Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Question and Answers

Last Update Feb 17, 2025
Total Questions : 294

Questions 1

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

Options:

A.  

Any configuration on an M-500 would address the insufficient bandwidth concerns

B.  

Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW

C.  

Configure log compression and optimization features on all remote firewalls

D.  

Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

Questions 2

Which statement regarding HA timer settings is true?

Options:

A.  

Use the Recommended profile for typical failover timer settings

B.  

Use the Moderate profile for typical failover timer settings

C.  

Use the Aggressive profile for slower failover timer settings.

D.  

Use the Critical profile for faster failover timer settings.

Questions 3

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

Options:

A.  

PowerShell scripts

B.  

VBScripts

C.  

MS Office

D.  

APK

E.  

ELF

Questions 4

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

Options:

A.  

Create a Dynamic Read only superuser.

B.  

Create a Dynamic Admin with the Panorama Administrator role

C.  

Create a Device Group and Template Admin

D.  

Create a Custom Panorama Admin

Questions 5

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767

Options:

A.  

The PanGPS process failed to connect to the PanGPA process on port 4767

B.  

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.  

The PanGPA process failed to connect to the PanGPS process on port 4767

D.  

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Questions 6

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

Options:

A.  

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.  

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.  

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.  

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Questions 7

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?

Options:

A.  

Performs malicious content analysis on the linked page, but not the corresponding PE file.

B.  

Performs malicious content analysis on the linked page and the corresponding PE file.

C.  

Does not perform malicious content analysis on either the linked page or the corresponding PE file.

D.  

Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file.

Questions 8

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server. By default, which component of the Palo Alto Networks firewall architecture is responsible for log forwarding and should be checked for early signs of overutilization?

Options:

A.  

Management plane CPU

B.  

Dataplane CPU

C.  

Packet buffers

D.  

On-chip packet descriptors

Questions 9

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

Options:

A.  

UaCredInstall64-11.0.0.msi

B.  

GlobalProtect64-6.2.1.msi

C.  

TaInstall-11.0.0.msi

D.  

UaInstall-11.0.0.msi

Questions 10

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?

Options:

A.  

PBF > Zone Protection Profiles > Packet Buffer Protection

B.  

BGP > PBF > NAT

C.  

PBF > Static route > Security policy enforcement

D.  

NAT > Security policy enforcement > OSPF

Questions 11

What must be configured to apply tags automatically based on User-ID logs?

Options:

A.  

Device ID

B.  

Log Forwarding profile

C.  

Group mapping

D.  

Log settings

Questions 12

The UDP-4501 protocol-port is used between which two GlobalProtect components?

Options:

A.  

GlobalProtect app and GlobalProtect satellite

B.  

GlobalProtect app and GlobalProtect gateway

C.  

GlobalProtect portal and GlobalProtect gateway

D.  

GlobalProtect app and GlobalProtect portal

Questions 13

A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns? (Choose two.)

Options:

A.  

Traffic logs

B.  

Data filtering logs

C.  

Policy Optimizer

D.  

Wireshark

Questions 14

Exhibit.

Review the screenshots and consider the following information:

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?

Options:

A.  

Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1

B.  

Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.

C.  

Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

D.  

Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Questions 15

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?

Options:

A.  

an Authentication policy with 'unknown' selected in the Source User field

B.  

an Authentication policy with 'known-user' selected in the Source User field

C.  

a Security policy with 'known-user' selected in the Source User field

D.  

a Security policy with 'unknown' selected in the Source User field

Questions 16

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

Options:

A.  

Perform a commit force from the CLI of the firewall.

B.  

Perform a template commit push from Panorama using the "Force Template Values" option.

C.  

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

D.  

Reload the running configuration and perform a Firewall local commit.

Questions 17

What is the best definition of the Heartbeat Interval?

Options:

A.  

The interval in milliseconds between hello packets

B.  

The frequency at which the HA peers check link or path availability

C.  

The frequency at which the HA peers exchange ping

D.  

The interval during which the firewall will remain active following a link monitor failure

Questions 18

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

Options:

A.  

OSPFv3

B.  

ECMP

C.  

ASBR

D.  

OSPF

Questions 19

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Options:

A.  

/content

B.  

/software

C.  

/plugins

D.  

/license

E.  

/opt

Questions 20

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

Options:

A.  

Preview Changes

B.  

Managed Devices Health

C.  

Test Policy Match

D.  

Policy Optimizer

Questions 21

Given the following configuration, which route is used for destination 10.10.0.4?

Options:

A.  

Route 2

B.  

Route 3

C.  

Route 1

D.  

Route 4

Questions 22

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

Options:

A.  

debug dataplane internal vif route 250

B.  

show routing route type service-route

C.  

show routing route type management

D.  

debug dataplane internal vif route 255

Questions 23

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

Options:

A.  

Application filter

B.  

Application override policy rule

C.  

Security policy rule

D.  

Custom app

Questions 24

Review the screenshots.

What is the most likely reason for this decryption error log?

Options:

A.  

The Certificate fingerprint could not be found.

B.  

The client expected a certificate from a different CA than the one provided.

C.  

The client received a CA certificate that has expired or is not valid.

D.  

Entrust is not a trusted root certificate authority (CA).

Questions 25

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

Options:

A.  

The profile rule action

B.  

CVE column

C.  

Exceptions tab

D.  

The profile rule threat name

Questions 26

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?

Options:

A.  

show system setting ssl-decrypt certificate

B.  

show system setting ssl-decrypt certs

C.  

debug dataplane show ssl-decrypt ssl-certs

D.  

show system setting ssl-decrypt certificate-cache

Questions 27

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)

Options:

A.  

ECDSA

B.  

ECDHE

C.  

RSA

D.  

DHE

Questions 28

Which two statements correctly describe Session 380280? (Choose two.)

Options:

A.  

The session went through SSL decryption processing.

B.  

The session has ended with the end-reason unknown.

C.  

The application has been identified as web-browsing.

D.  

The session did not go through SSL decryption processing.

Questions 29

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.

Which command should they use?

Options:

A.  

test routing route ip 10.2.5.3 *

B.  

test routing route ip 10.2.5.3 virtual-router default

C.  

test routing fib-lookup ip 10.2.5.0/24 virtual-router default

D.  

test routing fib-lookup ip 10.2.5.3 virtual-router default

Questions 30

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

Options:

A.  

It matches to the New App-IDs downloaded in the last 90 days.

B.  

It matches to the New App-IDs in the most recently installed content releases.

C.  

It matches to the New App-IDs downloaded in the last 30 days.

D.  

It matches to the New App-IDs installed since the last time the firewall was rebooted.

Questions 31

Which statement about High Availability timer settings is true?

Options:

A.  

Use the Critical timer for faster failover timer settings.

B.  

Use the Aggressive timer for faster failover timer settings

C.  

Use the Moderate timer for typical failover timer settings

D.  

Use the Recommended timer for faster failover timer settings.

Questions 32

Match the terms to their corresponding definitions

Options:

Questions 33

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three.)

Options:

A.  

HTTPS

B.  

SSH

C.  

Permitted IP Addresses

D.  

HTTP

E.  

User-ID

Questions 34

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.  

No Direct Access to local networks

B.  

Tunnel mode

C.  

IPSec mode

D.  

Satellite mode

Questions 35

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

Options:

A.  

Export the log database.

B.  

Use the import option to pull logs.

C.  

Use the scp logdb export command.

D.  

Use the ACC to consolidate the logs.

Questions 36

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?

Options:

A.  

Outdated plugins

B.  

GlobalProtect agent version

C.  

Expired certificates

D.  

Management only mode

Questions 37

An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?

Options:

A.  

The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring

B.  

No action was taken because Path Monitoring is disabled

C.  

No action was taken because interface ethernet1/1 did not fail

D.  

The active firewall failed over to the passive HA member due to an AE1 Link Group failure

Questions 38

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

Options:

A.  

Voice

B.  

Fingerprint

C.  

SMS

D.  

User certificate

E.  

One-time password

Questions 39

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

Options:

A.  

Destination user/group

B.  

URL Category

C.  

Destination Domain

D.  

video streaming application

E.  

Source Domain

F.  

Client Application Process

Questions 40

What should an engineer consider when setting up the DNS proxy for web proxy?

Options:

A.  

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

B.  

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

C.  

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

D.  

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

Questions 41

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?

Options:

A.  

Create a Group Mapping for the GlobalProtect Group.

B.  

Enable Captive Portal on the expected source interfaces.

C.  

Add the users to the proper Dynamic User Group.

D.  

Enable User-ID on the expected trusted zones.

Questions 42

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Options:

A.  

Set the passive link state to "shutdown".

B.  

Disable config sync.

C.  

Disable the HA2 link.

D.  

Disable HA.

Questions 43

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?

Options:

A.  

Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

B.  

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

C.  

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

D.  

Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

Questions 44

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.  

Inherit settings from the Shared group

B.  

Inherit IPSec crypto profiles

C.  

Inherit all Security policy rules and objects

D.  

Inherit parent Security policy rules and objects

Questions 45

A firewall administrator has confirmed reports of a website not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)

Options:

A.  

Move the policy with action decrypt to the top of the decryption policy rulebase.

B.  

Temporarily disable SSL decryption for all websites to troubleshoot the issue.

C.  

Create a policy-based “No Decrypt” rule in the decryption policy to exclude specific traffic from decryption.

D.  

Investigate decryption logs of the specific traffic to determine reasons for failure.

E.  

Disable SSL handshake logging.

Questions 46

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Options:

A.  

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.  

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.  

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.  

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Questions 47

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in approved web traffic?

Options:

A.  

An Enterprise Root CA certificate

B.  

The same certificate as the Forward Trust certificate

C.  

A Public Root CA certificate

D.  

The same certificate as the Forward Untrust certificate

Questions 48

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

Options:

A.  

Configure a floating IP between the firewall pairs.

B.  

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

C.  

Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.

D.  

On one pair of firewalls, run the CLI command: set network interface vlan arp.

Questions 49

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.

Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.)

Options:

A.  

Configure the DNS server locally on the firewall.

B.  

Change the DNS server on the global template.

C.  

Override the DNS server on the template stack.

D.  

Configure a service route for DNS on a different interface.

Questions 50

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Options:

A.  

IPSec Tunnel settings

B.  

IKE Crypto profile

C.  

IPSec Crypto profile

D.  

IKE Gateway profile

Questions 51

Which CLI command displays the physical media that are connected to ethernet1/8?

Options:

A.  

> show system state filter-pretty sys.s1.p8.stats

B.  

> show system state filter-pretty sys.s1.p8.phy

C.  

> show system state filter-pretty sys.s1.p8.med

D.  

> show interface ethernet1/8

Questions 52

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?

Options:

A.  

Contact the site administrator with the expired certificate to request updates or renewal.

B.  

Enable certificate revocation checking to deny access to sites with revoked certificates.

C.  

Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

D.  

Check for expired certificates and take appropriate actions to block or allow access based on business needs.

Questions 53

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

Options:

A.  

To allow traffic between zones in different virtual systems without the traffic leaving the appliance

B.  

To allow traffic between zones in different virtual systems while the traffic is leaving the appliance

C.  

External zones are required because the same external zone can be used on different virtual systems

D.  

Multiple external zones are required in each virtual system to allow the communications between virtual systems

Questions 54

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

Options:

A.  

A self-signed Certificate Authority certificate generated by the firewall

B.  

A Machine Certificate for the firewall signed by the organization's PKI

C.  

A web server certificate signed by the organization's PKI

D.  

A subordinate Certificate Authority certificate signed by the organization's PKI

Questions 55

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?

Options:

A.  

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.  

By configuring User-ID group mapping in Panorama > User Identification

C.  

By configuring User-ID source device in Panorama > Managed Devices

D.  

By configuring Master Device in Panorama > Device Groups

Questions 56

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current BGP state between the two devices?

Options:

A.  

show routing protocol bgp summary

B.  

show routing protocol bgp rib-out

C.  

show routing protocol bgp state

D.  

show routing protocol bgp peer

Questions 57

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

Options:

A.  

Specify the subinterface as a management interface in Setup > Device > Interfaces.

B.  

Add the network segment's IP range to the Permitted IP Addresses list.

C.  

Enable HTTPS in an Interface Management profile on the subinterface.

D.  

Configure a service route for HTTP to use the subinterface.

Questions 58

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

Options:

A.  

Configure a Captive Portal authentication policy that uses an authentication sequence.

B.  

Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

C.  

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.

D.  

Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.

Questions 59

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.  

Data Patterns within Objects > Custom Objects

B.  

Custom Log Format within Device > Server Profiles > Syslog

C.  

Built-in Actions within Objects > Log Forwarding Profile

D.  

Logging and Reporting Settings within Device > Setup > Management

Questions 60

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

Options:

A.  

VirtualWire

B.  

Layer3

C.  

TAP

D.  

Layer2

Questions 61

What happens when the log forwarding built-in action with tagging is used?

Options:

A.  

Destination IP addresses of selected unwanted traffic are blocked.

B.  

Selected logs are forwarded to the Azure Security Center.

C.  

Destination zones of selected unwanted traffic are blocked.

D.  

Selected unwanted traffic source zones are blocked.

Questions 62

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

Options:

A.  

User logon

B.  

Push

C.  

One-Time Password

D.  

SSH key

E.  

Short message service

Questions 63

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Options:

A.  

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.  

A Decryption profile must be attached to the Security policy that the traffic matches.

C.  

There must be a certificate with only the Forward Trust option selected.

D.  

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Questions 64

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

Options:

A.  

Initial

B.  

Tentative

C.  

Passive

D.  

Active-secondary

Questions 65

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?

Options:

A.  

Phase 1 and Phase 2 SAs are synchronized over HA3 links.

B.  

Phase 2 SAs are synchronized over HA2 links.

C.  

Phase 1 and Phase 2 SAs are synchronized over HA2 links.

D.  

Phase 1 SAs are synchronized over HA1 links.

Questions 66

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?

Options:

A.  

Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.

B.  

Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.

C.  

Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution

D.  

Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

Questions 67

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?

Options:

A.  

It blocks all communication with the server indefinitely.

B.  

It downgrades the protocol to ensure compatibility.

C.  

It automatically adds the server to the SSL Decryption Exclusion list.

D.  

It generates a decryption error message but allows the traffic to continue decryption.

Questions 68

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

Options:

A.  

Threat

B.  

HIP Match

C.  

Traffic

D.  

Configuration

Questions 69

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

Options:

A.  

Increase the frequency of the applications and threats dynamic updates.

B.  

Increase the frequency of the antivirus dynamic updates.

C.  

Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.

D.  

Enable the "Report Grayware Files" option in Device > Setup > WildFire.

Questions 70

A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?

Options:

A.  

South

B.  

West

C.  

East

D.  

Central

Questions 71

What type of NAT is required to configure transparent proxy?

Options:

A.  

Source translation with Dynamic IP and Port

B.  

Destination translation with Static IP

C.  

Source translation with Static IP

D.  

Destination translation with Dynamic IP

Questions 72

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

Options:

A.  

TCP Fast Open in the Strip TCP options

B.  

Ethernet SGT Protection

C.  

Stream ID in the IP Option Drop options

D.  

Record Route in IP Option Drop options

Questions 73

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

Options:

A.  

Custom URL category in URL Filtering profile

B.  

EDL in URL Filtering profile

C.  

PAN-DB URL category in URL Filtering profile

D.  

Custom URL category in Security policy rule

Questions 74

Which Panorama feature protects logs against data loss if a Panorama server fails?

Options:

A.  

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.  

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.  

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.  

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.

Questions 75

Which link is responsible for synchronizing sessions between high availability (HA) peers?

Options:

A.  

HA1

B.  

HA3

C.  

HA4

D.  

HA2

Questions 76

Which new PAN-OS 11.0 feature supports IPv6 traffic?

Options:

A.  

DHCPv6 Client with Prefix Delegation

B.  

OSPF

C.  

DHCP Server

D.  

IKEv1

Questions 77

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?

Options:

A.  

> show counter global filter packet-filter yes delta yes

B.  

> show counter global filter severity drop

C.  

> debug dataplane packet-diag set capture stage drop

D.  

> show counter global filter delta yes | match 10.1.1.1

Questions 78

An engineer is configuring a firewall with three interfaces:

• MGT connects to a switch with internet access.

• Ethernet1/1 connects to an edge router.

• Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

Options:

A.  

Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

B.  

Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

C.  

Set DNS and Palo Alto Networks Services to use the MGT source interface.

D.  

Set DDNS and Palo Alto Networks Services to use the MGT source interface.

Questions 79

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware category: dns-c2 threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?

Options:

A.  

Navigate to Objects > Security Profiles > Anti-Spyware

Select related profile

Select DNS exceptions tab

Search related threat ID and click enable

Commit

B.  

Navigate to Objects > Security Profiles > Vulnerability Protection

Select related profile

Select the signature exceptions tab and then click show all signatures

Search related threat ID and click enable

Change the default action

Commit

C.  

Navigate to Objects > Security Profiles > Vulnerability Protection

Select related profile

Select the Exceptions tab and then click show all signatures

Search related threat ID and click enable

Commit

D.  

Navigate to Objects > Security Profiles > Anti-Spyware

Select related profile

Select the Exceptions tab and then click show all signatures

Search related threat ID and click enable

Commit

Questions 80

Why would a traffic log list an application as "not-applicable"?

Options:

A.  

The firewall denied the traffic before the application match could be performed.

B.  

The TCP connection terminated without identifying any application data.

C.  

There was not enough application data after the TCP connection was established.

D.  

The application is not a known Palo Alto Networks App-ID.

Questions 81

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

Options:

A.  

Minimum TLS version

B.  

Certificate

C.  

Encryption Algorithm

D.  

Maximum TLS version

E.  

Authentication Algorithm

Questions 82

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?

Options:

A.  

Enable PFS under the IKE gateway advanced options.

B.  

Enable PFS under the IPSec Tunnel advanced options.

C.  

Add an authentication algorithm in the IPSec Crypto profile.

D.  

Select the appropriate DH Group under the IPSec Crypto profile.

Questions 83

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-import-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

Options:

A.  

Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores.

B.  

Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate and commit the configuration.

C.  

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.

D.  

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.

Questions 84

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

Options:

A.  

IP Netmask

B.  

IP Wildcard Mask

C.  

IP Address

D.  

IP Range

Questions 85

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)

Options:

A.  

Configure the decryption profile.

B.  

Define a Forward Trust Certificate.

C.  

Configure SSL decryption rules.

D.  

Configure an SSL/TLS service profile.

Questions 86

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

Options:

A.  

Ensure Force Template Values is checked when pushing configuration.

B.  

Push the Template first, then push Device Group to the newly managed firewall.

C.  

Perform the Export or push Device Config Bundle to the newly managed firewall.

D.  

Push the Device Group first, then push Template to the newly managed firewall.

Questions 87

A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?

Options:

A.  

Multiple external gateways

B.  

Single or multiple internal gateways

C.  

Split DNS and HIP checks

D.  

IPv6 for internal gateways

Questions 88

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.

The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors.

What is the recommended order of operational steps when upgrading?

Options:

A.  

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama.

B.  

Upgrade the firewalls, upgrade log collectors, upgrade Panorama.

C.  

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls.

D.  

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors.
