PCNSE v10

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Which statement accurately describes service routes and virtual systems?

What file type upload is supported as part of the basic WildFire service?

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

Which option is part of the content inspection process?

Which three statements accurately describe Decryption Mirror? (Choose three.)

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?

Which configuration is backed up using the Scheduled Config Export feature in Panorama?

WildFire will submit for analysis blocked files that match which profile settings?

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour's routing table. Which two configurations should you check on the firewall? (Choose two.)

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?

Which option describes the operation of the automatic commit recovery feature?

As a best practice, which URL category should you target first for SSL decryption?

An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)

Match each GlobalProtect component to the purpose of that component

Place the steps in the WildFire process workflow in their correct order. Select and Place:

Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

When you configure an active/active high availability pair which two links can you use? (Choose two)

An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)

Which three options are supported in HA Lite? (Choose three.)

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?

An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?

In a Panorama template which three types of objects are configurable? (Choose three)

PBF can address which two scenarios? (Choose two.)

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

Panorama provides which two SD-WAN functions? (Choose two.)

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

Which three statements accurately describe Decryption Mirror? (Choose three.)

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

Which rule type controls end user SSL traffic to external websites?

A firewall has Security policies from three sources: 1. locally created policies 2. shared device group policies as pre-rules 3. the firewall's device group as post-rules. How will the rule order populate once pushed to the firewall?

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

What are two valid deployment options for Decryption Broker? (Choose two)

Which feature checks Panorama connectivity status after a commit?

An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Which statement about High Availability timer settings is true?

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)

An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

An engineer has been given approval to upgrade their environment 10 PAN-OS 10.2. The environment consists of both physical and virtual firewalls a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?

How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www. example-website.com was issued by which of the following?

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

The UDP-4501 protocol-port is used between which two GlobalProtect components?

Match each type of DoS attack to an example of that type of attack

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?

Which two events trigger the operation of automatic commit recovery? (Choose two.)

Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?