PCNSE v10

Which CLI command is used to determine how much disk space is allocated to logs?

You have upgraded your Panorama with Log Collectors to 10.2. Before upgrading your firewalls using Panorama, what do you need do?

Before you upgrade a Palo Alto Networks NGFW, what must you do?

PBF can address which two scenarios? (Select Two)

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

WildFire will submit for analysis blocked files that match which profile settings?

An engineer has been given approval to upgrade their environment 10 PAN-OS 10.2. The environment consists of both physical and virtual firewalls a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

Which statement accurately describes service routes and virtual systems?

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

Which feature checks Panorama connectivity status after a commit?

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

SD-WAN is designed to support which two network topology types? (Choose two.)

An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized. Given the size of this environment, which User-ID collection method is sufficient?

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?

An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

In a Panorama template which three types of objects are configurable? (Choose three)

A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

PBF can address which two scenarios? (Choose two.)

What are three types of Decryption Policy rules? (Choose three.)

An engineer is bootstrapping a VM-Series Firewall other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

Which two features require another license on the NGFW? (Choose two.)

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?

In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Which three options are supported in HA Lite? (Choose three.)

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

Which statement about High Availability timer settings is true?

Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

An administrator receives the following error message. How should the administrator identify the root cause of this error message?

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

What are two characteristic types that can be defined for a variable? (Choose two)

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?

As a best practice, which URL category should you target first for SSL decryption?

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www. example-website.com was issued by which of the following?

Which GlobalProtect component must be configured to enable Clientless VPN?

How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?

Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

Match each GlobalProtect component to the purpose of that component

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?

A variable name must start with which symbol?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?

What is the dependency for users to access services that require authentication?

A firewall has Security policies from three sources: 1. locally created policies 2. shared device group policies as pre-rules 3. the firewall's device group as post-rules. How will the rule order populate once pushed to the firewall?

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)