PCNSE v10 Practice Test

Panorama provides which two SD-WAN functions? (Choose two.)

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

What are three reasons for excluding a site from SSL decryption? (Choose three.)

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

Which two events trigger the operation of automatic commit recovery? (Choose two.)

What are three reasons for excluding a site from SSL decryption? (Choose three.)

An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?

Which statement about High Availability timer settings is true?

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

PBF can address which two scenarios? (Select Two)

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

What are three types of Decryption Policy rules? (Choose three.)

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

As a best practice, which URL category should you target first for SSL decryption?

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

Before you upgrade a Palo Alto Networks NGFW, what must you do?

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

Match each type of DoS attack to an example of that type of attack

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

The UDP-4501 protocol-port is used between which two GlobalProtect components?

A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?

What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?

Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Which configuration task is best for reducing load on the management plane?

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Which two features require another license on the NGFW? (Choose two.)

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

Which feature checks Panorama connectivity status after a commit?

Which three statements accurately describe Decryption Mirror? (Choose three.)

Which statement accurately describes service routes and virtual systems?

An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

Place the steps in the WildFire process workflow in their correct order.

Which configuration is backed up using the Scheduled Config Export feature in Panorama?

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization?