2024 Updated PCNSE Exam Questions & Practice Tests, Palo Alto Networks Certified | SPOTO

Preparing for the PCNSE certification exam? Our latest practice tests and exam materials offer comprehensive coverage of the exam objectives. Access free test questions, exam practice with online exam questions, sample questions, and exam dumps to gauge your readiness. Our exam questions and answers, mock exams, and exam questions cover real-world scenarios, helping you gain in-depth knowledge and abilities to design, install, configure, maintain, and troubleshoot Palo Alto Networks implementations. This intermediate PCNSE certification validates your expertise as a Palo Alto Networks Certified Network Security Engineer. Leverage our up-to-date practice tests and exam materials to succeed and pass the PCNSE certification exam with confidence.

Question #1
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?
A. Use config-drive on a USB stick
B. Use an S3 bucket with an ISO
C. Create and attach a virtual hard disk (VHD)
D. Use a virtual CD-ROM with an ISO
Correct Answer: DEF
Question #2
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?
A. Certificate revocation list
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol
Correct Answer: A
Question #3
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
A. The firewall is in multi-vsys mode
B. The traffic is offloaded
C. The traffic does not match the packet capture filter
D. The firewall’s DP CPU is higher than 50%
Correct Answer: B
Question #4
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge. What is the expected verdict from WildFire?
A. Malware
B. Grayware
C. Phishing
D. Spyware
Correct Answer: B
Question #5
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?
A. Admin Role
B. WebUI
C. Authentication
D. Authorization
Correct Answer: DE
Question #6
What is the best description of the Cluster Synchronization Timeout (min)?
A. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
B. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
D. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
Correct Answer: B
Question #7
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?
A. exploitation
B. IP command and control
C. delivery
D. reconnaissance
Correct Answer: D
Question #8
Which three options are supported in HA Lite? (Choose three.)
A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization
Correct Answer: BCD
Question #9
View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.)
A. SMTP has a higher priority but lower bandwidth than Zoom
B. Facetime has a higher priority but lower bandwidth than Zoom
C. google-video has a higher priority and more bandwidth than WebEx
D. DNS has a higher priority and more bandwidth than SSH
Correct Answer: BD
Question #10
Which three options are supported in HA Lite? (Choose three.)
A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization
Correct Answer: AB
Question #11
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the webUI? (Choose two.)
A. server certificate
B. SSL/TLS Service Profile
C. certificate profile
D. SSH Service Profile
Correct Answer: BC
Question #12
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?
A. The priority assigned to the Authentication profile defines the order of the sequence
B. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user
C. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made
D. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user
Correct Answer: C
Question #13
People are having intermittent quality issues during a live meeting via web application.
A. Use QoS profile to define QoS Classes
B. Use QoS Classes to define QoS Profile
C. Use QoS Profile to define QoS Classes and a QoS Policy
D. Use QoS Classes to define QoS Profile and a QoS Policy
Correct Answer: C
Question #14
What is the best description of the HA4 Keep-alive Threshold (ms)?
A. the timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
B. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
C. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
D. the time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
Correct Answer: B
Question #15
Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)
A. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions
B. Enable User-ID on the zone object for the destination zone
C. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions
D. Enable User-ID on the zone object for the source zone
E. Configure a RADIUS server profile to point to a domain controller
Correct Answer: ACF
Question #16
In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available. This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
A. System logs
B. WildFire logs
C. Threat logs
D. Traffic logs
Correct Answer: A
Question #17
Which command can be used to validate a Captive Portal policy?
A. eval captive-portal policy
B. request cp-policy-eval
C. test cp-policy-match
D. debug cp-policy
Correct Answer: ADE
Question #18
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)
A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing
Correct Answer: ACF
Question #19
Which log file can be used to identify SSL decryption failures?
A. Configuration
B. Threats
C. ACC
D. Traffic
Correct Answer: A
Question #20
A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company's firewall. Which interface configuration will accept specific VLAN IDs? Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two.)
A. A report can be created that identifies unclassified traffic on the network
B. Different security profiles can be applied to traffic matching rules 2 and 3
C. Rule 2 and 3 apply to traffic on different ports
D. Separate Log Forwarding profiles can be applied to rules 2 and 3
Correct Answer: C
Question #21
A customer wants to set up a site-to-site VPN using tunnel interfaces. Which two formats are correct for naming tunnel interfaces? (Choose two.)
A. Vpn-tunnel
B. vpn-tunne
C. tunnel 1025
D. tunne
E. 1
Correct Answer: C
Question #22
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
A. Verify AutoFocus status using CLI
B. Check the WebUI Dashboard AutoFocus widget
C. Check for WildFire forwarding logs
D. Check the license
E. Verify AutoFocus is enabled below Device Management tab
Correct Answer: AB
Question #23
Which two mechanisms help prevent a split-brain scenario in an Active/Passive High Availability (HA) pair? (Choose two.)
A. Configure the management interface as HA3 Backup
B. Configure Ethernet 1/1 as HA1 Backup
C. Configure Ethernet 1/1 as HA2 Backup
D. Configure the management interface as HA2 Backup
E. Configure the management interface as HA1 Backup
F. Configure ethernet1/1 as HA3 Backup
Correct Answer: CD
Question #24
A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)
A. Application Override policy
B. Security policy to identify the custom application
C. Custom application
D. Custom Service object
Correct Answer: B
Question #25
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Log
B. Alert
C. Allow
D. Default
Correct Answer: BCEF
Question #26
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)
A. dll
B. exe
C. src
D. apk
E. pdf
F. jar
Correct Answer: B
Question #27
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust?
A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication
Correct Answer: DEF
Question #28
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)
A. The firewalls must have the same set of licenses
B. The management interfaces must be on the same network
C. The peer HA1 IP address must be the same on both firewalls
D. HA1 should be connected to HA1
Correct Answer: C
Question #29
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?
A. Microsoft Active Directory
B. Microsoft Terminal Services
C. Aerohive Wireless Access Point
D. Palo Alto Networks Captive Portal
Correct Answer: CD
Question #30
A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab. What could cause this condition?
A. The firewall does not have an active WildFire subscription
B. The engineer's account does not have permission to view WildFire Submissions
C. A policy is blocking WildFire Submission traffic
D. Though WildFire is working, there are currently no WildFire Submissions log entries
Correct Answer: A
Question #31
Which field is optional when creating a new Security Policy rule?
A. Name
B. Description
C. Source Zone
D. Destination Zone
E. Action
Correct Answer: C
Question #32
Which three log-forwarding destinations require a server profile to be configured? (Choose three)
A. SNMP Trap
B. Email
C. RADIUS
D. Kerberos
E. Panorama
F. Syslog
Correct Answer: A
Question #33
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?
A. Enable packet buffer protection on the Zone Protection Profile
B. Apply an Anti-Spyware Profile with DNS sinkholing
C. Use the DNS App-ID with application-default
D. Apply a classified DoS Protection Profile
Correct Answer: D
Question #34
A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”. Which action will this configuration cause on the matched traffic?
A. The configuration is invalid
B. The Profile Settings section will be grayed out when the Action is set to “Deny”
C. The configuration will allow the matched session unless a vulnerability signature is detected
D. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile
E. The configuration is invalid
F. It will cause the firewall to skip this Security policy rule
Correct Answer: BC
Question #35
Which CLI command can be used to export the tcpdump capture?
A. Mastered
B. Not Mastered
Correct Answer: D
Question #36
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?
A. VM-100
B. VM-200
C. VM-1000-HV
D. VM-300
Correct Answer: CD
Question #37
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario?
A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP
C. The firewalls do not use floating IPs in active/active HA
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails
Correct Answer: A
Question #38
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)
A.
B.
C.
D.
E.
F.
Correct Answer: AD
Question #39
A variable name must start with which symbol?
A. $
B. &
C. !
D. #
Correct Answer: C
Question #40
Given the following table. Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?
A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext
D. Configuring the metric for RIP to be lower than that of OSPF Ext
Correct Answer: A
Question #41
A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites are to override these products?
A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules
Correct Answer: CD
Question #42
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge. What is the expected verdict from WildFire?
A. Grayware
B. Malware
C. Spyware
D. Phishing
Correct Answer: A
Question #43
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)
A. The /config /content and /software folders are mandatory while the /license and /plugin folders are optional
B. The bootstrap package is stored on an AFS share or a discrete container file bucket
C. The directory structure must include a /config /content, /software and /license folders
D. The init-cfg.txt and bootstrap
E. The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations
Correct Answer: B
Question #44
A user’s traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user’s traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question
B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question
C. Enable and configure a Link Monitoring Profile for the external interface of the firewall
D. Configure path monitoring for the next hop gateway on the default route in the virtual router
Correct Answer: A
Question #45
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)
A. Disable SNMP on the management interface
B. Application override of SSL application
C. Disable logging at session start in Security policies
D. Disable predefined reports
E. Reduce the traffic being decrypted by the firewall
Correct Answer: B
Question #46
Which three rule types are available when defining policies in Panorama? (Choose three.)
A. Pre Rules
B. Post Rules
C. Default Rules
D. Stealth Rules
E. Clean Up Rules
Correct Answer: B
Question #47
What can cause missing SSL packets when performing a packet capture on dataplane interfaces?
A. The packets are hardware offloaded to the offloaded processor on the dataplane
B. The missing packets are offloaded to the management plane CPU
C. The packets are not captured because they are encrypted
D. There is a hardware problem with offloading FPGA on the management plane
Correct Answer: C
Question #48
How are IPv6 DNS queries configured to use interface ethernet1/3?
A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration
Correct Answer: B
Question #49
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama. Which action would enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs into Panorama
B. A CLI command will forward the pre-existing logs to Panorama
C. Use the ACC to consolidate pre-existing logs
D. The log database will need to be exported from the firewalls and manually imported into Panorama
Correct Answer: C
Question #50
What is the purpose of the firewall decryption broker?
A. Decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools
B. Force decryption of previously unknown cipher suites
C. Inspect traffic within IPsec tunnel
D. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools
Correct Answer: C
Question #51
A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked?
A. Block all unauthorized applications using a security policy
B. Block all known internal custom applications
C. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks
D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks
Correct Answer: C
Question #52
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A. check
B. find
C. test
D. sim
Correct Answer: C
Question #53
What is the purpose of the firewall decryption broker?
A. Decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools
B. Force decryption of previously unknown cipher suites
C. Inspect traffic within IPsec tunnel
D. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools
Correct Answer: A
Question #54
A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?
A. Untrust (any) to Untrust (10
B. Untrust (any) to Untrust (1
C. Untrust (any) to DMZ (1
D. Untrust (any) to DMZ (10
Correct Answer: C
Question #55
DRAG DROP When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. Answer options may be used more than once or not at all.
A. Mastered
B. Not Mastered
Correct Answer: ABC
Question #56
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
A. Select download-and-install
B. Select download-and-install, with "Disable new apps in content update" selected
C. Select download-only
D. Select disable application updates and select "Install only Threat updates"
Correct Answer: A
Question #57
Which DoS protection mechanism detects and prevents session exhaustion attacks?
A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection
Correct Answer: D
Question #58
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources
Correct Answer: D
Question #59
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?
A. Enable on Site-A only
B. Enable on Site-B only
C. Enable on Site-B only with passive mode
D. Enable on Site-A and Site-B
Correct Answer: BE
Question #60
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)
A. WildFire updates
B. NAT
C. NTP
D. antivirus
E. File blocking
Correct Answer: BDE
Question #61
Which three functions are found on the dataplane of a PA-5050? (Choose three.)
A. Protocol Decoder
B. Dynamic routing
C. Management
D. Network Processing
E. Signature Match
Correct Answer: CD
Question #62
If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
A. Mastered
B. Not Mastered
Correct Answer: A
Question #63
Which option is an IPv6 routing protocol?
A. RIPv3
B. OSPFv3
C. OSPv3
D. BGP NG
Correct Answer: B
Question #64
Match each GlobalProtect component to the purpose of that component
A. Mastered
B. Not Mastered
Correct Answer: A
Question #65
Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination NAT policy in the Palo Alto Networks firewall.
A. Zone Pair: Source Zone: Internet, Destination Zone: DMZ; Rule Type: “intrazone”
B. Zone Pair: Source Zone: Internet, Destination Zone: DMZ; Rule Type: “intrazone” or “universal”
C. Zone Pair: Source Zone: Internet, Destination Zone: Internet; Rule Type: “intrazone” or “universal”
D. Zone Pair: Source Zone: Internet, Destination Zone: Internet; Rule Type: “intrazone”
Correct Answer: A
Question #66
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?
A. From the CLI, issue the show counter global filter pcap yes command
B. From the CLI, issue the show counter global filter packet-filter yes command
C. From the GUI, select show global counters under the monitor tab
D. From the CLI, issue the show counter interface command for the ingress interface
Correct Answer: ADE
Question #67
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?
A. A Server Profile has not been configured for logging to this Panorama device
B. Panorama is not licensed to receive logs from this particular firewall
C. The firewall is not licensed for logging to this Panorama device
D. None of the firewall's policies have been assigned a Log Forwarding profile
Correct Answer: A
Question #68
Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?
A. show session all filter ssl-decryption yes total-count yes
B. show session all ssl-decrypt yes count yes
C. show session all filter ssl-decrypt yes count yes
D. show session filter ssl-decryption yes total-count yes
Correct Answer: C
Question #69
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
A. To enable Gateway authentication to the Portal
B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal
Correct Answer: D
Question #70
The firewall identifies a popular application as an unknown-tcp. Which two options are available to identify the application? (Choose two.)
A. Create a custom application
B. Create a custom object for the custom application server to identify the custom application
C. Submit an App-ID request to Palo Alto Networks
D. Create a Security policy to identify the custom application
Correct Answer: A
Question #71
Which is the maximum number of samples that can be submitted to WildFire per day, based on WildFire subscription?
A. 15,000
B. 10,000
C. 75,00
D. 5,000
Correct Answer: C
Question #72
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4. Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise? (Choose three.)
A. Download PAN-OS 8
B. Download PAN-OS 8
C. Push the PAN-OS 8
D. Push the PAN-OS 8
E. Download and install PAN-OS 8
F. Download and push PAN-OS 8
Correct Answer: A
Question #73
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Log
B. Alert
C. Allow
D. Default
Correct Answer: A
Question #74
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?
A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile
Correct Answer: A
Question #75
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption
Correct Answer: B
Question #76
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
A. The interface must be used for traffic to the required services
B. You must enable DoS and zone protection
C. You must set the interface to Layer 2 Layer 3
D. You must use a static IP address
Correct Answer: CD
Question #77
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?
A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic
B. Wait until an official Application signature is provided from Palo Alto Networks
C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application
D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic
Correct Answer: D
Question #78
Click the Exhibit button below. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC?
A. 172
B. 172
C. 172
D. 172
Correct Answer: BD
Question #79
Match each SD-WAN configuration element to the description of that element.
A. Mastered
B. Not Mastered
Correct Answer: AD
Question #80
Which CLI command displays the current management plane memory utilization?
A. > show system info
B. > show system resources
C. > debug management-server show
D. > show running resource-monitor
Correct Answer: D
Question #81
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus
Correct Answer: D
Question #82
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)
A. User logon
B. Short message service
C. Push
D. SSH keyE
Correct Answer: D
Question #83
When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log. What will be the destination IP Address in that log entry?
A. The IP Address of sinkhole
B. The IP Address of the command-and-control server
C. The IP Address specified in the sinkhole configuration
D. The IP Address of one of the external DNS servers identified in the anti-spyware database
Correct Answer: D
