New PCNSE Dumps Released To Ensure You Pass Palo Alto Networks Certified Network Security Engineer Exam

1. DRAG DROP

Please match the terms to their corresponding definitions.

2. In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

3. Use the image below If the firewall has the displayed link monitoring configuration what will cause a failover?

4. A variable name must start with which symbol?

5. An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls.

The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

6. In a Panorama template which three types of objects are configurable? (Choose three)

7. An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant.

Which two statements are correct regarding the bootstrap package contents? (Choose two)

8. An engineer must configure the Decryption Broker feature

Which Decryption Broker security chain supports bi-directional traffic flow?

9. DRAG DROP

Match each SD-WAN configuration element to the description of that element.

10. Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

11. Which Panorama objects restrict administrative access to specific device-groups?

12. During SSL decryption which three factors affect resource consumption1? (Choose three)

13. In a firewall, which three decryption methods are valid? (Choose three)

14. Before you upgrade a Palo Alto Networks NGFW what must you do?

15. Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

16. An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

17. An engineer must configure a new SSL decryption deployment

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

18. A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers

Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

19. Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

20. When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

21. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

22. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

23. An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

24. An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)

25. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

26. Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

27. An administrator needs to gather information about the CPU utilization on both the management plane and the data plane

Where does the administrator view the desired data?

28. Given the following configuration, which route is used for destination 10.10.0.4?

29. An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane

Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

30. When you configure a Layer 3 interface what is one mandatory step?

31. Which three statements accurately describe Decryption Mirror? (Choose three.)

32. The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

An end-user visits the untrusted website https //www firewall-do-not-trust-website com

Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

33. An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription

How does adding the WildFire subscription improve the security posture of the organization1?

34. A network administrator wants to use a certificate for the SSL/TLS Service Profile.

Which type of certificate should the administrator use?

35. PBF can address which two scenarios? (Select Two)

36. A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas)

i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system)

ii. Enterpnse-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-lntermediate-CA

iv. Enterprise-Root-CA which is verified only as Trusted Root CA

An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall

The end-user's browser will show that the certificate for www example-website com was issued by which of the following?

37. Refer to the exhibit.

Which certificate can be used as the Forward Trust certificate?

38. Which CLI command displays the physical media that are connected to ethernetl/8?

39. DRAG DROP

Match each GlobalProtect component to the purpose of that component

40. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route

What are two reasons why the firewall might not use a static route"? (Choose two.)

41. DRAG DROP

Match each type of DoS attack to an example of that type of attack

42. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

43. DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

44. An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed

Which Panorama tool can help this organization?

45. A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two)

46. When setting up a security profile which three items can you use? (Choose three)

47. A firewall should be advertising the static route 10 2 0 0/24 into OSPF. The configuration on the neighbor is correct but the route is not in the neighbor's routing table

Which two configurations should you check on the firewall'? (Choose two)

48. The following objects and policies are defined in a device group hierarchy

A)

B)

C)

Address Objects

-Shared Address 1

-Branch Address2

Policies -Shared Polic1

l -Branch Policyl

D)

Address Objects

-Shared Addressl

-Shared Address2

-Branch Addressl

Policies -Shared Policyl

-Shared Policy2

-Branch Policyl

49. What are two characteristic types that can be defined for a variable? (Choose two)

50. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

51. What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

52. When you configure an active/active high availability pair which two links can you use? (Choose two)

53. In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

54. Which rule type controls end user SSL traffic to external websites?

55. An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version

What is considered best practice for this scenario?

56. When overriding a template configuration locally on a firewall, what should you consider?

57. As a best practice, which URL category should you target first for SSL decryption?

58. Which configuration task is best for reducing load on the management plane?

59. The UDP-4501 protocol-port is used between which two GlobalProtect components?

60. Which statement accurately describes service routes and virtual systems?

61. An administrator wants to enable zone protection

Before doing so, what must the administrator consider?

62. An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required.

Which interface type would support this business requirement?

63. An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17.

Which upgrade path maintains synchronization of the HA session (and prevents network outage)?

64. Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

65. A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?

66. During the packet flow process, which two processes are performed in application identification? (Choose two.)

67. A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

68. Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

69. Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.

70. Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

71. Which three options are supported in HA Lite? (Choose three.)

72. Which User-ID method should be configured to map IP addresses to usernames for users

connected through a terminal server?

73. An administrator wants to upgrade an NGFW from PAN-OS® 9.0 to PAN-OS® 10.0. The firewall is not a part of an HA pair .

What needs to be updated first?

74. Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

75. An administrator accidentally closed the commit window/screen before the commit was finished .

Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

76. What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

77. Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

78. Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

79. Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

80. Which is not a valid reason for receiving a decrypt-cert-validation error?

81. A session in the Traffic log is reporting the application as “incomplete.”

What does “incomplete” mean?

82. Which option is part of the content inspection process?

83. Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to:

84. Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

85. Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

86. Which operation will impact the performance of the management plane?

87. An administrator just submitted a newly found piece of spyware for WildFire analysis. The

spyware passively monitors behavior without the user’s knowledge.

What is the expected verdict from WildFire?

88. Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

89. What are two benefits of nested device groups in Panorama? (Choose two.)

90. The certificate information displayed in the following image is for which type of certificate?

91. Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

92. Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

93. Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?”

94. A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.

How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

95. An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router .

Which two options enable the administrator to troubleshoot this issue? (Choose two.)

96. The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

97. Which feature can provide NGFWs with User-ID mapping information?

98. How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

99. An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.

The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.

Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

100. To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure.