Certification Provider: Palo Alto Networks
Exam: Palo Alto Networks Certified Network Security Engineer (PCNSE)
Exam Code: PCNSE v10
Total Question: 181
Question per Quiz: 75
Updated On: 20 April 2023
Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.
1.
An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)
2.
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
3.
Which three statements accurately describe Decryption Mirror? (Choose three.)
4.
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
5.
Which log type would provide information about traffic blocked by a Zone Protection profile?
6.
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
7.
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?
8.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
9.
What are two best practices for incorporating new and modified App-IDs? (Choose two.)
10.
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?
11.
In a security-first network what is the recommended threshold value for content updates to be dynamically updated?
12.
What are three types of Decryption Policy rules? (Choose three.)
13.
An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?
14.
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?
15.
An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?
16.
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
17.
When you configure an active/active high availability pair which two links can you use? (Choose two)
18.
An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?
19.
What are two valid deployment options for Decryption Broker? (Choose two)
20.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
21.
Match each type of DoS attack to an example of that type of attack
22.
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)
23.
An engineer must configure a new SSL decryption deployment Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
24.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
25.
What is the dependency for users to access services that require authentication?
26.
Before you upgrade a Palo Alto Networks NGFW, what must you do?
27.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)
28.
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
29.
PBF can address which two scenarios? (Choose two.)
30.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
31.
During the packet flow process, which two processes are performed in application identification? (Choose two.)
32.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)
33.
An administrator receives the following error message. How should the administrator identify the root cause of this error message?
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
34.
An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
35.
Which rule type controls end user SSL traffic to external websites?
36.
Which CLI command is used to determine how much disk space is allocated to logs?
37.
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)
38.
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?
39.
Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
40.
Which three statements accurately describe Decryption Mirror? (Choose three.)
41.
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?
42.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?
43.
What is a correct statement regarding administrative authentication using external services with a local authorization method?
44.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?
45.
SD-WAN is designed to support which two network topology types? (Choose two.)
46.
In a Panorama template which three types of objects are configurable? (Choose three)
47.
When setting up a security profile, which three items can you use? (Choose three.)
48.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
49.
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )
50.
The UDP-4501 protocol-port is used between which two GlobalProtect components?
51.
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)
52.
An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?
53.
An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?
54.
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
55.
What are three reasons for excluding a site from SSL decryption? (Choose three.)
56.
When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?
57.
Which GlobalProtect component must be configured to enable Clientless VPN?
58.
As a best practice, which URL category should you target first for SSL decryption?
59.
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)
60.
An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.)
61.
Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?
62.
Which two features require another license on the NGFW? (Choose two.)
63.
An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?
64.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
65.
An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?
66.
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)
67.
How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?
68.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)
69.
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?
70.
A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?
71.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
72.
What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)
73.
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www. example-website.com was issued by which of the following?
74.
A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?
75.
What file type upload is supported as part of the basic WildFire service?