PCNSE-Topic-2
Question #: 209
Topic #: 1
Which three statements accurately describe Decryption Mirror? (Choose three.)
A. Decryption, storage, inspection, and use of SSL traffic regulated in certain countries.
B. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
C. Decryption Mirror requires a tap interface on the firewall.
D. Only management consent is required to use the Decryption Mirror feature.
E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.
Selected Answer: ABE
Question #: 121
Topic #: 1
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?
A. Malware
B. Grayware
C. Phishing
D. Spyware
Selected Answer: D
Question #: 463
Topic #: 1
Users have reported an issue when they are trying to access a server on your network. The requests aren’t taking the expected route. You discover that there are two different static routes on the firewall for the server.
What is used to determine which route has priority?
A. The first route installed
B. Bidirectional Forwarding Detection
C. The route with the lowest administrative distance
D. The route with the highest administrative distance
Selected Answer: C
Question #: 73
Topic #: 1
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)
A. View the System logs and look for the error messages about BGP.
B. Perform a traffic pcap on the NGFW to see any BGP problems.
C. View the Runtime Stats and look for problems with BGP configuration.
D. View the ACC tab to isolate routing issues.
Selected Answer: AC
Question #: 62
Topic #: 1
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?
A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.
Selected Answer: A
Question #: 56
Topic #: 1
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications
DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?
A. Create a decryption rule matching the encrypted BitTorrent traffic with action "No-Decrypt," and place the rule at the top of the Decryption policy.
B. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy.
C. Disable the exclude cache option for the firewall.
D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.
Selected Answer: D
Question #: 407
Topic #: 1
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.15.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
A. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Source Translation: Static IP / 172.16.15.1
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Trust
Destination IP: 172.16.15.10
Application: ssh
B. NAT Rule:
Source Zone: Trust
Source IP: 192.168.15.0/24
Destination Zone: Trust
Destination IP: 192.168.15.1
Destination Translation: Static IP / 172.16.15.10
Security Rule:
Source Zone: Trust
Source IP: 192.168.15.0/24
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh
C. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Trust
Destination IP: 192.168.15.1
Destination Translation: Static IP / 172.16.15.10
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh
D. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Source Translation: dynamic-ip-and-port / ethernet1/4
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh
Selected Answer: D
Question #: 378
Topic #: 1
A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.
There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.
What is the best option for the administrator to take?
A. Configure a TAP interface for segment X on the firewall.
B. Configure a Layer 3 interface for segment X on the firewall.
C. Configure vwire interfaces for segment X on the firewall.
D. Configure a new vsys for segment X on the firewall.
Selected Answer: C
Question #: 597
Topic #: 1
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
A. Application filter
B. Application override policy rule
C. Security policy rule
D. Custom app
Selected Answer: BC
Question #: 27
Topic #: 1
In the image, what caused the commit warning?
A. The CA certificate for FWDtrust has not been imported into the firewall.
B. The FWDtrust certificate has not been flagged as Trusted Root CA.
C. SSL Forward Proxy requires a public certificate to be imported into the firewall.
D. The FWDtrust certificate does not have a certificate chain.
Selected Answer: A
Question #: 2
Topic #: 1
Refer to the exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
C. Configure log compression and optimization features on all remote firewalls.
D. Any configuration on an M-500 would address the insufficient bandwidth concerns.
Selected Answer: A
Question #: 594
Topic #: 1
Which rule type controls end user SSL traffic to external websites?
A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy
D. SSL Outbound Proxyless Inspection
Selected Answer: C
Question #: 501
Topic #: 1
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
A. None
B. Inside
C. DMZ
D. Outside
Selected Answer: D
Question #: 575
Topic #: 1
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
A. Configure the decryption profile.
B. Configure SSL decryption rules.
C. Define a Forward Trust Certificate.
D. Configure an SSL/TLS service profile.
Selected Answer: BC
Question #: 602
Topic #: 1
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.
The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors.
What is the recommended order of operational steps when upgrading?
A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama
B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls
Selected Answer: D
Question #: 600
Topic #: 1
An engineer is monitoring an active/passive high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
A. Active-primary
B. Active
C. Active-secondary
D. Initial
Selected Answer: B
Question #: 596
Topic #: 1
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache
Selected Answer: B
Question #: 591
Topic #: 1
Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?
A. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance
B. External zones are required because the same external zone can be used on different virtual systems
C. To allow traffic between zones in different virtual systems without the traffic leaving the appliance
D. Multiple external zones are required in each virtual system to allow the communications between virtual systems
Selected Answer: C
Question #: 606
Topic #: 1
A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.
2. Check the box for negate option to negate this IP from the NAT translation.
B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.
2. Check the box for negate option to negate this IP subnet from NAT translation.
C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
3. Place (NAT-Rule-2) above (NAT-Rule-1).
D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
3. Place (NAT-Rule-1) above (NAT-Rule-2).
Selected Answer: C
Question #: 437
Topic #: 1
An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.
How can the engineer remediate this issue?
A. Add a Security policy to allow UDP/500.
B. Add a Security policy to allow the IKE application.
C. Add a Security policy to allow the IPSec application.
D. Add a Security policy to allow UDP/4501.
Selected Answer: C
Question #: 288
Topic #: 1
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow?
A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain
Selected Answer: B
Question #: 325
Topic #: 1
Which feature of PAN-OS SD-WAN allows you to configure a bandwidth-intensive application to go directly to the internet through the branch’s ISP link instead of going back to the data-center hub through the VPN tunnel, thus saving WAN bandwidth costs?
A. SD-WAN Full Mesh with branches only
B. SD-WAN direct internet access (DIA) links
C. SD-WAN Interface profile
D. VPN Cluster
Selected Answer: B
Question #: 215
Topic #: 1
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.
What are two reasons why the firewall might not use a static route? (Choose two.)
A. duplicate static route
B. no install on the route
C. disabling of the static route
D. path monitoring on the static route
Selected Answer: AD
Question #: 269
Topic #: 1
How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?
A. Choose the download and install action for both members of the HA pair in the Schedule object
B. Switch context to the firewalls to start the download and install process
C. Download the apps to the primary; no further action is required
D. Configure the firewall’s assigned template to download the content updates
Selected Answer: A
Question #: 266
Topic #: 1
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?
A. in Threat General Settings, select “Report Grayware Files”
B. within the log settings option in the Device tab
C. in WildFire General Settings, select “Report Grayware Files”
D. within the log forwarding profile attached to the Security policy rule
Selected Answer: C
Question #: 22
Topic #: 1
Which Captive Portal mode must be configured to support MFA authentication?
A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent
Selected Answer: B