Updated Palo Alto PCNSE Exam Questions – Your Path to Success

The SPOTO Palo Alto PCNSE Exam Questions were invaluable in my preparation for the Palo Alto Networks Certified Network Security Engineer (PCNSE) certification exam. The comprehensive exam questions and answers, practice questions, and exam questions provided by SPOTO helped me thoroughly understand the concepts and scenarios required for designing, deploying, configuring, maintaining, and troubleshooting Palo Alto Networks Security Operating Platform implementations. SPOTO's study materials and exam resources, including mock exams, enabled me to simulate the real exam environment and identify areas that required further attention. Thanks to SPOTO's exhaustive exam preparation resources, I was able to pass the PCNSE exam successfully and validate my expertise in implementing Palo Alto Networks security solutions.

Question #1
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache
Correct Answer: B
Question #2
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?
A. Untrust (any) to Untrust (10
B. Untrust (any) to Untrust (1
C. Untrust (any) to DMZ (1
D. Untrust (any) to DMZ (10
Correct Answer: C
Question #3
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW?
A. Custom application
B. System logs show an application error and neither signature is used
C. Downloaded application
D. Custom and downloaded application signature files are merged and both are used
Correct Answer: A
Question #4
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN configuration would adapt to changes when deployed to the future site?
A. Preconfigured GlobalProtect satellite
B. Preconfigured GlobalProtect client
C. Preconfigured IPsec tunnels
D. Preconfigured PPTP Tunnels
Correct Answer: A
Question #5
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the Internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?
A. Action 'reset-server' and packet capture 'disable'
B. Action 'default' and packet capture 'single-packet'
C. Action 'reset-both' and packet capture 'extended-capture'
D. Action 'reset-both' and packet capture 'single-packet'
Correct Answer: D
Question #6
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements. What is the correct setting?
A. Change the HA timer profile to "user-defined" and manually set the timers
B. Change the HA timer profile to "fast"
C. Change the HA timer profile to "aggressive" or customize the settings in advanced profile
D. Change the HA timer profile to "quick" and customize in advanced profile
Correct Answer: C
Question #7
Which component enables you to configure firewall resource protection settings?
A. DoS Protection Profile
B. QoS Profile
C. Zone Protection Profile
D. DoS Protection policy
Correct Answer: D
Question #8
Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
A. Threat-ID processing time is decreased
B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4
C. The application name assigned to the traffic by the security rule is written to the Traffic log
D. App-ID processing time is increased
Correct Answer: CDE
Question #9
A customer wants to set up a site-to-site VPN using tunnel interfaces. Which two formats are correct for naming tunnel interfaces? (Choose two.)
A. Palo Alto Networks > Symantec > VeriSign
B. VeriSign > Symantec > Palo Alto Networks
C. Symantec > VeriSign > Palo Alto Networks
D. VeriSign > Palo Alto Networks > Symantec
Correct Answer: AC
Question #10
An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
A. It applies to existing sessions and is not global
B. It applies to existing sessions and is global
C. It applies to new sessions and is global
D. It applies to new sessions and is not global
Correct Answer: ACE
Question #11
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A. check
B. find
C. test
D. sim
Correct Answer: C
Question #12
Which Captive Portal mode must be configured to support MFA authentication?
A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router
Correct Answer: B
Question #13
Which logs enable a firewall administrator to determine whether a session was decrypted?
A. Traffic
B. Security Policy
C. Decryption
D. Correlated Event
Correct Answer: A
Question #14
When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with Palo Alto Networks best practices. What should you recommend?
A. Enable SSL decryption for known malicious source IP addresses
B. Enable SSL decryption for malicious source users
C. Enable SSL decryption for source users and known malicious URL categories
D. Enable SSL decryption for known malicious destination IP addresses
Correct Answer: C
Question #15
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
A. Decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools
B. Force decryption of previously unknown cipher suites
C. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools
D. Inspect traffic within IPsec tunnels
Correct Answer: AD
Question #16
An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer?
A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Configure policy-based forwarding
D. Deploy Prisma SD-WAN with Prisma Access
Correct Answer: B
Question #17
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the firewall to Panorama?
A. To enable Gateway authentication to the Portal
B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal
Correct Answer: B
Question #18
Which feature prevents the submission of corporate login information into website forms?
A. Data filtering
B. User-ID
C. File blocking
D. Credential phishing prevention
Correct Answer: D
Question #19
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)
A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP
C. The firewalls do not use floating IPs in active/active HA
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails
Correct Answer: ABC
Question #20
Which feature can be configured on VM-Series firewalls?
A. Session information
B. Heartbeats
C. HA state information
D. User-ID information
Correct Answer: D
Question #21
Which Palo Alto Networks VM-Series firewall is valid?
A. VM-25
B. VM-800
C. VM-50
D. VM-400
Correct Answer: C
Question #22
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
A. Device > Setup > Services > AutoFocus
B. Device > Setup > Management > AutoFocus
C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
D. Device > Setup > WildFire > AutoFocus
E. Device > Setup > Management > Logging and Reporting Settings
Correct Answer: B
Question #23
Which three statements accurately describe Decryption Mirror? (Choose three.)
A. Health and Medicine
B. High Risk
C. Online Storage and Backup
D. Financial Services
Correct Answer: ABE
Question #24
How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?
A. Choose the download and install action for both members of the HA pair in the Schedule object
B. Switch context to the firewalls to start the download and install process
C. Download the apps to the primary; no further action is required
D. Configure the firewall's assigned template to download the content updates
Correct Answer: A
Question #25
Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?
A. show session all filter ssl-decryption yes total-count yes
B. show session all ssl-decrypt yes count yes
C. show session all filter ssl-decrypt yes count yes
D. show session filter ssl-decryption yes total-count yes
Correct Answer: C
Question #26
The firewall identifies a popular application as an unknown-tcp. Which two options are available to identify the application? (Choose two.)
A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption
Correct Answer: AC
Question #27
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)
A. Resources Widget on the Dashboard
B. Monitor > Utilization
C. Support > Resources
D. Application Command and Control Center
Correct Answer: BCD
Question #28
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?
A. debug system details
B. show session info
C. show system info
D. show system details
Correct Answer: C
Question #29
Which method will dynamically register tags on the Palo Alto Networks NGFW?
A. Restful API or the VMware API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
B. Restful API or the VMware API on the firewall or on the User-ID agent
C. XML API or the VMware API on the firewall or on the User-ID agent or the CLI
D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent
Correct Answer: D
Question #30
A user at an internal system queries the DNS server for their web server with a private IP of 10.250.241.131 in the DMZ. The DNS server returns the web server's public address, 200.1.1.10. In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?
A. NAT Rule: Source Zone: Untrust_L3; Source IP: Any; Destination Zone: DMZ; Destination IP: 200
B. NAT Rule: Source Zone: Trust_L3; Source IP: Any; Destination Zone: DMZ; Destination IP: 200
C. NAT Rule: Source Zone: Untrust_L3; Source IP: Any; Destination Zone: Untrust_L3; Destination IP: 200
D. NAT Rule: Source Zone: Trust_L3; Source IP: Any; Destination Zone: Untrust_L3; Destination IP: 200
Correct Answer: D
Question #31
Which three settings are defined within the Templates object of Panorama? (Choose three.)
A. Admin Role
B. WebUI
C. Authentication
D. Authorization
Correct Answer: ABC
Question #32
When overriding a template configuration locally on a firewall, what should you consider?
A. Panorama will update the template with the overridden value
B. The firewall template will show that it is out of sync within Panorama
C. Only Panorama can revert the override
D. Panorama will lose visibility into the overridden configuration
Correct Answer: D
Question #33
If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?
A. Mapping to the IP address of the logged-in user
B. First four letters of the username matching any valid corporate username
C. Using the same user’s corporate username and password
D. Matching any valid corporate username
Correct Answer: C
Question #34
SAML SLO is supported for which two firewall features? (Choose two.)
A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer
Correct Answer: AC
Question #35
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)
A. Admin roles
B. Authentication profiles
C. Templates
D. Access domains
Correct Answer: BE
Question #36
Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?
A. Removing the Panorama serial number from the ZTP service
B. Performing a factory reset of the firewall
C. Performing a local firewall commit
D. Removing the firewall as a managed device in Panorama
Correct Answer: C
Question #37
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
A. Vulnerability Protection profile
B. DoS Protection profile
C. Data Filtering profile
D. URL Filtering profile
Correct Answer: B
Question #38
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
A. The passive firewall, which then synchronizes to the active firewall
B. The active firewall, which then synchronizes to the passive firewall
C. Both the active and passive firewalls, which then synchronize with each other
D. Both the active and passive firewalls independently, with no synchronization afterward
Correct Answer: D
Question #39
What is a key step in implementing WildFire best practices?
A. Configure the firewall to retrieve content updates every minute
B. Ensure that a Threat Prevention subscription is active
C. In a mission-critical network, increase the WildFire size limits to the maximum value
D. In a security-first network, set the WildFire size limits to the minimum value
Correct Answer: B
Question #40
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?
A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile
Correct Answer: A
Question #41
DRAG DROP (Drag and Drop is not supported). Please match the terms to their corresponding definitions. Select and Place:
A. Test Policy Match
B. Application Groups
C. Policy Optimizer
D. Config Audit
Correct Answer: A
Question #42
Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?
A. 0,000
B. 5,000
C. ,500
D. ,000
Correct Answer: A
Question #43
A variable name must start with which symbol?
A.
B.
C.
D.
Correct Answer: A
Question #44
Which two features does PAN-OS® software use to identify applications? (Choose two.)
A. Applications and Threats
B. XML Agent
C. WildFire
D. PAN-OS® Upgrade Agent
Correct Answer: AD
Question #45
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?
A. Configure a Decryption Profile and select SSL/TLS services
B. Set up SSL/TLS under Policies > Service/URL Category > Service
C. Set up Security policy rule to allow SSL communication
D. Configure an SSL/TLS Profile
Correct Answer: D
Question #46
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information. However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn gro
A. Configure Prisma Access to learn group mapping via SAML assertion
B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access
C. Assign a master device in Panorama through which Prisma Access learns groups
D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers
Correct Answer: C
Question #47
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?
A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy
C. Configure a Captive Portal authentication policy that uses an authentication sequence
D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile
Correct Answer: D
Question #48
When setting up a security profile, which three items can you use? (Choose three.)
A. Upgrade directly to the target major version
B. Upgrade the HA pair to a base image
C. Upgrade one major version at a time
D. Upgrade two major versions at a time
Correct Answer: ACD
Question #49
An administrator has users accessing network resources through Citrix XenApp 7.x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?
A. Client Probing
B. Terminal Services agent
C. GlobalProtect
D. Syslog Monitoring
Correct Answer: B
Question #50
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group. NYC-DC has NYC-FW as a member of the NYC-DC device-group. What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?
A. Address Objects: Shared Address1, Branch Address1. Policies: Shared Policy1, Branch Policy1
B. Address Objects: Shared Address1, Shared Address2, Branch Address1. Policies: Shared Policy1, Shared Policy2, Branch Policy1
C. Address Objects: Shared Address1, Shared Address2, Branch Address1, DC Address1. Policies: Shared Policy1, Shared Policy2, Branch Policy1
D. Address Objects: Shared Address1, Shared Address2, Branch Address1. Policies: Shared Policy1, Branch Policy1
Correct Answer: D
Question #51
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
A. show system state filter-pretty sys
B. show system state filter-pretty sys
C. show interface ethernet1/8
D. show system state filter-pretty sys
Correct Answer: A
Question #52
Which Panorama objects restrict administrative access to specific device-groups?
A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate
B. Use an enterprise CA-signed certificate for the Forward Untrust certificate
C. Use the same Forward Trust certificate on all firewalls in the network
D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate
Correct Answer: D
Question #53
Which event will happen if an administrator uses an Application Override Policy?
A. Deny application facebook-chat before allowing application facebook
B. Deny application facebook on top
C. Allow application facebook on top
D. Allow application facebook before denying application facebook-chat
Correct Answer: B
Question #54
During the packet flow process, which two processes are performed in application identification? (Choose two.)
A. Pattern based application identification
B. Application override policy match
C. Application changed from content inspection
D. Session application identified
Correct Answer: AB
Question #55
An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID?
A. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
B. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
C. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
D. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
Correct Answer: B
Question #56
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
A. See Explanation section for answer
Correct Answer: D
Question #57
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
A. The passive firewall, which then synchronizes to the active firewall
B. The active firewall, which then synchronizes to the passive firewall
C. Both the active and passive firewalls, which then synchronize with each other
D. Both the active and passive firewalls independently, with no synchronization afterward
Correct Answer: D
Question #58
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN configuration would adapt to changes when deployed to the future site?
A. Preconfigured GlobalProtect satellite
B. Preconfigured GlobalProtect client
C. Preconfigured IPsec tunnels
D. Preconfigured PPTP Tunnels
Correct Answer: A
Question #59
You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?
A. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
B. Create an Application Group and add business-systems to it
C. Create an Application Filter and name it Office Programs, then filter it on the office-programs subcategory
D. Create an Application Filter and name it Office Programs, then filter it on the business-systems category
Correct Answer: C
Question #60
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack?
A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus
Correct Answer: A
Question #61
An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?
A. default-no-captive-portal
B. default-authentication-bypass
C. default-browser-challenge
D. default-web-form
Correct Answer: A
Question #62
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?
A. Threat log
B. Data Filtering log
C. WildFire Submissions log
D. URL Filtering log
Correct Answer: B
Question #63
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
A. Certificates
B. LDAP
C. RADIUS
D. SSH keys
Correct Answer: AC
Question #64
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?
A. System Utilization log
B. System log
C. Resources widget
D. CPU Utilization widget
Correct Answer: C
Question #65
How are log retention periods on Palo Alto Networks firewalls increased?
A. Cortex XDR
B. Next-generation firewall
C. Prisma SaaS
D. MineMeld
Correct Answer: AC
Question #66
Which three options are supported in HA Lite? (Choose three.)
A. debug system details
B. show session info
C. show system info
D. show system details
Correct Answer: BCD
Question #67
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge. What is the expected verdict from WildFire?
A. Malware
B. Grayware
C. Phishing
D. Spyware
Correct Answer: B
Question #68
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A. check
B. find
C. test
D. sim
Correct Answer: C
Question #69
A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?
A. Add an Anti-Spyware Profile to block attacking IP address
B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
C. Add QoS Profiles to throttle incoming requests
D. Add a tuned DoS Protection Profile
Correct Answer: D
Question #70
Which CLI command can be used to export the tcpdump capture?
A. scp export tcpdump from mgmt
B. scp extract mgmt-pcap from mgmt
C. scp export mgmt-pcap from mgmt
D. download mgmt-pcap
Correct Answer: C
Question #71
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface? (Choose two.)
A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile
Correct Answer: CD
Question #72
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
A. Phase 2 SAs are synchronized over HA2 links
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links
C. Phase 1 SAs are synchronized over HA1 links
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links
Correct Answer: B
Question #73
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
A. Application override
B. Virtual Wire mode
C. Content inspection
D. Redistribution of user mappings
Correct Answer: BC
Question #74
What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?
A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic
B. Traffic matches a catch-all policy that is created through the SD-WAN plugin
C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links
D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i
Correct Answer: C
Question #75
Which GlobalProtect component must be configured to enable Clientless VPN?
A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway
Correct Answer: C
Question #76
How can a candidate or running configuration be copied to a host external from Panorama?
A. Commit a running configuration
B. Save a configuration snapshot
C. Save a candidate configuration
D. Export a named configuration snapshot
Correct Answer: D
Question #77
The Palo Alto Networks Cortex Data Lake can accept logging data from which two products?
A. 12bi
B. 024bi
C. 048bi
D. 096bi
Correct Answer: A
Question #78
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement?
A. Decryption Mirror interface with the Threat Analysis license
B. Virtual Wire interface with the Decryption Port Export license
C. Tap interface with the Decryption Port Mirror license
D. Decryption Mirror interface with the associated Decryption Port Mirror license
Correct Answer: D
Question #79
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software. Why did the bootstrap process fail for the VM-Series firewall in Azure?
A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing
C. The /config or /software folders were missing mandatory files to successfully bootstrap
D. The /content folder is missing from the bootstrap package
Correct Answer: D
Question #80
A user’s traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user’s traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question
B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question
C. Enable and configure a Link Monitoring Profile for the external interface of the firewall
D. Configure path monitoring for the next hop gateway on the default route in the virtual router
Correct Answer: B
Question #81
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?
A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
B. set deviceconfig system speed-duplex 1Gbps-duplex
C. set deviceconfig system speed-duplex 1Gbps-full-duplex
D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex
Correct Answer: A
Question #82
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes. How quickly will the firewall receive back a verdict?
A. Use of a “service” enables the firewall to take immediate action with the first observed packet based on port numbers
B. There are no differences between “service” or “application”
C. Use of a “service” enables the firewall to take immediate action with the first observed packet based on port numbers
D. Use of a “service” enables the firewall to take action after enough packets allow for App-ID identification
Correct Answer: D
Question #83
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?
A. -tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
B. -tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
C. -tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
D. -tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category
Correct Answer: A
Question #84
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.)
A. View the System logs and look for the error messages about BGP
B. Perform a traffic pcap on the NGFW to see any BGP problems
C. View the Runtime Stats and look for problems with BGP configuration
D. View the ACC tab to isolate routing issues
Correct Answer: BC
Question #85
What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?
A. ethernet1/7
B. ethernet1/5
C. ethernet1/6
D. ethernet1/3
Correct Answer: D
Question #86
In the image, what caused the commit warning?
A. The CA certificate for FWDtrust has not been imported into the firewall
B. The FWDtrust certificate has not been flagged as Trusted Root CA
C. SSL Forward Proxy requires a public certificate to be imported into the firewall
D. The FWDtrust certificate does not have a certificate chain
Correct Answer: A
Question #87
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?
A. In Threat General Settings, select "Report Grayware Files"
B. Within the log settings option in the Device tab
C. In WildFire General Settings, select "Report Grayware Files"
D. Within the log forwarding profile attached to the Security policy rule
Correct Answer: D
Question #88
A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.)
A. WildFire logs
B. System logs
C. Threat logs
D. Traffic logs
Correct Answer: AD
Question #89
If the firewall has the following link monitoring configuration, what will cause a failover?
A. ethernet1/3 and ethernet1/6 going down
B. ethernet1/3 going down
C. ethernet1/3 or ethernet1/6 going down
D. ethernet1/6 going down
Correct Answer: A
Question #90
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL. Which action will stop the second and subsequent encrypted BitTorrent conne
A. Create a decryption rule matching the encrypted BitTorrent traffic with action “No-Decrypt,” and place the rule at the top of the Decryption policy
B. Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy
C. Disable the exclude cache option for the firewall
D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule
Correct Answer: D
Question #91
What is the maximum number of samples that can be submitted to WildFire manually per day?
A. ,000
B. ,000
C. ,000
D. 5,000
Correct Answer: A
Question #92
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
A. At-boot
B. Pre-logon
C. User-logon (Always on)
D. On-demand
Correct Answer: B
Question #93
In a virtual router, which object contains all potential routes?
A. IB
B. IB
C. IP
D. IB
Correct Answer: B
Question #94
An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?
A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds
D. The WildFire Global Cloud only provides bare metal analysis
Correct Answer: C
Question #95
What is the function of a service route?
A. The service packets exit the firewall on the port assigned for the external service
B. The service packets enter the firewall on the port assigned from the external service
C. The service route is the method required to use the firewall's management plane to provide services to applications
D. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal
Correct Answer: A
Question #96
When is the content inspection performed in the packet flow process?
A. After the application has been identified
B. Before session lookup
C. Before the packet forwarding process
D. After the SSL Proxy re-encrypts the packet
Correct Answer: A
Question #97
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web-browsing access to the server. Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080?
A. Application: web-browsing; service: application-default
B. Application: web-browsing; service: service-https
C. Application: ssl; service: any
D. Application: web-browsing; service: (custom with destination TCP port 8080)
Correct Answer: D
Question #98
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
A. Aggregate interfaces
B. Machine learning
C. Multiple virtual systems
D. GlobalProtect
Correct Answer: A
Question #99
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
A. Configure the option for “Threshold”
B. Disable automatic updates during weekdays
C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update
D. Automatically “download and install” but with the “disable new applications” option used
Correct Answer: A
Question #100
If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
B. Add a Vulnerability Protection Profile to block the attack
C. Add QoS Profiles to throttle incoming requests
D. Add a DoS Protection Profile with defined session count
Correct Answer: B
Question #101
What are two valid deployment options for Decryption Broker? (Choose two.)
A. show routing protocol bgp rib-out
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp state
Correct Answer: AD
Question #102
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?
A. A Security policy with 'known-user' selected in the Source User field
B. A Security policy with 'unknown' selected in the Source User field
C. An Authentication policy with 'known-user' selected in the Source User field
D. An Authentication policy with 'unknown' selected in the Source User field
Correct Answer: D
Question #103
As a best practice, which URL category should you target first for SSL decryption?
A. LDAP Server Profile configuration
B. GlobalProtect
C. Windows-based User-ID agent
D. PAN-OS integrated User-ID agent
Correct Answer: B
Question #104
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
A. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks
B. Add a WildFire subscription to activate DoS and zone protection features
C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems
D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
Correct Answer: AB
Question #105
Which three options are supported in HA Lite? (Choose three.)
A. Virtual link
B. Active/passive deployment
C. Synchronization of IPsec security associations
D. Configuration synchronization
E. Session synchronization
Correct Answer: BCD
Question #106
DRAG DROP (Drag and Drop is not supported) Match each GlobalProtect component to the purpose of that component. Select and Place:
A. See Explanation section for answer
Correct Answer: A
Question #107
Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?”
A. Descendant objects will take precedence over other descendant objects
B. Descendant objects will take precedence over ancestor objects
C. Ancestor objects will have precedence over descendant objects
D. Ancestor objects will have precedence over other ancestor objects
Correct Answer: C
Question #108
What are two benefits of nested device groups in Panorama? (Choose two.)
A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent
Correct Answer: AC
Question #109
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8
Correct Answer: A
Question #110
If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?
A. SSL Forward Proxy
B. SSL Inbound Inspection
C. SSL Reverse Proxy
D. SSL Outbound Inspection
Correct Answer: A
Question #111
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS® software?
A. Antivirus update package
B. Applications and Threats update package
C. User-ID agent
D. WildFire update package
Correct Answer: B
Question #112
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario?
A. GlobalProtect version 4
B. GlobalProtect version 4
C. GlobalProtect version 4
D. GlobalProtect version 4
Correct Answer: A
Question #113
When configuring the firewall for packet capture, what are the valid stage types?
A. Receive, management, transmit, and non-syn
B. Receive, management, transmit, and drop
C. Receive, firewall, send, and non-syn
D. Receive, firewall, transmit, and drop
Correct Answer: D
Question #114
Which statement is correct given the following message from the PanGPA.log on the GlobalProtect app? Failed to connect to server at port:4767
A. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPS process failed to connect to the PanGPA process on port 4767
D. The PanGPA process failed to connect to the PanGPS process on port 4767
Correct Answer: B
Question #115
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust?
A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication
Correct Answer: A
Question #116
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?
A. URL Filtering profile
B. Zone Protection profile
C. Anti-Spyware profile
D. Vulnerability Protection profile
Correct Answer: A
Question #117
Refer to the exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW
C. Configure log compression and optimization features on all remote firewalls
D. Any configuration on an M-500 would address the insufficient bandwidth concerns
Correct Answer: A
Question #118
Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)
A. Forward-Untrust-Certificate
B. Forward-Trust-Certificate
C. Firewall-CA
D. Firewall-Trusted-Root-CA
Correct Answer: BC
Question #119
A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
A. Layer 3
B. Layer 2
C. Tap
D. Decryption Mirror
Correct Answer: CDE
Question #120
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?
A. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet
B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary
C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your Internet connection
D. Configure a Security policy rule to allow all traffic to and from the update servers
Correct Answer: B
Question #121
Panorama provides which two SD-WAN functions? (Choose two.)
A. By adding the device’s Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device
B. By exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook
C. By using security policies, log forwarding profiles, and log settings
D. There is no native auto-quarantine feature so a custom script would need to be leveraged
Correct Answer: AB
Question #122
A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”. Which action will this configuration cause on the matched traffic?
A. The configuration is invalid
B. The configuration will allow the matched session unless a vulnerability signature is detected
C. The configuration is invalid
D. The configuration is valid
Correct Answer: D
Question #123
When you configure a Layer 3 interface, what is one mandatory step?
A. Configure virtual routers to route the traffic for each Layer 3 interface
B. Configure Interface Management profiles, which need to be attached to each Layer 3 interface
C. Configure Security profiles, which need to be attached to each Layer 3 interface
D. Configure service routes to route the traffic for each Layer 3 interface
Correct Answer: A
Question #124
A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only Internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
How ca
A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet
B. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet
C. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the Internet
D. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the Internet
Correct Answer: A
