PCNSE#5 Flashcards

1
Q
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information:
* DMZ zone: DMZ-L3
* Public zone: Untrust-L3
* Guest zone: Guest-L3
* Web server zone: Trust-L3
* Public IP address (Untrust-L3): 1.1.1.1
* Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?
A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3
A

A. Untrust-L3

2
Q

Firewall administrators cannot authenticate to a firewall GUI. Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)

A. ms log
B. authd log
C. System log
D. Traffic log
E. dp-monitor.log
A

B. authd log

C. System log

3
Q

The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?

A. A Certificate Profile that contains the client certificate needs to be selected.
B. The source address supports only files hosted with an ftp://.
C. External Dynamic Lists do not support SSL connections.
D. A Certificate Profile that contains the CA certificate needs to be selected.

A

D. A Certificate Profile that contains the CA certificate needs to be selected.

4
Q

Which three options are available when creating a security profile? (Choose three)

A. Anti-Malware
B. File Blocking
C. URL Filtering
D. IDS/ISP
E. Threat Prevention
F. Antivirus
A

B. File Blocking
C. URL Filtering
F. Antivirus

5
Q

Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

A. Certificate revocation list
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol

A

C. Machine certificate

6
Q

A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

A. The two devices must share a routable floating IP address
B. The two devices may be different models within the PA-5000 series
C. The HA1 IP address from each peer must be on a different subnet
D. The management port may be used for a backup control connection

A

D. The management port may be used for a backup control connection

7
Q

When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

A. When configuring Certificate Profiles
B. When configuring GlobalProtect portal
C. When configuring User Activity Reports
D. When configuring Antivirus Dynamic Updates

A

D. When configuring Antivirus Dynamic Updates

8
Q

The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rule base. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

A. QoS Statistics
B. Applications Report
C. Application Command Center (ACC)
D. QoS Log

A

A. QoS Statistics

9
Q

An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?

A. Create an Application Override policy and a custom threat signature for the application
B. Create an Application Override policy
C. Create a custom App-ID and use the “ordered conditions” check box
D. Create a custom App ID and enable scanning on the advanced tab

A

D. Create a custom App ID and enable scanning on the advanced tab

10
Q
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?
A. Blocked Activity
B. Bandwidth Activity
C. Threat Activity
D. Network Activity
A

D. Network Activity

11
Q

A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4. Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise? (Choose three)

A. Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.
B. Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
C. Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.
D. Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall.
E. Download and install PAN-OS 8.0.4 directly on each firewall.
F. Download and push PAN-OS 8.0.4 from Panorama to each firewall.

A

A. Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.
C. Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.
F. Download and push PAN-OS 8.0.4 from Panorama to each firewall.

12
Q

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system?

A. Panorama Log Settings
B. Panorama Log Templates
C. Panorama Device Group Log Forwarding
D. Collector Log Forwarding for Collector Groups

A

A. Panorama Log Settings

13
Q

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perimeter firewall will allow the identification of existing infected hosts in an environment?

A. Anti-Spyware profiles applied to outbound security policies with DNS Query action set to sinkhole
B. File Blocking profiles applied to outbound security policies with action set to alert
C. Vulnerability Protection profiles applied to outbound security policies with action set to block
D. Antivirus profiles applied to outbound security policies with action set to alert

A

A. Anti-Spyware profiles applied to outbound security policies with DNS Query action set to sinkhole

14
Q

A Network Administrator wants to deploy a Large-Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations. How should this be accomplished?

A. Create a Template with the appropriate IKE Gateway settings
B. Create a Template with the appropriate IPsec tunnel settings
C. Create a Device Group with the appropriate IKE Gateway settings
D. Create a Device Group with the appropriate IPsec tunnel settings

A

B. Create a Template with the appropriate IPsec tunnel settings

15
Q
Which three log-forwarding destinations require a server profile to be configured? (Choose three)
A. SNMP Trap
B. Email
C. RADIUS
D. Kerberos
E. Panorama
F. Syslog
A

A. SNMP Trap
B. Email
F. Syslog

16
Q

A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem?

A. DHCP has been set to Auto.
B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
D. DNS has not been properly configured on the firewall

A

B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.

17
Q

A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?

A. test security-policy-match source destination destination port protocol
B. show security rule source destination destination port protocol
C. test security rule source destination destination port protocol
D. show security-policy-match source destination destination port protocol

A

A. test security-policy-match source destination destination port protocol

18
Q

An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator’s home and experiencing issues completing the connection. The following is the output from the command: What could be the cause of this problem?
A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA
C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.

A

C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.

19
Q

A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab. What could cause this condition?
A. The firewall does not have an active WildFire subscription
B. The engineer’s account does not have permission to view WildFire Submissions
C. A policy is blocking WildFire Submission traffic
D. Though WildFire is working, there are currently no WildFire Submissions log entries.

A

B. The engineer’s account does not have permission to view WildFire Submissions

20
Q

A company.com wants to enable Application Override. Given the following screenshot: Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)
A. Traffic that matches “rtp-base” will bypass the App-ID and Content-ID engines
B. Traffic will be forced to operate over UDP Port 16384
C. Traffic utilizing UDP Port 16384 will now be identified as “rtp-base”
D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines

A

C. Traffic utilizing UDP Port 16384 will now be identified as “rtp-base”
D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

21
Q
Which command can be used to validate a Captive Portal policy?
A. eval captive-portal policy 
B. request cp-policy-eval 
C. test cp-policy-match 
D. debug cp-policy
A

C. test cp-policy-match

22
Q

When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. Answer options may be used more than once or not at all.

A

Explanation:
IMAP, POP3, SMTP -> Alert
HTTP, FTP, SMB -> Reset-both

23
Q

A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information.
* Users outside the company are in the “Untrust-L3” zone
* The web server physically resides in the “Trust-L3” zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two)
A. Untrust-L3 for both Source and Destination zone
B. Destination IP of 192.168.1.10
C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
D. Destination IP of 23.54.6.10

A

A. Untrust-L3 for both Source and Destination zone

D. Destination IP of 23.54.6.10

24
Q

A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall. Which part of files needs to be imported back into the replacement firewall that is using Panorama?
A. Device state and license files
B. Configuration and serial number files
C. Configuration and statistics files
D. Configuration and Large Scale VPN (LSVPN) setups file

A

A. Device state and license files

25
Q

The company’s Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall’s dedicated management port is being used to connect to the management network. Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)
A. test panoramas-connect 10.10.10.5
B. show panorama-status
C. show arp all | match 10.10.10.5
D. tcpdump filter “host 10.10.10.5”
E. debug dataplane packet-diag set capture on

A

B. show panorama-status

D. tcpdump filter “host 10.10.10.5”

26
Q
Which two logs on the firewall will contain authentication-related information useful for troubleshooting purposes? (Choose two)
A. ms.log 
B. traffic.log  
C. system.log  
D. dp-monitor.log 
E. authd.log
A

C. system.log

E. authd.log

27
Q
Support for which authentication method was added in PAN-OS 8.0?
A. RADIUS  
B. LDAP  
C. Diameter  
D. TACACS+
A

D. TACACS+

28
Q

In the following image from Panorama, why are some values shown in red?
A. sg2 session count is the lowest compared to the other managed devices
B. us3 has a logging rate that deviates from the administrator-configured thresholds
C. uk3 has a logging rate that deviates from the seven-day calculated baseline
D. sg2 has misconfigured session thresholds.

A

C. uk3 has a logging rate that deviates from the seven-day calculated baseline

29
Q

Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)
A. The devices are pre-configured with a virtual wire pair out the first two interfaces
B. The devices are licensed and ready for deployment
C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections
D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone
E. The interfaces are pingable.

A

A. The devices are pre-configured with a virtual wire pair out the first two interfaces
C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections

30
Q

Which CLI command can be used to export the tcpdump capture?
A. scp export tcpdump from mgmt.pcap to
B. scp extract mgmt-pcap from mgmt.pcap to
C. scp export mgmt-pcap from mgmt.pcap to
D. download mgmt.-pcap

A

C. scp export mgmt-pcap from mgmt.pcap to

31
Q
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?
A. VM-100   
B. VM-200  
C. VM-1000-HV  
D. VM-300
A

C. VM-1000-HV

32
Q

Company.com has an in-house application that the Palo Alto Networks device doesn’t identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?
A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic
B. Wait until an official Application signature is provided from Palo Alto Networks
C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application
D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

A

D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

33
Q

A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?
A. From the CLI, issue the show counter global filter pcap yes command
B. From the CLI, issue the show counter global filter packet-filter yes command
C. From the GUI, select show global counters under the monitor tab
D. From the CLI, issue the show counter interface command for the ingress interface.

A

B. From the CLI, issue the show counter global filter packet-filter yes command

34
Q

Which setting allows a DoS Protection profile to limit the maximum concurrent sessions from a source IP address?
A. Set the type to Aggregate, clear the session’s box and set the Maximum concurrent Sessions to 4000
B. Set the type to Classified, clear the session’s box and set the Maximum concurrent Sessions to 4000
C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000
D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000

A

C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000

35
Q
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?
A. Master  
B. Universal  
C. Shared  
D. Global
A

C. Shared

36
Q
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)
A. KVM  
B. VMware ESX  
C. VMware NSX  
D. AWS
A

A. KVM

B. VMware ESX

37
Q

After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?
A. A Server Profile has not been configured for logging to this Panorama device
B. Panorama is not licensed to receive logs from this particular firewall
C. The firewall is not licensed for logging to this Panorama device
D. None of the firewall’s policies have been assigned a Log Forwarding profile

A

D. None of the firewall’s policies have been assigned a Log Forwarding profile

38
Q
The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalProtect Portal?
A. Server Certificate  
B. Client Certificate  
C. Authentication Profile  
D. Certificate Profile
A

A. Server Certificate

39
Q

A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile. What should be done next?
A. Click the simple-critical rule and then click the
B. Click the Exceptions tab and then click
C. View the default actions displayed in the Action column
D. Click the Rules tab and then look for rules with “default” in the Action column.

A

B. Click the Exceptions tab and then click

40
Q
A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)
A. BGP not sure  
B. OSPFv3  
C. RIP  
D. Static Route
A

B. OSPFv3

D. Static Route

41
Q

Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose two)
A. Brute-force signatures
B. BrightCloud URL Filtering
C. PAN-DB URL Filtering
D. DNS-based command-and-control signatures

A

C. PAN-DB URL Filtering

D. DNS-based command-and-control signatures

42
Q

How is the Forward Untrust Certificate used?
A. It is used for Captive Portal to identify unknown users.
B. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.
C. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted
D. It is used when web servers request a client certificate.

A

B. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.

43
Q
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Log  
B. Alert  
C. Allow  
D. Default
A

B. Alert

44
Q

A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first?
A. Remove the cable from the management interface, reload the log Collector and then re-connect that cable
B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
C. remove the device from the Collector Group
D. Revert to a previous configuration

A

C. remove the device from the Collector Group

45
Q

How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted
B. It is used when web servers request a client certificate
C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall
D. It is used for Captive Portal to identify unknown users.

A

C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall

46
Q

People are having intermittent quality issues during a live meeting via web application.
A. Use QoS profile to define QoS Classes
B. Use QoS Classes to define QoS Profile
C. Use QoS Profile to define QoS Classes and a QoS Policy
D. Use QoS Classes to define QoS Profile and a QoS Policy

A

C. Use QoS Profile to define QoS Classes and a QoS Policy

47
Q
Which three options does the WF-500 appliance support for local analysis? (Choose three)
A. E-mail links  
B. APK files  
C. jar files  
D. PNG files  
E. Portable Executable (PE) files
A

A. E-mail links
C. jar files
E. Portable Executable (PE) files

48
Q

How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?
A. Enable support for non-standard syslog messages under device management
B. Check the custom-format check box in the syslog server profile
C. Select a non-standard syslog server profile
D. Create a custom log format under the syslog server profile

A

D. Create a custom log format under the syslog server profile

49
Q
Click the Exhibit button below. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC?
A. 172.20.30.1  
B. 172.20.40.1  
C. 172.20.20.1  
D. 172.20.10.1
A

B. 172.20.40.1

50
Q
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces. Which Link Type setting will correct the error?
A. Set tunnel.1 to p2p
B. Set tunnel.1 to p2mp
C. Set Ethernet 1/1 to p2mp  
D. Set Ethernet 1/1 to p2p
A

A. Set tunnel.1 to p2p