Summer Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 1271b8m643

PCNSE Exam Dumps - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0

Question # 4

Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

A.

link requirements

B.

the name of the ISP

C.

IP Addresses

D.

branch and hub locations

Full Access
Question # 5

Which CLI command displays the current management plan memory utilization?

A.

> show system info

B.

> show system resources

C.

> debug management-server show

D.

> show running resource-monitor

Full Access
Question # 6

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

A.

Disable Server Response Inspection

B.

Apply an Application Override

C.

Disable HIP Profile

D.

Add server IP Security Policy exception

Full Access
Question # 7

Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

A.

Log

B.

Alert

C.

Allow

D.

Default

Full Access
Question # 8

How is the Forward Untrust Certificate used?

A.

It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/

B.

It is used when web servers request a client certificate.

C.

It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.

D.

It is used for Captive Portal to identify unknown users.

Full Access
Question # 9

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

A.

Master

B.

Universal

C.

Shared

D.

Global

Full Access
Question # 10

People are having intermittent quality issues during a live meeting via web application.

A.

Use QoS profile to define QoS Classes

B.

Use QoS Classes to define QoS Profile

C.

Use QoS Profile to define QoS Classes and a QoS Policy

D.

Use QoS Classes to define QoS Profile and a QoS Policy

Full Access
Question # 11

Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

A.

Set tunnel. 1 to p2p

B.

Set tunnel. 1 to p2mp

C.

Set Ethernet 1/1 to p2mp

D.

Set Ethernet 1/1 to p2p

Full Access
Question # 12

When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

A.

When configuring Certificate Profiles

B.

When configuring GlobalProtect portal

C.

When configuring User Activity Reports

D.

When configuring Antivirus Dynamic Updates

Full Access
Question # 13

Which field is optional when creating a new Security Policy rule?

A.

Name

B.

Description

C.

Source Zone

D.

Destination Zone

E.

Action

Full Access
Question # 14

The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.

Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

A.

test panoramas-connect 10.10.10.5

B.

show panoramas-status

C.

show arp all I match 10.10.10.5

D.

topdump filter "host 10.10.10.5

E.

debug dataplane packet-diag set capture on

Full Access
Question # 15

Which operation will impact performance of the management plane?

A.

DoS protection

B.

WildFire submissions

C.

generating a SaaS Application report

D.

decrypting SSL sessions

Full Access
Question # 16

The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalPortect Portal?

A.

Server Certificate

B.

Client Certificate

C.

Authentication Profile

D.

Certificate Profile

Full Access
Question # 17

Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

A.

Virtual Wire

B.

Loopback

C.

Layer 3

D.

Tunnel

Full Access
Question # 18

A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti-Spyware and select default profile.

What should be done next?

A.

Click the simple-critical rule and then click the Action drop-down list.

B.

Click the Exceptions tab and then click show all signatures.

C.

View the default actions displayed in the Action column.

D.

Click the Rules tab and then look for rules with "default" in the Action column.

Full Access
Question # 19

Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)

A.

ms.log

B.

traffic.log

C.

system.log

D.

dp-monitor.log

E.

authd.log

Full Access
Question # 20

Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.

Which step is required to accomplish this goal?

A.

Assign an IP address on each tunnel interface at each site

B.

Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0

C.

Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces

D.

Create new VPN zones at each site to terminate each VPN connection

Full Access
Question # 21

YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:

* ethernet1/1, Zone: Untrust (Internet-facing)

* ethernet1/2, Zone: Trust (client-facing)

A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.

Which setting for class 6 with throttle YouTube traffic?

A.

Outbound profile with Guaranteed Ingress

B.

Outbound profile with Maximum Ingress

C.

Inbound profile with Guaranteed Egress

D.

Inbound profile with Maximum Egress

Full Access
Question # 22

When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

A.

To enable Gateway authentication to the Portal

B.

To enable Portal authentication to the Gateway

C.

To enable user authentication to the Portal

D.

To enable client machine authentication to the Portal

Full Access
Question # 23

The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

A.

6-tuple match:

Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone

B.

5-tuple match:

Source IP Address, Destination IP Address, Source port, Destination Port, Protocol

C.

7-tuple match:

Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone

D.

9-tuple match:

Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone,

Destination Security Zone, Application, and URL Category

Full Access
Question # 24

A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.

Which solution in PAN-OS® software would help in this case?

A.

application override

B.

Virtual Wire mode

C.

content inspection

D.

redistribution of user mappings

Full Access
Question # 25

During the packet flow process, which two processes are performed in application identification? (Choose two.)

A.

Pattern based application identification

B.

Application override policy match

C.

Application changed from content inspection

D.

Session application identified.

Full Access
Question # 26

Which data flow describes redistribution of user mappings?

A.

User-ID agent to firewall

B.

firewall to firewall

C.

Domain Controller to User-ID agent

D.

User-ID agent to Panorama

Full Access
Question # 27

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?

A.

Preconfigured GlobalProtect satellite

B.

Preconfigured GlobalProtect client

C.

Preconfigured IPsec tunnels

D.

Preconfigured PPTP Tunnels

Full Access
Question # 28

How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

A.

by adding the device's Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device

B.

by using security policies, log forwarding profiles, and log settings.

C.

by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the approbate XSOAR playbook

D.

There is no native auto-quarantine feature so a custom script would need to be leveraged.

Full Access
Question # 29

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

A.

Create a no-decrypt Decryption Policy rule.

B.

Configure an EDL to pull IP addresses of known sites resolved from a CRL.

C.

Create a Dynamic Address Group for untrusted sites

D.

Create a Security Policy rule with vulnerability Security Profile attached.

E.

Enable the “Block sessions with untrusted issuers” setting.

Full Access
Question # 30

Which is not a valid reason for receiving a decrypt-cert-validation error?

A.

Unsupported HSM

B.

Unknown certificate status

C.

Client authentication

D.

Untrusted issuer

Full Access
Question # 31

Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

A.

Deny application facebook-chat before allowing application facebook

B.

Deny application facebook on top

C.

Allow application facebook on top

D.

Allow application facebook before denying application facebook-chat

Full Access
Question # 32

Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 33

An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

A.

View Runtime Stats in the virtual router.

B.

View System logs.

C.

Add a redistribution profile to forward as BGP updates.

D.

Perform a traffic pcap at the routing stage.

Full Access
Question # 34

Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

A.

Session Browser

B.

Application Command Center

C.

TCP Dump

D.

Packet Capture

Full Access
Question # 35

An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?

A.

Create an Application Override policy and a custom threat signature for the application

B.

Create an Application Override policy

C.

Create a custom App-ID and use the "ordered conditions" check box

D.

Create a custom App ID and enable scanning on the advanced tab

Full Access
Question # 36

When is the content inspection performed in the packet flow process?

A.

after the application has been identified

B.

before session lookup

C.

before the packet forwarding process

D.

after the SSL Proxy re-encrypts the packet

Full Access
Question # 37

An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.

What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

A.

Wildfire update package

B.

User-ID agent

C.

Anti virus update package

D.

Application and Threats update package

Full Access
Question # 38

An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

A.

Client Probing

B.

Terminal Services agent

C.

GlobalProtect

D.

Syslog Monitoring

Full Access
Question # 39

An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS® software can be upgraded?

A.

Security policy rule

B.

CRL

C.

Service route

D.

Scheduler

Full Access
Question # 40

An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 41

ON NO: 56

An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.

The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.

Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

A.

Create a decryption rule matching the encrypted BitTorrent traffic with action “No-Decrypt,” and place the rule at the top of the Decryption policy.

B.

Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy.

C.

Disable the exclude cache option for the firewall.

D.

Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

Full Access
Question # 42

What are two characteristic types that can be defined for a variable? (Choose two )

A.

zone

B.

FQDN

C.

path group

D.

IP netmask

Full Access
Question # 43

Before you upgrade a Palo Alto Networks NGFW, what must you do?

A.

Make sure that the PAN-OS support contract is valid for at least another year

B.

Export a device state of the firewall

C.

Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.

D.

Make sure that the firewall is running a supported version of the app + threat update

Full Access
Question # 44

A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

A.

Application Override policy.

B.

Security policy to identify the custom application.

C.

Custom application.

D.

Custom Service object.

Full Access
Question # 45

In a virtual router, which object contains all potential routes?

A.

MIB

B.

RIB

C.

SIP

D.

FIB

Full Access
Question # 46

Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

A.

Kerberos

B.

PAP

C.

SAML

D.

TACACS+

E.

RADIUS

F.

LDAP

Full Access
Question # 47

Match each SD-WAN configuration element to the description of that element.

Full Access
Question # 48

You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?

A.

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

B.

Create an Application Group and add business-systems to it.

C.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

D.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

Full Access
Question # 49

What is the function of a service route?

A.

The service route is the method required to use the firewall's management plane to provide services to applications

B.

The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address

C.

The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address

D.

Service routes provide access to external services such as DNS servers external authentication servers or Palo Alto Networks services like the Customer Support Portal

Full Access
Question # 50

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

A.

The interface must be used for traffic to the required services

B.

You must enable DoS and zone protection

C.

You must set the interface to Layer 2 Layer 3. or virtual wire

D.

You must use a static IP address

Full Access
Question # 51

What are three reasons for excluding a site from SSL decryption? (Choose three.)

A.

the website is not present in English

B.

unsupported ciphers

C.

certificate pinning

D.

unsupported browser version

E.

mutual authentication

Full Access
Question # 52

Which CLI command displays the physical media that are connected to ethernetl/8?

A.

> show system state filter-pretty sys.si.p8.stats

B.

> show interface ethernetl/8

C.

> show system state filter-pretty sys.sl.p8.phy

D.

> show system state filter-pretty sys.si.p8.med

Full Access
Question # 53

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A.

wildcard server certificate

B.

enterprise CA certificate

C.

client certificate

D.

server certificate

E.

self-signed CA certificate

Full Access
Question # 54

Which statement accurately describes service routes and virtual systems?

A.

Virtual systems can only use one interface for all global service and service routes of the firewall

B.

The interface must be used for traffic to the required external services

C.

Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall

D.

Virtual systems cannot have dedicated service routes configured: and virtual systems always use the global service and service route settings for the firewall

Full Access
Question # 55

Which GlobalProtect component must be configured to enable Clientless VPN?

A.

GlobalProtect satellite

B.

GlobalProtect app

C.

GlobalProtect portal

D.

GlobalProtect gateway

Full Access
Question # 56

The UDP-4501 protocol-port is used between which two GlobalProtect components?

A.

GlobalProtect app and GlobalProtect gateway

B.

GlobalProtect portal and GlobalProtect gateway

C.

GlobalProtect app and GlobalProtect satellite

D.

GlobalProtect app and GlobalProtect portal

Full Access
Question # 57

An administrator notices that an interlace configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

A.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

B.

Reload the running configuration and perform a Firewall local commit.

C.

Perform a template commit push from Panorama using the "Force Template Values'' option

D.

Perform a commit force from the CLI of the firewall.

Full Access
Question # 58

A Panorama administrator configures a new zone and uses the zone in a new Security policy.

After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?

A.

force template values

B.

merge with candidate config

C.

specify the template as a reference template

D.

include device and network templates

Full Access
Question # 59

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A.

PAN-OS integrated User-ID agent

B.

LDAP Server Profile configuration

C.

GlobalProtect

D.

Windows-based User-ID agent

Full Access
Question # 60

With the default TCP and UDP settings on the firewall what will be me identified application in the following session?

A.

incomplete

B.

unknown-tcp

C.

insufficient-data

D.

unknown-udp

Full Access
Question # 61

A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.

Which configuration is necessary to retrieve groups from Panorama?

A.

Configure an LDAP Server profile and enable the User-ID service on the management interface.

B.

Configure a group mapping profile to retrieve the groups in the target template.

C.

Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.

D.

Configure a master device within the device groups.

Full Access
Question # 62

Which statement regarding HA timer settings is true?

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Full Access
Question # 63

In a firewall, which three decryption methods are valid? (Choose three )

A.

SSL Inbound Inspection

B.

SSL Outbound Proxyless Inspection

C.

SSL Inbound Proxy

D.

Decryption Mirror

E.

SSH Proxy

Full Access
Question # 64

Cortex XDR notifies an administrator about grayware on the endpoints.

There are no entnes about grayware in any of the logs of the corresponding firewall.

Which setting can the administrator configure on the firewall to log grayware verdicts?

A.

within the log settings option in the Device tab

B.

within the log forwarding profile attached to the Security policy rule

C.

in WildFire General Settings, select "Report Grayware Files"

D.

in Threat General Settings^ select "Report Grayware Files"

Full Access
Question # 65

Which Panorama objects restrict administrative access to specific device-groups?

A.

templates

B.

admin roles

C.

access domains

D.

authentication profiles

Full Access
Question # 66

A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

A.

Blocked Activity

B.

Bandwidth Activity

C.

Threat Activity

D.

Network Activity

Full Access
Question # 67

Refer to the image.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

A.

Override the value on the NYCFW template.

B.

Override a template value using a template stack variable.

C.

Override the value on the Global template.

D.

Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

Full Access
Question # 68

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

A.

No Direct Access to local networks

B.

Satellite mode

C.

Tunnel mode

D.

IPSec mode

Full Access