Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Exam Practice Test

Demo: 100 questions
Total 334 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Question 1

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

Options:

A.

TCP Fast Open in the Strip TCP options

B.

Ethernet SGT Protection

C.

Stream ID in the IP Option Drop options

D.

Record Route in IP Option Drop options

Question 2

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Question 3

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

Options:

A.

TAP

B.

Layer 2

C.

Layer 3

D.

Virtual Wire

Question 4

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Device Group and Template Admin

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Dynamic Read-only Superuser

D.

Create a Custom Panorama Admin

Question 5

Which two components are required to configure certificate-based authentication to the web Ul when an administrator needs firewall access on a trusted interface'? (Choose two.)

Options:

A.

Server certificate

B.

SSL/TLS Service Profile

C.

Certificate Profile

D.

CA certificate

Question 6

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

Options:

A.

A service route to the LDAP server

B.

A Master Device

C.

Authentication Portal

D.

A User-ID agent on the LDAP server

Question 7

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

Options:

A.

The PanGPS process failed to connect to the PanGPA process on port 4767

B.

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.

The PanGPA process failed to connect to the PanGPS process on port 4767

D.

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Question 8

ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

Options:

A.

1 to 4 hours

B.

6 to 12 hours

C.

24 hours

D.

36 hours

Question 9

PBF can address which two scenarios? (Choose two.)

Options:

A.

Routing FTP to a backup ISP link to save bandwidth on the primary ISP link

B.

Providing application connectivity the primary circuit fails

C.

Enabling the firewall to bypass Layer 7 inspection

D.

Forwarding all traffic by using source port 78249 to a specific egress interface

Question 10

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

Options:

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

Question 11

Please match the terms to their corresponding definitions.

Options:

Question 12

Which operation will impact the performance of the management plane?

Options:

A.

Decrypting SSL sessions

B.

Generating a SaaS Application report

C.

Enabling DoS protection

D.

Enabling packet buffer protection

Question 13

An administrator wants to configure the Palo Alto Networks Windows User-D agent to map IP addresses to u: ‘The company uses four Microsoft Active ‘servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory in 192.168.28.22/128, and the Microsoft Exchange reside in 192,168.28 48/28. What the 0 the User

Options:

A.

network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.40/28 Exchange

B.

network 192.188 28 32/27 with server type Microsoft

C.

one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers

D.

the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers

Question 14

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)

Options:

A.

HTTPS

B.

SSH

C.

Permitted IP Addresses

D.

HTTP

E.

User-IO

Question 15

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

Options:

A.

Check dependencies

B.

Schedules

C.

Verify

D.

Revert content

E.

Install

Question 16

A firewall engineer is configuring quality of service (OoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

Which combination of pre-NAT and / or post-NAT information should be used in the QoS rule?

Options:

A.

Post-NAT source IP address Pre-NAT source zone

B.

Post-NAT source IP address Post-NAT source zone

C.

Pre-NAT source IP address Post-NAT source zone

D.

Pre-NAT source IP address Pre-NAT source zone

Question 17

Which two actions can the administrative role called "vsysadmin" perform? (Choose two)

Options:

A.

Configure resource limits for the NGFW system

B.

Commit changes made to the candidate configuration of the assigned vsys

C.

Create and edit Security policies and security profiles for only the assigned vsys

D.

Configure interfaces and subinterfaces that exist in the assigned vsys

Question 18

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

Options:

A.

Click Session Browser and review the session details.

B.

Click Traffic view and review the information in the detailed log view.

C.

Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.

D.

Click App Scope > Network Monitor and filter the report for NAT rules.

Question 19

Review the screenshots.

What is the most likely reason for this decryption error log?

Options:

A.

The Certificate fingerprint could not be found.

B.

The client expected a certificate from a different CA than the one provided.

C.

The client received a CA certificate that has expired or is not valid.

D.

Entrust is not a trusted root certificate authority (CA).

Question 20

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

Options:

A.

Perform a commit force from the CLI of the firewall.

B.

Perform a template commit push from Panorama using the "Force Template Values" option.

C.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

D.

Reload the running configuration and perform a Firewall local commit.

Question 21

A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns'? (Choose two.)

Options:

A.

Traffic logs

B.

Data filtering logs

C.

Policy Optimizer

D.

Wireshark

Question 22

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

Options:

A.

A User-ID Certificate profile must be configured on Panorama.

B.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings.

D.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured.

Question 23

What are three prerequisites for credential phishing prevention to function? (Choose three.)

Options:

A.

In the URL filtering profile, use the drop-down list to enable user credential detection.

B.

Enable Device-ID in the zone.

C.

Select the action for Site Access for each category.

D.

Add the URL filtering profile to one or more Security policy rules.

E.

Set phishing category to block in the URL Filtering profile.

Question 24

Which CLI command displays the physical media that are connected to ethernet1/8?

Options:

A.

> show system state filter-pretty sys.si. p8. stats

B.

> show system state filter-pretty sys.sl.p8.phy

C.

> show system state filter-pretty sys.sl.p8.med

D.

> show interface ethernet1/8

Question 25

An engineer needs to collect User-ID mappings from the company’s existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)

Options:

A.

Client Probing

B.

Syslog

C.

Server Monitoring

D.

XFF Headers

Question 26

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

Options:

A.

Encryption algorithm

B.

Number of security zones in decryption policies

C.

TLS protocol version

D.

Number of blocked sessions

Question 27

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

Options:

A.

NTP Server Address

B.

Antivirus Profile

C.

Authentication Profile

D.

Service Route Configuration

E.

Dynamic Address Groups

Question 28

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

Options:

A.

Use the "import device configuration to Panorama" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

B.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

C.

Use the "import device configuration to Panorama" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

D.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

Question 29

All firewall at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a sylog server and forward all firewall logs to the syslog server and to the log collectors. There is known logging peak time during the day, and the security team has asked the firewall engineer to determined how many logs per second the current Palo Alto Networking log processing at that particular time. Which method is the most time-efficient to complete this task?

Options:

A.

Navigate to Panorama > Managed Collectors, and open the Statistics windows for each Log Collector during the peak time.

B.

Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.

C.

Navigate to Panorama> Managed Devices> Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

D.

Navigate to ACC> Network Activity, and determine the total number of sessions and threats during the peak time.

Question 30

Which translated port number should be used when configuring a NAT rule for a transparent proxy?

Options:

A.

80

B.

443

C.

8080

D.

4443

Question 31

Which new PAN-OS 11.0 feature supports IPv6 traffic?

Options:

A.

DHCPv6 Client with Prefix Delegation

B.

OSPF

C.

DHCP Server

D.

IKEv1

Question 32

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?

Options:

A.

Ping interval of 200 ms and ping count of three failed pings

B.

Ping interval of 5000 ms and ping count of 10 failed pings

C.

Ping interval of 200 ms and ping count of 10 failed pings

D.

Ping interval of 5000 ms and ping count of three failed pings

Question 33

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

Options:

A.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

D.

It keeps trying to establish an IPSec tun£el to the GlobalProtect gateway.

Question 34

What is the best description of the Cluster Synchronization Timeout (min)?

Options:

A.

The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

D.

The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

Question 35

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

Options:

A.

Initial

B.

Tentative

C.

Passive

D.

Active-secondary

Question 36

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

Options:

A.

Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.

B.

Use the highest TLS protocol version to maximize security.

C.

Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

D.

Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

Question 37

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Options:

A.

Proxy IDs

B.

GRE Encapsulation

C.

Tunnel Monitor

D.

ToS Header

Question 38

Which rule type controls end user SSL traffic to external websites?

Options:

A.

SSL Outbound Proxyless Inspection

B.

SSL Forward Proxy

C.

SSH Proxy

D.

SSL Inbound Inspection

Question 39

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

Options:

A.

Windows User-ID agent

B.

GlobalProtect

C.

XMLAPI

D.

External dynamic list

E.

Dynamic user groups

Question 40

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?

Options:

A.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. * Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source HIP profile. Enable GlobalProtect Gateway Agent for HIP Notification.

B.

Create Security Profiles for Antivirus and Anti-Spyware.

Create Security Profile Group that includes the Antivirus and Anti-Spyware profiles. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Gateway Agent for HIP Notification.

C.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Portal Agent for HIP Notification.

D.

Create Security Profiles for Antivirus and Anti-Spyware.

Create Security Profile Group that includes the Antivirus and Anti-Spyware profile. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that has the Profile Setting. Profile Type selected to Group. Enable GlobalProtect Portal Agent for HIP Notification.

Question 41

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

Options:

A.

Powershell scripts

B.

VBscripts

C.

MS Office

D.

APK

E.

ELF

Question 42

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?

Options:

A.

test vpn ike-sa

B.

test vpn gateway

C.

test vpn flow

D.

test vpn tunnel

Question 43

Which statement about High Availability timer settings is true?

Options:

A.

Use the Critical timer for faster failover timer settings.

B.

Use the Aggressive timer for faster failover timer settings

C.

Use the Moderate timer for typical failover timer settings

D.

Use the Recommended timer for faster failover timer settings.

Question 44

What happens when the log forwarding built-in action with tagging is used?

Options:

A.

Destination IP addresses of selected unwanted traffic are blocked. *

B.

Selected logs are forwarded to the Azure Security Center.

C.

Destination zones of selected unwanted traffic are blocked.

D.

Selected unwanted traffic source zones are blocked.

Question 45

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?

Options:

A.

Create a Group Mapping for the GlobalProtect Group.

B.

Enable Captive Portal on the expected source interfaces.

C.

Add the users to the proper Dynamic User Group.

D.

Enable User-ID on the expected trusted zones.

Question 46

In a template, which two objects can be configured? (Choose two.)

Options:

A.

SD-WAN path quality profile

B.

Monitor profile

C.

IPsec tunnel

D.

Application group

Question 47

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

Options:

A.

SSH Service profile

B.

SSL/TLS Service profile

C.

Certificate profile

D.

Decryption profile

Question 48

Which protocol is natively supported by GlobalProtect Clientless VPN?

Options:

A.

HTP

B.

SSH

C.

HTTPS

D.

RDP

Question 49

Which link is responsible for synchronizing sessions between high availability (HA) peers?

Options:

A.

HA1

B.

HA3

C.

HA4

D.

HA2

Question 50

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems. Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

Options:

A.

Configure a Captive Portal authentication policy that uses an authentication sequence.

B.

Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

C.

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.

D.

Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.

Question 51

Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 52

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

Options:

A.

The User-ID agent is connected to a domain controller labeled lab-client

B.

The host lab-client has been found by a domain controller

C.

The host lab-client has been found by the User-ID agent.

D.

The User-ID aaent is connected to the firewall labeled lab-client

Question 53

An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies the administrator must update all the IPSec VPNs with new pre-shared keys Where are the pre-shared keys located on the firewall?

Options:

A.

Network/lPSec Tunnels

B.

Network/Network Profiles/IKE Gateways

C.

Network/Network ProfilesTlPSec Crypto

D.

Network/Network Profiles/IKE Crypto

Question 54

An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?

Options:

A.

Monitor Fail Hold Up Time

B.

Promotion Hold Time

C.

Heartbeat Interval

D.

Hello Interval

Question 55

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?

Options:

A.

Upgrade the firewalls, upgrade log collectors, upgrade Panorama

B.

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

C.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

D.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

Question 56

Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

Options:

A.

HA cluster members must share the same zone names.

B.

Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces

C.

Panorama must be used to manage HA cluster members.

D.

HA cluster members must be the same firewall model and run the same PAN-OS version.

Question 57

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Options:

A.

Export device state

B.

Load configuration version

C.

Load named configuration snapshot

D.

Save candidate config

Question 58

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

Options:

A.

Configure a floating IP between the firewall pairs.

B.

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

C.

Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.

D.

On one pair of firewalls, run the CLI command: set network interface vlan arp.

Question 59

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

Options:

A.

Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

B.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.

Required: Download PAN-OS 10.2.0.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

C.

Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

D.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0.

Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

Question 60

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?

Options:

A.

PBF > Zone Protection Profiles > Packet Buffer Protection

B.

BGP > PBF > NAT

C.

PBF > Static route > Security policy enforcement

D.

NAT > Security policy enforcement > OSPF

Question 61

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

Options:

A.

1

B.

2

C.

3

D.

4

Question 62

Which protocol is supported by GlobalProtect Clientless VPN?

Options:

A.

FTP

B.

RDP

C.

SSH

D.

HTTPS

Question 63

How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?

Options:

A.

Create a custom application, define its properties and signatures, and ensure all scanning options in the "Advanced" tab are unchecked

B.

Create a custom application, define its properties, then create an application override and reference the custom application

C.

Create a new security rule specifically for the affected traffic, but do not reference any Security Profiles inside the rule

D.

Create a new security rule specifically for the affected traffic, and select "Disable Server Response Inspection"

Question 64

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client currently uses RADIUS authentication in their environment

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)

Options:

A.

Kerberos or SAML authentication need to be configured

B.

LDAP or TACACS+ authentication need to be configured

C.

RADIUS is only supported for a transparent Web Proxy.

D.

RADIUS is not supported for explicit or transparent Web Proxy

Question 65

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Options:

A.

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.

B.

Create an Application Override using TCP ports 443 and 80.

C.

Add the HTTP. SSL. and Evernote applications to the same Security policy.

D.

Add only the Evernote application to the Security policy rule.

Question 66

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.

Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two )

Options:

A.

Configure the DNS server locally on the firewall.

B.

Change the DNS server on the global template.

C.

Override the DNS server on the template stack.

D.

Configure a service route for DNS on a different interface.

Question 67

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

Options:

A.

Authentication Portal

B.

SSL Decryption profile

C.

SSL decryption policy

D.

comfort pages

Question 68

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

Options:

A.

Preview Changes

B.

Managed Devices Health

C.

Test Policy Match

D.

Policy Optimizer

Question 69

An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?

Options:

A.

Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

B.

Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

C.

Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

D.

Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

Question 70

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two)

Options:

A.

RSA

B.

DHE

C.

ECDSA

D.

ECDHE

Question 71

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

Options:

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Question 72

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

Options:

A.

HSCI-C

B.

Console Backup

C.

HA3

D.

HA2 backup

Question 73

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

Options:

A.

On Palo Alto Networks Update Servers

B.

M600 Log Collectors

C.

Cortex Data Lake

D.

Panorama

Question 74

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.

When overriding the firewall configuration pushed from Panorama, what should you consider?

Options:

A.

The firewall template will show that it is out of sync within Panorama.

B.

The modification will not be visible in Panorama.

C.

Only Panorama can revert the override.

D.

Panorama will update the template with the overridden value.

Question 75

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?

Options:

A.

Dedicated Service Account

B.

System Account

C.

Domain Administrator

D.

Enterprise Administrator

Question 76

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

Options:

A.

Successful GlobalProtect Deployed Activity

B.

GlobalProtect Deployment Activity

C.

GlobalProtect Quarantine Activity

D.

Successful GlobalProtect Connection Activity

Question 77

A threat intelligence team has requested more than a dozen Short signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?

Options:

A.

Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls.

B.

Create custom vulnerability signatures manually on one firewall export them, and then import them to the rest of the firewalls

C.

Use Panorama IPs Signature Converter to create custom vulnerability signatures, and push them to the firewalls.

D.

Create custom vulnerability signatures manually in Panorama, and push them to the firewalls

Question 78

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware category: dns-c2 threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?

Options:

A.

Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

B.

Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile

Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit

C.

Navigate to Objects > Security Profiles > Vulnerability Protection

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable

Commit

D.

Navigate to Objects > Security Profiles > Anti-Spyware

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable Commit

Question 79

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

Options:

A.

User logon

B.

Push

C.

One-Time Password

D.

SSH key

E.

Short message service

Question 80

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

Options:

A.

Resource Protection

B.

TCP Port Scan Protection

C.

Packet Based Attack Protection

D.

Packet Buffer Protection

Question 81

When using certificate authentication for firewall administration, which method is used for authorization?

Options:

A.

Local

B.

Radius

C.

Kerberos

D.

LDAP

Question 82

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

Options:

A.

Yes, because the action is set to alert

B.

No, because this is an example from a defeated phishing attack

C.

No, because the severity is high and the verdict is malicious.

D.

Yes, because the action is set to allow.

Question 83

A company is expanding its existing log storage and alerting solutions All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two)

Options:

A.

SSL

B.

TLS

C.

HTTP

D.

Email

Question 84

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Question 85

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

Options:

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Question 86

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

Options:

A.

Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

B.

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone protection profile.

C.

Change the TCP port scan action from Block to Alert in the Zone Protection profile.

D.

Remove the Zone protection profile from the zone setting.

Question 87

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Options:

A.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option

B.

Perform a template commit push from Panorama using the "Force Template Values" option

C.

Perform a commit force from the CLI of the firewall

D.

Reload the running configuration and perform a firewall local commit

Question 88

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

Options:

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Question 89

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

Options:

A.

Ensure Force Template Values is checked when pushing configuration.

B.

Push the Template first, then push Device Group to the newly managed firewall.

C.

Perform the Export or push Device Config Bundle to the newly managed firewall.

D.

Push the Device Group first, then push Template to the newly managed firewall

Question 90

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

Options:

A.

Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

B.

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

C.

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

D.

Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

Question 91

A network security engineer is going to enable Zone Protection on several security zones How can the engineer ensure that Zone Protection events appear in the firewall's logs?

Options:

A.

Select the check box "Log packet-based attack events" in the Zone Protection profile

B.

No action is needed Zone Protection events appear in the threat logs by default

C.

Select the check box "Log Zone Protection events" in the Content-ID settings of the firewall

D.

Access the CLI in each firewall and enter the command set system setting additional-threat-log on

Question 92

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

Options:

A.

UaCredlnstall64-11.0.0.msi

B.

GlobalProtect64-6.2.1.msi

C.

Talnstall-11.0.0.msi

D.

Ualnstall-11.0.0msi

Question 93

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Options:

A.

Set the passive link state to shutdown".

B.

Disable config sync.

C.

Disable the HA2 link.

D.

Disable HA.

Question 94

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

Options:

A.

OSPF

B.

RIP

C.

BGP

D.

IGRP

E.

OSPFv3 virtual link

Question 95

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

Options:

A.

SSL/TLS Service Profile

B.

SSH Service Profile

C.

Certificate Profile

D.

Decryption Profile

Question 96

An engineer is tasked with decrypting web traffic in an environment without an established PKI When using a self-signed certificate generated on the firewall which type of certificate should be in? approved web traffic?

Options:

A.

An Enterprise Root CA certificate

B.

The same certificate as the Forward Trust certificate

C.

A Public Root CA certificate

D.

The same certificate as the Forward Untrust certificate

Question 97

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)

Options:

A.

Source IP address

B.

Dynamic tags

C.

Static tags

D.

Ldap attributes

Question 98

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

Options:

A.

Incomplete

B.

unknown-tcp

C.

Insufficient-data

D.

not-applicable

Question 99

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

Options:

A.

It matches to the New App-IDs downloaded in the last 90 days.

B.

It matches to the New App-IDs in the most recently installed content releases.

C.

It matches to the New App-IDs downloaded in the last 30 days.

D.

It matches to the New App-IDs installed since the last time the firewall was rebooted.

Question 100

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?

Options:

A.

show routing protocol bgp summary

B.

show routing protocol bgp rib-out

C.

show routing protocol bgp state

D.

show routing protocol bgp peer

Demo: 100 questions
Total 334 questions