Pcnse - Test

The document contains a series of questions and answers related to Palo Alto Networks Certified Network Security Engineer (PCNSE) certification, focusing on various technical aspects such as high availability settings, VPN configurations, and security profiles. It provides explanations for each question, detailing the correct options and their implications on network security and management. The content serves as a study guide for engineers preparing for the PCNSE exam, covering topics like SSL decryption, application identification, and multi-factor authentication integration.

Uploaded by ABDUL WADOOD

Palo Alto Networks PCNSE
Palo Alto Networks Certified Network Security Engineer PAN-OS 11.0 Version
QUESTION & ANSWERS
[Link]
QUESTION: 1

An engineer is reviewing the following high availability (HA) settings to understand a recent HA
failover event.

Which timer determines the frequency between packets sent to verify that the HA functionality
on the other HA firewall is operational?

Option A : Hello Interval

Option B : Monitor Fail Hold Up Time

Option C : Heartbeat Interval

Option D : Promotion Hold Time

Explanation/Reference:

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover.

References: HA Timers; Layer 3 High Availability with Optimal Failover Times Best Practices; How to Configure Ping Interval/Timeout Settings ... - Palo Alto Networks

QUESTION: 2

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should
have failed over to a backup path. What part of the network profile configuration should the
engineer verify?

Option A : Destination IP

Option B : Threshold

Option C : Action

Option D : Interval

QUESTION: 3

Which virtual router feature determines if a specific destination IP address is reachable?

Option A : Heartbeat Monitoring


Option B : Failover
Option C : Path Monitoring
Option D : Ping-Path

Explanation/Reference:

Reference: [Link] pbf/path-monitoring-for-pbf

QUESTION: 4

After switching to a different WAN connection, users have reported that various websites will not
load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching
the users behind the firewall. The engineer later concludes that the maximum transmission unit
(MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

Option A : Change the subnet mask from /23 to /24.

Option B : Lower the interface MTU value below 1500.

Option C : Adjust the TCP maximum segment size (MSS) value.

Option D : Enable the Ignore IPv4 Don't Fragment (DF) setting.

Explanation/Reference:

The engineer should adjust the TCP maximum segment size (MSS) value on ethernet1/1 to remedy this problem. This is because the MTU on an upstream router interface is set to 1400 bytes, which is causing the return traffic from the web servers to not reach the users behind the firewall. By adjusting the TCP MSS value, the engineer can ensure that the return traffic is able to reach the users without any issues.

The TCP MSS is the maximum amount of data that can be transmitted in a single TCP segment, excluding the TCP and IP headers. The TCP MSS is usually derived from the MTU of the underlying network, which is the maximum packet size that can be transmitted without fragmentation. For example, if the MTU is 1500 bytes, which is the default value for ethernet interfaces, then the TCP MSS is 1460 bytes (1500 - 20 bytes for IP header - 20 bytes for TCP header). However, if there are intermediate devices or networks that have a lower MTU than the end-to-end path, then the TCP MSS may need to be adjusted accordingly to avoid packet loss or fragmentation.

In this case, the firewall has an MTU of 1500 bytes on ethernet1/1, which is connected to a WAN link. However, an upstream router has an MTU of 1400 bytes on its interface, which means that any packet larger than 1400 bytes will be either dropped or fragmented by the router. This can cause problems for the return traffic from the web servers, which may have a TCP MSS of 1460 bytes or higher, depending on their MTU settings. If these packets have the Don't Fragment (DF) bit set in their IP header, which is common for TCP packets, then they will be dropped by the router and never reach the firewall or the users behind it. If they do not have the DF bit set, then they will be fragmented by the router and reassembled by the firewall, which can cause performance degradation and overhead.

To avoid these problems, the engineer should adjust the TCP MSS value on ethernet1/1 to match or be lower than the MTU of the upstream router. This can be done by using the CLI command set network interface ethernet ethernet1/1 tcp-mss <value>, where <value> is an integer between 64 and 1500. For example, if the engineer sets the TCP MSS value to 1360 bytes (1400 - 20 - 20), then this will ensure that any TCP packet sent or received by ethernet1/1 will not exceed 1400 bytes in total size, and thus will not be dropped or fragmented by the router. This will allow the return traffic from the web servers to reach the users behind the firewall without any issues.

References: TCP Maximum Segment Size (MSS), Configure Session Settings, TCP MSS Adjustments, PCNSE Study Guide (page 59)
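As an added worked example (not part of the study guide), the following script computes the MSS clamp for a given path MTU and walks a full-size segment through the path from the question. It also generalizes to IPv6 and to tunnel overhead; the hop names and the MSS range check (64-1500, as stated above) are assumptions for illustration.

```python
# Added example: TCP MSS clamping versus a smaller upstream MTU.
# Hop names and MTU values are constructed to mirror the question (router at 1400, firewall at 1500).
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HEADER = 20   # bytes, IPv4 header without options
IPV6_HEADER = 40   # bytes, fixed IPv6 header
TCP_HEADER = 20    # bytes, TCP header without options

# Range the study guide gives for the tcp-mss CLI value (assumed here as the valid clamp range).
MSS_MIN, MSS_MAX = 64, 1500


def mss_for_mtu(path_mtu: int, ipv6: bool = False, encap_overhead: int = 0) -> int:
    """Largest TCP payload that still fits in one packet of size path_mtu.

    encap_overhead accounts for bytes a tunnel (e.g. IPsec or GRE) adds between the
    firewall and the smallest-MTU hop; 0 for a plain routed path like the question's.
    """
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    mss = path_mtu - ip_header - TCP_HEADER - encap_overhead
    if not MSS_MIN <= mss <= MSS_MAX:
        raise ValueError(f"computed MSS {mss} is outside {MSS_MIN}-{MSS_MAX}")
    return mss


@dataclass(frozen=True)
class Hop:
    name: str
    mtu: int


def forward_segment(mss: int, hops: List[Hop], df: bool = True,
                    ipv6: bool = False) -> Tuple[str, Optional[str]]:
    """Simulate one full-size TCP segment crossing each hop in order.

    Returns ("delivered", None) when every hop's MTU is large enough; otherwise
    ("dropped", hop) if DF is set (the hop must discard it) or ("fragmented", hop)
    if DF is clear (the hop fragments and the receiver has to reassemble).
    """
    packet_size = mss + (IPV6_HEADER if ipv6 else IPV4_HEADER) + TCP_HEADER
    for hop in hops:
        if packet_size > hop.mtu:
            return ("dropped" if df else "fragmented", hop.name)
    return ("delivered", None)


# Constructed return path from the question: upstream router at 1400, ethernet1/1 at 1500.
RETURN_PATH = [Hop("upstream-router", 1400), Hop("firewall-eth1/1", 1500)]

if __name__ == "__main__":
    default_mss = mss_for_mtu(1500)   # 1460: what a web server behind a 1500-byte MTU sends
    clamped_mss = mss_for_mtu(1400)   # 1360: the value to clamp to on ethernet1/1
    print(default_mss, forward_segment(default_mss, RETURN_PATH))            # ('dropped', 'upstream-router')
    print(default_mss, forward_segment(default_mss, RETURN_PATH, df=False))  # ('fragmented', 'upstream-router')
    print(clamped_mss, forward_segment(clamped_mss, RETURN_PATH))            # ('delivered', None)
```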

QUESTION: 5

A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled:

- Prisma Access for Remote Networks 300Mbps
- Prisma Access for Mobile Users 1500 Users
- Cortex Data Lake 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared

How can you configure Prisma Access to provide the same level of access as the current VPN solution?

Option A : Configure mobile users with trust-to-untrust Security policy rules to allow the desired
traffic outbound to the internet
Option B : Configure mobile users with a service connection and trust-to-trust Security
policy rules to allow the desired traffic outbound to the internet
Option C : Configure remote networks with a service connection and trust-to-untrust Security
policy rules to allow the desired traffic outbound to the internet
Option D : Configure remote networks with trust-to-trust Security policy rules to allow the desired
traffic outbound to the internet
Explanation/Reference:

To provide the same level of access as the current VPN solution, which is to secure only Internet egress for the connected clients, you can configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet. This way, the mobile users will be assigned an IP address from a pool that belongs to the trust zone, and they will be able to access the Internet through Prisma Access using a gateway that belongs to the untrust zone. You do not need to configure a service connection for this scenario, as a service connection is used to enable access between mobile users and remote networks or private apps. You also do not need to configure trust-to-trust Security policy rules, as they are used to enable access between mobile users and other trusted resources.

References: 1: [Link] the-prisma-access-inf 2: [Link] admin/prisma-access-service-co 3: [Link] managed-admin/prisma-access-mobile-us

QUESTION: 6

When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can
be implemented using a phased approach in alignment with Palo Alto Networks best practices.
What should you recommend?

Option A : Enable SSL decryption for known malicious source IP addresses
Option B : Enable SSL decryption for malicious source users
Option C : Enable SSL decryption for source users and known malicious URL categories
Option D : Enable SSL decryption for known malicious destination IP addresses

QUESTION: 7

An engineer is configuring a template in Panorama which will contain settings that need to be
applied to all firewalls in production. Which three parts of a template an engineer can configure?
(Choose three.)

Option A : NTP Server Address
Option B : Antivirus Profile
Option C : Authentication Profile
Option D : Service Route Configuration
Option E : Dynamic Address Groups
Explanation/Reference:

NTP Server Address (option A) and Service Route Configuration (option D). Short explanation of correct answer only: these parts of a template can be configured on Panorama. An antivirus profile and an authentication profile are not parts of a template, but parts of a device group.

References: 1: [Link] templates-and-template- 2: [Link] device-groups/device-g
QUESTION: 8

When setting up a security profile, which three items can you use? (Choose three.)

Option A : Wildfire analysis
Option B : anti-ransomware
Option C : antivirus
Option D : URL filtering
Option E : decryption profile

Explanation/Reference:

Reference: [Link]

QUESTION: 9

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose
two.)

Option A : self-signed CA certificate
Option B : server certificate
Option C : wildcard server certificate
Option D : client certificate
Option E : enterprise CA certificate

Explanation/Reference:

Reference: [Link] forwardproxy#:~:text=You can use an enterprise,as the forward trust certificate.

QUESTION: 10

After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the application showing as unknown-tcp. Which possible firewall change could have caused this issue?

Option A : enabling Forward segments that exceed the TCP App-ID inspection queue in Device
> Setup > Content-ID > Content-ID Settings
Option B : enabling Forward segments that exceed the TCP content inspection queue in Device
> Setup > Content-ID > Content-ID Settings
Option C : Jumbo frames were enabled on the firewall, which reduced the App-ID queue size
and the number of available packet buffers.
Option D : Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-order and application identification.

QUESTION: 11

Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which
firewall log?

Option A : GlobalProtect
Option B : System
Option C : Authentication
Option D : Configuration

Explanation/Reference:

Reference: [Link] enhanced-logging-for- [Link]

QUESTION: 12

A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?

Option A : South
Option B : West
Option C : East

Option D : Central

Explanation/Reference:

Based on the provided table, the GlobalProtect portal agent configuration includes four gateways with varying priorities and response times. Users will connect to the gateway with the highest priority and, if multiple gateways share the same priority, the one with the lowest response time.

Answer determination:

1. Prioritize by priority level: East: Highest; South: High; West: Medium; Central: Low.
2. Evaluate response times within each priority: East (Highest): 35 ms; South (High): 30 ms; West (Medium): 50 ms; Central (Low): 20 ms.

Given the highest priority is "East" with a response time of 35 ms, users will connect to the East gateway based on the highest priority.

QUESTION: 13

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external
customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Option A : Proxy IDs

Option B : ToS Header

Option C : GRE Encapsulation

Option D : Tunnel Monitor

Explanation/Reference:

An administrator should configure proxy IDs to route interesting traffic through the VPN tunnel when the peer device is a policy-based VPN device. Proxy IDs are used to identify the traffic that belongs to a particular IPSec VPN and to direct it to the appropriate tunnel. Proxy IDs consist of a local IP address, a remote IP address, and an application (protocol and port numbers). Each proxy ID is considered to be a VPN tunnel and is counted towards the IPSec VPN tunnel capacity of the firewall. Proxy IDs are required for IKEv1 VPNs and optional for IKEv2 VPNs. If the proxy ID is not configured, the firewall uses the default values of source IP: [Link]/0, destination IP: [Link]/0, and application: any, which may not match the peer's policy and result in a failure to establish the VPN connection.

References: Proxy ID for IPSec VPN, Set Up an IPSec Tunnel

QUESTION: 14

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?

Option A : Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
Option B : Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
Option C : Configure a Captive Portal authentication policy that uses an authentication sequence.
Option D : Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

Explanation/Reference:

To use PAN-OS multi-factor authentication (MFA) to secure access to critical assets, the enterprise should configure a Captive Portal authentication policy that uses an authentication sequence. An authentication sequence is a feature that allows the firewall to enforce multiple authentication methods (factors) for users who access sensitive services or applications. An authentication sequence can include up to four factors, such as login and password, Voice, SMS, Push, or One-time Password (OTP) authentication. The firewall can integrate with MFA vendors through RADIUS or vendor APIs to provide the additional factors.

To configure an authentication sequence, the enterprise needs to create an authentication profile for each factor and then add them to the sequence in the desired order. The enterprise also needs to create a Captive Portal authentication policy that matches the traffic that requires MFA and applies the authentication sequence to it. The Captive Portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The Captive Portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button.

When a user tries to access a service or application that matches the Captive Portal authentication policy, the firewall redirects the user to the Captive Portal web form for the first factor. After the user successfully authenticates for the first factor, the firewall prompts the user for the second factor through RADIUS or vendor API integration. The firewall repeats this process until all factors in the sequence are completed or until one factor fails. If all factors are completed successfully, the firewall allows the user to access the service or application. If one factor fails, the firewall denies access and logs an event.

Configuring a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile is not sufficient to use PAN-OS MFA. This option only provides one factor of authentication through RADIUS integration with an MFA vendor. To use multiple factors of authentication, an authentication sequence is required. Creating an authentication profile and assigning another authentication factor to be used by a Captive Portal authentication policy is not correct to use PAN-OS MFA. This option does not specify how to create or apply an authentication sequence, which is necessary for enforcing multiple factors of authentication. Using a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns is not relevant to use PAN-OS MFA. This option is a feature of Palo Alto Networks Cortex XDR™ that helps protect endpoints from credential theft by malicious actors. It does not provide any MFA functionality for accessing critical assets.

References: Authentication Sequence, Configure Multi-Factor Authentication, Configure an Authentication Portal, Create an Authentication Profile, Create an Authentication Sequence, Create a Captive Portal Authentication Policy, [Credential Phishing Agent]

QUESTION: 15

A firewall has been assigned to a new template stack that contains both 'Global' and 'Local' templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as [Link] setting values from the 'Global' template are applied to the firewall instead of the 'Local' template that has different values for the same [Link] should be done to ensure that the settings in the 'Local' template are applied while maintaining settings from both templates?

Option A : Move the 'Global' template above the 'Local' template in the template stack.
Option B : Perform a commit and push with the 'Force Template Values' option selected.
Option C : Move the 'Local' template above the 'Global' template in the template stack.

Explanation/Reference:

Explanation: [Link] routes-for-a-virtual-sy

QUESTION: 17
An administrator needs to gather information about the CPU utilization on both the management
plane and the data plane. Where does the administrator view the desired data?

Option A : Resources Widget on the Dashboard
Option B : Monitor > Utilization
Option C : Support > Resources
Option D : Application Command and Control Center

Explanation/Reference:

Reference: [Link]

QUESTION: 18

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website [Link] certificate. End-users are receiving the "security certificate is not trusted" [Link] SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and [Link] network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the [Link] website
2. End-users should get the warning for any other untrusted website

Which approach meets the two customer requirements?

Option A : Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and
commit the configuration
Option B : Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-
user systems in the user and local computer stores
Option C : Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
Option D : Navigate to Device > Certificate Management > Certificates > Default Trusted
Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the
Trusted Root CA check box, and commit the configuration

QUESTION: 19

An administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select?

Option A : default-no-captive-portal
Option B : default-authentication-bypass
Option C : default-browser-challenge
Option D : default-web-form

Explanation/Reference:

Reference: [Link]

QUESTION: 20

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?

Option A : Hello Interval
Option B : Promotion Hold Time
Option C : Heartbeat Interval
Option D : Monitor Fail Hold Up Time

Explanation/Reference:

The heartbeat interval determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping). The default value is 1000 milliseconds (1 second). The heartbeat interval is used to detect failures and trigger failover in an HA pair. The other options are not correct. The hello interval determines the frequency at which the HA peers exchange messages in the form of an HA packet. The default value is 3000 milliseconds (3 seconds). The hello interval is used to establish and maintain HA connectivity. The promotion hold time determines the amount of time that a passive firewall waits before it becomes active after detecting a failure on the active firewall. The default value is 5000 milliseconds (5 seconds). The monitor fail hold up time determines the amount of time that a firewall waits before it declares a monitor failure after detecting a link down event on an interface. The default value is 2000 milliseconds (2 seconds).

References: 1: [Link] timers 2: [Link] 3: [Link] 4: [Link]

QUESTION: 21

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services
for authenticating users. What should the administrator be aware of regarding the authentication
sequence, based on the Authentication profiles in the order Kerberos, LDAP, and TACACS+?

Option A : The priority assigned to the Authentication profile defines the order of the sequence.

Option B : The firewall evaluates the profiles in the alphabetical order the Authentication
profiles have been named until one profile successfully authenticates the user.

Option C : If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made.

Option D : The firewall evaluates the profiles in top-to-bottom order until one Authentication
profile successfully authenticates the user.

QUESTION: 22

Which type of zone will allow different virtual systems to communicate with each other?

Option A : Tap
Option B : External
Option C : Virtual Wire
Option D : Tunnel

Explanation/Reference:

An external zone is a type of zone that will allow different virtual systems to communicate with each other. An external zone is a special zone that is shared by all virtual systems on the firewall and can be used to route traffic between virtual systems without leaving the firewall. The external zone can also be used to route traffic to other zones within the same virtual system. The other options are not correct. A tap zone is a type of zone that is used to passively monitor traffic without affecting the flow of packets. A virtual wire zone is a type of zone that is used to create a transparent bridge between two network segments without changing the original IP addressing or routing. A tunnel zone is a type of zone that is used to terminate VPN tunnels or other types of encapsulated traffic.

References: 1: [Link] admin/virtual-systems/communication-between-virtual-systems/ 2: [Link] admin/networking/configure-interfaces/configure-a-tap-interface 3: [Link] admin/networking/configure-interfaces/configure-a-virtual-wire 4: [Link] admin/networking/configure-interfaces/configure-a-tunnel-inter

QUESTION: 23

A new application server [Link] has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.19?.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address [Link]. The database team reports that they are unable to establish a secure connection to 196.51.100.88 from [Link]. However, it confirms a successful ping test to 198.51.100.88.
Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

Option A :

Option C : Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.

Option D : Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.

Explanation/Reference:
The table displays NAT rules configured on the firewall. The key points are: Source Zone and Destination Zone define the traffic flow. Source Address and Destination Address specify the IP addresses involved. Service indicates the type of traffic (e.g., any, ping). Source Translation and Destination Translation show the translated IP addresses for NAT.

Issue and resolution options: The application server at [Link] can establish outbound connections but faces issues with inbound connections due to the shared NAT IP [Link]. The external database server cannot establish a secure connection back to [Link].

Options to resolve the issue:

- Replace the Two NAT Rules with a Single Rule: Combining both DMZ servers into one NAT rule might simplify configuration but could cause issues in distinguishing inbound traffic for each server. Pros: Simplifies rule management. Cons: Might not address the inbound traffic issue properly.
- New Public IP Address: Obtaining a new public IP address for the new server ([Link]) ensures dedicated inbound and outbound NAT. Pros: Clear separation of traffic, resolves inbound connectivity issues. Cons: Requires additional public IP.
- Separate Source NAT and Destination NAT Rules: Configuring distinct NAT rules for source and destination addresses without using the bidirectional option. Pros: Clear and distinct rules for
QUESTION: 25

Which Panorama objects restrict administrative access to specific device-groups?

Option A : admin roles
Option B : authentication profiles
Option C : templates
Option D : access domains

Explanation/Reference:

Reference: [Link] basedaccess-control/access-domains

QUESTION: 26

A network security administrator has an environment with multiple forms of authentication. There
is a network access control system in place that authenticates and restricts access for wireless
users, multiple Windows domain controllers, and an MDM solution for company-provided
smartphones. All of these devices have their authentication events logged. Given the information,
what is the best choice for deploying User-ID to ensure maximum coverage?

Option A : agentless User-ID with redistribution
Option B : Syslog listener
Option C : captive portal
Option D : standalone User-ID agent
Explanation/Reference:

A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog listener can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more. A syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS, iOS, Android, etc. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-ID deployment in a large-scale network.

References: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)
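As an added example (not from the study guide and not PAN-OS code), the script below models what a syslog listener does for User-ID: it applies a per-source parse rule to incoming syslog lines from the three kinds of systems in the question (NAC, domain controller, MDM) and maintains an IP-to-username table with an idle timeout. The message formats, hostnames, users and addresses are all constructed for illustration; real products log differently and PAN-OS uses its own syslog parse profiles.

```python
# Added example: a minimal User-ID style syslog listener that turns login events
# from several authentication sources into an IP-to-user mapping table.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ParseRule:
    """Per-source parse rule: which syslog sender it applies to and how to extract fields."""
    source_host: str
    event_regex: re.Pattern   # the line is a successful login only if this matches
    user_regex: re.Pattern    # group 1 = username
    ip_regex: re.Pattern      # group 1 = client IPv4 address


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed rules for the three sources in the question (message formats are invented).
RULES: List[ParseRule] = [
    ParseRule("nac", re.compile(r"\bAUTH_OK\b"),
              re.compile(r"user=(\S+)"), re.compile(r"client_ip=" + IPV4)),
    ParseRule("dc01", re.compile(r"\bEventID=4624\b"),
              re.compile(r"Account Name:\s*(\S+)"),
              re.compile(r"Source Network Address:\s*" + IPV4)),
    ParseRule("mdm", re.compile(r"device checked in"),
              re.compile(r"owner=(\S+)"), re.compile(r"\bfrom " + IPV4)),
]

# Simplified syslog framing assumed here: <PRI>, epoch timestamp, sender hostname, message.
SYSLOG_RE = re.compile(r"^<\d{1,3}>(?P<ts>\d+) (?P<host>\S+) (?P<msg>.+)$")


def parse_login(line: str, rules: List[ParseRule]) -> Optional[Tuple[str, str, int]]:
    """Return (ip, username, timestamp) if the line is a login event from a known source, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, msg, ts = m.group("host"), m.group("msg"), int(m.group("ts"))
    for rule in rules:
        if rule.source_host != host or not rule.event_regex.search(msg):
            continue
        user, ip = rule.user_regex.search(msg), rule.ip_regex.search(msg)
        if user and ip:
            return ip.group(1), user.group(1), ts
    return None


class UserMappingTable:
    """IP-to-user table with an idle timeout, the way a User-ID mapping cache ages entries."""

    def __init__(self, timeout_s: int) -> None:
        self.timeout_s = timeout_s
        self._entries: Dict[str, Tuple[str, int]] = {}

    def learn(self, ip: str, user: str, ts: int) -> None:
        # A newer event for the same IP replaces the old user (e.g. a reused DHCP lease).
        self._entries[ip] = (user, ts)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, ts = entry
        if now - ts > self.timeout_s:
            del self._entries[ip]   # expired: traffic from this IP is unknown-user again
            return None
        return user

    def snapshot(self, now: int) -> Dict[str, str]:
        result: Dict[str, str] = {}
        for ip in list(self._entries):
            user = self.lookup(ip, now)
            if user is not None:
                result[ip] = user
        return result


def build_mapping(lines: List[str], rules: List[ParseRule], timeout_s: int, now: int) -> Dict[str, str]:
    """Feed syslog lines through the rules and return the live IP-to-user map at time `now`."""
    table = UserMappingTable(timeout_s)
    for line in lines:
        parsed = parse_login(line, rules)
        if parsed:
            table.learn(*parsed)
    return table.snapshot(now)


# Constructed sample feed: NAC, domain controller and MDM events plus noise.
SAMPLE_LINES = [
    "<86>1700000000 nac AUTH_OK user=alice client_ip=10.1.1.10 ssid=corp",
    "<86>1700000010 dc01 EventID=4624 Account Name: bob Source Network Address: 10.1.2.20",
    "<86>1700000020 mdm device checked in owner=carol from 10.1.3.30",
    "<86>1700000030 nac AUTH_FAIL user=mallory client_ip=10.1.1.99",  # failed login: ignored
    "<86>1700000040 dc01 EventID=4624 Account Name: bob Source Network Address: 10.1.2.20",  # refresh
    "not a syslog line at all",
]

if __name__ == "__main__":
    print(build_mapping(SAMPLE_LINES, RULES, timeout_s=3600, now=1700000100))
    # {'10.1.1.10': 'alice', '10.1.2.20': 'bob', '10.1.3.30': 'carol'}
    print(build_mapping(SAMPLE_LINES, RULES, timeout_s=3600, now=1700003630))
    # {'10.1.2.20': 'bob'}  (alice and carol have idled past the timeout)
```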

QUESTION: 27

A client wants to detect the use of weak and manufacturer-default passwords for IoT [Link] option will help the customer?

Option A : Configure a Data Filtering profile with alert mode
Option B : Configure an Antivirus profile with alert mode
Option C : Configure an Anti-Spyware profile with alert mode
Option D : Configure a Vulnerability Protection profile with alert mode.

QUESTION: 28

A firewall administrator notices that many Host Sweep scan attacks are being allowed through the
firewall sourced from the outside zone. What should the firewall administrator do to mitigate this
type of attack?

Option A : Create a Zone Protection profile, enable reconnaissance protection, set action to
Block, and apply it to the outside zone.
Option B : Create a DOS Protection profile with SYN Flood protection enabled and apply it to all
rules allowing traffic from the outside zone.
Option C : Enable packet buffer protection in the outside zone.
Option D : Create a Security rule to deny all ICMP traffic from the outside zone.

QUESTION: 29
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three)

Option A : SSH key
Option B : User logon
Option C : Short message service
Option D : One-Time Password
Option E : Push

QUESTION: 30

An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department. Which dynamic role does the administrator assign to the new-hire colleague?

Option A : Superuser (read-only)
Option B : Device administrator (read-only)
Option C : Firewall administrator (read-only)
Option D : System administrator (read-only)

QUESTION: 31

An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

Option A : WildFire updates

Option B : NAT

Option C : NTP

Option D : antivirus

Option E : file blocking

QUESTION: 32

In High Availability, which information is transferred via the HA data link?

Option A : session information
Option B : heartbeats
Option C : HA state information
Option D : User-ID information

Explanation/Reference:

Reference: [Link] ha-links-and-backup-links
QUESTION: 33

What are three important considerations during SD-WAN configuration planning? (Choose three.)

Option A : link requirements
Option B : IP Addresses
Option C : connection throughput
Option D : dynamic routing
Option E : branch and hub locations

Explanation/Reference:

[Link]

QUESTION: 34

An engineer is planning an SSL decryption [Link] of the following statements is a best practice for SSL decryption?

Option A : Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
Option B : Use an enterprise CA-signed certificate for the Forward Untrust certificate.
Option C : Use the same Forward Trust certificate on all firewalls in the network.
Option D : Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

Explanation/Reference:

Reference: [Link]

QUESTION: 35

PBF can address which two scenarios? (Choose two.)

Option A : routing FTP to a backup ISP link to save bandwidth on the primary ISP link
Option B : providing application connectivity if the primary circuit fails
Option C : enabling the firewall to bypass Layer 7 inspection
Option D : forwarding all traffic by using source port 78249 to a specific egress interface

Explanation/Reference:

Reference: [Link] pbf-for-outbound-access-with-dual-isps

QUESTION: 36

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to
check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound
Inspection certificate?

Option A : show system setting ssl-decrypt certificate
Option B : show system setting ssl-decrypt certs
Option C : debug dataplane show ssl-decrypt ssl-certs
Option D : show system setting ssl-decrypt certificate-cache

Explanation/Reference:

To troubleshoot SSL Decryption issues and check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate, the PAN-OS CLI command debug dataplane show ssl-decrypt ssl-certs is used. This command provides detailed information about the SSL certificates involved in decryption and inspection processes, allowing administrators to verify certificate validity, issuer details, and other critical parameters. Understanding the certificate details is crucial in diagnosing issues related to SSL decryption, such as certificate validation errors or misconfigurations that could lead to decryption failures.

QUESTION: 37

Which two events trigger the operation of automatic commit recovery? (Choose two.)
Option A : when an aggregate Ethernet interface component fails
Option B : when Panorama pushes a configuration
Option C : when a firewall performs a local commit
Option D : when a firewall HA pair fails over

Explanation/Reference:

Reference: [Link] automaticpanorama- [Link]

QUESTION: 38

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories. Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

Option A : Choose the URL categories in the User Credential Submission column and set action to block; select the User Credential Detection tab and select Use Domain Credential Filter; Commit.
Option B : Choose the URL categories in the User Credential Submission column and set action to block; select the User Credential Detection tab and select Use IP User Mapping; Commit.
Option C : Choose the URL categories in the Site Access column and set action to block; click the User Credential Detection tab and select IP User Mapping; Commit.
Option D : Choose the URL categories in the User Credential Submission column and set action to block; select the URL Filtering settings and enable Domain Credential Filter; Commit.

Explanation/Reference:

[Link] phishing/set-up[Link] credential-phishing/set-up-cre

QUESTION: 39

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

Option A : the name of the ISP


Option B : link requirements
Option C : IP Addresses
Option D : branch and hub locations

Explanation/Reference:

[Link]

QUESTION: 40
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

Option A : Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.
Option B : Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
Option C : Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.
Option D : Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

Explanation/Reference:

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot. This means that the administrator can enable advanced routing features such as RIB filtering, BFD, multicast, and redistribution profiles for each virtual router on the firewall. The firewall requires a reboot after enabling advanced routing to apply the changes.

QUESTION: 41

An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?

Option A : Traffic Logs
Option B : System Logs
Option C : Session Browser
Option D : You cannot find failover details on closed sessions
Explanation/Reference:

[Link]

QUESTION: 42

A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?

Option A : Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls.
Option B : Create custom vulnerability signatures manually on one firewall, export them, and then import them to the rest of the firewalls.
Option C : Use Panorama IPS Signature Converter to create custom vulnerability signatures, and push them to the firewalls.
Option D : Create custom vulnerability signatures manually in Panorama, and push them to the firewalls.

QUESTION: 43

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring: Firewall has internet connectivity through e 1/[Link] security rules and security rules allowing all SSL and web-browsing traffic to and from any [Link] route is configured, sourcing update traffic from e1/1. A communication error appears in the System logs when updates are [Link] does not [Link] must be configured to enable the firewall to download the current version of PAN-OS software?

Option A : Static route pointing application PaloAlto-updates to the update servers
Option B : Security policy rule allowing PaloAlto-updates as the application
Option C : Scheduler for timed downloads of PAN-OS software
Option D : DNS settings for the firewall to use for resolution

QUESTION: 44

An engineer has been given approval to upgrade their environment to the latest version of PAN-
OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and
virtual log collectors. What is the recommended order of operational steps when upgrading?

Option A : Upgrade the firewalls, upgrade log collectors, upgrade Panorama
Option B : Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
Option C : Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
Option D : Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

Explanation/Reference:

When planning an upgrade in an environment that includes Panorama, firewalls, and log collectors, it's crucial to follow the recommended sequence to ensure compatibility and minimize disruptions. Palo Alto Networks recommends the following order:

Upgrade Panorama: Start with Panorama because it's the central management platform. Upgrading Panorama first ensures that it's compatible with the new PAN-OS versions that the managed devices (firewalls and log collectors) will be upgraded to. Panorama must be able to support the new versions for it to manage and monitor the devices effectively.

Upgrade the log collectors: Next, upgrade the log collectors. Since log collectors work closely with Panorama to aggregate and store logs from the firewalls, they should be upgraded after Panorama to ensure compatibility. Upgrading the log collectors ensures they can handle the log formats and features introduced in the new PAN-OS version.

Upgrade the firewalls: Finally, upgrade the firewalls. The firewalls are the last components to be upgraded to ensure that they remain compatible with the management and log collection infrastructure. Upgrading the firewalls last minimizes the risk of compatibility issues with Panorama and log collectors.

This sequence ensures that all components are compatible and that the management and logging infrastructure can fully support the firewalls running the latest PAN-OS version.

QUESTION: 45

When you configure a Layer 3 interface, what is one mandatory step?

Option A : Configure virtual routers to route the traffic for each Layer 3 interface.
Option B : Configure Interface Management profiles, which need to be attached to each Layer 3 interface.
Option C : Configure Security profiles, which need to be attached to each Layer 3 interface.
Option D : Configure service routes to route the traffic for each Layer 3 interface.

Explanation/Reference:

Reference: [Link] [Link]

QUESTION: 46

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward
Secrecy) needs to be enabled. What action should the engineer take?

Option A : Enable PFS under the IPSec Tunnel advanced options.
Option B : Add an authentication algorithm in the IPSec Crypto profile.
Option C : Select the appropriate DH Group under the IPSec Crypto profile.
Option D : Enable PFS under the IKE gateway advanced options.

QUESTION: 47

An engineer is in the planning stages of deploying User-ID in a diverse directory services environment. Which server OS platforms can be used for server monitoring with User-ID?

Option A : Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
Option B : Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
Option C : Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
Option D : Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

Explanation/Reference:

[Link]

QUESTION: 48

A superuser is tasked with creating administrator accounts for three contractors. For compliance
purposes, all three contractors will be working with different device-groups in their hierarchy to
deploy policies and objects Which type of role-based access is most appropriate for this project?

Option A : Create a Dynamic Admin with the Panorama Administrator role.
Option B : Create a Device Group and Template Admin.
Option C : Create a Custom Panorama Admin.
Option D : Create a Dynamic Read only superuser.

Explanation/Reference:

Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI.

Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.


QUESTION: 49

An administrator pushes a new configuration from Panorama to a pair of firewalls that are
configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

Option A : The passive firewall, which then synchronizes to the active firewall
Option B : The active firewall, which then synchronizes to the passive firewall
Option C : Both the active and passive firewalls, which then synchronize with each other
Option D : Both the active and passive firewalls independently, with no synchronization afterward

QUESTION: 50

Given the following snippet of a WildFire submission log, did the end user successfully download a
file?

Option A : No, because the URL generated an alert.

Option B : Yes, because both the web-browsing application and the flash file have the "alert" action.
Option C : Yes, because the final action is set to "allow."

Option D : No, because the action for the wildfire-virus is "reset-both."

Explanation/Reference:

Based on the snippet of the WildFire submission log provided, it appears that the end user was able to successfully download a file. The key indicator here is that the final action for the web-browsing application and the flash file is set to "allow." This means that despite any alerts or other actions taken earlier in the process, the ultimate decision was to allow the file to be downloaded.

QUESTION: 51
An administrator would like to determine which action the firewall will take for a specific CVE. Given
the screenshot below, where should the administrator navigate to view this information?

Option A : The profile rule action
Option B : CVE column
Option C : Exceptions tab
Option D : The profile rule threat name

Explanation/Reference:

[Link] the dynamic user group in a policy to regulate traffic for the members of the group. You will need to configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent (in this case, questionable-activity). To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic. [Link] policy/use-dynamic-user-groups-in-policy

QUESTION: 52

Which component enables you to configure firewall resource protection settings?

Option A : DoS Protection Profile
Option B : QoS Profile
Option C : Zone Protection Profile
Option D : DoS Protection policy

QUESTION: 53

Which User-ID method maps IP addresses to usernames for users connecting through a web proxy
that has already authenticated the user?
Option A : syslog listening
Option B : server monitoring
Option C : client probing
Option D : port mapping

QUESTION: 54

What are two valid deployment options for Decryption Broker? (Choose two.)

Option A : Transparent Bridge Security Chain
Option B : Transparent Mirror Security Chain
Option C : Layer 2 Security Chain
Option D : Layer 3 Security Chain

QUESTION: 55

Refer to the exhibit.

Which certificates can be used as a Forward Trust certificate?

Option A : Certificate from Default Trust Certificate Authorities
Option B : Domain Sub-CA
Option C : Forward-Trust
Option D : Domain-Root-Cert

QUESTION: 56

Which Security profile generates a packet threat type found in threat logs?

Option A : WildFire
Option B : Zone Protection
Option C : Anti-Spyware
Option D : Antivirus

QUESTION: 57

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of [Link] deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data [Link] VPN configuration would adapt to changes when deployed to the future site?

Option A : Preconfigured GlobalProtect satellite
Option B : Preconfigured GlobalProtect client
Option C : Preconfigured IPsec tunnels
Option D : Preconfigured PPTP Tunnels

QUESTION: 58

Which three firewall states are valid? (Choose three.)

Option A : Active
Option B : Functional
Option C : Pending
Option D : Passive
Option E : Suspended

Explanation/Reference:

Reference: [Link]

QUESTION: 59

Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to
a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy
in the Palo Alto Networks firewall.

Option A :

Option B :
Option C :

Option D :

QUESTION: 60

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS
11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method?
(Choose two.)

Option A : No client configuration is required for explicit proxy, which simplifies the deployment complexity.
Option B : Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.
Option C : Explicit proxy supports interception of traffic using non-standard HTTPS ports.
Option D : It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

Explanation/Reference:

[Link] mobile-us [Link] web-proxy

QUESTION: 61

Which log type would provide information about traffic blocked by a Zone Protection profile?

Option A : Data Filtering
Option B : IP-Tag
Option C : Traffic
Option D : Threat

Explanation/Reference:

[Link] D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile. This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks [1]. These attacks are classified as threats by the firewall and are logged in the threat log [2]. The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats [2].

Verified References: [1] Zone protection profiles - Palo Alto Networks Knowledge Base; [2] Threat Log Fields - Palo Alto Networks

QUESTION: 62
An engineer must configure a new SSL decryption deployment. Which profile or certificate is
required before any traffic that matches an SSL decryption rule is decrypted?

Option A : A Decryption profile must be attached to the Decryption policy that the traffic matches.
Option B : There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
Option C : A Decryption profile must be attached to the Security policy that the traffic matches.
Option D : There must be a certificate with only the Forward Trust option selected.

Explanation/Reference:

To use PAN-OS multi-factor authentication (MFA) to secure access to critical assets, the enterprise should configure a Captive Portal authentication policy that uses an authentication sequence. An authentication sequence is a feature that allows the firewall to enforce multiple authentication methods (factors) for users who access sensitive services or applications. An authentication sequence can include up to four factors, such as login and password, Voice, SMS, Push, or One-time Password (OTP) authentication. The firewall can integrate with MFA vendors through RADIUS or vendor APIs to provide the additional factors [1][2].

To configure an authentication sequence, the enterprise needs to create an authentication profile for each factor and then add them to the sequence in the desired order. The enterprise also needs to create a Captive Portal authentication policy that matches the traffic that requires MFA and applies the authentication sequence to it. The Captive Portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The Captive Portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button [3][4].

When a user tries to access a service or application that matches the Captive Portal authentication policy, the firewall redirects the user to the Captive Portal web form for the first factor. After the user successfully authenticates for the first factor, the firewall prompts the user for the second factor through RADIUS or vendor API integration. The firewall repeats this process until all factors in the sequence are completed or until one factor fails. If all factors are completed successfully, the firewall allows the user to access the service or application. If one factor fails, the firewall denies access and logs an event [5][6].

Configuring a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile is not sufficient to use PAN-OS MFA. This option only provides one factor of authentication through RADIUS integration with an MFA vendor. To use multiple factors of authentication, an authentication sequence is required. Creating an authentication profile and assigning another authentication factor to be used by a Captive Portal authentication policy is not correct to use PAN-OS MFA. This option does not specify how to create or apply an authentication sequence, which is necessary for enforcing multiple factors of authentication. Using a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns is not relevant to use PAN-OS MFA. This option is a feature of Palo Alto Networks Cortex XDR™ that helps protect endpoints from credential theft by malicious actors. It does not provide any MFA functionality for accessing critical assets [7].

References: [1] Authentication Sequence, [2] Configure Multi-Factor Authentication, [3] Configure an Authentication Portal, [4] Create an Authentication Profile, [5] Create an Authentication Sequence, [6] Create a Captive Portal Authentication Policy, [7] Credential Phishing Agent

QUESTION: 63

Which component enables you to configure firewall resource protection settings?

Option A : DoS Protection Profile
Option B : QoS Profile
Option C : Zone Protection Profile
Option D : DoS Protection policy

Explanation/Reference:

[Link]

QUESTION: 64

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

An end-user visits the untrusted website [Link] certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

Option A : Forward-Untrust-Certificate
Option B : Forward-Trust-Certificate
Option C : Firewall-CA
Option D : Firewall-Trusted-Root-CA

QUESTION: 65
An organization has recently migrated its infrastructure and configuration to NGFWs, for which
Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but
wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can
help this organization?

Option A : Test Policy Match
Option B : Application Groups
Option C : Policy Optimizer
Option D : Config Audit

QUESTION: 66

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks
firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF
routes were not being learned. Which two actions could an administrator take to troubleshoot this
issue? (Choose two.)

Option A : Run the CLI command show advanced-routing ospf neighbor
Option B : In the WebUI, view the Runtime Stats in the logical router.
Option C : In the WebUI, view the Runtime Stats in the virtual router.
Option D : Look for configuration problems in Network > virtual router > OSPF

,B

Explanation/Reference:

A: [Link] routers/more
D: [Link] cheat-sheet-networking

QUESTION: 67

An administrator wants to enable WildFire inline machine learning. Which three file types does
WildFire inline ML analyze? (Choose three.)

Option A : APK
Option B : VBscripts
Option C : Powershell scripts
Option D : ELF
Option E : MS Office

QUESTION: 68

In a security-first network, what is the recommended threshold value for content updates to be
dynamically updated?

Option A : 1 to 4 hours
Option B : 6 to 12 hours
Option C : 24 hours
Option D : 36 hours

Explanation/Reference:

Reference: [Link] and-threat-content-updates/[Link]#:~:text=In a security-first network, schedule a,six to twelve hour threshold.&text=App-ID Threshold-,.,based on new App-IDs

QUESTION: 69

A Panorama administrator configures a new zone and uses the zone in a new Security policy. After
the administrator commits the configuration to Panorama, which device-group commit push
operation should the administrator use to ensure that the push is successful?

Option A : merge with candidate config
Option B : include device and network templates
Option C : specify the template as a reference template
Option D : force template values
