup

Configure Ethernet 1/1 as HA1 Backup

Configure the management interface as HA1 Backup

Configure the management interface as HA3 Backup

Configure Ethernet 1/1 as HA2 Backup

74.

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

Layer 3 security chain

Layer 2 security chain

Transparent Proxy security chain

Transparent Bridge security chain

75.

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

Upgrade one major version at a time

Upgrade directly to the target major version

Upgrade two major versions at a time

Upgrade one major version at a time