Certification Provider: Palo Alto Networks
Exam: Palo Alto Networks Certified Network Security Engineer (PCNSE)
Exam Code: PCNSE v10
Total Questions: 181
Questions per Quiz: 75
Updated On: 20 April 2023
Note: To practice all the Q/As, you have to take the quiz multiple times. Questions and answers are presented randomly and will help you get hands-on practice for the real exam.
1.
Refer to the exhibit. An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
2.
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)
3.
What are two best practices for incorporating new and modified App-IDs? (Choose two.)
4.
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
5.
Which two features require another license on the NGFW? (Choose two.)
6.
Given the following snippet of a WildFire submission log, did the end user get access to the requested information, and why or why not?
7.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
8.
When overriding a template configuration locally on a firewall, what should you consider?
9.
Which CLI command is used to determine how much disk space is allocated to logs?
10.
What is the dependency for users to access services that require authentication?
11.
In a security-first network what is the recommended threshold value for content updates to be dynamically updated?
12.
Which statement accurately describes service routes and virtual systems?
13.
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
14.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?
15.
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:
16.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)
17.
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?
18.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
19.
An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?
20.
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
21.
WildFire will submit for analysis blocked files that match which profile settings?
22.
Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized. Given the size of this environment, which User-ID collection method is sufficient?
23.
The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?
24.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization?
25.
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
26.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
27.
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?
28.
When you navigate to Network > GlobalProtect > Portals > Method section, which three options are available? (Choose three)
29.
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
30.
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
31.
As a best practice, which URL category should you target first for SSL decryption?
32.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
33.
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
34.
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
35.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
36.
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?
37.
Which log type would provide information about traffic blocked by a Zone Protection profile?
38.
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
39.
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?
40.
When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with Palo Alto Networks best practices. What should you recommend?
41.
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
42.
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:
43.
An administrator receives the following error message. How should the administrator identify the root cause of this error message?
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."
44.
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow?
45.
Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?
46.
What are three types of Decryption Policy rules? (Choose three.)
47.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
48.
Which GlobalProtect component must be configured to enable Clientless VPN?
49.
What are two characteristic types that can be defined for a variable? (Choose two)
50.
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?
51.
An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?
52.
SD-WAN is designed to support which two network topology types? (Choose two.)
53.
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP routing between the two environments is required. Which interface type would support this business requirement?
54.
Panorama provides which two SD-WAN functions? (Choose two.)
55.
Place the steps in the WildFire process workflow in their correct order.
56.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization?
57.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
58.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
59.
Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)
60.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
61.
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?
62.
An engineer has been given approval to upgrade their environment to PAN-OS 10.2. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?
63.
An existing NGFW customer requires direct internet access offload locally at each site and IPsec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?
64.
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
65.
Which two events trigger the operation of automatic commit recovery? (Choose two.)
66.
Which rule type controls end user SSL traffic to external websites?
67.
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)
68.
Which three statements accurately describe Decryption Mirror? (Choose three.)
69.
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
70.
What are three reasons for excluding a site from SSL decryption? (Choose three.)
71.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces? (Choose two)
72.
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
73.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
74.
How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?
75.
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)