Exam Flashcards

1
Q

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?

A. Destination-Based Service Route
B. Inherit Global Setting
C. IPv6 Source or Destination Address
D. IPv4 Source Interface

A

IPv4 Source Interface

2
Q

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?

A. Add SSL application to the same rule.
B. SSL and web-browsing must both be explicitly allowed.
C. Add SSL and web-browsing applications to the same rule.
D. Add web-browsing application to the same rule.

A

Add SSL application to the same rule

3
Q

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.)

A. Service Route Configuration
B. Dynamic Address Groups
C. NTP Server Address
D. Antivirus Profile
E. Authentication Profile

A

Service Route Configuration

NTP Server Address

Authentication Profile

4
Q

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?

A. Change destination NAT zone to Trust_L3.

B. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.

C. Change Source NAT zone to Untrust_L3.

D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

A

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

5
Q

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

A. A service route to the LDAP server
B. A User-ID agent on the LDAP server
C. A Master Device
D. Authentication Portal

A

A Master Device

6
Q

An administrator troubleshoots an issue that causes packet drops.
Which log type will help the engineer verify whether packet buffer protection was activated?

A. Configuration
B. Data Filtering
C. Traffic
D. Threat

A

Threat

7
Q

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?

A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution.
C. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

A

Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution.

8
Q

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

A. IKE Crypto Profile
B. Security policy
C. Proxy-IDs
D. PAN-OS versions

A

Proxy-IDs

9
Q

Where can a service route be configured for a specific destination IP?

A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
B. Use Device > Setup > Services > Services
C. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4
D. Use Device > Setup > Services > Service Route Configuration > Customize > Destination

A

Use Device > Setup > Services > Service Route Configuration > Customize > Destination

10
Q

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

A. Reload the running configuration and perform a Firewall local commit.
B. Perform a commit force from the CLI of the firewall.
C. Perform a template commit push from Panorama using the “Force Template Values” option.
D. Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option

A

Perform a template commit push from Panorama using the “Force Template Values” option.

11
Q

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

A. 1
B. 2
C. 3
D. 4

A

4

12
Q

A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?

A. Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings.
B. Perform a device group push using the “merge with device candidate config” option.
C. Update the apps and threat version using device-deployment.
D. Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config.

A

Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings.

13
Q

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

A. OSPF
B. IGRP
C. OSPFv3 virtual link
D. BGP
E. RIP

A

OSPF

BGP

RIP

14
Q

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

A. Deny
B. Allow
C. Discard
D. Next VR

A

Discard

15
Q

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

A. The User-ID agent is connected to a domain controller labeled lab-client.
B. The host lab-client has been found by the User-ID agent.
C. The host lab-client has been found by a domain controller.
D. The User-ID agent is connected to the firewall labeled lab-client.

A

The User-ID agent is connected to a domain controller labeled lab-client.

16
Q

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

A. Clone the security policy and add it to the other device groups.
B. Add the policy to the target device group and apply a master device to the device group.
C. Reference the targeted device’s templates in the target device group.
D. Add the policy in the shared device group as a pre-rule.

A

Add the policy in the shared device group as a pre-rule.

17
Q

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the local firewall? (Choose three.)

A. TACACS+
B. Kerberos
C. SAML
D. RADIUS
E. LDAP

A

TACACS+
SAML
RADIUS

18
Q

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)

A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.
D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

A

It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

19
Q

An engineer is configuring a firewall with three interfaces:

  • MGT connects to a switch with internet access.
  • Ethernet1/1 connects to an edge router.
  • Ethernet1/2 connects to a virtualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic.
What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

A. Set DNS and Palo Alto Networks Services to use the MGT source interface.
B. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
C. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.

A

Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

20
Q

Which three items must be configured to implement application override? (Choose three.)

A. Application filter
B. Application override policy rule
C. Custom app
D. Decryption policy rule
E. Security policy rule

A

Application override policy rule

Custom app

Security policy rule

21
Q

If a URL is in multiple custom URL categories with different actions, which action will take priority?

A. Block
B. Allow
C. Alert
D. Override

A

Block

22
Q

Which new PAN-OS 11.0 feature supports IPv6 traffic?

A. OSPF
B. IKEv1
C. DHCP Server
D. DHCPv6 Client with Prefix Delegation

A

DHCPv6 Client with Prefix Delegation

23
Q

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewall.
C. Push the Device Group first, then push Template to the newly managed firewall.
D. Perform the Export or push Device Config Bundle to the newly managed firewall.

A

Perform the Export or push Device Config Bundle to the newly managed firewall.

24
Q

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.

What can the engineer do to solve the VoIP traffic issue?

A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application

A

Disable ALG under SIP application

25
Q

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

A. A self-signed certificate generated on the firewall
B. A web server certificate signed by the organization’s PKI
C. A web server certificate signed by an external Certificate Authority
D. A subordinate Certificate Authority certificate signed by the organization’s PKI

A

A self-signed certificate generated on the firewall

26
Q

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

A. Inherit all Security policy rules and objects
B. Inherit settings from the Shared group
C. Inherit IPSec crypto profiles
D. Inherit parent Security policy rules and objects

A

Inherit settings from the Shared group

Inherit parent Security policy rules and objects

27
Q

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

A. LDAP
B. Log Ingestion
C. HTTP
D. Log Forwarding

A

HTTP
Log Forwarding

28
Q

A network security administrator has been tasked with deploying User-ID in their organization. What are three valid methods of collecting User-ID information in the network?

A Windows User-ID agent
Dynamic User Groups
External Dynamic List
GlobalProtect
XML API

A

A Windows User-ID agent
GlobalProtect
XML API

29
Q

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Satellite mode
Tunnel mode
No Direct Access to local networks
IPSec mode

A

Tunnel mode

30
Q

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls.
Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

Forward proxy
Explicit proxy
Transparent proxy
DNS proxy

A

Transparent proxy

31
Q

Which type of zone will allow different virtual systems to communicate with each other?

Tap
Tunnel
Virtual Wire
External

A

External

32
Q

Which source is the most reliable for collecting User-ID user mapping?

Microsoft Active Directory
Microsoft Exchange
GlobalProtect
Syslog Listener

A

GlobalProtect

33
Q

An engineer configures SSL decryption in order to have more visibility into the internal users’ traffic when it is egressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)

High availability (HA)
Layer 3
Layer 2
Tap
Wire

A

Layer 3

Layer 2

Wire

34
Q

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned. Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

A. Run the CLI command show advanced-routing ospf neighbor
B. In the WebUI, view the Runtime Stats in the virtual router
C. Look for configuration problems in Network > virtual router > OSPF
D. In the WebUI, view Runtime Stats in the logical router

A

Run the CLI command show advanced-routing ospf neighbor

In the WebUI, view Runtime Stats in the logical router

35
Q

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.

B. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls.

C. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.

D. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

A

Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.

36
Q

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install.

When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

A. GlobalProtect agent version
B. Outdated plugins
C. Management only mode
D. Expired certificates

A

Outdated plugins

37
Q

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)

TCP Drop
ICMP Drop
SYN Random Early Drop
TCP Port Scan Block

A

TCP Drop
ICMP Drop

38
Q

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

A. /plugins
B. /license
C. /opt
D. /content
E. /software

A

/license

/content

/software

39
Q

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama.

A. Monitor > Logs > System
B. Objects > Log Forwarding
C. Device > Log Settings
D. Panorama > Managed Devices

A

Device > Log Settings

40
Q

An administrator needs to identify which NAT policy is being used for internet traffic.
From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?

A. From the Monitor tab, click Traffic view and review the information in the detailed log view.
B. From the Monitor tab, click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
C. From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules.
D. From the Monitor tab, click Session Browser and review the session details.

A

From the Monitor tab, click Session Browser and review the session details.

41
Q

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

A. Short message service
B. Push
C. User logon
D. One-Time Password
E. SSH key

A

Short message service
Push
One-Time Password

42
Q

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls. What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

A. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
B. On one pair of firewalls, run the CLI command: set network interface vlan arp.
C. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
D. Configure a floating IP between the firewall pairs.

A

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

43
Q

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?

A. The priority assigned to the Authentication profile defines the order of the sequence.
B. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user.
C. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made.
D. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

A

The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

44
Q

An administrator is configuring a Panorama device group.
Which two objects are configurable? (Choose two.)

A. URL Filtering profiles
B. SSL/TLS profiles
C. Address groups
D. DNS Proxy

A

URL Filtering profiles

Address groups

45
Q

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

A. ASBR
B. OSPFv3
C. ECMP
D. OSPF

A

OSPFv3

46
Q

Which log type would provide information about traffic blocked by a Zone Protection profile?

Data Filtering
IP-Tag
Threat
Traffic

A

Threat

47
Q

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)

A. Enable decryption
B. Exclude video traffic
C. Create a Tunnel Inspection policy
D. Block traffic that is not work-related

A

Exclude video traffic

Block traffic that is not work-related

48
Q

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

A. A Decryption policy to decrypt the traffic and see the tag
B. A Deny policy with the “tag” App-ID to block the tagged traffic
C. An Allow policy for the initial traffic
D. A Deny policy for the tagged traffic

A

An Allow policy for the initial traffic

A Deny policy for the tagged traffic

49
Q

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

A. A certificate authority (CA) certificate
B. A private key
C. A server certificate
D. subject alternative name

A

A certificate authority (CA) certificate
subject alternative name

50
Q

Which three authentication types can be used to authenticate users? (Choose three.)

A. Local database authentication
B. PingID
C. Kerberos single sign-on
D. GlobalProtect client
E. Cloud authentication service

A

Local database authentication

Kerberos single sign-on

Cloud authentication service

51
Q

A company has configured a URL Filtering profile with override action on their firewall.

Which two profiles are needed to complete the configuration? (Choose two.)

A. Decryption
B. HTTP Server
C. SSL/TLS Service
D. Interface Management

A

SSL/TLS Service
Interface Management

52
Q

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.

Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A. A Machine Certificate for the firewall signed by the organization’s PKI
B. A web server certificate signed by the organization’s PKI
C. A subordinate Certificate Authority certificate signed by the organization’s PKI
D. A self-signed Certificate Authority certificate generated by the firewall

A

A subordinate Certificate Authority certificate signed by the organization’s PKI

53
Q

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?

A. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.
B. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.
C. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
D. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

A

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

54
Q

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.

What should they review with their leadership before implementation?

A. Browser-supported cipher documentation
B. Cipher documentation supported by the endpoint operating system
C. URL risk-based category distinctions
D. Legal compliance regulations and acceptable usage policies

A

Legal compliance regulations and acceptable usage policies

55
Q

What must be configured to apply tags automatically to User-ID logs?

A. User mapping
B. Log Forwarding profile
C. Log settings
D. Group mapping

A

Log settings

56
Q

As a best practice, logging at session start should be used in which case?

A. While troubleshooting
B. Only on Deny rules
C. Only when log at session end is enabled
D. On all Allow rules

A

While troubleshooting

57
Q

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)

A. PA-220
B. PA-800 Series
C. PA-5000
D. PA-500
E. PA-3400 Series

A

PA-220

PA-800 Series

PA-3400 Series

58
Q

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer.

Where should this change be made?

A. IKE Gateway profile
B. IPSec Crypto profile
C. IKE Crypto profile
D. IPSec Tunnel settings

A

IPSec Crypto profile

59
Q

An engineer needs to collect User-ID mappings from the company’s existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two.)

A. Client probing
B. XFF Headers
C. Syslog
D. Server Monitoring

A

XFF Headers
Syslog

60
Q

An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?

A. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

D. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

A

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

61
Q

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI.
Which CLI command can the engineer use?

A. test vpn flow
B. test vpn tunnel
C. test vpn gateway
D. test vpn ike-sa

A

test vpn ike-sa

62
Q

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.
When overriding the firewall configuration pushed from Panorama, what should you consider?

A. Only Panorama can revert the override.
B. The modification will not be visible in Panorama.
C. Panorama will update the template with the overridden value.
D. The firewall template will show that it is out of sync within Panorama.

A

The modification will not be visible in Panorama

63
Q

A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
What should the administrator do to allow the tool to scan through the firewall?

A. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

B. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.

C. Remove the Zone Protection profile from the zone setting.

D. Change the TCP port scan action from Block to Alert in the Zone Protection profile.

A

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.

64
Q

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

A. Check dependencies
B. Schedules
C. Verify
D. Revert content
E. Install

A

Schedules

Revert content

Install

65
Q

What is the best definition of the Heartbeat Interval?

A. the interval during which the firewall will remain active following a link monitor failure
B. the frequency at which the HA peers exchange ping
C. the interval in milliseconds between hello packets
D. the frequency at which the HA peers check link or path availability

A

The frequency at which the HA peers exchange ping

66
Q

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames.

The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events.
All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28.
What information does the administrator need to provide in the User Identification > Discovery section?

A. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers

B. network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange

C. one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers

D. network 192.168.28.32/27 with server type Microsoft

A

The IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers

67
Q

An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up.

If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?

A. show system state filter sw.dev.interface.config
B. show chassis status slot s1
C. show system state filter-pretty sys.s1.*
D. show system state filter ethernet1/1

A

show system state filter-pretty sys.s1.*

68
Q

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

A. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
D. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.

A

Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.

69
Q

Which protocol is supported by GlobalProtect Clientless VPN?

A. FTP
B. HTTPS
C. SSH
D. RDP

A

HTTPS

70
Q

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

A. upload-only
B. install and reboot
C. upload and install
D. upload and install and reboot
E. verify and install

A

A. upload-only

C. upload and install

D. upload and install and reboot

71
Q

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?

A. Configure the TAP interface for segment X on the firewall
B. Configure a Layer 3 interface for segment X on the firewall.
C. Configure vwire interfaces for segment X on the firewall.
D. Configure a new vsys for segment X on the firewall.

A

Configure vwire interfaces for segment X on the firewall

72
Q

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?

A. Use the Dynamic IP address type
B. Enable Passive Mode.
C. Set up certificate authentication.
D. Configure the peer address as an FQDN.

A

Use the Dynamic IP address type

73
Q

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?

A. Legacy
B. Management Only
C. Log Collector
D. Panorama

A

Management Only

74
Q

Which Panorama feature protects logs against data loss if a Panorama server fails?

A. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

B. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.

C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

A

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

75
Q

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

A. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
B. The firewall rejects the pushed configuration, and the commit fails.
C. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects.
D. The firewall renames the duplicate local objects with “-1” at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

A

The firewall rejects the pushed configuration, and the commit fails.

76
Q

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time.
How can they achieve this?

A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
C. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes
D. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

A

Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes

77
Q

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

A. #set deviceconfig setting session tcp-reject-non-syn no

B. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set “Reject Non-syn-TCP” to Global. Set “Asymmetric Path” to Global.

C. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set “Reject Non-syn-TCP” to No. Set “Asymmetric Path” to Bypass.

D. > set session tcp-reject-non-syn no

A

1. # set deviceconfig setting session tcp-reject-non-syn no
2. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set “Reject Non-syn-TCP” to No. Set “Asymmetric Path” to Bypass.

78
Q

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

A. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.

B. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use IP User Mapping. Commit.

C. Choose the URL categories on Site Access column and set action to block. Click the User Credential Detection tab and select IP User Mapping. Commit.

D. Choose the URL categories in the User Credential Submission column and set action to block. Select the URL filtering settings and enable Domain Credential Filter. Commit.

A

Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.

79
Q

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

A. template variables
B. the ‘Shared’ device group
C. template stacks
D. a device group

A

template variables

80
Q

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the “security certificate is not trusted” warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/ website
2. End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?

A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores

C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

D. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

A

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

81
Q

Which statement is correct given the following message from the PanGPA.log on the GlobalProtect app?
Failed to connect to server at port:4767

A. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C. The PanGPS process failed to connect to the PanGPA process on port 4767

D. The PanGPA process failed to connect to the PanGPS process on port 4767

A

The PanGPA process failed to connect to the PanGPS process on port 4767

82
Q

Which statement regarding HA timer settings is true?

A. Use the Moderate profile for typical failover timer settings
B. Use the Critical profile for faster failover timer settings
C. Use the Aggressive profile for slower failover timer settings
D. Use the Recommended profile for typical failover timer settings

A

Use the Recommended profile for typical failover timer settings

83
Q

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

A. Use the import option to pull logs.
B. Use the scp logdb export command.
C. Export the log database.
D. Use the ACC to consolidate the logs.

A

Export the log database

84
Q

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?

A. Add a firewall to both the device group and the template
B. Add the template as a reference template in the device group
C. Enable “Share Unused Address and Service Objects with Devices” in Panorama settings
D. Specify the target device as the master device in the device group

A

Add the template as a reference template in the device group

85
Q

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current BGP state between the two devices?

A. show routing protocol bgp rib-out
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp state

A

show routing protocol bgp peer

86
Q

A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.) (related to #238 and #314)

A. Authentication Algorithm
B. Encryption Algorithm
C. Certificate
D. Maximum TLS version
E. Minimum TLS version

A

Certificate
Maximum TLS version
Minimum TLS version

87
Q

A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

A. Vulnerability Protection profile
B. DoS Protection profile
C. Data Filtering profile
D. URL Filtering profile

A

DoS Protection profile

88
Q

In a template, you can configure which two objects? (Choose two.)

A. Monitor profile
B. application group
C. SD-WAN path quality profile
D. IPsec tunnel

A

Monitor profile

IPsec tunnel

89
Q

In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?

A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours

A

6 to 12 hours

90
Q

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A. LDAP Server Profile configuration
B. GlobalProtect
C. Windows-based User-ID agent
D. PAN-OS integrated User-ID agent

A

GlobalProtect

91
Q

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane.
Where does the administrator view the desired data?

A. Resources Widget on the Dashboard
B. Monitor > Utilization
C. Support > Resources
D. Application Command and Control Center

A

Resources Widget on the Dashboard

92
Q

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

A. HA3
B. Console Backup
C. HSCI-C
D. HA2 backup

A

HA3

HA2 backup

93
Q

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

A. Permitted IP Addresses
B. SSH
C. https
D. User-ID
E. HTTP

A

Permitted IP Addresses
SSH
https

94
Q

An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

A. A Decryption profile must be attached to the Decryption policy that the traffic matches.

B. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

C. A Decryption profile must be attached to the Security policy that the traffic matches.

D. There must be a certificate with only the Forward Trust option selected.

A

There must be a certificate with only the Forward Trust option selected

95
Q

An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regard to the WildFire infrastructure?

A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.

A

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds

96
Q

An administrator receives the following error message:
“IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0.”
How should the administrator identify the root cause of this error message?

A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.

C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.

D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

A

Check whether the VPN peer on one end is set up correctly using policy-based VPN.

97
Q

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity
D. GlobalProtect Quarantine Activity

A

GlobalProtect Deployment Activity

Successful GlobalProtect Connection Activity

98
Q

Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)

A. video streaming application
B. Client Application Process
C. Destination Domain
D. Source Domain
E. Destination user/group
F. URL Category

A

Video streaming application

Client Application Process

Destination Domain

99
Q

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

A. Rule Usage Hit counter will not be reset.
B. Highlight Unused Rules will highlight all rules.
C. Highlight Unused Rules will highlight zero rules.
D. Rule Usage Hit counter will reset.

A

Rule Usage Hit counter will not be reset.

Highlight Unused Rules will highlight all rules

100
Q

Which operation will impact the performance of the management plane?

A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions

A

Generating a SaaS Application report

101
Q

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot

A

Export device state

102
Q

Which DoS protection mechanism detects and prevents session exhaustion attacks?

A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection

A

Resource Protection

103
Q

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

A. The passive firewall, which then synchronizes to the active firewall

B. The active firewall, which then synchronizes to the passive firewall

C. Both the active and passive firewalls, which then synchronize with each other

D. Both the active and passive firewalls independently, with no synchronization afterward

A

Both the active and passive firewalls independently, with no synchronization afterward

104
Q

A company wants to add threat prevention to the network without redesigning the network routing. What are the two best practice deployment modes for the firewall?

Tap
Virtual Wire
Layer 2
Layer 3

A

Tap
Virtual Wire