Month End Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Exam Practice Test

Page: 1 / 24
Total 243 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$36  $119.99

PDF Study Guide

  • Product Type: PDF Study Guide
$31.5  $104.99
Question 1

An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same firewall. The update contains an application that matches the same traffic signatures as the custom application.

Which application will be used to identify traffic traversing the firewall?

Options:

A.

Custom application

B.

Unknown application

C.

Incomplete application

D.

Downloaded application

Question 2

During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints.

The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue.

What must be configured to enable the Connect Before Logon feature?

Options:

A.

The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand.

B.

Registry keys on the Windows system.

C.

X-Auth Support in the GlobalProtect Gateway Tunnel Settings.

D.

The Certificate profile in the GlobalProtect Portal Authentication Settings.

Question 3

A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 4

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

Options:

A.

No client configuration is required for explicit proxy, which simplifies the deployment complexity.

B.

Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

C.

Explicit proxy supports interception of traffic using non-standard HTTPS ports.

D.

It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request

Question 5

An engineer is configuring SSL Inbound Inspection for public access to a company's application. Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Options:

A.

Self-signed CA and End-entity certificate

B.

Root CA and Intermediate CA(s)

C.

Self-signed certificate with exportable private key

D.

Intermediate CA (s) and End-entity certificate

Question 6

Which steps should an engineer take to forward system logs to email?

Options:

A.

Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the add email profile.

B.

Enable log forwarding under the email profile in the Objects tab.

C.

Create a new email profile under Device > server profiles: then navigate to Device > Log Settings > System and add the email profile under email.

D.

Enable log forwarding under the email profile in the Device tab.

Question 7

An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription.

How does adding the WildFire subscription improve the security posture of the organization1?

Options:

A.

Protection against unknown malware can be provided in near real-time

B.

WildFire and Threat Prevention combine to provide the utmost security posture for the firewall

C.

After 24 hours WildFire signatures are included in the antivirus update

D.

WildFire and Threat Prevention combine to minimize the attack surface

Question 8

Place the steps in the WildFire process workflow in their correct order.

Options:

Question 9

Given the screenshot, how did the firewall handle the traffic?

Options:

A.

Traffic was allowed by profile but denied by policy as a threat

B.

Traffic was allowed by policy but denied by profile as..

C.

Traffic was allowed by policy but denied by profile as ..

D.

Traffic was allowed by policy but denied by profile as a..

Question 10

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

Options:

A.

upload-only

B.

upload and install and reboot

C.

verify and install

D.

upload and install

E.

install and reboot

Question 11

A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?

Options:

A.

Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic

B.

Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic

C.

Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive

D.

Use Decryption profiles to drop traffic that uses processor-intensive ciphers

Question 12

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

Options:

A.

the website matches a category that is not allowed for most users

B.

the website matches a high-risk category

C.

the web server requires mutual authentication

D.

the website matches a sensitive category

Question 13

Which CLI command displays the physical media that are connected to ethernet1/8?

Options:

A.

> show system state filter-pretty sys.si.p8.stats

B.

> show system state filter-pretty sys.sl.p8.phy

C.

> show interface ethernet1/8

D.

> show system state filter-pretty sys.sl.p8.med

Question 14

An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

Options:

A.

Use the same Forward Trust certificate on all firewalls in the network.

B.

Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

C.

Obtain an enterprise CA-signed certificate for the Forward Trust certificate.

D.

Use an enterprise CA-signed certificate for the Forward Untrust certificate.

Question 15

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Options:

A.

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.

B.

Add the HTTP, SSL, and Evernote applications to the same Security policy

C.

Add only the Evernote application to the Security policy rule.

D.

Create an Application Override using TCP ports 443 and 80.

Question 16

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

Options:

A.

Cortex Data Lake

B.

Panorama

C.

On Palo Alto Networks Update Servers

D.

M600 Log Collectors

Question 17

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

Options:

A.

Windows User-ID agent

B.

GlobalProtect

C.

XMLAPI

D.

External dynamic list

E.

Dynamic user groups

Question 18

A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application.

What must be enabled to allow an interface to forward multicast traffic?

Options:

A.

IGMP

B.

PIM

C.

BFD

D.

SSM

Question 19

An administrator is configuring a Panorama device group

Which two objects are configurable? (Choose two )

Options:

A.

DNS Proxy

B.

Address groups

C.

SSL/TLS roles

D.

URL Filtering profiles

Question 20

Which statement regarding HA timer settings is true?

Options:

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Question 21

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Question 22

PBF can address which two scenarios? (Select Two)

Options:

A.

forwarding all traffic by using source port 78249 to a specific egress interface

B.

providing application connectivity the primary circuit fails

C.

enabling the firewall to bypass Layer 7 inspection

D.

routing FTP to a backup ISP link to save bandwidth on the primary ISP link

Question 23

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

Options:

A.

High availability (HA)

B.

Layer

C.

Virtual Wire

D.

Tap

E.

Layer 3

Question 24

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

Options:

Question 25

After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit with the following details.

What are two explanations for this type of issue? (Choose two)

Options:

A.

The peer IP is not included in the permit list on Management Interface Settings

B.

The Backup Peer HA1 IP Address was not configured when the commit was issued

C.

Either management or a data-plane interface is used as HA1-backup

D.

One of the firewalls has gone into the suspended state

Question 26

An engineer has been given approval to upgrade their environment 10 PAN-OS 10 2

The environment consists of both physical and virtual firewalls a virtual Panorama HA pair, and virtual log collectors

What is the recommended order when upgrading to PAN-OS 10.2?

Options:

A.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

B.

Upgrade the firewalls upgrade log collectors, upgrade Panorama

C.

Upgrade the firewalls upgrade Panorama, upgrade the log collectors

D.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

Question 27

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer.

Where should this change be made?

Options:

A.

IKE Gateway profile

B.

IPSec Crypto profile

C.

IPSec Tunnel settings

D.

IKE Crypto profile

Question 28

What can be used to create dynamic address groups?

Options:

A.

dynamic address

B.

region objects

C.

tags

D.

FODN addresses

Question 29

A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

Options:

A.

Panorama > Managed Devices

B.

Monitor > Logs > Traffic

C.

Device Groups > Objects > Log Forwarding

D.

Templates > Device > Log Settings

Question 30

A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?

Options:

A.

routes listed in the routing table with flags

B.

routes listed in the routing table with flags A?

C.

under the BGP Summary tab

D.

routes listed in the forwarding table with BGP in the Protocol column

Question 31

A company is deploying User-ID in their network. The firewall learn needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules

How can this be achieved?

Options:

A.

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.

By configuring User-ID source device in Panorama > Managed Devices

C.

By configuring User-ID group mapping in Panorama > User Identification

D.

By configuring Master Device in Panorama > Device Groups

Question 32

An engineer is tasked with configuring SSL forward proxy for traffic going to external sites.

Which of the following statements is consistent with SSL decryption best practices?

Options:

A.

The forward trust certificate should not be stored on an HSM.

B.

The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.

C.

Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL decryption

D.

The forward untrust certificate should not be signed by a Trusted Root CA

Question 33

An engineer is bootstrapping a VM-Series Firewall Other than the 'config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Options:

A.

/software

B.

/opt

C.

/license

D.

/content

E.

/plugins

Question 34

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

Options:

A.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

B.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

C.

It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.

D.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

Question 35

An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

Options:

A.

Configure a remote network on PAN-OS

B.

Upgrade to a PAN-OS SD-WAN subscription

C.

Deploy Prisma SD-WAN with Prisma Access

D.

Configure policy-based forwarding

Question 36

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

Options:

A.

A self-signed Certificate Authority certificate generated by the firewall

B.

A Machine Certificate for the firewall signed by the organization's PKI

C.

A web server certificate signed by the organization's PKI

D.

A subordinate Certificate Authority certificate signed by the organization's PKI

Page: 1 / 24
Total 243 questions