PCNSE Exam Dumps V14.02 – Be Available For Your PCNSE Exam Preparation

1. A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.

Which configuration is necessary to retrieve groups from Panorama?

2. Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

3. In a firewall, which three decryption methods are valid? (Choose three)

4. While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

5. A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

6. How can packet butter protection be configured?

7. A remote administrator needs firewall access on an untrusted interface.

Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

8. A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers

Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

9. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

10. An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration

Which two solutions can the administrator use to scale this configuration? (Choose two.)

11. An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

12. Before you upgrade a Palo Alto Networks NGFW, what must you do?

13. Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).

14. Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

15. To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

16. Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

17. What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

18. in a template you can configure which two objects? (Choose two.)

19. In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

20. An administrator needs to gather information about the CPU utilization on both the management plane and the data plane

Where does the administrator view the desired data?

21. You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For.

Which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three)

22. A variable name must start with which symbol?

23. Which three statements accurately describe Decryption Mirror? (Choose three.)

24. DRAG DROP

Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

25. Refer to the diagram.

An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups

Where will the object need to be created within the device-group hierarchy?

26. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

27. An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information

However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD

How can portaes based on group mapping be learned and enforced in Prisma Access?

28. What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?

29. An engineer is creating a security policy based on Dynamic User Groups (DUG) What benefit does this provide?

30. Which configuration task is best for reducing load on the management plane?

31. Which rule type controls end user SSL traffic to external websites?

32. Given the following configuration, which route is used for destination 10.10.0.4?

33. When you configure an active/active high availability pair which two links can you use? (Choose two)

34. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

35. DRAG DROP

Match each SD-WAN configuration element to the description of that element.

36. When setting up a security profile which three items can you use? (Choose three)

37. You need to allow users to access the office-suite applications of their choice .

How should you configure the firewall to allow access to any office-suite application?

38. A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients.

Prisma Access has been selected to replace the current remote access VPN solution.

During onboarding the following options and licenses were selected and enabled

What must be configured on Prisma Access to provide connectivity to the resources in the datacenter?

39. An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?

40. Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

41. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

42. DRAG DROP

Match each GlobalProtect component to the purpose of that component

43. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

44. A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two)

45. A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.

Where is the best place to validate if the firewall is blocking the user's TAR file?

46. A network administrator wants to use a certificate for the SSL/TLS Service Profile.

Which type of certificate should the administrator use?

47. During SSL decryption which three factors affect resource consumption1? (Choose three)

48. What are three types of Decryption Policy rules? (Choose three.)

49. Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

50. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

51. An administrator wants to enable zone protection

Before doing so, what must the administrator consider?

52. An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

53. What are two valid deployment options for Decryption Broker? (Choose two)

54. An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

55. What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

56. An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

57. What are three reasons for excluding a site from SSL decryption? (Choose three.)

58. What is a key step in implementing WildFire best practices?

59. Which two statements are true for the DNS Security service? (Choose two.)

60. The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

61. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

62. A customer is replacing its legacy remote-access VPN solution Prisma Access has been selected as the replacement During onboarding, the following options and licenses were selected and enabled:

The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users

Which two settings must the customer configure? (Choose two)

63. In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

64. Use the image below.

If the firewall has the displayed link monitoring configuration what will cause a failover?

65. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

66. A remote administrator needs access to the firewall on an untrust interlace .

Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

67. When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

68. in an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

69. A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices.

To install the certificate and key for an endpoint, which three components are required? (Choose three.)

70. A standalone firewall with local objects and policies needs to be migrated into Panorama .

What procedure should you use so Panorama is fully managing the firewall?

71. A security engineer needs firewall management access on a Inside interface.

When three settings are required on an SSI/TVS Service Profile to provide secure Wet) Ui authentication? (Choose three.)

72. Which statement is true regarding a Best Practice Assessment?

73. As a best practice, which URL category should you target first for SSL decryption*?

74. DRAG DROP

Please match the terms to their corresponding definitions.

75. An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required.

Which interface type would support this business requirement?

76. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

77. Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two)

78. PBF can address which two scenarios? (Select Two)

79. Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.

Which method can capture IP-to-user mapping information for users on the Linux machines?

80. DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.