PCNSE v10 Practice Test

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https //www firewall-do-not-trust-website com Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

When overriding a template configuration locally on a firewall, what should you consider?

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

PBF can address which two scenarios? (Select Two)

How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?

As a best practice, which URL category should you target first for SSL decryption?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Which rule type controls end user SSL traffic to external websites?

To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

Which three statements accurately describe Decryption Mirror? (Choose three.)

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

The UDP-4501 protocol-port is used between which two GlobalProtect components?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:

What are three types of Decryption Policy rules? (Choose three.)

As a best practice, which URL category should you target first for SSL decryption?

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

Match each type of DoS attack to an example of that type of attack

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

In a Panorama template which three types of objects are configurable? (Choose three)

What file type upload is supported as part of the basic WildFire service?

SD-WAN is designed to support which two network topology types? (Choose two.)

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Which option describes the operation of the automatic commit recovery feature?

Which two features require another license on the NGFW? (Choose two.)

What are two valid deployment options for Decryption Broker? (Choose two)

Place the steps in the WildFire process workflow in their correct order. Select and Place:

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

PBF can address which two scenarios? (Choose two.)

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CA). An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are aa above image. The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command: > request restart system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

What are three types of Decryption Policy rules? (Choose three.)

A variable name must start with which symbol?

What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

Which option is part of the content inspection process?

An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www. example-website.com was issued by which of the following?

Which configuration task is best for reducing load on the management plane?

An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

During the packet flow process, which two processes are performed in application identification? (Choose two.)

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

What are two characteristic types that can be defined for a variable? (Choose two)

An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)