Certification Provider:Â Palo Alto Networks
Exam: Palo Alto Networks Certified Network Security Engineer
Exam Code: PCNSE v10
Total Question: 120
Question per Quiz: 75
Updated On: 23 July 2022
1.
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
2.
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
3.
Before you upgrade a Palo Alto Networks NGFW, what must you do?
4.
When setting up a security profile, which three items can you use? (Choose three.)
5.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)
6.
Which three statements accurately describe Decryption Mirror? (Choose three.)
7.
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
8.
When overriding a template configuration locally on a firewall, what should you consider?
9.
PBF can address which two scenarios? (Select Two)
10.
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)
11.
Which two events trigger the operation of automatic commit recovery? (Choose two.)
12.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
13.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)
14.
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)
15.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
16.
Match each type of DoS attack to an example of that type of attack
17.
During the packet flow process, which two processes are performed in application identification? (Choose two.)
18.
Place the steps in the WildFire process workflow in their correct order.
19.
What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?
20.
Match each GlobalProtect component to the purpose of that component
21.
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?
22.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?
23.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
24.
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?
25.
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )
26.
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)
27.
What are three types of Decryption Policy rules? (Choose three.)
28.
Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:
29.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
30.
Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
31.
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
32.
Which two features require another license on the NGFW? (Choose two.)
33.
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
34.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)
35.
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CA). An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?
- Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system )
- Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
- Enterprise-intermediate-CA
- Enterprise-Root-CA which is verified only as Trusted Root CA
36.
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
37.
An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?
38.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
39.
When you configure an active/active high availability pair which two links can you use? (Choose two)
40.
What are three reasons for excluding a site from SSL decryption? (Choose three.)
41.
Which option is part of the content inspection process?
42.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
43.
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)
44.
Panorama provides which two SD-WAN functions? (Choose two.)
45.
What are three reasons for excluding a site from SSL decryption? (Choose three.)
46.
Place the steps in the WildFire process workflow in their correct order. Select and Place:
47.
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
48.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
49.
An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?
50.
Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?
51.
Which rule type controls end user SSL traffic to external websites?
52.
Which three items are import considerations during SD-WAN configuration planning? (Choose three.)
53.
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)
54.
PBF can address which two scenarios? (Choose two.)
55.
As a best practice, which URL category should you target first for SSL decryption?
56.
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www. example-website.com was issued by which of the following?
57.
What are two valid deployment options for Decryption Broker? (Choose two)
58.
An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?
59.
An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
60.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?
61.
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
62.
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour's routing table. Which two configurations should you check on the firewall? (Choose two.)
63.
In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?
64.
SD-WAN is designed to support which two network topology types? (Choose two.)
65.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
66.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
67.
An administrator receives the following error message. How should the administrator identify the root cause of this error message?
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
68.
What are three types of Decryption Policy rules? (Choose three.)
69.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
70.
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. Select and Place:
71.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
72.
Which three statements accurately describe Decryption Mirror? (Choose three.)
73.
What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)
74.
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are aa above image. The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command: > request restart system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:
75.
An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?