PCNSE#2

Question 1

Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?
•	A. ACC
•	B. System Logs
•	C. App Scope
•	D. Session Browser

Answer 1

D. Session Browser

Question 2

Which protection feature is available only in a Zone Protection Profile?
• A. SYN Flood Protection using SYN Flood Cookies
• B. ICMP Flood Protection
• C. Port Scan Protection
• D. UDP Flood Protections

Answer 2

C. Port Scan Protection

Question 3

Which CLI command can be used to export the tcpdump capture?
• A. scp export tcpdump from mgmt.pcap to
• B. scp extract mgmt-pcap from mgmt.pcap to
• C. scp export mgmt-pcap from mgmt.pcap to
• D. download mgmt.-pcap

Answer 3

C. scp export mgmt-pcap from mgmt.pcap to

Question 4

An administrator has configured the Palo Alto Networks NGFWs management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?
• A. A scheduler will need to be configured for application signatures.
• B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
• C. A Threat Prevention license will need to be installed.
• D. A service route will need to be configured

Answer 4

A. A scheduler will need to be configured for application signatures.

Question 5

Which three options are supported in HA Lite? (Choose three.)
• A. Virtual link
• B. Active/passive deployment
• C. Synchronization of IPsec security associations
• D. Configuration synchronization
• E. Session synchronization

Answer 5

B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization

Question 6

Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?
•	A. debug system details
•	B. show session info
•	C. show system info
•	D. show system details

Answer 6

C. show system info

Question 7

During the packet flow process, which two processes are performed in application identification? (Choose two.)
• A. Pattern based application identification
• B. Application override policy match
• C. Application changed from content inspection
• D. Session application identified.

Answer 7

A. Pattern based application identification

B. Application override policy match

Question 8

Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?
•	A. Session Browser
•	B. Application Command Center
•	C. TCP Dump
•	D. Packet Capture

Answer 8

B. Application Command Center

Question 9

Which three steps will reduce the CPU utilization on the management plane? (Choose three.)
• A. Disable SNMP on the management interface.
• B. Application override of SSL application.
• C. Disable logging at session start in Security policies.
• D. Disable predefined reports.
• E. Reduce the traffic being decrypted by the firewall.

Answer 9

A. Disable SNMP on the management interface.
C. Disable logging at session start in Security policies.
D. Disable predefined reports.

Question 10

Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?
•	A. URL Filtering profile
•	B. Zone Protection profile
•	C. Anti-Spyware profile
•	D. Vulnerability Protection profile

Answer 10

A. URL Filtering profile

Question 11

How can a candidate or running configuration be copied to a host external from Panorama?
• A. Commit a running configuration.
• B. Save a configuration snapshot.
• C. Save a candidate configuration.
• D. Export a named configuration snapshot.

Answer 11

D. Export a named configuration snapshot.

Question 12

If an administrator does not possess a websites certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?
•	A. SSL Forward Proxy
•	B. SSL Inbound Inspection
•	C. TLS Bidirectional proxy
•	D. SSL Outbound Inspection

Answer 12

A. SSL Forward Proxy

Question 13

An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the companys proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?
• A. Create a custom App-ID and enable scanning on the advanced tab.
• B. Create an Application Override policy.
• C. Create a custom App-ID and use the “ordered conditions” check box.
• D. Create an Application Override policy and custom threat signature for the application.

Answer 13

A. Create a custom App-ID and enable scanning on the advanced tab.

Question 14

Which three firewall states are valid? (Choose three.)
•	A. Active
•	B. Functional
•	C. Pending
•	D. Passive
•	E. Suspended

Answer 14

A. Active
D. Passive
E. Suspended

Question 15

Which virtual router feature determines if a specific destination IP address is reachable?
•	A. Heartbeat Monitoring
•	B. Failover
•	C. Path Monitoring
•	D. Ping-Path

Answer 15

C. Path Monitoring

Question 16

An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?
• A. Decryption Mirror interface with the Threat Analysis license
• B. Virtual Wire interface with the Decryption Port Export license
• C. Tap interface with the Decryption Port Mirror license
• D. Decryption Mirror interface with the associated Decryption Port Mirror license

Answer 16

D. Decryption Mirror interface with the associated Decryption Port Mirror license

Question 17

An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?
• A. In the details of the Traffic log entries
• B. Decryption log
• C. Data Filtering log
• D. In the details of the Threat log entries

Answer 17

A. In the details of the Traffic log entries

Question 18

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?
• A. Vulnerability Protection
• B. Anti-Spyware
• C. URL Filtering
• D. Antivirus

Answer 18

A. Vulnerability Protection

Question 19

Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?”
• A. Descendant objects will take precedence over other descendant objects.
• B. Descendant objects will take precedence over ancestor objects.
• C. Ancestor objects will have precedence over descendant objects.
• D. Ancestor objects will have precedence over other ancestor objects.

Answer 19

C. Ancestor objects will have precedence over descendant objects.

Question 20

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?
• A. Use custom certificates
• B. Enable LDAP or RADIUS integration
• C. Set up multi-factor authentication
• D. Configure strong password authentication

Answer 20

A. Use custom certificates

Question 21

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443.
• A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
• B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
• C. Rule # 1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow
• D. Rule #1: application: web-browsing; service: service-http; action: allow

Answer 21

A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow

Question 22

Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
• A. The firewall is in multi-vsys mode.
• B. The traffic is offloaded.
• C. The traffic does not match the packet capture filter.
• D. The firewall’s DP CPU is higher than 50%.

Answer 22

B. The traffic is offloaded.

C. The traffic does not match the packet capture filter.

Question 23

A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS software would help in this case?
• A. application override
• B. Virtual Wire mode
• C. content inspection
• D. redistribution of user mappings

Answer 23

D. redistribution of user mappings

Question 24

An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?
• A. Use config-drive on a USB stick.
• B. Use an S3 bucket with an ISO.
• C. Create and attach a virtual hard disk (VHD).
• D. Use a virtual CD-ROM with an ISO.

Answer 24

D. Use a virtual CD-ROM with an ISO.

Question 25

Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)
• A. Block sessions with expired certificates
• B. Block sessions with client authentication
• C. Block sessions with unsupported cipher suites
• D. Block sessions with untrusted issuers
• E. Block credential phishing

Answer 25

A. Block sessions with expired certificates

D. Block sessions with untrusted issuers

Question 26

Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
•	A. port mapping
•	B. server monitoring
•	C. client probing
•	D. XFF headers

Answer 26

A. port mapping

Question 27

Which feature can be configured on VM-Series firewalls?
•	A. aggregate interfaces
•	B. machine learning
•	C. multiple virtual systems
•	D. GlobalProtect

Answer 27

D. GlobalProtect

Question 28

In High Availability, which information is transferred via the HA data link?
•	A. session information
•	B. heartbeats
•	C. HA state information
•	D. User-ID information

Answer 28

A. session information

Question 29

The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)
• A. Create a custom application.
• B. Create a custom object for the custom application server to identify the custom application.
• C. Submit an App-ID request to Palo Alto Networks.
• D. Create a Security policy to identify the custom application.

Answer 29

A. Create a custom application.

C. Submit an App-ID request to Palo Alto Networks.

Question 30

If an administrator wants to decrypt SMTP traffic and possesses the servers certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
•	A. TLS Bidirectional Inspection
•	B. SSL Inbound Inspection
•	C. SSH Forward Proxy
•	D. SMTP Inbound Decryption

Answer 30

B. SSL Inbound Inspection

Question 31

A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?
• A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
• B. Add a Vulnerability Protection Profile to block the attack.
• C. Add QoS Profiles to throttle incoming requests.
• D. Add a DoS Protection Profile with defined session count.

Answer 31

D. Add a DoS Protection Profile with defined session count.

Question 32

Which CLI command enables an administrator to check the CPU utilization of the dataplane?
•	A. show running resource-monitor
•	B. debug data-plane dp-cpu
•	C. show system resources
•	D. debug running resources

Answer 32

A. show running resource-monitor

Question 33

Which DoS protection mechanism detects and prevents session exhaustion attacks?
•	A. Packet Based Attack Protection
•	B. Flood Protection
•	C. Resource Protection
•	D. TCP Port Scan Protection

Answer 33

C. Resource Protection

Question 34

Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)
•	A. Content-ID
•	B. User-ID
•	C. Applications and Threats
•	D. Antivirus

Answer 34

C. Applications and Threats

D. Antivirus

Question 35

Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)
•	A. TACACS+
•	B. Kerberos
•	C. PAP
•	D. LDAP
•	E. SAML
•	F. RADIUS

Answer 35

A. TACACS+
E. SAML
F. RADIUS

Question 36

What is exchanged through the HA2 link?
•	A. hello heartbeats
•	B. User-ID information
•	C. session synchronization
•	D. HA state information

Answer 36

C. session synchronization

Question 37

Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?
• A. Both SSH keys and SSL certificates must be generated.
• B. No prerequisites are required.
• C. SSH keys must be manually generated.
• D. SSL certificates must be generated.

Answer 37

B. No prerequisites are required.

Question 38

A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)
• A. ae.8
• B. aggregate.1
• C. ae.1
• D. aggregate.8

Answer 38

A. ae.8

C. ae.1

Question 39

Which three authentication factors does PAN-OS® software support for MFA (Choose three.)
•	A. Push
•	B. Pull
•	C. Okta Adaptive
•	D. Voice
•	E. SMS

Answer 39

A. Push
D. Voice
E. SMS

Question 40

What are the differences between using a service versus using an application for Security Policy match?
• A. Use of a “service” enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an “application” allows the firewall to take immediate action if the port being used is a member of the application standard port list.
• B. There are no differences between “service” or “application”. Use of an “application” simplifies configuration by allowing use of a friendly application name instead of port numbers.
• C. Use of a “service” enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an “application” allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used
• D. Use of a “service” enables the firewall to take action after enough packets allow for App-ID identification

Answer 40

C. Use of a “service” enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an “application” allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used

Question 41

Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?
•	A. GlobalProtect
•	B. System
•	C. Authentication
•	D. Configuration

Answer 41

A. GlobalProtect

Question 42

An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?
• A. Enable QoS interface
• B. Enable QoS in the Interface Management Profile
• C. Enable QoS Data Filtering Profile
• D. Enable QoS monitor

Answer 42

A. Enable QoS interface

Question 43

Which log file can be used to identify SSL decryption failures?
•	A. Traffic
•	B. ACC
•	C. Configuration
•	D. Threats

Answer 43

A. Traffic

Question 44

A customer wants to set up a site-to-site VPN using tunnel interfaces.
Which two formats are correct for naming tunnel interfaces? (Choose two.)
• A. tunnel.1
• B. vpn-tunnel.1
• C. tunnel.1025
• D. vpn-tunnel.1024

Answer 44

A. tunnel.1

C. tunnel.1025

Question 45

When is the content inspection performed in the packet flow process?
• A. after the application has been identified
• B. before session lookup
• C. before the packet forwarding process
• D. after the SSL Proxy re-encrypts the packet

Answer 45

A. after the application has been identified

Question 46

An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)
• A. View Runtime Stats in the virtual router.
• B. View System logs.
• C. Add a redistribution profile to forward as BGP updates.
• D. Perform a traffic pcap at the routing stage.

Answer 46

A. View Runtime Stats in the virtual router.

B. View System logs.

Question 47

The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)
• A. View the System logs and look for the error messages about BGP.
• B. Perform a traffic pcap on the NGFW to see any BGP problems.
• C. View the Runtime Stats and look for problems with BGP configuration.
• D. View the ACC tab to isolate routing issues.

Answer 47

A. View the System logs and look for the error messages about BGP.
C. View the Runtime Stats and look for problems with BGP configuration.

Question 48

Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
• A. Verify AutoFocus status using CLI.
• B. Check the WebUI Dashboard AutoFocus widget.
• C. Check for WildFire forwarding logs.
• D. Check the license
• E. Verify AutoFocus is enabled below Device Management tab.

Answer 48

A. Verify AutoFocus status using CLI.

E. Verify AutoFocus is enabled below Device Management tab.

Question 49

An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates automatically?
• A. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.
• B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.
• C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interfaced destined for the update servers goes out of the interface acting as your Internet connection.
• D. Configure a Security policy rule to allow all traffic to and from the update servers.

Answer 49

B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.

Question 50

A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?
A. Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Answer 50

B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.