PCNSE-Topic-6
Question #: 530
Topic #: 1
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
A. Clone the security policy and add it to the other device groups.
B. Add the policy to the target device group and apply a master device to the device group.
C. Reference the targeted device’s templates in the target device group.
D. Add the policy in the shared device group as a pre-rule.
Selected Answer: D
Question #: 523
Topic #: 1
If a URL is in multiple custom URL categories with different actions, which action will take priority?
A. Block
B. Allow
C. Alert
D. Override
Selected Answer: A
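Worked example for the precedence rule behind this answer: when one URL lands in several categories whose profile actions differ, the firewall enforces the most restrictive action, in the order block, override, continue, alert, allow. This is an added illustration, not Palo Alto Networks code; the category names, URLs and profile actions are constructed.

```python
"""Resolve the action PAN-OS enforces when a URL matches several URL
categories that carry different actions in one URL Filtering profile:
the most restrictive action wins.  Added example, not Palo Alto Networks
code; category names and URLs below are made up."""
from typing import Dict, Iterable, Set

# Most restrictive first.  'continue' (user acknowledgement page) sits
# between override and alert in the URL Filtering profile.
PRECEDENCE = ["block", "override", "continue", "alert", "allow"]
_RANK = {action: i for i, action in enumerate(PRECEDENCE)}


def resolve_action(category_actions: Iterable[str]) -> str:
    """Return the single action enforced for a URL, given the profile action
    of every category the URL matched.  Rejects unknown action strings."""
    actions = list(category_actions)
    if not actions:
        raise ValueError("URL matched no category")
    for a in actions:
        if a not in _RANK:
            raise ValueError(f"unknown URL Filtering action: {a!r}")
    return min(actions, key=_RANK.__getitem__)


def effective_action(url: str, membership: Dict[str, Set[str]],
                     profile: Dict[str, str]) -> str:
    """Find every category containing `url`, then resolve the profile's
    actions for those categories."""
    matched = [cat for cat, urls in membership.items() if url in urls]
    return resolve_action(profile[cat] for cat in matched)


# Constructed data: two custom categories that both contain the same URL.
CUSTOM_CATEGORIES = {
    "custom-partners": {"files.example.com/", "portal.example.com/"},
    "custom-watchlist": {"files.example.com/"},
}
PROFILE_ACTIONS = {"custom-partners": "allow", "custom-watchlist": "block"}

if __name__ == "__main__":
    # files.example.com/ is allowed by one category and blocked by the other:
    # block wins.
    print(effective_action("files.example.com/", CUSTOM_CATEGORIES, PROFILE_ACTIONS))
    print(effective_action("portal.example.com/", CUSTOM_CATEGORIES, PROFILE_ACTIONS))
```

The practical consequence is that an "allow" in a custom category never rescues a URL that another category in the same profile blocks; to allow it, the more restrictive category has to change or the URL has to be removed from it.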
Question #: 522
Topic #: 1
Which new PAN-OS 11.0 feature supports IPv6 traffic?
A. OSPF
B. IKEv1
C. DHCP Server
D. DHCPv6 Client with Prefix Delegation
Selected Answer: D
Question #: 521
Topic #: 1
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?
A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewall.
C. Push the Device Group first, then push Template to the newly managed firewall.
D. Perform the Export or push Device Config Bundle to the newly managed firewall.
Selected Answer: D
Question #: 520
Topic #: 1
After implementing a new NGFW, a firewall engineer sees an issue with VoIP traffic passing through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.
What can the engineer do to solve the VoIP traffic issue?
A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application
Selected Answer: D
Question #: 518
Topic #: 1
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
A. Inherit all Security policy rules and objects
B. Inherit settings from the Shared group
C. Inherit IPSec crypto profiles
D. Inherit parent Security policy rules and objects
Selected Answer: BD
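Worked example covering this question and Question #530 above: the order in which a managed firewall evaluates Security rules from a nested device-group hierarchy. Pre-rules run from Shared down through each ancestor to the firewall's own device group, then the locally configured rules, then post-rules from the device group back up to Shared, then the two default rules. That is why a Shared pre-rule has the highest priority and why a child group inherits its parents' rules and objects. This is an added illustration, not Palo Alto Networks code; the device-group and rule names are constructed.

```python
"""Effective Security rulebase order for a firewall that belongs to a
nested Panorama device group.  Added worked example, not Palo Alto
Networks code; group and rule names are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DeviceGroup:
    name: str
    parent: Optional[str]                       # None only for "Shared"
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)


def lineage(groups: Dict[str, DeviceGroup], leaf: str) -> List[str]:
    """Return the inheritance chain top-down: [Shared, ..., parent, leaf]."""
    chain: List[str] = []
    cur: Optional[str] = leaf
    while cur is not None:
        chain.append(cur)
        cur = groups[cur].parent
    return list(reversed(chain))


def effective_rulebase(groups: Dict[str, DeviceGroup], leaf: str,
                       local_rules: List[str]) -> List[str]:
    """Order in which PAN-OS evaluates Security rules for a firewall in `leaf`:
    pre-rules from Shared down to the leaf, the firewall's local rules,
    post-rules from the leaf back up to Shared, then the default rules."""
    chain = lineage(groups, leaf)
    ordered: List[str] = []
    for g in chain:                   # Shared first: highest priority
        ordered += groups[g].pre_rules
    ordered += local_rules
    for g in reversed(chain):         # leaf post-rules first, Shared last
        ordered += groups[g].post_rules
    ordered += ["intrazone-default", "interzone-default"]
    return ordered


def first_match(rulebase: List[str], candidates: Set[str]) -> Optional[str]:
    """First rule in evaluation order whose name is in `candidates`; models
    the first-match behaviour of the Security rulebase."""
    for rule in rulebase:
        if rule in candidates:
            return rule
    return None


# Constructed hierarchy: Shared -> EMEA -> Branches
GROUPS = {
    "Shared": DeviceGroup("Shared", None,
                          pre_rules=["block-known-bad"],
                          post_rules=["shared-cleanup-deny"]),
    "EMEA": DeviceGroup("EMEA", "Shared",
                        pre_rules=["emea-allow-dns"],
                        post_rules=["emea-log-deny"]),
    "Branches": DeviceGroup("Branches", "EMEA",
                            pre_rules=["branch-allow-web"],
                            post_rules=["branch-deny-p2p"]),
}

if __name__ == "__main__":
    for i, rule in enumerate(effective_rulebase(GROUPS, "Branches", ["local-allow-printer"]), 1):
        print(i, rule)
```

Cloning a rule into every child group (option A in Question #530) only adds copies that still sit below the Shared pre-rules, so it does not raise the rule's priority; placing it once as a Shared pre-rule does.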
Question #: 517
Topic #: 1
An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)
A. Device certificate
B. Subordinate CA from the administrator’s own PKI infrastructure
C. Self-signed root CA
D. External CA certificate
Selected Answer: BC
Question #: 515
Topic #: 1
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
A. LDAP
B. Log Ingestion
C. HTTP
D. Log Forwarding
Selected Answer: CD
Question #: 513
Topic #: 1
An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.
What part of the network profile configuration should the engineer verify?
A. Destination IP
B. Threshold
C. Action
D. Interval
Selected Answer: C
Question #: 510
Topic #: 1
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
A. Create a Dynamic Admin with the Panorama Administrator role.
B. Create a Dynamic Read only superuser.
C. Create a Device Group and Template Admin.
D. Create a Custom Panorama Admin.
Selected Answer: C
Question #: 509
Topic #: 1
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
A. Satellite mode
B. Tunnel mode
C. No Direct Access to local networks
D. IPSec mode
Selected Answer: B
Question #: 508
Topic #: 1
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
A. Panorama
B. M600 Log Collectors
C. Cortex Data Lake
D. On Palo Alto Networks Update Servers
Selected Answer: C
Question #: 507
Topic #: 1
An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?
A. set deviceconfig setting tcp asymmetric-path drop
B. set session tcp-reject-non-syn yes
C. set deviceconfig setting tcp asymmetric-path bypass
D. set deviceconfig setting session tcp-reject-non-syn no
Selected Answer: D
Question #: 506
Topic #: 1
An engineer discovers the management interface is not routable to the User-ID agent.
What configuration is needed to allow the firewall to communicate to the User-ID agent?
A. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP
B. Create a NAT policy for the User-ID agent server
C. Create a custom service route for the UID Agent
D. Add a static route to the virtual router
Selected Answer: C
Question #: 505
Topic #: 1
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
A. SSL forward proxy
B. Explicit proxy
C. Transparent proxy
D. DNS proxy
Selected Answer: C
Question #: 504
Topic #: 1
Which type of zone will allow different virtual systems to communicate with each other?
A. Tap
B. Tunnel
C. Virtual Wire
D. External
Selected Answer: D
Question #: 503
Topic #: 1
Which source is the most reliable for collecting User-ID user mapping?
A. Microsoft Active Directory
B. Microsoft Exchange
C. GlobalProtect
D. Syslog Listener
Selected Answer: C
Question #: 498
Topic #: 1
An engineer configures SSL decryption in order to have more visibility to the internal users’ traffic when it is egressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
A. High availability (HA)
B. Layer 3
C. Layer 2
D. Tap
E. Virtual Wire
Selected Answer: BCE
Question #: 497
Topic #: 1
An engineer troubleshoots an issue that causes packet drops.
Which command should the engineer run in the CLI to see if packet buffer protection is enabled and activated?
A. show session id
B. show system state | match packet-buffer-protection
C. show session packet-buffer-protection
D. show running resource-monitor
Selected Answer: C
Question #: 495
Topic #: 1
In an HA failover scenario what happens with sessions decrypted by a SSL Forward Proxy Decryption policy?
A. The existing session is transferred to the active firewall.
B. The firewall drops the session.
C. The session is sent to fastpath.
D. The firewall allows the session but does not decrypt the session.
Selected Answer: D
Question #: 493
Topic #: 1
An administrator would like to determine which action the firewall will take for a specific CVE.
Given the screenshot below, where should the administrator navigate to view this information?
A. The profile rule action
B. CVE column
C. The profile rule threat name
D. Exceptions tab
Selected Answer: D
Question #: 491
Topic #: 1
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.
B. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls.
C. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.
D. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.
Selected Answer: C
Question #: 490
Topic #: 1
The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install.
When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?
A. GlobalProtect agent version
B. Outdated plugins
C. Management only mode
D. Expired certificates
Selected Answer: B
Question #: 488
Topic #: 1
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile.
What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
A. TCP Drop
B. ICMP Drop
C. SYN Random Early Drop
D. TCP Port Scan Block
Selected Answer: AB
Question #: 487
Topic #: 1
An engineer is deploying VoIP and needs to ensure that voice traffic is treated with the highest priority on the network.
Which QoS priority should be assigned to such an application?
A. Medium
B. Low
C. High
D. Real-time
Selected Answer: D
Question #: 485
Topic #: 1
A company is looking to increase redundancy in their network.
Which interface type could help accomplish this?
A. Tap
B. Layer 2
C. Virtual wire
D. Aggregate ethernet
Selected Answer: D
Question #: 483
Topic #: 1
An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
A. /plugins
B. /license
C. /opt
D. /content
E. /software
Selected Answer: BDE
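Worked example for the bootstrap layout this question tests: a small validator that confirms the four mandatory top-level directories (/config, /content, /license, /software) are present and that /config carries an init-cfg.txt, before the package is written to a USB image or a cloud storage bucket. This is an added example, not Palo Alto Networks code; it assumes init-cfg.txt is the minimum file needed under /config (bootstrap.xml being optional) and treats the optional /plugins directory as permitted rather than required.

```python
"""Validate the directory layout of a VM-Series bootstrap package.
Added example, not Palo Alto Networks code.  Assumption: init-cfg.txt under
config/ is the minimum bootstrap configuration file; bootstrap.xml and the
plugins/ directory are optional and therefore not flagged."""
import tempfile
from pathlib import Path
from typing import List, Tuple

# All four top-level directories must exist, even when left empty.
REQUIRED_DIRS = ("config", "content", "license", "software")


def validate_bootstrap(root: Path) -> List[str]:
    """Return a list of problems; an empty list means the layout is valid."""
    if not root.is_dir():
        return [f"package root not found: {root}"]
    problems: List[str] = []
    for d in REQUIRED_DIRS:
        if not (root / d).is_dir():
            problems.append(f"missing directory: {d}/")
    cfg = root / "config"
    if cfg.is_dir() and not (cfg / "init-cfg.txt").is_file():
        problems.append("config/init-cfg.txt not found")
    return problems


def make_skeleton(root: Path, include_init_cfg: bool = True) -> Path:
    """Create an empty but valid package skeleton (used by demo())."""
    for d in REQUIRED_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    if include_init_cfg:
        # Constructed minimal init-cfg.txt; the hostname is illustrative.
        (root / "config" / "init-cfg.txt").write_text(
            "type=dhcp-client\nhostname=vm-fw-01\n")
    return root


def demo() -> Tuple[List[str], List[str]]:
    """Build one valid and one broken package in a temp dir and validate both."""
    with tempfile.TemporaryDirectory() as tmp:
        good = make_skeleton(Path(tmp) / "good")
        bad = make_skeleton(Path(tmp) / "bad", include_init_cfg=False)
        (bad / "license").rmdir()          # drop a mandatory directory
        (bad / "plugins").mkdir()          # optional, must not be flagged
        return validate_bootstrap(good), validate_bootstrap(bad)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good:", good_problems or "ok")
    print("bad: ", bad_problems)
```

Run it before uploading the package: an empty /license or /software directory is acceptable, but a missing one stops the bootstrap from being recognised at all.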
Question #: 482
Topic #: 1
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
A. Virtual Wire interface
B. Layer 3 interface
C. Layer 2 interface
D. Loopback interface
Selected Answer: B
Question #: 481
Topic #: 1
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama.
In which section is this configured?
A. Monitor > Logs > System
B. Objects > Log Forwarding
C. Device > Log Settings
D. Panorama > Managed Devices
Selected Answer: C
Question #: 480
Topic #: 1
Which three external services perform both authentication and authorization for administration of firewalls? (Choose three.)
A. Kerberos
B. TACACS+
C. SAML
D. Radius
E. LDAP
Selected Answer: BCD
Question #: 477
Topic #: 1
Which feature detects the submission of corporate login information into website forms?
A. App-ID
B. File Blocking profile
C. Data Filtering profile
D. Credential Phishing
Selected Answer: D
Question #: 476
Topic #: 1
A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”.
Which action will this configuration cause on the matched traffic?
A. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny”.
B. The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity actions defined in the associated Vulnerability Protection Profile.
C. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
D. The Profile Settings section will be grayed out when the Action is set to “Deny”.
Selected Answer: A
Question #: 475
Topic #: 1
An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding defined bandwidth.
Which QoS setting should the engineer adjust?
A. QoS interface: Egress Guaranteed
B. QoS profile: Egress Max
C. QoS profile: Egress Guaranteed
D. QoS interface: Egress Max
Selected Answer: C
Question #: 473
Topic #: 1
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables on the upstream routers display the same MAC address being shared by some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
A. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
B. On one pair of firewalls, run the CLI command: set network interface vlan arp.
C. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
D. Configure a floating IP between the firewall pairs.
Selected Answer: C
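Worked example for why the Group ID is the setting to change: in active/passive HA the firewall pair advertises a virtual MAC for each Layer 3 interface of the form 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor prefix, xx is the HA Group ID and yy identifies the interface. Two pairs with the same Group ID on one subnet therefore generate identical MACs for corresponding interfaces. This is an added illustration, not Palo Alto Networks code; the interface index values and pair names are constructed, and the Group ID range check (1 to 63) reflects the values the HA configuration accepts.

```python
"""Derive the HA virtual MAC for Layer 3 interfaces and find collisions
between HA pairs that share a subnet.  Added example, not Palo Alto Networks
code.  Assumption: the last octet is an interface index; the values used
here are constructed, not real interface IDs."""
from typing import Dict, List, Tuple

VENDOR_PREFIX = (0x00, 0x1B, 0x17)   # 00-1B-17, fixed for the virtual MAC


def virtual_mac(group_id: int, interface_id: int) -> str:
    """Virtual MAC 00:1b:17:00:<group id>:<interface id> for one interface."""
    if not 1 <= group_id <= 63:
        raise ValueError("HA Group ID must be between 1 and 63")
    if not 0 <= interface_id <= 0xFF:
        raise ValueError("interface ID must fit in one octet")
    octets = VENDOR_PREFIX + (0x00, group_id, interface_id)
    return ":".join(f"{o:02x}" for o in octets)


def find_mac_conflicts(pairs: Dict[str, Tuple[int, List[int]]]) -> Dict[str, List[str]]:
    """`pairs` maps an HA pair name to (group_id, [interface ids]).
    Returns every virtual MAC that more than one pair would advertise,
    with the names of the pairs sharing it."""
    owners: Dict[str, List[str]] = {}
    for name, (gid, if_ids) in pairs.items():
        for if_id in if_ids:
            owners.setdefault(virtual_mac(gid, if_id), []).append(name)
    return {mac: names for mac, names in owners.items() if len(names) > 1}


# Constructed scenario: both pairs left at Group ID 1 and both use the
# interface index 0x10 on the shared subnet.
CONFLICTING = {
    "pair-a": (1, [0x10, 0x11]),
    "pair-b": (1, [0x10, 0x12]),
}
# Same topology after changing pair-b to Group ID 2.
FIXED = {
    "pair-a": (1, [0x10, 0x11]),
    "pair-b": (2, [0x10, 0x12]),
}

if __name__ == "__main__":
    print("before:", find_mac_conflicts(CONFLICTING))
    print("after: ", find_mac_conflicts(FIXED))
```

Changing the interface type (option A) or adding floating IPs (option D) leaves the Group ID, and therefore the MAC, unchanged; only a distinct Group ID per pair gives each pair its own virtual MAC range.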
Question #: 472
Topic #: 1
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users.
What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?
A. The priority assigned to the Authentication profile defines the order of the sequence.
B. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user.
C. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made.
D. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.
Selected Answer: D
Question #: 471
Topic #: 1
An administrator is configuring a Panorama device group.
Which two objects are configurable? (Choose two.)
A. URL Filtering profiles
B. SSL/TLS profiles
C. Address groups
D. DNS Proxy
Selected Answer: AC
Question #: 470
Topic #: 1
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication.
Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
A. ASBR
B. OSPFv3
C. ECMP
D. OSPF
Selected Answer: B
Question #: 469
Topic #: 1
You have been asked to implement GlobalProtect for your organization. You have decided on https://gp.mycompany.com for your Portal, and have received the certificate and key.
Where would you navigate to on the firewall UI to import the certificate?
A. Device > Certificate Management > Device Certificates > Certificates
B. Device Certificates > Certificate Management > Certificates > Device
C. Device > Device Certificates > Certificate Management > Certificates
D. Device > Certificate Management > Certificates > Device Certificates
Selected Answer: D
Question #: 468
Topic #: 1
A network security administrator wants to configure SSL inbound inspection.
Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)
A. An SSL/TLS Service profile
B. The web server’s security certificate with the private key
C. A Decryption profile
D. A Decryption policy
E. The client’s security certificate with the private key
Selected Answer: BCD
Question #: 467
Topic #: 1
An administrator wants to perform HIP checks on the endpoints to ensure their security posture.
Which license is required on all Palo Alto Networks next-generation firewalls that will be performing the HIP checks?
A. GlobalProtect Gateway
B. Current and Active Support License
C. Threat Prevention
D. GlobalProtect Portal
Selected Answer: A
Question #: 466
Topic #: 1
Where can an administrator see both the management-plane and data-plane CPU utilization in the WebUI?
A. Session Browser
B. System Logs widget
C. System Resources widget
D. General Information widget
Selected Answer: C
Question #: 465
Topic #: 1
Which log type would provide information about traffic blocked by a Zone Protection profile?
A. Data Filtering
B. IP-Tag
C. Threat
D. Traffic
Selected Answer: C
Question #: 464
Topic #: 1
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose two.)
A. Enable decryption
B. Exclude video traffic
C. Create a Tunnel Inspection policy
D. Block traffic that is not work-related
Selected Answer: BD
Question #: 462
Topic #: 1
An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices.
Which two variable types can be defined? (Choose two.)
A. IP netmask
B. Zone
C. Path group
D. FQDN
Selected Answer: AD