Paloaltonetworks - Pcnse.V2022-01-18.Q127: Show Answer

PaloAltoNetworks.PCNSE.v2022-01-18.
q127
Exam Code: PCNSE

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS
Exam Name:
10.0
Certification Provider: Palo Alto Networks
Free Question
127
Number:
Version: v2022-01-18
# of views: 115
# of Questions views: 1485
https://www.freecram.net/torrent/PaloAltoNetworks.PCNSE.v2022-01-18.q127.html
NEW QUESTION: 1
An enterprise information Security team has deployed policies based on AD groups to restrict
user access to critical infrastructure systems However a recent phisning campaign against the
organization has prompted Information Security to look for more controls that can secure access
to critical assets For users that need to access these systems Information Security wants to use
PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA1?
A. Configure a Captive Portal authentication policy that uses an authentication sequence
B. Create an authentication profile and assign another authentication factor to be used by a
Captive Portal authentication policy
C. Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns
D. Configure a Captive Porta1 authentication policy that uses an authentication profile that
references a RADIUS profile
Answer: (SHOW ANSWER)
NEW QUESTION: 2
Which two methods can be used to mitigate resource exhaustion of an application server?
(Choose two)
A. DoS Protection Profile
B. Vulnerability Object
C. Zone Protection Profile
D. Data Filtering Profile
NEW QUESTION: 3
Which command can be used to validate a Captive Portal policy?
A. request cp-policy-eval <criteria>
B. eval captive-portal policy <criteria>
C. debug cp-policy <criteria>
D. test cp-policy-match <criteria>
NEW QUESTION: 4
A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to
ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to
ethernet1/4. What can be the cause of the problem?
A. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
B. DNS has not been properly configured on the firewall
C. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
D. DHCP has been set to Auto.
NEW QUESTION: 5
A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire
Submissions item is not visible form the Monitor tab.
What could cause this condition?
A. The firewall does not have an active WildFire subscription.
B. A policy is blocking WildFire Submission traffic.
C. The engineer's account does not have permission to view WildFire Submissions.
D. Though WildFire is working, there are currently no WildFire Submissions log entries.
NEW QUESTION: 6
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-
enabled wireless network device that has no native integration with PAN-OS software?
A. XML API
B. Port Mapping
C. Client Probing
D. Server Monitoring
Explanation
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/user-
mapping/xml-api.htm
NEW QUESTION: 7
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls
into their AWS tenant Which two statements are correct regarding the bootstrap package
contents? (Choose two )
A. The directory structure must include a /config /content, /software and /license folders
B. The bootstrap xml file allows for automated deployment of VM-Senes firewalls with full network
and policy configurations.
C. The bootstrap package is stored on an AFS share or a discrete container file bucket
D. The /config /content and /software folders are mandatory while the /license and /plugin folders
are optional
E. The init-cfg txt and bootstrap.xml files are both optional configuration items for the /config
folder
NEW QUESTION: 8
Refer to Exhibit:
A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is
configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.
A. 172.20.40.1
B. 172.20.30.1
C. 172.20.20.1
D. 172.20.10.1
NEW QUESTION: 9
Refer to the exhibit.
Which certificates can be used as a Forwarded Trust certificate?

A. Domain-Root-Cert
B. Domain Sub-CA
C. Certificate from Default Trust Certificate Authorities
D. Forward_Trust
Answer: B (LEAVE A REPLY)
NEW QUESTION: 10
A. Policy Optimizer
B. Config Audit
C. Test Policy Match
D. Application Groups
NEW QUESTION: 11
A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of
certificate should the administrator use?
A. client certificate
B. server certificate
C. machine certificate
D. certificate authority (CA) certificate
NEW QUESTION: 12
An engineer must configure the Decryption Broker feature
Which Decryption Broker security chain supports bi-directional traffic flow?
A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain
Explanation
Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces.
Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your
security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or
bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the
security chain, and which interface receives the traffic back from the security chain after it has
undergone additional enforcement.
NEW QUESTION: 13
An administrator has configured the Palo Alto Networks NGFW's management interface to
connect to the internet through a dedicated path that does not traverse back through the NGFW
itself.
Which configuration setting or step will allow the firewall to get automatic application signature
updates?
A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall
to the update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-
dynamic-updates
NEW QUESTION: 14
Which three authentication factors does PAN-OS software support for MFA (Choose three.)
A. Push
B. Pull
C. Okta Adaptive
D. Voice
E. SMS
Answer: A,D,E (LEAVE A REPLY)
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-
multi-factor-authe
NEW QUESTION: 15
When configuring the firewall for packet capture, what are the valid stage types?
A. Receive , firewall, send , and non-syn
B. Receive management , transmit, and non-syn
C. Receive, management , transmit , and drop
D. Receive , firewall, transmit, and drop
NEW QUESTION: 16
The firewall determines if a packet is the first packet of a new session or if a packet is part of an
existing session using which kind of match?
A. 6-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source
Security Zone
B. 5-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Protocol
C. 7-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL
Category, and Source Security Zone
D. 9-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source
Security Zone, Destination Security Zone, Application, and URL Category
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0
Valid PCNSE Dumps shared by Fast2test.com for Helping Passing PCNSE Exam!
Fast2test.com now offer the newest PCNSE exam dumps, the Fast2test.com PCNSE exam
questions have been updated and answers have been corrected get the newest
Fast2test.com PCNSE dumps with Test Engine here: https://www.fast2test.com/PCNSE-
premium-file.html (394 Q&As Dumps, 30%OFF Special Discount: freecram)
NEW QUESTION: 17
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability
(HA) pair?
(Choose two)
A. Configure Ethernet 1/1 as HA2 Backup
B. Configure ethernet1/1 as HA3 Backup
C. Configure the management interface as HA2 Backup
D. Configure the management interface as HA1 Backup
E. Configure the management interface as HA3 Backup
F. Configure Ethernet 1/1 as HA1 Backup
NEW QUESTION: 18
Which User-ID method should be configured to map IP addresses to usernames for users
connected through a terminal server?
A. port mapping
B. server monitoring
C. client probing
D. XFF headers
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/map-ip-addresses-to-
users/configure-user-m
NEW QUESTION: 19
Which feature must you configure to prevent users form accidentally submitting their corporate
credentials to a phishing website?
A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/prevent-
credential-phishin
NEW QUESTION: 20
A. at zone level to protect firewall resources and ingress zones but not at the device level
B. at me device level (globally to protect firewall resources and ingress zones, but not at the zone
level
C. at the interlace level to protect firewall resources
D. at the device level (globally) and it enabled globally, at the zone level
NEW QUESTION: 21
Based on the following image,
what is the correct path of root, intermediate, and end-user certificate?

A. Palo Alto Networks > Symantec > VeriSign
B. VeriSign > Palo Alto Networks > Symantec
C. VeriSign > Symantec > Palo Alto Networks
D. Symantec > VeriSign > Palo Alto Networks
NEW QUESTION: 22
Which three rule types are available when defining policies in Panorama? (Choose three.)
A. Pre Rules
B. Post Rules
C. Default Rules
D. Stealth Rules
E. Clean Up Rules
Explanation
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/panorama-web-
interface/definin
NEW QUESTION: 23
A session in the Traffic log is reporting the application as "incomplete." What does "incomplete"
mean?
A. The three-way TCP handshake was observed, but the application could not be identified.
B. The three-way TCP handshake did not complete.
C. The traffic is coming across UDP, and the application could not be identified.
D. Data was received but was instantly discarded because of a Deny policy was applied before
App-ID could be applied.
Answer: B (LEAVE A REPLY)
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
NEW QUESTION: 24
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security
management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining
support for all existing monitoring/ security platforms?
A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other
external services.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send
them to the NGFW.
C. Configure log compression and optimization features on all remote firewalls.
D. Any configuration on an M-500 would address the insufficient bandwidth concerns.
Answer: A (LEAVE A REPLY)
Explanation
https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/panorama-
overview/centralized-logging-and-
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKFCA0
"When this has to be done over a WAN link with bandwidth limitation, it is necessary to consider
reducing the number of log streams that are sent over the link" "With this configuration, firewalls
will forward logs to Panorama, assuming that log forwarding was configured correctly on the
firewall. The logs are forwarded to the syslog server, thus reducing the number of log streams
significantly."
NEW QUESTION: 25
When backing up and saving configuration files, what is achieved using only the firewall and is
not available in Panorama?
A. Save candidate config
B. Load configuration version
C. Export device state
D. Load named configuration snapshot
NEW QUESTION: 26
In a security-first network what is the recommended threshold value for content updates to be
dynamically updated?
A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours
Explanation
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-
content-and-thre
NEW QUESTION: 27
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication
Profile?
A. To enable Gateway authentication to the Portal
B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal
Explanation
The additional options of Browser and Satellite enable you to specify the authentication profile to
use for specific scenarios. Select Browser to specify the authentication profile to use to
authenticate a user accessing the portal from a web browser with the intent of downloading the
GlobalProtect agent (Windows and Mac).
Select Satellite to specify the authentication profile to use to authenticate the satellite.
Reference
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-
help/globalprotect/network-globalpr
NEW QUESTION: 28
A global corporate office has a large-scale network with only one User-ID agent, which creates a
bottleneck near the User-ID agent server.
Which solution in PAN-OS software would help in this case?
A. application override
B. Virtual Wire mode
C. content inspection
D. redistribution of user mappings
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a-
large-scale-netw
NEW QUESTION: 29
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a
"No Decrypt" action? (Choose two.)
A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing
Explanation
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-
decryption-exceptions
NEW QUESTION: 30
A. Wildfire analysis
B. anti-ransom ware
C. antivirus
D. URL filtering
E. decryption profile
Explanation
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
NEW QUESTION: 31
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab
environment (not in
"the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?
A. Use config-drive on a USB stick.
B. Use an S3 bucket with an ISO.
C. Create and attach a virtual hard disk (VHD).
D. Use a virtual CD-ROM with an ISO.
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/management-
features/bootstrapp firewalls-for-rapid-deployment.html
NEW QUESTION: 32
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum
allowable bandwidth for the YouTube application. However , YouTube is consuming more than
the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?
A. Enable QoS Data Filtering Profile
B. Enable QoS monitor
C. Enable Qos interface
D. Enable Qos in the interface Management Profile.
Explanation
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-
qos/qos-interface-sett
NEW QUESTION: 33
Which client software can be used to connect remote Linux client into a Palo Alto Networks
Infrastructure without sacrificing the ability to scan traffic and protect against threats?
A. X-Auth IPsec VPN
B. GlobalProtect Apple IOS
C. GlobalProtect SSL
D. GlobalProtect Linux
Explanation
( http://blog.webernetz.net/2014/03/31/palo-alto-globalprotect-for-linux-with-vpnc/ )
NEW QUESTION: 34
An engineer must configure a new SSL decryption deployment
Which profile or certificate is required before any traffic that matches an SSL decryption rule is
decrypted?
A. There must be a certificate with only the Forward Trust option selected
B. A Decryption profile must be attached to the Decryption policy that the traffic matches
C. A Decryption profile must be attached to the Security policy that the traffic matches
D. There must be a certificate with both the Forward Trust option and Forward Untrust option
selected
NEW QUESTION: 35
Which two actions would be part of an automatic solution that would block sites with untrusted
certificates without enabling SSL Forward Proxy? (Choose two.)
A. Create a Dynamic Address Group for untrusted sites
B. Create a no-decrypt Decryption Policy rule.
C. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
D. Create a Security Policy rule with vulnerability Security Profile attached.
E. Enable the "Block sessions with untrusted issuers" setting.
NEW QUESTION: 36
Which CLI command displays the physical media that are connected to ethernetl/8?
A. > show system state filter-pretty sys.si.p8.stats
B. > show system state filter-pretty sys.si.p8.med
C. > show interface ethernetl/8
D. > show system state filter-pretty sys.sl.p8.phy
NEW QUESTION: 37
How are IPV6 DNS queries configured to user interface ethernet1/3?
A. Objects > CustomerObjects > DNS
B. Network > Virtual Router > DNS Interface
C. Device > Setup > Services > Service Route Configuration
D. Network > Interface Mgrnt
NEW QUESTION: 38
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an
email?
A. reconnaissance
B. delivery
C. exploitation
D. IP command and control
NEW QUESTION: 39
Which three fields can be included in a pcap filter? (Choose three)
A. Egress interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress interface
Explanation
(https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-
p/72069)
NEW QUESTION: 40
A. View Runtime Stats in the virtual router.
B. View System logs.
C. Add a redistribution profile to forward as BGP updates.
D. Perform a traffic pcap at the routing stage.
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldcCAC
NEW QUESTION: 41
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world
Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises
infrastructure The administrator wants to scale the configuration out quickly and wants all of the
firewalls to use the same template configuration Which two solutions can the administrator use to
scale this configuration? (Choose two.)
A. variables
B. template stacks
C. collector groups
D. virtual systems
Answer: C (LEAVE A REPLY)
NEW QUESTION: 42
An engineer is planning an SSL decryption implementation
Which of the following statements is a best practice for SSL decryption?
A. Use the same Forward Trust certificate on all firewalls in the network
B. Obtain an enterprise CA-signed certificate for the Forward Trust certificate
C. Use an enterprise CA-signed certificate for the Forward Untrust certificate
D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate
NEW QUESTION: 43
A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny".
Which action will this cause configuration on the matched traffic?
A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is
set to
"Deny".
B. The configuration will allow the matched session unless a vulnerability signature is detected.
The
"Deny" action will supersede theper-severity defined actions defined in the associated
Vulnerability Protection Profile.
C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning
will be displayed during a commit.
D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any
configured Security Profiles have no effect if the Security policy rule action is set to "Deny."
Explanation
"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied
to scan traffic after the application or category is allowed by the security policy."
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-profiles.html#
NEW QUESTION: 44
When you configure an active/active high availability pair which two links can you use? (Choose
two)
A. HA3
B. Console Backup
C. HSCI-C
D. HA2 backup
NEW QUESTION: 45
SAML SLO is supported for which two firewall features? (Choose two.)
A. CLI
B. CaptivePortal
C. GlobalProtect Portal
D. WebUI
NEW QUESTION: 46
Which version of GlobalProtect supports split tunneling based on destination domain, client
process, and HTTP/HTTPS video streaming application?
A. GlobalProtect version 4.0 with PAN-OS 8.1
B. GlobalProtect version 4.1 with PAN-OS 8.1
C. GlobalProtect version 4.0 with PAN-OS 8.0
D. GlobalProtect version 4.1 with PAN-OS 8.0
NEW QUESTION: 47
A firewall should be advertising the static route 10 2 0 0/24 into OSPF The configuration on the
neighbor is correct but the route is not in the neighbor's routing table Which two configurations
should you check on the firewall'? (Choose two )
A. Within the redistribution profile ensure that Redist is selected
B. In the redistribution profile check that the source type is set to "ospf"
C. In the OSFP configuration ensure that the correct redistribution profile is selected in the OSPF
Export Rules section
D. Ensure that the OSPF neighbor state is "2-Way"
NEW QUESTION: 48
How does an administrator schedule an Applications and Threats dynamic update while delaying
installation of the update for a certain amount of time?
A. Configure the option for "Threshold".
B. Disable automatic updates during weekdays.
C. Automatically "download only" and then install Applications and Threats later, after the
administrator approves the update.
D. Automatically "download and install" but with the "disable new applications" option used.
Explanation
For Antivirus and Applications and Threats updates, you have the option to set a minimum
Threshold of time that a content update must be available before the firewall installs it. Very
rarely, there can be an error in a content update and this threshold ensures that the firewall only
downloads content releases that have been available and functioning in customer environments
for the specified amount of time.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-dynamic-
updates
NEW QUESTION: 49
When you configure a Layer 3 interface what is one mandatory step?
A. Configure Security profiles, which need to be attached to each Layer 3 interface
B. Configure Interface Management profiles which need to be attached to each Layer 3 interface
C. Configure service routes to route the traffic for each Layer 3 interface
D. Configure virtual routers to route the traffic for each Layer 3 interface
NEW QUESTION: 50
A. ms.log
B. system.log
C. dp-monitor.log
D. authd.log
E. traffic.log
NEW QUESTION: 51
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXwCAK
NEW QUESTION: 52
What are two characteristic types that can be defined for a variable? (Choose two )
A. zone
B. FQDN
C. path group
D. IP netmask
Explanation
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-
interface/panorama-tem
NEW QUESTION: 53
in URL filtering, which component matches URL patterns?
A. security processing on the data plane
B. single-pass pattern matching on the data plane
C. signature matching on the data plane
D. live URL feeds on the management plane
NEW QUESTION: 54
Which logs enable a firewall administrator to determine whether a session was decrypted?
A. Traffic
B. Decryption
C. Correlated Event
D. Security Policy
NEW QUESTION: 55
A client is concerned about resource exhaustion because of denial-of-service attacks against their
DNS servers.
Which option will protect the individual servers?
A. Enable packet buffer protection on the Zone Protection Profile.
B. Apply an Anti-Spyware Profile with DNS sinkholing.
C. Use the DNS App-ID with application-default.
D. Apply a classified DoS Protection Profile.
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection-and-dos-
protection/zone-defense/do To protect critical web or DNS servers on your network, protect the
individual servers. To do this, set appropriate flooding and resource protection thresholds in a
DoS protection profile, and create a DoS protection policy rule that applies the profile to each
server's IP address by adding the IP addresses as the rule's destination criteria.
NEW QUESTION: 56
Which configuration task is best for reducing load on the management plane?
A. Disable logging on the default deny rule
B. Disable pre-defined reports
C. Enable session logging at start
D. Set the URL filtering action to send alerts
NEW QUESTION: 57
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices
are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?
A. Wildfire update package
B. User-ID agent
C. Anti virus update package
D. Application and Threats update package
Answer: D (LEAVE A REPLY)
Dependencies : Before upgrade, make sure the firewall is running a version of app + threat
(content version) that meets the minimum requirement of the new PAN-OS Upgrade.
Reference: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-
Upgrade/ta-p/111045
NEW QUESTION: 58
After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator
notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could
be the problem?
A. A Server Profile has not been configured for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. The firewall is not licensed for logging to this Panorama device.
D. None of the firwwall's policies have been assigned a Log Forwarding profile
Answer: D (LEAVE A REPLY)
NEW QUESTION: 59
An administrator wants multiple web servers in the DMZ to receive connections initiated from the
internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22
Based on the information shown in the image, which NAT rule will forward web-browsing traffic
correctly?
A)
B)
C)
D)
A. Option D
B. Option B
C. Option C
D. Option A
NEW QUESTION: 60
A. Panorama discards incoming logs when storage capacity full.

B. Panorama stops accepting logs until licenses for additional storage space are applied
C. Panorama stops accepting logs until a reboot to clean storage space.
D. Panorama automatically deletes older logs to create space for new ones.
Explanation
(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-
panorama/determ
NEW QUESTION: 61
Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from
192.168.111.3 and to the destination 10.46.41.113?
A. ethernet1/5
B. ethernet1/7
C. ethernet1/3
D. ethernet1/6
NEW QUESTION: 62
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing
the Policies tab. Which profile is the cause of the missing Policies tab?
A. Authentication
B. WebUI
C. Authorization
D. Admin Role
NEW QUESTION: 63
Which field is optional when creating a new Security Policy rule?
A. Destination Zone
B. Description
C. Action
D. Source Zone
E. Name
NEW QUESTION: 64
Which certificate can be used as the Forward Trust certificate?

A. Forward-Trust
B. Certificate from Default Trusted Certificate Authorities
C. Domain Sub-CA
D. Domain-Root-Cert
NEW QUESTION: 65
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?
A. VM-1000-HV
B. VM-100
C. VM-300
D. VM-200
NEW QUESTION: 66
Which administrative authentication method supports authorization by an external service?
A. RADIUS
B. Certificates
C. SSH keys
D. LDAP
NEW QUESTION: 67
An administrator notices that an interlace configuration has been overridden locally on a firewall.
They require an configuration to be managed from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
A. Reload the running configuration and perform a Firewall local commit.
B. Perform a device-group commit push from Panorama using the "Include Device and Network
Templates" option.
C. Perform a template commit push from Panorama using the "Force Template Values'' option
D. Perform a commit force from the CLI of the firewall.
NEW QUESTION: 68
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two)
A. GlobalProtect Quarantine Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Deployed Activity
D. Successful GlobalProtect Connection Activity
NEW QUESTION: 69
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection
against worms and trojans. Which Security Profile type will protect against worms and trojans?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/antivirus-
profiles
NEW QUESTION: 70
A. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
C. Create new VPN zones at each site to terminate each VPN connection
D. Assign an IP address on each tunnel interface at each site
NEW QUESTION: 71
Which two statements are correct for the out-of-box configuration for Palo Alto Networks
NGFWs? (Choose two)
A. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
B. The interface are pingable.
C. The devices are pre-configured with a virtual wire pair out the first two interfaces.
D. The devices are licensed and ready for deployment.
E. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS
connections.
NEW QUESTION: 72
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in
general?
A. Deny application facebook-chat before allowing application facebook
B. Deny application facebook on top
C. Allow application facebook on top
D. Allow application facebook before denying application facebook-chat
Reference:
https://live.paloaltonetworks.com/t5/Configuration-Articles/Failed-to-Block-Facebook-Chat-
Consistently/ta-p/11
NEW QUESTION: 73
A network administrator uses Panorama to push security polices to managed firewalls at branch
offices. Which policy type should be configured on Panorama if the administrators at the branch
office sites to override these products?
A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules
NEW QUESTION: 74
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to
dynamically create the routes between the sites. The OSPF configuration in Site-A is configured
properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic
are using a broadcast Link Type. The administrator has determined that the OSPF configuration
in Site-B is using the wrong Link Type for one of its interfaces.
Which Link Type setting will correct the error?

A. Set tunnel. 1 to p2p
B. Set Ethernet 1/1 to p2mp
C. Set Ethernet 1/1 to p2p
D. Set tunnel. 1 to p2mp
NEW QUESTION: 75
If the firewall has the link monitoring configuration, what will cause a failover?
A. ethernet1/3 or Ethernet1/6 going down
B. ethernet1/6 going down
C. ethernet1/3 and ethernet1/6 going down
D. ethernet1/3 going down
NEW QUESTION: 76
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all
devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls
to PanoramA.
Pre-existing logs from the firewalls are not appearing in PanoramA.
Which action would enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs into Panorama.
B. A CLI command will forward the pre-existing logs to Panorama.
C. Use the ACC to consolidate pre-existing logs.
D. The log database will need to exported form the firewalls and manually imported into
Panorama.
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/management-
features/pa-7000-series-firewall
NEW QUESTION: 77
An administrator device-group commit push is tailing due to a new URL category How should the
administrator correct this issue?
A. ensure that the firewall can communicate with the URL cloud
B. verify that the URL seed Tile has been downloaded and activated on the firewall
C. change the new category action to alert" and push the configuration again
D. update the Firewall Apps and Threat version to match the version of Panorama
NEW QUESTION: 78
Which log file can be used to identify SSL decryption failures?
A. Configuration
B. Threats
C. ACC
D. Traffic
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC
NEW QUESTION: 79
Match each type of DoS attack to an example of that type of attack
Answer:
Explanation
Plan to defend your network against different types of DoS attacks:
* Application-Based Attacks
-Target weaknesses in a particular application and try to exhaust its resources so legitimate users
can't use it.
An example of this is the Slowloris attack.
* Protocol-Based Attacks
-Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common
example is a SYN flood attack.
* Volumetric Attacks
-High-volume attacks that attempt to overwhelm the available network resources, especially
bandwidth, and bring down the target to prevent legitimate users from accessing those resources.
An example of this is a UDP flood attack.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-
protection/zone-defense.ht
NEW QUESTION: 80
A. Create a Custom Application with signatures matching unique identifiers of the in-house
application traffic
B. Modify the session timer settings on the closest referanced application to meet the needs of
the in-house application
C. Create a custom Application without signatures, then create an Application Override policy that
includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
D. Wait until an official Application signature is provided from Palo Alto Networks.
NEW QUESTION: 81
The following objects and policies are defined in a device group hierarchy
A)
B)
C)
Address Objects
-Shared Address 1
-Branch Address2
Policies -Shared Polic1
l -Branch Policyl
D)
Address Objects -Shared Addressl -Shared Address2 -Branch Addressl Policies -Shared Policyl -
Shared Policy2 -Branch Policyl
A. Option A
B. Option D
C. Option C
D. Option B
NEW QUESTION: 82
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma
Access for mobile users, which is managed by Panorama The enterprise already uses
GlobalProtect with SAML authentication to obtain iP-to-user mapping information However
information Security wants to use this information in Prisma Access for policy enforcement based
on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain
about what is needed for Prisma Access to learn groups from AD How can portaes based on
group mapping be learned and enforced in Prisma Access?
A. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma
Access
B. Configure Prisma Access to learn group mapping via SAML assertion
C. Create a group mapping configuration that references an LDAP profile that points to on-
premises domain controllers
D. Assign a master device in Panorama through which Prisma Access learns groups
NEW QUESTION: 83
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure
mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?
A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication
Reference:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-
overview/plan panorama-deployment
NEW QUESTION: 84
A customer has an application that is being identified as unknown-top for one of their custom
PostgreSQL database connections. Which two configuration options can be used to correctly
categorize their custom database application? (Choose two.)
A. Application Override policy.
B. Security policy to identify the custom application.
C. Custom application.
D. Custom Service object.
Explanation
Unlike the App-ID engine, which inspects application packet contents for unique signature
elements, the Application Override policy's matching conditions are limited to header-based data
only. Traffic matched by an Application Override policy is identified by the App-ID entered in the
Application entry box.Choices are limited to applications currently in the App-ID
database.Because this traffic bypasses all Layer 7 inspection, the resulting security is that of a
Layer-4 firewall. Thus, this traffic should be trusted without the need for Content-ID inspection.
The resulting application assignment can be used in other firewall functions such as Security
policy and QoS.Use CasesThree primary uses cases for Application Override Policy are:
To identify "Unknown" App-IDs with a different or custom application signature To re-identify an
existing application signature To bypass the Signature Match Engine (within the SP3 architecture)
to improve processing timesA discussion of typical uses of application override and specific
implementation examples is here:https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-
Tricks-How-to-Create-an-Application- Ov
NEW QUESTION: 85
If an administrator does not possess a website's certificate, which SSL decryption mode will allow
the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?
A. SSL Forward Proxy
B. SSL Inbound Inspection
C. TLS Bidirectional proxy
D. SSL Outbound Inspection
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK
NEW QUESTION: 86
An administrator wants to enable zone protection
Before doing so, what must the administrator consider?
A. Activate a zone protection subscription.
B. The zone protection profile will apply to all interfaces within that zone
C. To increase bandwidth no more than one firewall interface should be connected to a zone
D. Security policy rules do not prevent lateral movement of traffic between zones
NEW QUESTION: 87
What are three valid method of user mapping? (Choose three)
A. 802.1X
B. Server Monitoring
C. WildFire
D. XML API
E. Syslog
NEW QUESTION: 88
People are having intermittent quality issues during a live meeting via web application.
A. Use QoS Classes to define QoS Profile
B. Use QoS profile to define QoS Classes
C. Use QoS Classes to define QoS Profile and a QoS Policy
D. Use QoS Profile to define QoS Classes and a QoS Policy
NEW QUESTION: 89
Which Panorama objects restrict administrative access to specific device-groups?
A. access domains
B. admin roles
C. authentication profiles
D. templates
NEW QUESTION: 90
A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-
multi-factor-authe
NEW QUESTION: 91
Which option describes the operation of the automatic commit recovery feature?
A. It enables a firewall to revert to the previous configuration if rule shadowing is detected
B. It enables a firewall to revert to the previous configuration if a commit causes Panorama
connectivity failure.
C. It enables a firewall to revert to the previous configuration if a commit causes HA partner
connectivity failure
D. It enables a firewall to revert to the previous configuration if application dependency errors are
found
NEW QUESTION: 92
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose
three)
A. Clean
B. Bengin
C. Adware
D. Suspicious
E. Grayware
F. Malware
Explanation
https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/wildfire-
features/wildfire-grayw
NEW QUESTION: 93
Which Device Group option is assigned by default in Panorama whenever a new device group is
created to manage a Firewall?
A. Global
B. Shared
C. Universal
D. Master
NEW QUESTION: 94
Which CLI command displays the current management plan memory utilization?
A. > show system info
B. > show system resources
C. > debug management-server show
D. > show running resource-monitor
Explanation
https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-Command-
Displays-CPU-Ut
NEW QUESTION: 95
Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows
google-base Rule2 allows youtube-base The youtube-base App-ID depends on google-base to
function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to
accesss https://www.youtube.com in a web browser, they get an error indecating that the server
cannot be found.
Which action will allow youtube.com display in the browser correctly?
A. Add the DNS App-ID to Rule2
B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
C. Add SSL App-ID to Rule1
D. Add the Web-browsing App-ID to Rule2
NEW QUESTION: 96
In an enterprise deployment, a network security engineer wants to assign to a group of
administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?
A. RADIUS with Vendor-Specific Attributes
B. LDAP
C. Kerberos
D. Certification based authentication
NEW QUESTION: 97
A firewall administrator has completed most of the steps required to provision a standalone Palo
Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the
security policies.
Which CLI command syntax will display the rule that matches the test?
A. test security -policy- match source <ip_address> destination <IP_address> destination port
<port number> protocol <protocol number
B. show security rule source <ip_address> destination <IP_address> destination port <port
number> protocol <protocol number>
C. test security rule source <ip_address> destination <IP_address> destination port <port
number> protocol
<protocol number>
D. show security-policy-match source <ip_address> destination <IP_address> destination port
<port number> protocol <protocol number> test security-policy-match source
Explanation
test security-policy-match source <source IP> destination <destination IP> protocol <protocol
number>
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-
Applies-to-a-Tra
NEW QUESTION: 98
Match each SD-WAN configuration element to the description of that element.
Answer:
Explanation
* An
SD-WAN Interface Profile
specifies the Tag that you apply to the physical interface, and also specifies the type of Link that
interface is (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio,
satellite, WiFi, or other). The Interface Profile is also where you specify the maximum upload and
download speeds (in Mbps) of the ISP's connection. You can also change whether the firewall
monitors the path frequently or not; the firewall monitors link types appropriately by default.
* A Layer3 Ethernet
Interface
with an IPv4 address can support SD-WAN functionalities. You apply an SD-WAN Interface
Profile to this interface (red arrow) to indicate the characteristics of the interface. The blue arrow
indicates that physical Interfaces are referenced and grouped in a virtual SD-WAN Interface.
* A virtual
SD-WAN Interface
is a VPN tunnel or DIA group of one or more interfaces that constitute a numbered, virtual SD-
WAN Interface to which you can route traffic. The paths belonging to an SD-WAN Interface all go
to the same destination WAN and are all the same type (either DIA or VPN tunnel). (Tag A and
Tag B indicate that physical interfaces for the virtual interface can have different tags.)
*A
Path Quality Profile
specifies maximum latency, jitter, and packet loss thresholds. Exceeding a threshold indicates
that the path has deteriorated and the firewall needs to select a new path to the target. A
sensitivity setting of high, medium, or low lets you indicate to the firewall which path monitoring
parameter is more important for the applications to which the profile applies. The green arrow
indicates that you reference a Path Quality Profile in one or more SD-WAN Policy Rules; thus,
you can specify different thresholds for rules applied to packets having different applications,
services, sources, destinations, zones, and users.
*A
Traffic Distribution Profile
specifies how the firewall determines a new best path if the current preferred path exceeds a path
quality threshold. You specify which Tags the distribution method uses to narrow its selection of a
new path; hence, the yellow arrow points from Tags to the Traffic Distribution profile. A Traffic
Distribution profile specifies the distribution method for the rule.
* The preceding elements come together in
SD-WAN Policy Rules
The purple arrow indicates that you reference a Path Qualify Profile and a Traffic Distribution
profile in a rule, along with packet applications/services, sources, destinations, and users to
specifically indicate when and how the firewall performs application-based SD-WAN path
selection for a packet not belonging to a session.
https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/sd-wan-
configuration-elements.h
NEW QUESTION: 99
What is exchanged through the HA2 link?
A. hello heartbeats
B. User-ID information
C. session synchronization
D. HA state information
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha-links-and-
backup-links
NEW QUESTION: 100

A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-
types/multi-factor-auth
NEW QUESTION: 101

Which three log-forwarding destinations require a server profile to be configured? (Choose three)
A. Kerberos
B. Panorama
C. Email
D. SNMP Trap
E. RADIUS
F. Syslog
NEW QUESTION: 102

A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in
Active/Passive mode.
Which statement is true about this deployment?
A. The HA1 IP address from each peer must be on a different subnet
B. The two devices may be different models within the PA-5000 series
C. The management port may be used for a backup control connection
D. The two devices must share a routable floating IP address
NEW QUESTION: 103

An administrator has a PA-820 firewall with an active Threat Prevention subscription The
administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization1?
A. WildFire and Threat Prevention combine to minimize the attack surface
B. Protection against unknown malware can be provided in near real-time
C. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
D. After 24 hours WildFire signatures are included in the antivirus update
NEW QUESTION: 104

Which authentication source requires the installation of Palo Alto Networks software, other than
PAN-OS 7x, to obtain a username-to-IP-address mapping?
A. Microsoft Terminal Services
B. Palo Alto Networks Captive Portal
C. Aerohive Wireless Access Point
D. Microsoft Active Directory
NEW QUESTION: 105

An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama
reports. The configuration problem seems to be on the firewall Which settings, if configured
incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A)
B)
C)
D)
A. Option B
B. Option C
C. Option A
D. Option D
NEW QUESTION: 106

Which User-ID method maps IP address to usernames for users connecting through a web proxy
that has already authenticated the user?
A. Client Probing
B. Port mapping
C. Server monitoring
D. Syslog listening
Explanation
To obtain user mappings from existing network services that authenticate users-such as wireless
controllers,
802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control
(NAC) mechanisms-Configure User-ID to Monitor Syslog Senders for User Mapping.While you
can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall
to listen for authentication syslog messages from the network services, because only the PAN-OS
integrated agent supports syslog listening over TLS, it is the preferred configuration.
NEW QUESTION: 107

When overriding a template configuration locally on a firewall, what should you consider?
A. The firewall template will show that it is out of sync within Panorama
B. Panorama will update the template with the overridden value
C. Panorama will lose visibility into the overridden configuration
D. Only Panorama can revert the override
NEW QUESTION: 108

For which two reasons would a firewall discard a packet as part of the packet flow sequence?
(Choose two )
A. rule match with action "deny"
B. ingress processing errors
C. equal-cost multipath
D. rule match with action "allow"
NEW QUESTION: 109

A remote administrator needs firewall access on an untrusted interface Which two components
are required on the firewall to configure certificate-based administrator authentication to the web
Ul? (Choose two)
A. client certificate
B. certificate authority (CA) certificate
C. server certificate
D. certificate profile
NEW QUESTION: 110

A. HTTPS
B. SSH
C. User-ID
D. HTTP
E. Permitted IP Addresses
NEW QUESTION: 111

A network design change requires an existing firewall to start accessing Palo Alto Updates from a
data plane interface address instead of the management interface.
Which configuration setting needs to be modified?
A. Service route
B. Management profile
C. Authentication profile
D. Default route
NEW QUESTION: 112

On the NGFW. how can you generate and block a private key from export and thus harden your
security posture and prevent rogue administrators or other bad actors from misusing keys?
A. 1 Select Device > Certificate Management > Certificates > Device > Certificates
2 Generate the certificate
3 Select Block Private Key Export
4 Click Genet ale to generate the new certificate.
B. 1 Select Device > Certificates
2 Select Certificate Profile.
4 Select Block Private Key Export
C. 1.Select Device > Certificate Management > Certificates >Devace > Certificates
2. Import the certificate.
3 Select Import Private Key
4 Click Generate to generate the new certificate
D. 1 Select Device > Certificates
2 Select Certificate Profile
4 Select Block Private Key Export.
NEW QUESTION: 113
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?
A. Both SSH keys and SSL certificates must be generated.
B. No prerequisites are required.
C. SSH keys must be manually generated.
D. SSL certificates must be generated.
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssh-
proxy
"In an SSH Proxy configuration, the firewall resides between a client and a server. SSH Proxy
enables the firewall to decrypt inbound and outbound SSH connections and ensures that
attackers don't use SSH to tunnel unwanted applications and content. SSH decryption does not
require certificates and the firewall automatically generates the key used for SSH decryption
when the firewall boots up."
NEW QUESTION: 114

Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)
A. DNS-based command-and-control signatures
B. PAN-DB URL Filtering
C. BrightCloud Url Filtering
D. Brute-force signatures
Answer: A,B (LEAVE A REPLY)
NEW QUESTION: 115

Panorama provides which two SD_WAN functions? (Choose two.)
A. physical network links
B. data plane
C. control plane
D. network monitoring
NEW QUESTION: 116

During the packet flow process, which two processes are performed in application identification?
(Choose two.)
A. Pattern based application identification
B. Application override policy match
C. Application changed from content inspection
D. Session application identified.
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
NEW QUESTION: 117

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and
Panorama configuration Place the steps in order.
Answer:
NEW QUESTION: 118

An engines must configure the Decryption Broker feature To which router must the engineer
assign the decryption forwarding interfaces that are used m the Decryption Broker security
Chain?
A. the default virtual router (If there is no default virtual router the engineer must create one
during setup)
B. the virtual router that routes the traffic that the Decryption Broker security chain inspects
C. a virtual router that is configured with at least one dynamic routing protocol and has at least
one entry in the RIB
D. a virtual router that has no additional interfaces for passing data-plane traffic and no other
configured routes than those used in for the security chain
NEW QUESTION: 119

An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and
experiencing issues completing the connection. the following is the output from the command:
What could be the cause of this problem?

A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and
the ASA.
B. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
C. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA.
D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.
NEW QUESTION: 120

When using the predefined default profile, the policy will inspect for viruses on the decoders.
Match each decoder with its default action.
Answer options may be used more than once or not at all.
Answer:
Explanation
IMAP , POP3 , SMTP - > Alert
HTTP,FTP,SMB -> Reset-both
NEW QUESTION: 121

Given the following snippet of a WildFire submission log. did the end-user get access to the
requested information and why or why not?
A. Yes because the action is set to "alert"

B. No because WildFire categorized a file with the verdict "malicious"
C. No because WildFire classified the seventy as "high."
D. Yes. because the action is set to "allow ''
NEW QUESTION: 122

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link.
They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own
zone which options differentiates multiple VLAN into separate zones?
A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096 in the "Tag
Allowed" field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the
Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0
for untagged traffic. Assign each interface/sub interface to a unique zone.
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common
virtual router.
The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface
tA.
unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID.
Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each
interface/sub interface to a unique zone.
Explanation
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-
interfaces/virtual-wire-interfa Virtual wire interfaces by default allow all untagged traffic. You can,
however, use a virtual wire to connect two interfaces and configure either interface to block or
allow traffic based on the virtual LAN (VLAN) tags.
VLAN tag 0 indicates untagged traffic.You can also create multiple subinterfaces, add them into
different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag
with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN
tags or for VLAN tags from a specific source IP address, range, or subnet.
NEW QUESTION: 123

Which three steps will reduce the CPU utilization on the management plane? (Choose three.)
A. Disable SNMP on the management interface.
B. Application override of SSL application.
C. Disable logging at session start in Security policies.
D. Disable predefined reports.
E. Reduce the traffic being decrypted by the firewall.
Answer: A,C,D (LEAVE A REPLY)
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleLCAS
NEW QUESTION: 124
Which CLI command can be used to export the tcpdump capture?
A. scp export tcpdump from mgmt.pcap to <username@host:path>
B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
D. download mgmt.-pcap
Reference:
https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-
Management-I p/55415
NEW QUESTION: 125

When a malware-infected host attempts to resolve a known command-and-control server, the
traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?
A. The IP Address of sinkhole.paloaltonetworks.com
B. The IP Address of the command-and-control server
C. The IP Address specified in the sinkhole configuration
D. The IP Address of one of the external DNS servers identified in the anti-spyware database
Explanation
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify-DNS-Sinkhole-Function-
is-Working/t
NEW QUESTION: 126

What are the differences between using a service versus using an application for Security Policy
match?
A. Use of a "service" enables the firewall to take immediate action with the first observed packet
based on port numbers. Use of an "application" allows the firewall to take immediate action it the
port being used is a member of the application standardport list
B. Use of a "service" enables the firewall to take immediate action with the first observed packet
based on port numbers Use of an "application" allows the firewall to take action after enough
packets allow for App-ID identification regardless of the ports being used.
C. There are no differences between "service" or "application" Use of an "application" simplifies
configuration by allowing use of a friendly application name instead of port numbers.
D. Use of a "service" enables the firewall to take action after enough packets allow for App-ID
identification
NEW QUESTION: 127

Which of the following commands would you use to check the total number of the sessions that
are currently going through SSL Decryption processing?
A. show session all filter ssl-decrypt yes count yes
B. show session filter ssl-decryption yes total-count yes
C. show session all filter ssl-decryption yes total-count yes
D. show session all ssI-decrypt yes count yes

Paloaltonetworks - Pcnse.V2022-01-18.Q127: Show Answer

Uploaded by

Copyright:

Available Formats

Paloaltonetworks - Pcnse.V2022-01-18.Q127: Show Answer

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Paloaltonetworks - Pcnse.V2022-01-18.Q127: Show Answer

Uploaded by

Copyright:

Available Formats

PaloAltoNetworks.PCNSE.v2022-01-18.

Exam Code: PCNSE

Which certificates can be used as a Forwarded Trust certificate?

what is the correct path of root, intermediate, and end-user certificate?

A. Panorama discards incoming logs when storage capacity full.

Which certificate can be used as the Forward Trust certificate?

Which Link Type setting will correct the error?

NEW QUESTION: 100

NEW QUESTION: 101

NEW QUESTION: 102

NEW QUESTION: 103

NEW QUESTION: 104

NEW QUESTION: 105

NEW QUESTION: 106

NEW QUESTION: 107

NEW QUESTION: 108

NEW QUESTION: 109

NEW QUESTION: 110

NEW QUESTION: 111

NEW QUESTION: 112

NEW QUESTION: 114

NEW QUESTION: 115

NEW QUESTION: 116

NEW QUESTION: 117

NEW QUESTION: 118

NEW QUESTION: 119

What could be the cause of this problem?

NEW QUESTION: 120

NEW QUESTION: 121

A. Yes because the action is set to "alert"

NEW QUESTION: 122

NEW QUESTION: 123

NEW QUESTION: 125

NEW QUESTION: 126

NEW QUESTION: 127

You might also like