PCNSE v10

An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www. example-website.com was issued by which of the following?

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?

What are two valid deployment options for Decryption Broker? (Choose two)

An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Which option describes the operation of the automatic commit recovery feature?

What are three reasons for excluding a site from SSL decryption? (Choose three.)

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

Which two events trigger the operation of automatic commit recovery? (Choose two.)

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

What are three types of Decryption Policy rules? (Choose three.)

PBF can address which two scenarios? (Select Two)

What are two characteristic types that can be defined for a variable? (Choose two)

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?

The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?

A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?

In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

What are two characteristic types that can be defined for a variable? (Choose two.)

An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?

During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints. The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue. What must be configured to enable the Connect Before Logon feature?

An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

What file type upload is supported as part of the basic WildFire service?

PBF can address which two scenarios? (Choose two.)

Match each type of DoS attack to an example of that type of attack

Match each GlobalProtect component to the purpose of that component

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)

In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?

Which three statements accurately describe Decryption Mirror? (Choose three.)

Which CLI command is used to determine how much disk space is allocated to logs?

When setting up a security profile, which three items can you use? (Choose three.)

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

During the packet flow process, which two processes are performed in application identification? (Choose two.)

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?

Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

Place the steps in the WildFire process workflow in their correct order. Select and Place:

The UDP-4501 protocol-port is used between which two GlobalProtect components?

An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

An engineer is bootstrapping a VM-Series Firewall other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?

Which two features require another license on the NGFW? (Choose two.)

Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to: