PCNSE Dumps Help You Study Objectives

1. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

2. An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?

3. What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

4. A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

5. After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?

6. Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

A. Threat

B. HIP Match

C. Traffic

D. Configuration

7. Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

8. A company has configured a URL Filtering profile with override action on their firewall.

Which two profiles are needed to complete the configuration? (Choose two)

9. Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

10. An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.

When overriding the firewall configuration pushed from Panorama, what should you consider?

11. An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

12. A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects

Which type of role-based access is most appropriate for this project?

13. What can the Log Forwarding built-in action with tagging be used to accomplish?

14. A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

15. Which two are required by IPSec in transport mode? (Choose two.)

A. Auto generated key

B. NAT Traversal

C. IKEv1

D. DH-group 20 (ECP-384 bits)

16. A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?

17. Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)

18. A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

19. An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

20. Which statement regarding HA timer settings is true?

21. A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time.

How can they achieve this?

22. An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors.

What is the recommended order of operational steps when upgrading?

23. A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?

24. A company is expanding its existing log storage and alerting solutions All company Palo Alto Networks firewalls currently forward logs to Panorama.

Which two additional log forwarding methods will PAN-OS support? (Choose two)

25. What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?

26. A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall.

In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)

27. When you troubleshoot an SSL Decryption issue, which PAN-OS CL1 command do you use to check the details of the Forward Trust certificate.

Forward Untrust certificate, and SSL Inbound Inspection certificate?

28. Which three statements accurately describe Decryption Mirror? (Choose three.)

29. A security engineer has configured a GlobalProtect portal agent with four gateways.





Which GlobalProtect Gateway will users connect to based on the chart provided?

30. An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

31. In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)

32. An engineer configures a destination NAT policy to allow inbound access to an internal server in the

DMZ.

The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?

33. Refer to the exhibit.





Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

34. An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

35. A company wants to deploy IPv6 on its network which requires that all company Palo Alto Networks firewalls process IPv6 traffic and to be configured with IPv6 addresses.

Which consideration should the engineers take into account when planning to enable IPv6?

36. A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes.

How can the administrator assign these settings through the use of template stacks?

37. Which three sessions are created by a NGFW for web proxy? (Choose three.)

38. An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.

What configuration change is necessary to implement this troubleshooting solution for the user?

39. In a template, which two objects can be configured? (Choose two.)

40. A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available resulting in the server sharing MAT IP 198 51 100 B8 with another OMZ serve that uses IP address 192 168 19? 60 Firewall security and NAT rules have been configured. The application team has confirmed mat the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 196 51 100 88 from 203.0.113.40 However it confirm a successful prig test to 198 51 100 88 Referring to the MAT configuration and traffic logs provided how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

41. An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

42. An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

43. A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer.

Where should this change be made?

44. A firewall administrator wants to be able at to see all NAT sessions that are going ‘through a firewall with source NAT.

Which CLI command can the administrator use?

45. An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

46. What does the User-ID agent use to find login and logout events in syslog messages?

47. An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users.

What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos LDAP, and TACACS+?

48. A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10.

Refer to the routing and interfaces information below.





What should the NAT rule destination zone be set to?

49. During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

50. An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

51. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

52. Refer to the exhibit.





Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

53. A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

54. An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

55. Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?

56. Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

57. A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following: threat type: spyware category: dns-c2 threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?

58. Which protocol is natively supported by GlobalProtect Clientless VPN?

59. An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?

60. An administrator is required to create an application-based Security policy rule to allow Evernote.

The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

61. A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?

62. An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?

63. Which source is the most reliable for collecting User-ID user mapping?

64. Refer to the exhibit.





Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

65. Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

66. An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

67. An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an interal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?

68. Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

69. An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?

70. Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade.

What is the next best step to minimize downtime and ensure a smooth transition?

71. A firewall engineer is investigating high dataplane CPU utilization.

To decrease the load on this CPU, what should be reduced?

72. Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

73. Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

74. A security engineer needs to mitigate packet floods that occur on a RSF servers behind the internet facing interface of the firewall.

Which Security Profile should be applied to a policy to prevent these packet floods?

75. An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?

76. When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)

77. View the screenshots









A QoS profile and policy rules are configured as shown.

Based on this information which two statements are correct?

78. A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

79. The server team is concerned about the high volume of logs forwarded to their syslog server, it is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS. Traffic logs can be exclude from syslog forwarding.

How should syslog log forwarding be configured?

80. Which statement applies to HA timer settings?

81. If a URL is in multiple custom URL categories with different actions, which action will take priority?

82. An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)

83. To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

84. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

A. Click Preview Changes under Push Scope

B. Use Test Policy Match to review the policies in Panorama

C. Review the configuration logs on the Monitor tab

D. Context-switch to the affected firewall and use the configuration audit tool

85. A firewall administrator has confirm reports of a website is not displaying as expected, and wants to ensure that decryption is not causing the issue.

Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)

86. How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?

87. An enterprise network security team is deploying VM-Series firewalls in a multi-cloud environment. Some firewalls are deployed in VMware NSX-V, while others are in AWS, and all are centrally managed using Panorama with the appropriate plugins installed. The team wants to streamline policy management by organizing the firewalls into device groups in which the AWS-based firewalls act as a parent device group, while the NSX-V firewalls are configured as a child device group to inherit Security policies. However, after configuring the device group hierarchy and attempting to push configurations, the team receives errors, and policy inheritance is not functioning as expected.

What is the most likely cause of this issue?

88. A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama.

In which section is this configured?

89. Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

90. In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

91. A firewall administrator to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.

What is the best option for the administrator to take?

92. An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt.

Which three items should be prioritized for decryption? (Choose three.)

93. 1.A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

94. An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?

95. A security team has enabled real-time WildFire signature lookup on all its firewalls.

Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

96. Given the following snippet of a WildFire submission log, did the end user successfully download a file?

97. An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

98. A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server on DHCP agent configuration.

Which interface mode can the broadcast DHCP traffic?

99. A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

100. What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?

101. What is the best definition of the Heartbeat Interval?

102. ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

103. Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

104. An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors.

What is the recommended order of operational steps when upgrading?