PCNSE#3 Flashcards

1
Q
Which data flow describes redistribution of user mappings?
A. User-ID agent to firewall
B. Domain Controller to User-ID agent
C. User-ID agent to Panorama
D. firewall to firewall
A

D. firewall to firewall

2
Q
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?
A. System Utilization log
B. System log
C. Resources widget
D. CPU Utilization widget
A

C. Resources widget

3
Q
Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.)
A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password
A

A. Short message service
B. Push
D. Voice
F. One-Time Password

4
Q
Which two features does PAN-OS® software use to identify applications? (Choose two.)
A. transaction characteristics
B. session number
C. port number
D. application layer payload
A

A. transaction characteristics

D. application layer payload

5
Q
An administrator wants to upgrade an NGFW from PAN-OS® 7.1.2 to PAN-OS® 8.1.0. The firewall is not a part of an HA pair.
What needs to be updated first?
A. Applications and Threats
B. XML Agent
C. WildFire
D. PAN-OS® Upgrade Agent
A

A. Applications and Threats

6
Q
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot
A

C. Export device state

7
Q
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)
A. HA1 IP Address
B. Master Key
C. Zone Protection Profile
D. Network Interface Type
A

A. HA1 IP Address

B. Master Key

8
Q
When configuring the firewall for packet capture, what are the valid stage types?
A. Malware
B. Grayware
C. Phishing
D. Spyware
A

B. Grayware

9
Q

When configuring the firewall for packet capture, what are the valid stage types?
A. receive, management, transmit, and non-syn
B. receive, management, transmit, and drop
C. receive, firewall, send, and non-syn
D. receive, firewall, transmit, and drop

A

D. receive, firewall, transmit, and drop

10
Q
Which operation will impact the performance of the management plane?
A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions
A

C. generating a SaaS Application report

11
Q
Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
A. syslog listening
B. server monitoring
C. client probing
D. port mapping
A

A. syslog listening

12
Q

The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?
A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

A

A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone

13
Q
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
A. At-boot
B. Pre-logon
C. User-logon (Always on)
D. On-demand
A

B. Pre-logon

14
Q
Which feature can provide NGFWs with User-ID mapping information?
A. Web Captcha
B. Native 802.1q authentication
C. GlobalProtect
D. Native 802.1x authentication
A

C. GlobalProtect

15
Q
Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)
A. Role Based
B. Custom Panorama Admin
C. Device Group
D. Dynamic
E. Template Admin
A

C. Device Group

E. Template Admin

16
Q

Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
A. Select download-and-install
B. Select download-only
C. Select download-and-install, with “Disable new apps in content update” selected
D. Select disable application updates and select “Install only Threat updates”

A

C. Select download-and-install, with “Disable new apps in content update” selected

17
Q
Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?
A. 10,000
B. 15,000
C. 7,500
D. 5,000
A

A. 10,000

18
Q
In which two types of deployment is active/active HA configuration supported? (Choose two.)
A. Layer 3 mode
B. TAP mode
C. Virtual Wire mode
D. Layer 2 mode
A

A. Layer 3 mode

C. Virtual Wire mode

19
Q
For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)
A. ingress processing errors
B. rule match with action "deny"
C. rule match with action "allow"
D. equal-cost multipath
A

A. ingress processing errors

B. rule match with action “deny”

20
Q
Which logs enable a firewall administrator to determine whether a session was decrypted?
A. Traffic
B. Security Policy
C. Decryption
D. Correlated Event
A

A. Traffic

21
Q

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?
A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution

A

D. DNS settings for the firewall to use for resolution

22
Q

A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?
A. Add an Anti-Spyware Profile to block attacking IP address
B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
C. Add QoS Profiles to throttle incoming requests
D. Add a tuned DoS Protection Profile

A

D. Add a tuned DoS Protection Profile

23
Q

An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS® software?
A. Antivirus update package.
B. Applications and Threats update package.
C. User-ID agent.
D. WildFire update package

A

B. Applications and Threats update package.

24
Q

A firewall administrator has been asked to configure a Palo Alto Networks NGFW to protect against compromised hosts trying to phone home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus

A

A. Anti-Spyware

25
Q

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

A

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.

26
Q
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
A. CRL
B. CRT
C. OCSP
D. Cert-Validation-Profile
E. SSL/TLS Service Profile
A

A. CRL

C. OCSP

27
Q
Which administrative authentication method supports authorization by an external service?
A. Certificates
B. LDAP
C. RADIUS
D. SSH keys
A

C. RADIUS

28
Q

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
C. The firewalls do not use floating IPs in active/active HA.
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

A

A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.

29
Q

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
A. GlobalProtect version 4.0 with PAN-OS 8.1
B. GlobalProtect version 4.1 with PAN-OS 8.1
C. GlobalProtect version 4.1 with PAN-OS 8.0
D. GlobalProtect version 4.0 with PAN-OS 8.0

A

B. GlobalProtect version 4.1 with PAN-OS 8.1

30
Q
How does Panorama prompt VMware NSX to quarantine an infected VM?
A. HTTP Server Profile
B. Syslog Server Profile
C. Email Server Profile
D. SNMP Server Profile
A

A. HTTP Server Profile

31
Q

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
A. Create a no-decrypt Decryption Policy rule.
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
C. Create a Dynamic Address Group for untrusted sites.
D. Create a Security Policy rule with vulnerability Security Profile attached.
E. Enable the “Block sessions with untrusted issuers” setting.

A

A. Create a no-decrypt Decryption Policy rule.

E. Enable the “Block sessions with untrusted issuers” setting.

32
Q

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.
B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
D. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

A

A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.

33
Q

What is the purpose of the firewall decryption broker?
A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
B. force decryption of previously unknown cipher suites
C. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
D. inspect traffic within IPsec tunnels

A

A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.

34
Q
SAML SLO is supported for which two firewall features? (Choose two.)
A. GlobalProtect Portal
B. Captive Portal
C. WebUI
D. CLI
A

A. GlobalProtect Portal

C. WebUI

35
Q

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
A. Rule Usage Hit counter will not be reset
B. Highlight Unused Rules will highlight all rules.
C. Highlight Unused Rules will highlight zero rules.
D. Rule Usage Hit counter will reset.

A

A. Rule Usage Hit counter will not be reset

B. Highlight Unused Rules will highlight all rules.

36
Q
Which is not a valid reason for receiving a decrypt-cert-validation error?
A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer
A

A. Unsupported HSM

37
Q
Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)
A. video streaming application
B. Client Application Process
C. Destination Domain
D. Source Domain
E. Destination user/group
F. URL Category
A

A. video streaming application
B. Client Application Process
C. Destination Domain

38
Q

Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. Successful GlobalProtect Connection Activity
D. GlobalProtect Quarantine Activity

A

B. GlobalProtect Deployment Activity

C. Successful GlobalProtect Connection Activity

39
Q
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)
A. log forwarding auto-tagging
B. XML API
C. GlobalProtect agent
D. User-ID Windows-based agent
A

A. log forwarding auto-tagging

B. XML API

40
Q
SD-WAN is designed to support which two network topology types? (Choose two.)
A. point-to-point
B. hub-and-spoke
C. full-mesh
D. ring
A

B. hub-and-spoke

C. full-mesh

41
Q

Which option describes the operation of the automatic commit recovery feature?
A. It enables a firewall to revert to the previous configuration if rule shadowing is detected.
B. It enables a firewall to revert to the previous configuration if application dependency errors are found.
C. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure.
D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

A

D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.

42
Q
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)
A. branch and hub locations
B. link requirements
C. the name of the ISP
D. IP Addresses
A

A. branch and hub locations
B. link requirements
D. IP Addresses

43
Q

Starting with PAN-OS version 9.1, application dependency information is now reported in which two new locations? (Choose two.)
A. on the App Dependency tab in the Commit Status window
B. on the Policy Optimizer’s Rule Usage page
C. on the Application tab in the Security Policy Rule creation window
D. on the Objects > Applications browser pages

A

A. on the App Dependency tab in the Commit Status window

C. on the Application tab in the Security Policy Rule creation window

44
Q

Which two events trigger the operation of automatic commit recovery? (Choose two.)
A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall performs a local commit
D. when a firewall HA pair fails over

A

B. when Panorama pushes a configuration

C. when a firewall performs a local commit

45
Q
Panorama provides which two SD-WAN functions? (Choose two.)
A. network monitoring
B. control plane
C. data plane
D. physical network links
A

A. network monitoring

B. control plane

46
Q

A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company’s firewall.
Which interface configuration will accept specific VLAN IDs? Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two.)

A. A report can be created that identifies unclassified traffic on the network.
B. Different security profiles can be applied to traffic matching rules 2 and 3.
C. Rule 2 and 3 apply to traffic on different ports.
D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

A

B. Different security profiles can be applied to traffic matching rules 2 and 3.
D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

47
Q
Which two interface types can be used when configuring GlobalProtect Portal? (Choose two.)
A. Virtual Wire
B. Loopback
C. Layer 3
D. Tunnel
A

B. Loopback

C. Layer 3

48
Q

Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?
A. Enable on Site-A only
B. Enable on Site-B only
C. Enable on Site-B only with passive mode
D. Enable on Site-A and Site-B

A

D. Enable on Site-A and Site-B

49
Q

Based on the following image, what is the correct path of root, intermediate, and end-user certificate?
A. Palo Alto Networks > Symantec > VeriSign
B. Symantec > VeriSign > Palo Alto Networks
C. VeriSign > Palo Alto Networks > Symantec
D. VeriSign > Symantec > Palo Alto Networks

A

B. Symantec > VeriSign > Palo Alto Networks

50
Q

Based on the image, what caused the commit warning?
A. The CA certificate for FWD trust has not been imported into the firewall.
B. The FWD trust certificate has not been flagged as Trusted Root CA.
C. SSL Forward Proxy requires a public certificate to be imported into the firewall.
D. The FWD trust certificate does not have a certificate chain.

A

D. The FWD trust certificate does not have a certificate chain.