Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Exam Practice Test

Demo: 88 questions
Total 294 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Question 1

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?

Options:

A.

HA1

B.

HA3

C.

HA2

D.

HA4

Question 2

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)

Options:

A.

Firewalls which support policy-based VPNs.

B.

The remote device is a non-Palo Alto Networks firewall.

C.

Firewalls which support route-based VPNs.

D.

The remote device is a Palo Alto Networks firewall.

Question 3

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

Options:

A.

Application filter

B.

Application override policy rule

C.

Security policy rule

D.

Custom app

Question 4

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

Options:

A.

Click Session Browser and review the session details.

B.

Click Traffic view and review the information in the detailed log view.

C.

Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.

D.

Click App Scope > Network Monitor and filter the report for NAT rules.

Question 5

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

Options:

A.

OSPFV3

B.

ECMP

C.

ASBR

D.

OSBF

Question 6

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

Options:

A.

IP Netmask

B.

IP Wildcard Mask

C.

IP Address

D.

IP Range

Question 7

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?

Options:

A.

Apply DOS profile to security rules allow traffic from outside.

B.

Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.

C.

Enable packet buffer protection for the affected zones.

D.

Add a Zone Protection profile to the affected zones.

Question 8

Exhibit.

Review the screenshots and consider the following information

1. FW-1is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

Options:

A.

Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1

B.

Server-1 on FW-1 will have IR 111.1. Server-1 will not be pushed to FW-2.

C.

Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

D.

Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Question 9

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?

Options:

A.

Create a Group Mapping for the GlobalProtect Group.

B.

Enable Captive Portal on the expected source interfaces.

C.

Add the users to the proper Dynamic User Group.

D.

Enable User-ID on the expected trusted zones.

Question 10

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Options:

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Question 11

What does the User-ID agent use to find login and logout events in syslog messages?

Options:

A.

Syslog Server profile

B.

Authentication log

C.

Syslog Parse profile

D.

Log Forwarding profile

Question 12

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

Options:

A.

Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

B.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.

Required: Download PAN-OS 10.2.0.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

C.

Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

D.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0.

Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

Question 13

A company is expanding its existing log storage and alerting solutions All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two)

Options:

A.

SSL

B.

TLS

C.

HTTP

D.

Email

Question 14

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

Options:

A.

Click the hyperlink for the Zero Access.Gen threat.

B.

Click the left arrow beside the Zero Access.Gen threat.

C.

Click the source user with the highest threat count.

D.

Click the hyperlink for the hotport threat Category.

Question 15

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.

Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two )

Options:

A.

Configure the DNS server locally on the firewall.

B.

Change the DNS server on the global template.

C.

Override the DNS server on the template stack.

D.

Configure a service route for DNS on a different interface.

Question 16

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

Options:

A.

Encryption algorithm

B.

Number of security zones in decryption policies

C.

TLS protocol version

D.

Number of blocked sessions

Question 17

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?

Options:

A.

Use the "import device configuration to Panorama" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

B.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then "export or push device config bundle" to push the configuration.

C.

Use the "import device configuration to Panorama" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

D.

Use the "import Panorama configuration snapshot" operation, commit to Panorama, then perform a device-group commit push with "include device and network templates".

Question 18

What happens when the log forwarding built-in action with tagging is used?

Options:

A.

Destination IP addresses of selected unwanted traffic are blocked. *

B.

Selected logs are forwarded to the Azure Security Center.

C.

Destination zones of selected unwanted traffic are blocked.

D.

Selected unwanted traffic source zones are blocked.

Question 19

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?

Options:

A.

The amount of decrypted traffic

B.

The timeout value for admin sessions

C.

The number of mapped User-ID groups

D.

The number of permitted IP addresses on the management interface

Question 20

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

Options:

A.

Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.

B.

Firewalls send SNMP traps to Panorama wen resource exhaustion is detected Panorama generates a system log and can send email alerts.

C.

Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

D.

Panorama provides visibility all the system and traffic logs received from firewalls it does not offer any ability to see or monitor resource utilization on managed firewalls

Question 21

A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect Gateway will users connect to based on the chart provided?

Options:

A.

South

B.

West

C.

East

D.

Central

Question 22

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

Options:

A.

the 'Shared' device group

B.

template stacks

C.

a device group

D.

template variables

Question 23

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Options:

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Question 24

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

Options:

A.

Add SSL and web-browsing applications to the same rule.

B.

Add web-browsing application to the same rule.

C.

Add SSL application to the same rule.

D.

SSL and web-browsing must both be explicitly allowed.

Question 25

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

Options:

A.

On the same RODC that is used for credential detection

B.

In close proximity to the firewall it will be providing User-ID to

C.

In close proximity to the servers it will be monitoring

D.

On the DC holding the Schema Master FSMO role

Question 26

Please match the terms to their corresponding definitions.

Options:

Question 27

Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Options:

A.

shared pre-rules

DATACENTER DG pre rules

rules configured locally on the firewall

shared post-rules

DATACENTER_DG post-rules

DATACENTER.DG default rules

B.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

shared post-rules

DATACENTER.DG post-rules

shared default rules

C.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

shared default rules

D.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

DATACENTER_DG default rules

Question 28

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

Options:

A.

Threat

B.

HIP Match

C.

Traffic

D.

Configuration

Question 29

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

Options:

A.

A service route to the LDAP server

B.

A Master Device

C.

Authentication Portal

D.

A User-ID agent on the LDAP server

Question 30

What should an engineer consider when setting up the DNS proxy for web proxy?

Options:

A.

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

B.

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

C.

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

D.

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

Question 31

Which log type would provide information about traffic blocked by a Zone Protection profile?

Options:

A.

Data Filtering

B.

IP-Tag

C.

Traffic

D.

Threat

Question 32

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)

Options:

A.

External zones with the virtual systems added.

B.

Layer 3 zones for the virtual systems that need to communicate.

C.

Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate.

D.

Add a route with next hop next-vr by using the VR configured in the virtual system.

E.

Ensure the virtual systems are visible to one another.

Question 33

Given the following snippet of a WildFire submission log, did the end user successfully download a file?

Options:

A.

No, because the URL generated an alert.

B.

Yes, because both the web-browsing application and the flash file have the 'alert" action.

C.

Yes, because the final action is set to "allow.''

D.

No, because the action for the wildfire-virus is "reset-both."

Question 34

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

Options:

A.

User logon

B.

Push

C.

One-Time Password

D.

SSH key

E.

Short message service

Question 35

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

Options:

A.

NTP Server Address

B.

Antivirus Profile

C.

Authentication Profile

D.

Service Route Configuration

E.

Dynamic Address Groups

Question 36

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

Options:

A.

debug dataplane Internal vif route 250

B.

show routing route type service-route

C.

show routing route type management

D.

debug dataplane internal vif route 255

Question 37

An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Options:

A.

/content

B.

/software

C.

/piugins

D.

/license

E.

/opt

Question 38

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)

Options:

A.

RADIUS

B.

TACACS+

C.

Kerberos

D.

LDAP

E.

SAML

Question 39

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

Options:

A.

IKE Crypto Profile

B.

Security policy

C.

Proxy-IDs

D.

PAN-OS versions

Question 40

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)

Options:

A.

Telemetry feature is automatically enabled during PAN-OS installation.

B.

Telemetry data is uploaded into Strata Logging Service.

C.

Telemetry feature is using Traffic logs and packet captures to collect data.

D.

Telemetry data is shared in real time with Palo Alto Networks.

Question 41

Why would a traffic log list an application as "not-applicable”?

Options:

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Question 42

ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

Options:

A.

1 to 4 hours

B.

6 to 12 hours

C.

24 hours

D.

36 hours

Question 43

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?

Options:

A.

Command line > debug dataplane packet-diag clear filter-marked-session all

B.

In the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface

C.

Command line> debug dataplane packet-diag clear filter all

D.

In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"

Question 44

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

Options:

A.

Change destination NAT zone to Trust_L3.

B.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

C.

Change Source NAT zone to Untrust_L3.

D.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Question 45

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects

Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Dynamic Read only superuser.

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Device Group and Template Admin

D.

Create a Custom Panorama Admin

Question 46

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Options:

A.

Proxy IDs

B.

GRE Encapsulation

C.

Tunnel Monitor

D.

ToS Header

Question 47

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

Options:

A.

The running configuration with the candidate configuration of the firewall

B.

Applications configured in the rule with applications seen from traffic matching the same rule

C.

Applications configured in the rule with their dependencies

D.

The security rule with any other security rule selected

Question 48

An engineer is configuring a firewall with three interfaces:

• MGT connects to a switch with internet access.

• Ethernet1/1 connects to an edge router.

• Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

Options:

A.

Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

B.

Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

C.

Set DNS and Palo Alto Networks Services to use the MGT source interface.

D.

Set DDNS and Palo Alto Networks Services to use the MGT source interface.

Question 49

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?

Options:

A.

show routing protocol bgp summary

B.

show routing protocol bgp rib-out

C.

show routing protocol bgp state

D.

show routing protocol bgp peer

Question 50

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Chicago

B.

Values in efw01lab.chi

C.

Values in Datacenter

D.

Values in Global Settings

Question 51

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

Options:

A.

OSPF

B.

RIP

C.

BGP

D.

IGRP

E.

OSPFv3 virtual link

Question 52

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

Options:

A.

Captive portal

B.

Standalone User-ID agent

C.

Syslog listener

D.

Agentless User-ID with redistribution

Question 53

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?

Options:

A.

PBF > Zone Protection Profiles > Packet Buffer Protection

B.

BGP > PBF > NAT

C.

PBF > Static route > Security policy enforcement

D.

NAT > Security policy enforcement > OSPF

Question 54

An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies the administrator must update all the IPSec VPNs with new pre-shared keys Where are the pre-shared keys located on the firewall?

Options:

A.

Network/lPSec Tunnels

B.

Network/Network Profiles/IKE Gateways

C.

Network/Network ProfilesTlPSec Crypto

D.

Network/Network Profiles/IKE Crypto

Question 55

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Options:

A.

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.

A Decryption profile must be attached to the Security policy that the traffic matches.

C.

There must be a certificate with only the Forward Trust option selected.

D.

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Question 56

Which three authentication types can be used to authenticate users? (Choose three.)

Options:

A.

Local database authentication

B.

PingID

C.

Kerberos single sign-on

D.

GlobalProtect client

E.

Cloud authentication service

Question 57

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?

Options:

A.

Create the appropriate rules with a Block action and apply them at the top ol the Security Pre-Rules.

B.

Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

C.

Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

D.

Create the appropriate rules with a Block action and apply them at the top of the Default Rules.

Question 58

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?

Options:

A.

Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server

B.

Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

C.

Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange

D.

Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory

Question 59

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

Options:

A.

On Palo Alto Networks Update Servers

B.

M600 Log Collectors

C.

Cortex Data Lake

D.

Panorama

Question 60

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?

Options:

A.

It applies to existing sessions and is global.

B.

It applies to new sessions and is not global.

C.

It applies to existing sessions and is not global.

D.

It applies to new sessions and is global.

Question 61

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

Options:

A.

Incomplete

B.

unknown-tcp

C.

Insufficient-data

D.

not-applicable

Question 62

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

Options:

A.

Upload the image to Panorama > Software menu, and deploy it to the firewalls. *

B.

Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.

C.

Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

D.

Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

Question 63

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

Options:

A.

Resource Protection

B.

TCP Port Scan Protection

C.

Packet Based Attack Protection

D.

Packet Buffer Protection

Question 64

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?

Options:

A.

test vpn ike-sa

B.

test vpn gateway

C.

test vpn flow

D.

test vpn tunnel

Question 65

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?

Options:

A.

Phase 1 and Phase 2 SAs are synchronized over HA3 links.

B.

Phase 2 SAs are synchronized over HA2 links.

C.

Phase 1 and Phase 2 SAs are synchronized over HA2 links.

D.

Phase 1 SAs are synchronized over HA1 links.

Question 66

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)

Options:

A.

Low

B.

High

C.

Critical

D.

Informational

E.

Medium

Question 67

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

Options:

A.

upload-onlys

B.

install and reboot

C.

upload and install

D.

upload and install and reboot

E.

verify and install

Question 68

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

Options:

A.

debug dataplane internal vif route 255

B.

show routing route type management

C.

debug dataplane internal vif route 250

D.

show routing route type service-route

Question 69

Which three statements accurately describe Decryption Mirror? (Choose three.)

Options:

A.

Decryption Mirror requires a tap interface on the firewall

B.

Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

C.

Only management consent is required to use the Decryption Mirror feature.

D.

Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.

E.

You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.

Question 70

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)

Options:

A.

DNS Proxy

B.

SSL/TLS profiles

C.

address groups

D.

URL Filtering profiles

Question 71

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Question 72

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface in needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?

Options:

A.

Virtual Wire interface

B.

Loopback interface

C.

Layer 3 interface

D.

Layer 2 interface

Question 73

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

Options:

A.

SSH Service profile

B.

SSL/TLS Service profile

C.

Certificate profile

D.

Decryption profile

Question 74

A customer wants to deploy User-ID on a Palo Alto Network NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. the customer uses Windows

Options:

A.

Deploy the GlobalProtect as a lee data hub.

B.

Deploy Window User 0 agents on each domain controller.

C.

Deploys AILS integrated Use 10 agent on each vsys.

D.

Deploy a M.200 as a Users-ID collector.

Question 75

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Options:

A.

A Deny policy for the tagged traffic

B.

An Allow policy for the initial traffic

C.

A Decryption policy to decrypt the traffic and see the tag

D.

A Deny policy with the "tag" App-ID to block the tagged traffic

Question 76

An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?

Options:

A.

Monitor > Logs > System

B.

Device > High Availability > Active/Passive Settings

C.

Monitor > Logs > Traffic

D.

Dashboard > Widgets > High Availability

Question 77

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)

Options:

A.

SSL/TLS Service

B.

HTTP Server

C.

Decryption

D.

Interface Management

Question 78

Which rule type controls end user SSL traffic to external websites?

Options:

A.

SSL Outbound Proxyless Inspection

B.

SSL Forward Proxy

C.

SSH Proxy

D.

SSL Inbound Inspection

Question 79

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)

Options:

A.

ICMP Drop

B.

TCP Drop

C.

SYN Random Early Drop

D.

TCP Port Scan Block

Question 80

An administrator has been tasked with configuring decryption policies,

Which decryption best practice should they consider?

Options:

A.

Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

B.

Decrypt all traffic that traverses the firewall so that it can be scanned for threats.

C.

Place firewalls where administrators can opt to bypass the firewall when needed.

D.

Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.

Question 81

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

Options:

A.

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate

B.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure

C.

Check whether the VPN peer on one end is set up correctly using policy-based VPN

D.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Question 82

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?

Options:

A.

Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.

B.

Open a support case.

C.

Review traffic logs to add the exception from there.

D.

Select 'Show all signatures' within the Vulnerability Protection Profile under 'Exceptions'.

Question 83

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

Options:

A.

The User-ID agent is connected to a domain controller labeled lab-client

B.

The host lab-client has been found by a domain controller

C.

The host lab-client has been found by the User-ID agent.

D.

The User-ID aaent is connected to the firewall labeled lab-client

Question 84

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

Options:

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Question 85

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

Options:

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

Question 86

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?

Options:

A.

ingress for the outgoing traffic to the internet

B.

Loopback for the proxy

C.

Firewall management

D.

ingress for the client traffic

Question 87

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

Options:

A.

Log Forwarding Profile is configured but not added to security rules in the data center firewall.

B.

HIP profiles are configured but not added to security rules in the data center firewall.

C.

User ID is not enabled in the Zone where the users are coming from in the data center firewall.

D.

HIP Match log forwarding is not configured under Log Settings in the device tab.

Question 88

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms The network team has reported excessive traffic on the corporate WAN How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

Options:

A.

Any configuration on an M-500 would address the insufficient bandwidth concerns

B.

Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW

C.

Configure log compression and optimization features on all remote firewalls

D.

Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

Demo: 88 questions
Total 294 questions