Certification Provider:Â Palo Alto Networks
Exam: Palo Alto Networks Certified Network Security Engineer (PCNSE)
Exam Code: PCNSE v10
Total Question: 181
Question per Quiz: 75
Updated On: 20 April 2023
Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.
1.
You have upgraded your Panorama with Log Collectors to 10.2. Before upgrading your firewalls using Panorama, what do you need do?
2.
A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?
3.
Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?
4.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
5.
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
6.
A variable name must start with which symbol?
7.
What are two valid deployment options for Decryption Broker? (Choose two)
8.
What is the dependency for users to access services that require authentication?
9.
An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?
10.
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
11.
Which statement accurately describes service routes and virtual systems?
12.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?
13.
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
14.
What are two characteristic types that can be defined for a variable? (Choose two.)
15.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
16.
A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices. What should the administrator implement?
17.
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?
18.
As a best practice, which URL category should you target first for SSL decryption?
19.
When setting up a security profile, which three items can you use? (Choose three.)
20.
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:
21.
An administrator receives the following error message. How should the administrator identify the root cause of this error message?
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id
172.16.33.33/24 type IPv4 address protocol 0 port 0."
22.
An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices?
23.
What is a correct statement regarding administrative authentication using external services with a local authorization method?
24.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
25.
An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)
26.
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)
27.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization?
28.
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?
29.
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?
30.
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the Web Ul? (Choose two )
31.
When overriding a template configuration locally on a firewall, what should you consider?
32.
What are three types of Decryption Policy rules? (Choose three.)
33.
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?
34.
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
35.
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?
36.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)?
37.
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www. example-website.com was issued by which of the following?
38.
Match each type of DoS attack to an example of that type of attack
39.
Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?
40.
What are two best practices for incorporating new and modified App-IDs? (Choose two.)
41.
What file type upload is supported as part of the basic WildFire service?
42.
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)
43.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
44.
During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints. The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue. What must be configured to enable the Connect Before Logon feature?
45.
What are three types of Decryption Policy rules? (Choose three.)
46.
An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)
47.
What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)
48.
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)
49.
How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?
50.
Which two features require another license on the NGFW? (Choose two.)
51.
An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
52.
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
53.
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
54.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
55.
Which two events trigger the operation of automatic commit recovery? (Choose two.)
56.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
57.
Match each GlobalProtect component to the purpose of that component
58.
The UDP-4501 protocol-port is used between which two GlobalProtect components?
59.
What are three reasons for excluding a site from SSL decryption? (Choose three.)
60.
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?
61.
An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?
62.
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
63.
In an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?
64.
Which three options are supported in HA Lite? (Choose three.)
65.
An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration?
66.
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
67.
An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?
68.
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?
69.
Which option is part of the content inspection process?
70.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)
71.
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?
72.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)
73.
An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department. Which dynamic role does the administrator assign to the new-hire colleague?
74.
In a Panorama template which three types of objects are configurable? (Choose three)
75.
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?