Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Questions 4

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

Options:

A.

Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

B.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.

Required: Download PAN-OS 10.2.0.

Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

C.

Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

D.

Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0.

Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

Buy Now
Questions 5

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Options:

A.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option

B.

Perform a template commit push from Panorama using the "Force Template Values" option

C.

Perform a commit force from the CLI of the firewall

D.

Reload the running configuration and perform a firewall local commit

Buy Now
Questions 6

Which two components are required to configure certificate-based authentication to the web Ul when an administrator needs firewall access on a trusted interface'? (Choose two.)

Options:

A.

Server certificate

B.

SSL/TLS Service Profile

C.

Certificate Profile

D.

CA certificate

Buy Now
Questions 7

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?

Options:

A.

PBF > Zone Protection Profiles > Packet Buffer Protection

B.

BGP > PBF > NAT

C.

PBF > Static route > Security policy enforcement

D.

NAT > Security policy enforcement > OSPF

Buy Now
Questions 8

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?

Options:

A.

HA1

B.

HA3

C.

HA2

D.

HA4

Buy Now
Questions 9

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

Options:

A.

On the same RODC that is used for credential detection

B.

In close proximity to the firewall it will be providing User-ID to

C.

In close proximity to the servers it will be monitoring

D.

On the DC holding the Schema Master FSMO role

Buy Now
Questions 10

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

Options:

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

Buy Now
Questions 11

Which log type would provide information about traffic blocked by a Zone Protection profile?

Options:

A.

Data Filtering

B.

IP-Tag

C.

Traffic

D.

Threat

Buy Now
Questions 12

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

Options:

A.

TCP Fast Open in the Strip TCP options

B.

Ethernet SGT Protection

C.

Stream ID in the IP Option Drop options

D.

Record Route in IP Option Drop options

Buy Now
Questions 13

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Options:

A.

Proxy IDs

B.

GRE Encapsulation

C.

Tunnel Monitor

D.

ToS Header

Buy Now
Questions 14

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

Options:

A.

Data Filtering

B.

Configuration

C.

Threat

D.

Traffic

Buy Now
Questions 15

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

Options:

A.

increase the frequency of the applications and threats dynamic updates.

B.

Increase the frequency of the antivirus dynamic updates

C.

Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.

D.

Enable the "Report Grayware Files" option in Device > Setup > WildFire.

Buy Now
Questions 16

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

Options:

A.

HSCI-C

B.

Console Backup

C.

HA3

D.

HA2 backup

Buy Now
Questions 17

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an interal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.

Data Patterns within Objects > Custom Objects

B.

Custom Log Format within Device Server Profiles> Syslog

C.

Built-in Actions within Objects > Log Forwarding Profile

D.

Logging and Reporting Settings within Device > Setup > Management

Buy Now
Questions 18

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

Options:

A.

Minimum TLS version

B.

Certificate

C.

Encryption Algorithm

D.

Maximum TLS version

E.

Authentication Algorithm

Buy Now
Questions 19

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Options:

A.

ethernet1/6

B.

ethernet1/3

C.

ethernet1/7

D.

ethernet1/5

Buy Now
Questions 20

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?

Options:

A.

Enable PFS under the IKE Gateway advanced options

B.

Enable PFS under the IPsec Tunnel advanced options

C.

Select the appropriate DH Group under the IPsec Crypto profile

D.

Add an authentication algorithm in the IPsec Crypto profile

Buy Now
Questions 21

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

Options:

A.

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Buy Now
Questions 22

A company is expanding its existing log storage and alerting solutions All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two)

Options:

A.

SSL

B.

TLS

C.

HTTP

D.

Email

Buy Now
Questions 23

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?

Options:

A.

Create a Group Mapping for the GlobalProtect Group.

B.

Enable Captive Portal on the expected source interfaces.

C.

Add the users to the proper Dynamic User Group.

D.

Enable User-ID on the expected trusted zones.

Buy Now
Questions 24

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?

Options:

A.

Managed Devices Health

B.

Test Policy Match

C.

Preview Changes

D.

Policy Optimizer

Buy Now
Questions 25

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?

Options:

A.

Set up high availability (HA) and increase the IPsec rekey interval to reduce the likelihood of tunnel disruptions

B.

Set up a backup tunnel and reduce the tunnel monitoring interval and threshold to detect failures quickly

C.

Set up high availability (HA) and disable tunnel monitoring to prevent unnecessary failovers due to temporary connectivity issues

D.

Set up a backup tunnel and change the tunnel monitoring profile from "Wait Recover" to "Fail Over"

Buy Now
Questions 26

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)

Options:

A.

Configure the decryption profile.

B.

Define a Forward Trust Certificate.

C.

Configure SSL decryption rules.

D.

Configure a SSL/TLS service profile.

Buy Now
Questions 27

Which three items must be configured to implement application override? (Choose three )

Options:

A.

Custom app

B.

Security policy rule

C.

Application override policy rule

D.

Decryption policy rule

E.

Application filter

Buy Now
Questions 28

Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Options:

A.

shared pre-rules

DATACENTER DG pre rules

rules configured locally on the firewall

shared post-rules

DATACENTER_DG post-rules

DATACENTER.DG default rules

B.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

shared post-rules

DATACENTER.DG post-rules

shared default rules

C.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

shared default rules

D.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

DATACENTER_DG default rules

Buy Now
Questions 29

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

Options:

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Buy Now
Questions 30

An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

Options:

A.

Specify the target device as the master device in the device group

B.

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

C.

Add the template as a reference template in the device group

D.

Add a firewall to both the device group and the template

Buy Now
Questions 31

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?

Options:

A.

It can run on a single virtual system and multiple virtual systems.

B.

It can run on multiple virtual systems without issue.

C.

It can run only on a single virtual system.

D.

It can run only on a virtual system with an alias named "web proxy.

Buy Now
Questions 32

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?

Options:

A.

show chassis status slot s1

B.

show s/stem state filter ethernet1/1

C.

show s/stem state filter sw.dev interface config

D.

show s/stem state filter-pretty sys.sl*

Buy Now
Questions 33

A firewall architect is attempting to install a new Palo Alto Networks NGFW. The company has previously had issues moving all administrative functions onto a data plane interface to meet the design limitations of the environment. The architect is able to access the device for HTTPS and SSH; however, the NGFW can neither validate licensing nor get updates. Which action taken by the architect will resolve this issue?

Options:

A.

Create a service route that sets the source interface to the data plane interface in question

B.

Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed

C.

Create a loopback from the management interface to the data plane interface, then make a service route from the management interface to the data plane interface

D.

Enable OCSP for the data plane interface so the firewall will create a certificate with the data plane interface’s IP

Buy Now
Questions 34

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Buy Now
Questions 35

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?

Options:

A.

Post-NAT destination address

B.

Pre-NAT destination address

C.

Post-NAT source address

D.

Pre-NAT source address

Buy Now
Questions 36

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Options:

A.

Set the passive link state to shutdown".

B.

Disable config sync.

C.

Disable the HA2 link.

D.

Disable HA.

Buy Now
Questions 37

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

Options:

A.

VirtualWire

B.

Layer3

C.

TAP

D.

Layer2

Buy Now
Questions 38

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?

Options:

A.

test vpn ike-sa

B.

test vpn gateway

C.

test vpn flow

D.

test vpn tunnel

Buy Now
Questions 39

A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address.

Which two actions are required for this scenario to work? (Choose two.)

Options:

A.

On the HQ firewall select peer IP address type FQDN

B.

On the remote location firewall select peer IP address type Dynamic

C.

On the HQ firewall enable DDNS under the interface used for the IPSec tunnel

D.

On the remote location firewall enable DONS under the interface used for the IPSec tunnel

Buy Now
Questions 40

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

Options:

A.

Change destination NAT zone to Trust_L3.

B.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

C.

Change Source NAT zone to Untrust_L3.

D.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Buy Now
Questions 41

Why would a traffic log list an application as "not-applicable”?

Options:

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Buy Now
Questions 42

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Buy Now
Questions 43

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?

Options:

A.

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.

By configuring User-ID group mapping in Panorama > User Identification

C.

By configuring User-ID source device in Panorama > Managed Devices

D.

By configuring Master Device in Panorama > Device Groups

Buy Now
Questions 44

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)

Options:

A.

SSL/TLS Service

B.

HTTP Server

C.

Decryption

D.

Interface Management

Buy Now
Questions 45

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?

Options:

A.

Enable PFS under the IKE gateway advanced options.

B.

Enable PFS under the IPSec Tunnel advanced options.

C.

Add an authentication algorithm in the IPSec Crypto profile.

D.

Select the appropriate DH Group under the IPSec Crypto profile.

Buy Now
Questions 46

A security engineer needs to mitigate packet floods that occur on a RSF servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

Options:

A.

DoS Protection profile

B.

Data Filtering profile

C.

Vulnerability Protection profile

D.

URL Filtering profile

Buy Now
Questions 47

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

Options:

A.

Log Forwarding Profile is configured but not added to security rules in the data center firewall.

B.

HIP profiles are configured but not added to security rules in the data center firewall.

C.

User ID is not enabled in the Zone where the users are coming from in the data center firewall.

D.

HIP Match log forwarding is not configured under Log Settings in the device tab.

Buy Now
Questions 48

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?

Options:

A.

Destination Zone Outside. Destination IP address 2.2.2.1

B.

Destination Zone DMZ, Destination IP address 10.10.10.1

C.

Destination Zone DMZ, Destination IP address 2.2.2.1

D.

Destination Zone Outside. Destination IP address 10.10.10.1

Buy Now
Questions 49

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two)

Options:

A.

RSA

B.

DHE

C.

ECDSA

D.

ECDHE

Buy Now
Questions 50

Users have reported an issue when they are trying to access a server on your network. The requests aren’t taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?

Options:

A.

The first route installed

B.

The route with the lowest administrative distance

C.

Bidirectional Forwarding Detection

D.

The route with the highest administrative distance

Buy Now
Questions 51

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

Options:

A.

Incomplete

B.

unknown-tcp

C.

Insufficient-data

D.

not-applicable

Buy Now
Questions 52

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

Options:

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Buy Now
Questions 53

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms The network team has reported excessive traffic on the corporate WAN How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

Options:

A.

Any configuration on an M-500 would address the insufficient bandwidth concerns

B.

Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW

C.

Configure log compression and optimization features on all remote firewalls

D.

Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

Buy Now
Questions 54

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface in needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?

Options:

A.

Virtual Wire interface

B.

Loopback interface

C.

Layer 3 interface

D.

Layer 2 interface

Buy Now
Questions 55

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

Options:

A.

the 'Shared' device group

B.

template stacks

C.

a device group

D.

template variables

Buy Now
Questions 56

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

Options:

A.

Specify the subinterface as a management interface in Setup > Device > Interfaces.

B.

Add the network segment's IP range to the Permitted IP Addresses list.

C.

Enable HTTPS in an Interface Management profile on the subinterface.

D.

Configure a service route for HTTP to use the subinterface.

Buy Now
Questions 57

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

Options:

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Buy Now
Questions 58

View the screenshots

A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?

Options:

A.

SMTP has a higher priority but lower bandwidth than Zoom.

B.

DNS has a higher priority and more bandwidth than SSH.

C.

google-video has a higher priority and more bandwidth than WebEx.

D.

Facetime has a higher priority but lower bandwidth than Zoom.

Buy Now
Questions 59

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?

Options:

A.

Create the appropriate rules with a Block action and apply them at the top ol the Security Pre-Rules.

B.

Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

C.

Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

D.

Create the appropriate rules with a Block action and apply them at the top of the Default Rules.

Buy Now
Questions 60

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Buy Now
Questions 61

What is the best definition of the Heartbeat Interval?

Options:

A.

The interval in milliseconds between hello packets

B.

The frequency at which the HA peers check link or path availability

C.

The frequency at which the HA peers exchange ping

D.

The interval during which the firewall will remain active following a link monitor failure

Buy Now
Questions 62

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?

Options:

A.

The PAN-OS integrated User-ID agent must be a member of the Active Directory domain

B.

The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW’s management CPU

C.

The standalone User-ID agent consumes fewer resources on the NGFW’s management CPU

D.

The standalone User-ID agent must run directly on the domain controller server

Buy Now
Questions 63

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

Options:

A.

Powershell scripts

B.

VBscripts

C.

MS Office

D.

APK

E.

ELF

Buy Now
Questions 64

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

Options:

A.

Destination user/group

B.

URL Category

C.

Destination Domain

D.

video streaming application

E.

Source Domain

F.

Client Application Process

Buy Now
Questions 65

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

Options:

A.

Change the firewall management IP address

B.

Configure a device block list

C.

Add administrator accounts

D.

Rename a vsys on a multi-vsys firewall

E.

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Buy Now
Questions 66

Match the terms to their corresponding definitions

Options:

Buy Now
Questions 67

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?

Options:

A.

Ping interval of 200 ms and ping count of three failed pings

B.

Ping interval of 5000 ms and ping count of 10 failed pings

C.

Ping interval of 200 ms and ping count of 10 failed pings

D.

Ping interval of 5000 ms and ping count of three failed pings

Buy Now
Questions 68

Which source is the most reliable for collecting User-ID user mapping?

Options:

A.

Syslog Listener

B.

Microsoft Exchange

C.

Microsoft Active Directory

D.

GlobalProtect

Buy Now
Questions 69

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when the link failed?

Options:

A.

The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring

B.

No action was taken because Path Monitoring is disabled

C.

No action was taken because interface ethernet1/1 did not fail

D.

The active firewall failed over to the passive HA member due to an AE1 Link Group failure

Buy Now
Questions 70

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)

Options:

A.

Route added with next hop set to "none" and using the interface of the virtual systems that need to communicate

B.

External zones with the virtual systems added

C.

Route added with next hop next-vr by using the VR configured in the virtual system

D.

Layer 3 zones for the virtual systems that need to communicate

Buy Now
Questions 71

Review the screenshots.

What is the most likely reason for this decryption error log?

Options:

A.

The Certificate fingerprint could not be found.

B.

The client expected a certificate from a different CA than the one provided.

C.

The client received a CA certificate that has expired or is not valid.

D.

Entrust is not a trusted root certificate authority (CA).

Buy Now
Questions 72

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

Options:

A.

Financial, health, and government traffic categories

B.

Known traffic categories

C.

Known malicious IP space

D.

Public-facing servers,

E.

Less-trusted internal IP subnets

Buy Now
Questions 73

When you troubleshoot an SSL Decryption issue, which PAN-OS CL1 command do you use to check the details of the Forward Trust certificate. Forward Untrust certificate, and SSL Inbound Inspection certificate?

Options:

A.

show system setting ssl-decrypt certificate

B.

show system setting ssl-decrypt certs

C.

debug dataplane show ssl-decrypt ssl-certs

D.

show system setting ssl-decrypt certificate-cache

Buy Now
Questions 74

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?

Options:

A.

The amount of decrypted traffic

B.

The timeout value for admin sessions

C.

The number of mapped User-ID groups

D.

The number of permitted IP addresses on the management interface

Buy Now
Questions 75

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?

Options:

A.

It allows for complete visibility into certificate data, ensuring secure connections to all websites.

B.

It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.

C.

It encrypts all certificate information to maintain privacy and compliance with local regulations.

D.

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

Buy Now
Questions 76

Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?

Options:

A.

Change the "GlobalProtect Gateway -> Agent -> Network Services -> Split Tunnel -> No direct access to local network" setting to "off"

B.

Change the "GlobalProtect Portal -> Satellite -> Gateways -> No direct access to local network" setting to "off"

C.

Change the "GlobalProtect Gateway -> Agent -> Client Settings -> Split Tunnel -> No direct access to local network" setting to "off"

D.

Change the "GlobalProtect Portal -> Agent -> App -> Split Tunnel -> No direct access to local network" setting to "off"

Buy Now
Questions 77

Which Panorama mode should be used so that all logs are sent to. and only stored in. Cortex Data Lake?

Options:

A.

Log Collector

B.

Panorama

C.

Legacy

D.

Management Only

Buy Now
Questions 78

Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?

Options:

A.

Upgrade both HA peers at the same time using Panorama’s "Group HA Peers" option to ensure version consistency

B.

Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer

C.

Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability

D.

Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer

Buy Now
Questions 79

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

Options:

A.

A subject alternative name

B.

A private key

C.

A server certificate

D.

A certificate authority (CA) certificate

Buy Now
Questions 80

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Chicago

B.

Values in efw01lab.chi

C.

Values in Datacenter

D.

Values in Global Settings

Buy Now
Questions 81

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Options:

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Buy Now
Questions 82

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

Options:

A.

Initial

B.

Tentative

C.

Passive

D.

Active-secondary

Buy Now
Questions 83

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

Options:

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Buy Now
Questions 84

A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?

Options:

A.

Multiple external gateways

B.

Single or multiple internal gateways

C.

Split DNS and HIP checks

D.

IPv6 for internal gateways

Buy Now
Questions 85

A firewall administrator has confirm reports of a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)

Options:

A.

Move the policy with action decrypt to the top of the decryption policy rulebase.

B.

Temporarily disable SSL decryption for all websites to troubleshoot the issue.

C.

Create a policy-based “No Decrypt” rule in the decryption policy to exclude specific traffic from decryption.

D.

Investigate decryption logs of the specific traffic to determine reasons for failure.

E.

Disable SSL handshake logging.

Buy Now
Questions 86

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

Options:

A.

Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

B.

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone protection profile.

C.

Change the TCP port scan action from Block to Alert in the Zone Protection profile.

D.

Remove the Zone protection profile from the zone setting.

Buy Now
Questions 87

What is the best description of the Cluster Synchronization Timeout (min)?

Options:

A.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

B.

The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

C.

The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

D.

The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

Buy Now
Questions 88

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

Options:

A.

DNS proxy

B.

Explicit proxy

C.

SSL forward proxy

D.

Transparent proxy

Buy Now
Questions 89

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

Options:

A.

OSPF

B.

RIP

C.

BGP

D.

IGRP

E.

OSPFv3 virtual link

Buy Now
Questions 90

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

Options:

A.

A service route to the LDAP server

B.

A Master Device

C.

Authentication Portal

D.

A User-ID agent on the LDAP server

Buy Now
Questions 91

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

Options:

A.

No client configuration is required for explicit proxy, which simplifies the deployment complexity.

B.

Explicit proxy supports interception of traffic using non-standard HTTPS ports.

C.

It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

D.

Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

Buy Now
Questions 92

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

Options:

A.

UaCredlnstall64-11.0.0.msi

B.

GlobalProtect64-6.2.1.msi

C.

Talnstall-11.0.0.msi

D.

Ualnstall-11.0.0msi

Buy Now
Questions 93

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?

Options:

A.

Dedicated Service Account

B.

System Account

C.

Domain Administrator

D.

Enterprise Administrator

Buy Now
Questions 94

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)

Options:

A.

Source IP address

B.

Dynamic tags

C.

Static tags

D.

Ldap attributes

Buy Now
Questions 95

Given the following configuration, which route is used for destination 10 10 0 4?

Options:

A.

Route 2

B.

Route 3

C.

Route 1

D.

Route 4

Buy Now
Questions 96

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

Options:

A.

TAP

B.

Layer 2

C.

Layer 3

D.

Virtual Wire

Buy Now
Questions 97

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

Options:

A.

IPv6 Source or Destination Address

B.

Destination-Based Service Route

C.

IPv4 Source Interface

D.

Inherit Global Setting

Buy Now
Questions 98

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?

Options:

A.

1- Open the current log forwarding profile.

2. Open the existing match list for threat log type.

3. Define the filter.

4. Select the syslog forward method.

B.

1. Create a new log forwarding profile.

2. Add a new match list for threat log type.

3. Define the filter.

4. Select the Panorama and syslog forward methods.

C.

1. Open the current log forwarding profile.

2. Add a new match list for threat log type.

3. Define the filter.

4. Select the syslog forward method.

D.

1. Create a new log forwarding profile.

2. Add a new match list for threat log type.

3. Define the filter.

4. Select the syslog forward method.

Buy Now
Questions 99

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.

Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two )

Options:

A.

Configure the DNS server locally on the firewall.

B.

Change the DNS server on the global template.

C.

Override the DNS server on the template stack.

D.

Configure a service route for DNS on a different interface.

Buy Now
Questions 100

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware category: dns-c2 threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?

Options:

A.

Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

B.

Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile

Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit

C.

Navigate to Objects > Security Profiles > Vulnerability Protection

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable

Commit

D.

Navigate to Objects > Security Profiles > Anti-Spyware

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable Commit

Buy Now
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0
Last Update: Apr 4, 2025
Questions: 334

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99