PCNSE-Topic-3
Question #: 16
Topic #: 1
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?
A. XML API
B. Port Mapping
C. Client Probing
D. Server Monitoring
Selected Answer: A
Question #: 604
Topic #: 1
A firewall engineer has determined that, in an application developed by the company’s internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.
Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
A. Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.
B. Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.
C. Create a custom application with specific timeouts, then create an application override rule and reference the custom application.
D. Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.
Selected Answer: C
Question #: 587
Topic #: 1
An administrator is considering deploying WildFire globally.
What should the administrator consider with regards to the WildFire infrastructure?
A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.
Selected Answer: C
Question #: 197
Topic #: 1
When you configure an active/active high availability pair, which two links can you use? (Choose two.)
A. HA3
B. Console Backup
C. HSCI-C
D. HA2 backup
Selected Answer: AD
Question #: 223
Topic #: 1
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.
An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com.
Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?
A. Forward-Untrust-Certificate
B. Forward-Trust-Certificate
C. Firewall-CA
D. Firewall-Trusted-Root-CA
Selected Answer: B
Question #: 140
Topic #: 1
Which administrative authentication method supports authorization by an external service?
A. Certificates
B. LDAP
C. RADIUS
D. SSH keys
Selected Answer: C
Question #: 528
Topic #: 1
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the local firewall? (Choose three.)
A. TACACS+
B. Kerberos
C. SAML
D. RADIUS
E. LDAP
Selected Answer: ACD
Question #: 134
Topic #: 1
An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?
A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution
Selected Answer: D
Question #: 240
Topic #: 1
A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.
Which configuration is necessary to retrieve groups from Panorama?
A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
B. Configure a group mapping profile to retrieve the groups in the target template.
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
D. Configure a master device within the device groups.
Selected Answer: A
Question #: 500
Topic #: 1
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
A. Heartbeat Interval
B. Promotion Hold Time
C. Additional Master Hold Up Time
D. Monitor Fail Hold Up Time
Selected Answer: B
Question #: 492
Topic #: 1
An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL Inbound inspection and SSL Forward Proxy are installed properly on the firewall.
When certificates are being imported to the firewall for these purposes, which three certificates require a private key? (Choose three.)
A. Forward Untrust certificate
B. Enterprise Root CA certificate
C. Forward Trust certificate
D. End-entity (leaf) certificate
E. Intermediate certificate(s)
Selected Answer: ACD
Question #: 238
Topic #: 1
A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.)
A. certificate authority (CA) certificate
B. server certificate
C. client certificate
D. certificate profile
Selected Answer: AD
Question #: 220
Topic #: 1
In a firewall, which three decryption methods are valid? (Choose three.)
A. SSL Outbound Proxyless Inspection
B. SSL Inbound Inspection
C. SSH Proxy
D. SSL Inbound Proxy
E. Decryption Mirror
Selected Answer: BCE
Question #: 454
Topic #: 1
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt.
Which three items should be prioritized for decryption? (Choose three.)
A. Financial, health, and government traffic categories
B. Less-trusted internal IP subnets
C. Known malicious IP space
D. High-risk traffic categories
E. Public-facing servers
Selected Answer: C
Question #: 450
Topic #: 1
Which three authentication types can be used to authenticate users? (Choose three.)
A. Local database authentication
B. PingID
C. Kerberos single sign-on
D. GlobalProtect client
E. Cloud authentication service
Selected Answer: ACE
Question #: 440
Topic #: 1
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
A. The forward trust certificate has not been signed by the self-signed root CA certificate.
B. The forward trust certificate has not been installed in client systems.
C. The forward untrust certificate has not been signed by the self-signed root CA certificate.
D. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
Selected Answer: A
Question #: 434
Topic #: 1
What must be configured to apply tags automatically to User-ID logs?
A. User mapping
B. Log Forwarding profile
C. Log settings
D. Group mapping
Selected Answer: C
Question #: 424
Topic #: 1
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI.
Which CLI command can the engineer use?
A. test vpn flow
B. test vpn tunnel
C. test vpn gateway
D. test vpn ike-sa
Selected Answer: D
Question #: 423
Topic #: 1
Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted.
What is the result of traffic that matches the “Alert -Threats” Profile Match List?
A. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
B. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
C. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
D. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
Selected Answer: C
Question #: 208
Topic #: 1
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
A. virtual systems
B. template stacks
C. variables
D. collector groups
Selected Answer: BC
Question #: 381
Topic #: 1
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
A. upload-only
B. install and reboot
C. upload and install
D. upload and install and reboot
E. verify and install
Selected Answer: ACD
Question #: 377
Topic #: 1
While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is also being dropped by the DoS profile.
If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the drop to only the attacking sessions?
A. Enable resources protection under the DoS Protection profile.
B. Change the SYN flood action from Random Early Drop to SYN cookies.
C. Increase the activate rate for the SYN flood protection.
D. Change the DoS Protection profile type from aggregate to classified.
Selected Answer: B
Question #: 375
Topic #: 1
How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling the Advanced Routing Engine running on PAN-OS 10.2?
A. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile
B. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
C. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Virtual Router > BGP > BFD
D. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Routing > Logical Routers > BGP > BFD
Selected Answer: B
Question #: 365
Topic #: 1
An administrator is seeing one of the firewalls in a HA active/passive pair moved to “suspended” state due to Non-functional loop.
Which three actions will help the administrator resolve this issue? (Choose three.)
A. Check the HA Link Monitoring interface cables.
B. Check High Availability > Active/Passive Settings > Passive Link State
C. Check the High Availability > Link and Path Monitoring settings.
D. Check the High Availability > HA Communications > Packet Forwarding settings.
E. Use the CLI command show high-availability flap-statistics
Selected Answer: ACE
Question #: 35
Topic #: 1
A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections.
Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)
A. Application Override policy.
B. Security policy to identify the custom application.
C. Custom application.
D. Custom Service object.
Selected Answer: AC
Question #: 78
Topic #: 1
When is the content inspection performed in the packet flow process?
A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet
Selected Answer: C
Question #: 335
Topic #: 1
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch.
Which statement is correct about the configuration of the interfaces assigned to an aggregated interface group?
A. They can have different hardware media such as the ability to mix fiber optic and copper.
B. They can have a different interface type such as Layer 3 or Layer 2.
C. They can have a different interface type from an aggregate interface group.
D. They can have a different bandwidth.
Selected Answer: A
Question #: 331
Topic #: 1
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
A. logging
B. signature matching for content inspection
C. Quality of Service
D. IPSec tunnel standup
Selected Answer: A
Question #: 291
Topic #: 1
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software. Why did the bootstrap process fail for the VM-Series firewall in Azure?
A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing
C. The /config or /software folders were missing mandatory files to successfully bootstrap
D. The /content folder is missing from the bootstrap package
Selected Answer: D
Question #: 289
Topic #: 1
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs.
B. Use the scp logdb export command.
C. Export the log database.
D. Use the ACC to consolidate the logs.
Selected Answer: C
Question #: 286
Topic #: 1
What is considered the best practice with regards to zone protection?
A. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
B. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
C. Set the Alarm Rate threshold for event-log messages to high severity or critical severity
D. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
Selected Answer: A
Question #: 283
Topic #: 1
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?
A. Add a firewall to both the device group and the template
B. Add the template as a reference template in the device group
C. Enable “Share Unused Address and Service Objects with Devices” in Panorama settings
D. Specify the target device as the master device in the device group
Selected Answer: B
Question #: 281
Topic #: 1
The manager of the network security team has asked you to help configure the company’s Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the Internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?
A. action ‘reset-server’ and packet capture ‘disable’
B. action ‘default’ and packet capture ‘single-packet’
C. action ‘reset-both’ and packet capture ‘extended-capture’
D. action ‘reset-both’ and packet capture ‘single-packet’
Selected Answer: D
Question #: 272
Topic #: 1
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)
A. server certificate
B. SSL/TLS Service Profile
C. certificate profile
D. SSH Service Profile
Selected Answer: AC
Question #: 265
Topic #: 1
An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID?
A. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
B. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
C. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
D. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
Selected Answer: D
Question #: 502
Topic #: 1
A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in Transparent Proxy mode.
Which three elements must be in place before a transparent web proxy can function? (Choose three.)
A. User-ID for the proxy zone
B. DNS Security license
C. Prisma Access explicit proxy license
D. Cortex Data Lake license
E. Authentication Policy Rule set to default-web-form
Selected Answer: ABE
Question #: 239
Topic #: 1
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.
All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
A. WildFire logs
B. System logs
C. Threat logs
D. Traffic logs
Selected Answer: A
Question #: 235
Topic #: 1
The UDP-4501 protocol-port is used between which two GlobalProtect components?
A. GlobalProtect app and GlobalProtect satellite
B. GlobalProtect app and GlobalProtect portal
C. GlobalProtect app and GlobalProtect gateway
D. GlobalProtect portal and GlobalProtect gateway
Selected Answer: C
Question #: 79
Topic #: 1
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?
A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries
Selected Answer: A