New PCNSE Exam Dumps (V20.02): Update For 2023

1. While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column What best explains these occurrences?

2. A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?

3. Which statement accurately describes service routes and virtual systems?

4. What are two best practices for incorporating new and modified App-IDs? (Choose two)

5. Which CLI command is used to determine how much disk space is allocated to logs?

6. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

7. What best describes the HA Promotion Hold Time?

8. Which data flow describes redistribution of user mappings?

9. What is the function of a service route?

10. In the screenshot above which two pieces of information can be determined from the ACC configuration shown? (Choose two)

11. A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama.

What are the next steps to migrate configuration from the firewalls to Panorama?

12. An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks Which sessions does Packet Buffer Protection apply to?

13. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

14. An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.

Which configuration setting or step will allow the firewall to get automatic application signature updates?

15. A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443 A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cJeartext web-browsing traffic to this server on tcp/443?

16. PBF can address which two scenarios? (Select Two)

17. Which statement is true regarding a Best Practice Assessment?

18. An administrator needs firewall access on a trusted interface.

Which two components are required to configure certificate based, secure authentication to the web Ul? (Choose two)

19. View the screenshots.

A QoS profile and policy rules are configured as shown.

Based on this information, which two statements are correct? (Choose two.)

20. Which log type would provide information about traffic blocked by a Zone Protection profile?

21. A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

22. An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?

23. A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.

Which two configurations should you check on the firewall? (Choose two.)

24. An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

25. Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

26. An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same firewall. The update contains an application that matches the same traffic signatures as the custom application.

Which application will be used to identify traffic traversing the firewall?

27. An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory

What must be configured in order to select users and groups for those rules from Panorama?

28. When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

29. A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

30. An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices Which Mo variable types can be defined? (Choose two.)

31. Before you upgrade a Palo Alto Networks NGFW, what must you do?

32. Which two statements correctly describe Session 380280? (Choose two.)

33. An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

34. Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

35. A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing.

What command could the engineer run to see the current state of the BGP state between the two devices?

36. Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized.

Given the size of this environment, which User-ID collection method is sufficient?

37. Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

38. Which statement regarding HA timer settings is true?

39. Review the screenshot of the Certificates page.

An administrator tor a small LLC has created a series of certificates as shown, to use tor a planned Decryption roll out The administrator has also installed the sell-signed root certificate <n all client systems When testing, they noticed that every time a user visited an SSL site they received unsecured website warnings What is the cause of the unsecured website warnings.

40. An engineer is bootstrapping a VM-Series Firewall Other than the 'config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

41. Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three)

42. DRAG DROP

Match each GlobalProtect component to the purpose of that component

43. During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

44. An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch.

Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?

45. Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)

46. What is the best description of the HA4 Keep-Alive Threshold (ms)?

47. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

48. Where is information about packet buffer protection logged?

49. Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

50. A client wants to detect the use of weak and manufacturer-default passwords for loT devices.

Which option will help the customer?

51. An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

52. The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?

53. An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

54. the firewall's device group as post-rules

How will the rule order populate once pushed to the firewall?

55. A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software

Why did the bootstrap process fail for the VM-Series firewall in Azure?

56. A network administrator wants to use a certificate for the SSL/TLS Service Profile.

Which type of certificate should the administrator use?

57. A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

58. An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription.

How does adding the WildFire subscription improve the security posture of the organization1?

59. An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

60. An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

61. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

62. An administrator wants to enable WildFire inline machine learning.

Which three file types does WildFire inline ML analyze? (Choose three.)

63. An engineer needs to redistribute User-ID mappings from multiple data centers.

Which data flow best describes redistribution of user mappings?

64. Which statement about High Availability timer settings is true?

65. A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

66. What is considered the best practice with regards to zone protection?

67. A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

68. SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https //www important-website com certificate End-users are receiving me "security certificate is not trusted is warning Without SSL decryption the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root- CA.

The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1 End-users must not get the warning for the https://www.very-important-website.com website.

2 End-users should get the warning for any other untrusted website

Which approach meets the two customer requirements?

69. A standalone firewall with local objects and policies needs to be migrated into Panorama.

What procedure should you use so Panorama is fully managing the firewall?

70. DRAG DROP

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority.

Match the default Administrative Distances for each routing protocol.

71. An engineer needs to see how many existing SSL decryption sessions are traversing a firewall

What command should be used?

72. Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

73. The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.

Why is the AE interface showing down on the passive firewall?

74. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)