Palo Alto Networks Certified Network Security Engineer Exam Updated PCNSE Dumps Questions V13.02 [2022]

1. Topic 1, Main Questions NEW

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

An end-user visits the untrusted website https //www firewall-do-not-trust-website com

Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

2. A standalone firewall with local objects and policies needs to be migrated into Panorama.

What procedure should you use so Panorama is fully managing the firewall?

3. Which CLI command displays the physical media that are connected to ethernetl/8?

4. DRAG DROP

Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack.

5. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

6. How can packet butter protection be configured?

7. in a template you can configure which two objects? (Choose two.)

8. Which statement accurately describes service routes and virtual systems?

9. The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

10. When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

11. Which configuration task is best for reducing load on the management plane?

12. Which two statements are true for the DNS Security service? (Choose two.)

13. An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls.

The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?

14. An engineer is creating a security policy based on Dynamic User Groups (DUG) What benefit does this provide?

15. Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

16. An administrator device-group commit push is tailing due to a new URL category

How should the administrator correct this issue?

17. What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

18. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

19. SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https //www important-website com certificate End-users are receiving me "security certificate is not trusted is warning Without SSL decryption the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root-CA.

The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1 End-users must not get the warning for the https://www.very-important-website.com website.

2 End-users should get the warning for any other untrusted website

Which approach meets the two customer requirements?

20. An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed

Which Panorama tool can help this organization?

21. An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

22. A customer wants to spin their session load equally across two SD-WAN-enabled interfaces.

Where would you configure this setting?

23. DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

24. An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant.

Which two statements are correct regarding the bootstrap package contents? (Choose two)

25. A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software

Why did the bootstrap process fail for the VM-Series firewall in Azure?

26. A remote administrator needs access to the firewall on an untrust interlace.

Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

27. What is a key step in implementing WildFire best practices?

28. Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

29. In a device group, which two configuration objects are defined? (Choose two )

30. An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version

What is considered best practice for this scenario?

31. An engines must configure the Decryption Broker feature.

To which router must the engineer assign the decryption forwarding interfaces that are used m the Decryption Broker security Chain?

32. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

33. Given the following configuration, which route is used for destination 10.10.0.4?

34. When you configure a Layer 3 interface what is one mandatory step?

35. The following objects and policies are defined in a device group hierarchy

A)

B)

C)

Address Objects

-Shared Address 1

-Branch Address2

Policies -Shared Polic1

l -Branch Policyl

D)

Address Objects

-Shared Addressl

-Shared Address2

-Branch Addressl

Policies -Shared Policyl

-Shared Policy2

-Branch Policyl

36. What are two valid deployment options for Decryption Broker? (Choose two)

37. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

38. An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panoram A. Pre-existing logs from the firewalls are not appearing in Panoram A.

Which action would enable the firewalls to send their pre-existing logs to Panorama?

39. An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA1?

40. Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

41. A organizations administrator has the funds available to purchase more firewalls to increase the organization's security posture.

The partner SE recommends placing the firewalls as close as possible to the resources that they protect

Is the SE's advice correct and why or why not?

42. Refer to the diagram.

An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups

Where will the object need to be created within the device-group hierarchy?

43. A superuser is tasked with creating administrator accounts for three contractors For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

44. Which statement is true regarding a Best Practice Assessment?

45. Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces'? (Choose two)

46. An administrator wants to enable zone protection Before doing so, what must the administrator consider?

47. A firewall should be advertising the static route 10 2 0 0/24 into OSPF. The configuration on the neighbor is correct but the route is not in the neighbor's routing table

Which two configurations should you check on the firewall'? (Choose two)

48. A remote administrator needs firewall access on an untrusted interface.

Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

49. What are two characteristic types that can be defined for a variable? (Choose two )

50. An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

51. When setting up a security profile which three items can you use? (Choose three )

52. An administrator notices that an interlace configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

53. To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers

Given the scenario, choose the option for sending IP address-to-username mappings to the firewall

54. Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.

Which method can capture IP-to-user mapping information for users on the Linux machines?

55. An engineer must configure the Decryption Broker feature

Which Decryption Broker security chain supports bi-directional traffic flow?

56. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

57. in an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

58. What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

59. An administrator needs to validate that policies mat will be deployed win match the appropriate rules in the devce-oroup hierarchy.

Which toot can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

60. A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two )

61. DRAG DROP

Match each type of DoS attack to an example of that type of attack

62. An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended.

Where would you find this in Panorama or firewall logs?

63. An engineer must configure a new SSL decryption deployment

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

64. Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

65. Before you upgrade a Palo Alto Networks NGFW, what must you do?

66. What happens when en A P firewall cluster synchronies IPsec tunnel secunty associations (SAs)?

67. What are two best practices for incorporating new and modified App-IDs? (Choose two.)

68. DRAG DROP

Match each GlobalProtect component to the purpose of that component

69. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

70. An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane

Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

71. An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required.

Which interface type would support this business requirement?

72. An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information.

However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD

How can portaes based on group mapping be learned and enforced in Prisma Access?

73. DRAG DROP

Match each SD-WAN configuration element to the description of that element.

74. A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients.

Prisma Access has been selected to replace the current remote access VPN solution.

During onboarding the following options and licenses were selected and enabled

What must be configured on Prisma Access to provide connectivity to the resources in the datacenter?

75. While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

76. A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall.

Which Security Profile should be applied to a policy to prevent these packet floods?

77. A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices.

To install the certificate and key for an endpoint, which three components are required? (Choose three.)

78. Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

79. A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers

Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

80. What are three reasons why an installed session can be identified with the application

81. Which benefit do policy rule UUIDs provide?

82. When you configure an active/active high availability pair which two links can you use? (Choose two)

83. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

84. In a firewall, which three decryption methods are valid? (Choose three )

85. A customer is replacing its legacy remote-access VPN solution Prisma Access has been selected as the replacement During onboarding, the following options and licenses were selected and enabled:

The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users

Which two settings must the customer configure? (Choose two)

86. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

87. PBF can address which two scenarios? (Select Two)

88. You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For.

Which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three)

89. As a best practice, which URL category should you target first for SSL decryption*?

90. Which Panorama objects restrict administrative access to specific device-groups?

91. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

92. A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas)

i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system)

ii. Enterpnse-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-lntermediate-CA

iv. Enterprise-Root-CA which is verified only as Trusted Root CA

An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall

The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

93. In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

94. What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

95. Which three statements accurately describe Decryption Mirror? (Choose three.)

96. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

97. An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration

Which two solutions can the administrator use to scale this configuration? (Choose two.)

98. Use the image below.

If the firewall has the displayed link monitoring configuration what will cause a failover?

99. During SSL decryption which three factors affect resource consumption1? (Choose three )

100. A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.

Where is the best place to validate if the firewall is blocking the user's TAR file?