PCNSE-Topic-4
Question #: 156
Topic #: 1
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
A. log forwarding auto-tagging
B. XML API
C. GlobalProtect agent
D. User-ID Windows-based agent
Selected Answer: AB
Question #: 141
Topic #: 1
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)
A. .dll
B. .exe
C. .fon
D. .apk
E. .pdf
F. .jar
Selected Answer: ABC
Question #: 129
Topic #: 1
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
A. Select download-and-install
B. Select download-only
C. Select download-and-install, with "Disable new apps in content update" selected
D. Select disable application updates and select "Install only Threat updates"
Selected Answer: C
Question #: 308
Topic #: 1
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
A. review the configuration logs on the Monitor tab
B. use Test Policy Match to review the policies in Panorama
C. context-switch to the affected firewall and use the configuration audit tool
D. click Preview Changes under Push Scope
Selected Answer: A
Question #: 109
Topic #: 1
Which log file can be used to identify SSL decryption failures?
A. Traffic
B. ACC
C. Configuration
D. Threats
Selected Answer: A
Question #: 432
Topic #: 1
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
A. PA-220
B. PA-800 Series
C. PA-5000 Series
D. PA-500
E. PA-3400 Series
Selected Answer: ABE
Question #: 549
Topic #: 1
Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
A. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, shared default rules
B. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, DATACENTER_DG default rules
C. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, shared default rules
D. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, DATACENTER_DG default rules
Selected Answer: D
Question #: 248
Topic #: 1
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache
Selected Answer: B
Question #: 17
Topic #: 1
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?
A. web-browsing and 443
B. SSL and 80
C. SSL and 443
D. web-browsing and 80
Selected Answer: A
Question #: 514
Topic #: 1
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
A. One-time password
B. User certificate
C. SMS
D. Voice
E. Fingerprint
Selected Answer: ACD
Question #: 512
Topic #: 1
A customer wants to set up a site-to-site VPN using tunnel interfaces.
What format is the correct naming convention for tunnel interfaces?
A. tun.1025
B. tunnel.50
C. vpn.1024
D. gre1/2
Selected Answer: B
Question #: 511
Topic #: 1
An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall.
What should the administrator configure in order to connect the sites?
A. Generic Routing Encapsulation (GRE) Tunnels
B. GlobalProtect Satellite
C. SD-WAN
D. IKE Gateways
Selected Answer: B
Question #: 576
Topic #: 1
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours.
Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
A. Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours.
B. Click “Review Apps” after application updates are installed in order to assess how the changes might impact Security policy.
C. Create a Security policy rule with an application filter to always allow certain categories of new App-IDs.
D. Select the action “download-only” when configuring an Applications and Threats update schedule.
Selected Answer: BC
Question #: 605
Topic #: 1
What happens when the log forwarding built-in action with tagging is used?
A. Selected logs are forwarded to the Azure Security Center.
B. Destination zones of selected unwanted traffic are blocked.
C. Destination IP addresses of selected unwanted traffic are blocked.
D. Selected unwanted traffic source zones are blocked.
Selected Answer: C
Question #: 603
Topic #: 1
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
A. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.
B. Use RSA instead of ECDSA for traffic that isn’t sensitive or high-priority.
C. Use the highest TLS protocol version to maximize security.
D. Use ECDSA instead of RSA for traffic that isn’t sensitive or high-priority.
Selected Answer: B
Question #: 592
Topic #: 1
Which two are required by IPSec in transport mode? (Choose two.)
A. Auto generated key
B. NAT Traversal
C. IKEv1
D. DH-group 20 (ECP-384 bits)
Selected Answer: AD
Question #: 3
Topic #: 1
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile
Selected Answer: AB
Question #: 516
Topic #: 1
What is the PAN-OS NPTv6 feature based on RFC 6296 used for?
A. Application port number translation
B. IPv6-to-IPv6 network prefix translation
C. Stateful translation to provide better security
D. IPv6-to-IPv6 host portion translation
Selected Answer: B
Question #: 320
Topic #: 1
A network administrator wants to deploy SSL Inbound Inspection. What two attributes should the required certificate have? (Choose two.)
A. a client certificate
B. a private key
C. a server certificate
D. a subject alternative name
Selected Answer: BD
Question #: 548
Topic #: 1
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
A. Rename a vsys on a multi-vsys firewall
B. Change the firewall management IP address
C. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
D. Add administrator accounts
E. Configure a device block list
Selected Answer: ACE
Question #: 601
Topic #: 1
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
A. With the relevant system log filter inside Device > Log Settings
B. With the relevant configuration log filter inside Device > Log Settings
C. With the relevant configuration log filter inside Objects > Log Forwarding
D. With the relevant system log filter inside Objects > Log Forwarding
Selected Answer: B
Question #: 524
Topic #: 1
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
A. Hello Interval
B. Monitor Fail Hold Up Time
C. Heartbeat Interval
D. Promotion Hold Time
Selected Answer: A
Question #: 254
Topic #: 1
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
A. Preview Changes
B. Policy Optimizer
C. Managed Devices Health
D. Test Policy Match
Selected Answer: A
Question #: 593
Topic #: 1
A firewall engineer needs to patch the company’s Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis.
What must the engineer consider when planning deployment?
A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.
B. Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.
C. Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.
D. Only Panorama must be patched to the target PAN-OS version before updating the firewalls.
Selected Answer: C
Question #: 589
Topic #: 1
A firewall engineer needs to update a company’s Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
A. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.
B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.
C. Upload the image to Panorama > Software menu, and deploy it to the firewalls.
D. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.
Selected Answer: A
Question #: 519
Topic #: 1
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
A. A self-signed certificate generated on the firewall
B. A web server certificate signed by the organization’s PKI
C. A web server certificate signed by an external Certificate Authority
D. A subordinate Certificate Authority certificate signed by the organization’s PKI
Selected Answer: A
Question #: 486
Topic #: 1
An auditor has requested that roles and responsibilities be split inside the security team. Group A will manage templates, and Group B will manage device groups inside Panorama.
Which two specific firewall configurations will Group B manage? (Choose two.)
A. Routing
B. Security rules
C. Interfaces
D. Address objects
Selected Answer: BD
Question #: 453
Topic #: 1
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)
A. A certificate authority (CA) certificate
B. A private key
C. A server certificate
D. A subject alternative name
Selected Answer: AD
Question #: 439
Topic #: 1
An engineer has been given approval to upgrade their environment to PAN-OS 10.2.
The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors.
What is the recommended order when upgrading to PAN-OS 10.2?
A. Upgrade the firewalls, upgrade log collectors, upgrade Panorama
B. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
C. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
D. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls
Selected Answer: D
Question #: 398
Topic #: 1
An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established connections to remote systems. From the Pre-defined Categories tab within the URL Filtering profile what is the right configuration to prevent such connections?
A. Set the malware category to block
B. Set the Command and Control category to block
C. Set the phishing category to override
D. Set the hacking category to continue
Selected Answer: B
Question #: 396
Topic #: 1
Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?
A. service route
B. data redistribution
C. SNMP setup
D. dynamic updates
Selected Answer: A
Question #: 479
Topic #: 1
An administrator needs to identify which NAT policy is being used for internet traffic.
From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?
A. From the Monitor tab, click Traffic view and review the information in the detailed log view.
B. From the Monitor tab, click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
C. From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules.
D. From the Monitor tab, click Session Browser and review the session details.
Selected Answer: D
Question #: 478
Topic #: 1
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)
A. Short message service
B. Push
C. User logon
D. One-Time Password
E. SSH key
Selected Answer: ABD
Question #: 191
Topic #: 1
An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
A. A Decryption profile must be attached to the Decryption policy that the traffic matches.
B. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
C. A Decryption profile must be attached to the Security policy that the traffic matches.
D. There must be a certificate with only the Forward Trust option selected.
Selected Answer: A
Question #: 598
Topic #: 1
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
Site A configuration:
Site B configuration:
A. Match IKE version on both firewalls.
B. Configure Local Identification on Site B firewall.
C. Enable NAT Traversal on Site B firewall.
D. Disable passive mode on Site A firewall.
Selected Answer: AD
Question #: 268
Topic #: 1
Which component enables you to configure firewall resource protection settings?
A. DoS Protection Profile
B. QoS Profile
C. Zone Protection Profile
D. DoS Protection policy
Selected Answer: C
Question #: 456
Topic #: 1
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
A. Click the hyperlink for the ZeroAccess.Gen threat.
B. Click the source user with the highest threat count.
C. Click the left arrow beside the ZeroAccess.Gen threat.
D. Click the hyperlink for the botnet Threat Category.
Selected Answer: C
Question #: 85
Topic #: 1
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?
A. Rule #1: application: web-browsing; service: application-default; action: allow. Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-http; action: allow. Rule #2: application: ssl; service: application-default; action: allow
C. Rule #1: application: ssl; service: application-default; action: allow. Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-https; action: allow. Rule #2: application: ssl; service: application-default; action: allow
Selected Answer: C
Question #: 74
Topic #: 1
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)
A. View Runtime Stats in the virtual router.
B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. Perform a traffic pcap at the routing stage.
Selected Answer: AD
Question #: 6
Topic #: 1
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
A. 0
B. 99
C. 1
D. 255
Selected Answer: D
Question #: 582
Topic #: 1
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time.
Which method is the most time-efficient to complete this task?
A. Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time
B. Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time
C. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received
D. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall and check the log rates during the peak time
Selected Answer: A
Question #: 599
Topic #: 1
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
A. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
B. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
C. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
D. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange
Selected Answer: C
Question #: 584
Topic #: 1
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?
A. GlobalProtect agent version
B. Outdated plugins
C. Management only mode
D. Expired certificates
Selected Answer: B
Question #: 43
Topic #: 1
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW.
The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?
A. Custom application
B. System logs show an application error and neither signature is used.
C. Downloaded application
D. Custom and downloaded application signature files are merged and both are used
Selected Answer: C
Question #: 406
Topic #: 1
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames.
The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events.
All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27.
The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28.
What information does the administrator need to provide in the User Identification > Discovery section?
A. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers
B. network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange
C. one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers
D. network 192.168.28.32/27 with server type Microsoft
Selected Answer: A
Question #: 313
Topic #: 1
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
A. unknown-udp
B. not-applicable
C. insufficient-data
D. incomplete
Selected Answer: A