PCNSE-Topic-5
Question #: 278
Topic #: 1
An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
A. GlobalProtect HIP
B. source users
C. App-ID
D. URL categories
E. source and destination IP addresses
Selected Answer: BDE
Question #: 214
Topic #: 1
In a Panorama template, which three types of objects are configurable? (Choose three.)
A. certificate profiles
B. HIP objects
C. QoS profiles
D. security profiles
E. interface management profiles
Selected Answer: ABE
Question #: 211
Topic #: 1
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
A. LDAP Server Profile configuration
B. GlobalProtect
C. Windows-based User-ID agent
D. PAN-OS integrated User-ID agent
Selected Answer: B
Question #: 200
Topic #: 1
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour’s routing table.
Which two configurations should you check on the firewall? (Choose two.)
A. Ensure that the OSPF neighbour state is “2-Way”
B. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
C. Within the redistribution profile ensure that Redist is selected.
D. In the redistribution profile check that the source type is set to “ospf.”
Selected Answer: B
Question #: 155
Topic #: 1
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity
D. GlobalProtect Quarantine Activity
Selected Answer: CD
Question #: 380
Topic #: 1
After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the application showing as unknown-tcp.
Which possible firewall change could have caused this issue?
A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings
B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup > Content-ID > Content-ID Settings
C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the number of available packet buffers.
D. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-order and application identification.
Selected Answer: C
Question #: 452
Topic #: 1
What are two explanations for this type of issue? (Choose two.)
A. Either management or a data-plane interface is used as HA1-backup.
B. One of the firewalls has gone into the suspected state.
C. The peer IP is not included in the permit list on Management Interface Settings.
D. The Backup Peer HA1 IP Address was not configured when the commit was issued.
Selected Answer: A
Question #: 484
Topic #: 1
A company requires the firewall to block expired certificates issued by internet-hosted websites. The company plans to implement decryption in the future, but it does not perform SSL Forward Proxy decryption at this time.
Without the use of SSL Forward Proxy decryption, how is the firewall still able to identify and block expired certificates issued by internet-hosted websites?
A. By having a Certificate profile that contains the website’s Root CA assigned to the respective Security policy rule
B. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication and the server/client session keys in order to validate a certificate’s authenticity and expiration
C. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication in order to validate a certificate’s authenticity and expiration
D. By having a Decryption profile that blocks sessions with expired certificates in the No Decryption section and assigning it to a No Decrypt policy rule
Selected Answer: D
Question #: 551
Topic #: 1
Which operation will impact the performance of the management plane?
A. Enabling DoS protection
B. Enabling packet buffer protection
C. Decrypting SSL sessions
D. Generating a SaaS Application report
Selected Answer: D
Question #: 5
Topic #: 1
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?
A. Preconfigured GlobalProtect satellite
B. Preconfigured GlobalProtect client
C. Preconfigured IPsec tunnels
D. Preconfigured PPTP Tunnels
Selected Answer: A
Question #: 142
Topic #: 1
An administrator has been asked to configure active/active HA for a pair of firewalls. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
C. The firewalls do not use floating IPs in active/active HA.
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
Selected Answer: A
Question #: 290
Topic #: 1
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?
A. Layer 2
B. Virtual Wire
C. Tap
D. Layer 3
Selected Answer: C
Question #: 428
Topic #: 1
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025.
The validity date on the PA-generated certificate is taken from what?
A. The root CA
B. The untrusted certificate
C. The server certificate
D. The trusted certificate
Selected Answer: C
Question #: 418
Topic #: 1
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
A. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
B. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
C. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.
D. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.
Selected Answer: A
Question #: 330
Topic #: 1
A firewall has Security policies from three sources:
1. locally created policies
2. shared device group policies as pre-rules
3. the firewall’s device group as post-rules
How will the rule order populate once pushed to the firewall?
A. shared device group policies, local policies, firewall device group policies
B. firewall device group policies, local policies, shared device group policies
C. local policies, firewall device group policies, shared device group policies
D. shared device group policies, firewall device group policies, local policies
Selected Answer: A
Question #: 13
Topic #: 1
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
A. Device > Setup > Services > AutoFocus
B. Device > Setup > Management > AutoFocus
C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
D. Device > Setup > WildFire > AutoFocus
E. Device > Setup > Management > Logging and Reporting Settings
Selected Answer: B
Question #: 297
Topic #: 1
An administrator analyzes the following portion of a VPN system log and notices the following issue:
`Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0.`
What is the cause of the issue?
A. bad local and peer identification IP addresses in the IKE gateway
B. IPSec crypto profile mismatch
C. mismatched Proxy-IDs
D. IPSec protocol mismatch
Selected Answer: C
Question #: 110
Topic #: 1
A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)
A. tunnel.1
B. vpn-tunnel.1
C. tunnel.1025
D. vpn-tunnel.1024
Selected Answer: AC
Question #: 547
Topic #: 1
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
A. A QoS policy for each application
B. An Application Override policy for the SIP traffic
C. A QoS profile defining traffic classes
D. QoS on the ingress interface for the traffic flows
E. QoS on the egress interface for the traffic flows
Selected Answer: ACE
Question #: 409
Topic #: 1
A QoS profile is configured as shown in the image. The following throughput is realized:
Class 3 traffic: 325 Mbps
Class 5 traffic: 470 Mbps
Class 7 traffic: 330 Mbps
What happens as a result?
A. Available bandwidth from the unused classes will be used to maintain the Egress Guaranteed throughput for each.
B. Class 7 traffic will have the most packets dropped in favor of Classes 3 and 5 maintaining their Egress Guaranteed throughput.
C. All traffic continues to flow based on the overhead in each class’s Egress Max settings.
D. Classes 3, 5, and 7 will each have round-robin packet drops as needed against the profile Egress Max.
Selected Answer: B
Question #: 569
Topic #: 1
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
A. ECDSA
B. ECDHE
C. RSA
D. DHE
Selected Answer: BD
Question #: 383
Topic #: 1
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
A. Apply a DoS profile to security rules that allow traffic from outside.
B. Enable packet buffer protection for the affected zones.
C. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.
D. Add a Zone Protection profile to the affected zones.
Selected Answer: B
Question #: 372
Topic #: 1
What can an engineer use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?
A. SCEP
B. SSL/TLS Service profile
C. OCSP Responder
D. Certificate profile
Selected Answer: A
Question #: 298
Topic #: 1
A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment.
They want to ensure that they know as much as they can about QoS before deploying. Which statement about the QoS feature is correct?
A. QoS can be used in conjunction with SSL decryption
B. QoS is only supported on hardware firewalls
C. QoS is only supported on firewalls that have a single virtual system configured
D. QoS can be used on firewalls with multiple virtual systems configured
Selected Answer: D
Question #: 550
Topic #: 1
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
A. Virtual Wire
B. Layer 2
C. Layer 3
D. TAP
Selected Answer: AB
Question #: 354
Topic #: 1
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time.
How can they achieve this?
A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
C. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
D. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
Selected Answer: C
Question #: 579
Topic #: 1
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair.
Based on the image below, what action, if any, was taken by the active firewall when the link failed?
A. No action was taken because interface ethernet1/1 did not fail.
B. The active firewall failed over to the passive HA member due to an AE1 Link Group failure.
C. No action was taken because Path Monitoring is disabled.
D. The active firewall failed over to the passive HA member because “any” is selected for the Link Monitoring “Failure Condition”.
Selected Answer: A
Question #: 553
Topic #: 1
Why would a traffic log list an application as “not-applicable”?
A. There was not enough application data after the TCP connection was established.
B. The TCP connection terminated without identifying any application data.
C. The firewall denied the traffic before the application match could be performed.
D. The application is not a known Palo Alto Networks App-ID.
Selected Answer: C
Question #: 393
Topic #: 1
During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
A. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
D. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.
Selected Answer: B
Question #: 336
Topic #: 1
A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to use features like App-ID and SSL decryption.
Which order of steps is best to complete this migration?
A. First migrate SSH rules to App-ID; then implement SSL decryption.
B. Configure SSL decryption without migrating port-based security rules to App-ID rules.
C. First implement SSL decryption; then migrate port-based rules to App-ID rules.
D. First migrate port-based rules to App-ID rules; then implement SSL decryption.
Selected Answer: D
Question #: 321
Topic #: 1
When using certificate authentication for firewall administration, which method is used for authorization?
A. LDAP
B. Radius
C. Local
D. Kerberos
Selected Answer: C
Question #: 317
Topic #: 1
Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?
A. template variables
B. the ‘Shared’ device group
C. template stacks
D. a device group
Selected Answer: A
Question #: 315
Topic #: 1
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?
A. Traffic Distribution profile
B. Path Quality profile
C. Certificate profile
D. SD-WAN interface profile
Selected Answer: D
Question #: 494
Topic #: 1
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
A. Run the CLI command show advanced-routing ospf neighbor
B. In the WebUI, view the Runtime Stats in the virtual router
C. Look for configuration problems in Network > virtual router > OSPF
D. In the WebUI, view Runtime Stats in the logical router
Selected Answer: AD
Question #: 258
Topic #: 1
What are three reasons why an installed session can be identified with the “application incomplete” tag? (Choose three.)
A. There was no application data after the TCP connection was established.
B. The client sent a TCP segment with the PUSH flag set.
C. The TCP connection was terminated without identifying any application data.
D. There is not enough application data after the TCP connection was established.
E. The TCP connection did not fully establish.
Selected Answer: ACE
Question #: 101
Topic #: 1
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)
A. TACACS+
B. Kerberos
C. PAP
D. LDAP
E. SAML
F. RADIUS
Selected Answer: AEF
Question #: 123
Topic #: 1
Which operation will impact the performance of the management plane?
A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions
Selected Answer: C
Question #: 166
Topic #: 1
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a firewall that was previously being used in a lab.
The USB flash drive was formatted using the FAT32 file system, and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt on the USB flash drive are as follows:
The USB flash drive has been inserted in the firewall’s USB port, and the firewall has been restarted using the command: `> request restart system`
Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:
A. The bootstrap.xml file is a required file, but it is missing
B. Firewall must be in factory default state or have all private data deleted for bootstrapping
C. The hostname is a required parameter, but it is missing in init-cfg.txt
D. The USB must be formatted using the ext3 file system. FAT32 is not supported
Selected Answer: B