Verified PCNSE Dumps V17.02 – Worth Reading For Passing Palo Alto Networks Certified Network Security Engineer Exam

1. What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

2. Which statement regarding HA timer settings is true?

3. An administrator is building Security rules within a device group to block traffic to and from malicious locations

How should those rules be configured to ensure that they are evaluated with a high priority?

4. the firewall's device group as post-rules

How will the rule order populate once pushed to the firewall?

5. An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

6. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

7. WildFire will submit for analysis blocked files that match which profile settings?

8. Refer to the image.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

9. A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?

10. What are two best practices for incorporating new and modified App-IDs? (Choose two.)

11. Which data flow describes redistribution of user mappings?

12. Which GlobalProtect component must be configured to enable Clientless VPN?

13. A network administrator wants to use a certificate for the SSL/TLS Service Profile.

Which type of certificate should the administrator use?

14. What is the best description of the HA4 Keep-Alive Threshold (ms)?

15. An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface

What are three supported functions on the VWire interface? (Choose three)

16. An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

17. What happens when an A/P firewall cluster synchronies IPsec tunnel security associations (SAs)?

18. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

19. When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)

20. During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted

How should the engineer proceed?

21. Which configuration task is best for reducing load on the management plane?

22. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

23. A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

24. A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.

The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.

What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

25. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

26. What is the function of a service route?

27. An administrator device-group commit push is tailing due to a new URL category

How should the administrator correct this issue?

28. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

29. An administrator needs to assign a specific DNS server to one firewall within a device group.

Where would the administrator go to edit a template variable at the device level?

30. Where is information about packet buffer protection logged?

31. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

32. An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

33. A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas)

i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system)

ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-lntermediate-CA

iv. Enterprise-Root-CA which is verified only as Trusted Root CA

An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall

The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

34. A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the.

The DNS server returns an address of the web server's public address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

35. An engineer needs to redistribute User-ID mappings from multiple data centers.

Which data flow best describes redistribution of user mappings?