Download Updated PCNSE Dumps Questions V15.02 To Prepare PCNSE Exam Well

1. When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices

What should you recommend?

2. An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

3. PBF can address which two scenarios? (Select Two)

4. in an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

5. When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay?

6. A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers

Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

7. Where is information about packet buffer protection logged?

8. An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

9. When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

10. DRAG DROP

Match each type of DoS attack to an example of that type of attack

11. In a Panorama template which three types of objects are configurable? (Choose three)

12. Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

13. What are two valid deployment options for Decryption Broker? (Choose two)

14. A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.

Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

15. When setting up a security profile which three items can you use? (Choose three)

16. An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed

Which Panorama tool can help this organization?

17. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

18. Which CLI command displays the physical media that are connected to ethernetl/8?

19. An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

What is the cause of the issue?

20. Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

21. Refer to the diagram.

An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups

Where will the object need to be created within the device-group hierarchy?

22. How can packet butter protection be configured?

23. A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas)

i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system)

ii. Enterpnse-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-lntermediate-CA

iv. Enterprise-Root-CA which is verified only as Trusted Root CA

An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall

The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

24. The UDP-4501 protocol-port is used between which two GlobalProtect components?

25. Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized

Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?

26. An engineer is in the planning stages of deploying User-ID in a diverse directory services environment.

Which server OS platforms can be used for server monitoring with User-ID?

27. To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

28. While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

29. An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

30. What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?

31. Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

32. During SSL decryption which three factors affect resource consumption1? (Choose three )

33. What is considered the best practice with regards to zone protection?

34. A customer is replacing their legacy remote access VPN solution The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients.

Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled

What must be configured on Prisma Access to provide connectivity to the resources in the datacenter?

35. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

36. Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

37. Which benefit do policy rule UUIDs provide?

38. A network administrator wants to use a certificate for the SSL/TLS Service Profile.

Which type of certificate should the administrator use?

39. When overriding a template configuration locally on a firewall, what should you consider?

40. DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

41. Which configuration task is best for reducing load on the management plane?

42. Which GlobalProtect component must be configured to enable Chentless VPN?

43. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

44. Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

45. An administrator needs to troubleshoot a User-ID deployment The administrator believes that there is an issue related to LDAP authentication The administrator wants to create a packet capture on the management plane

Which CLI command should the administrator use to obtain the packet capture for validating the configuration^

46. What are three reasons for excluding a site from SSL decryption? (Choose three.)

47. As a best practice, which URL category should you target first for SSL decryption*?

48. What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

49. A organizations administrator has the funds available to purchase more firewalls to increase the organization's security posture.

The partner SE recommends placing the firewalls as close as possible to the resources that they protect

Is the SE's advice correct and why or why not?

50. A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software

Why did the bootstrap process fail for the VM-Series firewall in Azure?

51. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

52. When you configure an active/active high availability pair which two links can you use? (Choose two)

53. An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?

54. An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory

What must be configured in order to select users and groups for those rules from Panorama?

55. A superuser is tasked with creating administrator accounts for three contractors For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

56. A remote administrator needs access to the firewall on an untrust interlace.

Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

57. What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

58. When using certificate authentication for firewall administration, which method is used for authorization?

59. An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA1?

60. Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).

61. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )

62. Which statement accurately describes service routes and virtual systems?

63. Which statement is true regarding a Best Practice Assessment?

64. An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

65. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

66. An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the

internet gateway and wants to be sure of the functions that are supported on the vwire interface

What are three supported functions on the VWire interface? (Choose three )

67. What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)

68. In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

69. A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall.

Which Security Profile should be applied to a policy to prevent these packet floods?

70. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

71. Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

72. An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version

What is considered best practice for this scenario?

73. What are three types of Decryption Policy rules? (Choose three.)

74. A standalone firewall with local objects and policies needs to be migrated into Panorama.

What procedure should you use so Panorama is fully managing the firewall?

75. Refer to the exhibit.

Which certificate can be used as the Forward Trust certificate?

76. An administrator is building Security rules within a device group to block traffic to and from malicious locations

How should those rules be configured to ensure that they are evaluated with a high priority?

77. A customer wants to spin their session load equally across two SD-WAN-enabled interfaces.

Where would you configure this setting?

78. In a device group, which two configuration objects are defined? (Choose two )

79. What is a key step in implementing WildFire best practices?

80. Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two)

81. An administrator wants to enable zone protection

Before doing so, what must the administrator consider?

82. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

83. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

84. Which two features require another license on the NGFW? (Choose two.)

85. An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration

Which two solutions can the administrator use to scale this configuration? (Choose two.)

86. An administrator needs to gather information about the CPU utilization on both the management plane and the data plane

Where does the administrator view the desired data?

87. A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

What is the correct setting?

88. An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

89. Users within an enterprise have been given laptops that are joined to the corporate domain.

In some cases, IT has also deployed Linux-based OS systems with a graphical desktop.

Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.

Which method can capture IP-to-user mapping information for users on the Linux machines?

90. An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required.

Which interface type would support this business requirement?

91. A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two )

92. An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription.

How does adding the WildFire subscription improve the security posture of the organization1?

93. Which three statements accurately describe Decryption Mirror? (Choose three.)

94. When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

95. The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

96. An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

97. Given the following configuration, which route is used for destination 10.10.0.4?

98. When you configure a Layer 3 interface what is one mandatory step?

99. Use the image below.

If the firewall has the displayed link monitoring configuration what will cause a failover?

100. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?