Master the Palo Alto PCNSE Exam with Realistic Practice Tests

SPOTO's Palo Alto PCNSE exam questions played a crucial role in my preparation for the PCNSE certification exam. SPOTO's exam questions and answers, along with practice questions and mock exams, provided a comprehensive and structured approach to mastering the necessary skills and knowledge required for the exam. The study materials offered by SPOTO covered key concepts and practical scenarios relevant to Palo Alto Networks' security solutions, enhancing my understanding and proficiency in network security engineering. Additionally, SPOTO's exam resources and study aids were instrumental in simulating the exam environment, allowing me to assess my readiness and improve my performance.

Question #1
An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
- Firewall has internet connectivity through e1/1.
- Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
- Service route is configured, sourcing update traffic from e1/1.
- A communication error appears in the System logs when updates are performed.
- Download does not complete.
What must be configured to enable the firewall to download the curren
A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution
Correct Answer: D
Question #2
What are three types of Decryption Policy rules? (Choose three.)
A. A Decryption profile must be attached to the Decryption policy that the traffic matches
B. There must be a certificate with both the Forward Trust option and Forward Untrust option selected
C. A Decryption profile must be attached to the Security policy that the traffic matches
D. There must be a certificate with only the Forward Trust option selected
Correct Answer: ABC
Question #3
A Panorama administrator configures a new zone and uses the zone in a new Security policy. After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?
A. Merge with candidate config
B. Include device and network templates
C. Specify the template as a reference template
D. Force template values
Correct Answer: A
Question #4
Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks. How can the issue be corrected?
A. Override the value on the NYCFW template
B. Override a template value using a template stack variable
C. Override the value on the Global template
D. Enable "objects defined in ancestors will take higher precedence" under Panorama settings
Correct Answer: B
Question #5
What file type upload is supported as part of the basic WildFire service?
A. ELF
B. BAT
C. PE
D. VBS
Correct Answer: C
Question #6
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)
A. Port mapping
B. Server monitoring
C. Client probing
D. XFF headers
Correct Answer: AD
Question #7
On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?
A.
B.
C.
D.
Correct Answer: C
Question #8
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama. Which action would enable the firewalls to send their pre-existing logs to Panorama?
A. More than 15 minutes
B. minutes
C. 0 to 15 minutes
D. to 10 minutes
Correct Answer: B
Question #9
DRAG DROP (Drag and Drop is not supported) Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order. Select and Place:
A. See Explanation section for answer
Correct Answer: A
Question #10
An administrator wants to enable zone protection. Before doing so, what must the administrator consider?
A. Activate a zone protection subscription
B. Security policy rules do not prevent lateral movement of traffic between zones
C. The zone protection profile will apply to all interfaces within that zone
D. To increase bandwidth, no more than one firewall interface should be connected to a zone
Correct Answer: C
Question #11
DRAG DROP (Drag and Drop is not supported) Match each type of DoS attack to an example of that type of attack. Select and Place:
A. See Explanation section for answer
Correct Answer: A
Question #12
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
A. Enable and configure the Packet Buffer Protection thresholds
B. Enable and then configure Packet Buffer thresholds
C. Create and Apply Zone Protection Profiles in all ingress zones
D. Configure and apply Zone Protection Profiles for all egress zones
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits
Correct Answer: AD
Question #13
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure SSL/TLS connection?
A. Link state
B. Profiles
C. Stateful firewall connection
D. Certificates
Correct Answer: D
Question #14
In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?
A. to 4 hours
B. to 12 hours
C. 4 hours
D. 6 hours
Correct Answer: B
Question #15
Given the following configuration, which route is used for destination 10.10.0.4?
set network virtual-router 2 routing-table ip static-route "Route 1" nexthop ip-address 192.168.1.2
set network virtual-router 2 routing-table ip static-route "Route 1" metric 30
set network virtual-router 2 routing-table ip static-route "Route 1" destination 10.10.0.0/24
set network virtual-router 2 routing-table ip static-route "Route 1" reroute-table unicast
set network virtual-router 2 routing-table ip static-route "Route 2" ne
A. Route 1
B. Route 3
C. Route 2
D. Route 4
Correct Answer: C
Question #16
In a template, you can configure which two objects? (Choose two.)
A. o
B. es
C. o
D. es
Correct Answer: AD
Question #17
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this case?
A. Use config-drive on a USB stick
B. Use an S3 bucket with an ISO
C. Create and attach a virtual hard disk (VHD)
D. Use a virtual CD-ROM with an ISO
Correct Answer: D
Question #18
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
A. To enable Gateway authentication to the Portal
B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal
Correct Answer: C
Question #19
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization?
A. WildFire and Threat Prevention combine to minimize the attack surface
B. After 24 hours, WildFire signatures are included in the antivirus update
C. Protection against unknown malware can be provided in near real-time
D. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
Correct Answer: C
Question #20
Before you upgrade a Palo Alto Networks NGFW, what must you do?
A. Make sure that the PAN-OS support contract is valid for at least another year
B. Export a device state of the firewall
C. Make sure that the firewall is running a supported version of the app + threat update
D. Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions
Correct Answer: C
Question #21
Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)
A. Zone Protection
B. Replay
C. Web Application
D. DoS Protection
Correct Answer: ADE
Question #22
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
A. Anti-Spyware
B. Instruction Prevention
C. File Blocking
D. Antivirus
Correct Answer: D
Question #23
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?
A.
B. 9
C.
D. 55
Correct Answer: D
Question #24
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow?
A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain
Correct Answer: B
Question #25
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What can the administrator do to correct this issue?
A. Add a firewall to both the device group and the template
B. Add the template as a reference template in the device group
C. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
D. Specify the target device as the master device in the device group
Correct Answer: A
Question #26
Refer to the exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW
C. Configure log compression and optimization features on all remote firewalls
D. Any configuration on an M-500 would address the insufficient bandwidth concerns
Correct Answer: A
Question #27
Which two events trigger the operation of automatic commit recovery? (Choose two.)
A. Respond to changes in user behaviour or potential threats using manual policy changes
B. Respond to changes in user behaviour or potential threats without manual policy changes
C. Respond to changes in user behaviour or potential threats without automatic policy changes
D. Respond to changes in user behaviour and confirmed threats with manual policy changes
Correct Answer: BC
Question #28
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
A. XML API
B. Port Mapping
C. Client Probing
D. Server Monitoring
Correct Answer: BD
Question #29
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
A. The settings assigned to the template that is on top of the stack
B. The administrator will be prompted to choose the settings for that chosen firewall
C. All the settings configured in all templates
D. Depending on the firewall location, Panorama decides which settings to send
Correct Answer: A
Question #30
What is exchanged through the HA2 link?
A. Both SSH keys and SSL certificates must be generated
B. No prerequisites are required
C. SSH keys must be manually generated
D. SSL certificates must be generated
Correct Answer: C
Question #31
Which option is part of the content inspection process?
A. Packet forwarding process
B. SSL Proxy re-encrypt
C. IPsec tunnel encryption
D. Packet egress process
Correct Answer: B
Question #32
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?
A. GlobalProtect client
B. PPTP tunnels
C. IPsec tunnels using IKEv2
D. GlobalProtect satellite
Correct Answer: B
Question #33
Which statement regarding HA timer settings is true?
A. Use the Moderate profile for typical failover timer settings
B. Use the Critical profile for faster failover timer settings
C. Use the Aggressive profile for slower failover timer settings
D. Use the Recommended profile for typical failover timer settings
Correct Answer: D
Question #34
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
A. Security policy rule allowing SSL to the target server
B. Firewall connectivity to a CRL
C. Root certificate imported into the firewall with “Trust” enabled
D. Importation of a certificate from an HSM
Correct Answer: A
Question #35
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
A. You must set the interface to Layer 2, Layer 3, or virtual wire
B. The interface must be used for traffic to the required services
C. You must use a static IP address
D. You must enable DoS and zone protection
Correct Answer: C
Question #36
What are two characteristic types that can be defined for a variable? (Choose two.)
A. scp export mgmt-pcap from mgmt
B. scp export poap-mgmt from poap
C. ftp export mgmt-pcap from mgmt
D. scp export pcap from pcap to (username@host:path)
Correct Answer: BC
Question #37
Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
A. Syslog listening
B. Server monitoring
C. Client probing
D. Port mapping
Correct Answer: A
Question #38
Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)
A. It configures the tunnel address of all internal clients to an IP address range starting at 192
B. It forces an internal client to connect to an internal gateway at IP address 192
C. It enables a client to perform a reverse DNS lookup on 192
D. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway’s hostname and IP address to the DNS server
Correct Answer: CD
Question #39
Which two external authentication methods can be used with Authentication Profiles in PAN-OS?
A. NTLM
B. SSH
C. LDAP
D. RADIUS
Correct Answer: A
Question #40
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?
A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries
Correct Answer: A
Question #41
A legacy virtual router can use a Redistribution Profile to share routes between which three routing protocols?
A. Inspecting traffic at the application layer
B. Creating virtual connections out of UDP traffic
C. Checking for suspicious, but technically compliant, protocol behavior
D. Temporarily allowing an external web server to send inbound packets after an outbound request for a web page
Correct Answer: C
Question #42
How can a candidate or running configuration be copied to a host external from Panorama?
A. Commit a running configuration
B. Save a configuration snapshot
C. Save a candidate configuration
D. Export a named configuration snapshot
Correct Answer: D
Question #43
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?
A. Enable packet buffer protection on the Zone Protection Profile
B. Apply an Anti-Spyware Profile with DNS sinkholing
C. Use the DNS App-ID with application-default
D. Apply a classified DoS Protection Profile
Correct Answer: D
Question #44
Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall.
A. Enable QoS interface
B. Enable QoS in the Interface Management Profile
C. Enable QoS Data Filtering Profile
D. Enable QoS monitor
Correct Answer: B
Question #45
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?
A. Session Browser
B. Application Command Center
C. TCP Dump
D. Packet Capture
Correct Answer: B
Question #46
What is the best description of the HA4 Keep-alive Threshold (ms)?
A. The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
B. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
C. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
D. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
Correct Answer: B
Question #47
DRAG DROP (Drag and Drop is not supported) Place the steps in the WildFire process workflow in their correct order. Select and Place:
A. See Explanation section for answer
Correct Answer: A
Question #48
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
A. HTTP Server Profile
B. Syslog Server Profile
C. Email Server Profile
D. SNMP Server Profile
Correct Answer: B
Question #49
An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?
A. Panorama does not have valid licenses to push the dynamic updates
B. Panorama has no connection to Palo Alto Networks update servers
C. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed
D. No service route is configured on the firewalls to Palo Alto Networks update servers
Correct Answer: C
Question #50
An engineer needs to redistribute User-ID mappings from multiple data centers. Which data flow best describes redistribution of user mappings?
A. User-ID agent to firewall
B. Firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama
Correct Answer: B
Question #51
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates?
A. A scheduler will need to be configured for application signatures
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers
C. A Threat Prevention license will need to be installed
D. A service route will need to be configured
Correct Answer: A
Question #52
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?
A. A Certificate Profile that contains the client certificate needs to be selected
B. The source address supports only files hosted with an ftp://
C. External Dynamic Lists do not support SSL connections
D. A Certificate Profile that contains the CA certificate needs to be selected
Correct Answer: D
Question #53
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:
A. PBP (Protocol Based Protection)
B. BGP (Border Gateway Protocol)
C. PGP (Packet Gateway Protocol)
D. PBP (Packet Buffer Protection)
Correct Answer: D
Question #54
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result?
A. Create a custom App-ID and enable scanning on the advanced tab
B. Create an Application Override policy
C. Create a custom App-ID and use the “ordered conditions” check box
D. Create an Application Override policy and a custom threat signature for the application
Correct Answer: A
Question #55
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum amount of bandwidth the administrator could configure at the compute location?
A. 0Mbps
B. 5Mbps
C. 0Mbps
D. 00Mbps
Correct Answer: C
Question #56
Which statement accurately describes service routes and virtual systems?
A. Virtual systems can only use one interface for all global service and service routes of the firewall
B. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall
C. Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall
D. The interface must be used for traffic to the required external services
Correct Answer: B
Question #57
An administrator wants to upgrade an NGFW from PAN-OS® 7.1.2 to PAN-OS® 8.1.0. The firewall is not a part of an HA pair. What needs to be updated first?
A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot
Correct Answer: A
Question #58
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A. Enable session logging at start
B. Disable logging on the default deny rule
C. Set the URL filtering action to send alerts
D. Disable pre-defined reports
Correct Answer: A
Question #59
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure
B. Check whether the VPN peer on one end is set up correctly using policy-based VPN
C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers
Correct Answer: A
Question #60
Which data flow describes redistribution of user mappings?
A. User-ID agent to firewall
B. Domain Controller to User-ID agent
C. User-ID agent to Panorama
D. Firewall to firewall
Correct Answer: D
Question #61
DRAG DROP (Drag and Drop is not supported) Match each SD-WAN configuration element to the description of that element.
A. See Explanation section for answer
Correct Answer: A
Question #62
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available. This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
A. Configure an LDAP Server profile and enable the User-ID service on the management interface
B. Configure a group mapping profile to retrieve the groups in the target template
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents
D. Configure a master device within the device groups
Correct Answer: A
Question #63
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)
A. View Runtime Stats in the virtual router
B. View System logs
C. Add a redistribution profile to forward as BGP updates
D. Perform a traffic pcap at the routing stage
Correct Answer: AB
Question #64
Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?
A. GlobalProtect
B. System
C. Authentication
D. Configuration
Correct Answer: A
Question #65
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?
A. Forward Trust certificate
B. Self-Signed Root CA certificate
C. Web Server certificate
D. Public CA signed certificate
Correct Answer: B
Question #66
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result?
A. Create a custom App-ID and enable scanning on the advanced tab
B. Create an Application Override policy
C. Create a custom App-ID and use the “ordered conditions” check box
D. Create an Application Override policy and a custom threat signature for the application
Correct Answer: A
Question #67
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?
A. Security policy
B. Decryption policy
C. Authentication policy
D. Application Override policy
Correct Answer: C
Question #68
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.)
A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path
Correct Answer: BC
Question #69
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?
A. Panorama
B. Panorama
C. Panorama
D. Panorama
Correct Answer: C
Question #70
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?
A. Layer 2
B. Virtual Wire
C. Tap
D. Layer 3
Correct Answer: C
Question #71
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?
A. Web-browsing and 443
B. SSL and 80
C. SSL and 443
D. Web-browsing and 80
Correct Answer: A
Question #72
Which protection feature is available only in a Zone Protection Profile?
A. SYN Flood Protection using SYN Flood Cookies
B. ICMP Flood Protection
C. Port Scan Protection
D. UDP Flood Protections
Correct Answer: C
Question #73
What best describes the HA Promotion Hold Time?
A. The time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
B. The time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
C. The time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
D. The time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again
Correct Answer: A
Question #74
Which log file can be used to identify SSL decryption failures?
A. Traffic
B. ACC
C. Configuration
D. Threats
Correct Answer: A
Question #75
Refer to the exhibit. Which will be the egress interface if the traffic’s ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?
A. ethernet1/6
B. ethernet1/3
C. ethernet1/7
D. ethernet1/5
Correct Answer: D
Question #76
Which feature can provide NGFWs with User-ID mapping information?
A. Web Captcha
B. Native 802
C. GlobalProtect
D. Native 802
Correct Answer: C
Question #77
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
A. Machine certificate
B. Server certificate
C. Certificate authority (CA) certificate
D. Client certificate
Correct Answer: B
Question #78
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
A. g2 session count is the lowest compared to the other managed devices
B. s3 has a logging rate that deviates from the administrator-configured thresholds
C. k3 has a logging rate that deviates from the seven-day calculated baseline
D. g2 has misconfigured session thresholds
Correct Answer: AB
Question #79
A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?
A. The three-way TCP handshake was observed, but the application could not be identified
B. The three-way TCP handshake did not complete
C. The traffic is coming across UDP, and the application could not be identified
D. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied
Correct Answer: B
Question #80
Which CLI command can be used to export the tcpdump capture?
A. scp export tcpdump from mgmt
B. scp extract mgmt-pcap from mgmt
C. scp export mgmt-pcap from mgmt
D. download mgmt-pcap
Correct Answer: C
Question #81
An administrator has configured the Palo Alto Networks NGFW?€?s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.Which configuration setting or step will allow the firewall to get automatic application signature updates?
A. A scheduler will need to be configured for application signatures
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers
C. A Threat Prevention license will need to be installed
D. A service route will need to be configured
Correct Answer: A
Question #82
A company wants to install an NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?
A. Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN I Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic
Correct Answer: B
Question #83
An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?
A. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules
B. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules
C. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules
D. Create the appropriate rules with a Block action and apply them at the top of the Default Rules
Correct Answer: B
Question #84
SD-WAN is designed to support which two network topology types? (Choose two.)
A. It enables a firewall to revert to the previous configuration if rule shadowing is detected
B. It enables a firewall to revert to the previous configuration if application dependency errors are found
C. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure
D. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure
Correct Answer: BC
Question #85
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file system ntfs and the initial configuration is stored in a file named init-cfg.txt. The contents of init-cfg.txt in the USB flash drive are as follows: The USB flash drive has been inserted in the firewall's USB port, and the firewall has been powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failu
A. The bootstrap
B. it-cfg
C. The USB must be formatted using the ext4 file system
D. There must be commas between the parameter names and their values instead of the equal symbols
E. The USB drive has been formatted with an unsupported file system
Correct Answer: E
Question #86
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to
A. Rule #1: application: web-browsing; service: application-default; action: allow. Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-http; action: allow. Rule #2: application: ssl; service: application-default; action: allow
C. Rule #1: application: ssl; service: application-default; action: allow. Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-https; action: allow. Rule #2: application: ssl; service: application-default; action: allow
Correct Answer: D
Question #87
Which two functions can be performed with a next-generation firewall but NOT with a legacy firewall?
A. Active-Active mode
B. Active-Passive mode
C. HA-Lite Active-Passive mode
D. Active-Passive mode with "tcp-reject-non-syn" set to "no"
Correct Answer: CD
Question #88
Which DoS protection mechanism detects and prevents session exhaustion attacks?
A. Packet Based Attack Protection
B. Flood Protection
C. Resource Protection
D. TCP Port Scan Protection
Correct Answer: C
Question #89
Which three firewall states are valid? (Choose three.)
A. Active
B. Functional
C. Pending
D. Passive
E. Suspended
Correct Answer: ADE
Question #90
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
A. Disable H
B. Disable the HA2 link
C. Set the passive link state to "shutdown"
D. Disable config sync
Correct Answer: D
Question #91
During the packet flow process, which two processes are performed in application identification? (Choose two.)
A. Session Browser
B. Application Command Center
C. TCP Dump
D. Packet Capture
Correct Answer: AB
Question #92
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS® software can be upgraded?
A. Security policy rule
B. URL
C. Service route
D. Scheduler
Correct Answer: C
Question #93
The certificate information displayed in the following image is for which type of certificate?
A. Forward Trust certificate
B. Self-Signed Root CA certificate
C. Web Server certificate
D. Public CA signed certificate
Correct Answer: B
Question #94
Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given this scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
A. PAN-OS integrated agent
B. Citrix terminal server agent with adequate data-plane resources
C. Captive Portal
D. Windows-based User-ID agent on a standalone server
Correct Answer: D
Question #95
Which value in the Application column indicates UDP traffic that did not match an App-ID signature?
A. unknown-udp
B. unknown-ip
C. incomplete
D. not-applicable
Correct Answer: A
Question #96
Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?
A. ACC
B. System Logs
C. App Scope
D. Session Browser
Correct Answer: D
Question #97
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
A. The settings assigned to the template that is on top of the stack
B. The administrator will be prompted to choose the settings for that chosen firewall
C. All the settings configured in all templates
D. Depending on the firewall location, Panorama decides which settings to send
Correct Answer: C
Question #98
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)
A. Disable SNMP on the management interface
B. Application override of SSL application
C. Disable logging at session start in Security policies
D. Disable predefined reports
E. Reduce the traffic being decrypted by the firewall
Correct Answer: ACD
Question #99
A firewall administrator has been asked to configure a Palo Alto Networks NGFW to protect against compromised hosts trying to phone home or beacon out to external command-and-control (C2) servers. Which Security Profile type will prevent these behaviors?
A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus
Correct Answer: A
Question #100
If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?
A. SSL Forward Proxy
B. SSL Inbound Inspection
C. TLS Bidirectional proxy
D. SSL Outbound Inspection
Correct Answer: A
Question #101
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?
A. Use the debug dataplane packet-diag set capture stage firewall file command
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall)
C. Use the debug dataplane packet-diag set capture stage management file command
D. Use the tcpdump command
Correct Answer: D
Question #102
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A. Use the import option to pull logs
B. Use the scp logdb export command
C. Export the log database
D. Use the ACC to consolidate the logs
Correct Answer: B
Question #103
Which operation will impact the performance of the management plane?
A. DoS protection
B. WildFire submissions
C. Generating a SaaS Application report
D. Decrypting SSL sessions
Correct Answer: C
Question #104
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
A. Select download-and-install
B. Select download-only
C. Select download-and-install, with “Disable new apps in content update” selected
D. Select disable application updates and select “Install only Threat updates”
Correct Answer: C
Question #105
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows: The USB flash drive has been inserted in the firewall's USB port,
A. The bootstrap
B. Firewall must be in factory default state or have all private data deleted for bootstrapping
C. The hostname is a required parameter, but it is missing in init-cfg
D. PAN-OS version must be 9
E. The USB must be formatted using the ext3 file system
Correct Answer: D
Question #106
What is considered the best practice with regards to zone protection?
A. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
B. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
C. Set the Alarm Rate threshold for event-log messages to high severity or critical severity
D. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
Correct Answer: D
Question #107
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
A. See Explanation section for answer
Correct Answer: D
Question #108
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?
A. Port Inspection
B. Certificate revocation
C. Content-ID
D. App-ID
Correct Answer: D
Question #109
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface? (Choose two.)
A. Anti-Spyware
B. Instruction Prevention
C. File Blocking
D. Antivirus
Correct Answer: CD
Question #110
An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version. What is considered best practice for this scenario?
A. Perform the Panorama and firewall upgrades simultaneously
B. Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version
C. Upgrade Panorama to a version at or above the target firewall version
D. Export the device state, perform the update, and then import the device state
Correct Answer: C
Question #111
In URL filtering, which component matches URL patterns?
A. Live URL feeds on the management plane
B. Security processing on the data plane
C. Single-pass pattern matching on the data plane
D. Signature matching on the data plane
Correct Answer: C
Question #112
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?
A. Okta
B. DUO
C. RADIUS
D. PingID
Correct Answer: C
Question #113
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)
A. Use the import option to pull logs into Panorama
B. A CLI command will forward the pre-existing logs to Panorama
C. Use the ACC to consolidate pre-existing logs
D. The log database will need to be exported from the firewalls and manually imported into Panorama
Correct Answer: BDE
Question #114
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?
A.
B. 9
C.
D. 55
Correct Answer: D
Question #115
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
A. Preview Changes
B. Policy Optimizer
C. Managed Devices Health
D. Test Policy Match
Correct Answer: D
Question #116
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):
i) Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.)
ii) Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii) Enterprise-Intermediate-CA
iv) Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with
A. Enterprise-Trusted-CA which is a self-signed CA
B. Enterprise-Root-CA which is a self-signed CA
C. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA
D. Enterprise-Untrusted-CA which is a self-signed CA
Correct Answer: D
Question #117
How can packet buffer protection be configured?
A. At zone level to protect firewall resources and ingress zones, but not at the device level
B. At the interface level to protect firewall resources
C. At the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
D. At the device level (globally) and, if enabled globally, at the zone level
Correct Answer: D
Question #118
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources
Correct Answer: A
Question #119
The UDP-4501 protocol-port is used between which two GlobalProtect components?
A. GlobalProtect app and GlobalProtect satellite
B. GlobalProtect app and GlobalProtect portal
C. GlobalProtect app and GlobalProtect gateway
D. GlobalProtect portal and GlobalProtect gateway
Correct Answer: C
Question #120
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)
A. Hello heartbeats
B. User-ID information
C. Session synchronization
D. HA state information
Correct Answer: AEF
Question #121
What are three reasons why an installed session can be identified with the "application incomplete" tag? (Choose three.)
A. Update the Firewall Apps and Threat version to match the version of Panorama
B. Change the new category action to "alert" and push the configuration again
C. Ensure that the firewall can communicate with the URL cloud
D. Verify that the URL seed file has been downloaded and activated on the firewall
Correct Answer: ADE
Question #122
Refer to the exhibit. Which certificates can be used as a Forward Trust certificate?
A. Certificate from Default Trust Certificate Authorities
B. Domain Sub-CA
C. Forward_Trust
D. Domain-Root-Cert
Correct Answer: B
