Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: netbudy65

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Questions and Answers

Questions 4

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

Options:

A.

The profile rule action

B.

CVE column

C.

Exceptions lab

D.

The profile rule threat name

Buy Now
Questions 5

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

Options:

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Buy Now
Questions 6

Which statement regarding HA timer settings is true?

Options:

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Questions 7

Which Panorama feature protects logs against data loss if a Panorama server fails?

Options:

A.

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

Buy Now
Questions 8

What is the best description of the Cluster Synchronization Timeout (min)?

Options:

A.

The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

D.

The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

Buy Now
Questions 9

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

Options:

A.

Exclude video traffic

B.

Enable decryption

C.

Block traffic that is not work-related

D.

Create a Tunnel Inspection policy

Questions 10

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

Options:

A.

A subject alternative name

B.

A private key

C.

A server certificate

D.

A certificate authority (CA) certificate

Buy Now
Questions 11

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

Options:

A.

Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.

B.

Use the highest TLS protocol version to maximize security.

C.

Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

D.

Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

Buy Now
Questions 12

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

Options:

A.

Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

B.

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

C.

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

D.

Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

Buy Now
Questions 13

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

Options:

A.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

D.

It keeps trying to establish an IPSec tun£el to the GlobalProtect gateway.

Buy Now
Questions 14

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

Options:

A.

No client configuration is required for explicit proxy, which simplifies the deployment complexity.

B.

Explicit proxy supports interception of traffic using non-standard HTTPS ports.

C.

It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

D.

Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

Questions 15

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

Options:

A.

PAN-OS integrated User-ID agent

B.

GlobalProtect

C.

Windows-based User-ID agent

D.

LDAP Server Profile configuration

Buy Now
Questions 16

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

Options:

A.

Run the CLI command show advanced-routing ospf neighbor

B.

In the WebUI, view the Runtime Stats in the virtual router

C.

Look for configuration problems in Network > virtual router > OSPF

D.

In the WebUI, view Runtime Stats in the logical router

Questions 17

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

Options:

A.

Minimum TLS version

B.

Certificate

C.

Encryption Algorithm

D.

Maximum TLS version

E.

Authentication Algorithm

Questions 18

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

Options:

A.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: Static IP / 172.16.15.1

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 172.16.15.10 -

Application: ssh

B.

NAT Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP / 172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

C.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP /172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

D.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: dynamic-ip-and-port / ethernet1/4

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

Questions 19

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Options:

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Buy Now
Questions 20

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Options:

A.

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.

A Decryption profile must be attached to the Security policy that the traffic matches.

C.

There must be a certificate with only the Forward Trust option selected.

D.

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Buy Now
Questions 21

What is the best definition of the Heartbeat Interval?

Options:

A.

The interval in milliseconds between hello packets

B.

The frequency at which the HA peers check link or path availability

C.

The frequency at which the HA peers exchange ping

D.

The interval during which the firewall will remain active following a link monitor failure

Buy Now
Questions 22

If a URL is in multiple custom URL categories with different actions, which action will take priority?

Options:

A.

Allow

B.

Override

C.

Block

D.

Alert

Buy Now
Questions 23

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?

Options:

A.

Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server

B.

Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

C.

Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange

D.

Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory

Buy Now
Questions 24

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

Options:

A.

None

B.

Outside

C.

DMZ

D.

Inside

Questions 25

Which statement about High Availability timer settings is true?

Options:

A.

Use the Critical timer for faster failover timer settings.

B.

Use the Aggressive timer for faster failover timer settings

C.

Use the Moderate timer for typical failover timer settings

D.

Use the Recommended timer for faster failover timer settings.

Buy Now
Questions 26

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

Options:

A.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-1) above (NAT-Rule-2).

B.

1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.

2. Check the box for negate option to negate this IP subnet from NAT translation.

C.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-2) above (NAT-Rule-1).

D.

1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.

2. Check the box for negate option to negate this IP from the NAT translation.

Buy Now
Questions 27

PBF can address which two scenarios? (Choose two.)

Options:

A.

Routing FTP to a backup ISP link to save bandwidth on the primary ISP link

B.

Providing application connectivity the primary circuit fails

C.

Enabling the firewall to bypass Layer 7 inspection

D.

Forwarding all traffic by using source port 78249 to a specific egress interface

Buy Now
Questions 28

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

Options:

A.

A self-signed Certificate Authority certificate generated by the firewall

B.

A Machine Certificate for the firewall signed by the organization's PKI

C.

A web server certificate signed by the organization's PKI

D.

A subordinate Certificate Authority certificate signed by the organization's PKI

Buy Now
Questions 29

An engineer is configuring a firewall with three interfaces:

• MGT connects to a switch with internet access.

• Ethernet1/1 connects to an edge router.

• Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

Options:

A.

Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

B.

Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

C.

Set DNS and Palo Alto Networks Services to use the MGT source interface.

D.

Set DDNS and Palo Alto Networks Services to use the MGT source interface.

Questions 30

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

Options:

A.

High availability (HA)

B.

Layer 3

C.

Layer 2

D.

Tap

E.

Virtual Wire

Buy Now
Questions 31

Which template values will be configured on the firewall if each template has an SSL to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Datacenter

B.

Values in efwOlab.chi

C.

Values in Global Settings

D.

Values in Chicago

Buy Now
Questions 32

What can the Log Forwarding built-in action with tagging be used to accomplish?

Options:

A.

Block the source zones of selected unwanted traffic.

B.

Block the destination IP addresses of selected unwanted traffic.

C.

Forward selected logs to the Azure Security Center.

D.

Block the destination zones of selected unwanted traffic.

Buy Now
Questions 33

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?

Options:

A.

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.

By configuring User-ID group mapping in Panorama > User Identification

C.

By configuring User-ID source device in Panorama > Managed Devices

D.

By configuring Master Device in Panorama > Device Groups

Buy Now
Questions 34

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Options:

A.

A Deny policy for the tagged traffic

B.

An Allow policy for the initial traffic

C.

A Decryption policy to decrypt the traffic and see the tag

D.

A Deny policy with the "tag" App-ID to block the tagged traffic

Buy Now
Questions 35

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

Options:

A.

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Buy Now
Questions 36

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

Options:

A.

Encryption algorithm

B.

Number of security zones in decryption policies

C.

TLS protocol version

D.

Number of blocked sessions

Buy Now
Questions 37

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)

Options:

A.

An Application Override policy for the SIP traffic

B.

QoS on the egress interface for the traffic flows

C.

QoS on the ingress interface for the traffic flows

D.

A QoS profile defining traffic classes

E.

A QoS policy for each application ID

Buy Now
Questions 38

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

Options:

A.

NTP Server Address

B.

Antivirus Profile

C.

Authentication Profile

D.

Service Route Configuration

E.

Dynamic Address Groups

Buy Now
Questions 39

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?

Options:

A.

PBF > Zone Protection Profiles > Packet Buffer Protection

B.

BGP > PBF > NAT

C.

PBF > Static route > Security policy enforcement

D.

NAT > Security policy enforcement > OSPF

Buy Now
Questions 40

ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

Options:

A.

1 to 4 hours

B.

6 to 12 hours

C.

24 hours

D.

36 hours

Buy Now
Questions 41

A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama

They notice that commit times have drastically increased for the PA-220S after the migration

What can they do to reduce commit times?

Options:

A.

Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

B.

Update the apps and threat version using device-deployment

C.

Perform a device group push using the "merge with device candidate config" option

D.

Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Questions 42

Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 43

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Questions 44

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Options:

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Buy Now
Questions 45

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

Options:

A.

Configure a floating IP between the firewall pairs.

B.

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

C.

Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.

D.

On one pair of firewalls, run the CLI command: set network interface vlan arp.

Questions 46

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

Options:

A.

The User-ID agent is connected to a domain controller labeled lab-client

B.

The host lab-client has been found by a domain controller

C.

The host lab-client has been found by the User-ID agent.

D.

The User-ID aaent is connected to the firewall labeled lab-client

Buy Now
Questions 47

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems. Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

Options:

A.

Configure a Captive Portal authentication policy that uses an authentication sequence.

B.

Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

C.

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.

D.

Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.

Buy Now
Questions 48

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

Options:

A.

Change the firewall management IP address

B.

Configure a device block list

C.

Add administrator accounts

D.

Rename a vsys on a multi-vsys firewall

E.

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Buy Now
Questions 49

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

Options:

A.

Change destination NAT zone to Trust_L3.

B.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

C.

Change Source NAT zone to Untrust_L3.

D.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Questions 50

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

Options:

A.

Enable NAT Traversal on Site B firewall

B.

Configure Local Identification on Site firewall

C.

Disable passive mode on Site A firewall

D.

Match IKE version on both firewalls.

Buy Now
Questions 51

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Questions 52

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

Options:

A.

The running configuration with the candidate configuration of the firewall

B.

Applications configured in the rule with applications seen from traffic matching the same rule

C.

Applications configured in the rule with their dependencies

D.

The security rule with any other security rule selected

Buy Now
Questions 53

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

Options:

A.

Specify the subinterface as a management interface in Setup > Device > Interfaces.

B.

Add the network segment's IP range to the Permitted IP Addresses list.

C.

Enable HTTPS in an Interface Management profile on the subinterface.

D.

Configure a service route for HTTP to use the subinterface.

Buy Now
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2
Last Update: Jun 17, 2024
Questions: 177

PDF + Testing Engine

$130

Testing Engine

$95

PDF (Q&A)

$80