PDF Only
$35.00 Free Updates Up to 90 Days
- PCNSE Dumps PDF
- 374 Questions
- Updated On November 13, 2025
PDF + Test Engine
$60.00 Free Updates Up to 90 Days
- PCNSE Question Answers
- 374 Questions
- Updated On November 13, 2025
Test Engine
$50.00 Free Updates Up to 90 Days
- PCNSE Practice Questions
- 374 Questions
- Updated On November 13, 2025
How to pass Palo Alto Networks PCNSE exam with the help of dumps?
DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Palo Alto Networks PCNSE Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.
How Do I Know Palo Alto Networks PCNSE Dumps are Worth it?
Did we mention our latest PCNSE Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments, let us explore all other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.
You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Palo Alto Networks Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!
IT Students Are Using our Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Dumps Worldwide!
It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through what you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.
How to Get PCNSE Real Exam Dumps?
Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the PCNSE exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals, making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated and fake content, repeated questions, and false or indefinite information. We make every penny count, and you leave our platform fully satisfied!
Palo Alto Networks PCNSE Exam Overview Details:
| Aspect | Details |
|---|---|
| Exam Cost | $1600 USD |
| Total Time | 80 minutes |
| Available Languages | English, Japanese, Simplified Chinese |
| Passing Marks | 70% |
| Number of Questions | 60 |
| Exam Format | Multiple choice, scenario-based questions |
| Prerequisites | None |
| Exam Delivery | Proctored exam, in-person or online |
| Certification Validity | 2 years |
| Renewal Options | Retake exam or earn Continuing Education Units (CEUs) |
Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Exam Topics Breakdown
| Content Area | Percentage |
|---|---|
| Architecture and Design | 17% |
| Core Concepts | 12% |
| Logging and Monitoring | 12% |
| Troubleshooting | 13% |
| Network | 17% |
| Management | 11% |
| Policy | 10% |
| VPN | 8% |
Palo Alto Networks PCNSE Frequently Asked Questions
Question # 1
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access. What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
A. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
B. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
C. Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
D. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
Question # 2
A company wants to add threat prevention to the network without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.)
A. VirtualWire
B. Layer3
C. TAP
D. Layer2
Question # 3
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event. Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
A. Monitor Fail Hold Up Time
B. Promotion Hold Time
C. Heartbeat Interval
D. Hello Interval
Question # 4
An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?
A. IPv6 Source or Destination Address
B. Destination-Based Service Route
C. IPv4 Source Interface
D. Inherit Global Setting
Question # 5
Which three statements accurately describe Decryption Mirror? (Choose three.)
A. Decryption Mirror requires a tap interface on the firewall
B. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.
C. Only management consent is required to use the Decryption Mirror feature.
D. Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.
E. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
Question # 6
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
A. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
Question # 7
An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users. Which option should the administrator use?
A. Terminal Server Agent for User Mapping
B. Windows-Based User-ID Agent
C. PAN-OS Integrated User-ID Agent
D. PAN-OS XML API
Question # 8
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.)
A. An Application Override policy for the SIP traffic
B. QoS on the egress interface for the traffic flows
C. QoS on the ingress interface for the traffic flows
D. A QoS profile defining traffic classes
E. A QoS policy for each application ID
Question # 9
A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
A. Minimum TLS version
B. Certificate
C. Encryption Algorithm
D. Maximum TLS version
E. Authentication Algorithm
Question # 10
An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
A. /content
B. /software
C. /plugins
D. /license
E. /opt
Question # 11
Where can a service route be configured for a specific destination IP?
A. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
B. Use Device > Setup > Services > Services
C. Use Device > Setup > Services > Service Route Configuration > Customize > Destination
D. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4
Question # 12
Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?
A. debug dataplane internal vif route 255
B. show routing route type management
C. debug dataplane internal vif route 250
D. show routing route type service-route
Question # 13
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
A. Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.
B. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.
C. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.
D. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls.
Question # 14
Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
A. It can run on a single virtual system and multiple virtual systems.
B. It can run on multiple virtual systems without issue.
C. It can run only on a single virtual system.
D. It can run only on a virtual system with an alias named "web proxy."
Question # 15
An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?
A. 1
B. 2
C. 3
D. 4
Question # 16
Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?
A. To allow traffic between zones in different virtual systems without the traffic leaving the appliance
B. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance
C. External zones are required because the same external zone can be used on different virtual systems
D. Multiple external zones are required in each virtual system to allow the communications between virtual systems
Question # 17
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
A. debug ike stat
B. test vpn ipsec-sa tunnel
C. show vpn ipsec-sa tunnel
D. test vpn ike-sa gateway
Question # 18
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate-CA and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled: 1. End-users must not get the warning for the https://www.very-import-website.com/ website. 2. End-users should get the warning for any other untrusted website. Which approach meets the two customer requirements?
A. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores.
B. Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate and commit the configuration.
C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
D. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
Question # 19
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
A. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.
B. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.
C. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.
D. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
Question # 20
What should an engineer consider when setting up the DNS proxy for web proxy?
A. A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.
B. A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.
C. DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.
D. Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.
Question # 21
When an engineer configures an active/active high availability pair, which two links can they use? (Choose two.)
A. HSCI-C
B. Console Backup
C. HA3
D. HA2 backup
Question # 22
An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values: - Source zone: Outside and source IP address 1.2.2.2 - Destination zone: Outside and destination IP address 2.2.2.1 The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone. Which destination IP address and zone should the engineer use to configure the security policy?
A. Destination Zone Outside, Destination IP address 2.2.2.1
B. Destination Zone DMZ, Destination IP address 10.10.10.1
C. Destination Zone DMZ, Destination IP address 2.2.2.1
D. Destination Zone Outside, Destination IP address 10.10.10.1
Question # 23
A firewall engineer needs to patch the company’s Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?
A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.
B. Panorama, Dedicated Log Collectors and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.
C. Panorama, Dedicated Log Collectors and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.
D. Only Panorama must be patched to the PAN-OS version before updating the firewalls.
Question # 24
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
A. Configure a URL profile to block the phishing category.
B. Create a URL filtering profile
C. Enable User-ID.
D. Create an anti-virus profile.
E. Create a decryption policy rule.
Question # 25
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
A. On Palo Alto Networks Update Servers
B. M600 Log Collectors
C. Cortex Data Lake
D. Panorama
Question # 26
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?
A. IPSec Tunnel settings
B. IKE Crypto profile
C. IPSec Crypto profile
D. IKE Gateway profile
Question # 27
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?
A. A web server certificate signed by the organization's PKI
B. A self-signed certificate generated on the firewall
C. A subordinate Certificate Authority certificate signed by the organization's PKI
D. A web server certificate signed by an external Certificate Authority
Question # 28
A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?
A. Add SSL and web-browsing applications to the same rule.
B. Add web-browsing application to the same rule.
C. Add SSL application to the same rule.
D. SSL and web-browsing must both be explicitly allowed.
Question # 29
View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct?
A. SMTP has a higher priority but lower bandwidth than Zoom.
B. DNS has a higher priority and more bandwidth than SSH.
C. google-video has a higher priority and more bandwidth than WebEx.
D. Facetime has a higher priority but lower bandwidth than Zoom.
Question # 30
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
A. Schedule
B. Source Device
C. Custom Application
D. Source Interface
Question # 31
What is the best definition of the Heartbeat Interval?
A. The interval in milliseconds between hello packets
B. The frequency at which the HA peers check link or path availability
C. The frequency at which the HA peers exchange ping
D. The interval during which the firewall will remain active following a link monitor failure
Question # 32
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
A. Deploy the GlobalProtect as a User-ID data hub.
B. Deploy Windows User-ID agents on each domain controller.
C. Deploy a PAN-OS integrated User-ID agent on each vsys.
D. Deploy an M-200 as a User-ID collector.
Question # 33
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?
A. Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time.
B. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.
C. Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall and check the log rates during the peak time.
D. Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time.
Question # 34
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network. Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
A. Upload the image to Panorama > Software menu, and deploy it to the firewalls.
B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.
C. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.
D. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.
Question # 35
An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?
A. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.
B. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.
C. Check whether the VPN peer on one end is set up correctly using policy-based VPN.
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.
Question # 36
A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
A. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.
B. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone protection profile.
C. Change the TCP port scan action from Block to Alert in the Zone Protection profile.
D. Remove the Zone protection profile from the zone setting.
Question # 37
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below. Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?
A. Hello Interval
B. Promotion Hold Time
C. Heartbeat Interval
D. Monitor Fail Hold Up Time
Question # 38
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
A. The active firewall which then synchronizes to the passive firewall
B. The passive firewall, which then synchronizes to the active firewall
C. Both the active and passive firewalls which then synchronize with each other
D. Both the active and passive firewalls independently, with no synchronization afterward
Question # 39
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
A. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
B. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
D. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.
Question # 40
If a URL is in multiple custom URL categories with different actions, which action will take priority?
A. Allow
B. Override
C. Block
D. Alert
Question # 41
A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs. How can the administrator ensure that User-IDs are populated in the traffic logs?
A. Create a Group Mapping for the GlobalProtect Group.
B. Enable Captive Portal on the expected source interfaces.
C. Add the users to the proper Dynamic User Group.
D. Enable User-ID on the expected trusted zones.
Question # 42
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all." Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?
A. Active-Secondary
B. Non-functional
C. Passive
D. Active
Question # 43
Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)
A. HA cluster members must share the same zone names.
B. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces
C. Panorama must be used to manage HA cluster members.
D. HA cluster members must be the same firewall model and run the same PAN-OS version.
Question # 44
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be used for approved web traffic?
A. An Enterprise Root CA certificate
B. The same certificate as the Forward Trust certificate
C. A Public Root CA certificate
D. The same certificate as the Forward Untrust certificate
Question # 45
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
A. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
B. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
C. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange
D. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
Question # 46
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.
D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.
Question # 47
Which statement regarding HA timer settings is true?
A. Use the Recommended profile for typical failover timer settings
B. Use the Moderate profile for typical failover timer settings
C. Use the Aggressive profile for slower failover timer settings.
D. Use the Critical profile for faster failover timer settings.
Question # 48
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
A. show system setting ssl-decrypt certificate
B. show system setting ssl-decrypt certs
C. debug dataplane show ssl-decrypt ssl-certs
D. show system setting ssl-decrypt certificate-cache
Question # 49
Which type of zone will allow different virtual systems to communicate with each other?
A. Tap
B. External
C. Virtual Wire
D. Tunnel
Question # 50
Which rule type controls end user SSL traffic to external websites?
A. SSL Outbound Proxyless Inspection
B. SSL Forward Proxy
C. SSH Proxy
D. SSL Inbound Inspection
Question # 51
A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?
A. Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source HIP profile. Enable GlobalProtect Gateway Agent for HIP Notification.
B. Create Security Profiles for Antivirus and Anti-Spyware. Create Security Profile Group that includes the Antivirus and Anti-Spyware profiles. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Gateway Agent for HIP Notification.
C. Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Portal Agent for HIP Notification.
D. Create Security Profiles for Antivirus and Anti-Spyware. Create Security Profile Group that includes the Antivirus and Anti-Spyware profile. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that has the Profile Setting. Profile Type selected to Group. Enable GlobalProtect Portal Agent for HIP Notification.
Question # 52
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
A. The running configuration with the candidate configuration of the firewall
B. Applications configured in the rule with applications seen from traffic matching the same rule
C. Applications configured in the rule with their dependencies
D. The security rule with any other security rule selected
Question # 53
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
A. Resource Protection
B. TCP Port Scan Protection
C. Packet Based Attack Protection
D. Packet Buffer Protection
Question # 54
A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes. Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
A. Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.
B. Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.
C. Create a custom application with specific timeouts, then create an application override rule and reference the custom application.
D. Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.
Question # 55
Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)
A. Destination user/group
B. URL Category
C. Destination Domain
D. Video streaming application
E. Source Domain
F. Client Application Process
Question # 56
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
A. DNS proxy
B. Explicit proxy
C. SSL forward proxy
D. Transparent proxy
Question # 57
A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls need to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?
A. Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.
B. Create one template stack and place the Datacenter_Template in higher priority than BranchOffice_template.
C. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.
D. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack
Question # 58
An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)
A. PowerShell scripts
B. VBScripts
C. MS Office
D. APK
E. ELF
Question # 59
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
A. Custom Log Format within Device > Server Profiles > Syslog
B. Built-in Actions within Objects > Log Forwarding Profile
C. Logging and Reporting Settings within Device > Setup > Management
D. Data Patterns within Objects > Custom Objects
Question # 60
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make. How does the firewall identify the New App-ID characteristic?
A. It matches to the New App-IDs downloaded in the last 90 days.
B. It matches to the New App-IDs in the most recently installed content releases.
C. It matches to the New App-IDs downloaded in the last 30 days.
D. It matches to the New App-IDs installed since the last time the firewall was rebooted.
Question # 61
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?
A. Set up certificate authentication.
B. Use the Dynamic IP address type.
C. Enable Passive Mode
D. Configure the peer address as an FQDN.
Question # 62
An administrator connects a new fiber cable and transceiver to Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rx-power, vendor name, and part number by using the CLI?
A. show chassis status slot s1
B. show system state filter ethernet1/1
C. show system state filter sw.dev.interface.config
D. show system state filter-pretty sys.s1.*
Question # 63
An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter. What must the administrator consider as they prepare to configure the decryption policy?
A. Ensure HA3 interfaces are configured in a HA pair environment to sync decrypted sessions.
B. Obtain or generate the server certificate and private key from the datacenter server.
C. Obtain or generate the self-signed certificate with private key in the firewall
D. Obtain or generate the forward trust and forward untrust certificate from the datacenter server.
Question # 64
A company wants to use GlobalProtect as its remote access VPN solution. Which GlobalProtect features require a Gateway license?
A. Multiple external gateways
B. Single or multiple internal gateways
C. Split DNS and HIP checks
D. IPv6 for internal gateways
Question # 65
Which Panorama feature protects logs against data loss if a Panorama server fails?
A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group
Question # 66
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
A. HA1
B. HA3
C. HA2
D. HA4
Question # 67
Which three items must be configured to implement application override? (Choose three.)
A. Custom app
B. Security policy rule
C. Application override policy rule
D. Decryption policy rule
E. Application filter
Question # 68
An engineer is reviewing policies after a PAN-OS upgrade. What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?
A. Highlight Unused Rules will highlight all rules.
B. Highlight Unused Rules will highlight zero rules.
C. Rule Usage Hit counter will not be reset
D. Rule Usage Hit counter will reset
Question # 69
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?
A. The profile rule action
B. CVE column
C. Exceptions tab
D. The profile rule threat name
Question # 70
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned. Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
A. Run the CLI command show advanced-routing ospf neighbor
B. In the WebUI, view the Runtime Stats in the virtual router
C. Look for configuration problems in Network > virtual router > OSPF
D. In the WebUI, view Runtime Stats in the logical router
Question # 71
An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is egressing the firewall. Which three types of interfaces support SSL Forward Proxy? (Choose three.)
A. High availability (HA)
B. Layer 3
C. Layer 2
D. Tap
E. Virtual Wire
Question # 72
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.)
A. Log Forwarding profile
B. SSL decryption exclusion
C. Email scheduler
D. Login banner
E. Dynamic updates
Question # 73
Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)
A. Check dependencies
B. Schedules
C. Verify
D. Revert content
E. Install
Question # 74
A company wants to implement threat prevention to take action without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.)
A. TAP
B. Layer 2
C. Layer 3
D. Virtual Wire
Question # 75
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?
A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewall.
C. Perform the Export or push Device Config Bundle to the newly managed firewall.
D. Push the Device Group first, then push Template to the newly managed firewall.