Palo Alto Networks PCNSE Dumps (V27.02) – Updated Preparation Materials Enable You to Validate Your Skills and Achieve Favorable Results

1. A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

2. A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

3. What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

4. DRAG DROP

Match the terms to their corresponding definitions

5. Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

6. Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

7. An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)

8. ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

9. Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

10. A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

11. Which log type would provide information about traffic blocked by a Zone Protection profile?

12. Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

13. An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

14. Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

15. A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

16. Which new PAN-OS 11.0 feature supports IPv6 traffic?

17. An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

18. Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

19. An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

20. With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

21. Which statement regarding HA timer settings is true?

22. A company has configured a URL Filtering profile with override action on their firewall.

Which two profiles are needed to complete the configuration? (Choose two)

23. A company has recently migrated their branch office's PA-220S to a centralized Panoram

a. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama

They notice that commit times have drastically increased for the PA-220S after the migration What can they do to reduce commit times?

24. Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

25. Why would a traffic log list an application as "not-applicable”?

26. Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)

27. Where can a service route be configured for a specific destination IP?

28. A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

29. Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

30. Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

31. An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

32. A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

33. An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

34. An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?

35. An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

36. Which three items must be configured to implement application override? (Choose three )

37. When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

38. Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

39. What is the best definition of the Heartbeat Interval?

40. After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

41. Which two statements correctly describe Session 380280? (Choose two.)

42. An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

43. Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

44. Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

45. An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

46. A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known

What can the administrator configure to establish the VPN connection?

47. An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

48. In a template, which two objects can be configured? (Choose two.)

49. An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

50. Review the images.

A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

51. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

52. Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution

How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?

53. Which protocol is supported by GlobalProtect Clientless VPN?

54. Which type of zone will allow different virtual systems to communicate with each other?

55. A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

56. During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

57. To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

58. An administrator notices that an interface configuration has been overridden locally on a firewall.

They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

59. Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

60. Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

61. What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

62. An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

63. An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

64. A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

65. An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

66. An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

67. Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

68. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?