PCNSE-Topic-1
Question #: 559
Topic #: 1
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
A. Yes, because the final action is set to “allow.”
B. No, because the action for the wildfire-virus is “reset-both.”
C. No, because the URL generated an alert.
D. Yes, because both the web-browsing application and the flash file have the “alert” action.
Selected Answer: B
Question #: 586
Topic #: 1
A firewall engineer is managing a Palo Alto Networks NGFW that is not in the path of any DHCP traffic.
Which interface mode can the engineer use to generate Enhanced Application logs (EALs) for classifying IoT devices while receiving broadcast DHCP traffic?
A. Virtual wire
B. Layer 3
C. Layer 2
D. Tap
Selected Answer: A
Question #: 1
Topic #: 1
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A. check
B. find
C. test
D. sim
Selected Answer: C
Question #: 244
Topic #: 1
What is the function of a service route?
A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.
B. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.
C. The service route is the method required to use the firewall’s management plane to provide services to applications.
D. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.
Selected Answer: D
Question #: 231
Topic #: 1
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
C. Configure a Captive Portal authentication policy that uses an authentication sequence.
D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.
Selected Answer: D
Question #: 541
Topic #: 1
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
A. A service route to the LDAP server
B. A User-ID agent on the LDAP server
C. A Master Device
D. Authentication Portal
Selected Answer: C
Question #: 538
Topic #: 1
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
A. IKE Crypto Profile
B. Security policy
C. Proxy-IDs
D. PAN-OS versions
Selected Answer: C
Question #: 534
Topic #: 1
A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
A. Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings.
B. Perform a device group push using the “merge with device candidate config” option.
C. Update the apps and threat version using device-deployment.
D. Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config.
Selected Answer: A
Question #: 533
Topic #: 1
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
A. OSPF
B. IGRP
C. OSPFv3 virtual link
D. BGP
E. RIP
Selected Answer: ADE
Question #: 529
Topic #: 1
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
A. insufficient-data
B. incomplete
C. not-applicable
D. unknown-tcp
Selected Answer: C
Question #: 527
Topic #: 1
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.
D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.
Selected Answer: CD
Question #: 526
Topic #: 1
An engineer is configuring a firewall with three interfaces:
• MGT connects to a switch with internet access.
• Ethernet1/1 connects to an edge router.
• Ethernet1/2 connects to a virtualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic.
What should be configured in Setup > Services > Service Route Configuration to allow this traffic?
A. Set DNS and Palo Alto Networks Services to use the MGT source interface.
B. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
C. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.
Selected Answer: B
Question #: 525
Topic #: 1
Which three items must be configured to implement application override? (Choose three.)
A. Application filter
B. Application override policy rule
C. Custom app
D. Decryption policy rule
E. Security policy rule
Selected Answer: BCE
Question #: 206
Topic #: 1
Given the following configuration, which route is used for destination 10.10.0.4?
set network virtual-router 2 routing-table ip static-route "Route 1" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 1" metric 30
set network virtual-router 2 routing-table ip static-route "Route 1" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 1" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 2" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 2" metric 20
set network virtual-router 2 routing-table ip static-route "Route 2" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 2" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 3" nexthop ip-address 10.10.20.1
set network virtual-router 2 routing-table ip static-route "Route 3" metric 5
set network virtual-router 2 routing-table ip static-route "Route 3" destination 0.0.0.0/0
set network virtual-router 2 routing-table ip static-route "Route 3" route-table unicast
set network virtual-router 2 routing-table ip static-route "Route 4" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 4" metric 10
set network virtual-router 2 routing-table ip static-route "Route 4" destination 10.10.1.0/25
set network virtual-router 2 routing-table ip static-route "Route 4" route-table unicast
A. Route 1
B. Route 3
C. Route 2
D. Route 4
Selected Answer: C
Question #: 568
Topic #: 1
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
A. Authentication Portal
B. SSL Decryption profile
C. SSL decryption policy
D. comfort pages
Selected Answer: A
Question #: 566
Topic #: 1
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
A. Passive
B. Initial
C. Active
D. Active-primary
Selected Answer: D
Question #: 564
Topic #: 1
An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.
What should an administrator configure to route interesting traffic through the VPN tunnel?
A. Proxy IDs
B. ToS Header
C. GRE Encapsulation
D. Tunnel Monitor
Selected Answer: A
Question #: 561
Topic #: 1
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
A. Change the subnet mask from /23 to /24.
B. Lower the interface MTU value below 1500.
C. Adjust the TCP maximum segment size (MSS) value.
D. Enable the Ignore IPv4 Don’t Fragment (DF) setting.
Selected Answer: B
Question #: 578
Topic #: 1
What can the Log Forwarding built-in action with tagging be used to accomplish?
A. Forward selected logs to the Azure Security Center.
B. Block the destination zones of selected unwanted traffic.
C. Block the source zones of selected unwanted traffic.
D. Block the destination IP addresses of selected unwanted traffic.
Selected Answer: D
Question #: 580
Topic #: 1
A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT.
Which CLI command can the administrator use?
A. show session all filter nat source
B. show running nat-rule-ippool rule “rule_name”
C. show running nat-policy
D. show session all filter nat-rule-source
Selected Answer: A
Question #: 581
Topic #: 1
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named “Global” and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
A. Log Forwarding profile
B. SSL decryption exclusion
C. Tags
D. Login banner
E. Dynamic updates
Selected Answer: BDE
Question #: 583
Topic #: 1
A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.
Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?
A. Pre-NAT source IP address and Pre-NAT source zone
B. Post-NAT source IP address and Pre-NAT source zone
C. Pre-NAT source IP address and Post-NAT source zone
D. Post-NAT source IP address and Post-NAT source zone
Selected Answer: A
Question #: 585
Topic #: 1
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
A. By navigating to Monitor > Logs > Traffic, applying filter “(subtype eq virus)”
B. By navigating to Monitor > Logs > Threat, applying filter “(subtype eq virus)”
C. By navigating to Monitor > Logs > Threat, applying filter “(subtype eq wildfire-virus)”
D. By navigating to Monitor > Logs > WildFire Submissions, applying filter “(subtype eq wildfire-virus)”
Selected Answer: C
Question #: 588
Topic #: 1
Which log type is supported in the Log Forwarding profile?
A. User-ID
B. GlobalProtect
C. Configuration
D. Tunnel
Selected Answer: D
Question #: 590
Topic #: 1
Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)
A. HA cluster members must be the same firewall model and run the same PAN-OS version.
B. HA cluster members must share the same zone names.
C. Panorama must be used to manage HA cluster members.
D. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.
Selected Answer: AB
Question #: 595
Topic #: 1
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.
Where can the firewall engineer define the data to be added into each forwarded log?
A. Custom Log Format within Device > Server Profiles > Syslog
B. Built-in Actions within Objects > Log Forwarding Profile
C. Logging and Reporting Settings within Device > Setup > Management
D. Data Patterns within Objects > Custom Objects
Selected Answer: A
Question #: 171
Topic #: 1
What is the maximum number of samples that can be submitted to WildFire manually per day?
A. 1,000
B. 2,000
C. 5,000
D. 15,000
Selected Answer: A
Question #: 499
Topic #: 1
If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?
A. Post-NAT destination address
B. Pre-NAT destination address
C. Pre-NAT source address
D. Post-NAT source address
Selected Answer: C
Question #: 496
Topic #: 1
An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall’s dashboard is showing as down.
What could an administrator do to troubleshoot the issue?
A. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup
B. Go to Device > High Availability > HA Communications > General and check the Heartbeat Backup under Election Settings
C. Check the peer IP address for heartbeat backup under Device > High Availability > HA Communications > Packet Forwarding settings
D. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings
Selected Answer: B
Question #: 413
Topic #: 1
Given the Sample Log Forwarding Profile shown, which two statements are true? (Choose two.)
A. All traffic from source network 192.168.100.0/24 is sent to an external syslog target.
B. All threats are logged to Panorama.
C. All traffic logs from RFC 1918 subnets are logged to Panorama / Cortex Data Lake.
D. All traffic from source network 172.12.0.0/24 is sent to Panorama / Cortex Data Lake.
Selected Answer: AC
Question #: 405
Topic #: 1
In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
A. System logs
B. WildFire logs
C. Threat logs
D. Traffic logs
Selected Answer: C
Question #: 403
Topic #: 1
Which statement is true regarding a heatmap in a BPA report?
A. When guided by authorized sales engineer, it helps determine the areas of the greatest security risk.
B. It runs only on firewalls.
C. It provides a percentage of adoption for each assessment area.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
Selected Answer: C
Question #: 333
Topic #: 1
An administrator needs to assign a specific DNS server to one firewall within a device group.
Where would the administrator go to edit a template variable at the device level?
A. PDF Export under Panorama > templates
B. Variable CSV export under Panorama > templates
C. Managed Devices > Device Association
D. Manage variables under Panorama > templates
Selected Answer: D
Question #: 84
Topic #: 1
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
A. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
C. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow
D. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
Selected Answer: D
Question #: 161
Topic #: 1
Which two events trigger the operation of automatic commit recovery? (Choose two.)
A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall performs a local commit
D. when a firewall HA pair fails over
Selected Answer: BC
Question #: 160
Topic #: 1
Starting with PAN-OS version 9.1, application dependency information is now reported in which two locations? (Choose two.)
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer’s Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages
Selected Answer: AC
Question #: 323
Topic #: 1
An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.
What is a common obstacle for decrypting traffic from guest devices?
A. Guest devices may not trust the CA certificate used for the forward trust certificate
B. Guests may use operating systems that can’t be decrypted
C. The organization has no legal authority to decrypt their traffic
D. Guest devices may not trust the CA certificate used for the forward untrust certificate
Selected Answer: A
Question #: 322
Topic #: 1
Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)
A. The environment requires real full-time redundancy from both firewalls at all times.
B. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes.
C. The environment requires Layer 2 interfaces in the deployment.
D. The environment requires that all configuration must be fully synchronized between both members of the HA pair.
E. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence.
Selected Answer: ABE
Question #: 318
Topic #: 1
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the VWire interface.
What are three supported functions on the VWire interface? (Choose three.)
A. IPSec
B. OSPF
C. SSL Decryption
D. QoS
E. NAT
Selected Answer: CDE
Question #: 577
Topic #: 1
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
A. HA1
B. HA2
C. HA3
D. HA4
Selected Answer: D
Question #: 574
Topic #: 1
A security engineer wants to upgrade the company’s deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
A. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
Required: Download PAN-OS 10.2.0.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
B. Optional: Download and install the latest preferred PAN-OS 10.1 release.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
C. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
D. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
Required: Download PAN-OS 10.2.0.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot.
Required: Download PAN-OS 11.0.0.
Required: Download and install the desired PAN-OS 11.0.x.
Selected Answer: B
Question #: 572
Topic #: 1
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
A. Kerberos or SAML authentication need to be configured.
B. RADIUS is only supported for a transparent Web Proxy.
C. RADIUS is not supported for explicit or transparent Web Proxy.
D. LDAP or TACACS+ authentication need to be configured.
Selected Answer: AC
Question #: 570
Topic #: 1
An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.
Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.)
A. Override the DNS server on the template stack.
B. Configure the DNS server locally on the firewall.
C. Change the DNS server on the global template.
D. Configure a service route for DNS on a different interface.
Selected Answer: AB
Question #: 554
Topic #: 1
What must be configured to apply tags automatically based on User-ID logs?
A. Device ID
B. Log settings
C. Group mapping
D. Log Forwarding profile
Selected Answer: B