Summer Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Exam Practice Test

Page: 1 / 35
Total 346 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$43.75  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$38.5  $109.99
Question 1

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

Options:

A.

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Question 2

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

Options:

A.

Successful GlobalProtect Deployed Activity

B.

GlobalProtect Deployment Activity

C.

GlobalProtect Quarantine Activity

D.

Successful GlobalProtect Connection Activity

Question 3

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

Options:

A.

Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

B.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.Required: Download PAN-OS 10.2.0.Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

C.

Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

D.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0.Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

Question 4

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?

Options:

A.

Contact the site administrator with the expired certificate to request updates or renewal.

B.

Enable certificate revocation checking to deny access to sites with revoked certificates. -"

C.

Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

D.

Check for expired certificates and take appropriate actions to block or allow access based on business needs.

Question 5

Which protocol is natively supported by GlobalProtect Clientless VPN?

Options:

A.

HTP

B.

SSH

C.

HTTPS

D.

RDP

Question 6

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

Options:

A.

IP Netmask

B.

IP Wildcard Mask

C.

IP Address

D.

IP Range

Question 7

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

Options:

A.

A subject alternative name

B.

A private key

C.

A server certificate

D.

A certificate authority (CA) certificate

Question 8

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?

Options:

A.

Ensure HA3 interfaces are configured in a HA pair environment to sync decrypted sessions.

B.

Obtain or generate the server certificate and private key from the datacenter server.

C.

Obtain or generate the self-signed certificate with private key in the firewall

D.

Obtain or generate the forward trust and forward untrust certificate from the datacenter server.

Question 9

The UDP-4501 protocol-port is to between which two GlobalProtect components?

Options:

A.

GlobalProtect app and GiobalProtect satellite

B.

GlobalRrotect app and GlobalProtect gateway

C.

GlobalProtect portal and GlobalProtect gateway

D.

GlobalProtect app and GlobalProtect portal

Question 10

What must be configured to apply tags automatically based on User-ID logs?

Options:

A.

Device ID

B.

Log Forwarding profile

C.

Group mapping

D.

Log settings

Question 11

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

Options:

A.

Initial

B.

Tentative

C.

Passive

D.

Active-secondary

Question 12

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

Options:

A.

Ensure Force Template Values is checked when pushing configuration.

B.

Push the Template first, then push Device Group to the newly managed firewall.

C.

Perform the Export or push Device Config Bundle to the newly managed firewall.

D.

Push the Device Group first, then push Template to the newly managed firewall

Question 13

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Options:

A.

Export device state

B.

Load configuration version

C.

Load named configuration snapshot

D.

Save candidate config

Question 14

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

Options:

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Question 15

Which GloDalProtecI gateway setting is required to enable split-tunneting by access route, destination domain and application?

Options:

A.

Tunnel mode

B.

Satellite mode

C.

IPSec mode

D.

No Direct Access to local networks

Question 16

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

Options:

A.

Change the firewall management IP address

B.

Configure a device block list

C.

Add administrator accounts

D.

Rename a vsys on a multi-vsys firewall

E.

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Question 17

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.

When overriding the firewall configuration pushed from Panorama, what should you consider?

Options:

A.

The firewall template will show that it is out of sync within Panorama.

B.

The modification will not be visible in Panorama.

C.

Only Panorama can revert the override.

D.

Panorama will update the template with the overridden value.

Question 18

Which log type is supported in the Log Forwarding profile?

Options:

A.

Configuration

B.

GlobalProtect

C.

Tunnel

D.

User-ID

Question 19

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

Options:

A.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

B.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

C.

A User-ID Certificate profile must be configured on Panorama

D.

N/A

Question 20

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

Options:

A.

The profile rule action

B.

CVE column

C.

Exceptions lab

D.

The profile rule threat name

Question 21

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?

Options:

A.

show chassis status slot s1

B.

show s/stem state filter ethernet1/1

C.

show s/stem state filter sw.dev interface config

D.

show s/stem state filter-pretty sys.sl*

Question 22

Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?

Options:

A.

Change the "GlobalProtect Gateway -> Agent -> Network Services -> Split Tunnel -> No direct access to local network" setting to "off"

B.

Change the "GlobalProtect Portal -> Satellite -> Gateways -> No direct access to local network" setting to "off"

C.

Change the "GlobalProtect Gateway -> Agent -> Client Settings -> Split Tunnel -> No direct access to local network" setting to "off"

D.

Change the "GlobalProtect Portal -> Agent -> App -> Split Tunnel -> No direct access to local network" setting to "off"

Question 23

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers Traffic to these sites will therefore be blocked if decrypted.

How should the engineer proceed?

Options:

A.

Install the unsupported cipher into the firewall to allow the sites to be decrypted

B.

Allow the firewall to block the sites to improve the security posture.

C.

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption.

D.

Create a Security policy to allow access to those sites.

Question 24

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports

What can the engineer do to solve the VoIP traffic issue?

Options:

A.

Disable ALG under H.323 application

B.

Increase the TCP timeout under H.323 application

C.

Increase the TCP timeout under SIP application

D.

Disable ALG under SIP application

Question 25

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?

Options:

A.

Application Groups

B.

Policy Optimizer

C.

Test Policy Match

D.

Config Audit

Question 26

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server By default, which component of the Palo Alto Networks firewall architect is responsible for log forwarding and should be checked for early signs of overutilization?

Options:

A.

Management plane CPU

B.

Dataplane CPU

C.

Packet buffers

D.

On-chip packet descriptors

Question 27

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?

Options:

A.

Dedicated Service Account

B.

System Account

C.

Domain Administrator

D.

Enterprise Administrator

Question 28

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?

Options:

A.

It can run on a single virtual system and multiple virtual systems.

B.

It can run on multiple virtual systems without issue.

C.

It can run only on a single virtual system.

D.

It can run only on a virtual system with an alias named "web proxy.

Question 29

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

Options:

A.

Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

B.

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone protection profile.

C.

Change the TCP port scan action from Block to Alert in the Zone Protection profile.

D.

Remove the Zone protection profile from the zone setting.

Question 30

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?

Options:

A.

Destination Zone Outside. Destination IP address 2.2.2.1

B.

Destination Zone DMZ, Destination IP address 10.10.10.1

C.

Destination Zone DMZ, Destination IP address 2.2.2.1

D.

Destination Zone Outside. Destination IP address 10.10.10.1

Question 31

Which operation will impact the performance of the management plane?

Options:

A.

Decrypting SSL sessions

B.

Generating a SaaS Application report

C.

Enabling DoS protection

D.

Enabling packet buffer protection

Question 32

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Options:

A.

shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules shared default rules

B.

shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall DATACENTER_DG post-rules shared post-rules shared default rules

C.

shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall DATACENTER_DG post-rules shared post-rules DATACENTER_DG default rules

D.

shared pre-rules DATACENTER_DG pre-rules rules configured locally on the firewall shared post-rules DATACENTER_DG post-rules DATACENTER_DG default rules

Question 33

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

Options:

A.

DNS proxy

B.

Explicit proxy

C.

SSL forward proxy

D.

Transparent proxy

Question 34

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection Click AddSelect Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click AddSelect Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Question 35

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

Options:

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Question 36

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Question 37

What should an engineer consider when setting up the DNS proxy for web proxy?

Options:

A.

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

B.

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

C.

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

D.

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

Question 38

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?

Options:

A.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet.1 and $permitted-subnet-2.

B.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

Question 39

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?

Options:

A.

PBF > Zone Protection Profiles > Packet Buffer Protection

B.

BGP > PBF > NAT

C.

PBF > Static route > Security policy enforcement

D.

NAT > Security policy enforcement > OSPF

Question 40

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?

Options:

A.

Monitor > Logs > System

B.

Objects > Log Forwarding

C.

Panorama > Managed Devices

D.

Device > Log Settings

Question 41

A company wants to deploy IPv6 on its network which requires that all company Palo Alto Networks firewalls process IPv6 traffic and to be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?

Options:

A.

Device > Setup Settings Do not enable on each interface

B.

Network > Zone Settings Do not enable on each interface

C.

Network > Zone Settings Enable on each interface

D.

Device > Setup Settings Enable on each interface

Question 42

As a best practice, logging at session start should be used in which case?

Options:

A.

While troubleshooting

B.

Only on Deny rules

C.

On all Allow rules

D.

Only when log at session end is enabled

Question 43

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

Options:

A.

Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.

B.

Firewalls send SNMP traps to Panorama wen resource exhaustion is detected Panorama generates a system log and can send email alerts.

C.

Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

D.

Panorama provides visibility all the system and traffic logs received from firewalls it does not offer any ability to see or monitor resource utilization on managed firewalls

Question 44

An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?

Options:

A.

Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

B.

Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

C.

Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

D.

Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

Question 45

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?

Options:

A.

ingress for the outgoing traffic to the internet

B.

Loopback for the proxy

C.

Firewall management

D.

ingress for the client traffic

Question 46

An engineer needs to collect User-ID mappings from the company’s existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)

Options:

A.

Client Probing

B.

Syslog

C.

Server Monitoring

D.

XFF Headers

Question 47

‘SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website important-website com certificate, End-users are receiving the "security certificate is no: trusted” warning, Without SSL decryption, the web browser shows chat the website certificate is trusted and signet by well-known certificate chain Well-Known-intermediate and Wako Hebe CA Security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

Options:

A.

Install the Well-Known-intermediate-CA and Well:Known Root-CA certificates on all end-user systems in the user and local computer stores:

B.

Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate= and commit the configuration

C.

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA 2nd Well-Known-Root-CA select the Trusted Root CA check box, aid commit the configuration.

D.

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-known-Intermediate-CA and Well-Know5-Root-CA, Select the Trusted Root CA check box, and commit the configuration.

Question 48

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

Options:

A.

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate

B.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure

C.

Check whether the VPN peer on one end is set up correctly using policy-based VPN

D.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Question 49

Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Options:

A.

shared pre-rulesDATACENTER DG pre rulesrules configured locally on the firewallshared post-rulesDATACENTER_DG post-rulesDATACENTER.DG default rules

B.

shared pre-rulesDATACENTER_DG pre-rulesrules configured locally on the firewallshared post-rulesDATACENTER.DG post-rulesshared default rules

C.

shared pre-rulesDATACENTER_DG pre-rulesrules configured locally on the firewallDATACENTER_DG post-rulesshared post-rulesshared default rules

D.

shared pre-rulesDATACENTER_DG pre-rulesrules configured locally on the firewallDATACENTER_DG post-rulesshared post-rulesDATACENTER_DG default rules

Question 50

An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?

Options:

A.

Highlight Unused Rules will highlight all rules.

B.

Highlight Unused Rules will highlight zero rules.

C.

Rule Usage Hit counter will not be reset

D.

Rule Usage Hit counter will reset

Question 51

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface in needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?

Options:

A.

Virtual Wire interface

B.

Loopback interface

C.

Layer 3 interface

D.

Layer 2 interface

Question 52

View the screenshots

A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?

Options:

A.

SMTP has a higher priority but lower bandwidth than Zoom.

B.

DNS has a higher priority and more bandwidth than SSH.

C.

google-video has a higher priority and more bandwidth than WebEx.

D.

Facetime has a higher priority but lower bandwidth than Zoom.

Question 53

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

Options:

A.

None

B.

Outside

C.

DMZ

D.

Inside

Question 54

Review the screenshots.

What is the most likely reason for this decryption error log?

Options:

A.

The Certificate fingerprint could not be found.

B.

The client expected a certificate from a different CA than the one provided.

C.

The client received a CA certificate that has expired or is not valid.

D.

Entrust is not a trusted root certificate authority (CA).

Question 55

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?

Options:

A.

The firewall template will show that it is out of sync within Panorama

B.

Only Panorama can revert the override

C.

The modification will not be visible in Panorama

D.

Panorama will update the template with the overridden value

Question 56

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

Options:

A.

Enable NAT Traversal on Site B firewall

B.

Configure Local Identification on Site firewall

C.

Disable passive mode on Site A firewall

D.

Match IKE version on both firewalls.

Question 57

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

Options:

A.

increase the frequency of the applications and threats dynamic updates.

B.

Increase the frequency of the antivirus dynamic updates

C.

Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.

D.

Enable the "Report Grayware Files" option in Device > Setup > WildFire.

Question 58

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)

Options:

A.

Route added with next hop set to "none" and using the interface of the virtual systems that need to communicate

B.

External zones with the virtual systems added

C.

Route added with next hop next-vr by using the VR configured in the virtual system

D.

Layer 3 zones for the virtual systems that need to communicate

Question 59

Which link is responsible for synchronizing sessions between high availability (HA) peers?

Options:

A.

HA1

B.

HA3

C.

HA4

D.

HA2

Question 60

An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Options:

A.

/content

B.

/software

C.

/piugins

D.

/license

E.

/opt

Question 61

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.

What should they review with their leadership before implementation?

Options:

A.

Browser-supported cipher documentation

B.

Cipher documentation supported by the endpoint operating system

C.

URL risk-based category distinctions

D.

Legal compliance regulations and acceptable usage policies

Question 62

Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)

Options:

A.

Ps1

B.

Perl

C.

Python

D.

VBS

Question 63

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)

Options:

A.

ICMP Drop

B.

TCP Drop

C.

SYN Random Early Drop

D.

TCP Port Scan Block

Question 64

The server team is concerned about the high volume of logs forwarded to their syslog server, it is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS. Traffic logs can be exclude from syslog forwarding. How should syslog log forwarding be configured?

Options:

A.

With (port,dst neq 53)’ Traffic log filter Object > Log Forwarding.

B.

With ‘(port dst neq 53)’ Traffic log filter inside Device > log Settings.

C.

With ‘(app neq dns-base)’’ Traffic log filter inside Device> Log Settings.

D.

With ‘(app neq dns-base)’’ Traffic log filter inside Objects> Log Forwarding

Question 65

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Question 66

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

Options:

A.

Exclude video traffic

B.

Enable decryption

C.

Block traffic that is not work-related

D.

Create a Tunnel Inspection policy

Question 67

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

Options:

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

Question 68

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?

Options:

A.

Upgrade the firewalls, upgrade log collectors, upgrade Panorama

B.

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

C.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

D.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

Question 69

Which template values will be configured on the firewall if each template has an SSL to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Datacenter

B.

Values in efwOlab.chi

C.

Values in Global Settings

D.

Values in Chicago

Question 70

Which tool can gather information about the application patterns when defining a signature for a custom application?

Options:

A.

Policy Optimizer

B.

Data Filtering Log

C.

Wireshark

D.

Expedition

Question 71

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

Options:

A.

Yes, because the action is set to alert

B.

No, because this is an example from a defeated phishing attack

C.

No, because the severity is high and the verdict is malicious.

D.

Yes, because the action is set to allow.

Question 72

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?

Options:

A.

Set up high availability (HA) and increase the IPsec rekey interval to reduce the likelihood of tunnel disruptions

B.

Set up a backup tunnel and reduce the tunnel monitoring interval and threshold to detect failures quickly

C.

Set up high availability (HA) and disable tunnel monitoring to prevent unnecessary failovers due to temporary connectivity issues

D.

Set up a backup tunnel and change the tunnel monitoring profile from "Wait Recover" to "Fail Over"

Question 73

Which new PAN-OS 11.0 feature supports IPv6 traffic?

Options:

A.

DHCPv6 Client with Prefix Delegation

B.

OSPF

C.

DHCP Server

D.

IKEv1

Question 74

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?

Options:

A.

Outdated plugins

B.

Global Protect agent version

C.

Expired certificates

D.

Management only mode

Question 75

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?

Options:

A.

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.

By configuring User-ID group mapping in Panorama > User Identification

C.

By configuring User-ID source device in Panorama > Managed Devices

D.

By configuring Master Device in Panorama > Device Groups

Question 76

Which Panorama feature protects logs against data loss if a Panorama server fails?

Options:

A.

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

Question 77

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

Options:

A.

Add SSL and web-browsing applications to the same rule.

B.

Add web-browsing application to the same rule.

C.

Add SSL application to the same rule.

D.

SSL and web-browsing must both be explicitly allowed.

Question 78

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Options:

A.

Set the passive link state to shutdown".

B.

Disable config sync.

C.

Disable the HA2 link.

D.

Disable HA.

Question 79

An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?

Options:

A.

Monitor > Logs > System

B.

Device > High Availability > Active/Passive Settings

C.

Monitor > Logs > Traffic

D.

Dashboard > Widgets > High Availability

Question 80

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

Options:

A.

Powershell scripts

B.

VBscripts

C.

MS Office

D.

APK

E.

ELF

Question 81

What type of NAT is required to configure transparent proxy?

Options:

A.

Source translation with Dynamic IP and Port

B.

Destination translation with Static IP

C.

Source translation with Static IP

D.

Destination translation with Dynamic IP

Question 82

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

Options:

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Question 83

A destination NAT policy is configured as follows to allow inbound access to an internal server in the DMZ:

    Source zone: Outside and source IP address 1.2.2.2

    Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should be used to configure the Security policy?

Options:

A.

Destination Zone Outside, Destination IP address 10.10.10.1

B.

Destination Zone DMZ, Destination IP address 2.2.2.1

C.

Destination Zone Outside, Destination IP address 2.2.2.1

D.

Destination Zone DMZ, Destination IP address 10.10.10.1

Question 84

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Chicago

B.

Values in efw01lab.chi

C.

Values in Datacenter

D.

Values in Global Settings

Question 85

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

Options:

A.

Preview Changes

B.

Managed Devices Health

C.

Test Policy Match

D.

Policy Optimizer

Question 86

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

Options:

A.

OSPF

B.

RIP

C.

BGP

D.

IGRP

E.

OSPFv3 virtual link

Question 87

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Options:

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Question 88

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)

Options:

A.

HTTPS

B.

SSH

C.

Permitted IP Addresses

D.

HTTP

E.

User-IO

Question 89

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when the link failed?

Options:

A.

The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring

B.

No action was taken because Path Monitoring is disabled

C.

No action was taken because interface ethernet1/1 did not fail

D.

The active firewall failed over to the passive HA member due to an AE1 Link Group failure

Question 90

An administrator pushes a new configuration from Panorama to a par of firewalls that are configured as an active/passive HA pair. Which NGFW receives the from Panorama?

Options:

A.

The active firewall which then synchronizes to the passive firewall

B.

The passive firewall, which then synchronizes to the active firewall

C.

Both the active and passive firewalls which then synchronize with each other

D.

Both the active and passive firewalls independently, with no synchronization afterward

Question 91

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

Options:

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Question 92

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?

Options:

A.

By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"

B.

By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)'

C.

By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"

D.

By navigating to Monitor > Logs> Threat, applying filter "(subtype eq virus)"

Question 93

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

Options:

A.

An SSL/TLS Service profile with a certificate assigned.

B.

An Interface Management profile with HTTP and HTTPS enabled.

C.

A Certificate profile with a trusted root CA.

D.

An Authentication profile with the allow list of users.

Question 94

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client currently uses RADIUS authentication in their environment

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)

Options:

A.

Kerberos or SAML authentication need to be configured

B.

LDAP or TACACS+ authentication need to be configured

C.

RADIUS is only supported for a transparent Web Proxy.

D.

RADIUS is not supported for explicit or transparent Web Proxy

Question 95

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?

Options:

A.

Ping interval of 200 ms and ping count of three failed pings

B.

Ping interval of 5000 ms and ping count of 10 failed pings

C.

Ping interval of 200 ms and ping count of 10 failed pings

D.

Ping interval of 5000 ms and ping count of three failed pings

Question 96

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Options:

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Question 97

Which rule type controls end user SSL traffic to external websites?

Options:

A.

SSL Outbound Proxyless Inspection

B.

SSL Forward Proxy

C.

SSH Proxy

D.

SSL Inbound Inspection

Question 98

For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Device Group and Template Admin.

B.

Create a Custom Panorama Admin.

C.

Create a Dynamic Admin with the Panorama Administrator role.

D.

Create a Dynamic Read only superuser.

Question 99

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?

Options:

A.

Managed Devices Health

B.

Test Policy Match

C.

Preview Changes

D.

Policy Optimizer

Question 100

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two)

Options:

A.

IKEv1 only to deactivate the use of public key encryption

B.

IKEv2 with Hybrid Key exchange

C.

IKEv2 with Post-Quantum Pre-shared Keys

D.

IPsec with Hybrid ID exchange

Question 101

What does the User-ID agent use to find login and logout events in syslog messages?

Options:

A.

Syslog Server profile

B.

Authentication log

C.

Syslog Parse profile

D.

Log Forwarding profile

Question 102

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

Options:

A.

On Palo Alto Networks Update Servers

B.

M600 Log Collectors

C.

Cortex Data Lake

D.

Panorama

Question 103

A company is expanding its existing log storage and alerting solutions All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two)

Options:

A.

SSL

B.

TLS

C.

HTTP

D.

Email

Page: 1 / 35
Total 346 questions