Certification Provider:Â Palo Alto Networks
Exam: Palo Alto Networks Certified Network Security Engineer (PCNSE)
Exam Code: PCNSE v10
Total Question: 181
Question per Quiz: 75
Updated On: 20 April 2023
Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.
1.
Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)
2.
An administrator receives the following error message. How should the administrator identify the root cause of this error message?
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
3.
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )
4.
A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?
5.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)
6.
In a Panorama template which three types of objects are configurable? (Choose three)
7.
An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.)
8.
Which configuration task is best for reducing load on the management plane?
9.
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?
10.
An engineer has been given approval to upgrade their environment 10 PAN-OS 10.2. The environment consists of both physical and virtual firewalls a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?
11.
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
12.
An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?
13.
What are two valid deployment options for Decryption Broker? (Choose two)
14.
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)
15.
Which two features require another license on the NGFW? (Choose two.)
16.
Which three statements accurately describe Decryption Mirror? (Choose three.)
17.
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
18.
An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)
19.
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?
20.
Before you upgrade a Palo Alto Networks NGFW, what must you do?
21.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
22.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)
23.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
24.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
25.
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
26.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
27.
An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department. Which dynamic role does the administrator assign to the new-hire colleague?
28.
When overriding a template configuration locally on a firewall, what should you consider?
29.
When you configure an active/active high availability pair, which two links can you use? (Choose two.)
30.
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)
31.
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
32.
A firewall has Security policies from three sources: 1. locally created policies 2. shared device group policies as pre-rules 3. the firewall's device group as post-rules. How will the rule order populate once pushed to the firewall?
33.
An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
34.
An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?
35.
An engineer is bootstrapping a VM-Series Firewall other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
36.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
37.
Place the steps in the WildFire process workflow in their correct order.
38.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
39.
What are three types of Decryption Policy rules? (Choose three.)
40.
An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
41.
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?
42.
An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
43.
An administrator receives the following error message. How should the administrator identify the root cause of this error message?
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
44.
Which three statements accurately describe Decryption Mirror? (Choose three.)
45.
An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
46.
Match each GlobalProtect component to the purpose of that component
47.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
48.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
49.
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
50.
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
51.
A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?
52.
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:
53.
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?
54.
Which two features require another license on the NGFW? (Choose two.)
55.
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)
56.
Which statement accurately describes service routes and virtual systems?
57.
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?
58.
An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)
59.
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?
60.
An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?
61.
Match each type of DoS attack to an example of that type of attack
62.
Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
63.
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?
64.
Which feature checks Panorama connectivity status after a commit?
65.
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?
66.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
67.
A variable name must start with which symbol?
68.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?
69.
Place the steps in the WildFire process workflow in their correct order. Select and Place:
70.
Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?
71.
Which log type would provide information about traffic blocked by a Zone Protection profile?
72.
An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)
73.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?
74.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization?
75.
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?